
Create ValidatingAdmissionPolicies to replace mediawiki PSP
Closed, ResolvedPublic

Description

We need a replacement for the mediawiki PSP that basically consists of the restricted PodSecurityStandard profile but allows for SYS_PTRACE and access to specific host paths:

- pathPrefix: /usr/share/GeoIP
  readOnly: true
- pathPrefix: /usr/share/GeoIPInfo
  readOnly: true

The idea from the parent task and https://wikitech.wikimedia.org/wiki/User:JMeybohm/PSP_Replacement is to have ValidatingAdmissionPolicies replicating the various rules of the PSS profiles in a way that allows us to selectively enable/disable/replace particular rules for specific namespaces.
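As an added illustration of that design (this is not the chart from the linked Gerrit changes, and the policy, binding and namespace-label names are assumptions), the two exceptions from the description can each be written as a ValidatingAdmissionPolicy whose CEL expressions re-state the corresponding restricted-profile rule with the exception built in, plus a binding that scopes it to the mediawiki namespaces via a namespace selector. It assumes Kubernetes 1.30 or newer for the `admissionregistration.k8s.io/v1` API (1.28 and 1.29 carry the same shape under `v1beta1`).

```yaml
# Added example, not the deployment-charts code. Assumed names throughout;
# "psp-profile: mediawiki" is a constructed namespace label.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: capabilities-allow-sys-ptrace
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # Every container kind the restricted profile evaluates.
    - name: allContainers
      expression: >-
        object.spec.containers
        + (has(object.spec.initContainers) ? object.spec.initContainers : [])
        + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
  validations:
    # Restricted PSS: every container must drop ALL ...
    - expression: >-
        variables.allContainers.all(c,
          has(c.securityContext) && has(c.securityContext.capabilities)
          && has(c.securityContext.capabilities.drop)
          && 'ALL' in c.securityContext.capabilities.drop)
      message: "every container must drop ALL capabilities"
    # ... and may add back only NET_BIND_SERVICE; SYS_PTRACE is the mediawiki exception.
    - expression: >-
        variables.allContainers.all(c,
          !has(c.securityContext) || !has(c.securityContext.capabilities)
          || !has(c.securityContext.capabilities.add)
          || c.securityContext.capabilities.add.all(a, a in ['NET_BIND_SERVICE', 'SYS_PTRACE']))
      message: "only NET_BIND_SERVICE and SYS_PTRACE may be added to capabilities"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: hostpath-allow-geoip
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    - name: allowedPrefixes
      expression: "['/usr/share/GeoIP', '/usr/share/GeoIPInfo']"
    # Names of all hostPath volumes declared on the pod.
    - name: hostPathVolumes
      expression: >-
        has(object.spec.volumes)
          ? object.spec.volumes.filter(v, has(v.hostPath)).map(v, v.name)
          : []
    - name: allContainers
      expression: >-
        object.spec.containers
        + (has(object.spec.initContainers) ? object.spec.initContainers : [])
        + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
  validations:
    # Restricted PSS forbids hostPath entirely; here it is accepted only below the
    # allowed prefixes, matched on path-component boundaries like PSP's pathPrefix
    # (so /usr/share/GeoIP does not accidentally admit /usr/share/GeoIPInfo-like names).
    - expression: >-
        !has(object.spec.volumes) || object.spec.volumes.all(v,
          !has(v.hostPath) || variables.allowedPrefixes.exists(p,
            v.hostPath.path == p || v.hostPath.path.startsWith(p + '/')))
      message: "hostPath volumes are only allowed below /usr/share/GeoIP and /usr/share/GeoIPInfo"
    # readOnly is a property of the mount, not the volume, so check every mount
    # that references a hostPath volume.
    - expression: >-
        variables.allContainers.all(c, !has(c.volumeMounts) || c.volumeMounts.all(m,
          !(m.name in variables.hostPathVolumes) || (has(m.readOnly) && m.readOnly)))
      message: "hostPath volumes must be mounted readOnly"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: capabilities-allow-sys-ptrace-mediawiki
spec:
  policyName: capabilities-allow-sys-ptrace
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        psp-profile: mediawiki
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: hostpath-allow-geoip-mediawiki
spec:
  policyName: hostpath-allow-geoip
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        psp-profile: mediawiki
```

The binding is what makes a rule selectively enabled per namespace: the unmodified restricted-profile rules (drop ALL plus NET_BIND_SERVICE only, no hostPath at all) would be bound to every other namespace, while namespaces carrying the label get these relaxed variants instead. Before switching `validationActions` to `Deny` in production, binding with `[Audit, Warn]` first shows in the audit log and in `kubectl` warnings which existing pods the new rules would reject.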

Event Timeline

Although this is not technically blocking the k8s upgrade (because ValidatingAdmissionPolicies require k8s >=1.26 anyway), we need this to be ready to deploy together with the next k8s upgrade or we'll have to configure mediawiki namespaces with the privileged PSS after the update.

Change #1052964 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Add kyverno_policy_parser

https://gerrit.wikimedia.org/r/1052964

JMeybohm renamed this task from "Create ValidationAdmissionPolicies to replace mediawiki PSP" to "Create ValidatingAdmissionPolicies to replace mediawiki PSP". Jul 12 2024, 9:07 AM
JMeybohm updated the task description.

Change #1053911 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Initial commit validating-admission-policies chart

https://gerrit.wikimedia.org/r/1053911

Change #1053934 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/debs/helm3@master] New upstream version 3.11.3

https://gerrit.wikimedia.org/r/1053934

Change #1052964 abandoned by JMeybohm:

[operations/deployment-charts@master] Add kyverno_policy_parser

Reason:

Moved to https://gitlab.wikimedia.org/repos/sre/kyverno-policy-parser due to popular demand

https://gerrit.wikimedia.org/r/1052964

Change #1053934 merged by JMeybohm:

[operations/debs/helm3@master] New upstream version 3.11.3

https://gerrit.wikimedia.org/r/1053934

Change #1054802 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[integration/config@master] Docker: [helm-linter] Update helm to 3.11.3

https://gerrit.wikimedia.org/r/1054802

Change #1054803 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[integration/config@master] jjib: [helm-lint] Update helm-linter image

https://gerrit.wikimedia.org/r/1054803

Change #1054802 merged by jenkins-bot:

[integration/config@master] Docker: [helm-linter] Update helm to 3.11.3

https://gerrit.wikimedia.org/r/1054802

Change #1054803 merged by jenkins-bot:

[integration/config@master] jjb: [helm-lint] Update helm-linter image

https://gerrit.wikimedia.org/r/1054803

Change #1054891 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Add policy to allow only SYS_PTRACE

https://gerrit.wikimedia.org/r/1054891

Change #1054905 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Add policy to allow GeoIP hostPath volumes

https://gerrit.wikimedia.org/r/1054905

Implementation is (I think) completed. There is a README which hopefully explains what my intentions were and how the policies can be used to create something PSS-like but with exceptions.

Change #1053911 merged by jenkins-bot:

[operations/deployment-charts@master] Initial commit validating-admission-policies chart

https://gerrit.wikimedia.org/r/1053911

Change #1054891 merged by jenkins-bot:

[operations/deployment-charts@master] Add policy to allow only SYS_PTRACE

https://gerrit.wikimedia.org/r/1054891

Change #1054905 merged by jenkins-bot:

[operations/deployment-charts@master] Add policy to allow GeoIP hostPath volumes

https://gerrit.wikimedia.org/r/1054905