Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Apply PodSecurityStandard in Secure Cluster Class #6390

Merged

Conversation

chrischdi
Copy link
Member

@chrischdi chrischdi commented Apr 7, 2022

What this PR does / why we need it:

Adds a baseline pod security standard which gets enforced at cluster level.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Resolves parts of #6329

Open for discussion for me:

Wether or not add it to the default ClusterClass or add a separate ClusterClass e.g. called capi-quickstart-secure.
A second ClusterClass would have the con of duplicating the normal quick-start ClusterClass with lots of duplicated content.

If adding the PSS to the default cluster class results into issues we could also work the other way around and add a "insecure" ClusterClass named capi-quickstart-secure fur users to fallback to (clusterctl generate cluster capi-quickstart --flavor development-topology-insecure ...).

TODO:

  • squash commits

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Apr 7, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: chrischdi / name: Christian Schlotter (7c704c5)

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Apr 7, 2022
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Apr 7, 2022
@killianmuldoon
Copy link
Contributor

killianmuldoon commented Apr 7, 2022

Awesome - this is working for me:

The Pod "busybox" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)
  core.PodSpec{
        Volumes:        {{Name: "kube-api-access-p9jbd", VolumeSource: {Projected: &{Sources: {{ServiceAccountToken: &{ExpirationSeconds: 3607, Path: "token"}}, {ConfigMap: &{LocalObjectReference: {Name: "kube-root-ca.crt"}, Items: {{Key: "ca.crt", Path: "ca.crt"}}}}, {DownwardAPI: &{Items: {{Path: "namespace", FieldRef: &{APIVersion: "v1", FieldPath: "metadata.namespace"}}}}}}, DefaultMode: &420}}}},
        InitContainers: nil,
        Containers: []core.Container{
                {
                        ... // 16 identical fields
                        TerminationMessagePolicy: "File",
                        ImagePullPolicy:          "IfNotPresent",
-                       SecurityContext:          &core.SecurityContext{Privileged: &true},
+                       SecurityContext:          nil,
                        Stdin:                    false,
                        StdinOnce:                false,
                        TTY:                      false,
                },
        },
        EphemeralContainers: nil,
        RestartPolicy:       "Always",
        ... // 5 identical fields
        AutomountServiceAccountToken: nil,
        NodeName:                     "cloister-linux-workers-ppp8v-775fffb45b-kdp7k",
        SecurityContext: &core.PodSecurityContext{
-               HostNetwork: true,
+               HostNetwork: false,
                HostPID:     false,
                HostIPC:     false,
                ... // 11 identical fields
        },
        ImagePullSecrets: nil,
        Hostname:         "",
        ... // 15 identical fields
  }

We should run the full e2e suite on this before merging to make sure it doesn't break anything (as this modifies the ClusterClass that underpins all of our tests). I don't think there should be an issue, but just in case.

@killianmuldoon
Copy link
Contributor

/test pull-cluster-api-e2e-full-main

@PushkarJ
Copy link
Member

PushkarJ commented Apr 7, 2022

@chrischdi Thank you so much for getting around to opening this PR so quickly!!!!

@PushkarJ
Copy link
Member

PushkarJ commented Apr 7, 2022

If adding the PSS to the default cluster class results into issues

What would be the definition of "no issues detected by this change?". If it is only about e2e test passing then looks like we have achieved that already!! 🎉

we could also work the other way around and add a "insecure" ClusterClass named capi-quickstart-insecure for users to fallback to (clusterctl generate cluster capi-quickstart --flavor development-topology-insecure ...)

Yeah that makes sense to me because it meets second and third guideline on secure defaults in cloud native apps mentioned here: https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md

Next step for me sounds like figuring out how we can enable this across all CAPI cloud providers.

@killianmuldoon
Copy link
Contributor

I think we should be happy with adding this as is for now as the main use for this ClusterClass is e2e testing and a reference implementation.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 8, 2022
@chrischdi
Copy link
Member Author

chrischdi commented Apr 8, 2022

For the cloud providers there currently are no pre-generated/pre-defined cluster classes to use (I checked the latest releases of CAPA, CAPZ and CAPG).

From a clusterctl perspective: Currently it is only consuming the released yaml files of the infrastructure providers (in case of this PR the docker infrastructure provider).
The docker infrastructure provider is the only one currently providing cluster class manifests (selected via the flag --flavor development-topology).

One thing we could do to improve here would be to add a security guidelines section to the book as proposed by fabrizzio here.

Edit: maybe we should move this discussion then back to the issue #6329 :-)

@fabriziopandini
Copy link
Member

fabriziopandini commented Apr 8, 2022

Whether or not add it to the default ClusterClass or add a separate ClusterClass e.g. called capi-quickstart-secure.
A second ClusterClass would have the con of duplicating the normal quick-start ClusterClass with lots of duplicated content.

If adding the PSS to the default cluster class results into issues we could also work the other way around and add a "insecure" ClusterClass named capi-quickstart-secure fur users to fallback to (clusterctl generate cluster capi-quickstart --flavor development-topology-insecure ...).

What if we add a variable, named enable-PodSecurityStandard defaulted to true, and we use this var to add/remove the changes in this PR via patches (instead of changing editing templates sources).

Pushing this a little bit further, we can make this variable a struct allowing users to define:

  • Pod Security standard name (restricted, baseline, privileged)
  • Applicable mode (enforce, warn, audit)
  • Applicable version (usually default)
    (this can be also a follow up iteration)

Also, what about extending the scope of this PR including the creation of a security guidelines section n the book (probably under tasks) with a short description to how to enable pod-security-standards + an inline version of the above variable/patches and a link to the CAPD example

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 12, 2022
@chrischdi
Copy link
Member Author

Whether or not add it to the default ClusterClass or add a separate ClusterClass e.g. called capi-quickstart-secure.
A second ClusterClass would have the con of duplicating the normal quick-start ClusterClass with lots of duplicated content.

If adding the PSS to the default cluster class results into issues we could also work the other way around and add a "insecure" ClusterClass named capi-quickstart-secure fur users to fallback to (clusterctl generate cluster capi-quickstart --flavor development-topology-insecure ...).

What if we add a variable, named enable-PodSecurityStandard defaulted to true, and we use this var to add/remove the changes in this PR via patches (instead of changing editing templates sources).

Pushing this a little bit further, we can make this variable a struct allowing users to define:

  • Pod Security standard name (restricted, baseline, privileged)
  • Applicable mode (enforce, warn, audit)
  • Applicable version (usually default)
    (this can be also a follow up iteration)

Also, what about extending the scope of this PR including the creation of a security guidelines section n the book (probably under tasks) with a short description to how to enable pod-security-standards + an inline version of the above variable/patches and a link to the CAPD example

I did some refactoring of the PR :-)

  • I added a todo at the top-level comment so I don't forget to squash commits
  • Refactored the configuration to use patches via cluster class instead which allows configuring the levels and disabling the patches (keeping the default enabled)
  • book/quick-start: added a short part to mention how PSS could be disabled for the docker quickstart
  • book/writing cluster class: added a Limitation section to note the unability to append to empty slices via json patches
  • book/security-guidelines: added a section which as of now only contains adding pod security policy to a cluster class

Copy link
Member

@PushkarJ PushkarJ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few suggestions on docs for clarity. But overall looks good!!

@PushkarJ
Copy link
Member

PushkarJ commented Apr 14, 2022

Would it make sense to add the content from #6152 in to the security guidelines section created in this PR?

Edit: To be clear, Not suggesting to add it in this PR but in follow up PRs :)

@PushkarJ
Copy link
Member

/retitle Apply PodSecurityStandard in Secure Cluster Class

(Since the scope of the PR has changed thought this might be a better reflection of the work being done. Please revert/edit as needed)

@k8s-ci-robot k8s-ci-robot changed the title ✨ CAPD: add PodSecurityStandard to quickstart topology for security by default Apply PodSecurityStandard in Secure Cluster Class Apr 14, 2022
@killianmuldoon
Copy link
Contributor

/retitle ✨ Apply PodSecurityStandard in Secure Cluster Class

Just adding a prefix to make this work for our release note generation process 🙂

@k8s-ci-robot k8s-ci-robot changed the title Apply PodSecurityStandard in Secure Cluster Class ✨ Apply PodSecurityStandard in Secure Cluster Class Apr 15, 2022
@chrischdi chrischdi force-pushed the issue-6329-add-admission-pss branch from 6b38f19 to ca3eb82 Compare April 19, 2022 08:09
@chrischdi
Copy link
Member Author

Thanks for the detailed review 👍

Would it make sense to add the content from #6152 in to the security guidelines section created in this PR?

Edit: To be clear, Not suggesting to add it in this PR but in follow up PRs :)

Should be fine to add the content of #6152 in a separate PR.

Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last round of nits but really looking forward to get this merged

@chrischdi chrischdi force-pushed the issue-6329-add-admission-pss branch from ca3eb82 to 96ed69d Compare April 19, 2022 15:17
@chrischdi
Copy link
Member Author

Addressed comments and rebased for squashing :-)

@chrischdi
Copy link
Member Author

/test help

@k8s-ci-robot
Copy link
Contributor

@chrischdi: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-cluster-api-build-main
  • /test pull-cluster-api-e2e-main
  • /test pull-cluster-api-test-main
  • /test pull-cluster-api-test-mink8s-main
  • /test pull-cluster-api-verify-main

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-apidiff-main
  • /test pull-cluster-api-e2e-full-main
  • /test pull-cluster-api-e2e-informing-ipv6-main
  • /test pull-cluster-api-e2e-informing-main
  • /test pull-cluster-api-e2e-workload-upgrade-1-23-latest-main

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-apidiff-main
  • pull-cluster-api-build-main
  • pull-cluster-api-e2e-informing-ipv6-main
  • pull-cluster-api-e2e-informing-main
  • pull-cluster-api-e2e-main
  • pull-cluster-api-test-main
  • pull-cluster-api-test-mink8s-main
  • pull-cluster-api-verify-main

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@chrischdi
Copy link
Member Author

cert-manager failed. Should be unrelated

/test pull-cluster-api-e2e-main

@fabriziopandini
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 20, 2022
@PushkarJ
Copy link
Member

/lgtm

(Thank you so much for working on this @chrischdi !)

@fabriziopandini
Copy link
Member

/test pull-cluster-api-test-full-main

@k8s-ci-robot
Copy link
Contributor

@fabriziopandini: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-cluster-api-build-main
  • /test pull-cluster-api-e2e-main
  • /test pull-cluster-api-test-main
  • /test pull-cluster-api-test-mink8s-main
  • /test pull-cluster-api-verify-main

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-apidiff-main
  • /test pull-cluster-api-e2e-full-main
  • /test pull-cluster-api-e2e-informing-ipv6-main
  • /test pull-cluster-api-e2e-informing-main
  • /test pull-cluster-api-e2e-workload-upgrade-1-23-latest-main

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-apidiff-main
  • pull-cluster-api-build-main
  • pull-cluster-api-e2e-informing-ipv6-main
  • pull-cluster-api-e2e-informing-main
  • pull-cluster-api-e2e-main
  • pull-cluster-api-test-main
  • pull-cluster-api-test-mink8s-main
  • pull-cluster-api-verify-main

In response to this:

/test pull-cluster-api-test-full-main

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@fabriziopandini
Copy link
Member

/test pull-cluster-api-e2e-full-main

Copy link
Member

@sbueringer sbueringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice

I assume the current state is manually tested.

It would be really nice to see a follow-up PR to include those changes in our e2e test quickstart ClusterClass to:

  • find out if this is compatible with our e2e tests
  • to keep the diff between tested templates/ClusterClass and released template as small as possible

* use parametrizable patches via ClusterClass instead of statically adding the Pod Security Standard
* book: introduce security guidelines section
* book: add security guidelines section about Pod Security Standard
* book: add section about limitation of cluster class json patches

Signed-off-by: Christian Schlotter <[email protected]>
@chrischdi chrischdi force-pushed the issue-6329-add-admission-pss branch from 96ed69d to 9d3927f Compare April 27, 2022 18:32
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 27, 2022
@chrischdi
Copy link
Member Author

chrischdi commented Apr 27, 2022

Thanks for the detailed review. I applied changes according the following patch:

--- a/docs/book/src/security/pod-security-standards.md
+++ b/docs/book/src/security/pod-security-standards.md
@@ -3,7 +3,7 @@
 Pod Security Admission allows applying [Pod Security Standards] during creation of pods at the cluster level.

 The flavor `development-topology` for the docker provider used in [Quick Start](../user/quick-start.md) already includes a basic Pod Security Standard configuration.
-It is using variables and patches via ClusterClass to inject the configuration.
+It is using ClusterClass variables and patches to inject the configuration.

 ## Adding a basic Pod Security Standards configuration to a ClusterClass

@@ -51,7 +51,7 @@ spec:

 The following snippet contains the patch to be added to the ClusterClass.

-Due to [limitations of ClusterClass with patches](../tasks/experimental-features/cluster-class/write-clusterclass.md#limitations-of-clusterclass-with-patches) there are two versions for this patch.
+Due to [limitations of ClusterClass with patches](../tasks/experimental-features/cluster-class/write-clusterclass.md#json-patches-tips--tricks) there are two versions for this patch.

 {{#tabs name:"tab-configuration-patches" tabs:"Add to existing slice,Create slice"}}
 {{#tab Append}}
@@ -76,7 +76,7 @@ spec:
         matchResources:
           controlPlane: true
       jsonPatches:
-       - op: add
+      - op: add
         path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs"
         value:
           admission-control-config-file: "/etc/kubernetes/kube-apiserver-admission-pss.yaml"
@@ -133,7 +133,7 @@ kind: ClusterClass
 spec:
   ...
   patches:
-  - name: admissionPodSecurityPolicy
+  - name: podSecurityStandard
     description: "Adds an admission configuration for PodSecurity to the kube-apiserver."
     definitions:
     - selector:
@@ -190,7 +190,7 @@ spec:

 ### Create a secure Cluster using the ClusterClass

-After adding the variables and patdocs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.mdches the Pod Security Standards would be applied by default.
+After adding the variables and patches the Pod Security Standards would be applied by default.
 It is also possible to disable this patch or configure different levels for the configuration
 using variables.

diff --git a/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md b/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md
index 32b6a1dc6..4d62bf6c7 100644
--- a/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md
+++ b/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md
@@ -685,12 +685,11 @@ add operation must exist.
 As a consequence ClusterClass authors should pay special attention when the following
 conditions apply in order to prevent errors when a patch is applied:

-* the patch is a JSON patch
-* the patch tries to `add` a value to a **slice**
+* the patch tries to `add` a value to an **array** (which is a **slice** in the corresponding go struct)
 * the slice was defined with `omitempty`
 * the slice currently does not exist

-A workaround in this particular case is to create the slice in the patch instead of adding it to the non-existing one.
+A workaround in this particular case is to create the array in the patch instead of adding to the non-existing one.
 When creating the slice, existing values would be overwritten so this should only be used when it does not exist.

 The following example shows both cases to consider while writing a patch for adding a value to a slice.

I will verify again the last open point tomorrow.

Edit: verified and works as outlined in the doc

@sbueringer
Copy link
Member

Check, looks good so far

@sbueringer
Copy link
Member

sbueringer commented Apr 27, 2022

Thank you!
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 27, 2022
Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 28, 2022
@k8s-ci-robot k8s-ci-robot merged commit 813e702 into kubernetes-sigs:main Apr 28, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.2 milestone Apr 28, 2022
@chrischdi chrischdi deleted the issue-6329-add-admission-pss branch June 30, 2022 06:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants