Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If capabilities are explicitly added then also add them to the ambien… #5043

Closed
wants to merge 1 commit into from
Closed

If capabilities are explicitly added then also add them to the ambien… #5043

wants to merge 1 commit into from

Conversation

vinayakankugoyal
Copy link

…t set.

What type of PR is this?

/kind feature

What this PR does / why we need it:

his change makes it so that we add capabilities to the ambient set if they are explicitly added. So in kubernetes if we add a capability to the container securityContext then that capability will be added to the ambient set in addition to the inheritable, effective, permitted and bounding sets. This will allow users to run a container as non-root while giving it just the capabilities it needs, without having to apply file capabilities and allowing privilege escalation.

If ALL capabilities are added then we don't add ALL capabilities to the ambient set because that would make a non-root user essentially root. We also don't add the defaultUnixCaps i.e. the default capabilities that are always added to inheritable, effective, permitted and bounded sets to the ambient capability set as that will also make non-root user as power full as root.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Explicitly added capabilities are added to the ambient set.

@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Jun 28, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 28, 2021

Hi @vinayakankugoyal. Thanks for your PR.

I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 28, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 28, 2021

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vinayakankugoyal
To complete the pull request process, please assign kolyshkin after the PR has been reviewed.
You can assign the PR to them by writing /assign @kolyshkin in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@TomSweeneyRedHat
Copy link
Contributor

@vinayakankugoyal thanks for the PR but the CI requires PR's to be signed. Please git commit --amend -s, fetch, rebase and push.

@vinayakankugoyal
If capabilities are explicitly added then also add them to the ambien…
f700591 
…t set.

Signed-off-by: Vinayak Goyal <vinaygo@google.com>
@openshift-ci openshift-ci bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Jun 28, 2021
@vinayakankugoyal
Copy link
Author

@mrunalp - this is RE: kubernetes/enhancements#2757

@codecov
Copy link

codecov bot commented Jun 29, 2021

Codecov Report

Merging #5043 (f0ecc2f) into master (b67b4b5) will decrease coverage by 0.03%.
The diff coverage is 22.22%.

❗ Current head f0ecc2f differs from pull request most recent head f700591. Consider uploading reports for the commit f700591 to get more accurate results

@@            Coverage Diff             @@
##           master    #5043      +/-   ##
==========================================
- Coverage   41.72%   41.69%   -0.04%     
==========================================
  Files         108      108              
  Lines       10158    10175      +17     
==========================================
+ Hits         4238     4242       +4     
- Misses       5471     5485      +14     
+ Partials      449      448       -1

@haircommander
Copy link
Member

/ok-to-test

full review will come later, but we can run CI for now, thanks for opening @vinayakankugoyal

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 29, 2021
saschagrunert
saschagrunert reviewed Jun 29, 2021
View reviewed changes
server/container_create.go
@@ -351,6 +353,30 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
}
}

if addDefaultCapbilities {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if addDefaultCapbilities {
if !addAll && !dropAll {

to make addDefaultCapbilities obsolete

@mrunalp
Copy link
Member

mrunalp commented Jun 29, 2021

@vinayakankugoyal Thanks for the PR!
What about the case where a user drops ALL and adds back the default set?

@vinayakankugoyal
Copy link
Author

All those would be added to to the ambient set. But that in that case the user is choosing to do so, by explicitly adding them. We should be secure by default and not add anything to the ambient set if nothing is explicitly added is a safe starting point.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 28, 2022

@vinayakankugoyal: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 28, 2022
@github-actions
Copy link

A friendly reminder that this PR had no activity for 30 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 29, 2022
@openshift-ci-robot
Copy link

@vinayakankugoyal: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/kata-jenkins f700591 link true /test kata-containers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 6, 2023

@vinayakankugoyal: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ci-rhel-integration f700591 link true /test ci-rhel-integration
ci/kata-jenkins f700591 link true /test kata-containers
ci/prow/ci-images f700591 link true /test ci-images
ci/prow/ci-e2e f700591 link true /test ci-e2e
ci/prow/ci-cgroupv2-e2e-crun f700591 link true /test ci-cgroupv2-e2e-crun
ci/prow/ci-fedora-integration f700591 link true /test ci-fedora-integration
ci/prow/ci-fedora-critest f700591 link true /test ci-fedora-critest
ci/prow/images f700591 link true /test images
ci/prow/periodics-images f700591 link true /test periodics-images
ci/prow/ci-rhel-critest f700591 link true /test ci-rhel-critest
ci/prow/ci-e2e-conmonrs f700591 link true /test ci-e2e-conmonrs
ci/prow/ci-cgroupv2-integration f700591 link true /test ci-cgroupv2-integration
ci/prow/ci-cgroupv2-e2e-features f700591 link true /test ci-cgroupv2-e2e-features
ci/prow/ci-crun-e2e f700591 link true /test ci-crun-e2e
ci/prow/ci-cgroupv2-e2e f700591 link true /test ci-cgroupv2-e2e
ci/prow/e2e-aws-ovn f700591 link true /test e2e-aws-ovn
ci/prow/ci-rhel-e2e f700591 link true /test ci-rhel-e2e
ci/prow/e2e-gcp-ovn f700591 link true /test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@haircommander
Copy link
Member

I think this PR doesn't make sense right now. I think we'd want an alternate way for container's to specify ambient caps, ideally with proper pod API support in kube. I am closing this. Thanks for your PR @vinayakankugoyal

@pacoxu pacoxu mentioned this pull request Sep 9, 2024
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saschagrunert saschagrunert saschagrunert left review comments

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@runcom runcom Awaiting requested review from runcom

Assignees
No one assigned
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@vinayakankugoyal @TomSweeneyRedHat @haircommander @mrunalp @openshift-ci-robot @saschagrunert