github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-27 15:57:09 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: get UID from PodSecurityContext

Browse Source 
Get UID from PodSecurityContext for other k8s resource types too,
not just for Pods.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This commit is contained in:
Dan Mihai 2024-09-10 22:01:45 +00:00
parent 5badc30a69
commit 16f5ebf5f9
8 changed files with 41 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/tools/genpolicy/src/daemon_set.rs
View File

@ -147,4 +147,8 @@ impl yaml::K8sResource for DaemonSet {
.clone() .clone()
.or_else(|| Some(String::new())) .or_else(|| Some(String::new()))
} }
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
} }

4
src/tools/genpolicy/src/deployment.rs
View File

@ -145,4 +145,8 @@ impl yaml::K8sResource for Deployment {
.clone() .clone()
.or_else(|| Some(String::new())) .or_else(|| Some(String::new()))
} }
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
} }

4
src/tools/genpolicy/src/job.rs
View File

@ -110,4 +110,8 @@ impl yaml::K8sResource for Job {
} }
false false
} }
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
} }

12
src/tools/genpolicy/src/pod.rs
View File

@ -94,7 +94,7 @@ pub struct PodSpec {
topologySpreadConstraints: Option<Vec<TopologySpreadConstraint>>, topologySpreadConstraints: Option<Vec<TopologySpreadConstraint>>,
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]
securityContext: Option<PodSecurityContext>, pub securityContext: Option<PodSecurityContext>,
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]
priorityClassName: Option<String>, priorityClassName: Option<String>,
@ -312,9 +312,9 @@ struct SeccompProfile {
/// See Reference / Kubernetes API / Workload Resources / Pod. /// See Reference / Kubernetes API / Workload Resources / Pod.
#[derive(Clone, Debug, Serialize, Deserialize)] #[derive(Clone, Debug, Serialize, Deserialize)]
struct PodSecurityContext { pub struct PodSecurityContext {
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]
runAsUser: Option<i64>, pub runAsUser: Option<i64>,
// TODO: additional fields. // TODO: additional fields.
} }
@ -893,11 +893,7 @@ impl yaml::K8sResource for Pod {
} }
fn get_process_fields(&self, process: &mut policy::KataProcess) { fn get_process_fields(&self, process: &mut policy::KataProcess) {
if let Some(context) = &self.spec.securityContext { yaml::get_process_fields(process, &self.spec.securityContext);
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
}
} }
} }

4
src/tools/genpolicy/src/replica_set.rs
View File

@ -108,4 +108,8 @@ impl yaml::K8sResource for ReplicaSet {
} }
false false
} }
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
} }

4
src/tools/genpolicy/src/replication_controller.rs
View File

@ -110,4 +110,8 @@ impl yaml::K8sResource for ReplicationController {
} }
false false
} }
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
} }

4
src/tools/genpolicy/src/stateful_set.rs
View File

@ -192,6 +192,10 @@ impl yaml::K8sResource for StatefulSet {
.clone() .clone()
.or_else(|| Some(String::new())) .or_else(|| Some(String::new()))
} }
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
} }
impl StatefulSet { impl StatefulSet {

15
src/tools/genpolicy/src/yaml.rs
View File

@ -97,8 +97,8 @@ pub trait K8sResource {
} }
fn get_process_fields(&self, _process: &mut policy::KataProcess) { fn get_process_fields(&self, _process: &mut policy::KataProcess) {
// Just Pods can have a PodSecurityContext field, so the other // No need to implement support for securityContext or similar fields
// resources can use this default get_process_fields implementation. // for some of the K8s resource types.
} }
} }
@ -378,3 +378,14 @@ fn handle_unused_field(path: &str, silent_unsupported_fields: bool) {
panic!("Unsupported field: {}", path); panic!("Unsupported field: {}", path);
} }
} }
pub fn get_process_fields(
process: &mut policy::KataProcess,
security_context: &Option<pod::PodSecurityContext>,
) {
if let Some(context) = security_context {
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
}
}