WIP: feat: Add SELinux metrics #2513

Open
wants to merge 1 commit into base: main

Conversation

jsafrane (Member) commented Sep 27, 2024

What this PR does / why we need it:
This is a proof of concept for metrics suggested by SELinuxMount feature.

Using these metrics I think with a lot of joins and label replaces I can detect if two containers use the same volume in parallel, and the containers have the same SELinux label (good) or a different one (bad, those Pods will not run when SELinuxMount gets enabled).

New metrics:

  • kube_pod_security_context: pod's spec.securityContext fields. The only values I need are seLinuxOptions.
  • kube_pod_container_security_context: pod's spec.containers[*].securityContext fields. I need privileged flag + seLinuxOptions.
  • kube_pod_container_volume_mount: report volumes used by containers. The existing kube_pod_spec_volumes_persistentvolumeclaims_info tracks volumes used in pods.
  • kube_csidriver_info: report CSIDriver object fields. I need just seLinuxMount flag.

WIP. TODO when the KEP is approved:

  • Add RBACs for reading CSIDriver objects.
  • Add unit tests + docs.
  • Add more labels to the metrics. What other SecurityContext, PodSecurityContext and CSIDriver fields are useful?
  • Add proposed pod spec.securityContext.seLinuxChangePolicy to kube_pod_security_context.
  • Consider adding kube_persistentvolume_unique_volume_id. kube_persistentvolume_info does miss some volume types (e.g. in-tree vSphere or Cinder) and is declared STABLE. And it's clumsy to work with.

How does this change affect the cardinality of KSM: increases
(no change to any existing metric, new metrics do have nonzero cardinality)

KEP update proposal: kubernetes/enhancements#4843

This is a proof of concept for kubernetes/enhancements#4843

* Report pod spec.securityContext as kube_pod_security_context. The only
  values I need are seLinuxOptions.
* Report container securityContext as kube_pod_container_security_context.
  I need privileged flag + seLinuxOptions.
* Report volumes used by *containers* as kube_pod_container_volume_mount.
  The existing kube_pod_spec_volumes_persistentvolumeclaims_info tracks
  volumes used in a *Pod*, while I need volumes used by *containers*.
* Report CSIDriver object fields as kube_csidriver_info. I need just
  seLinuxMount flag.
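The volume-sharing check described in the description above, carried out as an added example that is not part of this PR or of kube-state-metrics: it parses a constructed scrape of the proposed metrics and reports PVCs mounted by containers whose effective SELinux level differs. The label names on the samples (namespace, pod, container, volume, persistentvolumeclaim, selinux_level, privileged) are assumptions, not KSM's real labels, and the join is done in Python rather than PromQL.

```python
import re
from collections import defaultdict

# Constructed sample scrape in Prometheus text format. Metric names are the ones
# proposed in the PR; the label names are assumptions, not KSM's real labels.
SAMPLE = """
kube_pod_container_volume_mount{namespace="ns1",pod="web-a",container="app",volume="data",persistentvolumeclaim="shared-pvc"} 1
kube_pod_container_volume_mount{namespace="ns1",pod="web-b",container="app",volume="data",persistentvolumeclaim="shared-pvc"} 1
kube_pod_container_volume_mount{namespace="ns1",pod="web-c",container="app",volume="data",persistentvolumeclaim="shared-pvc"} 1
kube_pod_container_volume_mount{namespace="ns1",pod="web-d",container="app",volume="data",persistentvolumeclaim="lonely-pvc"} 1
kube_pod_security_context{namespace="ns1",pod="web-a",selinux_level="s0:c1,c2"} 1
kube_pod_security_context{namespace="ns1",pod="web-b",selinux_level="s0:c1,c2"} 1
kube_pod_security_context{namespace="ns1",pod="web-c",selinux_level="s0:c1,c2"} 1
kube_pod_security_context{namespace="ns1",pod="web-d",selinux_level="s0:c9,c9"} 1
kube_pod_container_security_context{namespace="ns1",pod="web-c",container="app",privileged="false",selinux_level="s0:c3,c4"} 1
"""

SAMPLE_RE = re.compile(r'^(\w+)\{([^}]*)\}\s+(\S+)$')
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')

def parse(text):
    """Yield (metric_name, labels) for each sample line with a non-zero value."""
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m and float(m.group(3)) != 0:
            yield m.group(1), dict(LABEL_RE.findall(m.group(2)))

def find_selinux_conflicts(text):
    """Map 'namespace/pvc' -> sorted distinct SELinux levels for every PVC that is
    mounted by containers with differing effective levels (the PR's 'bad' case).
    Effective level = container securityContext level if set, else the pod's."""
    pod_level, ctr_level = {}, {}
    mounts = defaultdict(set)  # (ns, pvc) -> {(ns, pod, container)}
    for name, l in parse(text):
        ns, pod = l["namespace"], l["pod"]
        if name == "kube_pod_security_context":
            pod_level[(ns, pod)] = l.get("selinux_level", "")
        elif name == "kube_pod_container_security_context":
            ctr_level[(ns, pod, l["container"])] = l.get("selinux_level", "")
        elif name == "kube_pod_container_volume_mount" and l.get("persistentvolumeclaim"):
            mounts[(ns, l["persistentvolumeclaim"])].add((ns, pod, l["container"]))
    conflicts = {}
    for (ns, pvc), users in mounts.items():
        levels = {ctr_level.get(u) or pod_level.get(u[:2], "") for u in users}
        if len(levels) > 1:
            conflicts[f"{ns}/{pvc}"] = sorted(levels)
    return conflicts

if __name__ == "__main__":
    print(find_selinux_conflicts(SAMPLE))  # prints {'ns1/shared-pvc': ['s0:c1,c2', 's0:c3,c4']}
```

In the constructed sample, web-a and web-b inherit the pod-level label while web-c overrides it per container, so only shared-pvc is flagged; lonely-pvc has a single user and is not reported.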
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Sep 27, 2024
k8s-ci-robot (Contributor) commented:

This issue is currently awaiting triage.

If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 27, 2024
k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jsafrane
Once this PR has been reviewed and has the lgtm label, please assign rexagod for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Sep 27, 2024
@jsafrane jsafrane changed the title WIP: Add SELinux metrics WIP: feat: Add SELinux metrics Sep 27, 2024