Promote {allowedUnsafe,forbidden}Sysctls from annotations to fields

Author: stlaz

pkg/oc/cli/describe/describer.go

@@ -1879,6 +1879,8 @@ func describeSecurityContextConstraints(scc *securityapi.SecurityContextConstrai
 		fmt.Fprintf(out, "  Allowed Seccomp Profiles:\t%s\n", stringOrNone(strings.Join(scc.SeccompProfiles, ",")))
 		fmt.Fprintf(out, "  Allowed Volume Types:\t%s\n", fsTypeToString(scc.Volumes))
 		fmt.Fprintf(out, "  Allowed Flexvolumes:\t%s\n", flexVolumesToString(scc.AllowedFlexVolumes))
+		fmt.Fprintf(out, "  Allowed Unsafe Sysctls:\t%s\n", sysctlsToString(scc.AllowedUnsafeSysctls))
+		fmt.Fprintf(out, "  Forbidden Sysctls:\t%s\n", sysctlsToString(scc.ForbiddenSysctls))
 		fmt.Fprintf(out, "  Allow Host Network:\t%t\n", scc.AllowHostNetwork)
 		fmt.Fprintf(out, "  Allow Host Ports:\t%t\n", scc.AllowHostPorts)
 		fmt.Fprintf(out, "  Allow Host PID:\t%t\n", scc.AllowHostPID)
@@ -1954,6 +1956,10 @@ func flexVolumesToString(flexVolumes []securityapi.AllowedFlexVolume) string {
 	return stringOrDefaultValue(strings.Join(volumes, ","), "<all>")
 }
 
+func sysctlsToString(sysctls []string) string {
+	return stringOrNone(strings.Join(sysctls, ","))
+}
+
 func idRangeToString(ranges []securityapi.IDRange) string {
 	formattedString := ""
 	if ranges != nil {

pkg/security/apis/security/types.go

@@ -84,6 +84,26 @@ type SecurityContextConstraints struct {
 	Users []string
 	// The groups that have permission to use this security context constraints
 	Groups []string
+
+	// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+	// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+	// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+	//
+	// Examples:
+	// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+	// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+	// +optional
+	AllowedUnsafeSysctls []string
+	// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+	// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+	//
+	// Examples:
+	// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+	// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+	// +optional
+	ForbiddenSysctls []string
 }
 
 // FS Type gives strong typing to different file systems that are used by volumes.

pkg/security/apis/security/validation/validation.go

@@ -2,6 +2,7 @@ package validation
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 
 	"k8s.io/apimachinery/pkg/api/validation"
@@ -110,6 +111,98 @@ func ValidateSecurityContextConstraints(scc *securityapi.SecurityContextConstrai
 		}
 	}
 
+	allowedUnsafeSysctlsPath := field.NewPath("allowedUnsafeSysctls")
+	forbiddenSysctlsPath := field.NewPath("forbiddenSysctls")
+	allErrs = append(allErrs, validateSCCSysctls(allowedUnsafeSysctlsPath, scc.AllowedUnsafeSysctls)...)
+	allErrs = append(allErrs, validateSCCSysctls(forbiddenSysctlsPath, scc.ForbiddenSysctls)...)
+	allErrs = append(allErrs, validatePodSecurityPolicySysctlListsDoNotOverlap(allowedUnsafeSysctlsPath, forbiddenSysctlsPath, scc.AllowedUnsafeSysctls, scc.ForbiddenSysctls)...)
+
+	return allErrs
+}
+
+const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
+const SysctlPatternFmt string = "(" + kapivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt
+
+var sysctlPatternRegexp = regexp.MustCompile("^" + SysctlPatternFmt + "$")
+
+func IsValidSysctlPattern(name string) bool {
+	if len(name) > kapivalidation.SysctlMaxLength {
+		return false
+	}
+	return sysctlPatternRegexp.MatchString(name)
+}
+
+// validatePodSecurityPolicySysctlListsDoNotOverlap validates the values in forbiddenSysctls and allowedSysctls fields do not overlap.
+func validatePodSecurityPolicySysctlListsDoNotOverlap(allowedSysctlsFldPath, forbiddenSysctlsFldPath *field.Path, allowedUnsafeSysctls, forbiddenSysctls []string) field.ErrorList {
+	allErrs := field.ErrorList{}
+	for i, allowedSysctl := range allowedUnsafeSysctls {
+		isAllowedSysctlPattern := false
+		allowedSysctlPrefix := ""
+		if strings.HasSuffix(allowedSysctl, "*") {
+			isAllowedSysctlPattern = true
+			allowedSysctlPrefix = strings.TrimSuffix(allowedSysctl, "*")
+		}
+		for j, forbiddenSysctl := range forbiddenSysctls {
+			isForbiddenSysctlPattern := false
+			forbiddenSysctlPrefix := ""
+			if strings.HasSuffix(forbiddenSysctl, "*") {
+				isForbiddenSysctlPattern = true
+				forbiddenSysctlPrefix = strings.TrimSuffix(forbiddenSysctl, "*")
+			}
+			switch {
+			case isAllowedSysctlPattern && isForbiddenSysctlPattern:
+				if strings.HasPrefix(allowedSysctlPrefix, forbiddenSysctlPrefix) {
+					allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
+				} else if strings.HasPrefix(forbiddenSysctlPrefix, allowedSysctlPrefix) {
+					allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
+				}
+			case isAllowedSysctlPattern:
+				if strings.HasPrefix(forbiddenSysctl, allowedSysctlPrefix) {
+					allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
+				}
+			case isForbiddenSysctlPattern:
+				if strings.HasPrefix(allowedSysctl, forbiddenSysctlPrefix) {
+					allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
+				}
+			default:
+				if allowedSysctl == forbiddenSysctl {
+					allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
+				}
+			}
+		}
+	}
+	return allErrs
+}
+
+// validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
+func validateSCCSysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if len(sysctls) == 0 {
+		return allErrs
+	}
+
+	coversAll := false
+	for i, s := range sysctls {
+		if len(s) == 0 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("empty sysctl not allowed")))
+		} else if !IsValidSysctlPattern(string(s)) {
+			allErrs = append(
+				allErrs,
+				field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
+					kapivalidation.SysctlMaxLength,
+					SysctlPatternFmt,
+				)),
+			)
+		} else if s[0] == '*' {
+			coversAll = true
+		}
+	}
+
+	if coversAll && len(sysctls) > 1 {
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("items"), fmt.Sprintf("if '*' is present, must not specify other sysctls")))
+	}
+
 	return allErrs
 }
 

pkg/security/apis/security/validation/validation_test.go

@@ -1,6 +1,7 @@
 package validation
 
 import (
+	"fmt"
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -102,6 +103,20 @@ func TestValidateSecurityContextConstraints(t *testing.T) {
 	nonEmptyFlexVolumes := validSCC()
 	nonEmptyFlexVolumes.AllowedFlexVolumes = []securityapi.AllowedFlexVolume{{Driver: "example/driver"}}
 
+	invalidAllowedUnsafeSysctlPattern := validSCC()
+	invalidAllowedUnsafeSysctlPattern.AllowedUnsafeSysctls = []string{"a.*.b"}
+
+	invalidForbiddenSysctlPattern := validSCC()
+	invalidForbiddenSysctlPattern.ForbiddenSysctls = []string{"a.*.b"}
+
+	invalidOverlappingSysctls := validSCC()
+	invalidOverlappingSysctls.ForbiddenSysctls = []string{"kernel.*", "net.ipv4.ip_local_port_range"}
+	invalidOverlappingSysctls.AllowedUnsafeSysctls = []string{"kernel.shmmax", "net.ipv4.ip_local_port_range"}
+
+	invalidDuplicatedSysctls := validSCC()
+	invalidDuplicatedSysctls.ForbiddenSysctls = []string{"net.ipv4.ip_local_port_range"}
+	invalidDuplicatedSysctls.AllowedUnsafeSysctls = []string{"net.ipv4.ip_local_port_range"}
+
 	errorCases := map[string]struct {
 		scc         *securityapi.SecurityContextConstraints
 		errorType   field.ErrorType
@@ -202,6 +217,26 @@ func TestValidateSecurityContextConstraints(t *testing.T) {
 			errorType:   field.ErrorTypeInvalid,
 			errorDetail: "volumes does not include 'flexVolume' or '*', so no flex volumes are allowed",
 		},
+		"invalid allowed unsafe sysctl pattern": {
+			scc:         invalidAllowedUnsafeSysctlPattern,
+			errorType:   field.ErrorTypeInvalid,
+			errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
+		},
+		"invalid forbidden sysctl pattern": {
+			scc:         invalidForbiddenSysctlPattern,
+			errorType:   field.ErrorTypeInvalid,
+			errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
+		},
+		"invalid overlapping sysctl pattern": {
+			scc:         invalidOverlappingSysctls,
+			errorType:   field.ErrorTypeInvalid,
+			errorDetail: fmt.Sprintf("sysctl overlaps with %s", invalidOverlappingSysctls.ForbiddenSysctls[0]),
+		},
+		"invalid duplicated sysctls": {
+			scc:         invalidDuplicatedSysctls,
+			errorType:   field.ErrorTypeInvalid,
+			errorDetail: fmt.Sprintf("sysctl overlaps with %s", invalidDuplicatedSysctls.AllowedUnsafeSysctls[0]),
+		},
 	}
 
 	for k, v := range errorCases {
@@ -244,6 +279,12 @@ func TestValidateSecurityContextConstraints(t *testing.T) {
 		{Driver: "example/driver2"},
 	}
 
+	withForbiddenSysctl := validSCC()
+	withForbiddenSysctl.ForbiddenSysctls = []string{"net.*"}
+
+	withAllowedUnsafeSysctl := validSCC()
+	withAllowedUnsafeSysctl.AllowedUnsafeSysctls = []string{"net.ipv4.tcp_max_syn_backlog"}
+
 	successCases := map[string]struct {
 		scc *securityapi.SecurityContextConstraints
 	}{
@@ -268,6 +309,12 @@ func TestValidateSecurityContextConstraints(t *testing.T) {
 		"allow white-listed flexVolume when all volumes are allowed": {
 			scc: flexvolumeWhenAllVolumesAllowed,
 		},
+		"with network sysctls forbidden": {
+			scc: withForbiddenSysctl,
+		},
+		"with unsafe net.ipv4.tcp_max_syn_backlog sysctl allowed": {
+			scc: withAllowedUnsafeSysctl,
+		},
 	}
 
 	for k, v := range successCases {

pkg/security/securitycontextconstraints/provider.go

@@ -2,7 +2,6 @@ package securitycontextconstraints
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/openshift/origin/pkg/security/securitycontextconstraints/capabilities"
 	"github.com/openshift/origin/pkg/security/securitycontextconstraints/group"
@@ -77,15 +76,7 @@ func NewSimpleProvider(scc *securityapi.SecurityContextConstraints) (SecurityCon
 		return nil, err
 	}
 
-	var unsafeSysctls []string
-	if ann, found := scc.Annotations[SysctlsPodSecurityPolicyAnnotationKey]; found {
-		var err error
-		unsafeSysctls, err = SysctlsFromPodSecurityPolicyAnnotation(ann)
-		if err != nil {
-			return nil, err
-		}
-	}
-	sysctlsStrat, err := createSysctlsStrategy(sysctl.SafeSysctlWhitelist(), unsafeSysctls, []string{})
+	sysctlsStrat, err := createSysctlsStrategy(sysctl.SafeSysctlWhitelist(), scc.AllowedUnsafeSysctls, scc.ForbiddenSysctls)
 	if err != nil {
 		return nil, err
 	}
@@ -409,19 +400,7 @@ func createSeccompStrategy(allowedProfiles []string) (seccomp.SeccompStrategy, e
 	return seccomp.NewWithSeccompProfile(allowedProfiles)
 }
 
-// createSysctlsStrategy creates a new unsafe sysctls strategy.
+// createSysctlsStrategy creates a new sysctls strategy
 func createSysctlsStrategy(safeWhitelist, allowedUnsafeSysctls, forbiddenSysctls []string) (sysctl.SysctlsStrategy, error) {
 	return sysctl.NewMustMatchPatterns(safeWhitelist, allowedUnsafeSysctls, forbiddenSysctls), nil
 }
-
-// TODO promote like kube did
-const SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
-
-// TODO promote like kube did
-func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error) {
-	if len(annotation) == 0 {
-		return []string{}, nil
-	}
-
-	return strings.Split(annotation, ","), nil
-}

pkg/security/securitycontextconstraints/provider_test.go

@@ -199,6 +199,31 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 		},
 	}
 
+	failSysctlDisallowedSCC := defaultSCC()
+	failSysctlDisallowedSCC.ForbiddenSysctls = []string{"kernel.shm_rmid_forced"}
+
+	failNoSafeSysctlAllowedSCC := defaultSCC()
+	failNoSafeSysctlAllowedSCC.ForbiddenSysctls = []string{"*"}
+
+	failAllUnsafeSysctlsSCC := defaultSCC()
+	failAllUnsafeSysctlsSCC.AllowedUnsafeSysctls = []string{}
+
+	failSafeSysctlKernelPod := defaultPod()
+	failSafeSysctlKernelPod.Spec.SecurityContext.Sysctls = []api.Sysctl{
+		{
+			Name:  "kernel.shm_rmid_forced",
+			Value: "1",
+		},
+	}
+
+	failUnsafeSysctlPod := defaultPod()
+	failUnsafeSysctlPod.Spec.SecurityContext.Sysctls = []api.Sysctl{
+		{
+			Name:  "kernel.sem",
+			Value: "32000",
+		},
+	}
+
 	errorCases := map[string]struct {
 		pod           *api.Pod
 		scc           *securityapi.SecurityContextConstraints
@@ -274,6 +299,21 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 			scc:           allowFlexVolumesSCC(false, true),
 			expectedError: "Flexvolume driver is not allowed to be used",
 		},
+		"failSafeSysctlKernelPod with failNoSafeSysctlAllowedSCC": {
+			pod:           failSafeSysctlKernelPod,
+			scc:           failNoSafeSysctlAllowedSCC,
+			expectedError: "sysctl \"kernel.shm_rmid_forced\" is not allowed",
+		},
+		"failSafeSysctlKernelPod with failSysctlDisallowedSCC": {
+			pod:           failSafeSysctlKernelPod,
+			scc:           failSysctlDisallowedSCC,
+			expectedError: "sysctl \"kernel.shm_rmid_forced\" is not allowed",
+		},
+		"failUnsafeSysctlPod with failAllUnsafeSysctlsSCC": {
+			pod:           failUnsafeSysctlPod,
+			scc:           failAllUnsafeSysctlsSCC,
+			expectedError: "unsafe sysctl \"kernel.sem\" is not allowed",
+		},
 	}
 	for k, v := range errorCases {
 		provider, err := NewSimpleProvider(v.scc)
@@ -494,6 +534,26 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 		},
 	}
 
+	sysctlAllowAllSCC := defaultSCC()
+	sysctlAllowAllSCC.ForbiddenSysctls = []string{}
+	sysctlAllowAllSCC.AllowedUnsafeSysctls = []string{"*"}
+
+	safeSysctlKernelPod := defaultPod()
+	safeSysctlKernelPod.Spec.SecurityContext.Sysctls = []api.Sysctl{
+		{
+			Name:  "kernel.shm_rmid_forced",
+			Value: "1",
+		},
+	}
+
+	unsafeSysctlKernelPod := defaultPod()
+	unsafeSysctlKernelPod.Spec.SecurityContext.Sysctls = []api.Sysctl{
+		{
+			Name:  "kernel.sem",
+			Value: "32000",
+		},
+	}
+
 	successCases := map[string]struct {
 		pod *api.Pod
 		scc *securityapi.SecurityContextConstraints
@@ -554,6 +614,14 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 			pod: flexVolumePod,
 			scc: allowFlexVolumesSCC(true, false),
 		},
+		"pass sysctl specific profile with safe kernel sysctl": {
+			pod: safeSysctlKernelPod,
+			scc: sysctlAllowAllSCC,
+		},
+		"pass sysctl specific profile with unsafe kernel sysctl": {
+			pod: unsafeSysctlKernelPod,
+			scc: sysctlAllowAllSCC,
+		},
 	}
 
 	for k, v := range successCases {
@@ -836,7 +904,7 @@ func defaultPod() *api.Pod {
 		ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{}},
 		Spec: api.PodSpec{
 			SecurityContext: &api.PodSecurityContext{
-			// fill in for test cases
+				// fill in for test cases
 			},
 			Containers: []api.Container{
 				{