Change SecurePodDefaults default from Disabled to Enabled (knative#16042)

nader-ziada · web-flow · commit 62b04a0c5d5e · 2025-10-08T22:54:13.000Z
* create a new default value for secure-pod-defaults: AllowRootBounded

- default is still disabled
- when AllowRootBounded, defaults SeccompProfile and Capabilities if nil
- when enabled sets RunAsNonRoot to true if not already specified

* clean up to address review comments

* use slices.Contains for checking flag value
diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml
@@ -22,7 +22,7 @@ metadata:
     app.kubernetes.io/component: controller
     app.kubernetes.io/version: devel
   annotations:
-    knative.dev/example-checksum: "e6ec6806"
+    knative.dev/example-checksum: "9553535b"
 data:
   _example: |-
     ################################
@@ -43,8 +43,11 @@ data:
     # Default SecurityContext settings to secure-by-default values
     # if unset.
     #
-    # This value will default to "enabled" in a future release,
-    # probably Knative 1.10
+    # Disabled - do nothing; no security options are applied
+    # AllowRootBounded - Applies secure defaults without enforcing strict policies; sets seccompProfile
+    # to RuntimeDefault and drops all capabilities
+    # Enabled - Enforces security defaults; sets seccompProfile to RuntimeDefault, drops all capabilities,
+    # and sets runAsNonRoot to true if not already specified.
     secure-pod-defaults: "disabled"
 
     # Indicates whether multi container support is enabled
diff --git a/pkg/apis/config/features.go b/pkg/apis/config/features.go
@@ -37,6 +37,9 @@ const (
 	// Allowed neither explicitly disables or enables a behavior.
 	// eg. allow a client to control behavior with an annotation or allow a new value through validation.
 	Allowed Flag = "Allowed"
+	// AllowRootBounded is used by secure-pod-defaults to apply secure defaults without enforcing strict policies;
+	// sets RunAsNonRoot to true if not already specified
+	AllowRootBounded Flag = "AllowRootBounded"
 )
 
 // service annotations under features.knative.dev/*
@@ -124,7 +127,7 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) {
 		asFlag("multi-container-probing", &nc.MultiContainerProbing),
 		asFlag("queueproxy.mount-podinfo", &nc.QueueProxyMountPodInfo),
 		asFlag("queueproxy.resource-defaults", &nc.QueueProxyResourceDefaults),
-		asFlag("secure-pod-defaults", &nc.SecurePodDefaults),
+		asSecurePodDefaultsFlag("secure-pod-defaults", &nc.SecurePodDefaults),
 		asFlag("tag-header-based-routing", &nc.TagHeaderBasedRouting),
 		asFlag(FeatureContainerSpecAddCapabilities, &nc.ContainerSpecAddCapabilities),
 		asFlag(FeaturePodSpecAffinity, &nc.PodSpecAffinity),
@@ -198,6 +201,7 @@ type Features struct {
 }
 
 // asFlag parses the value at key as a Flag into the target, if it exists.
+// Only accepts Enabled, Disabled, and Allowed values.
 func asFlag(key string, target *Flag) cm.ParseFunc {
 	return func(data map[string]string) error {
 		if raw, ok := data[key]; ok {
@@ -211,3 +215,19 @@ func asFlag(key string, target *Flag) cm.ParseFunc {
 		return nil
 	}
 }
+
+// asSecurePodDefaultsFlag parses the value at key as a Flag into the target, if it exists.
+// Accepts Enabled, Disabled, Allowed, and SecureDefaultsOverridable values.
+func asSecurePodDefaultsFlag(key string, target *Flag) cm.ParseFunc {
+	return func(data map[string]string) error {
+		if raw, ok := data[key]; ok {
+			for _, flag := range []Flag{Disabled, AllowRootBounded, Enabled} {
+				if strings.EqualFold(raw, string(flag)) {
+					*target = flag
+					return nil
+				}
+			}
+		}
+		return nil
+	}
+}
diff --git a/pkg/apis/config/features_test.go b/pkg/apis/config/features_test.go
@@ -714,6 +714,51 @@ func TestFeaturesConfiguration(t *testing.T) {
 		data: map[string]string{
 			"kubernetes.podspec-hostnetwork": "Disabled",
 		},
+	}, {
+		name:    "secure-pod-defaults Disabled",
+		wantErr: false,
+		wantFeatures: defaultWith(&Features{
+			SecurePodDefaults: Disabled,
+		}),
+		data: map[string]string{
+			"secure-pod-defaults": "Disabled",
+		},
+	}, {
+		name:    "invalid secure-pod-defaults value",
+		wantErr: false,
+		wantFeatures: defaultWith(&Features{
+			SecurePodDefaults: Disabled,
+		}),
+		data: map[string]string{
+			"secure-pod-defaults": "InvalidValue",
+		},
+	}, {
+		name:    "secure-pod-defaults AllowRootBounded",
+		wantErr: false,
+		wantFeatures: defaultWith(&Features{
+			SecurePodDefaults: AllowRootBounded,
+		}),
+		data: map[string]string{
+			"secure-pod-defaults": "AllowRootBounded",
+		},
+	}, {
+		name:    "PodSpecAffinity cannot be set to Restricted",
+		wantErr: false,
+		wantFeatures: defaultWith(&Features{
+			PodSpecAffinity: Disabled, // Should remain default since Restricted is not valid
+		}),
+		data: map[string]string{
+			"kubernetes.podspec-affinity": "Restricted",
+		},
+	}, {
+		name:    "tag-header-based-routing cannot be set to Restricted",
+		wantErr: false,
+		wantFeatures: defaultWith(&Features{
+			TagHeaderBasedRouting: Disabled, // Should remain default since Restricted is not valid
+		}),
+		data: map[string]string{
+			"tag-header-based-routing": "Restricted",
+		},
 	}}
 
 	for _, tt := range configTests {
diff --git a/pkg/apis/serving/fieldmask.go b/pkg/apis/serving/fieldmask.go
@@ -21,6 +21,7 @@ package serving
 
 import (
 	"context"
+	"slices"
 
 	corev1 "k8s.io/api/core/v1"
 	"knative.dev/serving/pkg/apis/config"
@@ -664,7 +665,7 @@ func PodSecurityContextMask(ctx context.Context, in *corev1.PodSecurityContext)
 
 	out := new(corev1.PodSecurityContext)
 
-	if config.FromContextOrDefaults(ctx).Features.SecurePodDefaults == config.Enabled {
+	if slices.Contains([]config.Flag{config.Enabled, config.AllowRootBounded}, config.FromContextOrDefaults(ctx).Features.SecurePodDefaults) {
 		// Allow to opt out of more-secure defaults if SecurePodDefaults is enabled.
 		// This aligns with defaultSecurityContext in revision_defaults.go.
 		if in.SeccompProfile != nil {
@@ -749,8 +750,8 @@ func CapabilitiesMask(ctx context.Context, in *corev1.Capabilities) *corev1.Capa
 
 	if config.FromContextOrDefaults(ctx).Features.ContainerSpecAddCapabilities == config.Enabled {
 		out.Add = in.Add
-	} else if config.FromContextOrDefaults(ctx).Features.SecurePodDefaults == config.Enabled {
-		if len(in.Add) == 1 && in.Add[0] == "NET_BIND_SERVICE" {
+	} else if slices.Contains([]config.Flag{config.Enabled, config.AllowRootBounded}, config.FromContextOrDefaults(ctx).Features.SecurePodDefaults) {
+		if slices.Equal(in.Add, []corev1.Capability{"NET_BIND_SERVICE"}) {
 			out.Add = in.Add
 		} else {
 			out.Add = nil
diff --git a/pkg/apis/serving/fieldmask_test.go b/pkg/apis/serving/fieldmask_test.go
@@ -855,8 +855,20 @@ func TestPodSecurityContextMask(t *testing.T) {
 		},
 	}
 
-	want := &corev1.PodSecurityContext{}
-	ctx := context.Background()
+	want := &corev1.PodSecurityContext{
+		SeccompProfile: &corev1.SeccompProfile{
+			Type:             corev1.SeccompProfileTypeRuntimeDefault,
+			LocalhostProfile: nil,
+		},
+	}
+	ctx := config.ToContext(context.Background(),
+		&config.Config{
+			Features: &config.Features{
+				SecurePodDefaults:      config.Enabled,
+				PodSpecSecurityContext: config.Disabled,
+			},
+		},
+	)
 
 	got := PodSecurityContextMask(ctx, in)
 
@@ -967,6 +979,111 @@ func TestPodSecurityContextMask_SecurePodDefaultsEnabled(t *testing.T) {
 	}
 }
 
+func TestPodSecurityContextMask_SecurePodDefaults_AllowRootBounded(t *testing.T) {
+	// Test that AllowRootBounded works the same as Enabled for masking purposes
+	want := &corev1.PodSecurityContext{
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+
+	in := &corev1.PodSecurityContext{
+		SELinuxOptions:     &corev1.SELinuxOptions{},
+		WindowsOptions:     &corev1.WindowsSecurityContextOptions{},
+		SupplementalGroups: []int64{1},
+		Sysctls:            []corev1.Sysctl{},
+		RunAsUser:          ptr.Int64(1),
+		RunAsGroup:         ptr.Int64(1),
+		RunAsNonRoot:       ptr.Bool(true),
+		FSGroup:            ptr.Int64(1),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+
+	ctx := config.ToContext(context.Background(),
+		&config.Config{
+			Features: &config.Features{
+				SecurePodDefaults:      config.AllowRootBounded,
+				PodSpecSecurityContext: config.Disabled,
+			},
+		},
+	)
+
+	got := PodSecurityContextMask(ctx, in)
+
+	if &want == &got {
+		t.Error("Input and output share addresses. Want different addresses")
+	}
+
+	if diff, err := kmp.SafeDiff(want, got); err != nil {
+		t.Error("Got error comparing output, err =", err)
+	} else if diff != "" {
+		t.Error("PodSecurityContextMask (-want, +got):", diff)
+	}
+}
+
+func TestCapabilitiesMask_SecurePodDefaults_AllowRootBounded(t *testing.T) {
+	// Ensures users can only add NET_BIND_SERVICE or nil capabilities
+	tests := []struct {
+		name string
+		in   *corev1.Capabilities
+		want *corev1.Capabilities
+	}{{
+		name: "empty",
+		in: &corev1.Capabilities{
+			Add: nil,
+		},
+		want: &corev1.Capabilities{
+			Add: nil,
+		},
+	}, {
+		name: "allows NET_BIND_SERVICE capability",
+		in: &corev1.Capabilities{
+			Add: []corev1.Capability{"NET_BIND_SERVICE"},
+		},
+		want: &corev1.Capabilities{
+			Add: []corev1.Capability{"NET_BIND_SERVICE"},
+		},
+	}, {
+		name: "prevents restricted fields",
+		in: &corev1.Capabilities{
+			Add: []corev1.Capability{"CHOWN"},
+		},
+		want: &corev1.Capabilities{
+			Add: nil,
+		},
+	}}
+
+	for _, test := range tests {
+		ctx := config.ToContext(context.Background(),
+			&config.Config{
+				Features: &config.Features{
+					SecurePodDefaults: config.AllowRootBounded,
+				},
+			},
+		)
+
+		t.Run(test.name, func(t *testing.T) {
+			got := CapabilitiesMask(ctx, test.in)
+
+			if &test.want == &got {
+				t.Error("Input and output share addresses. Want different addresses")
+			}
+
+			if diff, err := kmp.SafeDiff(test.want, got); err != nil {
+				t.Error("Got error comparing output, err =", err)
+			} else if diff != "" {
+				t.Error("CapabilitiesMask (-want, +got):", diff)
+			}
+
+			if got = CapabilitiesMask(ctx, nil); got != nil {
+				t.Errorf("CapabilitiesMask = %v, want: nil", got)
+			}
+		})
+	}
+}
+
 func TestSecurityContextMask(t *testing.T) {
 	mtype := corev1.UnmaskedProcMount
 	want := &corev1.SecurityContext{
diff --git a/pkg/apis/serving/k8s_validation.go b/pkg/apis/serving/k8s_validation.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"math"
 	"path"
+	"slices"
 	"strings"
 
 	"github.com/google/go-containerregistry/pkg/name"
@@ -985,14 +986,19 @@ func ValidatePodSecurityContext(ctx context.Context, sc *corev1.PodSecurityConte
 // Note that this **explicitly** does not warn on dangerous SecurityContext
 // settings, the purpose is to avoid accidentally-insecure settings, not to
 // block deliberate use of dangerous settings.
-func warnDefaultContainerSecurityContext(_ context.Context, psc *corev1.PodSecurityContext, sc *corev1.SecurityContext) *apis.FieldError {
+func warnDefaultContainerSecurityContext(ctx context.Context, psc *corev1.PodSecurityContext, sc *corev1.SecurityContext) *apis.FieldError {
 	if sc == nil {
 		sc = &corev1.SecurityContext{}
 	}
 	if psc == nil {
 		psc = &corev1.PodSecurityContext{}
 	}
 
+	// if the user has explicitly enabled the feature, we don't need to warn
+	if slices.Contains([]config.Flag{config.Enabled, config.AllowRootBounded}, config.FromContextOrDefaults(ctx).Features.PodSpecSecurityContext) {
+		return nil
+	}
+
 	insecureDefault := func(fieldPath string) *apis.FieldError {
 		return apis.ErrGeneric("Kubernetes default value is insecure, Knative may default this to secure in a future release", fieldPath).At(apis.WarningLevel)
 	}
diff --git a/pkg/apis/serving/k8s_validation_test.go b/pkg/apis/serving/k8s_validation_test.go
@@ -1474,6 +1474,26 @@ func TestPodSpecFeatureValidation(t *testing.T) {
 	}
 }
 
+func TestPodSpecSecurityContext_FeatureEnabled_AllowsPodSecurityContext(t *testing.T) {
+	ctx := context.Background()
+	// Ensure the feature is enabled in context
+	cfg := config.FromContextOrDefaults(ctx)
+	cfg.Features.PodSpecSecurityContext = config.Enabled
+	ctx = config.ToContext(ctx, cfg)
+
+	ps := corev1.PodSpec{
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsNonRoot: ptr.Bool(false),
+		},
+		Containers: []corev1.Container{{
+			Image: "busybox",
+		}},
+	}
+	if got := ValidatePodSpec(ctx, ps).Filter(apis.ErrorLevel); got != nil {
+		t.Fatalf("ValidatePodSpec() = %v, want nil", got)
+	}
+}
+
 func TestPodSpecFieldRefValidation(t *testing.T) {
 	tests := []struct {
 		name     string
diff --git a/pkg/apis/serving/v1/revision_defaults.go b/pkg/apis/serving/v1/revision_defaults.go
@@ -17,7 +17,9 @@ limitations under the License.
 package v1
 
 import (
+	"cmp"
 	"context"
+	"slices"
 	"strconv"
 
 	corev1 "k8s.io/api/core/v1"
@@ -203,10 +205,13 @@ func (*RevisionSpec) applyGRPCProbeDefaults(container *corev1.Container) {
 
 // Upgrade SecurityContext for this container and the Pod definition to use settings
 // for the `restricted` profile when the feature flag is enabled.
-// This does not currently set `runAsNonRoot` for the restricted profile, because
-// that feels harder to default safely.
+// when the feature flag is enabled or AllowRootBounded:
+// `seccompProfile` is set to `RuntimeDefault` if its empty or nil
+// `capabilities` is set to `NET_BIND_SERVICE` if its empty or nil
+// when the feature flag is set to Enabled:
+// `runAsNonRoot` is set to true only if its empty or nil
 func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, container *corev1.Container, cfg *config.Config) {
-	if cfg.Features.SecurePodDefaults != config.Enabled {
+	if !slices.Contains([]config.Flag{config.Enabled, config.AllowRootBounded}, cfg.Features.SecurePodDefaults) {
 		return
 	}
 
@@ -224,9 +229,7 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 		updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
 	}
 	if psc.SeccompProfile == nil || psc.SeccompProfile.Type == "" {
-		if updatedSC.SeccompProfile == nil {
-			updatedSC.SeccompProfile = &corev1.SeccompProfile{}
-		}
+		updatedSC.SeccompProfile = cmp.Or(updatedSC.SeccompProfile, &corev1.SeccompProfile{})
 		if updatedSC.SeccompProfile.Type == "" {
 			updatedSC.SeccompProfile.Type = corev1.SeccompProfileTypeRuntimeDefault
 		}
@@ -247,8 +250,12 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 		}
 	}
 
-	if psc.RunAsNonRoot == nil {
-		updatedSC.RunAsNonRoot = ptr.Bool(true)
+	if cfg.Features.SecurePodDefaults == config.Enabled {
+		if psc.RunAsNonRoot == nil {
+			if updatedSC.RunAsNonRoot == nil {
+				updatedSC.RunAsNonRoot = ptr.Bool(true)
+			}
+		}
 	}
 
 	if *updatedSC != (corev1.SecurityContext{}) {
diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go
diff --git a/pkg/testing/v1/revision.go b/pkg/testing/v1/revision.go
