add sysctls_allowed_1_27 and will add min version for it
Signed-off-by: Paco Xu <paco.xu@daocloud.io>
This commit is contained in:
parent
ca4022c4da
commit
1a83393135
@ -61,6 +61,10 @@ func CheckSysctls() Check {
|
||||
MinimumVersion: api.MajorMinorVersion(1, 0),
|
||||
CheckPod: sysctls_1_0,
|
||||
},
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 27),
|
||||
CheckPod: sysctls_1_27,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -72,16 +76,31 @@ var (
|
||||
"net.ipv4.tcp_syncookies",
|
||||
"net.ipv4.ping_group_range",
|
||||
"net.ipv4.ip_unprivileged_port_start",
|
||||
)
|
||||
sysctls_allowed_1_27 = sets.NewString(
|
||||
"kernel.shm_rmid_forced",
|
||||
"net.ipv4.ip_local_port_range",
|
||||
"net.ipv4.tcp_syncookies",
|
||||
"net.ipv4.ping_group_range",
|
||||
"net.ipv4.ip_unprivileged_port_start",
|
||||
"net.ipv4.ip_local_reserved_ports",
|
||||
)
|
||||
)
|
||||
|
||||
func sysctls_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
return sysctls(podMetadata, podSpec, sysctls_allowed_1_0)
|
||||
}
|
||||
|
||||
func sysctls_1_27(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
return sysctls(podMetadata, podSpec, sysctls_allowed_1_27)
|
||||
}
|
||||
|
||||
func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, sysctls_allowed_set sets.String) CheckResult {
|
||||
var forbiddenSysctls []string
|
||||
|
||||
if podSpec.SecurityContext != nil {
|
||||
for _, sysctl := range podSpec.SecurityContext.Sysctls {
|
||||
if !sysctls_allowed_1_0.Has(sysctl.Name) {
|
||||
if !sysctls_allowed_set.Has(sysctl.Name) {
|
||||
forbiddenSysctls = append(forbiddenSysctls, sysctl.Name)
|
||||
}
|
||||
}
|
||||
|
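Review bot: The new `sysctls` helper and the `sysctls_allowed_1_27` set carry no doc comment, so a reader cannot tell why the second allowlist restates all five 1.0 entries plus `net.ipv4.ip_local_reserved_ports`, and the parameter name `sysctls_allowed_set` is underscore-style where Go code would use `allowed` (the `sysctls_1_0`/`sysctls_1_27` names follow this file's existing versioned-function convention; the parameter does not). I would add `// sysctls_allowed_1_27 is a complete snapshot of the sysctls the v1.27 policy allows: sysctls_allowed_1_0 plus net.ipv4.ip_local_reserved_ports; presumably it mirrors the kubelet's safe-sysctl list for that release — confirm when bumping.` above the set and `// sysctls returns a forbidden result listing every pod-level sysctl not contained in the supplied allowlist.` above the helper, with the signature becoming `func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, allowed sets.String) CheckResult {` and the check `if !allowed.Has(sysctl.Name) {`. Since these sets are the policy's security boundary, keeping each version's list explicit rather than deriving it from the previous one is the right call, but the comment should state that each list is a full snapshot so a future edit does not silently widen an older version. The body of `sysctls` continues past the end of the hunk.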
@ -26,6 +26,7 @@ func TestSysctls(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
allowed bool
|
||||
expectReason string
|
||||
expectDetail string
|
||||
}{
|
||||
@ -36,22 +37,92 @@ func TestSysctls(t *testing.T) {
|
||||
Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
|
||||
},
|
||||
}},
|
||||
allowed: false,
|
||||
expectReason: `forbidden sysctls`,
|
||||
expectDetail: `a, b`,
|
||||
},
|
||||
{
|
||||
name: "new supported sysctls not supported",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
SecurityContext: &corev1.PodSecurityContext{
|
||||
Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},},
|
||||
},
|
||||
}},
|
||||
allowed: false,
|
||||
expectReason: `forbidden sysctls`,
|
||||
expectDetail: `net.ipv4.ip_local_reserved_ports`,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
result := sysctls_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if result.Allowed {
|
||||
t.Fatal("expected disallowed")
|
||||
}
|
||||
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
if !tc.allowed {
|
||||
if result.Allowed {
|
||||
t.Fatal("expected disallowed")
|
||||
}
|
||||
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
} else {
|
||||
if !result.Allowed {
|
||||
t.Fatal("expected allowed")
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSysctls_1_27(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
allowed bool
|
||||
expectReason string
|
||||
expectDetail string
|
||||
}{
|
||||
{
|
||||
name: "forbidden sysctls",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
SecurityContext: &corev1.PodSecurityContext{
|
||||
Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
|
||||
},
|
||||
}},
|
||||
allowed: false,
|
||||
expectReason: `forbidden sysctls`,
|
||||
expectDetail: `a, b`,
|
||||
},
|
||||
{
|
||||
name: "new supported sysctls",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
SecurityContext: &corev1.PodSecurityContext{
|
||||
Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},},
|
||||
},
|
||||
}},
|
||||
allowed: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
result := sysctls_1_27(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if !tc.allowed {
|
||||
if result.Allowed {
|
||||
t.Fatal("expected disallowed")
|
||||
}
|
||||
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
} else {
|
||||
if !result.Allowed {
|
||||
t.Fatal("expected allowed")
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
|
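Review bot: `TestSysctls_1_27` repeats the table struct and the entire assertion body of `TestSysctls` verbatim, with only the check function and one case differing; a `check func(*metav1.ObjectMeta, *corev1.PodSpec) CheckResult` field in the shared table and `result := tc.check(&tc.pod.ObjectMeta, &tc.pod.Spec)` in a single loop would keep one copy of the comparison logic (the `allowed` field added in the earlier hunk of this test file is already shared by both). The literals at `{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},}` in both tests carry a trailing comma before a same-line `}`, which gofmt normally removes, so as far as I can tell the hunk is not gofmt-clean and `gofmt -l` should be run on it. The case name "new supported sysctls not supported" reads ambiguously; `name: "sysctl allowed only from 1.27 is forbidden in 1.0",` says what is being asserted. Neither test has a case with `SecurityContext == nil` or an empty `Sysctls` list, which is presumably the allowed path of the 1.0 check and the branch the newly added `else { ... t.Fatal("expected allowed") }` arm in `TestSysctls` never reaches, since every case there still sets `allowed: false`.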