Migrate to Seccomp profile in security Context ⚠️ #475
Conversation
|
Thanks for opening this pull request! Please check out our contributing guidelines and sign the CLA. |
ghost
added
the
|
I've signed the CLA! |
Ser87ch
changed the title
|
@genevieveluyt , could you take a look at the PR please? |
|
hi, @Ser87ch ! Thank you for your contribution! I will take a closer look at your PR either today or tomorrow. In the meantime, would you mind adding support to both annotations and |
|
@dani-santos-code Thanks for your reply. May I ask, why? Seccomp annotation support will be removed quite soon. |
|
Hi, @Ser87ch, you asked a question about the possibility of supporting both which led me to believe that this would be an option you considered. I do understand that supporting both would be a more involved implementation. However, it would be preferable to be backwards compatible and not ship breaking changes and only ship the changes once it is effectively deprecated (as of k8s v.1.25, if I understand correctly?). We can open an issue for this. We could check either for missing annotations or missing seccompProfile. We could add a warning about annotations to mention it will soon be deprecated?
as a follow-up, once annotations are fully deprecated, we can remove the part that adds support to annotations. let me know what you think and if this would be feasible! 🙏 |
|
Thanks @dani-santos-code , I'll let you know tomorrow. |
|
If the annotation is going to stop working and the security profile has already been available for some time, I think dropping annotation support is fair. +1 to @dani-santos-code's suggestion though, if it's not too much of a hassle. I think ideally |
|
Thanks guys, I will implement your suggestions. |
|
I've encountered an issue, that I don't know how to fix yet. I'm testing a change that you suggested with the following pod spec: apiVersion: v1
kind: Pod
metadata:
name: pod
namespace: seccomp-profile-missing-annotations
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
container.seccomp.security.alpha.kubernetes.io/container: localhost/bla
spec:
containers:
- name: container
image: scratchThe problem is when I fetch security context the pod spec, it returns me a security context with seccomp profile set: I have a feeling that k8s library returns seccomp profile in security context even if only seccomp annotation set. If it's the case I'm not able to differentiate between seccomp set in security context and annotations. |
|
It's not a k8s library problem, it the way k8s API works. If I export the pod spec I mentioned in the previous comment by using apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/container: localhost/bla
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"container.seccomp.security.alpha.kubernetes.io/container":"localhost/bla","seccomp.security.alpha.kubernetes.io/pod":"runtime/default"},"name":"pod","namespace":"seccomp-profile-missing-annotations"},"spec":{"containers":[{"image":"scratch","name":"container"}]}}
seccomp.security.alpha.kubernetes.io/pod: runtime/default
creationTimestamp: "2022-09-13T08:46:02Z"
name: pod
namespace: seccomp-profile-missing-annotations
resourceVersion: "1735"
uid: cc1671c0-bbde-4a98-91ee-5d4761cb19d4
spec:
containers:
- image: scratch
imagePullPolicy: Always
name: container
resources: {}
securityContext:
seccompProfile:
localhostProfile: bla
type: Localhost
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-jh5xb
readOnly: true
dnsPolicy: ClusterFirst
enableServiceLinks: true
nodeName: kubeaudit-test-control-plane
preemptionPolicy: PreemptLowerPriority
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
tolerations:
...So, I don't believe it's possible to catch a situation when seccompProfile is absent in securityContext but is present in annotations. |
|
Based on these docs, it sounds like having seccomp enabled is the new default behaviour, so kubeaudit might not even have to check that seccomp is enabled but rather should produce an error if seccomp is explicitly disabled (eg. if the profile is set to Unconfined). Did you run your kubelet with the |
|
@genevieveluyt thanks for your comment. As far as I understand from the link you shared and feature gates, it is a default behaviour but only since version 1.25 (which is in beta). I tested it with the default |
|
I see. If neither the annotation nor the seccomp profile are set, what does the library return for the profile? |
There is misunderstanding here. Annotation is set in the example I put above. The problem is that Kubernetes API returns also seccomp profile in the security context when only annotation is set. |
|
Yes I understand that when the annotation is set (but not the seccomp profile) the Kubernetes API still returns a seccomp profile so we cannot differentiate between seccomp being enabled via annotation or profile. I'm wondering though what the Kubernetes API returns for seccomp profile if neither the annotation nor the profile are set. Does it default to |
|
If neither is set, then it returns empty securityContext. |
There was a problem hiding this comment.
I think we should check for annotations separately (an auditor can return multiple results).
