✨ Apply PodSecurityStandard in Secure Cluster Class #6390
Awesome - this is working for me:
The Pod "busybox" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)
core.PodSpec{
Volumes: {{Name: "kube-api-access-p9jbd", VolumeSource: {Projected: &{Sources: {{ServiceAccountToken: &{ExpirationSeconds: 3607, Path: "token"}}, {ConfigMap: &{LocalObjectReference: {Name: "kube-root-ca.crt"}, Items: {{Key: "ca.crt", Path: "ca.crt"}}}}, {DownwardAPI: &{Items: {{Path: "namespace", FieldRef: &{APIVersion: "v1", FieldPath: "metadata.namespace"}}}}}}, DefaultMode: &420}}}},
InitContainers: nil,
Containers: []core.Container{
{
... // 16 identical fields
TerminationMessagePolicy: "File",
ImagePullPolicy: "IfNotPresent",
- SecurityContext: &core.SecurityContext{Privileged: &true},
+ SecurityContext: nil,
Stdin: false,
StdinOnce: false,
TTY: false,
},
},
EphemeralContainers: nil,
RestartPolicy: "Always",
... // 5 identical fields
AutomountServiceAccountToken: nil,
NodeName: "cloister-linux-workers-ppp8v-775fffb45b-kdp7k",
SecurityContext: &core.PodSecurityContext{
- HostNetwork: true,
+ HostNetwork: false,
HostPID: false,
HostIPC: false,
... // 11 identical fields
},
ImagePullSecrets: nil,
Hostname: "",
... // 15 identical fields
}
We should run the full e2e suite on this before merging to make sure it doesn't break anything (as this modifies the ClusterClass that underpins all of our tests). I don't think there should be an issue, but just in case. |
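The rejected busybox pod above is exactly what a "baseline" Pod Security Standard is meant to stop: a privileged container and a pod joining the host network. The following checker is an added example (mine, not code from this PR or from Cluster API) that implements part of the baseline profile and runs it over a constructed pod mirroring that busybox pod and over a compliant one. The rule set and messages only loosely follow the upstream PodSecurity admission plugin; the pod manifests and the `evaluate`/`baseline_violations` names are assumptions for the example.

```python
"""Added example: a small checker for part of the Pod Security Standards
"baseline" profile, run over constructed pod manifests.  Not the kube-apiserver
PodSecurity plugin; checks and wording follow it only loosely."""

from typing import Dict, List, Tuple

# Capabilities the baseline profile lets a container add (anything else is a violation).
BASELINE_ALLOWED_CAPABILITIES = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def _all_containers(spec: Dict) -> List[Dict]:
    """Init, regular and ephemeral containers are all subject to the checks."""
    return ((spec.get("initContainers") or [])
            + (spec.get("containers") or [])
            + (spec.get("ephemeralContainers") or []))


def baseline_violations(pod: Dict) -> List[str]:
    """Return the list of baseline-profile violations found in a pod manifest."""
    spec = pod.get("spec") or {}
    found: List[str] = []

    # Host namespaces: hostNetwork / hostPID / hostIPC must be unset or false.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"host namespaces ({field}=true)")

    # hostPath volumes hand the container the node's filesystem.
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            found.append(f'hostPath volumes (volume "{vol.get("name")}")')

    for container in _all_containers(spec):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f'privileged (container "{name}" must not set securityContext.privileged=true)')
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if cap.upper() not in BASELINE_ALLOWED_CAPABILITIES:
                found.append(f'capabilities (container "{name}" must not add capability {cap})')
        for port in container.get("ports") or []:
            if port.get("hostPort"):
                found.append(f'hostPorts (container "{name}" uses hostPort {port["hostPort"]})')
    return found


def evaluate(pod: Dict, enforce: str = "baseline") -> Tuple[bool, List[str]]:
    """Decide admission for the given enforce level.

    "privileged" is the unrestricted profile and admits everything; "baseline"
    applies the checks above.  The "restricted" profile is not modelled here.
    """
    if enforce == "privileged":
        return True, []
    if enforce != "baseline":
        raise ValueError(f"unsupported enforce level {enforce!r}")
    violations = baseline_violations(pod)
    return not violations, violations


# Constructed manifests; the first mirrors the rejected busybox pod from the comment.
BUSYBOX_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "busybox"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "kube-api-access-p9jbd", "projected": {"sources": []}}],
        "containers": [{
            "name": "busybox", "image": "busybox",
            "securityContext": {"privileged": True},
        }],
    },
}

COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "busybox-ok"},
    "spec": {"containers": [{"name": "busybox", "image": "busybox"}]},
}

if __name__ == "__main__":
    for pod in (BUSYBOX_POD, COMPLIANT_POD):
        allowed, violations = evaluate(pod)
        print(f'{pod["metadata"]["name"]}: {"admitted" if allowed else "rejected"}')
        for v in violations:
            print(f"  - {v}")
```

Running it rejects the busybox pod with two findings (host namespaces and a privileged container) and admits the plain one; the same pod is admitted again when the level is set to "privileged", which is why the level in the admission configuration, not merely enabling the plugin, is what the patch in this PR has to get right.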
/test pull-cluster-api-e2e-full-main |
@chrischdi Thank you so much for getting around to opening this PR so quickly!!!! |
What would be the definition of "no issues detected by this change?". If it is only about e2e test passing then looks like we have achieved that already!! 🎉
Yeah that makes sense to me because it meets second and third guideline on secure defaults in cloud native apps mentioned here: https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md Next step for me sounds like figuring out how we can enable this across all CAPI cloud providers. |
I think we should be happy with adding this as is for now as the main use for this ClusterClass is e2e testing and a reference implementation. /lgtm |
For the cloud providers there currently are no pre-generated/pre-defined cluster classes to use (I checked the latest releases of CAPA, CAPZ and CAPG). From a clusterctl perspective: Currently it is only consuming the released yaml files of the infrastructure providers (in case of this PR the docker infrastructure provider). One thing we could do to improve here would be to add a security guidelines section to the book as proposed by fabrizzio here. Edit: maybe we should move this discussion then back to the issue #6329 :-) |
What if we add a variable, named Pushing this a little bit further, we can make this variable a struct allowing users to define:
Also, what about extending the scope of this PR to include the creation of a security guidelines section in the book (probably under tasks) with a short description of how to enable pod-security-standards + an inline version of the above variable/patches and a link to the CAPD example
I did some refactoring of the PR :-)
|
Few suggestions on docs for clarity. But overall looks good!!
Would it make sense to add the content from #6152 in to the security guidelines section created in this PR? Edit: To be clear, Not suggesting to add it in this PR but in follow up PRs :) |
/retitle Apply PodSecurityStandard in Secure Cluster Class (Since the scope of the PR has changed thought this might be a better reflection of the work being done. Please revert/edit as needed) |
/retitle ✨ Apply PodSecurityStandard in Secure Cluster Class Just adding a prefix to make this work for our release note generation process 🙂 |
Last round of nits but really looking forward to get this merged
Addressed comments and rebased for squashing :-) |
/test help |
@chrischdi: The specified target(s) for
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
cert-manager failed. Should be unrelated /test pull-cluster-api-e2e-main |
/lgtm |
/lgtm (Thank you so much for working on this @chrischdi !) |
/test pull-cluster-api-test-full-main |
@fabriziopandini: The specified target(s) for
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test pull-cluster-api-e2e-full-main |
Very nice
I assume the current state is manually tested.
It would be really nice to see a follow-up PR to include those changes in our e2e test quickstart ClusterClass to:
- find out if this is compatible with our e2e tests
- to keep the diff between tested templates/ClusterClass and released template as small as possible
* use parametrizable patches via ClusterClass instead of statically adding the Pod Security Standard
* book: introduce security guidelines section
* book: add security guidelines section about Pod Security Standard
* book: add section about limitation of cluster class json patches
Signed-off-by: Christian Schlotter <[email protected]>
Thanks for the detailed review. I applied changes according to the following patch:
--- a/docs/book/src/security/pod-security-standards.md
+++ b/docs/book/src/security/pod-security-standards.md
@@ -3,7 +3,7 @@
Pod Security Admission allows applying [Pod Security Standards] during creation of pods at the cluster level.
The flavor `development-topology` for the docker provider used in [Quick Start](../user/quick-start.md) already includes a basic Pod Security Standard configuration.
-It is using variables and patches via ClusterClass to inject the configuration.
+It is using ClusterClass variables and patches to inject the configuration.
## Adding a basic Pod Security Standards configuration to a ClusterClass
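Review bot: the first context line narrows Pod Security Admission to "creation of pods at the cluster level", which undersells what readers will actually get: the plugin also evaluates pod updates, and enforcement is configured per namespace via labels, with the admission configuration file this page goes on to describe only supplying the cluster-wide default level and exemptions. Suggest rewording along the lines of "Pod Security Admission enforces Pod Security Standards on pod creation and update; the admission configuration below sets the cluster-wide default level, which namespace labels can override", so that nobody reads the flavor's default as a hard cluster-wide guarantee. The wording change in the `+` line itself reads fine.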
@@ -51,7 +51,7 @@ spec:
The following snippet contains the patch to be added to the ClusterClass.
-Due to [limitations of ClusterClass with patches](../tasks/experimental-features/cluster-class/write-clusterclass.md#limitations-of-clusterclass-with-patches) there are two versions for this patch.
+Due to [limitations of ClusterClass with patches](../tasks/experimental-features/cluster-class/write-clusterclass.md#json-patches-tips--tricks) there are two versions for this patch.
{{#tabs name:"tab-configuration-patches" tabs:"Add to existing slice,Create slice"}}
{{#tab Append}}
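Review bot: the tab header in the context declares tabs:"Add to existing slice,Create slice", but the first tab is opened as {{#tab Append}}, which matches neither declared name; if the book's tabs preprocessor matches {{#tab}} identifiers against the declared names, this tab will not render under the intended label, so either open it as {{#tab Add to existing slice}} or declare the tabs as "Append,Create". Separately, the new anchor #json-patches-tips--tricks is not backed by a heading change anywhere in the write-clusterclass.md hunk below; please confirm that heading exists so the link does not dangle.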
@@ -76,7 +76,7 @@ spec:
matchResources:
controlPlane: true
jsonPatches:
- - op: add
+ - op: add
path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs"
value:
admission-control-config-file: "/etc/kubernetes/kube-apiserver-admission-pss.yaml"
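Review bot: the indentation fix on `- op: add` is fine, but the value only points kube-apiserver at /etc/kubernetes/kube-apiserver-admission-pss.yaml; nothing in this hunk writes that file to the control-plane node or makes it visible inside the kube-apiserver static pod. With kubeadm that means the file has to be delivered to the host (for example via kubeadmConfigSpec.files) and exposed through apiServer.extraVolumes, otherwise the API server will fail to start with the flag set. Worth confirming both parts live in the same patch definition and are covered by the same enabledIf, and noting in the prose that an `add` at the extraArgs path replaces any existing extraArgs map rather than merging a single key into it.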
@@ -133,7 +133,7 @@ kind: ClusterClass
spec:
...
patches:
- - name: admissionPodSecurityPolicy
+ - name: podSecurityStandard
description: "Adds an admission configuration for PodSecurity to the kube-apiserver."
definitions:
- selector:
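Review bot: renaming the patch from admissionPodSecurityPolicy to podSecurityStandard is the right call, since PodSecurityPolicy is a different (and deprecated) admission mechanism and the old name would mislead readers; only the definition is visible here, so please check that every other reference to the patch by name (an enabledIf expression, the variable it reads, and the book prose that tells users how to disable it) uses the new name as well.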
@@ -190,7 +190,7 @@ spec:
### Create a secure Cluster using the ClusterClass
-After adding the variables and patdocs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.mdches the Pod Security Standards would be applied by default.
+After adding the variables and patches the Pod Security Standards would be applied by default.
It is also possible to disable this patch or configure different levels for the configuration
using variables.
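Review bot: the corrected sentence still says the standards "would be applied by default"; since the patch is active unless a user opts out, "are applied by default" states that more plainly. The following sentence says the level can be changed "using variables" without naming them; naming the variable and its default value here saves the reader a trip back to the variables section, and makes the opt-out explicit rather than implied.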
diff --git a/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md b/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md
index 32b6a1dc6..4d62bf6c7 100644
--- a/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md
+++ b/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md
@@ -685,12 +685,11 @@ add operation must exist.
As a consequence ClusterClass authors should pay special attention when the following
conditions apply in order to prevent errors when a patch is applied:
-* the patch is a JSON patch
-* the patch tries to `add` a value to a **slice**
+* the patch tries to `add` a value to an **array** (which is a **slice** in the corresponding go struct)
* the slice was defined with `omitempty`
* the slice currently does not exist
-A workaround in this particular case is to create the slice in the patch instead of adding it to the non-existing one.
+A workaround in this particular case is to create the array in the patch instead of adding to the non-existing one.
When creating the slice, existing values would be overwritten so this should only be used when it does not exist.
The following example shows both cases to consider while writing a patch for adding a value to a slice.
I will verify again the last open point tomorrow. Edit: verified and works as outlined in the doc |
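Review bot: the new bullet switches the user-facing term to "array (which is a slice in the corresponding go struct)", but the two unchanged bullets, the sentence after the replacement workaround line and the last context line still say "slice"; pick one term for the reader (array, with the Go slice aside stated once) and apply it throughout this paragraph, otherwise the aside reads as if two different things were meant. Dropping the "the patch is a JSON patch" bullet is fine, as the remaining conditions already presuppose a JSON patch.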
Check, looks good so far |
Thank you! |
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: fabriziopandini. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
Adds a baseline pod security standard which gets enforced at cluster level.
Which issue(s) this PR fixes: Resolves parts of #6329
Open for discussion for me:
Whether or not to add it to the default ClusterClass or add a separate ClusterClass, e.g. called `capi-quickstart-secure`. A second ClusterClass would have the con of duplicating the normal quick-start ClusterClass with lots of duplicated content.
If adding the PSS to the default cluster class results in issues we could also work the other way around and add an "insecure" ClusterClass named `capi-quickstart-secure` for users to fall back to (`clusterctl generate cluster capi-quickstart --flavor development-topology-insecure ...`).
TODO: