add sysctls_allowed_1_27 and will add min version for it

Signed-off-by: Paco Xu <paco.xu@daocloud.io>
Paco Xu 2023-02-01 10:37:49 +08:00
parent ca4022c4da
commit 1a83393135
2 changed files with 99 additions and 9 deletions


@ -61,6 +61,10 @@ func CheckSysctls() Check {
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: sysctls_1_0,
},
{
MinimumVersion: api.MajorMinorVersion(1, 27),
CheckPod: sysctls_1_27,
},
},
}
}
@ -72,16 +76,31 @@ var (
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
)
sysctls_allowed_1_27 = sets.NewString(
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
"net.ipv4.ip_local_reserved_ports",
)
)
func sysctls_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return sysctls(podMetadata, podSpec, sysctls_allowed_1_0)
}
func sysctls_1_27(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return sysctls(podMetadata, podSpec, sysctls_allowed_1_27)
}
func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, sysctls_allowed_set sets.String) CheckResult {
var forbiddenSysctls []string
if podSpec.SecurityContext != nil {
for _, sysctl := range podSpec.SecurityContext.Sysctls {
if !sysctls_allowed_1_0.Has(sysctl.Name) {
if !sysctls_allowed_set.Has(sysctl.Name) {
forbiddenSysctls = append(forbiddenSysctls, sysctl.Name)
}
}
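Review bot: `sysctls_allowed_1_27` re-lists all five entries of `sysctls_allowed_1_0` verbatim, so any future edit to the 1.0 allowlist must be mirrored by hand or the two policy versions silently drift apart; deriving the newer set from the older one keeps a single source of truth, e.g. `sysctls_allowed_1_27 = sysctls_allowed_1_0.Union(sets.NewString("net.ipv4.ip_local_reserved_ports"))`. The new set also has no comment recording why it exists, which matters for an allowlist that widens what a baseline pod may set; a line such as `// sysctls_allowed_1_27 extends the 1.0 allowlist with net.ipv4.ip_local_reserved_ports, permitted from MinimumVersion 1.27 (see CheckSysctls).` would tie it to the version table above. As a style point, the new parameter `sysctls_allowed_set` uses underscores where Go convention would be `allowed sets.String`, though the file's existing versioned identifiers are underscored so this is minor. The body of `sysctls` continues past the end of this hunk.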


@ -26,6 +26,7 @@ func TestSysctls(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
allowed bool
expectReason string
expectDetail string
}{
@ -36,22 +37,92 @@ func TestSysctls(t *testing.T) {
Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
},
}},
allowed: false,
expectReason: `forbidden sysctls`,
expectDetail: `a, b`,
},
{
name: "new supported sysctls not supported",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},},
},
}},
allowed: false,
expectReason: `forbidden sysctls`,
expectDetail: `net.ipv4.ip_local_reserved_ports`,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result := sysctls_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed {
t.Fatal("expected disallowed")
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
if !tc.allowed {
if result.Allowed {
t.Fatal("expected disallowed")
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
} else {
if !result.Allowed {
t.Fatal("expected allowed")
}
}
})
}
}
func TestSysctls_1_27(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
allowed bool
expectReason string
expectDetail string
}{
{
name: "forbidden sysctls",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
},
}},
allowed: false,
expectReason: `forbidden sysctls`,
expectDetail: `a, b`,
},
{
name: "new supported sysctls",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},},
},
}},
allowed: true,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result := sysctls_1_27(&tc.pod.ObjectMeta, &tc.pod.Spec)
if !tc.allowed {
if result.Allowed {
t.Fatal("expected disallowed")
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
} else {
if !result.Allowed {
t.Fatal("expected allowed")
}
}
})
}