-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial Security Model #693
Conversation
@jhrozek @JAORMX @saschagrunert keen on hearing thoughts on how we can improve this. Also, need some other pairs of eyes to double check on the selinux front. |
Codecov Report
@@ Coverage Diff @@
## master #693 +/- ##
=======================================
Coverage 46.41% 46.41%
=======================================
Files 35 35
Lines 2359 2359
=======================================
Hits 1095 1095
Misses 1211 1211
Partials 53 53 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I love it, it’s great to have these docs!
Do we plan in the future to only distinguish those two modes by configuration or do we wanna keep the operator configurable as is?
/hold |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really great work. I left some comments inline.
Let's get this merged soon and then I'll add some OCP specific info on top of that (e.g. we are using the privileged SCC ...)
Btw does it make sense to mention that by default almost all the containers run with the spc_t
SELinux type which pretty much means "unconfined"? (If you prefer, I can propose another PR atop this)
security-model.md
Outdated
|
||
| | Seccomp | SELinux | AppArmor | | ||
|----------------------------------|---------|---------|----------| | ||
| Requires root user | No | Yes | Yes | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you help me understand this column better? Does it mean "the operator is running as root" or "anything in the DS is running as root"? Because if SELinux is enabled, only selinuxd is running as root, not the operator. The operator just writes to /etc/selinux.d
which is owned by the non-root user the operator is running as.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea here was to be more generic, meaning that for SELinux feature to be operational, something must be running at that given permission level to be able support it.
Initially I thought as marking with No*
and adding a caveat soon after, but then decided to make it easier. But I agree, it is not completely clear.
Do you think it would be better if we broke down each of the components that support each enforcement technology (selinux, apparmor, selinux)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think your approach is better and we might want to just add a side-note or a sub-paragraph later.
security-model.md
Outdated
| | Seccomp | SELinux | AppArmor | | ||
|----------------------------------|---------|---------|----------| | ||
| Requires root user | No | Yes | Yes | | ||
| Requires HostPID | No | ? | Yes | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see SELinux requiring hostPID, But then again, I must be looking at the wrong place, because I don't see AppArmor requiring hostpid either. Only the BPF recorder and the log enricher.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, let me fix that - SELinux.
For AppArmor, it does currently as it needs to enter the host mnt
namespace to gain access to the AppArmorFS on demand. There are other ways of doing it, but that's the current approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I know what confused me, the code that uses hostPIDs for AppArmor is not merged yet, but it is part of PR#680 right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, that's correct. once that is merged and apparmor is enabled, spod will require HostPID.
security-model.md
Outdated
|----------------------------------|---------|---------|----------| | ||
| Requires root user | No | Yes | Yes | | ||
| Requires HostPID | No | ? | Yes | | ||
| Requires "privileged container" | No | Yes | Yes | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same question here, I only see the log-enricher and the BPF recorder being privileged. selinuxd
is running with its own SELinux policy.
security-model.md
Outdated
| Requires root user | No | Yes | Yes | | ||
| Requires HostPID | No | ? | Yes | | ||
| Requires "privileged container" | No | Yes | Yes | | ||
| Requires SSH Access to nodes | No | No | No | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what this means?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as #693 (comment)
In the future we could potentially have a page to compare with other projects and help folks decide. But that may be hard to keep up to date.
security-model.md
Outdated
| Requires HostPID | No | ? | Yes | | ||
| Requires "privileged container" | No | Yes | Yes | | ||
| Requires SSH Access to nodes | No | No | No | | ||
| Access to host's mount namespace | No | ? | On Demand| |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what exactly do you mean here. SELinux integration makes use of HostPath
mounts, yes, but e.g. no mount propagation is used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, going through it again it does not come across as clear as I intented it to be.
On a follow-up PR I think this can be replaced by breaking down the "host paths" for each main feature (SAS) and the access (rw) they require. So regardless of this is implemented, for Seccomp to work it requires rw
access to {kubelet_path}/seccomp
. And the same for selinux/apparmor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, selinuxd needs to write to the hosts's selinux db. Thanks for the explanation.
|
||
During the execution in profile generate mode, the observed applications may run less restricted than it | ||
would otherwise, to allow for their operations to be observed and recorded. Keep this in mind when using it | ||
against workloads you may not trust. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should expand on this section. e.g. for seccomp, you have a choice of using the log-enricher or the BPF built-in recorder which seem to be using hostPID
or the seccomp OCI hook which doesn't (at least not in the operator context).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair, to be honest I think we need to add a lot more meat to this section. But was thinking on leaving as is and improve on follow-up PRs.
Overall, profile generation is tricky and generally can be done either with target workload being a) unrestricted or b) restricted with existing/template profile. The former may have security implications and the latter would yield a partial profile - assuming that those execution paths may not be fully materialised when restricted.
In my point of view, we can have here a disclaimer of potential risks, but then have a full on section on profiling in which we suggest how to do that correctly and securely. Would you be OK with that?
security-model.md
Outdated
| Requires root user | Yes | Yes | Yes | | ||
| Requires HostPID | No | ? | Yes | | ||
| Requires "privileged container" | No | Yes | Yes | | ||
| Requires SSH Access to nodes | No | No | No | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what does SSH access to nodes mean here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point, this was just a reference to help end users to compare SPO with other projects that provide similar capabilities.
Some of those projects require SSH credentials in order to executec commands in the nodes to install/remove profiles.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I didn't know that. Leave it in then, I like to show off where SPO is better!
security-model.md
Outdated
| | Seccomp | SELinux | AppArmor | | ||
|----------------------------------|---------|---------|----------| | ||
| Requires root user | Yes | Yes | Yes | | ||
| Requires HostPID | No | ? | Yes | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since SELinux recording depend on the log enricher which uses hostPID, then the answer is yes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed it accordingly.
@jhrozek great point - yes. I think we should get out at a container level:
I added it here - as I had to make some changes anyway. But happy for you to improve it via a follow-up PR on that. On the mid/long term, it would be great if we could think on ways to automatically extract such information (like we do for RBAC). |
@jhrozek went through your poinds - thank you so much for the extensive feedback. PTAL |
#### Host Paths | ||
|
||
Throughout their operation they require read and write permissions into host paths: | ||
|
||
- `/var/lib/kubelet/seccomp` | ||
- `/etc/selinux.d` | ||
- `/etc/apparmor.d` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are a bunch of more host paths, should we cover them as well: https://cs.k8s.io/?q=HostPathVolumeSource&i=nope&files=&excludeFiles=vendor&repos=kubernetes-sigs/security-profiles-operator
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@saschagrunert nice! I did not know about https://cs.k8s.io
👍
Yes, I think we should break it all down and make it explicit what we need and to what level.
This will also help when we create our AppArmor profiles - which could actually become our official documentation on host-level disk permissions.
@saschagrunert thank you. In my opinion we can keep as is right now. Once we are a bit more settled in terms of features - specially around AppArmor and the great bits around eBPF profiling you are working on - we review it. What do you think? |
Sounds great! |
/test pull-security-profiles-operator-test-e2e |
1 similar comment
/test pull-security-profiles-operator-test-e2e |
/test pull-security-profiles-operator-verify |
I'm happy with the current state! |
/retest |
/test pull-security-profiles-operator-verify |
2 similar comments
/test pull-security-profiles-operator-verify |
/test pull-security-profiles-operator-verify |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like a good start! Thanks for setting this up!
| Access to host's mount namespace | No | Yes | On Demand | | ||
| AppArmor Profile | `default` | `default` | `default` | | ||
| SELinux type | `spc_t` | `spc_t` | `spc_t` | | ||
| Seccomp Profile | `unconfined`| `unconfined`| `unconfined`| |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one thing to note (maybe this can go in a separate PR) is that when SELinux is enabled, the SPOd has a sidecar container running selinuxd. selinuxd actually runs with a selinux.process
type and is not a privileged container. Although it does run as root. Something we could start investigating is trying to run it with a non-root user and seeing if we can make do with enabling extra capabilities.... However, a lot of the attack surface of that container is mitigated by the custom policy we use for it.
Throughout their operation they require read and write permissions into host paths: | ||
|
||
- `/var/lib/kubelet/seccomp` | ||
- `/etc/selinux.d` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we've removed this now #698
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JAORMX, pjbgf, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/unhold |
/retest |
1 similar comment
/retest |
/test pull-security-profiles-operator-verify |
/retest |
1 similar comment
/retest |
/override pull-security-profiles-operator-verify |
@saschagrunert: Overrode contexts on behalf of saschagrunert: pull-security-profiles-operator-verify In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/override pull-security-profiles-operator-verify |
@saschagrunert: Overrode contexts on behalf of saschagrunert: pull-security-profiles-operator-verify In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Initial security model markdown to inform users on permissions, and overall security related information.
In the future, this will contain also include compliance status (i.e. NIST, SLSA, etc.)
Which issue(s) this PR fixes:
Relates to #653
Does this PR have test?
N/A
Special notes for your reviewer:
N/A
Does this PR introduce a user-facing change?