github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-05-09 00:47:30 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: get UID from PodSecurityContext

Browse Source 
Get UID from PodSecurityContext for other k8s resource types too,
not just for Pods.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This commit is contained in:
Dan Mihai 2024-09-10 22:01:45 +00:00
parent 5badc30a69
commit 16f5ebf5f9
8 changed files with 41 additions and 10 deletions

4
src/tools/genpolicy/src/daemon_set.rs
View File

@ -147,4 +147,8 @@ impl yaml::K8sResource for DaemonSet {
.clone()
.or_else(|| Some(String::new()))
}
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}

4
src/tools/genpolicy/src/deployment.rs
View File

@ -145,4 +145,8 @@ impl yaml::K8sResource for Deployment {
.clone()
.or_else(|| Some(String::new()))
}
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}

4
src/tools/genpolicy/src/job.rs
View File

@ -110,4 +110,8 @@ impl yaml::K8sResource for Job {
}
false
}
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}

12
src/tools/genpolicy/src/pod.rs
View File

@ -94,7 +94,7 @@ pub struct PodSpec {
topologySpreadConstraints: Option<Vec<TopologySpreadConstraint>>,
#[serde(skip_serializing_if = "Option::is_none")]
securityContext: Option<PodSecurityContext>,
pub securityContext: Option<PodSecurityContext>,
#[serde(skip_serializing_if = "Option::is_none")]
priorityClassName: Option<String>,
@ -312,9 +312,9 @@ struct SeccompProfile {
/// See Reference / Kubernetes API / Workload Resources / Pod.
#[derive(Clone, Debug, Serialize, Deserialize)]
struct PodSecurityContext {
pub struct PodSecurityContext {
#[serde(skip_serializing_if = "Option::is_none")]
runAsUser: Option<i64>,
pub runAsUser: Option<i64>,
// TODO: additional fields.
}
@ -893,11 +893,7 @@ impl yaml::K8sResource for Pod {
}
fn get_process_fields(&self, process: &mut policy::KataProcess) {
if let Some(context) = &self.spec.securityContext {
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
}
yaml::get_process_fields(process, &self.spec.securityContext);
}
}

4
src/tools/genpolicy/src/replica_set.rs
View File

@ -108,4 +108,8 @@ impl yaml::K8sResource for ReplicaSet {
}
false
}
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}

4
src/tools/genpolicy/src/replication_controller.rs
View File

@ -110,4 +110,8 @@ impl yaml::K8sResource for ReplicationController {
}
false
}
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}

4
src/tools/genpolicy/src/stateful_set.rs
View File

@ -192,6 +192,10 @@ impl yaml::K8sResource for StatefulSet {
.clone()
.or_else(|| Some(String::new()))
}
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}
impl StatefulSet {

15
src/tools/genpolicy/src/yaml.rs
View File

@ -97,8 +97,8 @@ pub trait K8sResource {
}
fn get_process_fields(&self, _process: &mut policy::KataProcess) {
// Just Pods can have a PodSecurityContext field, so the other
// resources can use this default get_process_fields implementation.
// No need to implement support for securityContext or similar fields
// for some of the K8s resource types.
}
}
@ -378,3 +378,14 @@ fn handle_unused_field(path: &str, silent_unsupported_fields: bool) {
panic!("Unsupported field: {}", path);
}
}
pub fn get_process_fields(
process: &mut policy::KataProcess,
security_context: &Option<pod::PodSecurityContext>,
) {
if let Some(context) = security_context {
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
}
}