Page MenuHomePhabricator
Create Task
Maniphest T369492

Migrate dse cluster off of Pod Security Policies
Closed, ResolvedPublic
Actions

Description

As a pre-dependency for the next Kubernetes update, the cluster needs to be migrated from Pod Security Policies to Pod Security Standards.

The process is described in (feel free to extend where you see fit):
https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters/PSP_replacement

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
spark-operator: enable the definition of securitycontext.seccompProfile for spark containersoperations/deployment-chartsmaster+81 -1
dse-k8s-eqiad: Disable PSPoperations/puppetproduction+8 -0
cloudnative-pg: include the restricted security context in the test podoperations/deployment-chartsmaster+13 -1
cloudnative-pg: upgrade operator to v1.24.0operations/deployment-chartsmaster+1 -1
dse-k8s-eqiad: Enforce the `restricted` PSS for all namespacesoperations/deployment-chartsmaster+2 -2
airflow: add restrictedSecurityContext to the git-sync initcontaineroperations/deployment-chartsmaster+2 -1
dse-k8s-eqiad: Disable mutating parts of the restricted PSPoperations/deployment-chartsmaster+6 -1
dse: Add securityContext to istio componentsoperations/deployment-chartsmaster+13 -0
Customize query in gerrit
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
Upgrade cloudnative-pg operator to v1.24.0repos/data-engineering/postgresql-kubernetes!14brouberolT369492-cloudnative-pg-upgrademain
Customize query in GitLab

Related Objects
Search...

Event Timeline

JMeybohm created this task.Jul 8 2024, 10:12 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 8 2024, 10:12 AM
JMeybohm mentioned this in T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21.Jul 8 2024, 10:19 AM
gerritbot added a comment.Jul 8 2024, 10:39 AM

Change #1052701 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] dse: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052701

gerritbot added a project: Patch-For-Review.Jul 8 2024, 10:39 AM
bking subscribed.Jul 8 2024, 12:56 PM
lbowmaker moved this task from Incoming (new tickets) to Tag with Radar on the Data-Engineering board.Jul 15 2024, 2:33 PM
gerritbot added a comment.Jul 22 2024, 8:09 AM

Change #1052701 merged by jenkins-bot:

[operations/deployment-charts@master] dse: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052701

Maintenance_bot removed a project: Patch-For-Review.Jul 22 2024, 8:30 AM
BTullis added a project: Data-Platform-SRE.Aug 27 2024, 4:04 PM
Gehel triaged this task as Medium priority.Aug 28 2024, 8:24 AM
Gehel edited projects, added Data-Platform-SRE (2024.08.17 - 2024.09.06); removed Data-Platform-SRE.
brouberol closed this task as Resolved.Sep 2 2024, 7:31 AM
brouberol claimed this task.
brouberol subscribed.

No PSS violations occurred in dse-k8s-eqiad in the last 7 days:

Screenshot 2024-09-02 at 09.31.12.png (1×2 px, 438 KB)

brouberol added a comment.Sep 2 2024, 7:33 AM

The current workload does validate against the new PSS:

root@deploy1003:~# kubectl get ns -l pod-security.kubernetes.io/audit=restricted -o name | while read ns; do
    kubectl label --dry-run=server --overwrite "$ns" pod-security.kubernetes.io/enforce=restricted;
done
namespace/airflow-test-k8s labeled
namespace/cert-manager labeled
namespace/cloudnative-pg-operator labeled
namespace/datahub labeled
namespace/datahub-next labeled
namespace/datasets-config labeled
namespace/datasets-config-next labeled
namespace/echoserver labeled
namespace/external-services labeled
namespace/flink-operator labeled
namespace/growthbook labeled
namespace/istio-system labeled
namespace/mpic labeled
namespace/mpic-next labeled
namespace/postgresql-test labeled
namespace/rdf-streaming-updater labeled
namespace/spark labeled
namespace/spark-history labeled
namespace/spark-history-test labeled
namespace/spark-operator labeled
namespace/superset labeled
namespace/superset-next labeled
brouberol added a comment.Sep 2 2024, 7:34 AM

We don't currently have any PSP applied in the cluster except privileged or restricted:

root@deploy1003:~# kubectl get pods -A -o=jsonpath='{range .items[?(@.metadata.annotations.kubernetes\.io/psp!="privileged")]}{@.metadata.namespace}{" "}{@.metadata.annotations.kubernetes\.io/psp}{"\n"}{end}' | sort -u | column -t -s' ' | grep -v 'restricted$'
root@deploy1003:~#
gerritbot added a comment.Sep 2 2024, 7:54 AM

Change #1069943 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s-eqiad: Disable mutating parts of the restricted PSP

https://gerrit.wikimedia.org/r/1069943

gerritbot added a project: Patch-For-Review.Sep 2 2024, 7:54 AM

Change #1069944 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s-eqiad: Enforce the `restricted` PSS for all namespaces

https://gerrit.wikimedia.org/r/1069944

gerritbot added a comment.Sep 2 2024, 7:54 AM

Change #1069945 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] dse-k8s-eqiad: Disable PSP

https://gerrit.wikimedia.org/r/1069945

brouberol reopened this task as Open.Sep 2 2024, 8:10 AM
brouberol moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2024.08.17 - 2024.09.06) board.
gerritbot added a comment.Sep 2 2024, 10:02 AM

Change #1069943 merged by Brouberol:

[operations/deployment-charts@master] dse-k8s-eqiad: Disable mutating parts of the restricted PSP

https://gerrit.wikimedia.org/r/1069943

brouberol added a comment.Sep 2 2024, 10:08 AM

After having disabled mutating parts of the restricted PSP, I'm going to let things simmer for a while, to let any potential issues creep up.

brouberol moved this task from In Progress to Blocked/Waiting on the Data-Platform-SRE (2024.08.17 - 2024.09.06) board.Sep 2 2024, 11:46 AM
gerritbot added a comment.Sep 3 2024, 8:28 AM

Change #1070202 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] airflow: add restrictedSecurityContext to the git-sync initcontainer

https://gerrit.wikimedia.org/r/1070202

gerritbot added a comment.Sep 3 2024, 9:15 AM

Change #1070202 merged by Brouberol:

[operations/deployment-charts@master] airflow: add restrictedSecurityContext to the git-sync initcontainer

https://gerrit.wikimedia.org/r/1070202

Gehel edited projects, added Data-Platform-SRE (2024.09.06 - 2024.09.27); removed Data-Platform-SRE (2024.08.17 - 2024.09.06).Sep 6 2024, 9:48 AM
Gehel moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2024.09.06 - 2024.09.27) board.
gerritbot added a comment.Sep 9 2024, 8:04 AM

Change #1069944 merged by Brouberol:

[operations/deployment-charts@master] dse-k8s-eqiad: Enforce the `restricted` PSS for all namespaces

https://gerrit.wikimedia.org/r/1069944

CodeReviewBot added a comment.Sep 9 2024, 9:27 AM

brouberol opened https://gitlab.wikimedia.org/repos/data-engineering/postgresql-kubernetes/-/merge_requests/14

Upgrade cloudnative-pg operator to v1.24.0

CodeReviewBot added a comment.Sep 9 2024, 9:29 AM

brouberol merged https://gitlab.wikimedia.org/repos/data-engineering/postgresql-kubernetes/-/merge_requests/14

Upgrade cloudnative-pg operator to v1.24.0

gerritbot added a comment.Sep 9 2024, 9:33 AM

Change #1071571 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] cloudnative-pg: upgrade operator to v1.24.0

https://gerrit.wikimedia.org/r/1071571

gerritbot added a comment.Sep 9 2024, 9:37 AM

Change #1071571 merged by Brouberol:

[operations/deployment-charts@master] cloudnative-pg: upgrade operator to v1.24.0

https://gerrit.wikimedia.org/r/1071571

gerritbot added a comment.Sep 9 2024, 9:44 AM

Change #1071574 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] cloudnative-pg: include the restricted security context in the test pod

https://gerrit.wikimedia.org/r/1071574

gerritbot added a comment.Sep 9 2024, 9:47 AM

Change #1071574 merged by Brouberol:

[operations/deployment-charts@master] cloudnative-pg: include the restricted security context in the test pod

https://gerrit.wikimedia.org/r/1071574

brouberol added a comment.Sep 9 2024, 10:45 AM

The restricted PSS has been enforced for all namespaces in dse-k8s-eqiad.

brouberol moved this task from Blocked/Waiting to In Progress on the Data-Platform-SRE (2024.09.06 - 2024.09.27) board.Sep 9 2024, 10:59 AM
gerritbot added a comment.Sep 9 2024, 11:01 AM

Change #1069945 merged by Brouberol:

[operations/puppet@production] dse-k8s-eqiad: Disable PSP

https://gerrit.wikimedia.org/r/1069945

brouberol closed this task as Resolved.Sep 9 2024, 11:07 AM

I've run puppet on both Kube masters

brouberol@dse-k8s-ctrl1001:~$ sudo run-puppet-agent
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for dse-k8s-ctrl1001.eqiad.wmnet
Info: Applying configuration version '(24e7fa8440) Brouberol - dse-k8s-eqiad: Disable PSP'
Notice: /Stage[main]/K8s::Apiserver/File[/etc/default/kube-apiserver]/content:
--- /etc/default/kube-apiserver	2024-04-16 10:21:14.527805313 +0000
+++ /tmp/puppet-file20240909-2085104-i9dwim	2024-09-09 11:04:24.094744165 +0000
@@ -12,8 +12,8 @@
  --audit-policy-file=/etc/kubernetes/audit-policy.yaml \
  --authorization-mode=Node,RBAC \
  --client-ca-file=/etc/kubernetes/pki/dse__kube-apiserver_server.chain.pem \
- --disable-admission-plugins=PersistentVolumeClaimResize,StorageObjectInUseProtection \
- --enable-admission-plugins=DenyServiceExternalIPs,NodeRestriction,PodSecurityPolicy \
+ --disable-admission-plugins=PersistentVolumeClaimResize,PodSecurityPolicy,StorageObjectInUseProtection \
+ --enable-admission-plugins=DenyServiceExternalIPs,NodeRestriction \
  --etcd-servers=https://dse-k8s-etcd1001.eqiad.wmnet:2379,https://dse-k8s-etcd1002.eqiad.wmnet:2379,https://dse-k8s-etcd1003.eqiad.wmnet:2379 \
  --kubelet-client-certificate=/etc/kubernetes/pki/dse__kube-apiserver-kubelet-client.pem \
  --kubelet-client-key=/etc/kubernetes/pki/dse__kube-apiserver-kubelet-client-key.pem \

Notice: /Stage[main]/K8s::Apiserver/File[/etc/default/kube-apiserver]/content: content changed '{sha256}64c1337dd43e858add75a7f5356eed925f5db86cc243fc2f126835903a29a6eb' to '{sha256}b732a3cc20d16bd1c522bc9d85f967eb8157e7cd717f50823fc66fdf369e5762'
Info: /Stage[main]/K8s::Apiserver/File[/etc/default/kube-apiserver]: Scheduling refresh of Service[kube-apiserver-safe-restart]
brouberol moved this task from In Progress to Done on the Data-Platform-SRE (2024.09.06 - 2024.09.27) board.Sep 9 2024, 11:08 AM
Maintenance_bot removed a project: Patch-For-Review.Sep 9 2024, 11:30 AM
brouberol reopened this task as Open.Sep 9 2024, 11:52 AM

Reopening as we've found out that our Spark operator does not support setting seccompProfile.

brouberol moved this task from Done to In Progress on the Data-Platform-SRE (2024.09.06 - 2024.09.27) board.Sep 9 2024, 12:20 PM
gerritbot added a comment.Sep 9 2024, 12:22 PM

Change #1071596 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] spark-operator: enable the definition of securitycontext.seccompProfile for spark containers

https://gerrit.wikimedia.org/r/1071596

gerritbot added a project: Patch-For-Review.Sep 9 2024, 12:22 PM
gerritbot added a comment.Sep 9 2024, 1:25 PM

Change #1071596 merged by Brouberol:

[operations/deployment-charts@master] spark-operator: enable the definition of securitycontext.seccompProfile for spark containers

https://gerrit.wikimedia.org/r/1071596

brouberol closed this task as Resolved.Sep 9 2024, 1:29 PM
brouberol moved this task from In Progress to Done on the Data-Platform-SRE (2024.09.06 - 2024.09.27) board.
Maintenance_bot removed a project: Patch-For-Review.Sep 9 2024, 1:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits