-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Let users set allowPrivilegeEscalation = false
on ksvc.
#13395
Conversation
🎁 This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug
Codecov ReportBase: 86.43% // Head: 86.45% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #13395 +/- ##
==========================================
+ Coverage 86.43% 86.45% +0.01%
==========================================
Files 196 196
Lines 14549 14551 +2
==========================================
+ Hits 12576 12580 +4
+ Misses 1673 1671 -2
Partials 300 300
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
Does the GKE security posture dashboard line up with the Pod Security Standards published by Kubernetes (and the Pod Security Admission feature in 1.24 and 1.25)? I couldn't see any indication either way. I wish that Kubernetes had a reasonable way of turning on these security features automatically for users. In particular, the restricted profile requires the following entries: allowPrivilegeEscalation: false
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault # or Localhost
capabilities:
drop: [ALL] The baseline profile allows the above fields to be undefined as well as the "safe" values. With the exception of allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault # or Localhost
capabilities:
drop: [ALL]
add: [NET_BIND_SERVICE] # allow bind to low ports as non-root I think we might want to put this behind a feature flag, and flip the flag forward for the January release (1.9). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
I'll see about sending a PR for the feature to default to more secure.
An extra-bonus that I'll look at later is pulling the effective user ID when we resolve the OCI image; if the userId is non-zero or specified as non-zero in the SecurityContext, I can set runAsNonRoot: true
to allow Knative Services to run under the restricted
profile by default, which would be nice.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: evankanderson, mattmoor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@evankanderson one gotcha with this is that the user can be specified as either |
🐛 Pull in knative/serving#13395 /kind bug
🐛 Pull in knative/serving#13395 /kind bug
🐛 Pull in knative/serving#13395 /kind bug
I didn't realize y'all had forked the source of truth for our fieldmasking, so unfortunately this missed the CRD schema 😞 I'll send a PR to update that shortly, so the CRD configs include these fields. |
…dmask. 🐛 My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395
…native#13395) 🎁 This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug
…dmask. (knative#13402) 🐛 My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395
…native#13395) 🎁 This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug
…dmask. (knative#13402) 🐛 My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395
…ion (#1282) * Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395) :gift: This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug * Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402) :bug: My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395 * add allowPrivilegeEscalation to manifests Co-authored-by: Matt Moore <[email protected]>
…ion (knative#1282) * Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395) :gift: This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug * Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402) :bug: My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395 * add allowPrivilegeEscalation to manifests Co-authored-by: Matt Moore <[email protected]>
…e` on ksvc. (#18) * [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation (knative#1282) * Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395) :gift: This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug * Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402) :bug: My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395 * add allowPrivilegeEscalation to manifests Co-authored-by: Matt Moore <[email protected]> * Add missing allowPrivilegeEscalation patch into 1-serving-crds.yaml (knative#1301) * fix download script Co-authored-by: Matt Moore <[email protected]> Co-authored-by: Kenjiro Nakayama <[email protected]>
…e` on ksvc. (#18) (#90) * [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation (knative#1282) * Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395) :gift: This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug * Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402) :bug: My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395 * add allowPrivilegeEscalation to manifests Co-authored-by: Matt Moore <[email protected]> * Add missing allowPrivilegeEscalation patch into 1-serving-crds.yaml (knative#1301) * fix download script Co-authored-by: Matt Moore <[email protected]> Co-authored-by: Kenjiro Nakayama <[email protected]> Co-authored-by: Stavros Kontopoulos <[email protected]> Co-authored-by: Matt Moore <[email protected]> Co-authored-by: Kenjiro Nakayama <[email protected]>
🎁 This allows used to specify
allowPrivilegeEscalation
(in particular to false) to ensure that processes cannot escalate privileges.Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false!
https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard
/kind bug
/cc @dprotaso @evankanderson @psschwei