- Check the pod for seccomp annotations. If there are any, produce a
warningresult where the pending fix removes all said annotations - Check the pod and containers for seccomp profile (as you do currently). If it's unset or set to Unconfined, produce an
errorresult and the pending fix sets the profile to RuntimeDefault
This means in manifest mode you might get both a warning and an error, but I think that's ok. In cluster and local mode, since autofix doesn't do anything, likely someone would manually fix the annotation warning by removing annotation, rerun kubeaudit, and then get the seccomp profile error. In future we could upgrade the annotation warning to an error results as well.
What do you think?
| if isSeccompEnabledForContainers(annotations, resource) { | ||
| if isPodSeccompProfileMissing(podSpec.SecurityContext) { | ||
| // If all the containers have container-level seccomp profiles then we don't need a pod-level profile | ||
| if isSeccompEnabledForAllContainers(resource) { |
There was a problem hiding this comment.
If we get here then we won't produce any warnings for potential annotations 🤔
There was a problem hiding this comment.
Annotations are checked in a separate method now.
auditors/seccomp/seccomp.go
Outdated
| Rule: SeccompProfileMissing, | ||
| Severity: severity, | ||
| Message: msg, | ||
| PendingFix: &BySettingSeccompProfileAndRemovingAnnotations{seccompProfileType: ProfileRuntimeDefault, annotationsToRemove: seccompAnnotations}, |
There was a problem hiding this comment.
I think there's a weird case here where if there are seccomp annotations but also a valid seccomp profile, the pending fix will overwrite the profile with RuntimeDefault
There was a problem hiding this comment.
I think it's also not relevant now.
|
Thanks, your proposal sounds good. I will change accordingly. |
|
Unfortunately, there is another problem. The opposite problem is also true. When I create a pod with a seccomp profile in the securityContext only: apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container
image: scratchKubernetes API also returns annotations for the pod. It means that the annotation deprecation warning will be always created with a valid seccomp profile in the SecurityContext. |
|
Well that's a rather unexpected and annoying way for the API to behave lol. There's no way in kubeaudit to only run a check manifest mode, no. What if, for number 1 above ie
We change that check to "the pod has only seccomp annotations"? That should only ever happen in manifest mode then right? I don't think there's anything we can do about the annotations in cluster and local mode given how the API behaves... |
I don't think it's possible unless we can restrict this check only to the manifest mode. If this can't be restricted, then in the cluster and local modes this warning will be always fired when there is any kind of seccomp profile in SecurityContext. |
|
What I mean is, we can check if the pod has a seccomp annotation AND there is NO seccompProfile, then produce a warning. If I understand correctly, this can never happen in local and cluster mode because of how the API behaves (either both the annotation and the seccompProfile are set, or neither are set). So effectively, the warning can only ever happen in manifest mode. |
|
@genevieveluyt I've introduced a separate method that audit annotations only if seccomp profile is missing for both pod and all containers. This way it will be easier to remove this logic once seccomp annotation support is dropped. |
|
@genevieveluyt could you review PR? |
|
@Ser87ch thank you for making the changes, I will review and 🎩 by end of next week. |
| namespace: seccomp-disabled-localhost | ||
| spec: | ||
| securityContext: | ||
| seccompProfile: |
There was a problem hiding this comment.
Nit: the indentation looks a bit off here, maybe tabs vs spaces?
| "MissingAnnotation": PodAnnotationKey, | ||
| }, | ||
| } | ||
| // We check annotations only when seccomp profile is missing for both pod and all containers |
There was a problem hiding this comment.
This comment is amazing, thank you! ❤️
Co-authored-by: Genevieve Luyt <[email protected]>
|
Is it possible to request a release after the PR is merged? |
There was a problem hiding this comment.
I also tested on my end and it works really well! Thanks for your changes @Ser87ch ! 🙏
|
by the way, feel free to open an issue to request a release! :) |
|
@dani-santos-code thanks, how can we merge this one first? |
|
I guess we can merge this on our end! |
Description
This PR changes
seccompauditor to scanseccompProfileinstead of annotations as requested in #343The following changes were done:
seccompauditor changed to scansecurityContextin pod and containers to findseccompProfile.fixcreated inseccompauditor to create seccomp profile in a pod and containers and to remove profile in containers. The auditor updated to use the newfix.SeccompAnnotationMissingrule renamed toSeccompProfileMissing.SeccompDeprecatedContainerrule dropped.Fixes #343
Type of change
How Has This Been Tested?
Checklist: