Support restricted PSA for worker pods #2410
Conversation
kubevirt-bot
added
release-note
|
/hold |
kubevirt-bot
added
do-not-merge/hold
mhenriks
force-pushed
the
restricted-psa
branch
from
9d6fe45 to
0298d15
Compare
|
I suspect the nbdkit socket will be an issue here. |
mhenriks
changed the title
please elaborate |
|
Basically when I was working on #2331 I also tried removing root as part of that, and when I was running tests, they started failing because I was unable to access the nbdkit socket since I wasn't root. I didn't look into the exact reason much more though. |
|
But it looks like the tests are passing, so maybe not an issue. |
There was a problem hiding this comment.
Basically when I was working on #2331 I also tried removing root as part of that, and when I was running tests, they started failing because I was unable to access the nbdkit socket since I wasn't root. I didn't look into the exact reason much more though.
Really interested about why last time around we saw imports failing on block without root.
Maybe related to us switching to less nbdkit usages?
Attempt to get in compliance with restricted PSA. See: https://kubernetes.io/docs/concepts/security/pod-security-admission/
Reading the k8s docs IIUC we need to explicitly set more things to comply with "restricted":
- allowPrivilegeEscalation to false (done by Comply with restricted security context #2331)
- runAsNonRoot (on pod level is easier)
- seccompProfile (pod level)
What am I missing?
- SecurityContextConstraint update
If we end up changing our version of the SCC we should probably make the reconciliation of it more strict so it gets upgraded properly. Currently, it'll only reconcile if
containerized-data-importer/pkg/operator/controller/scc.go
Lines 105 to 109 in 13a9b12
OFC this is a potential issue regardless of this PR so we can tackle elsewhere
| @@ -733,6 +723,7 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image, | |||
| { | |||
| Name: DataVolName, | |||
| MountPath: common.ClonerMountPath, | |||
| ReadOnly: true, | |||
There was a problem hiding this comment.
Nice, is there a real impact for this? IIUC the other ReadOnly is just about enforcing this one
| @@ -592,15 +592,6 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image, | |||
| }, | |||
| }, | |||
| Spec: corev1.PodSpec{ | |||
| SecurityContext: &corev1.PodSecurityContext{ | |||
There was a problem hiding this comment.
Nice! this will fix an issue someone was seeing on OpenShift 4.12 with kubevirt tekton tasks https://github.com/kubevirt/tekton-tasks-operator/blob/main/data/tekton-pipelines/okd/windows10-customize.yaml#L126
I can try to find the chats if needed
|
/hold |
mhenriks
force-pushed
the
restricted-psa
branch
from
13a9b12 to
50bf8b5
Compare
|
/hold cancel |
kubevirt-bot
removed
the
do-not-merge/hold
mhenriks
force-pushed
the
restricted-psa
branch
2 times, most recently
from
74f1da8 to
1f1c0fc
Compare
|
/retest-required |
|
/test pull-cdi-linter |
|
/retest |
There was a problem hiding this comment.
Awesome
We probably won't hit the same issues as in the PR description here, right? kubevirt/kubevirt#8436
| @@ -46,8 +46,8 @@ import ( | |||
|
|
|||
| const ( | |||
| tempFile = "tmpimage" | |||
| nbdkitPid = "/var/run/nbdkit.pid" | |||
| nbdkitSocket = "/var/run/nbdkit.sock" | |||
| nbdkitPid = "/tmp/nbdkit.pid" | |||
There was a problem hiding this comment.
are we concerned about some OS variants cleaning up /tmp after a certain period of time?
There was a problem hiding this comment.
I've never heard of any tmp cleanup happening in the absence of a reboot.
There was a problem hiding this comment.
https://serverfault.com/a/377349
For example (RHEL)
But I don't this applies/matters much to our ephemeral workloads
| @@ -165,7 +165,7 @@ func getImageFileName(dir string) (string, error) { | |||
| } | |||
|
|
|||
| func createCertificateDir(registryCertDir string) (string, error) { | |||
| allCerts := "/var/local/all_certs" | |||
| allCerts := "/tmp/all_certs" | |||
There was a problem hiding this comment.
Same here, I am missing why /var/local wasn't good enough?
There was a problem hiding this comment.
non root cannot write to /var/local
| @@ -37,6 +37,34 @@ import ( | |||
|
|
|||
| const sccName = "containerized-data-importer" | |||
|
|
|||
| func setSCC(scc *secv1.SecurityContextConstraints) { | |||
There was a problem hiding this comment.
Not really important but I recently discovered https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil#CreateOrUpdate which could've worked in ensureSCCExists()
| } | ||
| options := fmt.Sprintf("-%s%s", tarOptions, "xvC") | ||
| untar := exec.Command("/usr/bin/tar", "--no-same-owner", options, destDir, strings.Join(args, "")) | ||
| untar := exec.Command("/usr/bin/tar", "--no-same-owner", "-xvC", destDir) |
There was a problem hiding this comment.
WDYT about printing the whole cmd before executing it with verbosity lvl 3?
always nice when debugging, we do the same for qemu-img
There was a problem hiding this comment.
I saw you took up the suggestion in the clone source pod but not here. Intended?
cmd/cdi-cloner/clone-source.go
Outdated
| args = append(args, "--files-from", "/dev/null") | ||
| } | ||
|
|
||
| cmd := exec.Command("/usr/bin/tar", args...) |
There was a problem hiding this comment.
Same here, if you're up for printing the args of course
What issues, specifically? They are attacking the issue in a totally different way for now |
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen <[email protected]>
refactor scc management Signed-off-by: Michael Henriksen <[email protected]>
mhenriks
force-pushed
the
restricted-psa
branch
from
f53115b to
0338798
Compare
| // pod-security.kubernetes.io/<MODE>: <LEVEL> | ||
| labels["pod-security.kubernetes.io/enforce"] = "restricted" | ||
| if utils.IsOpenshift(f.K8sClient) { | ||
| labels["security.openshift.io/scc.podSecurityLabelSync"] = "false" |
There was a problem hiding this comment.
Nice OpenShift awareness!
Looks good just let me know if you want to tackle the few small replies, otherwise I think we are good |
cluster-sync/clean.sh
Outdated
| fi | ||
| fi | ||
|
|
||
| set +e | ||
| _kubectl patch cdi ${CR_NAME} --type=json -p '[{ "op": "remove", "path": "/metadata/finalizers" }]' | echo "this is fine" |
There was a problem hiding this comment.
DId you mean || echo "this is fine"? Piping the output of the kubectl command to echo does nothing...
Either way however, the error code of the kubectl command will be ignored, so set +e/set -e should not be necessary here.
But the code works the way it is, so no big deal.
Signed-off-by: Michael Henriksen <[email protected]>
|
/test pull-containerized-data-importer-e2e-destructive |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mhenriks The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen [email protected]
What this PR does / why we need it:
Attempt to get in compliance with restricted PSA. See: https://kubernetes.io/docs/concepts/security/pod-security-admission/
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: