Merge pull request #6732 from zalando-incubator/admission-controller-psp

Implement PSP in admission-controller

Author: gargravarr

cluster/config-defaults.yaml

@@ -555,7 +555,7 @@ teapot_admission_controller_namespace_delete_protection_enabled: "false"
 teapot_admission_controller_resolve_vanity_images: "true"
 
 {{if eq .Cluster.Environment "e2e"}}
-teapot_admission_controller_ignore_namespaces: "^kube-system|((downward-api|kubectl|projected|statefulset|pod-network|scope-selectors|resourcequota|limitrange)-.*)$"
+teapot_admission_controller_ignore_namespaces: "^kube-system|((downward-api|kubectl|projected|statefulset|pod-network|scope-selectors|resourcequota|limitrange|sysctl|node-tests|e2e-kubelet-etc-hosts)-.*)$"
 teapot_admission_controller_crd_ensure_no_resources_on_delete: "false"
 {{else}}
 teapot_admission_controller_ignore_namespaces: "^kube-system$"
@@ -611,6 +611,21 @@ teapot_admission_controller_configmap_deletion_protection_enabled: "false"
 teapot_admission_controller_configmap_deletion_protection_enabled: "true"
 {{end}}
 
+# Enable and configure Pod Security Policy rules implemented in admission-controller.
+teapot_admission_controller_pod_security_policy_enabled: "true"
+
+# comma separated list of service accounts that are allowed to use privileged
+# pod security policy rules. Format: `<namespace>_<service-account-name>`
+{{ if eq .Cluster.Environment "e2e" }}
+teapot_admission_controller_pod_security_policy_privileged_service_accounts: "psp-privileged-zalando_privileged-sa,psp-privileged-deployment-zalando_privileged-sa"
+{{ else }}
+teapot_admission_controller_pod_security_policy_privileged_service_accounts: ""
+{{ end }}
+teapot_admission_controller_pod_security_policy_privileged_allow_privilege_escalation: "false"
+
+# Optionally disable PodSecurityPolicy. Make sure `teapot_admission_controller_pod_security_policy_enabled` is true if this is disabled, otherwise there are no Pod security Policy enforcement in the cluster.
+pod_security_policy_enabled: "false"
+
 # Prevent the use of a particular AZ as much as possible
 blocked_availability_zone: ""
 

cluster/manifests/01-admission-control/config.yaml

@@ -82,6 +82,33 @@ data:
   # This setting enables and disables replacement of vanity images with ECR images during pod admission (during create and update)
   pod.vanity-image-replacement.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_resolve_vanity_images }}"
 
+  # Pod Security Policy
+  pod.pod-security-policy.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_pod_security_policy_enabled }}"
+
+  # service accounts that need privileged PSP should be defined here as `<namespace>_<sa-name>`
+  pod.pod-security-policy.privileged-service-accounts.kube-system_kube-proxy: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_skipper-ingress: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_node-monitor: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_nvidia: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_audittrail-adapter: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_kube-aws-iam-controller: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_kube2iam: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_ebs-csi-node-sa: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_flannel: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_etcd-backup: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_coredns: ""
+  pod.pod-security-policy.privileged-service-accounts.kube-system_efs-provisioner: ""
+  pod.pod-security-policy.privileged-service-accounts.visibility_logging-agent: ""
+{{- range $sa := split .Cluster.ConfigItems.teapot_admission_controller_pod_security_policy_privileged_service_accounts "," }}
+  pod.pod-security-policy.privileged-service-accounts.{{ $sa }}: ""
+{{- end}}
+
+{{- range $sysctl := split .Cluster.ConfigItems.allowed_unsafe_sysctls "," }}
+  pod.pod-security-policy.allowed-unsafe-sysctls.{{ $sysctl }}: ""
+{{- end}}
+
+  pod.pod-security-policy.allow-privilege-escalation: "{{ .Cluster.ConfigItems.teapot_admission_controller_pod_security_policy_privileged_allow_privilege_escalation }}"
+
   deployment.default.rolling-update-max-surge: "{{ .Cluster.ConfigItems.teapot_admission_controller_deployment_default_max_surge }}"
   deployment.default.rolling-update-max-unavailable: "{{ .Cluster.ConfigItems.teapot_admission_controller_deployment_default_max_unavailable }}"
 

cluster/manifests/deletions.yaml

@@ -271,3 +271,9 @@ post_apply:
   kind: HorizontalPodAutoscaler
   namespace: kube-system
 {{ end }}
+{{- if ne .Cluster.ConfigItems.pod_security_policy_enabled "true" }}
+- kind: PodSecurityPolicy
+  name: privileged
+- kind: PodSecurityPolicy
+  name: restricted
+{{- end }}

cluster/manifests/psp/pod_security_policy.yaml

@@ -1,3 +1,4 @@
+{{- if eq .Cluster.ConfigItems.pod_security_policy_enabled "true" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -87,3 +88,4 @@ spec:
   - SETUID
   - SYS_CHROOT
   - SYS_NICE
+{{- end }}

cluster/node-pools/master-default/userdata.yaml

@@ -120,14 +120,14 @@ write_files:
           - --allow-privileged=true
           - --service-cluster-ip-range=10.5.0.0/16
           - --secure-port=443
-          - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ExtendedResourceToleration,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection,PodSecurityPolicy,Priority,NodeRestriction{{if eq .Cluster.ConfigItems.event_rate_limit_enable "true"}},EventRateLimit{{end}}
+          - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ExtendedResourceToleration,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,StorageObjectInUseProtection,{{ if eq .Cluster.ConfigItems.pod_security_policy_enabled "true" }}PodSecurityPolicy,{{end}}Priority,NodeRestriction{{if eq .Cluster.ConfigItems.event_rate_limit_enable "true"}},EventRateLimit{{end}}
           {{- if eq .Cluster.ConfigItems.event_rate_limit_enable "true"}}
           # This file specifies the EventRateLimit admission plugin's configuration
           - --admission-control-config-file=/etc/kubernetes/config/admission-config.yaml
           {{- end }}
           - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
           - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
-          - --runtime-config=policy/v1beta1=true,authorization.k8s.io/v1beta1=true,scheduling.k8s.io/v1alpha1=true,admissionregistration.k8s.io/v1beta1=true,autoscaling/v2beta2={{ .Cluster.ConfigItems.autoscaling_v2beta2_enabled }},autoscaling/v2beta1={{ .Cluster.ConfigItems.autoscaling_v2beta1_enabled }},batch/v1beta1={{ .Cluster.ConfigItems.batch_v1beta1_enabled }}
+          - --runtime-config={{ if eq .Cluster.ConfigItems.pod_security_policy_enabled "true" }}policy/v1beta1=true,{{end}}authorization.k8s.io/v1beta1=true,scheduling.k8s.io/v1alpha1=true,admissionregistration.k8s.io/v1beta1=true,autoscaling/v2beta2={{ .Cluster.ConfigItems.autoscaling_v2beta2_enabled }},autoscaling/v2beta1={{ .Cluster.ConfigItems.autoscaling_v2beta1_enabled }},batch/v1beta1={{ .Cluster.ConfigItems.batch_v1beta1_enabled }}
           - --authentication-token-webhook-config-file=/etc/kubernetes/config/authn.yaml
           - --authentication-token-webhook-cache-ttl=10s
           - --cloud-provider=aws
@@ -205,7 +205,7 @@ write_files:
             limits:
               memory: {{ .Values.InstanceInfo.MemoryFraction (parseInt64 .Cluster.ConfigItems.apiserver_memory_limit_percent)}}
 {{- end }}
-        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-185
+        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-187
           name: admission-controller
           lifecycle:
             preStop:

test/e2e/go.mod

@@ -24,6 +24,7 @@ require (
 	k8s.io/client-go v0.24.17
 	k8s.io/kubernetes v0.0.0-00010101000000-000000000000
 	k8s.io/pod-security-admission v0.0.0
+	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 )
 
 require (
@@ -222,7 +223,6 @@ require (
 	k8s.io/metrics v0.24.17 // indirect
 	k8s.io/mount-utils v0.24.17 // indirect
 	k8s.io/sample-apiserver v0.0.0 // indirect
-	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.37 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/kustomize/api v0.11.4 // indirect

test/e2e/go.sum

@@ -1315,8 +1315,9 @@ k8s.io/sample-apiserver v0.24.17 h1:l4HFFu2BJXgIPs7yzYZ3lffragka3/TNzSf+krqC+V0=
 k8s.io/sample-apiserver v0.24.17/go.mod h1:0TJRSfFu6UzS5N6EVtMIlJlPa3vkiO2QW8p9utpLAfk=
 k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

test/e2e/psp.go

@@ -32,49 +32,63 @@ import (
 )
 
 var _ = describe("PSP use", func() {
-	privilegedRole := "privileged-psp"
 	privilegedSA := "privileged-sa"
 	f := framework.NewDefaultFramework("psp")
+	f.SkipNamespaceCreation = true
 	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 	var cs kubernetes.Interface
 
 	BeforeEach(func() {
 		cs = f.ClientSet
-		saObj := createServiceAccount(f.Namespace.Name, privilegedSA)
-		_, err := cs.CoreV1().ServiceAccounts(f.Namespace.Name).Create(context.TODO(), saObj, metav1.CreateOptions{})
+	})
+
+	It("Should not create a privileged POD if restricted SA [PSP] [Zalando]", func() {
+		defaultSA := "default"
+		ns := "psp-restricted-zalando"
+		_, err := cs.CoreV1().Namespaces().Create(context.TODO(), &v1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: ns,
+			},
+		}, metav1.CreateOptions{})
 		Expect(err).NotTo(HaveOccurred())
 
-		_, err = cs.RbacV1().RoleBindings(f.Namespace.Name).Create(context.TODO(), createRBACRoleBindingSA(privilegedRole, f.Namespace.Name, privilegedSA), metav1.CreateOptions{})
+		// create SA
+		saObj := createServiceAccount(ns, privilegedSA)
+		_, err = cs.CoreV1().ServiceAccounts(ns).Create(context.TODO(), saObj, metav1.CreateOptions{})
 		Expect(err).NotTo(HaveOccurred())
-	})
 
-	// TODO: We have to have a solution to get an unprivileged
-	// User to check this, if not it would always create a
-	// privileged POD for an unprivileged serviceAccount.
-	// --
-	// It("Should not create a POD that use privileged PSP [PSP] [Zalando]", func() {
-	//      defaultSA := "default"
-	// 	ns := f.Namespace.Name
-	// 	label := map[string]string{
-	// 		"app": "psp",
-	// 	}
-	// 	msg := fmt.Sprintf("Creating a privileged POD as %s", defaultSA)
-	// 	By(msg)
-	//      route := fmt.Sprintf(`* -> inlineContent("%s") -> <shunt>`, "OK")
-	// 	pod := createSkipperPodWithHostNetwork("", ns, defaultSA, route, label, 80)
-	// 	defer func() {
-	// 		By(msg)
-	// 		defer GinkgoRecover()
-	// 		err := cs.CoreV1().Pods(ns).Delete(pod.Name, metav1.NewDeleteOptions(0))
-	// 		Expect(err).To(HaveOccurred())
-	// 	}()
-	// 	_, err := cs.CoreV1().Pods(ns).Create(pod)
-	// 	Expect(err).To(HaveOccurred())
-	// 	framework.ExpectNoError(f.WaitForPodRunning(pod.Name))
-	// })
+		label := map[string]string{
+			"app": "psp",
+		}
+		msg := fmt.Sprintf("Creating a privileged POD as %s", defaultSA)
+		By(msg)
+		route := fmt.Sprintf(`* -> inlineContent("%s") -> <shunt>`, "OK")
+		pod := createSkipperPodWithHostNetwork("", ns, defaultSA, route, label, 80)
+		defer func() {
+			By(msg)
+			defer GinkgoRecover()
+
+			err = cs.CoreV1().Namespaces().Delete(context.TODO(), ns, metav1.DeleteOptions{})
+			Expect(err).NotTo(HaveOccurred())
+		}()
+		_, err = cs.CoreV1().Pods(ns).Create(context.TODO(), pod, metav1.CreateOptions{})
+		Expect(err).To(HaveOccurred())
+	})
 
 	It("Should create a POD that use privileged PSP [PSP] [Zalando]", func() {
-		ns := f.Namespace.Name
+		ns := "psp-privileged-zalando"
+		_, err := cs.CoreV1().Namespaces().Create(context.TODO(), &v1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: ns,
+			},
+		}, metav1.CreateOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
+		// create SA
+		saObj := createServiceAccount(ns, privilegedSA)
+		_, err = cs.CoreV1().ServiceAccounts(ns).Create(context.TODO(), saObj, metav1.CreateOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
 		label := map[string]string{
 			"app": "psp",
 		}
@@ -89,16 +103,31 @@ var _ = describe("PSP use", func() {
 			defer GinkgoRecover()
 			err := cs.CoreV1().Pods(ns).Delete(context.TODO(), pod.Name, metav1.DeleteOptions{})
 			Expect(err).NotTo(HaveOccurred())
+
+			err = cs.CoreV1().Namespaces().Delete(context.TODO(), ns, metav1.DeleteOptions{})
+			Expect(err).NotTo(HaveOccurred())
 		}()
 
-		_, err := cs.CoreV1().Pods(ns).Create(context.TODO(), pod, metav1.CreateOptions{})
+		_, err = cs.CoreV1().Pods(ns).Create(context.TODO(), pod, metav1.CreateOptions{})
 		Expect(err).NotTo(HaveOccurred())
 
 		framework.ExpectNoError(e2epod.WaitForPodNameRunningInNamespace(f.ClientSet, pod.Name, pod.Namespace))
 	})
 
 	It("Should create a POD that use privileged PSP via deployment [PSP] [Zalando]", func() {
-		ns := f.Namespace.Name
+		ns := "psp-privileged-deployment-zalando"
+		_, err := cs.CoreV1().Namespaces().Create(context.TODO(), &v1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: ns,
+			},
+		}, metav1.CreateOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
+		// create SA
+		saObj := createServiceAccount(ns, privilegedSA)
+		_, err = cs.CoreV1().ServiceAccounts(ns).Create(context.TODO(), saObj, metav1.CreateOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
 		label := map[string]string{
 			"app": "psp",
 		}
@@ -117,6 +146,9 @@ var _ = describe("PSP use", func() {
 			defer GinkgoRecover()
 			err := cs.AppsV1().Deployments(ns).Delete(context.TODO(), d.Name, metav1.DeleteOptions{})
 			Expect(err).NotTo(HaveOccurred())
+
+			err = cs.CoreV1().Namespaces().Delete(context.TODO(), ns, metav1.DeleteOptions{})
+			Expect(err).NotTo(HaveOccurred())
 		}()
 
 		deploy, err := cs.AppsV1().Deployments(ns).Create(context.TODO(), d, metav1.CreateOptions{})
@@ -134,7 +166,7 @@ var _ = describe("PSP use", func() {
 		Expect(err).NotTo(HaveOccurred())
 		By(fmt.Sprintf("Got rs: %s, from deployment: %s", rs.Name, deploy.Name))
 
-		pods, err := e2epod.PodsCreatedByLabel(f.ClientSet, f.Namespace.Name, rs.Name, replicas, labelSelector)
+		pods, err := e2epod.PodsCreatedByLabel(f.ClientSet, ns, rs.Name, replicas, labelSelector)
 		Expect(err).NotTo(HaveOccurred())
 		By(fmt.Sprintf("Ensuring each pod is running for rs: %s, pod: %s", rs.Name, pods.Items[0].Name))
 		// Wait for the pods to enter the running state. Waiting loops until the pods

test/e2e/util.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/kubernetes/test/e2e/framework/config"
 	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
 	testutil "k8s.io/kubernetes/test/utils"
+	"k8s.io/utils/ptr"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -251,6 +252,7 @@ func createSkipperPodWithHostNetwork(nameprefix, namespace, serviceAccount, rout
 	pod := createSkipperPod(nameprefix, namespace, route, labels, port)
 	pod.Spec.HostNetwork = true
 	pod.Spec.ServiceAccountName = serviceAccount
+	pod.Spec.TerminationGracePeriodSeconds = ptr.To(int64(0))
 	pod.Spec.Containers[0].Ports[0].HostPort = int32(port)
 	return pod
 }
@@ -272,6 +274,7 @@ func createSkipperPod(nameprefix, namespace, route string, labels map[string]str
 
 func createSkipperPodSpec(route string, port int32) corev1.PodSpec {
 	return corev1.PodSpec{
+		TerminationGracePeriodSeconds: ptr.To(int64(0)),
 		Containers: []corev1.Container{
 			{
 				Name:  "skipper",