ROX-10034: Make PodSecurityPolicies Opt-Out#1249
Conversation
|
Tag for build #645421 is 💻 For deploying this image using the dev scripts, run the following first: export MAIN_IMAGE_TAG='3.70.x-307-gb13a08e56e'🕹️ A |
ca52e01 to
579bb3b
Compare
01d8d94 to
ece9a14
Compare
ece9a14 to
2fb6f8d
Compare
|
/retest |
f0c1fde to
3b51eed
Compare
|
/retest |
|
/test openshift-api-e2e-tests |
|
@mtesseract: The specified target(s) for
Use DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
5bb7917 to
515a874
Compare
515a874 to
d02c258
Compare
| # Verify that submodules have been initialized, otherwise we cannot build much. | ||
| [ -f content/.git ] || { echo >&2 "Submodule docs/content is not initialized, please run 'git submodules update --init'" ; exit 1 ; } | ||
| [ -f tools/.git ] || { echo >&2 "Submodule docs/tools is not initialized, please run 'git submodules update --init'" ; exit 1 ; } | ||
| [ -f content/.git ] || { echo >&2 "Submodule docs/content is not initialized, please run 'git submodule update --init'" ; exit 1 ; } |
There was a problem hiding this comment.
Just a doc fix I stumbled over.
SimonBaeumer
left a comment
There was a problem hiding this comment.
Great job @mtesseract!
Two major things I noticed:
- CI tests are too costly compared to how little it tests. Deploying to a cluster without PSPs works if PSPs are disabled, we only need to test that our Helm option does work properly.
- Speaking of
DeprecatedPodSecurityPoliciesis not optimal. The deprecation is relative to the used kubernetes version, rather mentioning that this is a setting for k8s < 1.25.
| key: null # string | ||
| generate: null # bool | ||
| system: | ||
| enableDeprecatedPodSecurityPolicies: null # bool |
There was a problem hiding this comment.
| enableDeprecatedPodSecurityPolicies: null # bool | |
| enablePodSecurityPolicies: null # bool |
| @@ -0,0 +1,69 @@ | |||
| {{- include "srox.init" . -}} | |||
|
|
|||
| {{- if and (not ._rox.scanner.disable) ._rox.system.enableDeprecatedPodSecurityPolicies }} | |||
There was a problem hiding this comment.
| {{- if and (not ._rox.scanner.disable) ._rox.system.enableDeprecatedPodSecurityPolicies }} | |
| {{- if and (not ._rox.scanner.disable) ._rox.system.enablePodSecurityPolicies }} |
| globalPrefix: null # string | ||
| system: | ||
| createSCCs: null # bool | ||
| enableDeprecatedPodSecurityPolicies: null # bool |
There was a problem hiding this comment.
| enableDeprecatedPodSecurityPolicies: null # bool | |
| enablePodSecurityPolicies: null # bool |
| @@ -1,5 +1,6 @@ | |||
| {{- include "srox.init" . -}} | |||
|
|
|||
| {{- if ._rox.system.enableDeprecatedPodSecurityPolicies }} | |||
There was a problem hiding this comment.
| {{- if ._rox.system.enableDeprecatedPodSecurityPolicies }} | |
| {{- if ._rox.system.enablePodSecurityPolicies }} |
pkg/apiparams/cluster_zip.go
Outdated
| SlimCollector *bool `json:"slimCollector"` | ||
| IstioVersion string `json:"istioVersion"` | ||
|
|
||
| DisableDeprecatedPodSecurityPolicies bool `json:"disableDeprecatedPodSecurityPolicies"` |
There was a problem hiding this comment.
Can this field be inverted so that it aligns with the other configurations to enablePodSecurityPolicies?
| DisableDeprecatedPodSecurityPolicies bool `json:"disableDeprecatedPodSecurityPolicies"` | |
| DisableDeprecatedPodSecurityPolicies bool `json:"enablePodSecurityPolicies"` |
There was a problem hiding this comment.
Well, as I tried to explain in the PR description, I inverted the logic here on purpose for backwards compatibility reasons: If it is a positive toggle (enable...) and it is missing, then it would be implicitly understood to be false when an old roxctl is speaking to a new central.
When it is a negative toggle (disable...), then the absence would be understood as false, i.e. PSPs are enabled -- I guess this would follow the principle of the least surprise for users using older roxctl versions?
pkg/apiparams/scanner.go
Outdated
|
|
||
| IstioVersion string `json:"istioVersion"` | ||
|
|
||
| DisableDeprecatedPodSecurityPolicies bool `json:"disableDeprecatedPodSecurityPolicies"` |
There was a problem hiding this comment.
| DisableDeprecatedPodSecurityPolicies bool `json:"disableDeprecatedPodSecurityPolicies"` | |
| DisablePodSecurityPolicies bool `json:"disableDeprecatedPodSecurityPolicies"` |
.circleci/config.yml
Outdated
| - check-label-to-skip-tests: | ||
| label: ci-no-qa-tests | ||
|
|
||
| gke-api-e2e-tests-no-psps: |
There was a problem hiding this comment.
Great job testing it the Helm chart without PSPs but these tests look very costly to me to only test that our application can be installed into a cluster without PSPs.
In cases like these it makes more sense to have a forward test, so that our CI always runs our test suite against the next unstable kubernetes version under development.
To me PSPs seem sufficient to test via Helm test.
porridge
left a comment
There was a problem hiding this comment.
Please consider:
- including the ticket number in the PR title
- mentioning that
POD_SECURITY_POLICIESis a variable we already use in CI to control PSP support in the control plane, and that we're also honoring it in deploy scripts - splitting out doc fixes to a separate PR (to not lose them in case this change needs to be rolled back for whatever reason)
I don't know whether skipping PSP installation has any impact on the core product functionality, so just running the API e2e tests might be of limited usefulness. But then again, saying "I don't know" proves it's a good idea to run them :-) so +1 on this careful approach. As you say, we can flip the flag in the 3.71 release cycle and then remove this flavor. Let's use those CircleCI credits while we still have them!
|
Also, since this is intended to be a preparatory no-visible-impact change, I think you can tick those last two checkboxes already? |
done |
Done
You mean in the PR description or where?
done
Yeah, I am still not exactly sure what to do about the tests for the non-PSP case. |
022fb3f to
3fb087b
Compare
Yes. LGTM |
ec47717 to
8ad8b24
Compare
0cfdeb8 to
54bf9f1
Compare
|
Images are ready for the commit at b13a08e. To use with deploy scripts, first |
a7b931c to
67b38af
Compare
e5cf243 to
5d03cec
Compare
|
@SimonBaeumer The API e2e were removed from the CircleCI configuration (fon master, I mean). For the purpose of this PR I would like to leave it this way and skip no-psp tests for two reasons:
and
Are you OK with this? We could still open a PR for |
|
@mtesseract: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Regarding the test failures: (openshift-4-6-operator-e2e-tests) https://app.circleci.com/pipelines/github/stackrox/stackrox/13738/workflows/1bfe6392-2320-4603-bc2a-ab3f15bdcfa4/jobs/645649: is already tracked as ROX-11141. (openshift-4-api-e2e-tests) https://app.circleci.com/pipelines/github/stackrox/stackrox/13738/workflows/1bfe6392-2320-4603-bc2a-ab3f15bdcfa4/jobs/645609: looks like a flake. (openshift-aro-api-e2e-tests) https://app.circleci.com/pipelines/github/stackrox/stackrox/13738/workflows/1bfe6392-2320-4603-bc2a-ab3f15bdcfa4/jobs/645631: apparently same issue. (ci/prow/gke-qa-e2e-tests) https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/stackrox_stackrox/1249/pull-ci-stackrox-stackrox-master-gke-qa-e2e-tests/1534506729507655680 has been observed by others as well, regarding as an independent test failure. |
Description
ROX-10034
This PR is the first step towards deprecation of PSPs (PodSecurityPolicies), which are to be removed with Kubernetes 1.25.
More concretely, this PR...
$POD_SECURITY_POLICIESenvironment variable (defaulting totrue)For a follow-up PR (#1747) we can then change the above defaults so that
POD_SECURITY_POLICIES=false.Some more detailed explanations:
trueto retain current behaviour and will be changed tofalsein the future (before arrival of K8s 1.25).This PR should be safe to merge without any feature flags because it retains the current behaviour of producing PSPs while allowing to switch them off.
Note that this PR extends the meaning of an environment variable which is used in our CI pipeline:
$POD_SECURITY_POLICIES=true/false. Irregardless of this PR the configuration of clusters to be provisionsed with respect to PSPs is based on this environment setting. E.g.,$POD_SECURITY_POLICIES=falsecauses a cluster to be provisionsed with the PSP Admission Controller being disabled. With this PR the same environment variable is also taken into account by deployment scripts and controls whether StackRox itself should be installed including PSP resources or not.Checklist
Evaluated and added CHANGELOG entry if required(don't think we need another CHANGELOG entry for this)Testing Performed
CI plus some manual tests.