Merge pull request kubernetes#127489 from pacoxu/feature/125234

feat: Added net.ipv4.tcp_rmem and net.ipv4.tcp_wmem into safe sysctl list

Author: k8s-ci-robot

pkg/kubelet/sysctl/safe_sysctls.go

@@ -60,6 +60,14 @@ var safeSysctls = []sysctl{
 		name:   "net.ipv4.tcp_keepalive_probes",
 		kernel: utilkernel.TCPKeepAliveProbesNamespacedKernelVersion,
 	},
+	{
+		name:   "net.ipv4.tcp_rmem",
+		kernel: utilkernel.TCPReceiveMemoryNamespacedKernelVersion,
+	},
+	{
+		name:   "net.ipv4.tcp_wmem",
+		kernel: utilkernel.TCPTransmitMemoryNamespacedKernelVersion,
+	},
 }
 
 // SafeSysctlAllowlist returns the allowlist of safe sysctls and safe sysctl patterns (ending in *).

pkg/kubelet/sysctl/safe_sysctls_test.go

@@ -75,6 +75,8 @@ func Test_getSafeSysctlAllowlist(t *testing.T) {
 				"net.ipv4.tcp_fin_timeout",
 				"net.ipv4.tcp_keepalive_intvl",
 				"net.ipv4.tcp_keepalive_probes",
+				"net.ipv4.tcp_rmem",
+				"net.ipv4.tcp_wmem",
 			},
 		},
 	}

pkg/util/kernel/constants.go

@@ -54,3 +54,11 @@ const TmpfsNoswapSupportKernelVersion = "6.4"
 // nftables mode with by default. This is not directly related to any specific kernel
 // commit; see https://issues.k8s.io/122743#issuecomment-1893922424
 const NFTablesKubeProxyKernelVersion = "5.13"
+
+// TCPReceiveMemoryNamespacedKernelVersion is the kernel version in which net.ipv4.tcp_rmem was namespaced(netns).
+// (ref: https://github.com/torvalds/linux/commit/356d1833b638bd465672aefeb71def3ab93fc17d)
+const TCPReceiveMemoryNamespacedKernelVersion = "4.15"
+
+// TCPTransmitMemoryNamespacedKernelVersion is the kernel version in which net.ipv4.tcp_wmem was namespaced(netns).
+// (ref: https://github.com/torvalds/linux/commit/356d1833b638bd465672aefeb71def3ab93fc17d)
+const TCPTransmitMemoryNamespacedKernelVersion = "4.15"

staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go

@@ -47,6 +47,8 @@ spec.securityContext.sysctls[*].name
 'net.ipv4.tcp_fin_timeout'
 'net.ipv4.tcp_keepalive_intvl'
 'net.ipv4.tcp_keepalive_probes'
+'net.ipv4.tcp_rmem'
+'net.ipv4.tcp_wmem'
 
 */
 
@@ -72,6 +74,10 @@ func CheckSysctls() Check {
 				MinimumVersion: api.MajorMinorVersion(1, 29),
 				CheckPod:       sysctlsV1Dot29,
 			},
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 32),
+				CheckPod:       sysctlsV1Dot32,
+			},
 		},
 	}
 }
@@ -84,26 +90,19 @@ var (
 		"net.ipv4.ping_group_range",
 		"net.ipv4.ip_unprivileged_port_start",
 	)
-	sysctlsAllowedV1Dot27 = sets.NewString(
-		"kernel.shm_rmid_forced",
-		"net.ipv4.ip_local_port_range",
-		"net.ipv4.tcp_syncookies",
-		"net.ipv4.ping_group_range",
-		"net.ipv4.ip_unprivileged_port_start",
-		"net.ipv4.ip_local_reserved_ports",
-	)
-	sysctlsAllowedV1Dot29 = sets.NewString(
-		"kernel.shm_rmid_forced",
-		"net.ipv4.ip_local_port_range",
-		"net.ipv4.tcp_syncookies",
-		"net.ipv4.ping_group_range",
-		"net.ipv4.ip_unprivileged_port_start",
+	sysctlsAllowedV1Dot27 = sysctlsAllowedV1Dot0.Union(sets.NewString(
 		"net.ipv4.ip_local_reserved_ports",
+	))
+	sysctlsAllowedV1Dot29 = sysctlsAllowedV1Dot27.Union(sets.NewString(
 		"net.ipv4.tcp_keepalive_time",
 		"net.ipv4.tcp_fin_timeout",
 		"net.ipv4.tcp_keepalive_intvl",
 		"net.ipv4.tcp_keepalive_probes",
-	)
+	))
+	sysctlsAllowedV1Dot32 = sysctlsAllowedV1Dot29.Union(sets.NewString(
+		"net.ipv4.tcp_rmem",
+		"net.ipv4.tcp_wmem",
+	))
 )
 
 func sysctlsV1Dot0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
@@ -118,6 +117,10 @@ func sysctlsV1Dot29(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) Che
 	return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot29)
 }
 
+func sysctlsV1Dot32(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot32)
+}
+
 func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, sysctls_allowed_set sets.String) CheckResult {
 	var forbiddenSysctls []string
 

staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go

@@ -96,6 +96,28 @@ func TestSysctls(t *testing.T) {
 			expectReason: `forbidden sysctls`,
 			expectDetail: `net.ipv4.tcp_keepalive_probes`,
 		},
+		{
+			name: "new supported sysctls not supported: net.ipv4.tcp_rmem",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_rmem", Value: "4096 87380 16777216"}},
+				},
+			}},
+			allowed:      false,
+			expectReason: `forbidden sysctls`,
+			expectDetail: `net.ipv4.tcp_rmem`,
+		},
+		{
+			name: "new supported sysctls not supported: net.ipv4.tcp_wmem",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_wmem", Value: "4096 87380 16777216"}},
+				},
+			}},
+			allowed:      false,
+			expectReason: `forbidden sysctls`,
+			expectDetail: `net.ipv4.tcp_wmem`,
+		},
 	}
 
 	for _, tc := range tests {
@@ -244,3 +266,62 @@ func TestSysctls_1_29(t *testing.T) {
 		})
 	}
 }
+
+func TestSysctls_1_32(t *testing.T) {
+	tests := []struct {
+		name         string
+		pod          *corev1.Pod
+		allowed      bool
+		expectReason string
+		expectDetail string
+	}{
+		{
+			name: "forbidden sysctls",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
+				},
+			}},
+			allowed:      false,
+			expectReason: `forbidden sysctls`,
+			expectDetail: `a, b`,
+		},
+		{
+			name: "new supported sysctls: net.ipv4.tcp_rmem",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_rmem", Value: "4096 87380 16777216"}},
+				},
+			}},
+			allowed: true,
+		},
+		{
+			name: "new supported sysctls: net.ipv4.tcp_wmem",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					Sysctls: []corev1.Sysctl{{Name: "net.ipv4.tcp_wmem", Value: "4096 65536 16777216"}},
+				},
+			}},
+			allowed: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := sysctlsV1Dot32(&tc.pod.ObjectMeta, &tc.pod.Spec)
+			if !tc.allowed {
+				if result.Allowed {
+					t.Fatal("expected disallowed")
+				}
+				if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+					t.Errorf("expected\n%s\ngot\n%s", e, a)
+				}
+				if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+					t.Errorf("expected\n%s\ngot\n%s", e, a)
+				}
+			} else if !result.Allowed {
+				t.Fatal("expected allowed")
+			}
+		})
+	}
+}

staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go

@@ -156,4 +156,39 @@ func init() {
 		fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 29), check: "sysctls"},
 		fixtureDataV1Dot29,
 	)
+
+	fixtureDataV1Dot32 := fixtureGenerator{
+		expectErrorSubstring: "forbidden sysctl",
+		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+			if p.Spec.SecurityContext == nil {
+				p.Spec.SecurityContext = &corev1.PodSecurityContext{}
+			}
+			return []*corev1.Pod{
+				// security context with no sysctls
+				tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = nil }),
+				// sysctls with name="net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{
+						{Name: "net.ipv4.tcp_rmem", Value: "4096 87380 16777216"},
+						{Name: "net.ipv4.tcp_wmem", Value: "4096 65536 16777216"},
+					}
+				}),
+			}
+		},
+		generateFail: func(p *corev1.Pod) []*corev1.Pod {
+			if p.Spec.SecurityContext == nil {
+				p.Spec.SecurityContext = &corev1.PodSecurityContext{}
+			}
+			return []*corev1.Pod{
+				// sysctls with out of allowed name
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{{Name: "othersysctl", Value: "other"}}
+				}),
+			}
+		},
+	}
+	registerFixtureGenerator(
+		fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 32), check: "sysctls"},
+		fixtureDataV1Dot32,
+	)
 }

staging/src/k8s.io/pod-security-admission/test/run.go

@@ -37,7 +37,7 @@ import (
 )
 
 const (
-	newestMinorVersionToTest            = 31
+	newestMinorVersionToTest            = 32
 	podOSBasedRestrictionEnabledVersion = 29
 )
 

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: unconfined
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+  name: apparmorprofile1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline0.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - NET_RAW
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}