github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

RunAsUser causes pods to not start on Windows

Browse Source
This commit is contained in:
James Sturtevant 2022-05-26 18:05:57 +00:00
parent ee0a070865
commit 061b8e8049
1 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
test/e2e/framework/pod/utils.go
View File

@ -85,6 +85,16 @@ func GetTestImageID(id imageutils.ImageID) imageutils.ImageID {
return id return id
} }
// GetDefaultNonRootUser returns default non root user
// If the Node OS is windows, we return nill due to issue with invalid permissions set on projected volumes
// https://github.com/kubernetes/kubernetes/issues/102849
func GetDefaultNonRootUser() *int64 {
if NodeOSDistroIs("windows") {
return nil
}
return pointer.Int64(DefaultNonRootUser)
}
// GeneratePodSecurityContext generates the corresponding pod security context with the given inputs // GeneratePodSecurityContext generates the corresponding pod security context with the given inputs
// If the Node OS is windows, currently we will ignore the inputs and return nil. // If the Node OS is windows, currently we will ignore the inputs and return nil.
// TODO: Will modify it after windows has its own security context // TODO: Will modify it after windows has its own security context
@ -123,15 +133,25 @@ func GetLinuxLabel() *v1.SELinuxOptions {
// DefaultNonRootUser is the default user ID used for running restricted (non-root) containers. // DefaultNonRootUser is the default user ID used for running restricted (non-root) containers.
const DefaultNonRootUser = 1000 const DefaultNonRootUser = 1000
// DefaultNonRootUserName is the default username in Windows used for running restricted (non-root) containers
const DefaultNonRootUserName = "ContainerUser"
// GetRestrictedPodSecurityContext returns a restricted pod security context. // GetRestrictedPodSecurityContext returns a restricted pod security context.
// This includes setting RunAsUser for convenience, to pass the RunAsNonRoot check. // This includes setting RunAsUser for convenience, to pass the RunAsNonRoot check.
// Tests that require a specific user ID should override this. // Tests that require a specific user ID should override this.
func GetRestrictedPodSecurityContext() *v1.PodSecurityContext { func GetRestrictedPodSecurityContext() *v1.PodSecurityContext {
return &v1.PodSecurityContext{ psc := &v1.PodSecurityContext{
RunAsNonRoot: pointer.BoolPtr(true), RunAsNonRoot: pointer.BoolPtr(true),
RunAsUser: pointer.Int64(DefaultNonRootUser), RunAsUser: GetDefaultNonRootUser(),
SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
} }
if NodeOSDistroIs("windows") {
psc.WindowsOptions = &v1.WindowsSecurityContextOptions{}
psc.WindowsOptions.RunAsUserName = pointer.StringPtr(DefaultNonRootUserName)
}
return psc
} }
// GetRestrictedContainerSecurityContext returns a minimal restricted container security context. // GetRestrictedContainerSecurityContext returns a minimal restricted container security context.
@ -164,11 +184,15 @@ func MixinRestrictedPodSecurity(pod *v1.Pod) error {
pod.Spec.SecurityContext.RunAsNonRoot = pointer.BoolPtr(true) pod.Spec.SecurityContext.RunAsNonRoot = pointer.BoolPtr(true)
} }
if pod.Spec.SecurityContext.RunAsUser == nil { if pod.Spec.SecurityContext.RunAsUser == nil {
pod.Spec.SecurityContext.RunAsUser = pointer.Int64Ptr(DefaultNonRootUser) pod.Spec.SecurityContext.RunAsUser = GetDefaultNonRootUser()
} }
if pod.Spec.SecurityContext.SeccompProfile == nil { if pod.Spec.SecurityContext.SeccompProfile == nil {
pod.Spec.SecurityContext.SeccompProfile = &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault} pod.Spec.SecurityContext.SeccompProfile = &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}
} }
if NodeOSDistroIs("windows") && pod.Spec.SecurityContext.WindowsOptions == nil {
pod.Spec.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{}
pod.Spec.SecurityContext.WindowsOptions.RunAsUserName = pointer.StringPtr(DefaultNonRootUserName)
}
} }
for i := range pod.Spec.Containers { for i := range pod.Spec.Containers {
mixinRestrictedContainerSecurityContext(&pod.Spec.Containers[i]) mixinRestrictedContainerSecurityContext(&pod.Spec.Containers[i])