Enable a simple image policy admission controller #8995
Conversation
|
In addition to signatures, we have an annotation we want to enforce against: I think we'll want a pedigree check: who made this image? This could either be a check for an author claim in a signature or a subject check of the signature itself. The problem that I see is timing. We can't sign inside the builder (doing so would expose the key), so we need to have the build controller do the signing. That means we can't tag the image until after the build controller has signed it. I'm not sure of the order today @bparees We might want multiple levels of signature checking. I think that people may want more control over which images are allowed to run as root. Combined with exec denial privileges and enforcement of entry points, this could allow a cluster-admin to curate a list of images that unprivileged users and SA could be allowed to run as root. I think one significant question is whether we like signatures better than annotations on an image? For pedigree checks I think it makes sense to prevent someone with API access from lying about who created the image. For straight denial of execution, I don't think it buys much. I can see whitelisting falling in the in-between case. I suspect that for most people, annotations controlled by API access are enough. Others may want the image to be signed by a particular subject, but I think I'd expect most of the "this image can run" logic to be held by the signer and we simply trust that subject knew what they were doing. |
order is:
|
Are these step done by the build controller or (more likely) the build pod? |
|
As a Rorschach test for image policy this is already effective. |
pod. |
Wait, if that's not what you had in your head, what were you thinking? |
|
I don't think I would want the signing key for builds to be sent to
the pods, unless users/service accounts have individual signing keys.
That's valuable for other reasons, but probably wouldn't be the first
goal. The build controller would probably be the signer.
|
|
There have been a number of issues and discussions, I'm just enjoying
that I can open an empty shell and people congregate.
|
Now I feel dirty and used! :)
I like the build controller as the signer, but the images are only available locally on the given node that ran the build. Maybe we could push to some sort of internal staging ImageStream? That would work, but it would produce quota problems. |
Unfortunately that's not really enough - most people won't enforce on the top level - they'll enforce on the root level (base) which requires us to do a join against image layers.
That's a good scenario - something that ultimately may overlap with PSP in ways we haven't discussed yet. Certainly any sort of "auto installer" style pod needs to come from a trusted root by default. @pweil- so he's aware.
I think annotations are the primary use case, and signatures would be the secondary. We would allow someone to set constraints (based on the generic metadata extracted) and check those. I'm not sure I'm interested in deep policy engine behavior on signatures in the near term. Requiring signed by or even just is signed is probably a high bar. I'd prefer to have an external engine set annotations that come from signatures if necessary. |
openshift-bot
added
the
needs-rebase
The problem is you can't trust the system that signed the image, any more On Tue, May 24, 2016 at 11:20 AM, OpenShift Bot [email protected]
|
smarterclayton
force-pushed
the
image_policy
branch
from
1095ab3 to
45fc794
Compare
|
I wrote out some scenarios in the comments of the policy API that cover the use cases that I've heard. Core goals are making the image the central policy artifact, but affordances based on everything we've done with policies so far (combination of user perm, group perm, SA checks, namespace checks, node selector) to deal with different ways of organizing topology. I'd like to do a perm check to allow bypass of certain rules, but admins have to decide to allow that (i.e. saying "no unsigned images in production" shouldn't be something a cluster-admin accidentally violates). As much as possible all annotations / labels / values should be coming from config or images or namespaces. I don't want any special values hardcoded. |
openshift-bot
removed
the
needs-rebase
openshift-bot
added
the
needs-rebase
smarterclayton
force-pushed
the
image_policy
branch
from
45fc794 to
9ad6776
Compare
openshift-bot
removed
the
needs-rebase
smarterclayton
force-pushed
the
image_policy
branch
2 times, most recently
from
d9dfa2a to
04c95de
Compare
smarterclayton
changed the title
|
|
||
| // resourcesToCheck is a map of resources and corresponding kinds of things that | ||
| // we want handled in this plugin | ||
| // TODO: Include a function that will extract the PodSpec from the resource for |
|
Also turns on the policy by default, still need to add a test-cmd.sh for to test for failure. |
new flake, import image should be tolerant to retry conflicts. |
|
I added resolution of ImageStreamTags and ImageStreamImages on Builds (to collapse them down to DockerImage) and ended up with a cleaner code path. Resolution now creates the attributes (since resolution knows the resolved image name, and ISI/ISTag also implies internal registry). The MutateImageReferenceFunc takes an Object reference, and we error on any reference that says it's an image but we don't recognize (this may fail on older builds that allowed ImageStream, but I'm ok with that I think). [ ] I need to add a deeper test on builds to verify resolution in edge cases. |
|
The lack of alias recognition really hurts the usability of this feature. It's definitely a good starting point, but can I convince you to take a patch that allows multi-name resolution if I can get it in this week? |
| matchImageAnnotations: | ||
| - key: images.openshift.io/deny-execution | ||
| value: "true" | ||
| allowResolutionFailure: true |
There was a problem hiding this comment.
I'd like this to resolve: true too.
There was a problem hiding this comment.
I don't think we should resolve without much deeper testing. It's a more
invasive change.
On Wed, Aug 10, 2016 at 9:50 AM, David Eads [email protected]
wrote:
In pkg/image/admission/imagepolicy/api/v1/default-policy.yaml
#8995 (comment):@@ -0,0 +1,20 @@
+kind: ImagePolicyConfig
+apiVersion: v1
+executionRules:
+- name: execution-denied
Reject all images that have the annotation images.openshift.io/deny-execution set to true.
This annotation may be set by infrastructure that wishes to flag particular images as dangerous
- onResources:
- resource: pods
- resource: builds
- reject: true
- matchImageAnnotations:
- key: images.openshift.io/deny-execution
- value: "true"
- allowResolutionFailure: true
I'd like this to resolve: true too.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/openshift/origin/pull/8995/files/5acd1663143e0c8196692974691537db1b40cc53#r74247302,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p2wTLrmv4FCvfIDNAbk-nQe1UdFoks5qedc4gaJpZM4IlDlb
.
There was a problem hiding this comment.
I.e. resolve changes the whole behavior of the platform. I might have
enabled it last week - but right now it would require a retest of every
failure mode.
On Wed, Aug 10, 2016 at 10:03 AM, Clayton Coleman [email protected]
wrote:
I don't think we should resolve without much deeper testing. It's a more
invasive change.On Wed, Aug 10, 2016 at 9:50 AM, David Eads [email protected]
wrote:In pkg/image/admission/imagepolicy/api/v1/default-policy.yaml
#8995 (comment):@@ -0,0 +1,20 @@
+kind: ImagePolicyConfig
+apiVersion: v1
+executionRules:
+- name: execution-denied
Reject all images that have the annotation images.openshift.io/deny-execution set to true.
This annotation may be set by infrastructure that wishes to flag particular images as dangerous
- onResources:
- resource: pods
- resource: builds
- reject: true
- matchImageAnnotations:
- key: images.openshift.io/deny-execution
- value: "true"
- allowResolutionFailure: true
I'd like this to resolve: true too.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/openshift/origin/pull/8995/files/5acd1663143e0c8196692974691537db1b40cc53#r74247302,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p2wTLrmv4FCvfIDNAbk-nQe1UdFoks5qedc4gaJpZM4IlDlb
.
|
Alias? I was up too late - explain. On Wed, Aug 10, 2016 at 8:33 AM, David Eads [email protected]
|
openshift-bot
added
the
needs-rebase
smarterclayton
force-pushed
the
image_policy
branch
from
5acd166 to
2074332
Compare
openshift-bot
removed
the
needs-rebase
smarterclayton
force-pushed
the
image_policy
branch
from
2074332 to
ba8a28a
Compare
|
Added resolution tests and a test/cmd/images.sh test to verify the default On Wed, Aug 10, 2016 at 6:01 PM, OpenShift Bot [email protected]
|
|
govet |
|
once you're green, this lgtm. |
Support basic acceptance policy, and provide an ootb default config. Lay the groundwork for future consumption and placement policy but do not enable it in the public API.
Add the default policy to bindata
smarterclayton
force-pushed
the
image_policy
branch
from
ba8a28a to
3796d2e
Compare
smarterclayton
force-pushed
the
image_policy
branch
from
3796d2e to
de0ae2d
Compare
|
@stevekuznetsov networking flake? |
|
Yeah, known issue with the Jenkins set up. re[test] |
|
The Origin test job could not be run again for this pull request.
|
|
Evaluated for origin test up to de0ae2d |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7830/) (Image: devenv-rhel7_4810) |
|
Evaluated for origin merge up to de0ae2d |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7831/) |
This adds an admission controller to OpenShift which can do the following:
Open items: