From f0b7063481828ec632e22cff29c179745bbe23e3 Mon Sep 17 00:00:00 2001
From: Shang Ding
Date: Thu, 9 Feb 2023 19:22:52 -0600
Subject: [PATCH] fix restricted debug profile

Ensure that the restricted debug profile with the node debugging styles doesn't clear security context after we have already set runAsNonRoot and drop-all capabilities.
---
 .../k8s.io/kubectl/pkg/cmd/debug/debug_test.go | 6 ++++++
 .../k8s.io/kubectl/pkg/cmd/debug/profiles.go | 17 +++++++++--------
 .../kubectl/pkg/cmd/debug/profiles_test.go | 16 +++++++++++++++-
 3 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
index e46280b259c..7869655b1c4 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
@@ -1601,6 +1601,12 @@ func TestGenerateNodeDebugPod(t *testing.T) {
 ImagePullPolicy: corev1.PullIfNotPresent,
 TerminationMessagePolicy: corev1.TerminationMessageReadFile,
 VolumeMounts: nil,
+ SecurityContext: &corev1.SecurityContext{
+ RunAsNonRoot: pointer.Bool(true),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ },
 },
 },
 HostIPC: false,
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go b/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
index 57f4e07b27a..609e4575267 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
@@ -173,17 +173,15 @@ func (p *restrictedProfile) Apply(pod *corev1.Pod, containerName string, target
 return fmt.Errorf("restricted profile: %s", err)
 }
+ clearSecurityContext(pod, containerName)
 disallowRoot(pod, containerName)
 dropCapabilities(pod, containerName)
 switch style {
- case node:
- clearSecurityContext(pod, containerName)
-
 case podCopy:
 shareProcessNamespace(pod)
- case ephemeral:
+ case ephemeral, node:
 // no additional modifications needed
 }
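Review bot: The added `clearSecurityContext(pod, containerName)` fixes the node style only because it now runs before `disallowRoot` and `dropCapabilities`; that ordering is the entire fix, yet nothing in `Apply` records it, and a later reordering of these three calls would reintroduce the wiped context the commit message describes. I'd put `// clearSecurityContext must run before disallowRoot and dropCapabilities: it resets the context those two then populate.` directly above the added line. A secondary point, hedged because the helper bodies are not in this hunk: after the clear the container is left with only RunAsNonRoot and Drop: ALL, so if this profile is meant to satisfy the restricted Pod Security Standard it would also need allowPrivilegeEscalation=false and a RuntimeDefault seccomp profile, and this is the place they would go. `Apply` begins before the hunk and appears to continue after it.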
@@ -286,9 +284,10 @@ func disallowRoot(p *corev1.Pod, containerName string) {
 if c.Name != containerName {
 return true
 }
- c.SecurityContext = &corev1.SecurityContext{
- RunAsNonRoot: pointer.Bool(true),
+ if c.SecurityContext == nil {
+ c.SecurityContext = &corev1.SecurityContext{}
 }
+ c.SecurityContext.RunAsNonRoot = pointer.Bool(true)
 return false
 })
 }
@@ -302,9 +301,11 @@ func dropCapabilities(p *corev1.Pod, containerName string) {
 if c.SecurityContext == nil {
 c.SecurityContext = &corev1.SecurityContext{}
 }
- c.SecurityContext.Capabilities = &corev1.Capabilities{
- Drop: []corev1.Capability{"ALL"},
+ if c.SecurityContext.Capabilities == nil {
+ c.SecurityContext.Capabilities = &corev1.Capabilities{}
 }
+ c.SecurityContext.Capabilities.Drop = []corev1.Capability{"ALL"}
+ c.SecurityContext.Capabilities.Add = nil
 return false
 })
 }
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles_test.go
index 6dfe3f994aa..a397fa272ad 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles_test.go
@@ -397,7 +397,15 @@ func TestRestrictedProfile(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: "pod"},
 Spec: corev1.PodSpec{
 Containers: []corev1.Container{
- {Name: "dbg", Image: "dbgimage"},
+ {
+ Name: "dbg",
+ Image: "dbgimage",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"ALL"},
+ },
+ },
+ },
 },
 },
 },
@@ -410,6 +418,12 @@ func TestRestrictedProfile(t *testing.T) {
 {
 Name: "dbg",
 Image: "dbgimage",
+ SecurityContext: &corev1.SecurityContext{
+ RunAsNonRoot: pointer.Bool(true),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ },
 },
 },
 },
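Review bot: `disallowRoot` now merges into an existing SecurityContext instead of replacing it, so any field already set on the container — `RunAsUser: 0`, `Privileged: true`, `AllowPrivilegeEscalation: true` — survives the call, where the old assignment discarded it. Inside `restrictedProfile.Apply` that is only safe because `clearSecurityContext` now runs first; the helper on its own no longer yields a minimal context, and the same holds for `dropCapabilities` in the next hunk, which resets `Capabilities.Add` but keeps every other field. I'd state the contract on the helper: `// disallowRoot only sets RunAsNonRoot; other fields of an existing SecurityContext are kept. Callers that need a clean context must call clearSecurityContext first.` The container-visiting closure these lines belong to starts before the hunk.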
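Review bot: The new fixture seeds only `Capabilities.Add: ALL`, so it proves the re-granted capabilities are dropped but says nothing about other pre-set fields; since `disallowRoot` now merges rather than replaces, a second case with `RunAsUser: pointer.Int64(0)` or `Privileged: pointer.Bool(true)` on the input container would pin down whether those are removed by `clearSecurityContext` or carried into the expected output. The matching expectation for this case is in the following hunk. The table in TestRestrictedProfile starts before the hunk.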