Add support for no_new_privs via AllowPrivilegeEscalation

[jessfraz]

What this PR does / why we need it:
Implements kubernetes/community#639
Fixes #38417

Adds AllowPrivilegeEscalation and DefaultAllowPrivilegeEscalation to PodSecurityPolicy.
Adds AllowPrivilegeEscalation to container SecurityContext.

Adds the proposed behavior to kuberuntime, dockershim, and rkt. Adds a bunch of unit tests to ensure the desired default behavior and that when DefaultAllowPrivilegeEscalation is explicitly set.

Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a setuid binary for sanity.

Release note:

Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process

[dims]

@jessfraz : sorry for a dumb question. Is this feature meant to only be active/available when the kubelet --allow-privileged is true?

[jessfraz]

@dims there is a chart in the proposal that might help, no_new_privs will be added when allowPrivilegeEscalation is false, by default this will be when a container is not privileged, adding CAP{_SYS_ADMIN, or when the uid!=0

[dims]

@jessfraz got it. thanks!

[jessfraz]

I will switch this to google_containers before merge don't worry

[jessfraz]

fixed the image to be on google container registry

[pweil-]

@php-coder

[spxtr]

/lint

[k8s-ci-robot]

@spxtr: 7 warnings.

Details

In response to this:

/lint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Golint naming: don't use underscores in Go names; func Convert_api_SecurityContext_To_v1_SecurityContext should be ConvertAPISecurityContextToV1SecurityContext. More info.

[k8s-ci-robot]

Golint naming: don't use underscores in Go names; func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec should be ConvertExtensionsPodSecurityPolicySpecToV1beta1PodSecurityPolicySpec. More info.

[k8s-ci-robot]

Golint type-inference: should omit type bool from declaration of var yyhl16; it will be inferred from the right-hand side.

[k8s-ci-robot]

Golint comments: exported function NewNoNewPrivsAdmitHandler should have comment or be unexported. More info.

[k8s-ci-robot]

Golint zero-value: should drop = 0 from declaration of var root; it is the zero value.

[k8s-ci-robot]

Golint comments: exported method LinuxContainerSecurityContext.GetNoNewPrivs should have comment or be unexported. More info.

[k8s-ci-robot]

Golint type-inference: should omit type bool from declaration of var yyhl32; it will be inferred from the right-hand side.

[spxtr]

Lint comments on generated code aren't too useful 😞

[jessfraz]

this is all updated and green :)

[tallclair]

/lgtm

[jessfraz]

/retest

…

On Jul 28, 2017 20:29, "k8s-ci-robot" ***@***.***> wrote: @jessfraz <https://github.com/jessfraz>: The following test *failed*, say /retest to rerun them all: Test name Commit Details Rerun command pull-kubernetes-e2e-kops-aws a5e4c6f <a5e4c6f> link <https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/47019/pull-kubernetes-e2e-kops-aws/37905/> /test pull-kubernetes-e2e-kops-aws Full PR test history <https://k8s-gubernator.appspot.com/pr/47019>. Your PR dashboard <https://k8s-gubernator.appspot.com/pr/jessfraz>. Please help us cut down on flakes by linking to <https://github.com/kubernetes/community/blob/master/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/kubernetes/kubernetes/issues?q=is:issue+is:open> when you hit one in your PR. Instructions for interacting with me using PR comments are available here <https://github.com/kubernetes/community/blob/master/contributors/devel/pull-requests.md>. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> repository. I understand the commands that are listed here <https://github.com/kubernetes/test-infra/blob/master/commands.md>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#47019 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABYNbAH6PtUVf8iRfE-Y0MPavb0NcJfuks5sSnz8gaJpZM4Nw1Aj> .

[jessfraz]

ping @smarterclayton for approval 😇

[smarterclayton]

API approved as per the proposal and discussion on the thread.

/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jessfraz, smarterclayton, tallclair

Associated issue: 639

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these OWNERS Files:

• api/OWNERS [smarterclayton]
• docs/OWNERS [smarterclayton]
• federation/OWNERS [smarterclayton]
• pkg/OWNERS [smarterclayton]
• staging/src/k8s.io/api/OWNERS [smarterclayton]
• test/OWNERS [smarterclayton]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[jessfraz]

/test pull-kubernetes-bazel

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

[mkumatag]

Is there any specif reason why we are using C code? I see even os library in go has Geteuid() which can be used.

[jessfraz]

Does it matter?

[mkumatag]

Yes. For multi arch test images we are planning to have all images under kubernetes/tests/images directory for supported architectures like amd64, arm, arm64, ppc64le. So its always very easy to cross build the go code over a C code.

[grodrigues3]

Which sig does this fall under?

[jessfraz]

sig-auth

…

On Aug 16, 2017 13:48, "grodrigues3" ***@***.***> wrote: Which sig does this fall under? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#47019 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABYNbK92W_zltYwO7qZXMwUV2LuPWlcsks5sYyuFgaJpZM4Nw1Aj> .

[jessfraz]

Sure thanks

…

On Aug 29, 2017 08:56, "Vyacheslav Semushin" ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In pkg/apis/extensions/v1beta1/types.go <#47019 (comment)> : > @@ -933,6 +933,15 @@ type PodSecurityPolicySpec struct { // host paths may be used. // +optional AllowedHostPaths []string `json:"allowedHostPaths,omitempty" protobuf:"bytes,15,opt,name=allowedHostPaths"` + // DefaultAllowPrivilegeEscalation controls the default setting for whether a + // process can gain more privileges than it's parent process. + // // +optional @jessfraz <https://github.com/jessfraz> I see that s/it's parent/its parent/ wasn't fixed. Do you want me to prepare PR for that? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#47019 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABYNbBeUnZqwIVlGeDLR3xA0vePnRL7_ks5sdAqSgaJpZM4Nw1Aj> .

[php-coder]

I see that tests don't cover that case of using InitContainers? Does this validation work for them? I assume that it should but I don't see any mentions about them in the code.

[php-coder]

@jessfraz Should we handle InitContainers here too? Looks like, yes, we should.

[jessfraz]

Are init containers handled differently that should probably be documented somewhere so it's not overlooked unless I missed it

[php-coder]

As far I understand, the most of the code from this PR is handling initContainers correctly because it works only with securityContext. The existing infrastructure is aware about containers/initContainers and executes validation on their SecurityContexts.

But when we're manually inspecting PodSpec we obligated to take care about initContainers. In this particular case, I see that noNewPrivsRequired() will return false for a pod that has initContainers with allowPrivielegeEscalation=false. I'm not sure what will be the consequence of this, perhaps allowPrivielegeEscalation=false won't work for a pod?

[php-coder]

@jessfraz Are we missing the case "when a container is not run as root" here?

[jessfraz]

We got rid of that functionality

[php-coder]

And the proposal is outdated now? https://github.com/kubernetes/community/blob/f149433600ff1795521e7d9f2ae8ff3162394c61/contributors/design-proposals/no-new-privs.md#changes-of-securitycontext-objects

[php-coder]

Also some tests can be deleted then:

kubernetes/pkg/securitycontext/util_test.go

Lines 203 to 212 in 28f6b3f

	"allowPrivilegeEscalation nil nonRoot": {
	sc: v1.SecurityContext{
	RunAsUser: &nonRoot,
	},
	},
	"allowPrivilegeEscalation nil root": {
	sc: v1.SecurityContext{
	RunAsUser: &root,
	},
	},