Allow setting securityContext in ephemeral containers

[verb]

What type of PR is this?

/kind feature
/sig node
/priority important-soon

What this PR does / why we need it: This adds securityContext to the whitelist of fields allowed in ephemeral containers (kubernetes/enhancements#277).

Which issue(s) this PR fixes:

Fixes #53188

Special notes for your reviewer:

KEP-277 was amended to allow securityContext in kubernetes/enhancements#1690.

Does this PR introduce a user-facing change?

Ephemeral containers are now allowed to configure a securityContext that differs from that of the Pod.

action required: Cluster administrators should ensure that security policy controllers support EphemeralContainers before enabling this feature in clusters.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://git.k8s.io/enhancements/keps/sig-node/277-ephemeral-containers

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[k8s-ci-robot]

@verb: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[verb]

/test all

[verb]

/assign @tallclair

[verb]

/retest

[fejta-bot]

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

[verb]

/retest

[tallclair]

/lgtm

[verb]

@tallclair now that we've got the /ephemeralcontainers API changes, I think we can pick this up again. I've added the tests you requested. PTAL. Thanks!

/hold cancel

[akifkhan01]

Which release version are we planning to add this support for securityContext ?
@verb
this would be a critical support to enable ptrace and other tools in ephemeral containers via kubectl debug

[verb]

@akifkhan01 Ideally this will merge in time for 1.22. This PR is all that's required for configurable security context.

[tallclair]

/lgtm
/approve

[verb]

/assign @liggitt

[liggitt]

is there any coverage of this field for PodSecurity and PodSecurityPolicy?

[verb]

For PodSecurityPolicy I added tests to podsecuritypolicy/provider_test.go to run the Container tests on EphemeralContainer as well.

I wasn't following the PSP replacement and didn't know about PodSecurity until you mentioned it. I'm happy to add test coverage there as well once I bring myself up to speed. If the PSP coverage looks sufficient, how do you feel about addressing PodSecurity in a follow-up PR since it's still in alpha?

[liggitt]

as long as there's double opt-in and we have test coverage for the interaction before either this feature or PodSecurity graduates from alpha, that's ok

[liggitt]

including test coverage for ephemeral containers is in the PodSecurity KEP for alpha → beta graduation

fwiw, running with PodSecurity enabled, I just verified the PodSecurity enforce level already applies to ephemeral containers as well:

FEATURE_GATES=PodSecurity=true,EphemeralContainers=true hack/local-up-cluster.sh 

kubectl label ns default pod-security.kubernetes.io/enforce=restricted

kubectl apply -f ~/snippets/pods/restricted_pod.json 

kubectl debug restricted -it --image=busybox

Defaulting debug container name to debugger-86nkb.
Error from server (Forbidden): allowPrivilegeEscalation != false (container "debugger-86nkb" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "debugger-86nkb" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "debugger-86nkb" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "debugger-86nkb" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

[liggitt]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair, verb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• api/OWNERS [liggitt]
• pkg/api/OWNERS [liggitt]
• pkg/apis/OWNERS [liggitt]
• pkg/security/podsecuritypolicy/OWNERS [liggitt,tallclair]
• staging/src/k8s.io/api/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[JamesLaverack]

Hi v1.22 Enhancements Lead here. Enhancement 277 was not opted into v1.22. If you would still like to land this change in this release, please file an exception request.

/milestone clear

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[enj]

/milestone v1.22

Exception was approved.

[verb]

/retest

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.