Skip to content
Permalink
Browse files
Remove PodSecurityPolicy admission plugin
  • Loading branch information
liggitt committed May 4, 2022
1 parent 889e60a commit 410ac59c0da01eca74d593f1a38419e77369a7fe
Showing 55 changed files with 76 additions and 10,201 deletions.
@@ -33,8 +33,15 @@ import (
core "k8s.io/kubernetes/pkg/apis/core"
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
)

const (
// AllowAny is the wildcard used to allow any profile.
seccompAllowAny = "*"
// DefaultProfileAnnotationKey specifies the default seccomp profile.
seccompDefaultProfileAnnotationKey = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
// AllowedProfilesAnnotationKey specifies the allowed seccomp profiles.
seccompAllowedProfilesAnnotationKey = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
)

// ValidatePodDisruptionBudget validates a PodDisruptionBudget and returns an ErrorList
@@ -149,15 +156,15 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string,
}
}

if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" {
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...)
if p := annotations[seccompDefaultProfileAnnotationKey]; p != "" {
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccompDefaultProfileAnnotationKey))...)
}
if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
if allowed := annotations[seccompAllowedProfilesAnnotationKey]; allowed != "" {
for _, p := range strings.Split(allowed, ",") {
if p == seccomp.AllowAny {
if p == seccompAllowAny {
continue
}
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccompAllowedProfilesAnnotationKey))...)
}
}
return allErrs
@@ -321,7 +328,7 @@ func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *policy.Supp
// validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy.
func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []policy.FSType) field.ErrorList {
allErrs := field.ErrorList{}
allowed := psputil.GetAllFSTypesAsSet()
allowed := getAllFSTypesAsSet()
// add in the * value since that is a pseudo type that is not included by default
allowed.Insert(string(policy.All))
for _, v := range volumes {
@@ -332,6 +339,44 @@ func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []policy.FSTy
return allErrs
}

// getAllFSTypesAsSet returns all actual volume types, regardless
// of feature gates. The special policy.All pseudo type is not included.
func getAllFSTypesAsSet() sets.String {
fstypes := sets.NewString()
fstypes.Insert(
string(policy.HostPath),
string(policy.AzureFile),
string(policy.Flocker),
string(policy.FlexVolume),
string(policy.EmptyDir),
string(policy.GCEPersistentDisk),
string(policy.AWSElasticBlockStore),
string(policy.GitRepo),
string(policy.Secret),
string(policy.NFS),
string(policy.ISCSI),
string(policy.Glusterfs),
string(policy.PersistentVolumeClaim),
string(policy.RBD),
string(policy.Cinder),
string(policy.CephFS),
string(policy.DownwardAPI),
string(policy.FC),
string(policy.ConfigMap),
string(policy.VsphereVolume),
string(policy.Quobyte),
string(policy.AzureDisk),
string(policy.PhotonPersistentDisk),
string(policy.StorageOS),
string(policy.Projected),
string(policy.PortworxVolume),
string(policy.ScaleIO),
string(policy.CSI),
string(policy.Ephemeral),
)
return fstypes
}

// validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
func validatePSPDefaultAllowPrivilegeEscalation(fldPath *field.Path, defaultAllowPrivilegeEscalation *bool, allowPrivilegeEscalation bool) field.ErrorList {
allErrs := field.ErrorList{}
@@ -30,8 +30,6 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
"k8s.io/utils/pointer"
)

@@ -373,15 +371,15 @@ func TestValidatePodSecurityPolicy(t *testing.T) {

invalidSeccompDefault := validPSP()
invalidSeccompDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "not-good",
seccompDefaultProfileAnnotationKey: "not-good",
}
invalidSeccompAllowAnyDefault := validPSP()
invalidSeccompAllowAnyDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "*",
seccompDefaultProfileAnnotationKey: "*",
}
invalidSeccompAllowed := validPSP()
invalidSeccompAllowed.Annotations = map[string]string{
seccomp.AllowedProfilesAnnotationKey: api.SeccompProfileRuntimeDefault + ",not-good",
seccompAllowedProfilesAnnotationKey: api.SeccompProfileRuntimeDefault + ",not-good",
}

invalidAllowedHostPathMissingPath := validPSP()
@@ -660,8 +658,8 @@ func TestValidatePodSecurityPolicy(t *testing.T) {

validSeccomp := validPSP()
validSeccomp.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: api.SeccompProfileRuntimeDefault,
seccomp.AllowedProfilesAnnotationKey: api.SeccompProfileRuntimeDefault + ",unconfined,localhost/foo,*",
seccompDefaultProfileAnnotationKey: api.SeccompProfileRuntimeDefault,
seccompAllowedProfilesAnnotationKey: api.SeccompProfileRuntimeDefault + ",unconfined,localhost/foo,*",
}

validDefaultAllowPrivilegeEscalation := validPSP()
@@ -779,7 +777,7 @@ func TestValidatePSPVolumes(t *testing.T) {
}
}

volumes := psputil.GetAllFSTypesAsSet()
volumes := getAllFSTypesAsSet()
// add in the * value since that is a pseudo type that is not included by default
volumes.Insert(string(policy.All))

@@ -45,7 +45,6 @@ import (
podpriority "k8s.io/kubernetes/plugin/pkg/admission/priority"
"k8s.io/kubernetes/plugin/pkg/admission/runtimeclass"
"k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity"
"k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
"k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
"k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/label"
@@ -75,8 +74,7 @@ var AllOrderedPlugins = []string{
nodetaint.PluginName, // TaintNodesByCondition
alwayspullimages.PluginName, // AlwaysPullImages
imagepolicy.PluginName, // ImagePolicyWebhook
podsecurity.PluginName, // PodSecurity - before PodSecurityPolicy so audit/warn get exercised even if PodSecurityPolicy denies
podsecuritypolicy.PluginName, // PodSecurityPolicy
podsecurity.PluginName, // PodSecurity
podnodeselector.PluginName, // PodNodeSelector
podpriority.PluginName, // Priority
defaulttolerationseconds.PluginName, // DefaultTolerationSeconds
@@ -129,7 +127,6 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
runtimeclass.Register(plugins)
resourcequota.Register(plugins)
podsecurity.Register(plugins)
podsecuritypolicy.Register(plugins)
podpriority.Register(plugins)
scdeny.Register(plugins)
serviceaccount.Register(plugins)
@@ -108,7 +108,6 @@ import (
"k8s.io/kubernetes/pkg/kubelet/util/sliceutils"
"k8s.io/kubernetes/pkg/kubelet/volumemanager"
"k8s.io/kubernetes/pkg/security/apparmor"
sysctlallowlist "k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl"
"k8s.io/kubernetes/pkg/util/oom"
"k8s.io/kubernetes/pkg/volume"
"k8s.io/kubernetes/pkg/volume/csi"
@@ -776,7 +775,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,

// Safe, allowed sysctls can always be used as unsafe sysctls in the spec.
// Hence, we concatenate those two lists.
safeAndUnsafeSysctls := append(sysctlallowlist.SafeSysctlAllowlist(), allowedUnsafeSysctls...)
safeAndUnsafeSysctls := append(sysctl.SafeSysctlAllowlist(), allowedUnsafeSysctls...)
sysctlsAllowlist, err := sysctl.NewAllowlist(safeAndUnsafeSysctls)
if err != nil {
return nil, err
@@ -18,8 +18,6 @@ package sysctl

import (
"testing"

"k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl"
)

func TestNewAllowlist(t *testing.T) {
@@ -37,7 +35,7 @@ func TestNewAllowlist(t *testing.T) {
{sysctls: []string{"net.*/foo"}, err: true},
{sysctls: []string{"foo"}, err: true},
} {
_, err := NewAllowlist(append(sysctl.SafeSysctlAllowlist(), test.sysctls...))
_, err := NewAllowlist(append(SafeSysctlAllowlist(), test.sysctls...))
if test.err && err == nil {
t.Errorf("expected an error creating a allowlist for %v", test.sysctls)
} else if !test.err && err != nil {
@@ -69,7 +67,7 @@ func TestAllowlist(t *testing.T) {
{sysctl: "kernel.sem", hostIPC: true},
}

w, err := NewAllowlist(append(sysctl.SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem"))
w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem"))
if err != nil {
t.Fatalf("failed to create allowlist: %v", err)
}
@@ -16,13 +16,17 @@ limitations under the License.

package sysctl

import (
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
)

// SysctlsStrategy defines the interface for all sysctl strategies.
type SysctlsStrategy interface {
// Validate ensures that the specified values fall within the range of the strategy.
Validate(pod *api.Pod) field.ErrorList
// SafeSysctlAllowlist returns the allowlist of safe sysctls and safe sysctl patterns (ending in *).
//
// A sysctl is called safe iff
// - it is namespaced in the container or the pod
// - it is isolated, i.e. has no influence on any other pod on the same node.
func SafeSysctlAllowlist() []string {
return []string{
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
}
}

This file was deleted.

This file was deleted.

0 comments on commit 410ac59

Please sign in to comment.