github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-02 00:02:01 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: support sysctl settings

Browse Source 
Sysctls may be added to a container by the Kubernetes pod definition or
by containerd configuration. This commit adds support for the
corresponding PodSecurityContext field and an option to specify
environment-dependent sysctls in the settings file.

The sysctls requested in a CreateContainerRequest are checked against
the sysctls in the pod definition, or if not defined there in the
defaults in genpolicy-settings.json. There is no check for the presence
of expected sysctls, though, because Kubernetes might legitimately
omit unsafe syscalls itself and because default sysctls might not apply
to all containers.

Fixes: #10064
Signed-off-by: Markus Rudy <mr@edgeless.systems>
This commit is contained in:
Markus Rudy 2024-07-24 09:48:48 +02:00
parent 5aa89bc1d7
commit 70709455ef
16 changed files with 668 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/tools/genpolicy/genpolicy-settings.json
View File

@ -39,6 +39,10 @@
]
},
"Linux": {
"Sysctl": {
"net.ipv4.ip_unprivileged_port_start": "0",
"net.ipv4.ping_group_range": "0 2147483647"
},
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
@ -132,6 +136,12 @@
"io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
"io.katacontainers.pkg.oci.container_type": "pod_container",
"io.kubernetes.cri.container-type": "container"
},
"Linux": {
"Sysctl": {
"net.ipv4.ip_unprivileged_port_start": "0",
"net.ipv4.ping_group_range": "0 2147483647"
}
}
},
"volumes": {

19
src/tools/genpolicy/rules.rego
View File

@ -132,7 +132,6 @@ allow_create_container_input {
is_null(i_linux.Resources.Network)
is_null(i_linux.Resources.Pids)
is_null(i_linux.Seccomp)
i_linux.Sysctl == {}
i_process := i_oci.Process
count(i_process.SelinuxLabel) == 0
@ -461,6 +460,7 @@ allow_linux(state_ops, p_oci, i_oci) := {"ops": ops, "allowed": true} {
allow_masked_paths(p_oci, i_oci)
allow_readonly_paths(p_oci, i_oci)
allow_linux_devices(p_oci.Linux.Devices, i_oci.Linux.Devices)
allow_linux_sysctl(p_oci.Linux, i_oci.Linux)
ret := allow_network_namespace_start(state_ops, p_oci, i_oci)
ret.allowed
@ -607,6 +607,23 @@ allow_linux_devices(p_devices, i_devices) {
print("allow_linux_devices: true")
}
allow_linux_sysctl(p_linux, i_linux) {
print("allow_linux_sysctl 1: start")
not i_linux.Sysctl
print("allow_linux_sysctl 1: true")
}
allow_linux_sysctl(p_linux, i_linux) {
print("allow_linux_sysctl 2: start")
p_sysctl := p_linux.Sysctl
i_sysctl := i_linux.Sysctl
every i_name, i_val in i_sysctl {
print("allow_linux_sysctl 2: i_name =", i_name, "i_val =", i_val)
p_sysctl[i_name] == i_val
}
print("allow_linux_sysctl 2: true")
}
# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
# and io.kubernetes.cri.sandbox-id" values with other fields.
allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {

4
src/tools/genpolicy/src/containerd.rs
View File

@ -3,6 +3,8 @@
// SPDX-License-Identifier: Apache-2.0
//
use std::collections::BTreeMap;
use crate::policy;
// Default process field from containerd.
@ -153,6 +155,7 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux {
"/proc/sysrq-trigger".to_string(),
],
Devices: vec![],
Sysctl: BTreeMap::new(),
}
} else {
policy::KataLinux {
@ -160,6 +163,7 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux {
MaskedPaths: vec![],
ReadonlyPaths: vec![],
Devices: vec![],
Sysctl: BTreeMap::new(),
}
}
}

4
src/tools/genpolicy/src/cronjob.rs
View File

@ -154,4 +154,8 @@ impl yaml::K8sResource for CronJob {
&self.spec.jobTemplate.spec.template.spec.securityContext,
);
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.jobTemplate.spec.template.spec.securityContext)
}
}

4
src/tools/genpolicy/src/daemon_set.rs
View File

@ -151,4 +151,8 @@ impl yaml::K8sResource for DaemonSet {
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
}

4
src/tools/genpolicy/src/deployment.rs
View File

@ -149,4 +149,8 @@ impl yaml::K8sResource for Deployment {
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
}

4
src/tools/genpolicy/src/job.rs
View File

@ -114,4 +114,8 @@ impl yaml::K8sResource for Job {
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
}

14
src/tools/genpolicy/src/pod.rs
View File

@ -315,9 +315,19 @@ struct SeccompProfile {
pub struct PodSecurityContext {
#[serde(skip_serializing_if = "Option::is_none")]
pub runAsUser: Option<i64>,
#[serde(skip_serializing_if = "Option::is_none")]
pub sysctls: Option<Vec<Sysctl>>,
// TODO: additional fields.
}
/// See Reference / Kubernetes API / Workload Resources / Pod.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct Sysctl {
pub name: String,
pub value: String,
}
/// See Reference / Kubernetes API / Workload Resources / Pod.
#[derive(Clone, Debug, Serialize, Deserialize)]
struct Lifecycle {
@ -895,6 +905,10 @@ impl yaml::K8sResource for Pod {
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.securityContext);
}
fn get_sysctls(&self) -> Vec<Sysctl> {
yaml::get_sysctls(&self.spec.securityContext)
}
}
impl Container {

11
src/tools/genpolicy/src/policy.rs
View File

@ -180,14 +180,20 @@ pub struct KataLinux {
pub Namespaces: Vec<KataLinuxNamespace>,
/// MaskedPaths masks over the provided paths inside the container.
#[serde(default)]
pub MaskedPaths: Vec<String>,
/// ReadonlyPaths sets the provided paths as RO inside the container.
#[serde(default)]
pub ReadonlyPaths: Vec<String>,
/// Devices contains devices to be created inside the container.
#[serde(default)]
pub Devices: Vec<KataLinuxDevice>,
/// Sysctls contains sysctls to be applied inside the container.
#[serde(default, skip_serializing_if = "BTreeMap::is_empty")]
pub Sysctl: BTreeMap<String, String>,
}
/// OCI container LinuxNamespace struct. This struct is similar to the LinuxNamespace
@ -606,6 +612,11 @@ impl AgentPolicy {
linux.Devices.push(default_device.clone())
}
linux.Sysctl.extend(c_settings.Linux.Sysctl.clone());
for sysctl in resource.get_sysctls() {
linux.Sysctl.insert(sysctl.name, sysctl.value);
}
ContainerPolicy {
OCI: KataSpec {
Version: self.config.settings.kata_config.oci_version.clone(),

4
src/tools/genpolicy/src/replica_set.rs
View File

@ -112,4 +112,8 @@ impl yaml::K8sResource for ReplicaSet {
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
}

4
src/tools/genpolicy/src/replication_controller.rs
View File

@ -114,4 +114,8 @@ impl yaml::K8sResource for ReplicationController {
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
}

4
src/tools/genpolicy/src/stateful_set.rs
View File

@ -196,6 +196,10 @@ impl yaml::K8sResource for StatefulSet {
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
yaml::get_sysctls(&self.spec.template.spec.securityContext)
}
}
impl StatefulSet {

13
src/tools/genpolicy/src/yaml.rs
View File

@ -100,6 +100,10 @@ pub trait K8sResource {
// No need to implement support for securityContext or similar fields
// for some of the K8s resource types.
}
fn get_sysctls(&self) -> Vec<pod::Sysctl> {
vec![]
}
}
/// See Reference / Kubernetes API / Common Definitions / LabelSelector.
@ -389,3 +393,12 @@ pub fn get_process_fields(
}
}
}
pub fn get_sysctls(security_context: &Option<pod::PodSecurityContext>) -> Vec<pod::Sysctl> {
if let Some(context) = security_context {
if let Some(ref sysctls) = context.sysctls {
return sysctls.clone();
}
}
vec![]
}

5
src/tools/genpolicy/tests/main.rs
View File

@ -139,4 +139,9 @@ mod tests {
async fn test_create_container_network_namespace() {
runtests::<CreateContainerRequest>("createcontainer/network_namespace").await;
}
#[tokio::test]
async fn test_create_container_sysctls() {
runtests::<CreateContainerRequest>("createcontainer/sysctls").await;
}
}

13
src/tools/genpolicy/tests/testdata/createcontainer/sysctls/pod.yaml vendored Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: policy-redis-deployment-6674f9448-xjrzf
spec:
runtimeClassName: kata-cc-isolation
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: 1
containers:
- name: redis
image: registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db

552
src/tools/genpolicy/tests/testdata/createcontainer/sysctls/testcases.json vendored Normal file
View File

@ -0,0 +1,552 @@
[
{
"description": "sysctls listed in yaml or settings",
"allowed": true,
"state": {"sandbox_name": "policy-redis-deployment-6674f9448-xjrzf"},
"request": {
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"io.katacontainers.pkg.oci.container_type": "pod_sandbox",
"io.kubernetes.cri.container-type": "sandbox",
"io.kubernetes.cri.podsandbox.image-name": "registry.k8s.io/pause:3.10",
"io.kubernetes.cri.sandbox-cpu-period": "100000",
"io.kubernetes.cri.sandbox-cpu-quota": "0",
"io.kubernetes.cri.sandbox-cpu-shares": "102",
"io.kubernetes.cri.sandbox-id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/default_policy-redis-deployment-6674f9448-xjrzf_9c64c5bf-298f-46c4-ad63-e2270a2ff44c",
"io.kubernetes.cri.sandbox-memory": "0",
"io.kubernetes.cri.sandbox-name": "policy-redis-deployment-6674f9448-xjrzf",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "9c64c5bf-298f-46c4-ad63-e2270a2ff44c",
"nerdctl/network-namespace": "/var/run/netns/cni-22190131-6f68-2878-6d7b-418baf176cdf"
},
"Hooks": null,
"Hostname": "policy-redis-deployment-6674f9448-xjrzf",
"Linux": {
"CgroupsPath": "/kubepods/burstable/pod9c64c5bf-298f-46c4-ad63-e2270a2ff44c/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/sys/devices/virtual/powercap",
"/proc/scsi"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 0,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": null,
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {
"net.ipv4.ip_unprivileged_port_start": "0",
"net.ipv4.ping_group_range": "0 2147483647",
"net.ipv4.ip_forward": "1"
},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "proc",
"type_": "proc"
},
{
"destination": "/dev",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
],
"source": "tmpfs",
"type_": "tmpfs"
},
{
"destination": "/dev/pts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
],
"source": "devpts",
"type_": "devpts"
},
{
"destination": "/dev/mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "mqueue",
"type_": "mqueue"
},
{
"destination": "/sys",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
],
"source": "sysfs",
"type_": "sysfs"
},
{
"destination": "/dev/shm",
"options": [
"rbind"
],
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind"
},
{
"destination": "/etc/resolv.conf",
"options": [
"rbind",
"ro",
"nosuid",
"nodev",
"noexec"
],
"source": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12-b3930b9af7125931-resolv.conf",
"type_": "bind"
}
],
"Process": {
"ApparmorProfile": "",
"Args": [
"/pause"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"NoNewPrivileges": true,
"OOMScoreAdj": -998,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
0
],
"GID": 0,
"UID": 65535,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"Readonly": true
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"devices": [],
"exec_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"sandbox_pidns": false,
"shared_mounts": [],
"stderr_port": 0,
"stdin_port": 0,
"stdout_port": 0,
"storages": [
{
"driver": "image_guest_pull",
"driver_options": [
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12\",\"io.katacontainers.pkg.oci.container_type\":\"pod_sandbox\",\"io.kubernetes.cri.container-type\":\"sandbox\",\"io.kubernetes.cri.podsandbox.image-name\":\"registry.k8s.io/pause:3.10\",\"io.kubernetes.cri.sandbox-cpu-period\":\"100000\",\"io.kubernetes.cri.sandbox-cpu-quota\":\"0\",\"io.kubernetes.cri.sandbox-cpu-shares\":\"102\",\"io.kubernetes.cri.sandbox-id\":\"4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12\",\"io.kubernetes.cri.sandbox-log-directory\":\"/var/log/pods/default_policy-redis-deployment-6674f9448-xjrzf_9c64c5bf-298f-46c4-ad63-e2270a2ff44c\",\"io.kubernetes.cri.sandbox-memory\":\"0\",\"io.kubernetes.cri.sandbox-name\":\"policy-redis-deployment-6674f9448-xjrzf\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"9c64c5bf-298f-46c4-ad63-e2270a2ff44c\",\"nerdctl/network-namespace\":\"/var/run/netns/cni-22190131-6f68-2878-6d7b-418baf176cdf\"}}"
],
"fs_group": null,
"fstype": "overlay",
"mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"options": [],
"source": "pause"
}
],
"string_user": null
}
},
{
"description": "sysctl not listed in yaml or settings",
"allowed": false,
"state": {"sandbox_name": "policy-redis-deployment-6674f9448-xjrzf"},
"request": {
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"io.katacontainers.pkg.oci.container_type": "pod_sandbox",
"io.kubernetes.cri.container-type": "sandbox",
"io.kubernetes.cri.podsandbox.image-name": "registry.k8s.io/pause:3.10",
"io.kubernetes.cri.sandbox-cpu-period": "100000",
"io.kubernetes.cri.sandbox-cpu-quota": "0",
"io.kubernetes.cri.sandbox-cpu-shares": "102",
"io.kubernetes.cri.sandbox-id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"io.kubernetes.cri.sandbox-log-directory": "/var/log/pods/default_policy-redis-deployment-6674f9448-xjrzf_9c64c5bf-298f-46c4-ad63-e2270a2ff44c",
"io.kubernetes.cri.sandbox-memory": "0",
"io.kubernetes.cri.sandbox-name": "policy-redis-deployment-6674f9448-xjrzf",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "9c64c5bf-298f-46c4-ad63-e2270a2ff44c",
"nerdctl/network-namespace": "/var/run/netns/cni-22190131-6f68-2878-6d7b-418baf176cdf"
},
"Hooks": null,
"Hostname": "policy-redis-deployment-6674f9448-xjrzf",
"Linux": {
"CgroupsPath": "/kubepods/burstable/pod9c64c5bf-298f-46c4-ad63-e2270a2ff44c/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/sys/devices/virtual/powercap",
"/proc/scsi"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 0,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": null,
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {
"net.ipv4.ip_unprivileged_port_start": "0",
"net.ipv4.ping_group_range": "0 2147483647",
"net.ipv4.conf.all.src_valid_mark": "1"
},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "proc",
"type_": "proc"
},
{
"destination": "/dev",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
],
"source": "tmpfs",
"type_": "tmpfs"
},
{
"destination": "/dev/pts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
],
"source": "devpts",
"type_": "devpts"
},
{
"destination": "/dev/mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "mqueue",
"type_": "mqueue"
},
{
"destination": "/sys",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
],
"source": "sysfs",
"type_": "sysfs"
},
{
"destination": "/dev/shm",
"options": [
"rbind"
],
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind"
},
{
"destination": "/etc/resolv.conf",
"options": [
"rbind",
"ro",
"nosuid",
"nodev",
"noexec"
],
"source": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12-b3930b9af7125931-resolv.conf",
"type_": "bind"
}
],
"Process": {
"ApparmorProfile": "",
"Args": [
"/pause"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"NoNewPrivileges": true,
"OOMScoreAdj": -998,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
0
],
"GID": 0,
"UID": 65535,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"Readonly": true
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"devices": [],
"exec_id": "4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12",
"sandbox_pidns": false,
"shared_mounts": [],
"stderr_port": 0,
"stdin_port": 0,
"stdout_port": 0,
"storages": [
{
"driver": "image_guest_pull",
"driver_options": [
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12\",\"io.katacontainers.pkg.oci.container_type\":\"pod_sandbox\",\"io.kubernetes.cri.container-type\":\"sandbox\",\"io.kubernetes.cri.podsandbox.image-name\":\"registry.k8s.io/pause:3.10\",\"io.kubernetes.cri.sandbox-cpu-period\":\"100000\",\"io.kubernetes.cri.sandbox-cpu-quota\":\"0\",\"io.kubernetes.cri.sandbox-cpu-shares\":\"102\",\"io.kubernetes.cri.sandbox-id\":\"4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12\",\"io.kubernetes.cri.sandbox-log-directory\":\"/var/log/pods/default_policy-redis-deployment-6674f9448-xjrzf_9c64c5bf-298f-46c4-ad63-e2270a2ff44c\",\"io.kubernetes.cri.sandbox-memory\":\"0\",\"io.kubernetes.cri.sandbox-name\":\"policy-redis-deployment-6674f9448-xjrzf\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"9c64c5bf-298f-46c4-ad63-e2270a2ff44c\",\"nerdctl/network-namespace\":\"/var/run/netns/cni-22190131-6f68-2878-6d7b-418baf176cdf\"}}"
],
"fs_group": null,
"fstype": "overlay",
"mount_point": "/run/kata-containers/shared/containers/4bae4a8e74302a8edfe17424aff0b632cae893687f4d9ad2f2115666899f9a12/rootfs",
"options": [],
"source": "pause"
}
],
"string_user": null
}
}
]