Initial Security Model #693
Conversation
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
approved
|
@jhrozek @JAORMX @saschagrunert keen on hearing thoughts on how we can improve this. Also, need some other pairs of eyes to double check on the selinux front. |
Codecov Report
@@ Coverage Diff @@
## master #693 +/- ##
=======================================
Coverage 46.41% 46.41%
=======================================
Files 35 35
Lines 2359 2359
=======================================
Hits 1095 1095
Misses 1211 1211
Partials 53 53 |
k8s-ci-robot
added
the
lgtm
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
There was a problem hiding this comment.
This is really great work. I left some comments inline.
Let's get this merged soon and then I'll add some OCP specific info on top of that (e.g. we are using the privileged SCC ...)
Btw does it make sense to mention that by default almost all the containers run with the spc_t SELinux type which pretty much means "unconfined"? (If you prefer, I can propose another PR atop this)
security-model.md
Outdated
|
|
||
| | | Seccomp | SELinux | AppArmor | | ||
| |----------------------------------|---------|---------|----------| | ||
| | Requires root user | No | Yes | Yes | |
There was a problem hiding this comment.
Can you help me understand this column better? Does it mean "the operator is running as root" or "anything in the DS is running as root"? Because if SELinux is enabled, only selinuxd is running as root, not the operator. The operator just writes to /etc/selinux.d which is owned by the non-root user the operator is running as.
There was a problem hiding this comment.
The idea here was to be more generic, meaning that for SELinux feature to be operational, something must be running at that given permission level to be able support it.
Initially I thought as marking with No* and adding a caveat soon after, but then decided to make it easier. But I agree, it is not completely clear.
Do you think it would be better if we broke down each of the components that support each enforcement technology (selinux, apparmor, selinux)?
There was a problem hiding this comment.
I think your approach is better and we might want to just add a side-note or a sub-paragraph later.
security-model.md
Outdated
| | | Seccomp | SELinux | AppArmor | | ||
| |----------------------------------|---------|---------|----------| | ||
| | Requires root user | No | Yes | Yes | | ||
| | Requires HostPID | No | ? | Yes | |
There was a problem hiding this comment.
I don't see SELinux requiring hostPID, But then again, I must be looking at the wrong place, because I don't see AppArmor requiring hostpid either. Only the BPF recorder and the log enricher.
There was a problem hiding this comment.
Sure, let me fix that - SELinux.
For AppArmor, it does currently as it needs to enter the host mnt namespace to gain access to the AppArmorFS on demand. There are other ways of doing it, but that's the current approach.
There was a problem hiding this comment.
Ah, I know what confused me, the code that uses hostPIDs for AppArmor is not merged yet, but it is part of PR#680 right?
There was a problem hiding this comment.
yes, that's correct. once that is merged and apparmor is enabled, spod will require HostPID.
security-model.md
Outdated
| |----------------------------------|---------|---------|----------| | ||
| | Requires root user | No | Yes | Yes | | ||
| | Requires HostPID | No | ? | Yes | | ||
| | Requires "privileged container" | No | Yes | Yes | |
There was a problem hiding this comment.
Same question here, I only see the log-enricher and the BPF recorder being privileged. selinuxd is running with its own SELinux policy.
security-model.md
Outdated
| | Requires root user | No | Yes | Yes | | ||
| | Requires HostPID | No | ? | Yes | | ||
| | Requires "privileged container" | No | Yes | Yes | | ||
| | Requires SSH Access to nodes | No | No | No | |
There was a problem hiding this comment.
I'm not sure what this means?
There was a problem hiding this comment.
Same as #693 (comment)
In the future we could potentially have a page to compare with other projects and help folks decide. But that may be hard to keep up to date.
security-model.md
Outdated
| | Requires HostPID | No | ? | Yes | | ||
| | Requires "privileged container" | No | Yes | Yes | | ||
| | Requires SSH Access to nodes | No | No | No | | ||
| | Access to host's mount namespace | No | ? | On Demand| |
There was a problem hiding this comment.
I'm not sure what exactly do you mean here. SELinux integration makes use of HostPath mounts, yes, but e.g. no mount propagation is used.
There was a problem hiding this comment.
Sure, going through it again it does not come across as clear as I intented it to be.
On a follow-up PR I think this can be replaced by breaking down the "host paths" for each main feature (SAS) and the access (rw) they require. So regardless of this is implemented, for Seccomp to work it requires rw access to {kubelet_path}/seccomp. And the same for selinux/apparmor.
There was a problem hiding this comment.
Right, selinuxd needs to write to the hosts's selinux db. Thanks for the explanation.
|
|
||
| During the execution in profile generate mode, the observed applications may run less restricted than it | ||
| would otherwise, to allow for their operations to be observed and recorded. Keep this in mind when using it | ||
| against workloads you may not trust. |
There was a problem hiding this comment.
I think we should expand on this section. e.g. for seccomp, you have a choice of using the log-enricher or the BPF built-in recorder which seem to be using hostPID or the seccomp OCI hook which doesn't (at least not in the operator context).
There was a problem hiding this comment.
Fair, to be honest I think we need to add a lot more meat to this section. But was thinking on leaving as is and improve on follow-up PRs.
Overall, profile generation is tricky and generally can be done either with target workload being a) unrestricted or b) restricted with existing/template profile. The former may have security implications and the latter would yield a partial profile - assuming that those execution paths may not be fully materialised when restricted.
In my point of view, we can have here a disclaimer of potential risks, but then have a full on section on profiling in which we suggest how to do that correctly and securely. Would you be OK with that?
security-model.md
Outdated
| | Requires root user | Yes | Yes | Yes | | ||
| | Requires HostPID | No | ? | Yes | | ||
| | Requires "privileged container" | No | Yes | Yes | | ||
| | Requires SSH Access to nodes | No | No | No | |
There was a problem hiding this comment.
I'm not sure what does SSH access to nodes mean here.
There was a problem hiding this comment.
Fair point, this was just a reference to help end users to compare SPO with other projects that provide similar capabilities.
Some of those projects require SSH credentials in order to executec commands in the nodes to install/remove profiles.
There was a problem hiding this comment.
Oh I didn't know that. Leave it in then, I like to show off where SPO is better!
security-model.md
Outdated
| | | Seccomp | SELinux | AppArmor | | ||
| |----------------------------------|---------|---------|----------| | ||
| | Requires root user | Yes | Yes | Yes | | ||
| | Requires HostPID | No | ? | Yes | |
There was a problem hiding this comment.
Since SELinux recording depend on the log enricher which uses hostPID, then the answer is yes.
@jhrozek great point - yes. I think we should get out at a container level:
I added it here - as I had to make some changes anyway. But happy for you to improve it via a follow-up PR on that. On the mid/long term, it would be great if we could think on ways to automatically extract such information (like we do for RBAC). |
k8s-ci-robot
removed
the
lgtm
|
@jhrozek went through your poinds - thank you so much for the extensive feedback. PTAL |
| #### Host Paths | ||
|
|
||
| Throughout their operation they require read and write permissions into host paths: | ||
|
|
||
| - `/var/lib/kubelet/seccomp` | ||
| - `/etc/selinux.d` | ||
| - `/etc/apparmor.d` |
There was a problem hiding this comment.
There are a bunch of more host paths, should we cover them as well: https://cs.k8s.io/?q=HostPathVolumeSource&i=nope&files=&excludeFiles=vendor&repos=kubernetes-sigs/security-profiles-operator
There was a problem hiding this comment.
@saschagrunert nice! I did not know about https://cs.k8s.io 👍
Yes, I think we should break it all down and make it explicit what we need and to what level.
This will also help when we create our AppArmor profiles - which could actually become our official documentation on host-level disk permissions.
@saschagrunert thank you. In my opinion we can keep as is right now. Once we are a bit more settled in terms of features - specially around AppArmor and the great bits around eBPF profiling you are working on - we review it. What do you think? |
Sounds great! |
|
/test pull-security-profiles-operator-test-e2e |
1 similar comment
|
/test pull-security-profiles-operator-test-e2e |
|
/test pull-security-profiles-operator-verify |
|
I'm happy with the current state! |
k8s-ci-robot
added
the
lgtm
|
/retest |
|
/test pull-security-profiles-operator-verify |
2 similar comments
|
/test pull-security-profiles-operator-verify |
|
/test pull-security-profiles-operator-verify |
| | Access to host's mount namespace | No | Yes | On Demand | | ||
| | AppArmor Profile | `default` | `default` | `default` | | ||
| | SELinux type | `spc_t` | `spc_t` | `spc_t` | | ||
| | Seccomp Profile | `unconfined`| `unconfined`| `unconfined`| |
There was a problem hiding this comment.
one thing to note (maybe this can go in a separate PR) is that when SELinux is enabled, the SPOd has a sidecar container running selinuxd. selinuxd actually runs with a selinux.process type and is not a privileged container. Although it does run as root. Something we could start investigating is trying to run it with a non-root user and seeing if we can make do with enabling extra capabilities.... However, a lot of the attack surface of that container is mitigated by the custom policy we use for it.
| Throughout their operation they require read and write permissions into host paths: | ||
|
|
||
| - `/var/lib/kubelet/seccomp` | ||
| - `/etc/selinux.d` |
There was a problem hiding this comment.
we've removed this now #698
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JAORMX, pjbgf, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/retest |
1 similar comment
|
/retest |
|
/test pull-security-profiles-operator-verify |
|
/retest |
1 similar comment
|
/retest |
|
/override pull-security-profiles-operator-verify |
|
@saschagrunert: Overrode contexts on behalf of saschagrunert: pull-security-profiles-operator-verify In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/override pull-security-profiles-operator-verify |
|
@saschagrunert: Overrode contexts on behalf of saschagrunert: pull-security-profiles-operator-verify In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Initial security model markdown to inform users on permissions, and overall security related information.
In the future, this will contain also include compliance status (i.e. NIST, SLSA, etc.)
Which issue(s) this PR fixes:
Relates to #653
Does this PR have test?
N/A
Special notes for your reviewer:
N/A
Does this PR introduce a user-facing change?