
[PSA] default warn to enforce level #113491

Merged
merged 2 commits into from Nov 6, 2022

Conversation

tallclair
Member

What type of PR is this?

/kind feature

What this PR does / why we need it:

Goal: in most cases, setting just the pod-security enforce level on a namespace should give warnings on workload resource creation & update, rather than requiring both warn & enforce to be set.

When the pod-security enforce level is set, but the warn version is not set (and the default is less-restrictive), then default the warn level to the enforce level.

I wasn't sure exactly what the right behavior was for the version, so I went with this:

  • when defaulting warn to enforce, also default the warn-version to the enforce-version

If only enforce and warn-version but not warn is set, should warn still be defaulted? I went with yes, but kept the warn-version.

Special notes for your reviewer:

I think we've discussed this change in the past. The issue is that if a defaulting admission controller causes a workload to pass, then this could lead to erroneous warnings. This is not the common case, and can easily be bypassed by setting the warn level to privileged across all namespaces. I'd prefer to optimize for the common case here.

Does this PR introduce a user-facing change?

Pod Security admission: the pod-security `warn` level will now default to the `enforce` level.

/sig auth security
/milestone v1.26

/assign @liggitt
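The defaulting rule described in the PR body, written out as an added example rather than the project's own code. `Policy`, `LevelVersion`, `EffectivePolicy` and the cluster-wide `defaults` value are assumed names for this illustration; the four `pod-security.kubernetes.io/...` label keys and the privileged < baseline < restricted ordering are the ones Pod Security admission uses. The interesting cases are the two the description calls out (warn-version following enforce-version, and warn-version kept when only it is set) plus the explicit `warn: privileged` opt-out mentioned in the reviewer notes.

```go
package main

import (
	"fmt"
	"strings"
)

// Pod Security Standards levels, ordered from least to most restrictive.
type Level int

const (
	Privileged Level = iota
	Baseline
	Restricted
)

func (l Level) String() string {
	return [...]string{"privileged", "baseline", "restricted"}[l]
}

// ParseLevel accepts the three label values Pod Security admission understands.
func ParseLevel(s string) (Level, error) {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "privileged":
		return Privileged, nil
	case "baseline":
		return Baseline, nil
	case "restricted":
		return Restricted, nil
	}
	return Privileged, fmt.Errorf("unknown pod security level %q", s)
}

// LevelVersion pairs a level with the standards version it is evaluated
// against ("latest" or a minor version such as "v1.26").
type LevelVersion struct {
	Level   Level
	Version string
}

// Policy holds the three modes Pod Security admission evaluates per namespace.
type Policy struct {
	Enforce, Audit, Warn LevelVersion
}

// Namespace label keys used by Pod Security admission.
const (
	labelEnforce        = "pod-security.kubernetes.io/enforce"
	labelEnforceVersion = "pod-security.kubernetes.io/enforce-version"
	labelWarn           = "pod-security.kubernetes.io/warn"
	labelWarnVersion    = "pod-security.kubernetes.io/warn-version"
)

// EffectivePolicy (hypothetical name) starts from the cluster-wide defaults,
// applies the namespace labels, then applies the rule from this PR: if enforce
// is set on the namespace, warn is not, and the warn level that would
// otherwise apply is less restrictive than enforce, warn is raised to the
// enforce level. warn-version follows enforce-version unless the namespace set
// warn-version explicitly. Audit is not touched.
func EffectivePolicy(defaults Policy, nsLabels map[string]string) (Policy, error) {
	p := defaults
	enforceSet, warnSet, warnVersionSet := false, false, false

	if v, ok := nsLabels[labelEnforce]; ok {
		lvl, err := ParseLevel(v)
		if err != nil {
			return defaults, err
		}
		p.Enforce.Level, enforceSet = lvl, true
	}
	if v, ok := nsLabels[labelEnforceVersion]; ok {
		p.Enforce.Version = v
	}
	if v, ok := nsLabels[labelWarn]; ok {
		lvl, err := ParseLevel(v)
		if err != nil {
			return defaults, err
		}
		p.Warn.Level, warnSet = lvl, true
	}
	if v, ok := nsLabels[labelWarnVersion]; ok {
		p.Warn.Version, warnVersionSet = v, true
	}

	// An explicit warn label (even "privileged") always wins: that is the
	// opt-out for namespaces where a mutating admission controller would
	// otherwise make the warning spurious.
	if enforceSet && !warnSet && p.Warn.Level < p.Enforce.Level {
		p.Warn.Level = p.Enforce.Level
		if !warnVersionSet {
			p.Warn.Version = p.Enforce.Version
		}
	}
	return p, nil
}

func main() {
	// Constructed cluster defaults: everything privileged/latest.
	defaults := Policy{
		Enforce: LevelVersion{Privileged, "latest"},
		Audit:   LevelVersion{Privileged, "latest"},
		Warn:    LevelVersion{Privileged, "latest"},
	}
	cases := []map[string]string{
		{labelEnforce: "baseline", labelEnforceVersion: "v1.26"}, // warn follows enforce, incl. version
		{labelEnforce: "restricted", labelWarnVersion: "v1.25"},  // warn level follows, version kept
		{labelEnforce: "baseline", labelWarn: "privileged"},      // explicit opt-out
		{},                                                        // nothing set: defaults apply
	}
	for _, labels := range cases {
		p, err := EffectivePolicy(defaults, labels)
		fmt.Printf("labels=%v enforce=%s/%s warn=%s/%s err=%v\n",
			labels, p.Enforce.Level, p.Enforce.Version, p.Warn.Level, p.Warn.Version, err)
	}
}
```

The comparison is on the warn level that would otherwise apply (cluster default or whatever the namespace already had), so a cluster whose default warn is already `restricted` is never lowered by setting a `baseline` enforce label.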

@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Oct 31, 2022
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. labels Oct 31, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.26 milestone Oct 31, 2022
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 31, 2022
@k8s-ci-robot
Contributor

@tallclair: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.


@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 31, 2022
@dims
Member

dims commented Nov 1, 2022

/priority important-soon
/triage accepted

LGTM - will leave /lgtm to @liggitt

@liggitt
Member

liggitt commented Nov 2, 2022

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 2, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair


@pacoxu
Member

pacoxu commented Nov 3, 2022

/retest

@pacoxu
Member

pacoxu commented Nov 6, 2022

/skip
/retest
/test pull-kubernetes-conformance-kind-ga-only-parallel
