NSC - Add support for K8S PSS restricted/baseline profiles (for hostPath volumes)

[pnavali]

Motivation

K8S 1.25 release deprecates PSP (Pod security policy) and enables PSS (Pod Security Standards)/PSA (Pod Security Admission controller) by default. The PSS has 3 profiles - Privileged, Baseline and Restricted.
NSC requires hostPath volumes for unix sockets. HostPath volumes are not permitted in Baseline/Restricted profiles.

Need a solution for NSC to work in Baseline/Restricted profiles.

Couple of options:

• NSM CSI driver : Add a NSM CSI driver plugin to mount the hostPath volume.
• Use network sockets instead of unix sockets and eliminate the need for hostPath volume.

References

https://kubernetes.io/docs/concepts/security/pod-security-standards/

[denis-tingaikin]

Decomposition:

• Implement NSM CSI driver ~ 14h
• Test NSM CSI driver (nsmgr sidecar/pod) ~ 7h
• Test NSM CSI driver + NSM infra ~ 7h
• Add NSM CSI driver yaml deployment ~ 4h
• Include Feature into new example ~7h
• Pass tests ~7h
• Pass review ~3h

TOTAL: 49h

[glazychev-art]

To use CSI, we need to change the volumes type from hostPath to csi on NSC and NSE.
For example:

      volumes:
        - name: nsm-socket
          hostPath:
            path: /var/lib/networkservicemesh
            type: DirectoryOrCreate

becomes

      volumes:
        - name: nsm-socket
          csi:
            driver: "csi.networkservicemesh.io"
            readOnly: true

To test NSM-CSI on CI, we will need to modify our examples.

We have 2 options:

1. Get rid of the use of hostPath in all our examples in favor of CSI
2. Continue using hostPath, but create duplicate tests for CSI examples

[glazychev-art]

Current state:
As described above, PSS has 3 profiles - Privileged, Baseline and Restricted.

1. Privileged works, because it has no restrictions.
2. Baseline also works, since the main limitation is the use of hostPath, and this will be fixed by the NSM CSI driver
3. Restricted - it has many limitations - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
   We fixed one issue - Livelinesschecker now works in non-privileged mode. And that's enough for a basic example.

But we have other problems with restricted profile:

• Local DNS Server on the NSC. We have denied access to edit /etc/resolv.conf, as well as the use of the :53 port.
• VL3 DNS probably has the same problems
• VPP applications also cannot be used, because vpphelper also needs rights (mkdir /etc/vpp/helper: permission denied)
• nsm-system namespace is in a policy exemptions because the applications require privileged mode (nsmgr requires hostPath, forwarder configures endpoints ...)
• other issues not yet found.

[edwarnicke]

• VPP applications also cannot be used, because vpphelper also needs rights (mkdir /etc/vpp/helper: permission denied)

This should be fixable using the WithRootDir option for vpphelper.

[denis-tingaikin]

@edwarnicke , @glazychev-art

I guess this one could be closed and we could create another one with remaining problems for next release.