KEP: Security Profile Design Proposal #2052
Conversation
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
needs-ok-to-test
|
/assign @tallclair |
easeway
force-pushed
the
securityprofile-proposal
branch
from
b9aedc7 to
b628c64
Compare
k8s-ci-robot
added
the
sig/architecture
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
easeway
changed the title
|
I'm concerned with the lack of scoping in this proposal. Autopopulating namespaces, config as code, bootstrapping config, conformance testing, meta-policies… there are at least three or four unique sub-projects in this document. Before we get into the nitty gritty of the proposal, does it make sense to keep all of these concepts as one framework? Naively I could see conformance profiles and namespace templating being separate. Conformance profiles are a way to express the capabilities a cluster provides. Namespace templates are a tool for admins to quickly provision namespaces for users with sane security defaults. |
|
@ericchiang you are right. The unique pieces covered in the proposal are relatively independent/separate. They can be used individually. The reason putting all things together is for a really simple user experience and also the possibility to share the experience across Kubernetes clusters in different environments. I agree it will be better to break up and focus on individual pieces. I will send out individual proposals, covering:
And later update this KEP as a complete solution to demonstrate the ultimate user experience we want to achieve after things are integrated. |
| - TLS required for communication | ||
| - Explicitly specify `--wal-dir`, and `--max-wals=0` | ||
| - kube-apiserver | ||
| - TLS required for communication |
There was a problem hiding this comment.
They are defined in bootstrapping rules, the enforcement of bootstrapping rules are implementation specific, thus out of scope in this proposal.
Verification is out of scope.
I will call out these explicitly.
| - Audit logging must be explicitly configured | ||
| - No anonymous auth, basic auth (unset `--anonymous-auth`, `--basic-auth-file`) | ||
| - Required authorization-mode: Node, RBAC | ||
| - Excluded authorization-mode: ABAC, AlwaysAllow |
There was a problem hiding this comment.
please add: automountServiceAccountToken: false
There was a problem hiding this comment.
automountServiceAccountToken is a field in ServiceAccount or Pod spec. Currently, it's difficult to define that in security profile as it's can't be enforced by any component (though security profile can introduce a admission webhook to mutate that field, however, the intention of security profile is to leveraging existing mechanism, not introduce something new). So I think this will be a good feature in PodSecurityPolicy, then it can be defined in security profile.
| - file-permissions | ||
| - ... # correct setup of cert/key/config file permissions | ||
| - PodSecurityPolicy | ||
| - No priviledged |
There was a problem hiding this comment.
can you specify? I'm thinking this is: privileged: false, allowPrivilegeEscalation: false, MustRunAsNonRoot
Or is this stronger than what you were thinking for 'default'?
There was a problem hiding this comment.
I think it's stronger than what the default is proposed. I'm even thinking of removing No privileged in this profile. The default profile is designed to give the maximum compatibility with existing workloads. Add restrictions to block privileged will definitely break some workloads. So I think I need rephrase the goal for each security profiles, and add one more between default and saas-multitenancy.
| Enforcement: in addition to `default` | ||
|
|
||
| - PodSecurityPolicy | ||
| - No privileged pods |
There was a problem hiding this comment.
I should remove that from default.
There was a problem hiding this comment.
so 'default' would allow privileged pods?
Obviously I'm coming at this from a security angle, but if I turn on security profiles, I'm probably OK with it warning me that I shouldn't be running pods as privileged and then fix that - or are you saying that there isn't a lower level so they're stuck with that issue?
There was a problem hiding this comment.
This is my personal opinion (I'd like to hear other thoughts, as I'm probably wrong): the default security profile is provided to bring in the lowest level (there's no lower levels) of security (eliminate some really bad insecure configurations) without breaking compatibility of how people are using Kubernetes today. So we can use default to help Kubernetes users smoothly transit from insecure to secure. I believe privileged containers are allowed in most Kubernetes clusters with trusted users (like inside the same corp or team) and sometimes useful. That's the reason I removed "no-privileged containers" from default profile.
There was a problem hiding this comment.
got it, I see you defined default as "to be compatible with most workloads". That makes sense then.
| - persistentVolumeClaim | ||
| - projected | ||
| - secret | ||
| - NetworkPolicy |
There was a problem hiding this comment.
