api: add support for security profiles #1722
Conversation
stevvooe
force-pushed
the
security-profiles
branch
from
c799ab0 to
939be4d
Compare
|
I don't think |
| @@ -50,6 +50,16 @@ message NodeSpec { | |||
| // Availability allows a user to control the current scheduling status of a | |||
| // node. | |||
| Availability availability = 4; | |||
|
|
|||
| // AllowedSecurityProfiles let's an operator select which security profiles | |||
Current coverage is 56.29% (diff: 100%)@@ master #1722 diff @@
==========================================
Files 96 93 -3
Lines 14902 14796 -106
Methods 0 0
Messages 0 0
Branches 0 0
==========================================
+ Hits 8328 8330 +2
+ Misses 5469 5379 -90
+ Partials 1105 1087 -18
|
|
@justincormack How do we define that minimum set? To which mistake are you referring? |
|
For this PR you don't need to specify anything, as the options are the empty set of privileges The mistake was capabilities, which we added a default set which corresponds to a lot of root capabilities (even if you are not root), which you then have to drop. |
|
@justincormack Agreed. Let's work this out:
Above, we have a table representing the requested profiles, node ACLs and the operations/equality to calculate whether a profile may run on a given node. We evaluate both with and without privileged, showing that the container profile must be a subset of the Node ACL to progress. We then have third profile, of unknown contents. We evaluate in conditions when the |
|
@justincormack how do you want to represent the current configuration that we have today? |
|
@crosbymichael I added the contents of the actual fields next to the set operations. Hopefully, that makes things a little more concrete. He is saying that the "default profile", what we do today, is represented as the empty set, which is really a base set where all sets satisfy That said, to reduce permissions with this model, we do need to define operations that negate items in the base set, but I don't think that is too much of a stretch. |
|
@crosbymichael specify them explicitly or specify them as defaults in the daemon config explicitly so that everyone gets them, but suggest people remove them from the config @stevvooe negative capabilities dont work. We need to move towards an empty base set, and a way users can go to it sooner. |
|
Could we have the base set be nothing, no caps, no syscalls, and the "default" docker profile adds these? This way you don't have to know about what is in the base set and figureout what you have to remove/unset if you are building a new profile. |
What would custom profiles look like? In this PR we assume that the behavior is hardcoded in the profile name (e.g. |
|
@justincormack With a base set, how would one remove functionality from the "Default" profile?
This depends on where we enforce the policy. Typically, a node may not actually know its own policy and there are implications to trusting that node. Under this proposal, we can do a set based model enforced on the managers.
We can make default ACLs on the global cluster config. We may need to control how these combine with existing ACLs (are they a union or do they replace?).
Of course.
This really depends on the trust model we have for the security profiles. If we allow nodes to declare what they are willing to run, we need to think about how that works in practice.
For upgraded clusters, the fields are empty (config and acl), so everything just continues working. We can add
As long as they can be expressed as set semantics, there are no limitations. I think there are some examples in @justincormack's proposal, but we should work some examples out to make sure everything lines up. |
We define the basis for a profile-based security dispatch. We put forward a model, based on existing `--privileged` flag that can be extended in the future to support more complex workflows. The first aspect is to allow the container runtime to select a security profile, keyed by name. We introduce two profiles, "default" and "privileged" corresponding to the currently available control we have today. We will extend this model to support more complex scenarios, with more granular control, in the future. We balance this model with a Node security profile ACL that can select which profiles can be run on a node. Users can add and remove items from this ACL to control which security levels can run on a given node. We define the empty list to be allowing the "Default" security profile. To support future interaction, we also define that profiles are additive. This means that the capability of a set of profiles is a union of all the specified profiles. Signed-off-by: Stephen J Day <stephen.day@docker.com>
stevvooe
force-pushed
the
security-profiles
branch
from
939be4d to
6530531
Compare
|
Updated with feedback from @aaronlehmann and added a sub-message on nodespec and containerspec. |
|
After some discussion, the idea came up that requiring an update to every Node's ACL would be expensive. It might be better to introduce an ACL object that specifies the profiles allowed and the nodes to which it applies, such that when new nodes come on line that can have the ACL automatically apply or be matched via some mechanism, such as labeling. |
|
@stevvooe is there any ETA about the merge of this PR? |
|
@galindro There are still some details to be worked out. The base concepts are likely to be similar but their needs to be ACL aggregation to make it easier to specify what can and cannot be run on an individual node. |
|
@stevvooe is there an ETA for this? |
|
@marcellodesales At this time, no. We had discussed introducing an ACL object and moving the allowed_profiles from node to that. That would allow batch update of the configuration of a large set of nodes. I think we may also be blocked on the details of representing a security profile. @aluzzardi What is wrong with this proposal, other than the bulk update issue? |
|
@stevvooe @aluzzardi any updates? |
|
This PR allows ACL to be enforced/propagated per node, enabling only a subset of the security rights (Capabilities, SECCOMP, no-new-privileges, etc.). But shouldn't this come after we actually have support for those security rights/features? I'm thinking: |
This is a narrow interpretation of the design proposed in this PR. The goal is to span the gap of priveleged support while not just having a |
|
@stevvooe any return about this feature? Is it almost completed or needs more discussion? |
There is more discussion to be had. I am not directly working on this, but there is definitely something coming in the future. I appreciate the patience, as getting this right is very challenging. |
|
Actually, I think we can close this down in favor of moby/moby#32801. |
We define the basis for a profile-based security dispatch. We put
forward a model, based on existing
--privilegedflag that can beextended in the future to support more complex workflows.
The first aspect is to allow the container runtime to select a security
profile, keyed by name. We introduce two profiles, "default" and
"privileged" corresponding to the currently available control we have
today. We will extend this model to support more complex scenarios, with
more granular control, in the future.
We balance this model with a Node security profile ACL that can select
which profiles can be run on a node. Users can add and remove items from
this ACL to control which security levels can run on a given node. We
define the empty list to be allowing the "Default" security profile.
To support future interaction, we also define that profiles are
additive. This means that the capability of a set of profiles is a union
of all the specified profiles.
Signed-off-by: Stephen J Day stephen.day@docker.com
@mgoelzer @justincormack @icecrime @aluzzardi @crosbymichael