Updates to KEP for Windows Security Options#975
Merged
k8s-ci-robot merged 1 commit intokubernetes:masterfrom Apr 30, 2019
ddebroy:master
Merged
Updates to KEP for Windows Security Options#975k8s-ci-robot merged 1 commit intokubernetes:masterfrom ddebroy:master
k8s-ci-robot merged 1 commit intokubernetes:masterfrom
ddebroy:master
Conversation
Contributor
Author
|
/assign @PatrickLang @michmike @liggitt |
Contributor
Author
|
/kind api-change |
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
liggitt
reviewed
Apr 24, 2019
| ## Proposal | ||
|
|
||
| In this KEP we propose a new field named `WindowsOptions` in the `PodSecurityContext` struct (associated with a pod spec) and the `SecurityContext` struct (associated with each container in a pod). `WindowsOptions` will be a pointer to a new struct of type `WindowsSecurityOptions`. The `WindowsSecurityOptions` struct will contain Windows OS specific security attributes scoped either at the pod level (applicable to all containers in the pod) or at the individual container level (that can override the pod level specification). Initially, the `WindowsSecurityOptions` struct will have the following fields: | ||
| In this KEP we propose a new field named `WindowsOptions` in the `PodSecurityContext` struct (associated with a pod spec) and the `SecurityContext` struct (associated with each container in a pod). `WindowsOptions` will be a pointer to a new struct of type `WindowsOptions`. Having the field name and struct type name being the same has [precedence] (https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/core/v1/types.go). The `WindowsOptions` struct will contain Windows OS specific security attributes scoped either at the pod level (applicable to all containers in the pod) or at the individual container level (that can override the pod level specification). This is inspired by the existing `SELinuxOptions` field that groups Linux specific SELinux options. Initially, the `WindowsOptions` struct will have the following fields: |
Member
There was a problem hiding this comment.
suggest the type name be WindowsSecurityContextOptions, to indicate the context in which it is used
liggitt
reviewed
Apr 24, 2019
| securityContext: | ||
| windowsOptions: | ||
| gmsaCredentialSpecName: webapp1-credspec | ||
| runAsUserName: "NT AUTHORITY\NETWORK SERVICE" |
Member
There was a problem hiding this comment.
nit for the example, would need \\ because it's in a yaml string (applies to all)
Member
|
fill in the |
Contributor
Author
|
Addressed the comments so far from the meeting and on the PR (so far). Ready for another round of review @liggitt @PatrickLang |
liggitt
reviewed
Apr 26, 2019
| The fields within the `WindowsSecurityContextOptions` struct will be validated as follows: | ||
| - GMSACredentialSpecName: This field will be the name of a custom resource. It should follow the rules associated with [naming of resources](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names) in Kubernetes. Only the length will be checked to make sure it is below 64 characters. | ||
| - GMSACredentialSpec: The size of the CredentialSpec JSON blob should be limited to avoid abuse. We will limit it to 64K which allows for a lot of room to specify extremely complicated credential specs. Typically this JSON blob is not expected to be more than 1K based on experience so far. | ||
| - RunAsUserName: This field needs to allow for a valid set of usernames allowed for Windows containers. Currently the OCI spec or Windows documentation does not specify any clear restrictions around the length of this parameter or restrictions around usage of special characters when passed to the container runtime and eventually to Windows HCS. So Kubernetes validation won't enforce any character set validation. A maximum length of 64 characters will be allowed to prevent abuse. |
Member
There was a problem hiding this comment.
I thought we discussed this as 256 characters?
Member
There was a problem hiding this comment.
we don't want to make this stricter than what windows would accept, is there a clear limit specified there?
Contributor
Author
There was a problem hiding this comment.
Agree. But I am not able to find a clear limit specified anywhere in MSDN or moby/moby today around the above. @PatrickLang any thoughts on ^ ?
liggitt
reviewed
Apr 26, 2019
|
|
||
| The fields within the `WindowsSecurityContextOptions` struct will be validated as follows: | ||
| - GMSACredentialSpecName: This field will be the name of a custom resource. It should follow the rules associated with [naming of resources](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names) in Kubernetes. Only the length will be checked to make sure it is below 64 characters. | ||
| - GMSACredentialSpec: The size of the CredentialSpec JSON blob should be limited to avoid abuse. We will limit it to 64K which allows for a lot of room to specify extremely complicated credential specs. Typically this JSON blob is not expected to be more than 1K based on experience so far. |
Member
There was a problem hiding this comment.
it amuses me to no end that we literally have our own "64k ought to be enough for anyone" :)
liggitt
reviewed
Apr 26, 2019
| #### Validation of fields | ||
|
|
||
| The fields within the `WindowsSecurityContextOptions` struct will be validated as follows: | ||
| - GMSACredentialSpecName: This field will be the name of a custom resource. It should follow the rules associated with [naming of resources](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names) in Kubernetes. Only the length will be checked to make sure it is below 64 characters. |
Member
There was a problem hiding this comment.
clarify this will validate the string is a GMSACredentialSpec name (length and format)
Member
|
a couple comments about the validation, lgtm otherwise |
wk8
added a commit
to wk8/kubernetes
that referenced
this pull request
Apr 26, 2019
As outlined in the KEP at https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190418-windows-security-context.md and improvements on it at kubernetes/enhancements#975 For now this struct is left empty, as discussed in the KEP (see above) and as previously discussed with Jordan Liggitt. It will allow adding GMSA and options as well as `RunAsUserName` options; both of which have already been pre-implemented respectively at kubernetes#75459 and kubernetes#73609; and both of which will need to be re-based to make use of the new struct. Signed-off-by: Jean Rouge <rougej+github@gmail.com>
Contributor
Author
|
Clarified some of the validation as requested. |
Member
|
lgtm, can squash once other reviewers are happy |
PatrickLang
reviewed
Apr 29, 2019
|
|
||
| Overall test plans for GMSA are covered in the GMSA KEP. | ||
| An e2e test case with `[sig-windows]` label will be added to the Windows test runs to exercise and verify RunAsUserName is correctly taking effect. The test will try to bring up a pod with a container based on NanoServer, default user `ContainerUser` and the entrypoint trying to execute a privileged operation like changing the routing table inside the container. The pod spec will specify `ContainerAdministrator` as the RunAsUserName to verify the privileged operation within the container can successfully execute. Without RunAsUserName working correctly, the default user in the container will fail to execute the privileged operation and the container will exit prematurely. | ||
|
|
Contributor
There was a problem hiding this comment.
^^ :) Glad we don't need a custom image. I forgot nanoserver already had both users defined.
…ptions Signed-off-by: Deep Debroy <ddebroy@docker.com>
Member
|
/lgtm |
Contributor
|
/lgtm |
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ddebroy, liggitt, PatrickLang The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-publishing-bot
pushed a commit
to kubernetes/api
that referenced
this pull request
May 3, 2019
As outlined in the KEP at https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190418-windows-security-context.md and improvements on it at kubernetes/enhancements#975 For now this struct is left empty, as discussed in the KEP (see above) and as previously discussed with Jordan Liggitt. It will allow adding GMSA and options as well as `RunAsUserName` options; both of which have already been pre-implemented respectively at kubernetes/kubernetes#75459 and kubernetes/kubernetes#73609; and both of which will need to be re-based to make use of the new struct. Signed-off-by: Jean Rouge <rougej+github@gmail.com> Kubernetes-commit: d7aa31858e1734861131d2e8d67f94c766f9b577
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.