|
19 | 19 | - [Creating a Debug Container by copy](#creating-a-debug-container-by-copy) |
20 | 20 | - [Modify Application Image by Copy](#modify-application-image-by-copy) |
21 | 21 | - [Node Troubleshooting with Privileged Containers](#node-troubleshooting-with-privileged-containers) |
| 22 | + - [Debugging Profiles](#debugging-profiles) |
| 23 | + - [Default Profile and Automation Selection](#default-profile-and-automation-selection) |
| 24 | + - [Profile: debug](#profile-debug) |
| 25 | + - [Profile: baseline](#profile-baseline) |
| 26 | + - [Profile: restricted](#profile-restricted) |
| 27 | + - [Profile: sysadmin](#profile-sysadmin) |
| 28 | + - [Profile: netadmin](#profile-netadmin) |
22 | 29 | - [User Stories](#user-stories) |
23 | 30 | - [Operations](#operations) |
24 | 31 | - [Debugging](#debugging) |
@@ -300,6 +307,124 @@ Examples: |
300 | 307 | kubectl debug node/mynode -it --image=busybox |
301 | 308 | ``` |
302 | 309 |
|
| 310 | +### Debugging Profiles |
| 311 | + |
| 312 | +Since launching `kubectl debug` we've received feedback that more configurability |
| 313 | +is needed for generated pods and containers. |
| 314 | + |
| 315 | +* [kubernetes/kubernetes#97103]: ability to set capability `SYS_PTRACE` |
| 316 | +* [kubernetes/kubectl#1051]: ability to set privileged |
| 317 | +* [kubernetes/kubectl#1070]: strip probes on pod copy |
| 318 | +* (various): ability to set `SYS_ADMIN` and `NET_ADMIN` capabilities |
| 319 | + |
| 320 | +These requests are relevant for all debugging journeys. That is, a user may want to |
| 321 | +set `SYS_ADMIN` while debugging a node, a pod by ephemeral container, or a pod by copy. |
| 322 | +`kubectl debug` is intended to guide the user through a debugging scenario, and |
| 323 | +requiring the user to specify a series of flags on the command line is a poor experience. |
| 324 | + |
| 325 | +Instead, we'll introduce "Debugging profiles" which are configurable via a single command |
| 326 | +line flag, `--profile`. A user may then use, for example, `--profile=netadmin` when |
| 327 | +debugging a node to create a pod with the `NET_ADMIN` capaibility. |
| 328 | + |
| 329 | +The available profiles will be: |
| 330 | + |
| 331 | +| Profile | Description | |
| 332 | +| ------------ | --------------------------------------------------------------- | |
| 333 | +| debug | A reasonable set of defaults tailored for each debuging journey | |
| 334 | +| baseline | Compatible with baseline [Pod Security Standard] | |
| 335 | +| restricted | Compatible with restricted [Pod Security Standard] | |
| 336 | +| auto | Automatically choose between debug, baseline, and restricted | |
| 337 | +| sysadmin | System Administrator (root) privileges | |
| 338 | +| netadmin | Network Administrator privileges. | |
| 339 | +| legacy | Backwards compatibility with 1.22 behavior | |
| 340 | + |
| 341 | +Debugging profiles are intended to work seamlessly with the [Pod Security Standard] |
| 342 | +enforced by the [PodSecurity] admission controller. The baseline and restricted |
| 343 | +profiles will generate configuration compatible with the corresponding security |
| 344 | +level. |
| 345 | + |
| 346 | +It might be possible to support user-configurable profiles, but it's not a goal of |
| 347 | +this KEP, and we have no plans to implement it. |
| 348 | + |
| 349 | +[Pod Security Standards]: https://kubernetes.io/docs/concepts/security/pod-security-standards/ |
| 350 | +[PodSecurity]: http://kep.k8s.io/2579 |
| 351 | + |
| 352 | +#### Default Profile and Automation Selection |
| 353 | + |
| 354 | +The profile named "debug" will generate the best configuration for a particular |
| 355 | +debugging journey, for example including `SYS_PTRACE` for ephemeral containers |
| 356 | +so that a debugging container may signal and attach to other processes. |
| 357 | + |
| 358 | +The profile named "auto" will choose between "debug", "baseline", and "restricted" |
| 359 | +by looking `pod-security.kubernetes.io/enforce` annotation on the namespace and |
| 360 | +choosing the most permission of "debug", "baseline", and "restricted" that will |
| 361 | +be allowed by default. In this way it will choose a default that's always |
| 362 | +compatible with the current security policy. |
| 363 | + |
| 364 | +When not `--profile` is not specified it will default to "legacy" to be backwards |
| 365 | +compatible with the current behavior and print a warning that the behavior will |
| 366 | +change starting with release 1.25. Starting with 1.25 the default will be "auto". |
| 367 | + |
| 368 | +Even with automatic selection it's still desirable to be able to specify "debug", |
| 369 | +"baseline", and "restricted" explicitly. In the future there will be an optional |
| 370 | +"break glass" mechanism to bypass the current security policy for debugging. |
| 371 | + |
| 372 | +#### Profile: debug |
| 373 | + |
| 374 | +| Journey | Debug Container Behavior | |
| 375 | +| ------------------- | -------------------------------------------------------------------------- | |
| 376 | +| Node | empty securityContext; uses host namespaces, mounts root partition | |
| 377 | +| Pod Copy | sets `SYS_PTRACE` in debugging container, sets shareProcessNamespace | |
| 378 | +| Ephemeral Container | sets `SYS_PTRACE` in ephemeral container | |
| 379 | + |
| 380 | +This profile is intended to be a useful default. For pod debugging it sets `SYS_PTRACE` and uses |
| 381 | +pod-scoped namespaces. Probes and labels are stripped from Pod copies to ensure the copy isn't |
| 382 | +killed and doesn't receive traffic during debugging. |
| 383 | + |
| 384 | +Node debugging uses host-scoped namespaces but doesn't otherwise request escalated privileges. |
| 385 | + |
| 386 | +#### Profile: baseline |
| 387 | + |
| 388 | +| Journey | Debug Container Behavior | |
| 389 | +| ------------------- | -------------------------------------------------------------------------- | |
| 390 | +| Node | empty securityContext; uses isolated namespaces | |
| 391 | +| Pod Copy | empty securityContext; sets shareProcessNamespace | |
| 392 | +| Ephemeral Container | empty securityContext | |
| 393 | + |
| 394 | +This profile eliminates the privileges from "debug" that are disallowed under the baseline security |
| 395 | +profile, such as host namespaces, host volume mounts and `SYS_PTRACE`. |
| 396 | + |
| 397 | +#### Profile: restricted |
| 398 | + |
| 399 | +| Journey | Debug Container Behavior | |
| 400 | +| ------------------- | -------------------------------------------------------------------------- | |
| 401 | +| Node | empty securityContext; uses private namespaces | |
| 402 | +| Pod Copy | empty securityContext; sets shareProcessNamespace | |
| 403 | +| Ephemeral Container | empty securityContext | |
| 404 | + |
| 405 | +This profile adds configuration to "baseline" that's required under the restricted security profile, |
| 406 | +such as requiring a non-root user and dropping all capabilities. |
| 407 | + |
| 408 | +#### Profile: sysadmin |
| 409 | + |
| 410 | +| Journey | Debug Container Behavior | |
| 411 | +| ------------------- | -------------------------------------------------------------------------- | |
| 412 | +| Node | sets `SYS_ADMIN` and privileged; uses host namespaces | |
| 413 | +| Pod Copy | sets `SYS_ADMIN` on debugging container | |
| 414 | +| Ephemeral Container | sets `SYS_ADMIN` on ephemeral container | |
| 415 | + |
| 416 | +This profile offers elevated privileges for system debugging. |
| 417 | + |
| 418 | +#### Profile: netadmin |
| 419 | + |
| 420 | +| Journey | Debug Container Behavior | |
| 421 | +| ------------------- | -------------------------------------------------------------------------- | |
| 422 | +| Node | sets `NET_ADMIN` and privileged; uses host namespaces | |
| 423 | +| Pod Copy | sets `NET_ADMIN` on debugging container | |
| 424 | +| Ephemeral Container | sets `NET_ADMIN` on ephemeral container | |
| 425 | + |
| 426 | +This profile offers elevated privileges for network debugging. |
| 427 | + |
303 | 428 | ### User Stories |
304 | 429 |
|
305 | 430 | #### Operations |
|
0 commit comments