Page MenuHomePhabricator
Create Task
Maniphest T368141

toolforge: kyverno: change policies to Enforce
Closed, ResolvedPublic
Actions

Description

We initially deployed Toolforge Kyverno pod security policies in Audit mode to evaluate how they operate in our cluster.

We need to change them to Enforce if we want to move forward with T279110: [infra] Replace PodSecurityPolicy in Toolforge Kubernetes.

Related Objects
Search...

Event Timeline

aborrero created this task.Jun 21 2024, 11:39 AM
aborrero mentioned this in T364297: [k8s,infra] track PSP migration plan.
aborrero changed the task status from Open to In Progress.Jun 21 2024, 11:41 AM
aborrero triaged this task as High priority.
aborrero moved this task from Backlog to Doing on the User-aborrero board.
CodeReviewBot added a project: Patch-For-Review.Jun 21 2024, 11:43 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/46

kyverno_pod_policy: set validation to Enforce

CodeReviewBot added a comment.Jun 21 2024, 11:49 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/47

kyverno_pod_policy: use patch operation in do_update()

CodeReviewBot added a comment.Jun 24 2024, 9:27 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/47

kyverno_pod_policy: use patch operation in do_update()

CodeReviewBot added a comment.Jun 24 2024, 9:30 AM

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/342

maintain-kubeusers: bump to 0.0.153-20240624092755-fd0244da

CodeReviewBot added a comment.Jun 24 2024, 10:19 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/342

maintain-kubeusers: bump to 0.0.153-20240624092755-fd0244da

CodeReviewBot added a comment.Jun 24 2024, 11:10 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/343

kyverno: re-enable the reports controller

CodeReviewBot added a comment.Jun 24 2024, 12:17 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/343

kyverno: re-enable the reports controller

aborrero added a comment.EditedJun 25 2024, 12:29 PM

Question: how setting the policy to enforce will affect existing deployments that were created prior to the changes in T362050: toolforge: review pod templates for PSP replacement?

Well, per upstream docs:

Background scanning, enabled by default in a Policy or ClusterPolicy object with the spec.background field, allows Kyverno to periodically scan existing resources and find if they match any validate or verifyImages rules. If existing resources are found which would violate an existing policy, the background scan notes them in a ClusterPolicyReport or a PolicyReport object, depending on if the resource is namespaced or not. It does not block any existing resources that match a rule, even in Enforce mode. It has no effect on either generate or mutate rules for the purposes of reporting.

source: https://kyverno.io/docs/policy-reports/background/

Also:

background scanning and is enabled by default unless spec.background is set to false in a policy

aborrero added a comment.EditedJun 25 2024, 2:25 PM

Things I've checked:

  1. re-read the upstream docs about what happens if you set policies to enforce while there are offending resources defined in the cluster. This is the case of webservices defined by older versions of the CLI (same for jobs). See previous comment https://phabricator.wikimedia.org/T368141#9921404
  2. performance impact of changing thousand of policies from Audit to Enforce. I tested this in lima-kilo in my laptop. I did not see any relevant impact.
  3. templates generated by newer jobs/webservices are valid for the new policies. Tested as part of T362050: toolforge: review pod templates for PSP replacement
  4. functional tests passes pre/post changes, in lima-kilo

I plan to perform this change tomorrow wednesday 2024-06-26 at 08:30Z

aborrero added a comment.Jun 26 2024, 9:06 AM

Before setting policies to Enforce, I've checked again the policy reports.

There are a bunch of policy violations:

aborrero@tools-k8s-control-7:~$ sudo -i kubectl get event -A | grep PolicyViolation  | wc -l
11760

All of them contain the same content, an autogen rule complaining about the runAsGroup parameter:

tool-zumraband                              33m         Warning   PolicyViolation           deployment/zumraband                                             policy toolforge-kyverno-pod-policy/autogen-toolforge-validate-pod-policy fail: validation error: pod security configuration must be correct. rule autogen-toolforge-validate-pod-policy failed at path /spec/template/spec/securityContext/runAsGroup/

I think this happens because Deployment and other pod-generators that were created by old version of jobs-cli and webservice don't inject the securityContext. They were relying on PSP mutating the Pod resources.

All these PolicyViolations are from autogen rules. They are not for Pod resources, but for Pod-generators, like Deployments. Pod resources have a good securityContext, either by the PSP mutation, or by the new Kyverno mutation.

This means that if we set policies to Enforce, Pods being created will all pass the validations.

CodeReviewBot added a comment.Jun 26 2024, 9:08 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/46

kyverno_pod_policy: set validation to Enforce

CodeReviewBot added a comment.Jun 26 2024, 9:11 AM

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/351

maintain-kubeusers: bump to 0.0.155-20240626090852-f6b198f9

Stashbot added a comment.Jun 26 2024, 9:15 AM

Mentioned in SAL (#wikimedia-cloud) [2024-06-26T09:15:41Z] <arturo> setting kyverno policies to Enforce (T368141)

Stashbot added a comment.Jun 26 2024, 9:18 AM

Mentioned in SAL (#wikimedia-cloud) [2024-06-26T09:18:19Z] <arturo> setting kyverno policies to Enforce (T368141)

CodeReviewBot added a comment.Jun 26 2024, 9:20 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/351

maintain-kubeusers: bump to 0.0.155-20240626090852-f6b198f9

CodeReviewBot added a comment.Jun 26 2024, 9:25 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/51

kyverno_pod_policy: don't autogenerate validation rules

CodeReviewBot added a comment.Jun 26 2024, 10:26 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/51

kyverno_pod_policy: don't autogenerate validation rules

Maintenance_bot removed a project: Patch-For-Review.Jun 26 2024, 10:31 AM
CodeReviewBot added a project: Patch-For-Review.Jun 26 2024, 10:39 AM

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/353

maintain-kubeusers: bump to 0.0.156-20240626103707-3aa9727d

CodeReviewBot added a comment.Jun 26 2024, 10:44 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/353

maintain-kubeusers: bump to 0.0.156-20240626103707-3aa9727d

aborrero closed this task as Resolved.Jun 26 2024, 11:09 AM
Maintenance_bot removed a project: Patch-For-Review.Jun 26 2024, 11:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits