
Enforce Pod Security Standard restricted #2021

Open. Wants to merge 5 commits into base: main from the pss branch.
Conversation

@collivier (Collaborator) commented May 10, 2024

Description

https://kubernetes.io/docs/tutorials/security/cluster-level-pss/

Issues:

close: #1887

How has this been tested:

  • Covered by existing integration testing
  • Added integration testing to cover
  • Verified all A/C passes
    • develop
    • master
    • tag/other branch
  • Test environment
    • Shared Packet K8s cluster
    • New Packet K8s cluster
    • Kind cluster
  • Have not tested

@kosstennbl (Collaborator) commented:

For ease of review:

TLDR: add PodSecurity: restricted as ClusterConfiguration to cluster.yml in GitHub Actions.

This PR creates the file /tmp/pss/cluster-level-pss.yaml with contents:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces:
        - kube-system
        - local-path-storage

Then, during the "Mirror setup", "sysctls specs kind config override" and "Mirror override" steps, it modifies the creation of cluster.yml: the file cluster-level-pss.yaml is mounted as an extra mount and used as ClusterConfiguration.
Also, the image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245 lines are removed from cluster.yml, the intentions for which are not very clear.

@collivier (Collaborator, Author) commented May 21, 2024

> Also, the image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245 lines are removed from cluster.yml, the intentions for which are not very clear.

It was discussed in the previous PR that double (image) pinning was useless as kind is already pinned. This will be clarified in a second pending commit.

@kosstennbl (Collaborator) commented:

I don't have too much experience with Kubernetes and Helm, and trying to review changes like this is new for me. Sorry if some of the questions are obvious or don't make much sense.

  1. It seems that chaos and some other tests aren't covered by this change, as they have their own creation of cluster.yml. Is it intentional?
  2. It's not quite clear to me how this change helps with the functest issue: it seems that functest patches to the "baseline" security level, and it patches completely different namespaces. The litmus and cnf-testsuite namespaces are created during execution of cnf-testsuite tasks, and it seems to me that they won't have any PodSecurity admission controls when tested with this change.
  3. I'm not sure, but maybe we could test the functionality of the testsuite with restricted PodSecurity as a separate job in the pipeline, not in the "spec" job? It seems that the controls applied by this restricted policy collide with some of the testsuite tests, and even though the namespaces affected shouldn't have resources of the installed CNF, I'm still worried that some of the spec test results could be unclear or incorrect.

> It was discussed in the previous PR that double (image) pinning was useless as kind is already pinned. This will be clarified in a second pending commit.

Couldn't find the discussion, can you link it please?

@martin-mat (Collaborator) commented:

gh actions failing:
[image]

@collivier force-pushed the pss branch 3 times, most recently from fce9f6c to 329e025 on January 7, 2025 14:51
…atform

It's not really relevant in case of platform testing and both
Cluster API and sonobuoy (it fails if namespace exists) don't
work in this particular case.

Signed-off-by: Cédric Ollivier <[email protected]>
It adds "pod-security.kubernetes.io/enforce: privileged" in:
- both cnf-testsuite and litmus namespaces created by cnf-testsuite
- all manifest files used as samples for the cnf-testsuite workflows
- the namespace created by cnf-testsuite for the helm chart deployment
- the registry manifest files

It also fixes a couple of indent issues discovered during the changes
and slightly fixes litmus deployment logic.

Signed-off-by: Cédric Ollivier <[email protected]>
It allows running observability and platform:observability
when Pod Security Standard restricted is enforced.

It also sets the namespace cnf-space and the right label in
the sample-openmetrics manifest.

Signed-off-by: Cédric Ollivier <[email protected]>
It also uses the right constant instead of cnf-testsuite directly
and unifies all samples to use namespace cnfspace.

It also fixes a spec test in shared_database, installing now
the chart in a dedicated namespace with the right labels.

Signed-off-by: Cédric Ollivier <[email protected]>
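The review summary above quotes the cluster-wide PodSecurity admission configuration, and the commit messages describe labelling cnf-testsuite's own namespaces "privileged" so their workloads keep running. The script below is an added example, not code from this PR or from the cnf-testsuite project: it writes that admission configuration, generates the kind cluster config that mounts it into the control-plane node and points kube-apiserver at it (layout taken from the Kubernetes cluster-level-pss tutorial linked in the PR description), and emits a Namespace manifest carrying the per-namespace override label. The function names, the PSS_DIR variable and the cluster.yml output path are assumptions; the admission config content and /tmp/pss/cluster-level-pss.yaml are the values quoted in the review. Namespace labels take precedence over the admission config defaults, which is why a "privileged" label on cnf-testsuite's namespaces bypasses the restricted default while every other namespace still gets it.

```shell
#!/usr/bin/env bash
# Added example (not the PR's own workflow code): build the files a kind cluster
# needs to enforce the "restricted" Pod Security Standard cluster-wide, plus a
# namespace manifest with the per-namespace override label the PR commits use.
# PSS_DIR, the function names and cluster.yml are assumptions of this example.
set -eu

PSS_DIR="${PSS_DIR:-/tmp/pss}"

# Admission configuration, same content as the file quoted in the review.
write_admission_config() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/cluster-level-pss.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces:
        - kube-system
        - local-path-storage
EOF
  echo "$dir/cluster-level-pss.yaml"
}

# kind cluster config: mount the host directory into the control-plane node and
# pass it to kube-apiserver via --admission-control-config-file (layout follows
# the Kubernetes cluster-level-pss tutorial linked in the PR description).
write_kind_config() {
  local dir="$1"
  cat > "$dir/cluster.yml" <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        admission-control-config-file: /etc/config/cluster-level-pss.yaml
      extraVolumes:
        - name: accf
          hostPath: /etc/config
          mountPath: /etc/config
          readOnly: false
          pathType: "DirectoryOrCreate"
  extraMounts:
  - hostPath: $dir
    containerPath: /etc/config
    readOnly: false
EOF
  echo "$dir/cluster.yml"
}

# Namespace manifest with a per-namespace override: labels on the namespace take
# precedence over the admission config defaults, so "privileged" here exempts
# only this namespace from the cluster-wide "restricted" enforcement.
namespace_manifest() {
  local name="$1" level="${2:-privileged}"
  printf 'apiVersion: v1\nkind: Namespace\nmetadata:\n  name: %s\n  labels:\n    pod-security.kubernetes.io/enforce: %s\n' "$name" "$level"
}

# Sanity check: how many PodSecurity modes (enforce/audit/warn) a generated
# admission config sets to "restricted".
restricted_mode_count() {
  grep -cE '^[[:space:]]+(enforce|audit|warn): "restricted"$' "$1"
}

# Usage: PSS_DIR=/tmp/pss ./pss-kind.sh create
# The cluster is created only on request so the functions can be exercised offline.
if [ "${1:-}" = "create" ]; then
  write_admission_config "$PSS_DIR" >/dev/null
  kindcfg="$(write_kind_config "$PSS_DIR")"
  kind create cluster --config "$kindcfg"
  namespace_manifest cnf-testsuite privileged | kubectl apply -f -
fi
```

After `kind create cluster`, a pod that lacks the restricted profile's securityContext settings is rejected in any unlabelled namespace, while the same pod is admitted (with no warning) in a namespace created from namespace_manifest with the "privileged" level; switching the second argument to "baseline" or "restricted" shows the narrower overrides the review discusses.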
Successfully merging this pull request may close these issues.

[Feature] Cover CNF Test Suite vs Clusters where Pod Security Standard restricted is enforced