Add RuntimeHandler support #891
Conversation
|
/ok-to-test |
|
@tallclair Please use |
tallclair
force-pushed
the
runtimehandler
branch
from
0a4e04e to
18bbb92
Compare
Signed-off-by: Tim Allclair <tallclair@google.com>
tallclair
force-pushed
the
runtimehandler
branch
from
18bbb92 to
27d36ad
Compare
|
Done. |
cri.go
Outdated
| @@ -104,6 +108,18 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) { | |||
| return s, nil | |||
| } | |||
|
|
|||
| // validateConfig validates that the given configuration. | |||
pkg/config/config.go
Outdated
|
|
||
| const ( | ||
| // RuntimeUntrusted is the implicit runtime defined for ContainerdConfig.UntrustedWorkloadRuntime | ||
| RuntimeUntrusted = "unstrusted" |
There was a problem hiding this comment.
oh, good catch. Done.
| defaultRuntime: defaultRuntime, | ||
| runtimes: map[string]criconfig.Runtime{"foo": fooRuntime}, | ||
| expectErr: true, | ||
| }, |
There was a problem hiding this comment.
missing test case: should return error if both annotation and runtime handler are specified.
pkg/config/config.go
Outdated
| DefaultRuntime Runtime `toml:"default_runtime" json:"defaultRuntime"` | ||
| // UntrustedWorkloadRuntime is a runtime to run untrusted workloads on it. | ||
| // DEPRECATED: use Runtimes instead. If provided, this runtime is mapped to the runtime handler | ||
| // named 'untrusted'. It is a configuration error to provide both. |
There was a problem hiding this comment.
How about this: It is a configuration error to provide both the (now deprecated) UntrustedWorkloadRuntime and a handler in the Runtimes handler map (below) for 'untrusted' workloads at the same time. Please provide one or the other.
pkg/config/config.go
Outdated
| UntrustedWorkloadRuntime Runtime `toml:"untrusted_workload_runtime" json:"untrustedWorkloadRuntime"` | ||
| // Runtimes maps a CRI RuntimeHandler string to a runtime configuration. |
There was a problem hiding this comment.
How about this: Runtimes is a map from CRI RuntimeHandler strings, that specify types of workloads, to runtimes for handling those types of workloads.
There was a problem hiding this comment.
It's not entirely accurate that the RuntimeHandler "specifies types of workloads". For example, one user might want their ngnix workload to be sandboxed, while another is comfortable running it with native isolation. It's not that those are different workloads, necessarily, just different threat models.
There was a problem hiding this comment.
Could it be any type of classification. Development, Test, Production; or High, low, no threat model; or multi-tenant vs. uni-tenant; or ... Is it any type system or class dreamed up by the user mapped to particular runtimes chosen by the user?
At any rate the amount of threat secured by the runtime will be dependent on other factors outside just the version of the runtime selected. If we are saying these are threat model classes who's to say which runtime is best for which type of threat model?
There was a problem hiding this comment.
ok I like your text as it's vague enough here I suppose. Just needs some explanation elsewhere for patterns of use.
| @@ -33,10 +33,15 @@ type Runtime struct { | |||
| type ContainerdConfig struct { | |||
| // Snapshotter is the snapshotter used by containerd. | |||
| Snapshotter string `toml:"snapshotter" json:"snapshotter"` | |||
| // DefaultRuntime is the runtime to use in containerd. | |||
| // DefaultRuntime is the default runtime to use in containerd. | |||
There was a problem hiding this comment.
The documentation for these fields has to be cut and pasted to here: https://github.com/containerd/cri/blame/master/docs/config.md#L52
There was a problem hiding this comment.
Done. Add a clarification about the example to the runtimes entry.
pkg/server/sandbox_run.go
Outdated
| if untrustedWorkload(config) { | ||
| // If the untrusted annotation is provided, runtimeHandler MUST be empty. | ||
| if runtimeHandler != "" { | ||
| return criconfig.Runtime{}, errors.New("untrusted workload with explicit runtime handler is not allowed") |
There was a problem hiding this comment.
Why can't we match untrusted workloads with a runtime handler for untrusted workloads? I must be missing something.
There was a problem hiding this comment.
Suppose I add the untrusted annotation, and ask for the 'native' runtime? Those are conflictiing. Originally, I was thinking RuntimeHandler should take precedence, but that would be "failing open" in this case, and potentially present a security risk.
