Kubernetes Control Plane Charm

Make pod security policies configurable

Bug #1908753 reported by Jorge Niedbalski
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Kubernetes Control Plane Charm
Fix Released
High
George Kraft
Kubernetes Control Plane Charm 1.22+ck1

Bug Description

[Environment]

Kubernetes 1.19

[Description]

There is no configuration option to allow for a more restrictive PSP policy to be provided when using rbac different to the privileged one provided as a template.

Default cluster role bindings defined for rbac pod security policies [0] are rendered once in the leader unit when setting up the kubernetes-master nodes. Those will get overwritten
if the juju leader changes for any reason (that's up to the consensus protocol and can't be guaranteed).

[0] https://github.com/charmed-kubernetes/charm-kubernetes-master/blob/e03d8394eac686ecd8c061f051ca01c02bfe375f/reactive/kubernetes_master.py#L1715
[1] https://github.com/charmed-kubernetes/charm-kubernetes-master/blob/master/templates/rbac-pod-security-policy.yaml

[Possible Solution]

Allow a custom rbad-pod-security-policy to be passed via a configuration directive to prevent
the charm to overwrite them.

This is linked to https://bugs.launchpad.net/cdk-addons/+bug/1906303

George Kraft (cynerva)
Changed in charm-kubernetes-master:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Jorge Niedbalski (niedbalski) wrote :

Submitted PR https://github.com/charmed-kubernetes/charm-kubernetes-master/pull/139

Changed in charm-kubernetes-master:
status: Triaged → In Progress
James Troup (elmo)
tags: added: review-needed
Revision history for this message
Paul Goins (vultaire) wrote :

Based on reviewing the CDK 1.20 version of the kubernetes-master charm, this seems like it will occur on the first time any kubernetes-master unit is promoted to leader.

While dirty, a mitigation which can be performed on newly added units (assuming they don't get promoted to leader right away) is to run this SQL query against the /var/lib/juju/agents/<unit>/charm/.unit-state.db SQLite3 DB:

  insert into kv (key, data) values ("reactive.states.kubernetes-master.pod-security-policy.applied", "null")

This will set the flag which indicates the settings have already been applied, and thus they won't be re-applied.

Revision history for this message
Paul Goins (vultaire) wrote :

(Note: I have not tested the above workaround, but based upon code review, I'm pretty sure it should work.)

Revision history for this message
Paul Goins (vultaire) wrote :

Actually, just got a chance to test the workaround above for preventing re-writing of the privileged cluster security policies - it does seem to work, for what it's worth.

Revision history for this message
Jeff Hillman (jhillman) wrote :

Subscribed Field-High.

George Kraft (cynerva)
Changed in charm-kubernetes-master:
importance: Medium → High
George Kraft (cynerva)
Changed in charm-kubernetes-master:
assignee: nobody → George Kraft (cynerva)
milestone: none → 1.22+ck1
Revision history for this message
George Kraft (cynerva) wrote :

PR: https://github.com/charmed-kubernetes/charm-kubernetes-master/pull/178

Cory Johns (johnsca)
Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
tags: added: backport-needed
removed: review-needed
Revision history for this message
George Kraft (cynerva) wrote :

Cherry-pick to stable branch: https://github.com/charmed-kubernetes/charm-kubernetes-master/commit/bfc2ffb5b156f20933b77bcf37d2f80d56b012c1

tags: removed: backport-needed
George Kraft (cynerva)
Changed in charm-kubernetes-master:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.