
add explicit securityContexts to the controller and namespace label for privileged #3399

Merged

Conversation

@chrischdi (Member) commented Apr 6, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:

This does not really change the configuration, it just makes it explicit and enforces the defaults, except for the seccompPolicy which changes from Unconfined to RuntimeDefault. Syscalls filtered by the RuntimeDefault policy are 95% namespaced and require capabilities (which we drop) in the first place, so no practical change there either.

This allows the controller to be compatible with the restricted pod security admission profile.

However, the nmi daemonset requires the privileged profile which is why this also adds the corresponding label to the namespace, to allow cluster-wide enforcement of a policy lower than privileged, while preserving privileged for the capz-system namespace. If the nmi daemonset is replaced by Azure Workload Identity (#2205), and if Azure Workload Identity does not require privileged, the namespace label could get removed again.

This is a recommendation in the CAPI v1.3->1.4 upgrade guide.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Prior art:

Note: this requires the v1.4 branch of CAPI for usage with tilt, because the Tiltfile then removes the securityContext to allow it to succeed.

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Explicitly set securityContexts in the manifests to comply with the restricted pod security admission profile.
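The settings the PR description makes explicit (seccomp RuntimeDefault, dropped capabilities, no privilege escalation, non-root) checked the way the restricted profile's admission rules check them, with an implicit-defaults spec and a privileged DaemonSet-style spec beside the compliant one. This is an added example, not code from the PR or from cluster-api-provider-azure; the three pod specs are constructed stand-ins for the manager deployment and the nmi daemonset.

```python
"""Check a pod spec against a subset of the restricted pod security profile.
Added example, not code from cluster-api-provider-azure; specs are constructed."""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}

def restricted_violations(pod_spec):
    """Violations of the restricted rules for host namespaces, privileged,
    seccomp, capabilities, privilege escalation and non-root; [] means admitted."""
    out = []
    psc = pod_spec.get("securityContext", {})
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            out.append(f"pod: {field} must not be true")
    pod_seccomp = psc.get("seccompProfile", {}).get("type")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"{name}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        # Container-level seccomp overrides the pod level; Unconfined (the old
        # implicit default) or unset at both levels is rejected.
        if sc.get("seccompProfile", {}).get("type", pod_seccomp) not in ALLOWED_SECCOMP:
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities", {})
        if caps.get("drop") != ["ALL"]:
            out.append(f"{name}: capabilities.drop must be [ALL]")
        if set(caps.get("add", [])) - ALLOWED_CAP_ADD:
            out.append(f"{name}: only NET_BIND_SERVICE may be added")
        nonroot = sc.get("runAsNonRoot", psc.get("runAsNonRoot"))
        if nonroot is not True or sc.get("runAsUser") == 0:
            out.append(f"{name}: runAsNonRoot must be true and runAsUser must not be 0")
    return out

# Constructed 'before': nothing explicit, so runtime defaults apply.
IMPLICIT_SPEC = {"containers": [{"name": "manager", "image": "manager:dev"}]}

# Constructed 'after': the explicit settings the PR description lists.
EXPLICIT_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "manager", "image": "manager:dev", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}

# Constructed stand-in for a DaemonSet that needs privileged (as NMI does for its
# iptables rules); it is only admitted in a namespace labelled privileged.
PRIVILEGED_SPEC = {"hostNetwork": True, "containers": [
    {"name": "nmi", "image": "nmi:dev", "securityContext": {"privileged": True}}]}
```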

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Apr 6, 2023
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Apr 6, 2023
@codecov-commenter

Codecov Report

Patch and project coverage have no change.

Comparison is base (c125458) 51.64% compared to head (aff2982) 51.64%.

@@           Coverage Diff           @@
##             main    #3399   +/-   ##
=======================================
  Coverage   51.64%   51.64%           
=======================================
  Files         182      182           
  Lines       18066    18066           
=======================================
  Hits         9331     9331           
  Misses       8208     8208           
  Partials      527      527           


…or privileged

This does not really change the configuration, it just makes it explicit and enforces
the defaults, except for the seccompPolicy which changes from Unconfined to RuntimeDefault.
Syscalls filtered by RuntimeDefault policy are 95% namespaced and require capabilities
(which we drop) in the first place, so no practical change there either.

This allows the controller to be compatible with the restricted pod security admission profile.
However, the nmi daemonset requires the privileged profile which is why this also adds the
corresponding label to the namespace, to allow cluster-wide enforcement of a policy lower
than privileged, while preserving privileged for the capz-system namespace.

This is a recommendation in the CAPI v1.3->1.4 upgrade guide.
@chrischdi chrischdi force-pushed the prepare-securitycontext-for-psa branch from aff2982 to 4aeec5e Compare April 6, 2023 08:21
@CecileRobertMichon (Contributor)

Thank you @chrischdi

If the nmi daemonset is replaced by Azure Workload Identity (#2205), and if Azure Workload Identity does not require privileged, the namespace label could get removed again.

@sonasingh46 @aramase do you know if this is true?

@jackfrancis jackfrancis added this to the v1.9 milestone Apr 6, 2023
@Jont828 (Contributor) commented Apr 7, 2023

This looks good to me and it seems to be passing the tests as well which gives me confidence that it works. I think if we get a second look from others we should be good to proceed.

@aramase (Member) commented Apr 7, 2023

Thank you @chrischdi

If the nmi daemonset is replaced by Azure Workload Identity (#2205), and if Azure Workload Identity does not require privileged, the namespace label could get removed again.

@sonasingh46 @aramase do you know if this is true?

NMI does need privileged: true in order to add the iptables rules. Azure Workload Identity webhook doesn't require privileged, so this is correct.

@CecileRobertMichon (Contributor) left a comment

/lgtm
/assign @sonasingh46

@@ -2,3 +2,6 @@ apiVersion: v1
kind: Namespace
metadata:
name: system
labels:
# this is required due to the nmi daemonset
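Review bot: the comment on the new labels block says why the label is there but not when it can go; since the description says it is only needed until the nmi daemonset is replaced by Azure Workload Identity, suggest the comment name that condition and the tracking issue, e.g. `# required because the nmi daemonset needs privileged; remove once NMI is replaced (#2924)`. Note also that a privileged enforce label applies to every pod in the namespace, so the controller's restricted-compatible securityContext is not checked by admission there; adding `pod-security.kubernetes.io/warn: restricted` (or `audit`) alongside would surface regressions in the controller manifests without blocking nmi.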

@sonasingh46 can we make a note to remove this in #2924?

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 11, 2023
@k8s-ci-robot

LGTM label has been added.

Git tree hash: 9105c70aee9a030d21c99e091efcabaffd75a87f

@jackfrancis (Contributor)

cc @sonasingh46 if you're able to add another review to this in the 1.9 milestone cycle that would be great!

@sonasingh46 (Contributor)

Sure. I will take a look at this tomorrow.

@mboersma (Contributor) left a comment

/lgtm

@mboersma (Contributor) left a comment

/approve

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 21, 2023
@k8s-ci-robot k8s-ci-robot merged commit 7bed3d0 into kubernetes-sigs:main Apr 21, 2023
@chrischdi chrischdi deleted the prepare-securitycontext-for-psa branch April 23, 2023 09:29