Update "Windows Storage Support" KEP status to implementable and address prior feedback

[ddebroy]

Updates:

1. Clarify deprecation policy for API members.
2. Add pointer to golang issue to track supporting detection of domain socket files in Windows.
3. Compare Linux Node Plugin attack surface to CSI Proxy.
4. Update diagram and API members from Get => List.
5. Specify generation of eventlog entries that can be used as an audit trail.

[ddebroy]

/sig storage

[ddebroy]

/assign @PatrickLang @msau42 @liggitt

[msau42]

The image can be checked into this directory directly

[ddebroy]

Done.

[ddebroy]

/assign @calebamiles

[liggitt]

are the RPC messages described below (MkdirRequest, RmdirRequest, PartitionDisk, FormatVolume, LinkVolume, etc) pre-existing or introduced as part of this feature?

since this is exposing an API that allows things running inside containers to escalate permissions to do host-level operations, we need clear information about the following aspects:

• what values are allowed in paths
  • are special characters restricted?
  • are backstep path segments allowed?
  • are forward and backslashes (and international path separators like ¥) allowed and normalized?
  • which of the filepath variants in https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats are allowed?
• is the csi-proxy process or the caller responsible for normalization and validation of paths?
• do symlink traversal and time-of-check-time-of-use issues exist in windows? for example, could a container create a link in a filesystem it controlled that pointed to a host filepath it should not have access to, then request a CSI volume be mounted at a path beneath that link, and get the privileged csi-proxy to follow the link and overwrite/expose host files to the container? if so, how does the caller indicate to the csi-proxy what the acceptable boundary is for resolved paths that include links?

[liggitt]

It's possible some or many of the validation bits are constrained by the CSI spec already and the kubelet is responsible for filtering out some of those things. If so, just noting that and ensuring test coverage of the kubelet is fine.

The symlink/link/traversal issues are more interesting, since the csi-proxy would be the only actor capable of performing those checks.

[ddebroy]

All the RPCs mentioned are new. Will clarify the path semantics and validations.

[PatrickLang]

Rather than repeating everything in the doc - I think we can reference https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file

@liggitt - that doc you linked to is a subset implemented in .Net. https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getfullpathnamew is the native API that should be used to canonicalize file names that follows the rules listed in the prior doc

[liggitt]

+1 for linking to existing references, clarifying which API is used, and being explicit about where normalization happens (which component(s) are responsible for doing it)

[PatrickLang]

path normalization on the node side can be done with https://github.com/golang/go/blob/2b8cbc384d092dc63e9dc18ec318d0682185611c/src/syscall/syscall_windows.go#L224

[ddebroy]

I have updated the Request and Response struct descriptions for the RPCs along with restrictions. /cc @liggitt and @PatrickLang PTAL.

[liggitt]

Thanks. Do these map closely to windows filesystem APIs? If so, that would be good to reference.

I'll defer to the windows/storage experts to determine if these provide a reasonable API that covers the information/operations a CSI driver would need.

[liggitt]

are there already things that could be mounted into pods that allowed arbitrary hostpath mounts that would allow similar escalations/capabilities? if so, the mere existence of the csi proxy isn't really an increased risk for those pods.

the increased risk comes from the csi-proxy handling of data plumbed to it by the csi drivers from restricted user-specified PVCs/Pods that were not allowed hostPath access, hence the data validation questions in https://github.com/kubernetes/enhancements/pull/1184/files#r308785333

[PatrickLang]

Windows doesn't support container mount projection today, so there's no way to create new mounts that can be interpreted by the host.

[msau42]

cc @tallclair

[liggitt]

is there an alternative check that can be done on windows to avoid spawning lots of events for normal files/dirs (like ensuring it is not a directory, and is not a regular file)? I know there were bugs with the plugin manager getting overwhelmed trying to process change events for non-socket files under that dir.

[ddebroy]

The code fragment I am referring to that needs to be relaxed is: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher.go#L193-L196

I think the rest of the code around the above does get invoked regardless of file type - so I don't think the invocation of handleCreateEvent itself is being filtered based on file type but the downstream calls like handlePluginRegistration are filtered.

We can explore sending down a FSCTL to the file to check for the Windows reparse points (through go wrappers) to align with fi.Mode()&os.ModeSocket == 0. I can call that plan out here.

[liggitt]

what owner/permissions are associated with the new directory? are all parent directories created if missing as well?

[ddebroy]

I went ahead and added a Windows OS error code for all responses as that is critical. Also clarified paths will not be pre-created for parents and a PathExists RPC. Also mentioned the typical user SID under which csi-proxy.exe will be started and the permissions (read, write) that will be set when creating directories.

[liggitt]

if it does exist already, is an error returned? is the error distinguishable as an "already exists" error?

[ddebroy]

Yes. I went ahead and added a Windows OS error code for all responses to make error detection and reaction to them easier.

[liggitt]

Thanks. Do these map closely to windows filesystem APIs? If so, that would be good to reference.

I'll defer to the windows/storage experts to determine if these provide a reasonable API that covers the information/operations a CSI driver would need.

[liggitt]

will need to be under this path

Including resolution of any links in the parent dir?

For example, in the following setup:

1. kubernetes-csi-plugins-path = C:\var\lib\kubelet\plugins\kubernetes.io\csi
2. C:\var\lib\kubelet\plugins\kubernetes.io\csi\foo\bar is a link that points to Z:\baz

Would a request to delete C:\var\lib\kubelet\plugins\kubernetes.io\csi\foo\bar\quux be allowed (since it really resolves to Z:\baz\quux?

[liggitt]

@msau42 is more familiar with what the CSI drivers are required to do, and how much visibility (if any) they have to the mountPath/subPath inputs the user provides. The less direct input from untrusted pvc/pod creators the drivers make use of, the less concerned I am about these aspects.

[msau42]

/var/lib/kubelet/plugins/kubernetes.io/csi is where the staging mounts go, but I think we also need /var/lib/kubelet/pods/ for the per pod link right?

Regarding @liggitt's concern, I think we should disallow symlinks for the paths that get passed to the proxy.

Kubelet is supposed to give the driver only system-controlled paths, but that doesn't stop the driver from giving another path to the proxy.

[msau42]

CSI drivers don't handle subpaths. It's handled directly by the kubelet, and IIUC, this proxy is only for CSI driver file/mount operations, not kubelet.

[msau42]

I'm not familiar with windows symlink mechanics. Does it have the same issue as linux where O_NOFOLLOW only applies to the past element of the path?

[ddebroy]

@msau42 @liggitt I specifically mentioned for RmdirRequest: Path cannot be a file of type symlink as a restriction https://github.com/kubernetes/enhancements/pull/1184/files#diff-0533ba89d026317907f55974130ce267R419 . The file type of the path will be checked and request to delete a path of type symlink will be rejected. So that should take care of rmdir being invoked on a symlink path to remove a target somewhere else.

For MkdirRequest, the proxy creates the path and will make sure they are regular directories and not symlinks.

[liggitt]

The following are the main RPC calls that will comprise a v1 version of the CSIProxyService API

isn't what is described below the v1alpha1 version of the CSIProxyService API?

[ddebroy]

Correct. I will update this.

[saad-ali]

/assign

[verult]

nit: Could you define CSI Node Plugins? Maybe in a glossary section? I wasn't sure if this is referring to the CSI driver to be installed on nodes or the DaemonSet or something else without reading deeper

[PatrickLang]

/lgtm
looking for approval from a sig-storage rep

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ddebroy, PatrickLang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-windows/OWNERS [PatrickLang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ddebroy]

Well that was strange - tide feels the PR has not been approved but the k8s-ci-robot added approved tag and merged the PR?

[msau42]

Why do CSI drivers need the container runtime paths?

[ddebroy]

This is for the LinkVolume step where the proxy needs to invoke mklink from the host staging path to a path inside the container's fs as part of node publish.

[yujuhong]

Could you explain a little bit more? I assume CSI plugin only needs to know the /var/lib/kubelet paths, and the container runtime will be the one to handle paths for the container rootfs

[ddebroy]

I ran through the flow again and what I stated above is incorrect. The node publish path on the container side is indeed under C:\var\lib\kubelet\pods. I will correct this in a fresh PR.