Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: secure-pod-defaults is enabled by default #14168

Closed
wants to merge 6 commits into from
Closed

feat: secure-pod-defaults is enabled by default #14168

wants to merge 6 commits into from

Conversation

kauana
Copy link
Member

@kauana kauana commented Jul 11, 2023
edited
Loading

Fixes #14029

Proposed Changes

  • secure-pod-defaults is now enabled by default on the config-features ConfigMap

@knative-prow knative-prow bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 11, 2023
@knative-prow knative-prow bot requested review from krsna-m and ReToCode July 11, 2023 18:32
@kauana kauana changed the title secure-pod-defaults is enabled by default [WIP] secure-pod-defaults is enabled by default Jul 11, 2023
@knative-prow knative-prow bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/API API objects and controllers labels Jul 11, 2023
@kauana kauana force-pushed the secure-pod-defaults-enabled branch from f5e91db to c8063c3 Compare July 11, 2023 22:56
@knative-prow knative-prow bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 11, 2023
@kauana kauana force-pushed the secure-pod-defaults-enabled branch 3 times, most recently from e680a43 to faa0f31 Compare July 12, 2023 01:17
@knative-prow knative-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 12, 2023
@kauana kauana force-pushed the secure-pod-defaults-enabled branch 2 times, most recently from 18474ca to bc94f59 Compare July 12, 2023 06:17
@knative-prow knative-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 12, 2023
@kauana kauana force-pushed the secure-pod-defaults-enabled branch 2 times, most recently from a65102f to 590813d Compare July 12, 2023 15:44
@kauana kauana changed the title [WIP] secure-pod-defaults is enabled by default [WIP] feat: secure-pod-defaults is enabled by default Jul 14, 2023
@kauana
Copy link
Member Author

kauana commented Jul 18, 2023

Hello @psschwei,

I'm working on updating the tests to account for enabling the flag secure-pod-defaults to true by default (follow up to PR #13398). One failing unit test in particular made me think about the interaction between the two flags SecurePodDefaults and PodSpecSecurityContext. While I'm trying to ramp on these changes, I noticed you mentioned having validation issues when you set SecurePodDefaults: enabled which required enabling PodSpecSecurityContext as well.

Just to recap (and to confirm my own understanding), setting PodSpecSecurityContext allows the user to configure some PodSecurityContext fields mentioned here. However, secure-pod-defaults makes it so pods adhere the restricted pod security standard and it allows some parts of PodSecurityContext to be set but to specific values (including setting allowPrivilegeEscalation to false and seccompProfile to RuntimeDefault).

Anyways, I do see a bit of a conflict between these two flags. Perhaps the flag to set PodSpecSecurityContext is now redundant or when SecurePodDefault is enabled it enables PodSpecSecurityContext by default? I would like to heart your thoughts.

@psschwei
Copy link
Contributor

Just to recap (and to confirm my own understanding), setting PodSpecSecurityContext allows the user to configure some PodSecurityContext fields mentioned here. However, secure-pod-defaults makes it so pods adhere the restricted pod security standard and it allows some parts of PodSecurityContext to be set but to specific values (including setting allowPrivilegeEscalation to false and seccompProfile to RuntimeDefault).

I think you're right

Anyways, I do see a bit of a conflict between these two flags. Perhaps the flag to set PodSpecSecurityContext is now redundant or when SecurePodDefault is enabled it enables PodSpecSecurityContext by default? I would like to heart your thoughts.

I think the latter option (SecurePodDefault enabled also enables PodSpecSecurityContext) makes sense for now.

There might be some scenario where someone doesn't want to use our secure defaults or enable the pod security context, so it may make sense to leave in the PodSpecSecurityContext flag, at least for the time being.

cc @evankanderson who also had thoughts on this iirc

@kauana
Copy link
Member Author

kauana commented Jul 19, 2023

I think the latter option (SecurePodDefault enabled also enables PodSpecSecurityContext) makes sense for now.

There might be some scenario where someone doesn't want to use our secure defaults or enable the pod security context, so it may make sense to leave in the PodSpecSecurityContext flag, at least for the time being.

I'm wondering what should be the timeline for making SecurePodDefaults enable PodSpecSecurityContext? This PR is an attempt at making SecurePodDefaults enabled by default (#14029), which would mean PodSpecSecurityContext would also be enabled by default.

