capability defaulting #6470
capability defaulting #6470
Conversation
|
Do we need to be smart and not add defaults when they are already dropped (by the container or scc)? |
Since I'm using a string set and using the union it will not duplicate the adds. If the container is dropping something that is added by default it will be removed by the |
pweil-
force-pushed
the
scc-caps
branch
3 times, most recently
from
14452c0 to
1aef128
Compare
|
[test] |
| // the containers. Any capability listed in add will be added to the container even if | ||
| // it is not requested. Any capability listed in drop will be removed from the container | ||
| // even if it is requested to be added. | ||
| RequiredCapabilities Capabilities `json:"requiredCapabilities" description:"capabilities that must be added and dropped"` |
|
@twiest FYI |
|
One more question. An admin wants to run a pod. They have access to various high privilige sccs. When they run a pod that wants to ping, will they get defaulted to drop raw net caps? |
In this case, the assumption would be that the admin has access to an SCC that does not require the net caps to be dropped. The admin should use prioritization to ensure that they get the defaults they expect when not requesting specific capabilities that would force validation failures (similar to requesting UID 0 before we could prioritize the |
|
Ok - those changes will be follow up / split PR? On Mon, Jan 11, 2016 at 2:52 PM, Paul Weil notifications@github.com wrote:
|
Yes, wrapping up unit tests right now on this one for the mechanics and then we can do a follow up that will add in the default sets of caps to our bootstrap policies where appropriate. |
|
Changes LGTM but want another sign off. |
| @@ -2597,7 +2597,19 @@ type SecurityContextConstraints struct { | |||
|
|
|||
| // AllowPrivilegedContainer determines if a container can request to be run as privileged. | |||
| AllowPrivilegedContainer bool `json:"allowPrivilegedContainer" description:"allow containers to run as privileged"` | |||
| // Required capabilities are the capability set that must be set or defaulted into | |||
There was a problem hiding this comment.
How about RequiredCapabilities are defaulted into containers. ?
pweil-
force-pushed
the
scc-caps
branch
2 times, most recently
from
509a0eb to
0e7c71f
Compare
|
[test] |
| allowedCapListedInRequiredDrop.RequiredCapabilities = api.Capabilities{ | ||
| Drop: []api.Capability{"foo"}, | ||
| } | ||
| allowedCapListedInRequiredDrop.AllowedCapabilities = []api.Capability{"foo"} |
There was a problem hiding this comment.
what about a test case where a capability is in both add, drop, and allowed?
There was a problem hiding this comment.
the validation doesn't care about that. It tests required.Add -> required.Drop and Allowed -> required.Drop. It is valid to have it in allowed and required.Add though I don't see why someone would do that.
There was a problem hiding this comment.
Okay, I'll buy that for now. If people find it incredibly confusing we can add a validation later.
There was a problem hiding this comment.
can we add a validation later if that would invalidate existing sccs?
There was a problem hiding this comment.
I don't think we need validation for this but if someone really wants it I can add it. If you put something in both allowed and required.add it is just redundant but it isn't invalid. It is invalid to have something in (allowed or required.add) AND required.drop which is what we're validating.
|
re[test] |
|
Any other comments on this? On Wed, Jan 13, 2016 at 8:40 PM, OpenShift Bot notifications@github.com
|
|
/sub |
| }, | ||
| // UC 3: if an SCC requires a cap then it should accept the pod request | ||
| // to add the cap. | ||
| "should accept cap add when in requied": { |
|
Updates:
|
|
re[test] |
| // 3. Capabilities in InitialCapabilities.Drop will be dropped from the container | ||
| // 4. Containers that request to add a capability that is required to be dropped will fail | ||
| // validation. | ||
| InitialCapabilities Capabilities `json:"initialCapabilities" description:"capabilities that will be added or dropped"` |
There was a problem hiding this comment.
This name makes it seem like capabilities can change over time. "initial" needs a time context to be understood, and it's a little odd because the sequence is: 1) pod spec submitted to the API may specify capabilities, 2) admission drops some capabilities, adds some capabilities unless dropped by the pod, 3) object is created and capabilities can never be changed.
What about "assignedCapabilities"? They are what admission will assign to the pod at creation time, and the pod author can explicitly opt out of some of the added capabilities by dropping them in their submitted pod spec.
There was a problem hiding this comment.
I know it is bike shedding, but 'assigned' sounds to me like it would blindly overwrite things. Which it only sort of does. You don't end up with the 'assigned' caps. You end up with some amalgamation.
I'm not arguing for Initial either, I'll try to think of something to propose instead of just being a negative nancy...
There was a problem hiding this comment.
Last IRC suggestion was:
allowedCapabilities []kapi.Capbility - what you're allowed to add (already exists)
defaultAddCapabilitiess []kapi.Capbility - what you'll be given by default unless you drop one of them explicitly
requiredDropCapabilitiess []kapi.Capbility - you must drop these
@smarterclayton @eparis @liggitt - satisfactory?
There was a problem hiding this comment.
allowedAddCapabilities
There was a problem hiding this comment.
Can't change that one, it already exists
There was a problem hiding this comment.
I'm not in love with the names but we don't have time to bike shed. Names are approved
| // container specifically is dropping the cap) and container requested adds | ||
| // 2. a capabilities.Drop set containing all the required drops and container requested drops | ||
| func (s *defaultCapabilities) Generate(pod *api.Pod, container *api.Container) (*api.Capabilities, error) { | ||
| requiredAdd := makeCapSet(s.defaultAddCapabilities) |
|
re[test] |
|
[test] |
|
Evaluated for origin test up to ddf3dd0 |
|
@liggitt anything else on the revised code that looks fishy? I'm just fighting with jenkins at this point. |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/45/) |
|
nope, LGTM |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/4646/) (Image: devenv-rhel7_3165) |
|
[merge] |
|
Evaluated for origin merge up to ddf3dd0 |
Merged by openshift-bot
@smarterclayton @eparis - here is the WIP for adding required add/drops into SCCs. PTAL
The mechanics are:
requiredCapabilitiesin the SCC which can include adds and drops