KEP-1441: update sysadmin profile to remove CAP_SYS_ADMIN and add privileged

[eiffel-fl]

• One-line PR description: As discussed in kubectl debug: add sysadmin profile kubernetes#119200, I updated sysadmin profile to remove CAP_SYS_ADMIN and uses privileged in all debug cases.

• Issue link: KEP 1441 - kubectl debug #1441

• Other comments:

[k8s-ci-robot]

Hi @eiffel-fl. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[soltysh]

Looks like this has been updated in #4160, not sure if this one is needed. Feel free to re-open if it still is valid.

[eiffel-fl]

Hi.

Sorry, but you went too fast.
This PR is about sysadmin while #4160 is about netadmin.
I sadly cannot re-open, can you please do?

Best regards.

[soltysh]

/ok-to-test
it's likely that since the other PR merged you might need to rebase

[ardaguclu]

@eiffel-fl could you please give more details about why we need to remove CAP_SYS_ADMIN?. I think, one of the major consequence of this change is netadmin seems more privileged than sysadmin which seems to me counter-intuitive.

[eiffel-fl]

@eiffel-fl could you please give more details about why we need to remove CAP_SYS_ADMIN?. I think, one of the major consequence of this change is netadmin seems more privileged than sysadmin which seems to me counter-intuitive.

Sure!
Basically this KEP upgrades sysadmin to use privileges for all case (nod, pod, etc.) rather than CAP_SYS_ADMIN.
So, sysadmin is still more privileged than netadmin as privileged should give all capabilities.
You will find more details in the discussion of this PR:
kubernetes/kubernetes#119200

[eiffel-fl]

Hi!

I do not want to put pressure on anyone but a review before end of this year would be really appreciated :D!

Best regards.

[lion7]

I so needed this today (together with kubernetes/kubernetes#119200).

In my use case, I'm trying to debug a Talos Linux node (Talos has no shell, so debug pods are the only way to do diagnostics). It's just awkward to spawn my own pod when the kubectl debug --profile netadmin almost does what I want (netadmin gives privileged too, but without mounting the host filesystem). See kubernetes/kubernetes#119200 (comment) for a more detailed explanation of this use-case.

[ardaguclu]

This makes sense as we discussed earlier;

/lgtm
/cc @verb

[soltysh]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eiffel-fl, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-cli/OWNERS [soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[eiffel-fl]

Thank you for the merge!