Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

More comprehensive securityContext settings in helm chart #3850

Open
rptaylor opened this issue Dec 13, 2024 · 13 comments · May be fixed by #3925
Open

More comprehensive securityContext settings in helm chart #3850

rptaylor opened this issue Dec 13, 2024 · 13 comments · May be fixed by #3925
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@rptaylor
Copy link
Contributor

In #874 , customizable securityContexts were added for the pod, and the manager container, but not the kube-rbac-proxy container.

Consequently it is not possible to make the kueue chart abide by Pod Security Standards and it can not be installed on a cluster that enforces them.
Rather than introducing more customizability for another container, it should just define the minimal securityContext that it requires. What does kube-rbac-proxy container do? Will it work with dropping all capabilities by default, RuntimeDefault seccompprofile, allowPrivilegeEscalation: false ?

I can make a PR but the security requirements needed for the application to run properly must be defined (e.g. by someone who knows the code base and what the application does).

@rptaylor rptaylor added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 13, 2024
@rptaylor
Copy link
Contributor Author

It looks like this component will be removed: #3760

@kannon92
Copy link
Contributor

I think adding this would be useful.

@mbobrovskyi and @mimowo i don’t think the rbac proxy will go into 0.10 so should we implement some support for this?

@mimowo
Copy link
Contributor

mimowo commented Dec 16, 2024

Actually, maybe I should prioritize that PR. I would prefer to invest effort into the container that is going away soon-ish

@mimowo
Copy link
Contributor

mimowo commented Dec 16, 2024

@rptaylor @kannon92 the change #3760 was a little bit too big to include for 0.10, but it solves the concern of the container long-term for 0.11. So I would suggest we close the issue.

For the short-term work-around I think you could patch the Kueue deployment for 0.10 setting the appropriate security context - TBH I'm not sure what is the optimal setting here.

@kannon92
Copy link
Contributor

Sounds good to me.

@rptaylor kueue does not manage the proxy image so we aren’t sure the impacts of the security settings. If you find out what works please feel free to add a doc update or update this thread with your findings.

@rptaylor
Copy link
Contributor Author

Thanks for finishing that PR! Do you know when v0.11 will be released?

@mimowo
Copy link
Contributor

mimowo commented Dec 17, 2024

Generally Kueue is aiming for releases every 2-3 months. So, the next we are planning for Feb 2025, but it might slip to March.

cc @mwysokin @mwielgus

@rptaylor
Copy link
Contributor Author

rptaylor commented Dec 17, 2024

Actually this also pertains to the manager container. If PSS is enforced on a cluster, these additional settings are required to install kueue, and can be set with .Values.controllerManager.manager.podSecurityContext and/or .Values.controllerManager.manager.containerSecurityContext thanks to #878

          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault

But if it can be confirmed that the manager container doesn't need any capabilities or special seccomp profile, wouldn't it be better to make kueue more secure by default and reduce the extra steps needed to use PSS?

@mimowo
Copy link
Contributor

mimowo commented Dec 18, 2024

But if it can be confirmed that the manager container doesn't need any capabilities or special seccomp profile

I would be surprised if kueue manager requires a special seccomp profile

wouldn't it be better to make kueue more secure by default and reduce the extra steps needed to use PSS?

I'm open to the possibility, but can you explain more precisely what you mean? What are the steps you want to reduce and how? changing the default?

If this continues to work on kind, gke, openshift etc. ootb, and we keep it configurable for some more restrictive environments, then I'm good to try. cc @dgrove-oss

@rptaylor
Copy link
Contributor Author

@mimowo Yes, if it is confirmed that kueue does not require any special capabilities or seccomp profile, then I would propose to drop all capabilities and set RuntimeDefault by default, as in #3850 (comment)

@mimowo
Copy link
Contributor

mimowo commented Dec 19, 2024

I see, I did a sanity check on GKE and it worked fine with the snippet proposed in #3850 (comment).

So, I'm good to move forward with that, but we need to be careful about current installations, so maybe we should consider an opt-out configuration parameter in help, wdyt @tenzen-y ? @rptaylor do you see some risks, where would you be coming from?

Feel free to post a PR.

@tenzen-y
Copy link
Member

tenzen-y commented Jan 3, 2025

So, I'm good to move forward with that, but we need to be careful about current installations, so maybe we should consider an opt-out configuration parameter in help, wdyt @tenzen-y ? @rptaylor do you see some risks, where would you be coming from?

I'm ok with setting those securityContexts by default in kustomize manifests and Helm chart.
IIUC, these securityContexts do not have any impact on the Kueue behavior, right?

@rptaylor
Copy link
Contributor Author

rptaylor commented Jan 3, 2025

IIUC, these securityContexts do not have any impact on the Kueue behavior, right?

That is a question for kueue developers. Presumably kueue does not rely on any capabilities ? Moreover, kueue already runs as NonRoot by default, and has allowPrivilegeEscalation false, so I believe it can not have any capabilities beyond the default granted by the container runtime. That being said, each container runtime may grant different default capabilities, so this results in inconsistent behaviour. For reproducible behaviour any required capabilities should be explicitly defined, and all others should be dropped.

As for the seccompProfile, as long as kueue doesn't do any syscalls to the kernel, this should also be fine.

Here is the PR: #3925

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants