|
| 1 | +# Allow Pod Security Policy to manage access to the Flexvolumes |
| 2 | + |
| 3 | +## Current state |
| 4 | + |
| 5 | +Cluster admins can control the usage of specific volume types by using Pod |
| 6 | +Security Policy (PSP). Admins can allow the use of Flexvolumes by listing the |
| 7 | +`flexVolume` type in the `volumes` field. The only thing that can be managed is |
| 8 | +allowance or disallowance of Flexvolumes. |
| 9 | + |
| 10 | +Technically, Flexvolumes are implemented as vendor drivers. They are executable |
| 11 | +files that must be placed on every node at |
| 12 | +`/usr/libexec/kubernetes/kubelet-plugins/volume/exec/<vendor~driver>/<driver>`. |
| 13 | +In most cases they are scripts. Limiting driver access means not only limiting |
| 14 | +an access to the volumes that this driver can provide, but also managing access |
| 15 | +to executing a driver’s code (that is arbitrary, in fact). |
| 16 | + |
| 17 | +It is possible to have many flex drivers for the different storage types. In |
| 18 | +essence, Flexvolumes represent not a single volume type, but the different |
| 19 | +types that allow usage of various vendor volumes. |
| 20 | + |
| 21 | +## Desired state |
| 22 | + |
| 23 | +In order to further improve security and to provide more granular control for |
| 24 | +the usage of the different Flexvolumes, we need to enhance PSP. When such a |
| 25 | +change takes place, cluster admins will be able to grant access to any |
| 26 | +Flexvolumes of a particular driver (in contrast to any volume of all drivers). |
| 27 | + |
| 28 | +For example, if we have two drivers for Flexvolumes (`cifs` and |
| 29 | +`digitalocean`), it will become possible to grant access for one group to use |
| 30 | +only volumes from DigitalOcean and grant access for another group to use |
| 31 | +volumes from all Flexvolumes. |
| 32 | + |
| 33 | +## Proposed changes |
| 34 | + |
| 35 | +It has been suggested to add a whitelist of allowed Flexvolume drivers to the |
| 36 | +PSP. It should behave similar to [the existing |
| 37 | +`allowedHostPaths`](https://github.com/kubernetes/kubernetes/pull/50212) except |
| 38 | +that: |
| 39 | + |
| 40 | +1) comparison of equality will be used instead of comparison of prefixes. |
| 41 | +2) Flexvolume’s driver field will be inspected rather than `hostPath`’s path field. |
| 42 | + |
| 43 | +### PodSecurityPolicy modifications |
| 44 | + |
| 45 | +```go |
| 46 | +// PodSecurityPolicySpec defines the policy enforced. |
| 47 | +type PodSecurityPolicySpec struct { |
| 48 | + ... |
| 49 | + // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all |
| 50 | + // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes |
| 51 | + // is allowed in the "Volumes" field. |
| 52 | + // +optional |
| 53 | + AllowedFlexVolumes []AllowedFlexVolume |
| 54 | +} |
| 55 | + |
| 56 | +// AllowedFlexVolume represents a single Flexvolume that is allowed to be used. |
| 57 | +type AllowedFlexVolume struct { |
| 58 | + // Driver is the name of the Flexvolume driver. |
| 59 | + Driver string |
| 60 | +} |
| 61 | +``` |
| 62 | + |
| 63 | +Empty `AllowedFlexVolumes` allows usage of Flexvolumes with any driver. It must |
| 64 | +behave as before and provide backward compatibility. |
| 65 | + |
| 66 | +Non-empty `AllowedFlexVolumes` changes the behavior from "all allowed" to "all |
| 67 | +disallowed except those that are explicitly listed here". |
| 68 | + |
| 69 | +### Admission controller modifications |
| 70 | + |
| 71 | +Admission controller should be updated accordingly to inspect a Pod's volumes. |
| 72 | +If it finds a `flexVolume`, it should ensure that its driver is allowed to be |
| 73 | +used. |
| 74 | + |
| 75 | +### Validation rules |
| 76 | + |
| 77 | +Flexvolume driver names must be non-empty. |
| 78 | + |
| 79 | +If a PSP disallows to pods to request volumes of type `flexVolume` then |
| 80 | +`AllowedFlexVolumes` must be empty. In case it is not empty, API server must |
| 81 | +report an error. |
| 82 | + |
| 83 | +API server should allow granting an access to Flexvolumes that do not exist at |
| 84 | +time of PSP creation. |
| 85 | + |
| 86 | +## Notes |
| 87 | +It is possible to have even more flexible control over the Flexvolumes and take |
| 88 | +into account options that have been passed to a driver. We decided that this is |
| 89 | +a desirable feature but outside the scope of this proposal. |
| 90 | + |
| 91 | +The current change could be enough for many cases. Also, when cluster admins |
| 92 | +are able to manage access to particular Flexvolume drivers, it becomes possible |
| 93 | +to "emulate" control over the driver’s options by using many drivers with |
| 94 | +hard-coded options. |
0 commit comments