genpolicy: Parse secContext runAsGroup and allowPrivilegeEscalation

Our policy should cover these fields for securityContexts at either the pod or
the container level.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
Cameron Baird 2025-04-08 18:02:04 +00:00
parent 349ce8c339
commit c13d7796ee
2 changed files with 23 additions and 0 deletions


@ -296,6 +296,9 @@ struct SecurityContext {
#[serde(skip_serializing_if = "Option::is_none")]
runAsUser: Option<i64>,
#[serde(skip_serializing_if = "Option::is_none")]
runAsGroup: Option<i64>,
#[serde(skip_serializing_if = "Option::is_none")]
seccompProfile: Option<SeccompProfile>,
}
@ -318,6 +321,12 @@ pub struct PodSecurityContext {
#[serde(skip_serializing_if = "Option::is_none")]
pub sysctls: Option<Vec<Sysctl>>,
#[serde(skip_serializing_if = "Option::is_none")]
pub runAsGroup: Option<i64>,
#[serde(skip_serializing_if = "Option::is_none")]
pub allowPrivilegeEscalation: Option<bool>,
// TODO: additional fields.
}
@ -962,6 +971,11 @@ impl Container {
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
if let Some(gid) = context.runAsGroup {
process.User.GID = gid.try_into().unwrap();
}
if let Some(allow) = context.allowPrivilegeEscalation {
process.NoNewPrivileges = !allow
}
@ -1008,6 +1022,7 @@ pub async fn add_pause_container(containers: &mut Vec<Container>, config: &Confi
privileged: None,
capabilities: None,
runAsUser: None,
runAsGroup: None,
seccompProfile: None,
}),
..Default::default()
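Review bot: The second hunk adds `allowPrivilegeEscalation` to `PodSecurityContext`, but as far as I know the Kubernetes API defines that field only on the container-level `SecurityContext`, and the API server prunes unknown pod-level fields; a policy derived from a pod-level value would then encode a `NoNewPrivileges` expectation that the kubelet never passes to the runtime, so the generated policy and the actual container spec disagree. Unless there is a project-specific reason to accept it at pod level, I would keep the field on the container `SecurityContext` only (the hunk for that struct adds just `runAsGroup`, so the field presumably already exists there or the `impl Container` hunk reads a different context), or at least mark the intent: `// NOTE: not a Kubernetes PodSecurityContext field; accepted here for policy generation only`. `PodSecurityContext` begins before the hunk and its remaining fields are not visible, so I cannot tell whether something else already relies on this.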


@ -391,6 +391,14 @@ pub fn get_process_fields(
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
if let Some(gid) = context.runAsGroup {
process.User.GID = gid.try_into().unwrap();
}
if let Some(allow) = context.allowPrivilegeEscalation {
process.NoNewPrivileges = !allow
}
}
}