Update pod security standards to use PodOS field

[ravisantoshgudimetla]

xref: kubernetes/enhancements#2802

[netlify]

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name	Link
🔨 Latest commit	a1f6615
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/62fe97647e40e8000854980e

[ravisantoshgudimetla]

/cc @tallclair @liggitt

/sig auth
/sig windows

[sftim]

We try to write documentation to be timeless - see https://developers.google.com/style/timeless-documentation for an example.

Here are some suggestions with that in mind.

[sftim]

Suggested change

	Containers must drop <code>ALL</code> capabilities, and are only permitted to add back
	the <code>NET_BIND_SERVICE</code> capability.
	the <code>NET_BIND_SERVICE</code> capability. Starting v1.25, windows pods would be exempted from this control if pod.spec.os.Name is set to <code>windows</code>
	For Linux pods, require that containers drop <em>all</em> capabilities:
	<code>ALL</code>.
	As a special case, containers are permitted to add back the
	<code>NET_BIND_SERVICE</code> capability (and only this capability).
	This control only applies when you set `spec.os` for the overall Pod to
	<code>linux</code>, or if you do not specify a
	Pod OS. Versions of Kubernetes before v1.25 enforce this control regardless of
	operating system.

[sftim]

Suggested change

	In v1.25, the `pod.spec.os` field has graduated to stable which helps identify the windows pods authoritatively. Pod Security admission plugin has been updated to use this field which allows certain relaxations for the windows pods. The restricted profile has been updated to ensure that the Linux-specific restrictions such as seccomp profile, disallowing privilege escalation, capabilities are ignored if the `pod.spec.os.Name` is set to `windows`.
	For Kubernetes v{{< skew currentVersion >}} it is good practice to specify
	the `.spec.os` field for every Pod. The `.spec.os` field is available in Kubernetes
	v1.23 and later but was behind a
	[feature gate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/)
	for Kubernetes v1.23 and v1.24.
	If you set the Pod OS field to `linux`, only Linux nodes try to run the Pod, and the enforced security
	controls are appropriate to Linux.
	Setting the Pod OS field to `windows` means that only Windows nodes would try to run the Pod, and
	you don't need to apply Linux-specific restrictions. For example, a Windows Pod does not
	need to explicitly drop all capabilities for each container, even if you are applying the `restricted`
	Pod security standard.
	If you don't specify the Pod OS, Kubernetes takes a precautionary approach and applies all the Pod
	security measures that could be relevant.

I would move this section out of the FAQ and move it to a 2nd-level heading just above the FAQ.
The section heading I'd use would be:

## Security standards for different operating systems

[ravisantoshgudimetla]

I am fine with @tallclair any concerns?

[tallclair]

I agree. I was going to suggest the same thing.

[chrisnegus]

I just have one capitalization suggestion that occurs several time.

[chrisnegus]

Other k8s docs capitalize the "W" in "Windows pods". I suggest changing the lowercase "windows pods" instances in this document.

[ravisantoshgudimetla]

Sure. Will change it.

[reylejano]

/milestone 1.25
/assign @cathchu
/cc @kcmartin

[tallclair]

/assign

[tallclair]

Rather than integrating this text in here, I'd suggest just having a standard header that you can add to all the linux-only fields. I prefer this approach because it makes it easier to identify the linux-only fields with a visual scan.

Maybe something like this:

<p><em><a href="#what-profiles-should-i-apply-to-my-windows-pods">Linux only</a> in v1.25+ (`spec.os != windows`)</em></p>

[sftim]

It's a bit odd to hyperlink “Linux only” to #what-profiles-should-i-apply-to-my-windows-pods - maybe we could have a new page section that covers OS specifics, with a subheading for Linux and another subheading for Windows.

[ravisantoshgudimetla]

The content for Windows is pretty small with only 3 policies changes in restricted profile for now. May be we can create a new page section when the content increases for Windows? How about just a note?

[tallclair]

... when you set spec.os to linux ...

It's actually coded the other way - skip the check when it's set to windows. A subtle difference, but it could matter if we added another OS.

[sftim]

I wonder if I should also file a feature request issue to invert the logic there?

[liggitt]

exempting only for an explicitly windows pod is intentional, so we default in the safe direction for new hitherto unknown OSes

[ravisantoshgudimetla]

I thought about it but did not want to include negations(skips) in the docs for skipping. However I agree since there is a chance of expanding OS'es later it is better to talk about skips.

[tallclair]

Unfortunately markdown syntax isn't processed in this table, so you need to use raw HTML tags.

Suggested change

	<p>On Linux, require that the seccomp profile is explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited. This control only applies when you set `spec.os` to <code>linux</code>, or if you do not specify a Pod OS. Versions of Kubernetes before v1.25 enforce this control regardless of operating system.</p>
	<p>On Linux, require that the seccomp profile is explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited. This control only applies when you set <code>spec.os</code> to <code>linux</code>, or if you do not specify a Pod OS. Versions of Kubernetes before v1.25 enforce this control regardless of operating system.</p>

[sftim]

Also, is it actually .spec.os.name?

[tallclair]

I agree. I was going to suggest the same thing.

[ravisantoshgudimetla]

I slightly tweaked your suggestions @sftim and @tallclair. PTAL

[sftim]

I do recommend some more changes here.

[sftim]

Suggested change

	Another important change starting Kubernetes v{{ < skew currentVersion >}} is that the pod restricted standard
	Another important change, made in Kubernetes v1.25, is that the _restricted_ Pod security standard

If you can, rewrite the text to define and document the current (oost-v1.25) behaviour, rather than the state change.

[tallclair]

I was actually thinking it might be worth having an explicit changelog on this page. This is a bit different from documenting Kubernetes changes, as the older profiles are supported indefinitely, across Kubernetes versions.

[ravisantoshgudimetla]

@tallclair - You mean a link to the changelog on this page?

[sftim]

Suggested change

	### Pod API validation changes
	### Pod security checks based on Pod operating system

Document the behavior, not the change in behavior (that's for the release notes)/

[tallclair]

I think we should drop this section. Pod API validation is not part of the Pod Security Standards.

[ravisantoshgudimetla]

Yup. Those changes look good to me. Thank you for making them @sftim

[tallclair]

I think we should drop this section. Pod API validation is not part of the Pod Security Standards.

[tallclair]

I was actually thinking it might be worth having an explicit changelog on this page. This is a bit different from documenting Kubernetes changes, as the older profiles are supported indefinitely, across Kubernetes versions.

[tallclair]

Add a warning here about how Kubelets prior to v1.24 don't enforce the pod OS field, and if a cluster has nodes on versions earlier than v1.24 the restricted policies should be pinned to a version prior to v1.25.

[ravisantoshgudimetla]

Added note here: https://github.com/kubernetes/website/pull/35772/files#diff-1eb43daa07b175394d3d428f40b35e9010ad719ce9fa8c0e858a0f773e4330faR472

[reylejano]

Hi @ravisantoshgudimetla , are you able to address the comments and feedback
The 1.25 Docs complete deadline passed and this PR needs to address the comments and feedback as soon as possible

[ravisantoshgudimetla]

Thanks for the suggestions @sftim and @tallclair

@reylejano - I am on PTO till the end of this week with limited access to the internet so I'm making changes as soon as I can. If someone can pick this PR up to push it along, I am fine with it.

[sftim]

Should we:

• merge this as-is
• postpone the v1.25 release?

[ravisantoshgudimetla]

Is this the only outstanding comment on which we need to get feedback?

[reylejano]

let's merge as-is and I'll create a follow-up PR to address comments and suggestions
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: reylejano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/OWNERS [reylejano]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sftim]

/lgtm

We should review this after the release, as we're merging updates to docs about a security control, and we don't yet have a tech review signoff from the right SIGs.

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 805ba4d3f310232a934431e96bf864d447a65d9b