github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-20 10:20:51 +00:00
Code Issues Projects Releases Wiki Activity

Not share process namespace if user explicitly disables it

Browse Source 
This PR sets higher priority to the `share-processes` flag than
provided profile.

For example, if user tries to use copy-to debugging with restricted
profiling, share process namespace should be false if user explicitly
disables it via `--share-processes=false`.
This commit is contained in:
Arda Güçlü 2023-03-08 11:58:28 +03:00
parent e390791e5f
commit 0e98533d1b
2 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
View File

@ -1201,6 +1201,46 @@ func TestGeneratePodCopyWithDebugContainer(t *testing.T) {
}, },
}, },
}, },
{
name: "baseline profile not share process when user explicitly disables it",
opts: &DebugOptions{
CopyTo: "debugger",
Container: "debugger",
Image: "busybox",
PullPolicy: corev1.PullIfNotPresent,
Profile: ProfileBaseline,
ShareProcesses: false,
shareProcessedChanged: true,
},
havePod: &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "target",
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "debugger",
},
},
NodeName: "node-1",
},
},
wantPod: &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "debugger",
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "debugger",
Image: "busybox",
ImagePullPolicy: corev1.PullIfNotPresent,
},
},
ShareProcessNamespace: pointer.Bool(false),
},
},
},
{ {
name: "restricted profile", name: "restricted profile",
opts: &DebugOptions{ opts: &DebugOptions{

4
staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
View File

@ -250,7 +250,9 @@ func useHostNamespaces(p *corev1.Pod) {
// shareProcessNamespace configures all containers in the pod to share the // shareProcessNamespace configures all containers in the pod to share the
// process namespace. // process namespace.
func shareProcessNamespace(p *corev1.Pod) { func shareProcessNamespace(p *corev1.Pod) {
p.Spec.ShareProcessNamespace = pointer.Bool(true) if p.Spec.ShareProcessNamespace == nil {
p.Spec.ShareProcessNamespace = pointer.Bool(true)
}
} }
// clearSecurityContext clears the security context for the container. // clearSecurityContext clears the security context for the container.