Currently, kubernetes.podspec-securitycontext is set to "disabled" by default, with warnings about enabling this feature flag (see here). So, I'm thinking that before we do this, we might want to add a "warning" similar to what Evan did here?

@psschwei
Copy link
Contributor

I'm wondering what should be the timeline for making SecurePodDefaults enable PodSpecSecurityContext?

I think you'd need to do that for this PR, but I'd keep both flags (so that a user could toggle them both off if they so desired).

@dprotaso
Copy link
Member

dprotaso commented Jul 31, 2023
edited
Loading

I think the latter option (SecurePodDefault enabled also enables PodSpecSecurityContext) makes sense for now.

We shouldn't do this.

SecurePodDefault should only allow the desired defaults to be set to specific values

Enabling PodSpecSecurityContext gives users way more freedom than SecurePodDefaults intends

@KauzClay
Copy link
Contributor

KauzClay commented Sep 13, 2023
edited
Loading

perhaps the changes in #14363

could be rolled into this PR as well

OR

The test updates and stuff get rolled into #14363 , and this PR just becomes changing the default.

That way we could backport the other changes

@dprotaso
Copy link
Member

If #14363 means secure pod defaults is broken when enabled then we should fix it (and I'll cherry-pick it)

I think the scope of this PR should just remain to flipping secure pod defaults from off to on

@kauana kauana force-pushed the secure-pod-defaults-enabled branch from 590813d to 58c5e7e Compare September 20, 2023 17:54
@knative-prow
Copy link

knative-prow bot commented Sep 20, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kauana
Once this PR has been reviewed and has the lgtm label, please assign davidhadas for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 21, 2023
@codecov
Copy link

codecov bot commented Sep 26, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (05e349f) 86.11% compared to head (a3204f1) 86.12%.
Report is 153 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #14168      +/-   ##
==========================================
+ Coverage   86.11%   86.12%   +0.01%     
==========================================
  Files         196      196              
  Lines       14880    14880              
==========================================
+ Hits        12814    12816       +2     
+ Misses       1758     1754       -4     
- Partials      308      310       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@kauana kauana force-pushed the secure-pod-defaults-enabled branch from bae5bb4 to 97d080d Compare September 26, 2023 21:04
@kauana kauana force-pushed the secure-pod-defaults-enabled branch 2 times, most recently from 3b76307 to 76f9f52 Compare September 29, 2023 00:45
@kauana
Copy link
Member Author

kauana commented Sep 29, 2023

/retest

@kauana kauana changed the title [WIP] feat: secure-pod-defaults is enabled by default feat: secure-pod-defaults is enabled by default Sep 29, 2023
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 29, 2023
test PodSpecSecurityContext/SecurePodDefaults interaction
8b51a60 
- Secure pod default off and podspec security context off ..can't set special securitycontext properties
- Secure pod default off and podspec security context on...can change allowed securitycontext to anything, e.g. runAsNonRoot: false
- Secure pod default on and podspec security context off...must use restricted profile security properties
@kauana kauana force-pushed the secure-pod-defaults-enabled branch from 76f9f52 to 8b51a60 Compare September 29, 2023 05:13
@dprotaso
Copy link
Member

/retest

@knative-prow knative-prow bot added the area/test-and-release It flags unit/e2e/conformance/perf test issues for product features label Sep 29, 2023
@kauana kauana force-pushed the secure-pod-defaults-enabled branch from 8239a07 to a3204f1 Compare September 29, 2023 16:25
@knative-prow
Copy link

knative-prow bot commented Sep 29, 2023

@kauana: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
upgrade-tests_serving_main a3204f1 link true /test upgrade-tests

Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@dprotaso
Copy link
Member

/hold

see: #14029 (comment)

@knative-prow knative-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 29, 2023
@kauana kauana mentioned this pull request Oct 24, 2023
Closed
@github-actions GitHub Actions
Copy link

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Reopen with /reopen. Mark as fresh by adding the
comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 29, 2023
@github-actions github-actions bot closed this Jan 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krsna-m krsna-m Awaiting requested review from krsna-m

@ReToCode ReToCode Awaiting requested review from ReToCode

Assignees
No one assigned
Labels
area/API API objects and controllers area/test-and-release It flags unit/e2e/conformance/perf test issues for product features do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set secure-pod-defaults to "enabled" by default
4 participants
@kauana @psschwei @dprotaso @KauzClay