Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security hardening guide for scheduler configuration #45080

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Security hardening guide for scheduler configuration #45080

wants to merge 2 commits into from
+84 −0

Conversation

AnshumanTripathi
Copy link
Contributor

@AnshumanTripathi AnshumanTripathi commented Feb 10, 2024
edited
Loading

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 10, 2024
@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Feb 10, 2024
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: AnshumanTripathi / name: Anshuman Tripathi (0b307ff, dda9966)

@k8s-ci-robot
Copy link
Contributor

Welcome @AnshumanTripathi!

It looks like this is your first PR to kubernetes/website 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/website has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 10, 2024
@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Feb 10, 2024
@k8s-ci-robot k8s-ci-robot requested a review from tengqm February 10, 2024 08:07
@k8s-ci-robot k8s-ci-robot added the sig/docs Categorizes an issue or PR as relevant to SIG Docs. label Feb 10, 2024
@netlify Netlify
Copy link

netlify bot commented Feb 10, 2024
edited
Loading

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit dda9966
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/67319b3c15ec33000825b023
😎 Deploy Preview https://deploy-preview-45080--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Feb 10, 2024
@sftim
Copy link
Contributor

sftim commented Feb 10, 2024

/sig security

@k8s-ci-robot k8s-ci-robot added the sig/security Categorizes an issue or PR as relevant to SIG Security. label Feb 10, 2024
@AnshumanTripathi AnshumanTripathi marked this pull request as ready for review February 13, 2024 06:34
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 13, 2024
@reylejano
Copy link
Member

@kubernetes/sig-security-pr-reviews please take a look

@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch 3 times, most recently from 0728e98 to 2cae0ed Compare February 18, 2024 21:05
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 5958b41 to 90fb6d6 Compare February 18, 2024 21:10
sftim
sftim reviewed Mar 14, 2024
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some more feedback.

content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from beca647 to 2aa72f3 Compare March 15, 2024 05:57
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 19972a5 to ab53e96 Compare March 24, 2024 20:13
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch 3 times, most recently from e3ece46 to b0b839d Compare May 11, 2024 21:30
@sftim
Copy link
Contributor

sftim commented May 12, 2024

@kubernetes/sig-security-pr-reviews please take a look at this one. SIG Scheduling can confirm details where appropriate.

sftim
sftim reviewed May 12, 2024
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could clarify what we mean by “configurations”. Did you mean command line settings?

content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from a56a358 to 898ba26 Compare May 12, 2024 02:26
Huang-Wei
Huang-Wei reviewed May 16, 2024
View reviewed changes
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
content/en/docs/concepts/security/hardening-guide/scheduler.md Outdated Show resolved Hide resolved
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 90a0df4 to b702281 Compare June 8, 2024 14:22
@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 27, 2024
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch 2 times, most recently from 48f872a to aff9201 Compare July 21, 2024 07:28
@AnshumanTripathi AnshumanTripathi mentioned this pull request Sep 15, 2024
Closed
11 tasks
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from a3bc006 to 3006e43 Compare September 21, 2024 20:47
This was referenced Sep 21, 2024
Open
Open
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 82c18fd to 645c130 Compare September 29, 2024 21:26
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch 2 times, most recently from 3257350 to 0f58ec4 Compare October 6, 2024 04:40
@AnshumanTripathi
Security hardening guide for scheduler configuration
0b307ff 
Signed-off-by: Anshuman Tripathi <[email protected]>

[WIP] Security hardening guide for scheduler configurations

Signed-off-by: Anshuman Tripathi <[email protected]>

Updates after passing through hemmingway.app

Signed-off-by: Anshuman Tripathi <[email protected]>

Update scheduling configurations

Signed-off-by: Anshuman Tripathi <[email protected]>

Apply suggestions from code review

Co-authored-by: Tim Bannister <[email protected]>
Co-authored-by: Daniel Register <[email protected]>

Updates based on PR feedback

Signed-off-by: Anshuman Tripathi <[email protected]>

Update bind-address definition

Signed-off-by: Anshuman Tripathi <[email protected]>

Update phrasing of permit-address-sharing

Signed-off-by: Anshuman Tripathi <[email protected]>

Add -- to args

Signed-off-by: Anshuman Tripathi <[email protected]>

Sentence case in table title

Signed-off-by: Anshuman Tripathi <[email protected]>

Reword and correct grammer based on feedback

Signed-off-by: Anshuman Tripathi <[email protected]>

Remove verbatim argument description

Signed-off-by: Anshuman Tripathi <[email protected]>

More updates

Signed-off-by: Anshuman Tripathi <[email protected]>

Update custom scheduler heading and description

Signed-off-by: Anshuman Tripathi <[email protected]>

Remove dashes on args

Signed-off-by: Anshuman Tripathi <[email protected]>

Apply suggestions from code review

Co-authored-by: Tim Bannister <[email protected]>
Signed-off-by: Anshuman Tripathi <[email protected]>

Update table title

Signed-off-by: Anshuman Tripathi <[email protected]>

Update based on feedback

Signed-off-by: Anshuman Tripathi <[email protected]>

node selector

Signed-off-by: Anshuman Tripathi <[email protected]>

Feedback

Signed-off-by: Anshuman Tripathi <[email protected]>

Update authentication and TLS configuration

Signed-off-by: Anshuman Tripathi <[email protected]>

profiling

Signed-off-by: Anshuman Tripathi <[email protected]>

Replace tables with bullets

Signed-off-by: Anshuman Tripathi <[email protected]>

Fix custom scheduler directive and link

Signed-off-by: Anshuman Tripathi <[email protected]>

style

Signed-off-by: Anshuman Tripathi <[email protected]>
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 0f58ec4 to 0b307ff Compare November 11, 2024 04:42
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign chanieljdan for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@AnshumanTripathi
Update based on feedback
dda9966 
Signed-off-by: Anshuman Tripathi <[email protected]>
tabbysable
tabbysable reviewed Dec 13, 2024
View reviewed changes
content/en/docs/concepts/security/hardening-guide/scheduler.md
This creates two scheduler profiles: `default-scheduler` and ` my-custom-scheduler`.
Whenever the `.spec` of a Pod does not have a value for `.spec.schedulerName`, the kube-scheduler runs for that Pod, using its main configuration, and default plugins.
If you define a Pod with `.spec.schedulerName` set to `my-custom-scheduler`, the kube-scheduler also runs but with a custom configuration; in that custom configuration,
the `queueSort`, `filter` and `permit` extension points are disabled.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What in that configuration disables the filter extension point? Is it bundled in somehow with either queueSort or permit?

@sftim
Copy link
Contributor

sftim commented Dec 13, 2024

See #45080 (comment) for some relevant commentary about where these docs should live.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tabbysable tabbysable tabbysable left review comments

@network-charles network-charles network-charles left review comments

@sftim sftim sftim left review comments

@bijou-code bijou-code bijou-code left review comments

@tengqm tengqm tengqm left review comments

@Huang-Wei Huang-Wei Huang-Wei left review comments

@raesene raesene raesene left review comments

@shannonxtreme shannonxtreme Awaiting requested review from shannonxtreme

@dipesh-rawat dipesh-rawat Awaiting requested review from dipesh-rawat

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/security Categorizes an issue or PR as relevant to SIG Security. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@AnshumanTripathi @k8s-ci-robot @sftim @reylejano @raesene @Huang-Wei @tengqm @bijou-code @network-charles @tabbysable