Why wouldn't we include this in 'default'?
There was a problem hiding this comment.
Adding NetworkPolicy (blocking all traffic by default) will break a lot of existing workloads which doesn't assume the existence of NetworkPolicy. So I think it doesn't belong to default.
|
|
||
| #### Release | ||
| Security profiles are maintained as an individual project similarly to other Kubernetes open source projects, like heapster, dashboard etc. | ||
| It has its own release lifecycle. |
There was a problem hiding this comment.
What is the goal? To roughly release in line with K8s major releases, for example?
| Uninstall is easy as resources from a bundle are labeled with bundle name. | ||
| With multiple bundles installed, it's possible multiple admission controls, controllers are running side-by-side. | ||
| With help of labeled bundle name, the admission controls, controllers will stop enforcement if the currently selected security profile is not from the same bundle. | ||
| With this mechanism, it's very simple and lightweight to switch back to the previous security profile if something unexpected happens with a new security profile. |
There was a problem hiding this comment.
to the previous security profile version?
There was a problem hiding this comment.
not exactly the version. The user may upgrade from default to saas, and find out breaking workloads and decided to switch back to default.
| With help of labeled bundle name, the admission controls, controllers will stop enforcement if the currently selected security profile is not from the same bundle. | ||
| With this mechanism, it's very simple and lightweight to switch back to the previous security profile if something unexpected happens with a new security profile. | ||
|
|
||
| When upgrading a cluster, it's possible the current security profile may not work on the new cluster version. |
There was a problem hiding this comment.
may not work, or may not be supported? (i.e., 'deprecated')
There was a problem hiding this comment.
to be accurate: may not be supported. (it's not 'deprecated' which means the profile may still work, but may not guarantee the security level it's promised to provide because of imperfection of rules, bugs in implementations, etc.)
|
|
||
| - Any bug found in enforcement logic (admission control, controllers etc) | ||
| - Improper/Incomplete rules in the profile | ||
| - Other security concerns |
There was a problem hiding this comment.
would we ever deprecate a security profile when it no longer ad some critical security functionality, even though it was the best practice for that K8s version?
For example, would we deprecate a security profile for K8s 1.5, because it does not have the ability to enforce RBAC? Is there some minimum K8s version (or recency) we require for security profiles?
There was a problem hiding this comment.
In this case, a security profile won't be deprecated for the supported K8S version. In the example mentioned, the profile will not be deprecated for K8s 1.5, however it's not supported in K8s 1.6 or above with RBAC. So for users upgrading K8s from 1.5 to 1.6 they will have to upgrade the security profile to a new version which supports both 1.5 and 1.6.
| The alternative is put test suite together with Kubernetes E2E tests in the official Kubernetes repository, | ||
| It will be a little difficult to synchronize the development work in two repos. | ||
|
|
||
| The details is out of scope of this doc. A separate doc will be focus on conformance tests. |
easeway
force-pushed
the
securityprofile-proposal
branch
from
b628c64 to
a8cb206
Compare
|
Removed Conformance tests which is on a different layer and should be separate from security profile. |
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
@easeway: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/kind kep |
k8s-ci-robot
added
kind/kep
and removed
lifecycle/stale
|
@mikedanese @enj @tallclair This KEP is listed under sig-auth. Have y'all reviewed it yet? |
|
REMINDER: KEPs are moving to k/enhancements on November 30. Please attempt to merge this KEP before then to signal consensus. Any questions regarding this move should be directed to that thread and not asked on GitHub. |
|
KEPs have moved to k/enhancements. Any questions regarding this move should be directed to that thread and not asked on GitHub. |
|
@justaugustus: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
What is the new location of this PR? I don't see it in k/enhancements? |
This is the detailed design proposal for Security Profile.
Security Profile helps managing a secured Kubernetes cluster by solving problems of:
Management complexity
Extra efforts building in-house solutions
by defining curated settings of:
And simplify the cluster management by specifying the name of security profile.
This proposal is looking for sponsorship from sig-auth,
to create a public repo as https://github.com/kubernetes-sigs/security-profiles,
that community can help curate commonly used security profiles.
Details are described in Release section in the proposal.
/sig auth
/cc @davidopp
/cc @tallclair
/cc @ericchiang
/cc @liggitt