Merge pull request kubernetes#2834 from verb/1.23-debug-profiles

k8s-ci-robot · web-flow · commit f2c49e3f9e43 · 2021-09-09T08:36:11.000-07:00
KEP-1441: Propose profiles for kubectl debug
diff --git a/keps/prod-readiness/sig-cli/1441.yaml b/keps/prod-readiness/sig-cli/1441.yaml
@@ -0,0 +1,5 @@
+kep-number: 1441
+alpha:
+  approver: "@johnbelamaric"
+beta:
+  approver: "@johnbelamaric"
diff --git a/keps/sig-cli/1441-kubectl-debug/README.md b/keps/sig-cli/1441-kubectl-debug/README.md
@@ -19,6 +19,14 @@
     - [Creating a Debug Container by copy](#creating-a-debug-container-by-copy)
     - [Modify Application Image by Copy](#modify-application-image-by-copy)
   - [Node Troubleshooting with Privileged Containers](#node-troubleshooting-with-privileged-containers)
+  - [Debugging Profiles](#debugging-profiles)
+    - [Profile: general](#profile-general)
+    - [Profile: baseline](#profile-baseline)
+    - [Profile: restricted](#profile-restricted)
+    - [Profile: sysadmin](#profile-sysadmin)
+    - [Profile: netadmin](#profile-netadmin)
+    - [Default Profile and Automation Selection](#default-profile-and-automation-selection)
+    - [Future Improvements](#future-improvements)
   - [User Stories](#user-stories)
     - [Operations](#operations)
     - [Debugging](#debugging)
@@ -300,6 +308,130 @@ Examples:
   kubectl debug node/mynode -it --image=busybox
 ```
 
+### Debugging Profiles
+
+Since launching `kubectl debug` we've received feedback that more configurability
+is needed for generated pods and containers.
+
+* [kubernetes/kubernetes#97103](https://issues.k8s.io/97103): ability to set capability `SYS_PTRACE`
+* [kubernetes/kubectl#1051](https://github.com/kubernetes/kubectl/issues/1051): ability to set privileged
+* [kubernetes/kubectl#1070](https://github.com/kubernetes/kubectl/issues/1070): strip probes on pod copy
+* (various): ability to set `SYS_ADMIN` and `NET_ADMIN` capabilities
+
+These requests are relevant for all debugging journeys. That is, a user may want to
+set `SYS_ADMIN` while debugging a node, a pod by ephemeral container, or a pod by copy.
+`kubectl debug` is intended to guide the user through a debugging scenario, and
+requiring the user to specify a series of flags on the command line is a poor experience.
+
+Instead, we'll introduce "Debugging profiles" which are configurable via a single command
+line flag, `--profile`.  A user may then use, for example, `--profile=netadmin` when
+debugging a node to create a pod with the `NET_ADMIN` capaibility.
+
+The available profiles will be:
+
+| Profile      | Description                                                     |
+| ------------ | --------------------------------------------------------------- |
+| general      | A reasonable set of defaults tailored for each debuging journey |
+| baseline     | Compatible with baseline [Pod Security Standard]                |
+| restricted   | Compatible with restricted [Pod Security Standard]              |
+| auto         | Automatically choose between general, baseline, and restricted  |
+| sysadmin     | System Administrator (root) privileges                          |
+| netadmin     | Network Administrator privileges.                               |
+| legacy       | Backwards compatibility with 1.22 behavior                      |
+
+Debugging profiles are intended to work seamlessly with the [Pod Security Standard]
+enforced by the [PodSecurity] admission controller. The baseline and restricted
+profiles will generate configuration compatible with the corresponding security
+level.
+
+[Pod Security Standards]: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+[PodSecurity]: http://kep.k8s.io/2579
+
+#### Profile: general
+
+| Journey             | Debug Container Behavior                                                   |
+| ------------------- | -------------------------------------------------------------------------- |
+| Node                | empty securityContext; uses host namespaces, mounts root partition         |
+| Pod Copy            | sets `SYS_PTRACE` in debugging container, sets shareProcessNamespace       |
+| Ephemeral Container | sets `SYS_PTRACE` in ephemeral container                                   |
+
+This profile prioritizes the debugging experience for the general case. For pod debugging it sets
+`SYS_PTRACE` and uses pod-scoped namespaces. Probes and labels are stripped from Pod copies to
+ensure the copy isn't killed and doesn't receive traffic during debugging.
+
+Node debugging uses host-scoped namespaces but doesn't otherwise request escalated privileges.
+
+#### Profile: baseline
+
+| Journey             | Debug Container Behavior                                                   |
+| ------------------- | -------------------------------------------------------------------------- |
+| Node                | empty securityContext; uses isolated namespaces                            |
+| Pod Copy            | empty securityContext; sets shareProcessNamespace                          |
+| Ephemeral Container | empty securityContext                                                      |
+
+This profile is identical to "general" but eliminates privileges that are disallowed under the
+baseline security profile, such as host namespaces, host volume, mounts and `SYS_PTRACE`.
+
+Probes and labels continue to be stripped from Pod copies.
+
+#### Profile: restricted
+
+| Journey             | Debug Container Behavior                                                   |
+| ------------------- | -------------------------------------------------------------------------- |
+| Node                | empty securityContext; uses private namespaces                             |
+| Pod Copy            | empty securityContext; sets shareProcessNamespace                          |
+| Ephemeral Container | empty securityContext                                                      |
+
+This profile is identical to "baseline" but adds configuration that's required under the restricted
+security profile, such as requiring a non-root user and dropping all capabilities.
+
+Probes and labels continue to be stripped from Pod copies.
+
+#### Profile: sysadmin
+
+| Journey             | Debug Container Behavior                                                   |
+| ------------------- | -------------------------------------------------------------------------- |
+| Node                | sets `SYS_ADMIN` and privileged; uses host namespaces                      |
+| Pod Copy            | sets `SYS_ADMIN` on debugging container                                    |
+| Ephemeral Container | sets `SYS_ADMIN` on ephemeral container                                    |
+
+This profile offers elevated privileges for system debugging.
+
+Probes and labels are be stripped from Pod copies.
+
+#### Profile: netadmin
+
+| Journey             | Debug Container Behavior                                                   |
+| ------------------- | -------------------------------------------------------------------------- |
+| Node                | sets `NET_ADMIN` and privileged; uses host namespaces                      |
+| Pod Copy            | sets `NET_ADMIN` on debugging container                                    |
+| Ephemeral Container | sets `NET_ADMIN` on ephemeral container                                    |
+
+This profile offers elevated privileges for network debugging.
+
+Probes and labels are be stripped from Pod copies.
+
+#### Default Profile and Automation Selection
+
+In order to provide a seamless experience and encourage use of [PodSecurity], the "auto"
+profile will automatically choose a profile that's compatible with the current security profile
+by examining the `pod-security.kubernetes.io/enforce` annotation on the namespace and
+selecting the most permissive of "general", "baseline", and "restricted" that the
+controller will allow.
+
+This will become the default behavior, but in order to maintain backwards compatibility
+the "legacy" profile will be the default profile until the 1.25 release.  When `--profile`
+is not specified `kubectl debug` will print a warning about the upcoming change in behavior.
+
+#### Future Improvements
+
+It might be possible to support user-configurable profiles, but it's not a goal of
+this KEP, and we have no plans to implement it.
+
+The [PodSecurity] KEP mentions a couple of options for "break glass" functionality to allow
+bypassing security policy for debugging purposes. If a standard emerges for break glass, `kubectl
+debug` should be updated to support it.
+
 ### User Stories
 
 #### Operations
diff --git a/keps/sig-cli/1441-kubectl-debug/kep.yaml b/keps/sig-cli/1441-kubectl-debug/kep.yaml
@@ -14,8 +14,6 @@ reviewers:
 approvers:
   - "@pwittrock"
   - "@soltysh"
-prr-approvers:
-  - "@johnbelamaric"
 see-also:
   - "/keps/sig-node/20190212-ephemeral-containers.md"
   - "/keps/sig-release/20190316-rebase-images-to-distroless.md"
@@ -26,13 +24,13 @@ stage: beta
 # The most recent milestone for which work toward delivery of this KEP has been
 # done. This can be the current (upcoming) milestone, if it is being actively
 # worked on.
-latest-milestone: "v1.20"
+latest-milestone: "v1.23"
 
 # The milestone at which this feature was, or is targeted to be, at each stage.
 milestone:
   alpha: "v1.18"
   beta: "v1.20"
-  stable: "v1.22"
+  stable: "v1.25"
 
 # The following PRR answers are required at alpha release
 # List the feature gate name and the components for which it must be enabled
