github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

add sysctls_allowed_1_27 and will add min version for it

Browse Source 
Signed-off-by: Paco Xu <paco.xu@daocloud.io>
This commit is contained in:
Paco Xu 2023-02-01 10:37:49 +08:00
parent ca4022c4da
commit 1a83393135
2 changed files with 99 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
View File

@ -61,6 +61,10 @@ func CheckSysctls() Check {
MinimumVersion: api.MajorMinorVersion(1, 0), MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: sysctls_1_0, CheckPod: sysctls_1_0,
}, },
{
MinimumVersion: api.MajorMinorVersion(1, 27),
CheckPod: sysctls_1_27,
},
}, },
} }
} }
@ -72,16 +76,31 @@ var (
"net.ipv4.tcp_syncookies", "net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range", "net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start", "net.ipv4.ip_unprivileged_port_start",
)
sysctls_allowed_1_27 = sets.NewString(
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
"net.ipv4.ip_local_reserved_ports", "net.ipv4.ip_local_reserved_ports",
) )
) )
func sysctls_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { func sysctls_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return sysctls(podMetadata, podSpec, sysctls_allowed_1_0)
}
func sysctls_1_27(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return sysctls(podMetadata, podSpec, sysctls_allowed_1_27)
}
func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, sysctls_allowed_set sets.String) CheckResult {
var forbiddenSysctls []string var forbiddenSysctls []string
if podSpec.SecurityContext != nil { if podSpec.SecurityContext != nil {
for _, sysctl := range podSpec.SecurityContext.Sysctls { for _, sysctl := range podSpec.SecurityContext.Sysctls {
if !sysctls_allowed_1_0.Has(sysctl.Name) { if !sysctls_allowed_set.Has(sysctl.Name) {
forbiddenSysctls = append(forbiddenSysctls, sysctl.Name) forbiddenSysctls = append(forbiddenSysctls, sysctl.Name)
} }
} }

87
staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
View File

@ -26,6 +26,7 @@ func TestSysctls(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
pod *corev1.Pod pod *corev1.Pod
allowed bool
expectReason string expectReason string
expectDetail string expectDetail string
}{ }{
@ -36,22 +37,92 @@ func TestSysctls(t *testing.T) {
Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}}, Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
}, },
}}, }},
allowed: false,
expectReason: `forbidden sysctls`, expectReason: `forbidden sysctls`,
expectDetail: `a, b`, expectDetail: `a, b`,
}, },
{
name: "new supported sysctls not supported",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},},
},
}},
allowed: false,
expectReason: `forbidden sysctls`,
expectDetail: `net.ipv4.ip_local_reserved_ports`,
},
} }
for _, tc := range tests { for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
result := sysctls_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec) result := sysctls_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed { if !tc.allowed {
t.Fatal("expected disallowed") if result.Allowed {
} t.Fatal("expected disallowed")
if e, a := tc.expectReason, result.ForbiddenReason; e != a { }
t.Errorf("expected\n%s\ngot\n%s", e, a) if e, a := tc.expectReason, result.ForbiddenReason; e != a {
} t.Errorf("expected\n%s\ngot\n%s", e, a)
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a { }
t.Errorf("expected\n%s\ngot\n%s", e, a) if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
} else {
if !result.Allowed {
t.Fatal("expected allowed")
}
}
})
}
}
func TestSysctls_1_27(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
allowed bool
expectReason string
expectDetail string
}{
{
name: "forbidden sysctls",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
},
}},
allowed: false,
expectReason: `forbidden sysctls`,
expectDetail: `a, b`,
},
{
name: "new supported sysctls",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},},
},
}},
allowed: true,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result := sysctls_1_27(&tc.pod.ObjectMeta, &tc.pod.Spec)
if !tc.allowed {
if result.Allowed {
t.Fatal("expected disallowed")
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
} else {
if !result.Allowed {
t.Fatal("expected allowed")
}
} }
}) })
} }