Add SCC.AllowPrivilegeEscalation (aka no-new-privs)

[php-coder]

This PR adds two new members to SecurityContextConstraints:

• AllowPrivilegeEscalation -- controls whether a container may request privilege escalation or not (by setting SecurityContext.AllowPrivilegeEscalation: true). When SCC doesn't define this member, it defaulted to true for backward/Kubernetes compatibility reasons.
• DefaultAllowPrivilegeEscalation -- sets default value for container's SecurityContext.AllowPrivilegeEscalation field when it wasn't explicitly specified.

Kubernetes already has such support for their PodSecurityPolicy (kubernetes/kubernetes#47019) and, with that PR, OpenShift cluster admins will also have ability to deny execution of SUID-binaries.

Trello: https://trello.com/c/slL9l4pw/29-3-no-new-privs

[deads2k]

This looks off. Why doesn't false roundtrip?

[php-coder]

I suspect that to the original object were applied defaults that always set this value to true? But I'm not sure. I just know that it works :(

[deads2k]

This looks weird. Why can't it roundtrip for a value?

[php-coder]

Probably because this field has omitempty and after roundtrip it's always nil.

[php-coder]

I (still) stuck on serialization_test.go that now is failing with:

oundtrip.go:216: 	round tripping to /v1, Kind=SecurityContextConstraintsList v1.SecurityContextConstraintsList
roundtrip.go:332: SecurityContextConstraintsList: diff: 
object.Items[0].AllowedFlexVolumes:
a: []security.AllowedFlexVolume{}
b: []security.AllowedFlexVolume(nil)
object.Items[0].AllowPrivilegeEscalation:
a: true
b: false

This means that defaults don't get applied to SecurityContextConstraintsList. I don't know why, all my attempts failed.

[php-coder]

@deads2k any advice would be appreciated!

[php-coder]

@enj Thanks, Mo! I fixed the protobuf definition (here is the commit: 795b807) but it doesn't help. :-(

[php-coder]

/retest

[enj]

@php-coder see php-coder#3 to get your tests passing correctly.

[php-coder]

Rebased on top of #19624

[php-coder]

/hold cancel

[stlaz]

Given 5ca1e18#diff-0d673702b8c4f7d9b631d3bae9cc2d90R136, isn't this an invalid SCC?

[php-coder]

Good catch!

[php-coder]

It also exists in the upstream: https://github.com/kubernetes/kubernetes/blob/24ab69d358faeb3452bb76813fddd62afeefacb6/pkg/security/podsecuritypolicy/provider_test.go#L1290-L1293

[stlaz]

Thank you @php-coder for fixing the test cases.
/retest
/lgtm
We still need to wait for #19624 to be merged, though.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: php-coder, stlaz
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: mfojtik

Assign the PR to them by writing /assign @mfojtik in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

New changes are detected. LGTM label has been removed.

[php-coder]

Currently it fails with:

Running hack/lib/start.sh:291: executing 'oc get configmap kube-scheduler --namespace kube-system --config='/tmp/openshift/test-cmd/openshift.local.config/master/admin.kubeconfig'' expecting success; re-trying every 0.25s until completion or 160.000s...
SUCCESS after 0.308s: hack/lib/start.sh:291: executing 'oc get configmap kube-scheduler --namespace kube-system --config='/tmp/openshift/test-cmd/openshift.local.config/master/admin.kubeconfig'' expecting success; re-trying every 0.25s until completion or 160.000s
error: unable to decode "STDIN": no kind "List" is registered for the internal version of group "template.openshift.io"
error: no objects passed to create

@bparees @deads2k Could it be related to rebase?

[php-coder]

Currently it fails with:

This issue should be resolved now. Thanks to @liggitt :

<liggitt> your bump(*) commit is re-adding &corev1.List{} to github.com/openshift/api/template/v1/register.go
<liggitt> and reverting a fix made in the rebase and sitting in api#master
<liggitt> unpin openshift/api and set it back to master in glide.yaml

[bparees]

this is being handled in #20152

[openshift-ci-robot]

@php-coder: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/extended_networking_minimal	154a797	link	/test extended_networking_minimal
ci/prow/launch-gcp	42075fc	link	/test launch-gcp
ci/openshift-jenkins/cross	82cadc2	link	/test cross
ci/openshift-jenkins/extended_image_ecosystem	82cadc2	link	/test extended_image_ecosystem
ci/prow/verify	dcf5568	link	/test verify
ci/prow/unit	dcf5568	link	/test unit
ci/openshift-jenkins/extended_conformance_install	dcf5568	link	/test extended_conformance_install
ci/prow/gcp	dcf5568	link	/test gcp
ci/openshift-jenkins/cmd	dcf5568	link	/test cmd

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.