Enrich the PSP templates with template and field-level descriptions #109
Conversation
julianKatz
force-pushed
the
psp-field-descriptions
branch
from
d7bdde4 to
e6d2113
Compare
| @@ -3,7 +3,7 @@ kind: ConstraintTemplate | |||
| metadata: | |||
| name: k8spspfsgroup | |||
| annotations: | |||
| description: Controls allocating an FSGroup that owns the Pod's volumes. | |||
| description: "Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy." | |||
There was a problem hiding this comment.
I wish there could be an "extended discription", so we can have a blurb and then more detailed instructions.
There was a problem hiding this comment.
Yea I was thinking about that. Particularly something that would allow for some nice markdown syntax.
There was a problem hiding this comment.
Yeah, interesting to think how it would interact with shorter descriptions and examples...
File an issue for a feature request?
There was a problem hiding this comment.
Where does this feature request go? Isn't this part of JSONSchema? Or are you talking about extended description for the whole resource? Couldn't we just add another annotation for that?
There was a problem hiding this comment.
The second (another annotation), just an FR against the library.
There was a problem hiding this comment.
Issue created: #112
| items: | ||
| type: object | ||
| properties: | ||
| readOnly: | ||
| type: boolean | ||
| description: "when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly." |
There was a problem hiding this comment.
all volume mounts or all matching volume mounts?
There was a problem hiding this comment.
So, hilariously, I copied this from the k8s libraries themselves.
all volume mounts or all matching volume mounts?
So this would be all of the volume mounts that match that prefix. So, if you had another allowed prefix with readOnly: false the mounts matching that prefix would not be required to be readOnly.
Another version of that description could be:
When set to true, all mounts covered by the pathPrefix must be mounted readOnly.
Thoughts?
There was a problem hiding this comment.
Ah, def. don't just use PSP words:
- Because we should at least cite them if we do
- Because the Rego may not be written exactly like the PSP Go code... particularly if the behavior isn't documented as part of the API
Looking at the template, here's what it seems like is happening:
- It's possible to use paths on the host node as volumes that can be mounted to the pods (
spec.volumes)- in order to do this, you must specify that the volume is a host path type, and which host path you want to use as a volume, this path is what
pathPrefixmatches against
- in order to do this, you must specify that the volume is a host path type, and which host path you want to use as a volume, this path is what
- A volume can be mounted to one or more paths in the pod
- Each volume mount must reference a volume defined in
spec.volumes - Each volume mount specifies where that volume gets mounted inside the pod (this value is not checked)
- Each volume mount can be mounted as read only
- Each volume mount must reference a volume defined in
It appears that the readOnly parameter allows users to say "for every volume mount that references this volume must mount it as read only"
There was a problem hiding this comment.
how about:
when set to true, any container volumeMounts matching the pathPrefix must include `readOnly: true`
| @@ -3,7 +3,7 @@ kind: ConstraintTemplate | |||
| metadata: | |||
| name: k8spspselinuxv2 | |||
| annotations: | |||
| description: Controls the SELinux context of the container. | |||
| description: "Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy with SELinux rule `MustRunAs` enabled and specific `seLinuxOptions` specified." | |||
There was a problem hiding this comment.
can we make these longer descriptions multi-lined via the | operator (like the rego field below). This should help readability for people using vim (or GitHub code review)
WRT text...
"and specific seLinuxOptions specified."
"specific" isn't very descriptive. Do you mean the options as provided to the parameters of the CT?
There was a problem hiding this comment.
Will change all of the templates to use the | operator. It's definitely cleaner and more readable.
There was a problem hiding this comment.
r.e. "specific, the idea I'm going for is the following:
If you use this template, you configure at least one set of seLinuxOptions that is defined as a legal configuration of options for a container to run with. Were you to apply a container with a different set of Linux Options, that container would be rejected by g8r.
To achieve the same effect with a PSP, you'd have to create an seLinux entry with rule MustRunAs and the specific set of allowed SELinux options included under it. That would look like:
spec:
seLinux:
rule: RunAsAny
seLinuxOptions:
[values]So I'm really just trying to say that you'd have to configure that field with some specific values of your choosing. So I'm not being particularly specific when I say specific. I'm just trying to say that you have to configure.
How could I say it better?
There was a problem hiding this comment.
One thing I forgot about is newlines... I think > is the correct character if you want to have newlines for readability but not for content:
There was a problem hiding this comment.
re: specific... TBH I wouldn't mention it. It's enough to say that it is "requiring SELinux configs"
Referencing the PSP policy could be helpful for users already familiar with PSP, to help guide them when choosing replacement policies, but we shouldn't do it to the point where it confuses anyone unfamiliar with PSP and reading the docs for the first time.
There was a problem hiding this comment.
Are you saying I should get rid of the "Corresponds to a PodSecurityPolicy" parts of all the descriptions? @mkorfgoogle told me he liked those.
There was a problem hiding this comment.
