From d5589ba65fa2d057d16030a275fc609922390f53 Mon Sep 17 00:00:00 2001 
From: Jordan Liggitt
Date: Wed, 25 Aug 2021 17:08:06 -0400
Subject: [PATCH] PodSecurity: optimize evaluation of fully-privileged namespaces

benchmark old ns/op new ns/op delta
BenchmarkVerifyPod/enforce-implicit_pod-12 2658 370 -86.07%
BenchmarkVerifyPod/enforce-implicit_deployment-12 2462 408 -83.42%
BenchmarkVerifyPod/enforce-privileged_pod-12 2346 420 -82.11%
BenchmarkVerifyPod/enforce-privileged_deployment-12 2318 426 -81.64%
BenchmarkVerifyPod/enforce-baseline_pod-12 3606 4259 +18.11%
BenchmarkVerifyPod/enforce-baseline_deployment-12 2032 341 -83.22%
BenchmarkVerifyPod/enforce-restricted_pod-12 3522 3322 -5.68%
BenchmarkVerifyPod/enforce-restricted_deployment-12 1893 327 -82.70%
BenchmarkVerifyPod/warn-baseline_pod-12 3076 2964 -3.64%
BenchmarkVerifyPod/warn-baseline_deployment-12 3111 3069 -1.35%
BenchmarkVerifyPod/warn-restricted_pod-12 3155 3223 +2.16%
BenchmarkVerifyPod/warn-restricted_deployment-12 3235 3443 +6.43%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 5148 5193 +0.87%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 4147 4295 +3.57%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 4286 4363 +1.80%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 4447 4482 +0.79%
benchmark old allocs new allocs delta
BenchmarkVerifyPod/enforce-implicit_pod-12 12 2 -83.33%
BenchmarkVerifyPod/enforce-implicit_deployment-12 14 2 -85.71%
BenchmarkVerifyPod/enforce-privileged_pod-12 12 2 -83.33%
BenchmarkVerifyPod/enforce-privileged_deployment-12 14 2 -85.71%
BenchmarkVerifyPod/enforce-baseline_pod-12 17 17 +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12 14 2 -85.71%
BenchmarkVerifyPod/enforce-restricted_pod-12 17 17 +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12 14 2 -85.71%
BenchmarkVerifyPod/warn-baseline_pod-12 17 17 +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12 19 19 +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12 17 17 +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12 19 19 +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 27 27 +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 24 24 +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 22 22 +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 24 24 +0.00%
benchmark old bytes new bytes delta
BenchmarkVerifyPod/enforce-implicit_pod-12 2120 208 -90.19%
BenchmarkVerifyPod/enforce-implicit_deployment-12 2304 208 -90.97%
BenchmarkVerifyPod/enforce-privileged_pod-12 2120 208 -90.19%
BenchmarkVerifyPod/enforce-privileged_deployment-12 2304 208 -90.97%
BenchmarkVerifyPod/enforce-baseline_pod-12 3368 3368 +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12 2304 208 -90.97%
BenchmarkVerifyPod/enforce-restricted_pod-12 3368 3368 +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12 2304 208 -90.97%
BenchmarkVerifyPod/warn-baseline_pod-12 3368 3368 +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12 3552 3552 +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12 3368 3368 +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12 3552 3552 +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 5864 5864 +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 4800 4800 +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 4616 4616 +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 4800 4800 +0.00%
---
 .../admission/admission.go | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission.go b/staging/src/k8s.io/pod-security-admission/admission/admission.go
index 33fdcc5ba85..4269b740383 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission.go
@@ -302,6 +302,17 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
 		return allowedResponse()
 	}
 
+	// short-circuit on privileged enforce+audit+warn namespaces
+	namespace, err := a.NamespaceGetter.GetNamespace(ctx, attrs.GetNamespace())
+	if err != nil {
+		klog.ErrorS(err, "failed to fetch pod namespace", "namespace", attrs.GetNamespace())
+		return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", attrs.GetNamespace()))
+	}
+	nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
+	if nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
+		return allowedResponse()
+	}
+
 	obj, err := attrs.GetObject()
 	if err != nil {
 		klog.ErrorS(err, "failed to decode object")
@@ -341,6 +352,17 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
 		return allowedResponse()
 	}
 
+	// short-circuit on privileged audit+warn namespaces
+	namespace, err := a.NamespaceGetter.GetNamespace(ctx, attrs.GetNamespace())
+	if err != nil {
+		klog.ErrorS(err, "failed to fetch pod namespace", "namespace", attrs.GetNamespace())
+		return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", attrs.GetNamespace()))
+	}
+	nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
+	if nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
+		return allowedResponse()
+	}
+
 	obj, err := attrs.GetObject()
 	if err != nil {
 		klog.ErrorS(err, "failed to decode object")
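Review bot: The fast path in ValidatePod throws away the error list from `a.PolicyToEvaluate(namespace.Labels)` (`nsPolicy, _ :=`), so a namespace whose pod-security labels are malformed but whose fallback policy resolves to privileged in all three modes is admitted here with no indication to the caller that the labels are broken; if the full evaluation path later in the function reports those parse errors as warnings (that code is outside this hunk, so I cannot confirm it), the change silently drops that signal for exactly the namespaces most likely to be misconfigured. Gate the short-circuit on a clean parse so malformed labels still take the full path: `nsPolicy, nsPolicyErrs := a.PolicyToEvaluate(namespace.Labels)` and `if len(nsPolicyErrs) == 0 && nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {`. The early return also precedes `attrs.GetObject()`, so an undecodable pod in a fully-privileged namespace now passes this admission check instead of producing an error response; that is probably fine because the API server's own validation still runs, but it is a behaviour change the commit message should mention. ValidatePod begins and ends outside this hunk, so whether the later namespace lookup it presumably still performs is now redundant cannot be judged from here.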
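Review bot: The comment `// short-circuit on privileged audit+warn namespaces` in ValidatePodController does not explain why `nsPolicy.Enforce.Level` is absent from the condition, and a reader comparing it with the near-identical block in ValidatePod will reasonably wonder whether the omission is deliberate; if the reason is that pod-controller objects are only warned and audited, never enforced, a one-line why such as `// controller templates are never enforced, so only the warn and audit levels decide the fast path` removes the doubt. As in ValidatePod, the errors from `a.PolicyToEvaluate` are discarded with `_`, so I would also add `len(nsPolicyErrs) == 0 &&` to the condition so that a namespace with malformed labels still falls through to the full evaluation and whatever reporting it does. The two added blocks are line-for-line copies apart from the level check; extracting the namespace lookup and policy resolution into one helper would keep them from drifting. ValidatePodController's body continues past this hunk.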