Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

recording: Emit event when attempting to record a privileged container + add docs #1156

Merged
merged 2 commits into from
Sep 9, 2022
Merged

recording: Emit event when attempting to record a privileged container + add docs #1156

merged 2 commits into from
Sep 9, 2022

Conversation

jhrozek
Copy link
Contributor

@jhrozek jhrozek commented Sep 8, 2022
edited
Loading

What type of PR is this?

/kind cleanup
/kind documentation

What this PR does / why we need it:

  • docs: Document that the log based recorder can't record privileged pods - adds docs that make it clear that we can't record privileged containers using the log enricher
  • recording: Issue an event if a privileged pod is recorded with a log-based recorder - when log enricher is used to record privileged containers, attach an event to the recording object

Which issue(s) this PR fixes:

None

Does this PR have test?

No

Special notes for your reviewer:

N/A

Does this PR introduce a user-facing change?

If the log-based recorder is in use and the user attempts to either record a container which already had its SecurityContext set or attempts to record a privileged container (which ignores both seccomp profiles and selinux contexts), the profile recording webhook issues a warning event.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. kind/documentation Categorizes issue or PR as related to documentation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Sep 8, 2022
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 8, 2022
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 8, 2022
@jhrozek jhrozek force-pushed the record_logs_privileged branch 2 times, most recently from 81ad4d7 to d7a34f8 Compare September 8, 2022 21:19
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 9, 2022
@JAORMX
Copy link
Contributor

JAORMX commented Sep 9, 2022

/lgtm cancel
@jhrozek This is actually a user facing change, so this should have a relevant release note.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 9, 2022
saschagrunert
saschagrunert reviewed Sep 9, 2022
View reviewed changes
installation-usage.md
Comment on lines +456 to +457
Please note that log based recording does not have any effect if the recorded container
is privileged, that is, the container's security context sets `privileged: true`. This
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we wanna behave in the same way if we already have a seccomp profile applied to the container?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there might be a use-case for still recording a workload even if there's a profile applied to it. e.g. verifying that the applied profile is sufficient.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But for the log enricher we would override the existing profile.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For Seccomp? I thought it was only the case for SELinux.

Copy link
Contributor Author

@jhrozek jhrozek Sep 9, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we wanna behave in the same way if we already have a seccomp profile applied to the container?

I'm sorry, can you elaborate? Are you thinking about the case where someone records a workload while already specifying the profile in the first place?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The webhook just updates the security context for log based seccomp profile recordings:

security-profiles-operator/internal/pkg/webhooks/recording/recording.go

Lines 250 to 268 in 1e4dfea

func (p *podSeccompRecorder) updateSeccompSecurityContext(
ctr *corev1.Container,
) {
if ctr.SecurityContext == nil {
ctr.SecurityContext = &corev1.SecurityContext{}
}
if ctr.SecurityContext.SeccompProfile == nil {
ctr.SecurityContext.SeccompProfile = &corev1.SeccompProfile{}
}
ctr.SecurityContext.SeccompProfile.Type = corev1.SeccompProfileTypeLocalhost
profile := fmt.Sprintf(
"operator/%s/%s.json",
p.impl.GetOperatorNamespace(),
config.LogEnricherProfile,
)
ctr.SecurityContext.SeccompProfile.LocalhostProfile = &profile
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we wanna behave in the same way if we already have a seccomp profile applied to the container?

I'm sorry, can you elaborate? Are you thinking about the case where someone records a workload while already specifying the profile in the first place?

Yes, exactly. We could assume that users do not understand how it works in detail, so I'm wondering if we wanna make them aware that we overwrote their already used seccomp profile.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, makes sense. btw it seems like we were overwriting the context for SELinux recording as well, so I added events to both.

@jhrozek
recording: Issue an event if a privileged pod is recorded with a log-…
fc64b1d 
…based recorder

In addition to documenting that privileged pods can't be recorded with a
log-based recorder, let's also issue an event.
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Sep 9, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 9, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JAORMX, jhrozek, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [JAORMX,jhrozek,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 64ba55b into kubernetes-sigs:main Sep 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JAORMX JAORMX JAORMX approved these changes

@saschagrunert saschagrunert saschagrunert approved these changes

Assignees

@JAORMX JAORMX

@saschagrunert saschagrunert

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. kind/documentation Categorizes issue or PR as related to documentation. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jhrozek @JAORMX @k8s-ci-robot @saschagrunert