Modify privileged SCC to allow to use all capabilities #12875
Conversation
Thanks @php-coder this is what I was expecting. I think you can clean up and add unit tests for the strategies/regen if @smarterclayton is good with this enhancement.
@@ -1256,6 +1256,9 @@ const ( | |||
// Capability represent POSIX capabilities type | |||
type Capability string | |||
|
|||
// CapabilityAll represent all POSIX capabilities types. | |||
var CapabilityAll Capability = "*" |
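Review bot: `CapabilityAll` is declared with `var` although it is a fixed sentinel; `const CapabilityAll Capability = "*"` would stop any package from reassigning the wildcard at runtime. The doc comment also describes it as a capability type, whereas the thread later settles that the wildcard only has meaning in the SCC's allowedCapabilities list, so the comment should state that scope (and, as the reviewers ask, the AllowedCapabilities field description should say that `*` is accepted there); "represent" should be "represents" in both new comments.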
There should be changes in here and v1 types to note on the description that * is an available wildcard
And to add CapabilityAll to the v1 version 😄
> to note on the description that * is an available wildcard
@pweil- Do you mean that I should add such a comment to the Capability type above?
The comment should go on the SCC's AllowedCapabilities description so it shows up in generated documentation.
Looks good to me barring Paul's comments.
@pweil- I'm sorry but it's not clear to me exactly what clean up I should do. Also could you elaborate on
There should be a
f6fd7a4 to 0b67a9c
73b6e03 to 057df4a
PTAL again @pweil- There is only one known issue:
🐛 let's fix it now
057df4a to d9f28a9
It's ready to be merged. PTAL @pweil-
allowedAdd := makeCapSet(s.allowedCaps) | ||
allowAllCaps := allowedAdd.Has(string(api.CapabilityAll)) | ||
if allowAllCaps { | ||
if len(s.requiredDropCapabilities) > 0 { |
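Review bot: the `if len(s.requiredDropCapabilities) > 0` branch inside `Validate` re-checks the strategy's own configuration on every pod admission; that invariant belongs where the strategy is constructed from the SCC (or in the API object's validation), while `Validate` should only compare the container's requested adds and drops against `allowAllCaps` and `s.requiredDropCapabilities`. Whatever the branch ends up doing, the container's add list must still be checked against the required drop list when `*` is allowed, otherwise the wildcard would let a pod re-add a capability the SCC requires it to drop.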
this validation doesn't belong here. `s` here represents a strategy created from an SCC api object. You have validation that ensures that this case should never happen in the api object itself.
This should be for testing the pod/container requests against the ability to add everything.
If anything, that validation should be in the New... method since it is validation against the invariants. Assuming you're trying to protect against misconfiguration of the parameters. Can that even happen? Do we need a migration of an invalid strategy?
I've pushed the code that is addressing your first comment.
Do we need a migration of an invalid strategy?
While technically it was possible to create a SCC with * as the allowedCapabilities value, most likely no one uses it because it didn't have a special meaning.
11cad7f to 25ade46
Sgtm
…On Mon, Feb 27, 2017 at 10:39 Vyacheslav Semushin ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In
vendor/k8s.io/kubernetes/pkg/securitycontextconstraints/capabilities/mustrunas.go
<#12875 (comment)>:
> @@ -101,9 +101,21 @@ func (s *defaultCapabilities) Validate(pod *api.Pod, container *api.Container) f
return allErrs
}
+ allowedAdd := makeCapSet(s.allowedCaps)
+ allowAllCaps := allowedAdd.Has(string(api.CapabilityAll))
+ if allowAllCaps {
+ if len(s.requiredDropCapabilities) > 0 {
I've pushed the code that is addressing your first comment.
Do we need a migration of an invalid strategy?
While technically it was possible to create a SCC with * as the
allowedCapabilities value, most likely no one uses it because it didn't
have a special meaning.
LGTM
[test] - @php-coder can you get a BZ or trello card for this, it needs to be added to the QE test cases. Merging on green.
Evaluated for origin test up to 25ade46
@pweil- I'm not aware of any existing Trello/BZ. Do you want me to create one?
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/47/) (Base Commit: aff7b5b)
Something wrong with our infrastructure:
The full log is here: https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended_conformance_install/34/consoleFull @stevekuznetsov Is it a known problem? Should I create an issue? Is it a test-flake or permanent failure?
yes
Other jobs have been succeeding -- are you sure that is not something from this PR?
@stevekuznetsov I see that another PR has just failed with the same error: openshift/openshift-ansible#3554 (comment) Log is here: https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_openshift_ansible/2/consoleFull
I see. Please make an issue -- I'll look into it now.
test flake #13318
@smarterclayton QE saw this once[1] in a particular environment but never again. The suggested workaround is to set timeout=30 in /etc/ansible.cfg. There are a few upstream issues[2][3].
1- https://bugzilla.redhat.com/show_bug.cgi?id=1427025
I'll set that in origin-gce, thanks
[merge]
…On Thu, Mar 16, 2017 at 9:19 AM, Scott Dodson ***@***.***> wrote:
@smarterclayton <https://github.com/smarterclayton> QE saw this once[1]
in a particular environment but never again. The suggested workaround is to
add set the timeout=30 in /etc/ansible.cfg. There's a few upstream
issues[2][3].
[defaults]
timeout = 30
1- https://bugzilla.redhat.com/show_bug.cgi?id=1427025
2- ansible/ansible#14426 <ansible/ansible#14426>
3 - ansible/ansible#13278
<ansible/ansible#13278>
That's something new:
Should I file an issue for that?
There's one here: openshift/origin-gce#15 re[merge]
Evaluated for origin merge up to 25ade46
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/111/) (Base Commit: b9ff323) (Image: devenv-rhel7_6072)
When is this change going to be available, and in which version? I'm trying to set up elasticsearch 5.3.2 on Openshift Origin 1.5.0 and it is not working out because I need to add capabilities like IPC_LOCK and SYS_RESOURCE; in Kubernetes this is working fine. Please fix it! Thanks
@jcperezamin this should be available in the following releases:
@jcperezamin On old versions you may modify
P.S. Something like this should do the trick:
Thanks, it is working now!
@smarterclayton @liggitt I think this pull needs to be reverted. It changes the meaning of a kube API in an incompatible way, which prevents unification and makes our podspecs incompatible with kube podspecs. We still have time before 3.6 ships.
Unless the comment is lying (which I suppose it may be).
@deads2k I don't see how "It changes the meaning of a kube API". It modifies
It doesn't affect pod spec. Otherwise, could you provide an example?
Which comment?
@php-coder you say
Should only apply to
Ok, that would be good. That would mean the doc and constant are in the wrong spot, but we could keep it otherwise. It also suggests that we may want to separate types. |
@deads2k I can move it to a proper place. Where should it be? Just above
Yeah, and the comment about usage goes inside of the SCC capabilities values since it only applies there |
Automatic merge from submit-queue Move CapabilityAll from k8s types and rename it to AllowAllCapabilities Move `CapabilityAll` from k8s types to openshift, close to the SCC definition and also rename it to `AllowAllCapabilities`. Addresses #12875 (comment) and fixes #15273 PTAL @deads2k @pweil- CC @simo5
Automatic merge from submit-queue (batch tested with PRs 51337, 47080, 52646, 52635, 52666). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

PodSecurityPolicy.allowedCapabilities: add support for * to allow requesting any capabilities

**What this PR does / why we need it**: Prior to this change there was no way to allow pods to request any capabilities. Cluster admins always had to specify a full list of capabilities explicitly. Because there are many of them, it gets tedious. This PR makes it possible to use `*` to allow all possible capabilities. Non-paranoid (and lazy) cluster admins can use it. Those who are super strict and paranoid of course won't use it because `*` allows capabilities that don't exist today but may be introduced in the future. The "privileged" PSP in examples was modified to allow privileged users to use this feature.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #50055

**Special notes for your reviewer**: This functionality is already present in OpenShift: openshift/origin#12875 and openshift/origin#15135

**Release note**:
```release-note
PSP: add support for using `*` as a value in `allowedCapabilities` to allow requesting any capabilities
```
CC @simo5 @pweil- @gyliu513 @liqlin2015
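The following is an added example, not code from this PR, from OpenShift or from Kubernetes. It shows, in stand-alone Go, the two behaviours the thread argues about: the `*` wildcard in allowedCapabilities admits any capability name, including ones that do not exist today (the trade-off the upstream description warns about), while requiredDropCapabilities is enforced regardless of the wildcard; and the policy's own invariants are checked once, when the strategy is built, rather than on every pod admission, as the reviewers asked for `Validate`. `Policy`, `ContainerCaps`, `ValidatePolicy`, `ValidateContainer` and the sample capability names are assumptions made up for this example and are not the project's types or functions.

```go
package main

import (
	"fmt"
	"strings"
)

// AllowAllCapabilities is the wildcard value an SCC (or, upstream, a PSP)
// allowedCapabilities list may carry to permit a container to add any capability.
const AllowAllCapabilities = "*"

// Policy holds the two policy fields the review thread is about. It is a
// stand-in written for this example, not the OpenShift or Kubernetes type.
type Policy struct {
	AllowedCapabilities      []string
	RequiredDropCapabilities []string
}

// ContainerCaps is the add/drop request from a container's securityContext.
type ContainerCaps struct {
	Add  []string
	Drop []string
}

func toSet(names []string) map[string]bool {
	s := make(map[string]bool, len(names))
	for _, n := range names {
		s[n] = true
	}
	return s
}

// ValidatePolicy checks the policy's own invariants once, when the strategy is
// built from the SCC, not on every pod admission. A name that is both allowed
// and required to be dropped is contradictory; the wildcard itself is not.
func ValidatePolicy(p Policy) []string {
	var errs []string
	drop := toSet(p.RequiredDropCapabilities)
	for _, name := range p.AllowedCapabilities {
		if name != AllowAllCapabilities && drop[name] {
			errs = append(errs, fmt.Sprintf("capability %s is both allowed and required to be dropped", name))
		}
	}
	return errs
}

// ValidateContainer checks a container's request against the policy. A "*" in
// AllowedCapabilities admits any add, including names this code has never seen.
// The required drop list is enforced regardless of the wildcard: each required
// drop must be present in the container's drop list and may not be re-added.
func ValidateContainer(p Policy, c ContainerCaps) []string {
	var errs []string
	allowed := toSet(p.AllowedCapabilities)
	allowAll := allowed[AllowAllCapabilities]
	requiredDrop := toSet(p.RequiredDropCapabilities)
	dropped := toSet(c.Drop)

	for _, name := range c.Add {
		switch {
		case requiredDrop[name]:
			errs = append(errs, fmt.Sprintf("capability %s may not be added: it is in requiredDropCapabilities", name))
		case allowAll, allowed[name]:
			// permitted, either explicitly or via the wildcard
		default:
			errs = append(errs, fmt.Sprintf("capability %s may not be added", name))
		}
	}
	for _, name := range p.RequiredDropCapabilities {
		if !dropped[name] {
			errs = append(errs, fmt.Sprintf("capability %s must be dropped", name))
		}
	}
	return errs
}

func main() {
	// Constructed sample: a wildcard policy that still insists on dropping MKNOD.
	wildcard := Policy{
		AllowedCapabilities:      []string{AllowAllCapabilities},
		RequiredDropCapabilities: []string{"MKNOD"},
	}
	// The elasticsearch request from the thread plus a capability name that does
	// not exist today: all pass under "*" as long as MKNOD is dropped.
	req := ContainerCaps{Add: []string{"IPC_LOCK", "SYS_RESOURCE", "FUTURE_CAP"}, Drop: []string{"MKNOD"}}
	fmt.Printf("wildcard, drops MKNOD: %v\n", ValidateContainer(wildcard, req))

	// Re-adding a required drop is refused even with "*", and the drop is still required.
	bad := ContainerCaps{Add: []string{"MKNOD"}}
	fmt.Printf("wildcard, re-adds MKNOD:\n  %s\n", strings.Join(ValidateContainer(wildcard, bad), "\n  "))

	// Without the wildcard the allowed list must be explicit.
	explicit := Policy{AllowedCapabilities: []string{"IPC_LOCK"}}
	fmt.Printf("explicit list: %v\n", ValidateContainer(explicit, req))
}
```

The split between `ValidatePolicy` and `ValidateContainer` is the point the reviewers made about the hunk in `Validate`: configuration invariants are checked where the strategy is created, and admission only evaluates the container's request. The `FUTURE_CAP` name in the sample is deliberately not a real capability; it demonstrates why a strict administrator may prefer an explicit list over `*`.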
PTAL @pweil- @smarterclayton
Fixes #12741