
Add CAP_NET_RAW to netadmin debugging profile #118647

Merged

Conversation


@mochizuki875 mochizuki875 commented Jun 14, 2023

What type of PR is this?

/kind bug

What this PR does / why we need it:

The netadmin profile adds only CAP_NET_ADMIN to EphemeralContainer and DebuggingContainer.
(When debugging a Node, the debugging Pod is given privileged and CAP_NET_ADMIN.)

As discussed here, in this PR I add CAP_NET_RAW to the netadmin profile and remove privileged when debugging a Node.

Which issue(s) this PR fixes:

Fixes: #118962 kubernetes/enhancements#1441 (comment)
Related: #115712 kubernetes/kubectl#1108
KEP Update: kubernetes/enhancements#4160

Special notes for your reviewer:

In this PR:
I add CAP_NET_RAW to the netadmin profile in each case: EphemeralContainer, Pod Copy and Node.
Especially in the case of Node, since privileged is added, it seems that the currently added CAP_NET_ADMIN and the newly added CAP_NET_RAW overlap with it. (Should privileged be added to netadmin? It was added in #115712.)

Does this PR introduce a user-facing change?

Add CAP_NET_RAW to netadmin debug profile and remove privileges when debugging nodes

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/1441-kubectl-debug#profile-netadmin
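As an added illustration (not code from kubectl or from this PR), a small Go model of what the netadmin profile grants to the debug container before and after this change. `SecurityContext` and the `ApplyNetadmin*` functions are simplified stand-ins for the kubectl types, and the capability de-duplication is an assumed merge rule, not kubectl's own logic.

```go
package main

import "fmt"

type Target int

const (
	EphemeralContainer Target = iota // debug a running pod in place
	PodCopy                          // debug a copy of the pod
	Node                             // debug a node from a host-namespace pod
)

// SecurityContext stands in for corev1.SecurityContext (assumption: only the fields the profile touches).
type SecurityContext struct {
	Privileged bool
	CapAdd     []string
}

// addCaps appends capabilities without duplicates (assumed merge rule, not kubectl's own code).
func addCaps(sc *SecurityContext, caps ...string) {
	seen := map[string]bool{}
	for _, c := range sc.CapAdd {
		seen[c] = true
	}
	for _, c := range caps {
		if !seen[c] {
			sc.CapAdd = append(sc.CapAdd, c)
			seen[c] = true
		}
	}
}

// ApplyNetadminBefore models the profile before the fix: NET_ADMIN only, plus privileged for a node.
func ApplyNetadminBefore(sc *SecurityContext, t Target) {
	addCaps(sc, "NET_ADMIN")
	if t == Node {
		sc.Privileged = true
	}
}

// ApplyNetadminAfter models the profile after the fix: NET_ADMIN and NET_RAW, and no privileged for nodes.
func ApplyNetadminAfter(sc *SecurityContext, _ Target) {
	addCaps(sc, "NET_ADMIN", "NET_RAW")
}

func main() {
	sc := SecurityContext{CapAdd: []string{"NET_ADMIN"}} // constructed input: user already added NET_ADMIN
	ApplyNetadminAfter(&sc, Node)
	fmt.Printf("node debug container after the fix: %+v\n", sc)
}
```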

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 14, 2023
@k8s-ci-robot
Contributor

Hi @mochizuki875. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 14, 2023
@k8s-ci-robot k8s-ci-robot added area/kubectl area/test sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 14, 2023
@mochizuki875
Member Author

/sig cli
/area kubectl

@mochizuki875
Member Author

@verb @ardaguclu
PTAL?

Member

@ardaguclu ardaguclu left a comment


I think we first need to update the KEP as stated here #118962 (comment) to reflect that the NET_RAW capability is needed for network admins. After it is updated, we can come back to this PR. What do you think?

Review comment on hack/make-rules/test-cmd.sh (outdated, resolved)
@ardaguclu
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 6, 2023
@mochizuki875
Member Author

@ardaguclu
Thank you for your comment!
I left a comment here and I'll come back to this PR when the KEP has been updated.

@mochizuki875
Member Author

/retest

@mochizuki875
Member Author

@eiffel-fl

sadly I do not think I can have any influence here as KEPs are decided by kubernetes members?

I understand that the content of the KEP update has been discussed (kubernetes/enhancements#1441 (comment), #118962) and there are no restrictions on who can submit a PR to the KEP.

Although I can't directly update the KEP, I think it will be merged based on members' reviews and approval.
In fact, there are similar cases:
kubernetes/enhancements#4123
kubernetes/enhancements#4124

@mochizuki875
Member Author

/retest

@mochizuki875
Member Author

/retest

@mochizuki875
Member Author

/retest

@mochizuki875 mochizuki875 force-pushed the fix_netadmin_debugging_profile branch 2 times, most recently from a4a3cf6 to 0ecb8f4 Compare September 13, 2023 01:04
@mochizuki875
Member Author

/retest

Contributor

@eiffel-fl eiffel-fl left a comment


I renew my approval!
I would maybe split the commit in two: one to add the capability and another to remove privileged (order does not really matter).

@mochizuki875
Member Author

@ardaguclu @verb
OK, kubernetes/enhancements#4160 has been approved.
So could you please review this PR?

Contributor

@verb verb left a comment


/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 6, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 893cc89c8083104cb65772bb4ebf060b259b9d8e

@mochizuki875
Member Author

@ardaguclu
PTAL?

@ardaguclu
Member

Thanks

/triage accepted
/priority backlog
/approve

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 19, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, eiffel-fl, mochizuki875, verb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 19, 2023
@k8s-ci-robot k8s-ci-robot merged commit b4fd162 into kubernetes:master Oct 19, 2023
15 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Oct 19, 2023
@mochizuki875 mochizuki875 deleted the fix_netadmin_debugging_profile branch June 7, 2024 13:46
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubectl area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/backlog Higher priority than priority/awaiting-more-evidence. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Development

Successfully merging this pull request may close these issues.

NET_RAW isn't added to ephemeral container via netadmin debugging profile
5 participants