Also, newest version:
Defines an allow-list of seLinuxOptions configurations for pod
containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
| properties: | ||
| min: | ||
| type: integer | ||
| max: | ||
| type: integer | ||
| supplementalGroups: | ||
| type: object | ||
| description: "Controls which groups are applied to the first process run in any pod container, in addition to the container's primary GID." |
There was a problem hiding this comment.
Is there a reason we're calling out the "first process"?
There was a problem hiding this comment.
I guess "main process" would be a better way to describe this.
I adapted this from the kubernetes core code.
My understanding is that other processes are forked off of that first process, so they can only have groups that it would have? Is that right?
There was a problem hiding this comment.
Please reword anything inspired from others' work.
There was a problem hiding this comment.
Also, I do like "main process" better. You can do escalation via methods like su, so it's not strictly true that it's an inheritance tree, but I do think that's the default behavior.
There was a problem hiding this comment.
New version:
description: "Controls which additional groups are applied to a pod container's main process beyond its primary GID."
There was a problem hiding this comment.
After reading other comments, I think it's better to go a simpler route, where we don't try to teach the feature in the CT. Rather, we should say specifically what policy the CT enforces and no more.
| properties: | ||
| min: | ||
| type: integer | ||
| max: | ||
| type: integer | ||
| fsGroup: | ||
| type: object | ||
| description: "Controls the supplemental group applied to some volumes." |
There was a problem hiding this comment.
"some volumes": which volumes?
There was a problem hiding this comment.
Also adapted from k8s docs.
Based on this blogpost and these docs, it looks like it sets both the volume mounted to the contianer AND any files created within it by the Pod containers have this GID.
This is complicated, and I'm not sure how to think about ROI on figuring out how it works in detail. Is there something that's kind of vague but not wrong that we could say? It seems like the k8s docs punted as well
There was a problem hiding this comment.
Please reword anything inspired from others' work.
There was a problem hiding this comment.
Also, we should be documenting these things based of the Rego written, for accuracy.
Finally, I'm asking "which volumes", because as a user, that would be my first question when I read something like "some volumes.
There was a problem hiding this comment.
I think you make a good point in another comment that we shouldn't try to teach people these features, but rather how to restrict them via the CT.
That being said, I think it makes sense to change the descriptions in this CT to things like:
fsGroup:
type: object
description: "Controls the fsGroup values allowed in a Pod or container level SecurityContext."This is simpler and is actually what we validate in the rego.
Going to go ahead and change these, let me know if I should revert.
julianKatz
force-pushed
the
psp-field-descriptions
branch
2 times, most recently
from
0c8328b to
63a047c
Compare
| description: Controls restricting escalation to root privileges. | ||
| description: >- | ||
| Controls restricting escalation to root privileges. Corresponds to the | ||
| `allowPrivilegeEscalation` field in a PodSecurityPolicy. |
There was a problem hiding this comment.
What do you think about using fully-qualified paths in comments? My preference is to use the longer ones to make the structure clearer to the people consuming the templates.
There was a problem hiding this comment.
For PSP specifically, the main purpose is to provide guidance for people who are referencing the PSP fields/ documentation.
The PSP documentation references its fields by non-fully-qualified name:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
So we should follow their conventions.
Since PSP is deprecated, we may choose to remove these references entirely once most/all users are no longer in a transitional phase.
If we are talking about related fields within the same constraint template, that seems reasonable to me, though I'd be a bit concerned about verbosity. Maybe make all paths relative to parameters?
There was a problem hiding this comment.
I think @willbeason is talking about saying:
Corresponds to the `spec.allowPrivilegeEscalation` field in a PodSecurityPolicy
in the description.
Personally, I'm down either way. My first move when using a PSP Constraint Template would be to look at an example PSP, so the full paths wouldn't be a huge difference maker (they're basically all spec.[fieldname]). That said, adding them requires little effort so I'm happy to do so if you feel strongly @willbeason . Are you against this, @maxsmythe ?
There was a problem hiding this comment.
I lean more towards matching the PSP docs (meaning what's written is fine as-is)
library/pod-security-policy/allow-privilege-escalation/template.yaml
Outdated
Show resolved
Hide resolved
library/pod-security-policy/read-only-root-filesystem/template.yaml
Outdated
Show resolved
Hide resolved
Signed-off-by: juliankatz <juliankatz@google.com>
julianKatz
force-pushed
the
psp-field-descriptions
branch
from
dcdd096 to
8dad32d
Compare
Signed-off-by: juliankatz <juliankatz@google.com>
julianKatz
changed the title
…ary into psp-field-descriptions Signed-off-by: juliankatz <juliankatz@google.com>
library/pod-security-policy/allow-privilege-escalation/template.yaml
Outdated
Show resolved
Hide resolved
…ileged-containers Signed-off-by: juliankatz <juliankatz@google.com>
…pen-policy-agent#109) Signed-off-by: juliankatz <juliankatz@google.com> Signed-off-by: Mark van Holsteijn <mark.van.holsteijn@gmail.com>
No description provided.