Adapt k8s-1.30 PSS

Makefile

@@ -1,4 +1,4 @@
-ENVTEST_K8S_VERSION = 1.27.1
+ENVTEST_K8S_VERSION = 1.30.0
 
 # Set the shell used to bash for better error handling.
 SHELL = /bin/bash

hooks/ephemeral_container_test.go

@@ -26,6 +26,7 @@ metadata:
   namespace: %s
   name: %s
 spec:
+  hostUsers: false
   containers:
   - name: ubuntu
     image: ghcr.io/cybozu/ubuntu

hooks/suite_test.go

@@ -72,7 +72,7 @@ var _ = BeforeSuite(func() {
 			},
 		},
 	}
-	testEnv.ControlPlane.GetAPIServer().Configure().Append("feature-gates", "ProcMountType=true")
+	testEnv.ControlPlane.GetAPIServer().Configure().Append("feature-gates", "ProcMountType=true", "UserNamespacesSupport=true")
 
 	var err error
 	k8sConfig, err = testEnv.Start()

hooks/testdata/baseline/apparmor-profile.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: apparmorprofile0
+spec:
+  securityContext:
+    appArmorProfile:
+      type: RuntimeDefault
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      appArmorProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      appArmorProfile:
+        type: RuntimeDefault

hooks/testdata/privileged/apparmor-profile.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: apparmorprofile1
+spec:
+  securityContext:
+    runAsNonRoot: true
+    appArmorProfile:
+      type: RuntimeDefault
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      appArmorProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      appArmorProfile:
+        type: Localhost
+        localhostProfile: k8s-apparmor-example-deny-write

hooks/testdata/privileged/procmount1.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     test.pod-security.cybozu.com/message: "denied the request: spec.containers[0].securityContext.procMount: Forbidden: ProcMountType Unmasked is not allowed"
 spec:
+  hostUsers: false
   securityContext:
     runAsNonRoot: true
   containers:

hooks/testdata/privileged/procmount2.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     test.pod-security.cybozu.com/message: "denied the request: spec.initContainers[0].securityContext.procMount: Forbidden: ProcMountType Unmasked is not allowed"
 spec:
+  hostUsers: false
   securityContext:
     runAsNonRoot: true
   containers:

hooks/testdata/restricted/apparmor-profile.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: apparmorprofile2
+spec:
+  securityContext:
+    runAsNonRoot: true
+    appArmorProfile:
+      type: RuntimeDefault
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      appArmorProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      appArmorProfile:
+        type: RuntimeDefault

hooks/testdata/restricted/safe-sysctl2.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: safe-sysctl-2
+spec:
+  securityContext:
+    runAsNonRoot: true
+    sysctls:
+      - name: net.ipv4.ping_group_range
+        value: "100 100"
+      - name: net.ipv4.ip_local_reserved_ports
+        value: "8080,9148"
+      - name: net.ipv4.tcp_keepalive_time
+        value: "100"
+      - name: net.ipv4.tcp_fin_timeout
+        value: "10"
+      - name: net.ipv4.tcp_keepalive_intvl
+        value: "60"
+      - name: net.ipv4.tcp_keepalive_probes
+        value: "5"
+  containers:
+    - name: ubuntu
+      image: ghcr.io/cybozu/ubuntu

hooks/validate_pod_test.go

@@ -44,21 +44,18 @@ var _ = Describe("validate Pod webhook", func() {
 		validatePod(filepath.Join("testdata", "baseline"), "privileged", true)
 		validatePod(filepath.Join("testdata", "restricted"), "privileged", true)
 	})
-
 	It("should deny privileged pods in hostpath namespace", func() {
 		validatePod(filepath.Join("testdata", "privileged"), "hostpath", false)
 		validatePod(filepath.Join("testdata", "hostpath"), "hostpath", true)
 		validatePod(filepath.Join("testdata", "baseline"), "hostpath", true)
 		validatePod(filepath.Join("testdata", "restricted"), "hostpath", true)
 	})
-
 	It("should deny privileged and hostpath pods in baseline namespace", func() {
 		validatePod(filepath.Join("testdata", "privileged"), "baseline", false)
 		validatePod(filepath.Join("testdata", "hostpath"), "baseline", false)
 		validatePod(filepath.Join("testdata", "baseline"), "baseline", true)
 		validatePod(filepath.Join("testdata", "restricted"), "baseline", true)
 	})
-
 	It("should deny privileged, hostpath, and baseline pods in restricted namespace", func() {
 		validatePod(filepath.Join("testdata", "privileged"), "restricted", false)
 		validatePod(filepath.Join("testdata", "hostpath"), "restricted", false)

hooks/validators/deny_unsafe_apparmor.go

@@ -22,5 +22,45 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 			errs = append(errs, field.Forbidden(p.Key(k), fmt.Sprintf("%s is not an allowed AppArmor profile", v)))
 		}
 	}
+
+	p0 := field.NewPath("spec").Child("SecurityContext")
+	hasPodAppArmorProfile := pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.AppArmorProfile != nil
+	if hasPodAppArmorProfile {
+		isTypeUnconfined := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
+		isTypeRuntimeDefault := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
+		isTypeLocalhost := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
+		hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+		if  hasNotAllowedType {
+			errs = append(errs, field.Forbidden(p0.Child("AppArmorProfile"), "not an allowed *** AppArmor *** profile"))
+		}
+	}
+
+	p1 := p.Child("containers")
+	for i, co := range pod.Spec.Containers {
+		hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
+		if hasPodAppArmorProfile {
+		    isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
+			isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
+			isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
+			hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+			if  hasNotAllowedType {
+				errs = append(errs, field.Forbidden( p1.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any" )))
+			}
+		}
+	}
+
+	p2 := p.Child("initContainers")
+	for i, co := range pod.Spec.Containers {
+		hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
+		if hasPodAppArmorProfile {
+			isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
+			isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
+			isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
+			hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+			if  hasNotAllowedType {
+				errs = append(errs, field.Forbidden( p2.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any" )))
+			}
+		}
+	}
 	return errs
 }

hooks/validators/deny_unsafe_sysctls.go

@@ -14,6 +14,11 @@ var allowedSysctls = map[string]struct{}{
 	"net.ipv4.tcp_syncookies":             {},
 	"net.ipv4.ping_group_range":           {},
 	"net.ipv4.ip_unprivileged_port_start": {},
+	"net.ipv4.ip_local_reserved_ports":    {}, // since Kubernetes 1.27
+	"net.ipv4.tcp_keepalive_time":         {}, // since Kubernetes 1.29
+	"net.ipv4.tcp_fin_timeout":            {}, // since Kubernetes 1.29
+	"net.ipv4.tcp_keepalive_intvl":        {}, // since Kubernetes 1.29
+	"net.ipv4.tcp_keepalive_probes":       {}, // since Kubernetes 1.29
 }
 
 // DenyUnsafeSysctls is a Validator that denies usage of unsafe sysctls