gatekeeper-library icon indicating copy to clipboard operation
gatekeeper-library copied to clipboard
verified publisher icon open-policy-agent

Add an allow list parameter, allowedSysctls, to the Forbidden sysctl constraint template

Open shomron opened this issue 5 years ago • 14 comments

The K8sPSPForbiddenSysctls constraint template allows limiting sysctls available to pods using a deny list. This change adds another option, allowedSysctls, which allows a constraint to specify an allow list in addition to, or instead of, the deny list.

The matching logic is as follows:

  1. When specified, any sysctl not in the allow list is considered to be forbidden.
  2. The allow list can be omitted.
  3. The deny list takes precedence.

shomron avatar Oct 14 '20 05:10 shomron

A little bit of background on how PSPs handle a similar concern:

PSPs define allowedUnsafeSysctls and forbiddenSysctls fields. The semantics are a bit different:

  1. If a sysctl is explicitly forbidden, it is blocked.
  2. If a sysctl is in the hardcoded safe list, and not explicitly forbidden, it is allowed.
  3. If a sysctl is not in the safe list, it must be explicitly allowed in allowedUnsafeSysctls to be allowed.

What I'm not 100% sure about is whether this logic runs on only sysctls listed explicitly in the PodSecurityContext, or whether the defaults are also considered in step 1. The relevant code is here.

shomron avatar Oct 14 '20 17:10 shomron

Following up with additional context:

PSP's allowedUnsafeSysctls and forbiddenSysctls fields only affect kernel parameters specified via a pod's securityContext.sysctl field. They do not affect a container's ability to set these parameters directly in any way. A privileged container can set a forbidden sysctl by writing to /proc/sys/, regardless of what is set on the pod's securityContext.sysctl and regardless of effective PSP restrictions.

The hardcoded safe list only affects PSP validation of pod securityContext.sysctl fields and means that those parameters can be set without a PSP explicitly allowing them.

I believe that the semantics of allowedSysctls in this PR has the advantage over the PSP implementation in that it is more explicit and does not merge in a Kubernetes version-specific default set.

In both native PSPs as well as this constraint template, forbiddenSysctls takes precedence over allowedSysctls and behaves similarly.

shomron avatar Oct 26 '20 20:10 shomron

@ritazh @sozercan @maxsmythe let me know what you think!

shomron avatar Oct 26 '20 20:10 shomron

+1 to the idea of making things explicit. I don't like the idea of trying to make sure a list of "safe" sysctls is up-to-date

maxsmythe avatar Oct 28 '20 06:10 maxsmythe

+1 on adding allowedSysctls

ritazh avatar Oct 28 '20 15:10 ritazh

It would be great if we can add an allowed example too.

sozercan avatar Nov 19 '20 20:11 sozercan

any chance of getting this merged?

chrisns avatar Nov 24 '21 12:11 chrisns

@shomron ready to merge?

maxsmythe avatar Nov 30 '21 02:11 maxsmythe

Ready as ever :)

shomron avatar Nov 30 '21 02:11 shomron

Awesome! Can we add a description for the new field and merge?

maxsmythe avatar Dec 01 '21 03:12 maxsmythe

@shomron ping :)

maxsmythe avatar Jan 07 '22 00:01 maxsmythe

Is there something wrong with this PR? If the changes are ok, why not merge it once and then add a description?

superbrothers avatar Jun 24 '22 09:06 superbrothers

@shomron are you okay if I take over this PR?

maxsmythe avatar Jun 24 '22 23:06 maxsmythe

By all means 🙂

shomron avatar Jun 24 '22 23:06 shomron

Hi! I made a successor PR #253 which adds description for the new field. Please take a look.

ordovicia avatar Nov 02 '22 02:11 ordovicia

Maybe this PR should be closed? https://github.com/open-policy-agent/gatekeeper-library/pull/253 was merged with the same goal.

Ping @maxsmythe @shomron

sathieu avatar Nov 29 '22 09:11 sathieu