Document kubernetes.io/psp annotation #30578

Closed
disconnect3d opened this issue Apr 8, 2020 · 12 comments
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. language/en Issues or PRs related to English language lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/docs Categorizes an issue or PR as relevant to SIG Docs. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@disconnect3d

Hey,

I have a question regarding validating if PSP is applied, as well as an enhancement request on clarifying this.

It seems to me that when a Pod is validated with a PSP, a "kubernetes.io/psp" annotation is added, with the name of the pod security policy that was used as its value. It is not obvious whether that mechanism can be relied on, especially since it is not documented in the PSP documentation - https://kubernetes.io/docs/concepts/policy/pod-security-policy/.

However, it can be found to be relied on per the psp/rbac examples readme:
https://github.com/kubernetes/examples/blob/master/staging/podsecuritypolicy/rbac/README.md#testing-access

"Show me the code"

The "kubernetes.io/psp" annotation is defined in pkg/security/podsecuritypolicy/util/util.go#L29 and the annotation is written into the pod object in plugin/pkg/admission/security/podsecuritypolicy/admission.go#L139. I haven't debugged this piece of code, nor have I tested whether it is invoked in all possible paths, and so on. That's also partially why I want to make this issue: to confirm this detail ;).

TLDR

What would you like to be added:
Documentation about the kubernetes.io/psp annotation in Pod Security Policy docs.

Why is this needed:
To know how to check if a given Pod was validated by a given PSP. This can be very important when using managed Kubernetes services, as some providers add a "privileged" PSP by default to keep backward compatibility.

It will also be useful for auditors to have a ground truth for this behaviour and have a place to link to :).
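The check the issue asks about, as an added example (not code from the Kubernetes project or from the issue author): read the output of `kubectl get pods --all-namespaces -o json`, report the PSP name recorded in each Pod's `kubernetes.io/psp` annotation, and flag Pods that were admitted by a permissive policy such as the default "privileged" PSP some managed providers install, or that carry no annotation at all. The PodList embedded below is constructed sample data; the policy names `restricted` and `privileged` and the flagging rule are assumptions for the illustration, not anything the thread establishes.

```python
"""Audit which PodSecurityPolicy admitted each Pod via the kubernetes.io/psp annotation.

Added example, not Kubernetes project code. Usage:
    kubectl get pods --all-namespaces -o json | python3 psp_audit.py -
Without the '-' argument the constructed sample below is audited instead.
"""
import json
import sys

PSP_ANNOTATION = "kubernetes.io/psp"

# Constructed sample in the shape of `kubectl get pods -A -o json` output,
# covering the three cases an auditor meets: a restrictive policy, a permissive
# one, and a Pod with no policy recorded. Names and policies are made up.
SAMPLE_PODLIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "payments", "name": "api-7c9d",
                      "annotations": {PSP_ANNOTATION: "restricted"}}},
        {"metadata": {"namespace": "kube-system", "name": "node-agent-x1",
                      "annotations": {PSP_ANNOTATION: "privileged"}}},
        {"metadata": {"namespace": "default", "name": "legacy-job-q2"}},
    ],
}


def psp_for_pod(pod):
    """Return the PSP name recorded on the Pod, or None if the annotation is absent.

    `annotations` may be missing or explicitly null in the JSON, so both are
    treated as an empty mapping.
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return annotations.get(PSP_ANNOTATION)


def audit_psp(podlist, flagged=("privileged",)):
    """Map every Pod in a PodList to the PSP that admitted it.

    Each result carries namespace, name, psp (None when unrecorded) and a
    boolean 'flag' that is set when the PSP name is in `flagged` (assumed
    permissive policies) or when no PSP was recorded for the Pod.
    """
    results = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        psp = psp_for_pod(pod)
        results.append({
            "namespace": meta.get("namespace", ""),
            "name": meta.get("name", ""),
            "psp": psp,
            "flag": psp is None or psp in flagged,
        })
    return results


def main(argv):
    if len(argv) > 1 and argv[1] == "-":
        podlist = json.load(sys.stdin)
    else:
        podlist = SAMPLE_PODLIST
    rows = audit_psp(podlist)
    for r in rows:
        marker = "FLAG" if r["flag"] else "ok  "
        print(f"{marker} {r['namespace']}/{r['name']}: {PSP_ANNOTATION}={r['psp']}")
    # Non-zero exit so the script can gate a CI or audit pipeline.
    return 1 if any(r["flag"] for r in rows) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A Pod without the annotation is reported rather than explained: the thread only establishes that the annotation is written for Pods that passed PSP validation, so its absence is a finding to investigate, not proof of a particular cause.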

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@disconnect3d
Author

Any chance someone confirms it is a valid way to get the applied PSP in all cases? I can send a PR to improve the docs.

Maybe @sttts or @pweil- (via git blame around the linked code)?

@pweil-

pweil- commented Jul 30, 2020

Hi @disconnect3d. The code you point out would run for any pod that passed validation; however, given the current state of PSP and the deprecation policy, I would defer to @tallclair on whether anything more should be documented.

I also see that the admission.Attributes record appears to be given an annotation for the admit-policy here and validate-policy here. Unfortunately I'm not actively involved in the maintenance so I'm not sure if that is a more standardized way to audit what you're looking for vs the deprecated PSP mechanism. @tallclair can probably help out there too. Apologies if that just muddies the water.

@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@tallclair
Member

Yes, this annotation can be relied on as long as PSP is still around.

@sftim
Contributor

sftim commented Nov 20, 2021

We should document this in https://kubernetes.io/docs/reference/labels-annotations-taints/
/transfer website

@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/kubernetes Nov 20, 2021
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Nov 20, 2021
@sftim
Contributor

sftim commented Nov 20, 2021

/lifecycle frozen
/language en
/triage accepted
/priority important-soon
/kind feature
/sig auth
/sig docs

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. language/en Issues or PRs related to English language triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/docs Categorizes an issue or PR as relevant to SIG Docs. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 20, 2021
@sftim
Contributor

sftim commented Nov 20, 2021

The actions I'd want:

Those are fairly self-contained

@disconnect3d would you be willing to update the issue description to link to this specific comment?
(if you do, we can mark this as a good first issue)

@sftim
Contributor

sftim commented Nov 20, 2021

BTW the “important-soon” priority is because the replacement feature is going beta in the next release, and properly documenting the feature it replaces is equally timely.

@mtardy
Member

mtardy commented Jun 28, 2022

I can do that!
/assign

@sftim
Contributor

sftim commented Aug 1, 2022

/close

@k8s-ci-robot
Contributor

@sftim: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
