Strip unnecessary security contexts on Windows #93475
Conversation
|
/sig node |
pkg/securitycontext/util.go
Outdated
There was a problem hiding this comment.
extra space causing gofmt failure
pkg/securitycontext/util.go
Outdated
There was a problem hiding this comment.
DetermineEffectiveSecurityContext returns right away if the checks above are satisfied. In that case, if the effectiveSc or containerSc happens to have the members of a security context that do not apply to Windows, they will continue to be returned (and will not be stripped as below).
Since the desired action is specific to Windows, have you considered cleaning up the security contexts in the Windows caller? That would:
- Allow the early/optimized exit paths above to continue to work.
- Allow
DetermineEffectiveSecurityContextto be invoked from a cluster-wide controller context (if needed in the future) rather than the node-specific kubelet context. Theruntime.GOOS != "windows"checks assumesDetermineEffectiveSecurityContextwill never be invoked from a cluster-wide controller context.
There was a problem hiding this comment.
Doing this work in the windows specific code makes sense. We have run into a few other places where this has come up with security context: #92355. In the future there could be a place where some of the these attributes might be available if a form of privileged containers becomes available.
The move to doing the checks in windows specific code makes the resulting logic here much simpler over adding complex if statements which will become hard to maintain and easily introduce bugs.
There was a problem hiding this comment.
I initially thought about it, however we have to call DetermineEffectiveSecurityContext first and then resetting the values at the call site which did not make much sense to me. Having said that, I am fine making the change, so that we can have everything within the Windows caller to improve readability.
pkg/securitycontext/util.go
Outdated
There was a problem hiding this comment.
The effectiveSc != nil && containerSc != nil checks seem to be taken care of by the checks above but I think this is safer code.
|
Can we add a test to verify that the desired behavior works once this PR is merged? |
|
@ravisantoshgudimetla what recent change caused this pod crash behavior? |
|
/milestone v1.20 |
pkg/securitycontext/util.go
Outdated
There was a problem hiding this comment.
I don't think this one should be overridden due to the conversation on #92355 (comment) where we decided to check that the ContainerAdministrator is not set for a RunAsNonRoot check.
pkg/securitycontext/util.go
Outdated
There was a problem hiding this comment.
same as above via: #92355 (comment)
Is there a reason this PR should not add tests for this iteration instead of after the fact? At the very least should have unit tests for this behavior. Having an e2e test for this would also be valuable to verify the the behavior does improve. |
Yeah that's what I meant, I just phrased it confusingly :) |
8531fe8 to
b3150b1
Compare
bcfbf2e to
3bac4eb
Compare
This is not something new. This behavior was there from a long time |
|
Thank you @ddebroy @jsturtevant @pjh for your reviews. I addressed your comments. I added a test but I am not sure, if it is in right place. PTAL. |
3bac4eb to
1f1c448
Compare
|
/test pull-kubernetes-integration |
|
I am glad to see this pr.I am very excited to see this pr, I have some questions to ask:
It seems that the current pr does not really solve these problems If we want to solve these problems, we need to run different logics according to the operating system when sanbox is created, and at the same time pass the identity information to cri I am also trying to fix this logic recently. I mentioned an issue #92963 and a pr #93299 before(wip). Can you help discuss whether this method is ok |
|
@wawa0210 - Thank you for reviewing the PR.
Please look at the comment - #93475 (comment). It is my understanding that for the Windows pods there is no need to have sandbox level security Constraints. If we want to push the securityContext outside from Container Security Context to sandbox security constraints it needs a broader discussion as it needs api changes and beyond the scope of current PR
The first question that we need to ask is do we need container sandbox for Windows considering all the security options are at the container Security contexts. What does the new WindowsSandboxConfig offer - just the security options, for example in case of linux we need to identify parent cgroup etc. If it is just the security options there is no need to define new api around it. @ddebroy has created #93580 to remove the dependency on the LinuxContainerConfig, as part of that, we can see to move the podSecurityContext to the caller function which should the remove the dependency on LinuxContainerConfig without creating WindowsContainerConfig at the pod level |
Thank you for your reply. It is true that Windows pods support sandbox level security Constraints and do not belong to the scope of the current pr. But I think this feature is really needed, from #92963 (comment). Because if we need to implement this feature, it will include the changes in the current pr If possible, we can discuss this topic in another pr or issue #92963 or #93299 |
|
this will be moved back into the milestone as part of the phased reopen for 1.20 merges |
|
I took a look at this from the perspective of where sig-windows would like to go longer term with the KEP for Privileged Containers and in relation to the issue for supporting runasuser in pod sandbox (#92963) A few things standout:
I think the approach in #93299 is closer to what we need longer term (solves 1 & 2) and would negate the need for the code here that strips the security constraints on the linux configuration but there is more discussion I think that needs to happen (CRI changes and containerd would need to support the sandbox configuration). I also think the test this PR introduces is valuable for sig-windows. Since the Privileged Container KEP is still in review and the CRI changes are bigger, this LGTM with the caveat that once we split the dependency on linux configuration these checks should be removed (though they wouldn't hurt anything if it was moved to a linux only file as proposed by #93299) Thoughts? |
|
one additional thought, @ravisantoshgudimetla did you look into adding unit tests for this in https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go? |
@jsturtevant - I'd also like to remove the check on the kubelet side and have the api to have windowsSpecific fields in the long term.
I initially wanted to add units but there were not many edge cases considering the changes we're making are OS specific. |
|
/test pull-kubernetes-e2e-kind-ipv6 |
|
@SergeyKanzhelev @ddebroy could we get a review/approval? |
| if pod.Spec.SecurityContext != nil { | ||
| sc := pod.Spec.SecurityContext | ||
| if sc.RunAsUser != nil { | ||
| if sc.RunAsUser != nil && runtime.GOOS != "windows" { |
There was a problem hiding this comment.
it looks like misconfiguration if windows pod configured like this. Should this if has else to report this misconfiguration as a warning?
There was a problem hiding this comment.
we discussed this a bit as well at sig-windows, my understanding is the use case where users are running into this is when there was automation that assigns security contexts to all pods. The expectation from the windows perspective since these fields are marked as not supported on windows they would be ignored. @ravisantoshgudimetla can confirm
|
@ddebroy your approval is needed for test/e2e/windows/OWNERS |
|
/approve |
|
Issue capturing the weirdness of calling In the meantime, |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ddebroy, ravisantoshgudimetla, sjenning The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/milestone v1.20 |
What type of PR is this?
/kind bug
/kind cleanup
What this PR does / why we need it:
As of now, the kubelet is passing the security context to container runtime even
if the security context has invalid options for a particular OS. As a result,
the pod fails to come up on the node. This error is particularly pronounced on
the Windows nodes where kubelet is allowing Linux specific options like SELinux,
RunAsUser etc where as in documentation,
we clearly state they are not supported. This PR ensures that the kubelet strips
the security contexts of the pod, if they don't make sense on the Windows OS.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/sig windows