[WIP] Add KEP to create seccomp built-in profiles and add complain mode #1257
Conversation
|
Welcome @pjbgf! |
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @pjbgf. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
pjbgf
changed the title
There was a problem hiding this comment.
Thanks for working on this! You've got a good start here.
/assign @wangzhen127
| ### Goals | ||
|
|
||
| - Add audit-mode support for logging violations instead of blocking them. | ||
| - Set clusters to use the new audit profile (i.e. `runtime/default-audit`) by default. |
There was a problem hiding this comment.
We should reconcile the API with #1148, which I'm hoping to get into 1.17
There was a problem hiding this comment.
Is it possible to take the same profile and run it in audit or enforce mode? If so, we should probably make it a *bool on the SeccompOptions rather than a profile-level switch.
There was a problem hiding this comment.
@tallclair yes, that is feasible. I can think of two ways to approach this, both involves amending the profile before sending it over to the CRI:
- Audit only unspecified actions by replacing the profile's defaultAction to
SCMP_ACT_LOG. Very useful to keep allowed and blocked rules intact, but providing users a way to find extra syscalls that may need to be allowed. - Audit all syscalls that are not whitelisted by replacing all defined blocking actions and the defaultAction with
SCMP_ACT_LOG. This answers questions such as "why my application is being blocked even though I am running it in audit mode?"
The first approach sounds reasonable and would work fine with the default profile which currently does not blacklist anything. However, the second might be more user-friendly for custom profiles that may have blocking/tracing rules.
If we were to do this, I would go for the first approach and use a meaningful name for the flag inside the SeccompOptions. Maybe something in the lines of AuditOnlyUnspecifiedSyscalls?
UPDATE 1: A caveat here is that this would not work with the current runtime/default profiles. This would only work for the new kubernetes and/or custom profiles, as we would be able to manipulate them.
UPDATE 2: Based on another point you raised I think we may not want to make changes to profiles at runtime and rather keep them immutable. This way it will be easier to identify when profiles were tampered with. I will detail this a bit better on the custom profiles KEP, however, it may be sensible to have that applied to both custom and built-in profiles.
pjbgf
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
PTAL |
|
|
||
| ##### Beta -> GA Graduation | ||
|
|
||
| - Enable audit-mode as default. |
There was a problem hiding this comment.
Once the tooling is sufficiently mature, and with enough soak time, do you see us eventually flipping the default to the enforcing default profile?
There was a problem hiding this comment.
I removed this in the new scope. The idea is to get built-in pods in either the default profile or on a custom profile - if needed - in parallel to this effort. Ultimately, the complain mode should be used only for user workloads, as an opt-in feature.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
Signed-off-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
Signed-off-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
Co-Authored-By: Tim Allclair (St. Clair) <tallclair@google.com>
Signed-off-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
This comment has been minimized.
This comment has been minimized.
k8s-ci-robot
removed
sig/api-machinery
|
After going through @tallclair's feedback, I decreased the scope of this KEP to only create new built-in profiles. Users will be able to use the existing mechanisms (subject to changes from #1148) to explicitly set the new profiles for containers, pods or the entire cluster. This removes a lot of the complexity and potential backwards compatibility issues, whilst delivering the main value which is the ability for users to assess impact of PTAL |
pjbgf
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
I am currently reviewing this KEP, so in the interest of time, I would suggest to put on hold any reviews until the next batch of changes are pushed through. /hold |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
/milestone clear |
|
This KEP is being withdrawn in favour of the seccomp-operator, which will eventually bring similar features out of tree. |
This proposal focuses on creating new seccomp built-in profiles in order to support a complain mode..
Feature: #135
Security Audit Issue: kubernetes/kubernetes#81115
For context:
kubernetes/community#660
kubernetes/kubernetes#39845
kubernetes/kubernetes#20870
kubernetes/kubernetes#39128
kubernetes/kubernetes#52827
/sig-node
/sig-auth
/priority important-longterm
/assign @tallclair
/cc @jessfraz