Run queue proxy with restricted profile

[skonto]

Fixes partially #13308

Proposed Changes

• Allows to run a ksvc in a namespace with restricted profile enabled. Without this patch we get the following issue on 1.25 (see instructions next):

Warning FailedCreate replicaset/helloworld-go-00001-deployment-584759b77b (combined from similar events): Error creating: pods "helloworld-go-00001-deployment-584759b77b-tmxxd" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "user-container" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "queue-proxy" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "user-container", "queue-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

• To test follow instructions here.
• Discussed here.

Release Note

Queue proxy explicit set `SeccompProfile` to `RunTimeDefault` to be able to run under restricted PSP policy by default.

[skonto]

We don't allow the user to set the following two properties. So we enforce the defaults here to make it pass the PSP auditing.

[evankanderson]

@mattmoor just made allowPrivilegeEscalation pass-through in #13395 , though we could force it to false as we do here instead.

[evankanderson]

I sent #13401 to allow setting this in the Revision Spec (e.g. in Service).

[codecov]

Codecov Report

Base: 86.47% // Head: 86.47% // No change to project coverage 👍

Coverage data is based on head (f3360cf) compared to base (6264c1b).
Patch has no changes to coverable lines.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #13376   +/-   ##
=======================================
  Coverage   86.47%   86.47%           
=======================================
  Files         196      196           
  Lines       14551    14551           
=======================================
  Hits        12583    12583           
  Misses       1669     1669           
  Partials      299      299           

Impacted Files	Coverage Δ
pkg/reconciler/revision/resources/queue.go	98.23% <ø> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[psschwei]

Couple of minor things, but otherwise this looks good to me:

• could you add a release note?
• this won't work with kourier (it doesn't set runAsNotRoot = true)... don't think that blocks us here, just wanted to make a note of it

[skonto]

this won't work with kourier (it doesn't set runAsNotRoot = true)... don't think that blocks us here, just wanted to make a note of it

If you mean the gateway yes. I will take a look to fix it. Downstream we already run without root.

[skonto]

@psschwei gentle ping, added the release note and created knative-extensions/net-kourier#934.

[psschwei]

/lgtm
/approve
/hold

to give @dprotaso a chance to weigh in

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: psschwei, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/OWNERS [psschwei]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[evankanderson]

I think we may want to pass-through the allowPrivilegeEscalation and seccompProfile fields, and then add a feature flag to default them to safe values if not provided.

I hadn't hit on this until the other day seeming @mattmoor 's #13395 , but I think I'd feel most happy long term with "didn't set anything" meaning secure, but allowing people to explicitly be insecure when needed (maybe with warnings)

[evankanderson]

@mattmoor just made allowPrivilegeEscalation pass-through in #13395 , though we could force it to false as we do here instead.

[skonto]

@evankanderson I also mentioned on slack that allowing users to configure stuff on their own was more user friendly than having everything explicitly set without ability to change on demand. Also as you said users can choose their security level. For some properties though you can be opinionated and set explicitly the defaults instead of optionally applying them as in #13398 as long as users can remove them. This can be done, given our experience of what users need in practice eg. usually you dont want a service to escalate privileges. Another approach is to define security application as a downstream issue only. We have options depending on the strategy, do we want to be secure by default? My understanding is that this concept applies to other features like internal-encryption etc. Btw I am not sure if @mattmoor was aware of this PR or discussion. Should I close this PR and enable all stuff in #13398 or keep this PR with the queue proxy changes only?

(maybe with warnings)

You get the warning anyways from psp no need to add more imho.

[skonto]

I guess this takes precedence compared to podsecurityContext.SeccompProfile.

[evankanderson]

Yes, it does.

[evankanderson]

Can users see the PSP / PSA warnings when they apply a Knative Service? If so, then I'd agree about not needing a second set of warnings that settings are possibly dangerous.

In #13399, I tried to add a warning because our future behavior might change, which could break a small number of applications.

Upon reflection, I think giving the defaulting of security properties time to sit rather than rushing it for release is probably the right idea, particularly given the issues hit by #13399.

[evankanderson]

I'm still willing to approve the queue-proxy side of this, but I don't want to add a breaking behavioral change without some sort of "out" for users.

[skonto]

/test istio-latest-no-mesh

[psschwei]

FYI @skonto I updated the PR title / release note since these changes are just on QP now.
/lgtm

[skonto]

@psschwei thank you, ok to unhold?

[psschwei]

/hold cancel