feat(kubernetes): add sidecar supervisor topology#2076
Conversation
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
|
🌿 Preview your docs: https://nvidia-preview-pr-2076.docs.buildwithfern.com/openshell |
|
Label |
4f981c2 to
8c9ae53
Compare
Some comments with help of agent1. Central trust boundary — the workload can use the sandbox's gateway identity . 2. nftables fence only covers TCP/UDP. 3. 4. Doc drift in the debug skill. |
e00a00b to
ed858eb
Compare
Addressed this by moving the supervisor and sandbox to run with different GIDs. Updated the other areas with clarifying comments. |
|
Deployed this branch on an OpenShift 4.22 cluster (K8s 1.35) with Root causeIn
Step 2 runs as root with Note the state dir was already changed to |
|
@mrunalp I reproduced locally and pushed a fix. Please have a look when you get a chance! |
3d80066 to
254cdbe
Compare
Looks like you've rebased now since that's been merged? |
|
Discussed with @TaylorMutch: Suggestion: keep Landlock (and seccomp) in sidecar
|
Add the Kubernetes sidecar supervisor topology, its Helm/Skaffold configuration, topology documentation, and sidecar e2e matrix coverage. Skip root-only sandbox identity rewriting when process enforcement is network-only so the low-permission sidecar process container can start successfully. Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Run nftables setup as individual commands so optional conntrack and log expressions can fail without rolling back required table, chain, and reject rules. Signed-off-by: Seth Jennings <sjenning@redhat.com> Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Render sidecar pods with a shared process namespace, keep binary-aware network policy enabled, and move Kubernetes sidecar settings under the nested sidecar config table. Also apply unprivileged Landlock/seccomp setup in NetworkOnly supervisor mode so sidecar topology keeps sandbox child hardening without privileged process setup. Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Coordinate sidecar policy and provider bootstrap over a local Unix socket so the process leaf no longer reads policy/provider snapshot files. Report entrypoint startup through the control channel and keep gateway credentials confined to the network sidecar. Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
9d3bef7 to
93b86f8
Compare
Summary
Adds an experimental Kubernetes
sidecarsupervisor topology after the combined-topology base from #2074. The defaultcombinedtopology remains unchanged;sidecaris opt-in and may change as we continue validating the permission model, pod layout, and configuration surface across Kubernetes runtimes.The goal of
sidecaris to move pod-level network enforcement, gateway authentication, gateway session handling, and SSH relay ownership out of the agent container and into a dedicated network sidecar. The agent container runs as the resolved sandbox UID/GID withrunAsNonRoot,allowPrivilegeEscalation: false, and all Linux capabilities dropped.Outcome
combinedas the default topology and full OpenShell enforcement path.topology = "sidecar"under[openshell.drivers.kubernetes]and nests sidecar-only settings under[openshell.drivers.kubernetes.sidecar]; Helm renders the same shape fromsupervisor.topologyandsupervisor.sidecar.*.shareProcessNamespace: truefor sidecar pods so the network sidecar can resolve workload process and binary identity through/proc.supervisor.sidecar.processBinaryAwareNetworkPolicy=falsedrops the sidecarSYS_PTRACEcapability and downgrades sidecar network policy to endpoint/L7 enforcement without matchingpolicy.binaries.deploy/helm/openshell/ci/values-sidecar-kata.yamlas the local/CI-dev overlay used for Kata validation.Enforcement Model
combinedremains the complete OpenShell sandbox contract: network policy, filesystem policy, process controls, supervisor privilege drop, supervisor identity mount isolation, gateway relay, SSH, exec, and file sync all run through the existing agent-container supervisor path.sidecaris network-focused but no longer disables all process-side enforcement:/procinspection.Runtime Validation Status
gcloud container clusters create-auto --workload-policies=allow-net-admin; the Google Cloud CLI reference listsallow-net-adminas the supported Autopilot workload policy: https://docs.cloud.google.com/sdk/gcloud/reference/container/clusters/create-auto#--workload-policiesdeploy/helm/openshell/ci/values-sidecar-kata.yaml. This validation passed without using the supervisor sideload init container.Related Issue
References #1827, #981, #899, #1305.
Related PRs: #1973, #2074, #2016.
Changes
sidecartopology and sidecar-specific configuration.supervisor_topologytotopologyand move sidecar settings underopenshell.drivers.kubernetes.sidecar.network-onlybehavior for sidecar mode while preserving workload launch, Landlock/seccomp application, and SSH/session relay behavior.SYS_PTRACEcapability when users accept the downgrade.Testing
git diff --check origin/main..feat/kubernetes-sidecar-topology-v2cargo check -p openshell-driver-kubernetes -p openshell-sandbox -p openshell-supervisor-process -p openshell-supervisor-networkcargo test -p openshell-driver-kubernetes --libcargo test -p openshell-supervisor-process --libmise run helm:testmarkdownlint-cli2 docs/kubernetes/topology.mdx docs/kubernetes/setup.mdxruby -e 'require "yaml"; YAML.load_file(".github/workflows/branch-e2e.yml"); puts "ok"'mise run rust:lintmise run rust:format:check && mise run rust:lintcargo test -p openshell-supervisor-processCARGO_BUILD_JOBS=1 mise run pre-commitOpenShell / Branch Checkspassing on this branch, including Linux amd64 and arm64 Rust jobs.HELM_K3S_LB_HOST_PORT=18080 mise run e2e:kubernetes:sidecar--workload-policies=allow-net-admin.deploy/helm/openshell/ci/values-sidecar-kata.yaml; validation passed without the supervisor sideload init container.Checklist