However, to smooth roll out / upgrade, I decided we should allow setting the untrusted annotation and setting the 'untrusted' runtimeHandler.
cri.go
Outdated
| @@ -104,6 +108,18 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) { | |||
| return s, nil | |||
| } | |||
|
|
|||
| // validateConfig validates that the given configuration. | |||
pkg/config/config.go
Outdated
|
|
||
| const ( | ||
| // RuntimeUntrusted is the implicit runtime defined for ContainerdConfig.UntrustedWorkloadRuntime | ||
| RuntimeUntrusted = "unstrusted" |
There was a problem hiding this comment.
oh, good catch. Done.
pkg/server/sandbox_run.go
Outdated
| if untrustedWorkload(config) { | ||
| // If the untrusted annotation is provided, runtimeHandler MUST be empty. | ||
| if runtimeHandler != "" { | ||
| return criconfig.Runtime{}, errors.New("untrusted workload with explicit runtime handler is not allowed") |
There was a problem hiding this comment.
Suppose I add the untrusted annotation, and ask for the 'native' runtime? Those are conflictiing. Originally, I was thinking RuntimeHandler should take precedence, but that would be "failing open" in this case, and potentially present a security risk.
However, to smooth roll out / upgrade, I decided we should allow setting the untrusted annotation and setting the 'untrusted' runtimeHandler.
pkg/config/config.go
Outdated
| UntrustedWorkloadRuntime Runtime `toml:"untrusted_workload_runtime" json:"untrustedWorkloadRuntime"` | ||
| // Runtimes maps a CRI RuntimeHandler string to a runtime configuration. |
There was a problem hiding this comment.
It's not entirely accurate that the RuntimeHandler "specifies types of workloads". For example, one user might want their ngnix workload to be sandboxed, while another is comfortable running it with native isolation. It's not that those are different workloads, necessarily, just different threat models.
pkg/config/config.go
Outdated
| DefaultRuntime Runtime `toml:"default_runtime" json:"defaultRuntime"` | ||
| // UntrustedWorkloadRuntime is a runtime to run untrusted workloads on it. | ||
| // DEPRECATED: use Runtimes instead. If provided, this runtime is mapped to the runtime handler | ||
| // named 'untrusted'. It is a configuration error to provide both. |
| @@ -33,10 +33,15 @@ type Runtime struct { | |||
| type ContainerdConfig struct { | |||
| // Snapshotter is the snapshotter used by containerd. | |||
| Snapshotter string `toml:"snapshotter" json:"snapshotter"` | |||
| // DefaultRuntime is the runtime to use in containerd. | |||
| // DefaultRuntime is the default runtime to use in containerd. | |||
There was a problem hiding this comment.
Done. Add a clarification about the example to the runtimes entry.
| defaultRuntime: defaultRuntime, | ||
| runtimes: map[string]criconfig.Runtime{"foo": fooRuntime}, | ||
| expectErr: true, | ||
| }, |
cri.go
Outdated
| // It is an error to provide both an UntrustedWorkloadRuntime & define an 'untrusted' runtime. | ||
| if _, ok := c.ContainerdConfig.Runtimes[criconfig.RuntimeUntrusted]; ok { | ||
| if c.ContainerdConfig.UntrustedWorkloadRuntime.Type != "" { | ||
| return errors.New("conflicting untrusted runtimes defined") |
There was a problem hiding this comment.
maybe: "duplicate/conflicting definitions, configuration includes untrusted_workload_runtime and runtimes[untrusted]"
|
|
||
| const ( | ||
| // RuntimeUntrusted is the implicit runtime defined for ContainerdConfig.UntrustedWorkloadRuntime | ||
| RuntimeUntrusted = "untrusted" |
There was a problem hiding this comment.
Would be nice if we could move this string over to CRI maybe a TODO?
There was a problem hiding this comment.
This isn't an "official" concept, even though most (all?) runtimes have implemented it. We've talked about something like that with RuntimeClass, but for now we decided to keep it open ended. I just used this string as a transitional thing while migrating to the runtime handler based configuration. Once the annotation is no longer used, the runtime can be called anything.
There was a problem hiding this comment.
true.. yet it would be beneficial to have example patterns and reserved names that have more meaning than .. anything :-)
Signed-off-by: Tim Allclair <tallclair@google.com>
tallclair
force-pushed
the
runtimehandler
branch
from
f3d4e72 to
e7189a2
Compare
cri.go
Outdated
| // It is an error to provide both an UntrustedWorkloadRuntime & define an 'untrusted' runtime. | ||
| if _, ok := c.ContainerdConfig.Runtimes[criconfig.RuntimeUntrusted]; ok { | ||
| if c.ContainerdConfig.UntrustedWorkloadRuntime.Type != "" { | ||
| return errors.New("conflicting untrusted runtimes defined") |
|
The e2e test is completely broken now, probably caused by #895, but I need to verify. Before that I'll avoid merging any new PRs. |
|
/lgtm |
Implement the changes proposed in #879:
plugins.cri.containerd.untrusted_workload_runtime. If it is provided, give it the implicit configuration name ofuntrusted.ContainerdConfigfield:Runtimes map[string]RuntimecriService.getSandboxRuntimeto take the runtime handler as a parameter, and map it to the correct runtime configIntegration tests to follow
/cc @Random-Liu