enhancements
enhancements copied to clipboard
kubernetes
KEP-24: Promote Apparmor to GA
KEP-24: Promote Apparmor to GA
New updated KEP outlining requirement for Apparmor to move to GA.
- Issue link: #24
Supersedes #1444
Welcome @jan0ski!
It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.
You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.
You can also check if kubernetes/enhancements has its own contribution guidelines.
You may want to refer to our testing guide if you run into trouble with your tests not passing.
If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!
Thank you, and welcome to Kubernetes. :smiley:
Hi @jan0ski. Thanks for your PR.
I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Before we graduate this, can we check whether https://kubernetes.io/docs/tutorials/security/apparmor/ is current? That page talks a lot about requiring Kubernetes v1.4 or later, so my guess is that it does need an update.
Before we graduate this, can we check whether https://kubernetes.io/docs/tutorials/security/apparmor/ is current? That page talks a lot about requiring Kubernetes v1.4 or later, so my guess is that it does need an update.
I would concur we need to revamp the website documentation. We could remove the references to PodSecurityPolicy regarding AppArmor and recommend something OPA/Admission Controller based for controlling what profiles can/can't be used.
We may want to mention on this KEP what we want to do about the PodSecurityPolicy enforcements around AppArmor.
We can: 1) do nothing 2) extend enforcements to the proposed new fields.
I am of the opinion we should do nothing, given that PodSecurityPolicy is sunsetting and there is little point changing anything on its functionality. Either way, it feels reasonable to call this out in the KEP. Similarly to what we did on the Seccomp route to GA, however for that we took a different path.
From v1.25 onwards, there is no PodSecurityPolicy API.
@sftim There is a residual PSP code currently in main that overlaps with AppArmor. The code provides the ability of defining the default AppArmor profile across the cluster, and also to set what AppArmor profiles are allowed. They are defined via annotations "apparmor.security.beta.kubernetes.io/defaultProfileName" and "apparmor.security.beta.kubernetes.io/allowedProfileNames":
https://github.com/kubernetes/kubernetes/blob/2c1c1b75465e93ecc49d0cd59efdfa1b0bdb3bbc/staging/src/k8s.io/api/core/v1/annotation_key_constants.go#L59-L62 https://github.com/kubernetes/kubernetes/blob/3ffdfbe286ebcea5d75617da6accaf67f815e0cf/pkg/apis/policy/validation/validation.go#L143
I think this KEP should at least mention it and clarify what happens with that functionality.
We may want to mention on this KEP what we want to do about the
PodSecurityPolicyenforcements aroundAppArmor. We can: 1) do nothing 2) extend enforcements to the proposed new fields.I am of the opinion we should do nothing, given that
PodSecurityPolicyis sunsetting and there is little point changing anything on its functionality. Either way, it feels reasonable to call this out in the KEP. Similarly to what we did on the Seccomp route to GA, however for that we took a different path.
Good call out. I've added a mention to this in ac8121e
@tallclair: GitHub didn't allow me to request PR reviews from the following users: discussion, for, Pod.
Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.
In response to this:
Something that we should discuss for the transition to GA:
The baseline and restricted pod security levels (https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) currently allow all Localhost profiles. In the case of seccomp, this works as intended, since localhost profiles are installed to a specially designated directory. However in the case of apparmor, any profile loaded on the node is fair game, including profiles for system daemons outside of Kubernetes.
Is this working as intended? Our stance has previously been that if you need finer grained control over localhost profiles, you should use another admission control. If not, do we want to address it in the transition to GA? One way we could address it is by requiring a designated prefix for Kubernetes profiles, but such a large change seems out of scope as defined by your goals. WDYT?
/cc @liggitt for Pod Security discussion
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I think the remaining issues are things that can be hashed out in the implementation / API reivew, so I'm comfortable approving this KEP. However, we're past enhancements freeze so this will need an extension if you still want to get it into 1.26. IMO this is a low-risk change, so I don't see any issues with including it.
/lgtm /approve
Thanks! I've submitted an enhancements freeze exception for this KEP to be included in 1.26. :crossed_fingers:
Hi, Thanks for raising the exception request. The exception request has been approved by the 1.26 release team and your updated deadline to make any changes to your KEP is 18:00 PST Tuesday 18 October 2022. /milestone v1.26
Working on some documentation updates in https://github.com/kubernetes/website/pull/37191 - does this block us from approving the KEP?
If so I think that and a PRR approval are all we need? cc @deads2k @tallclair
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: deads2k, jan0ski, tallclair
Once this PR has been reviewed and has the lgtm label, please assign derekwaynecarr for approval by writing /assign @derekwaynecarr in a comment. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
- ~~keps/prod-readiness/OWNERS~~ [deads2k]
- keps/sig-node/OWNERS
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
/lgtm
This looks good to me. There might be a few more implementation details to iron out, but we can handle those in PR reviews.
Just a heads up: code freeze is coming up in 3 weeks (Nov 8th), so we'll need to move quickly on this.
@dchen1107: Can not set label lead-opted-in: Must be member in one of these teams: [release-team-enhancements release-team-leads sig-api-machinery-leads sig-apps-leads sig-architecture-leads sig-auth-leads sig-autoscaling-leads sig-cli-leads sig-cloud-provider-leads sig-cluster-lifecycle-leads sig-contributor-experience-leads sig-docs-leads sig-instrumentation-leads sig-k8s-infra-leads sig-multicluster-leads sig-network-leads sig-node-leads sig-release-leads sig-scalability-leads sig-scheduling-leads sig-security-leads sig-storage-leads sig-testing-leads sig-windows-leads]
In response to this:
/label lead-opted-in /milestone v1.27
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Looks like there are still some PRR questions open. It would be good to get the API changes in for this though. I wonder if we should decouple the API changes from graduation to GA? In other words, implement the fields for v1.27, and punt GA to v1.28?
If you have time to address the open debuggability concerns that works too.
Looks like there are still some PRR questions open. ... If you have time to address the open debuggability concerns that works too.
@tallclair can you point these concerns out for me? I might be missing context, and had assumed PRR questions were addressed already. Happy to try and answer whatever I can.
Back in october the PRR was approved https://github.com/kubernetes/enhancements/pull/3298#issuecomment-1283041979
There was a new question added to scalability: https://github.com/kubernetes/enhancements/blob/master/keps/NNNN-kep-template/README.md#scalability , but that should be easy to update.
All the feedback left on this KEP can be addressed by adding action items into the Graduation Criteria for GA. There is no absolutely blocking comments, mostly work items
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: deads2k, jan0ski, tallclair Once this PR has been reviewed and has the lgtm label, please ask for approval from derekwaynecarr. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
- ~~keps/prod-readiness/OWNERS~~ [deads2k]
- keps/sig-node/OWNERS
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the PR is closed
You can:
- Mark this PR as fresh with
/remove-lifecycle stale - Close this PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the PR is closed
You can:
- Mark this PR as fresh with
/remove-lifecycle rotten - Close this PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten