Merge pull request #115672 from sding3/fix-restricted-profile

fix restricted debug profile
This commit is contained in:
Kubernetes Prow Robot 2023-03-03 12:28:57 -08:00 committed by GitHub
commit 20df9dd6b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 9 deletions


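--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1601,6 +1601,12 @@ func TestGenerateNodeDebugPod(t *testing.T) {
 ImagePullPolicy: corev1.PullIfNotPresent,
 TerminationMessagePolicy: corev1.TerminationMessageReadFile,
 VolumeMounts: nil,
+SecurityContext: &corev1.SecurityContext{
+RunAsNonRoot: pointer.Bool(true),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 },
 },
 HostIPC: false,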


@ -173,17 +173,15 @@ func (p *restrictedProfile) Apply(pod *corev1.Pod, containerName string, target
return fmt.Errorf("restricted profile: %s", err) return fmt.Errorf("restricted profile: %s", err)
} }
clearSecurityContext(pod, containerName)
disallowRoot(pod, containerName) disallowRoot(pod, containerName)
dropCapabilities(pod, containerName) dropCapabilities(pod, containerName)
switch style { switch style {
case node:
clearSecurityContext(pod, containerName)
case podCopy: case podCopy:
shareProcessNamespace(pod) shareProcessNamespace(pod)
case ephemeral: case ephemeral, node:
// no additional modifications needed // no additional modifications needed
} }
@ -286,9 +284,10 @@ func disallowRoot(p *corev1.Pod, containerName string) {
if c.Name != containerName { if c.Name != containerName {
return true return true
} }
c.SecurityContext = &corev1.SecurityContext{ if c.SecurityContext == nil {
RunAsNonRoot: pointer.Bool(true), c.SecurityContext = &corev1.SecurityContext{}
} }
c.SecurityContext.RunAsNonRoot = pointer.Bool(true)
return false return false
}) })
} }
@ -302,9 +301,11 @@ func dropCapabilities(p *corev1.Pod, containerName string) {
if c.SecurityContext == nil { if c.SecurityContext == nil {
c.SecurityContext = &corev1.SecurityContext{} c.SecurityContext = &corev1.SecurityContext{}
} }
c.SecurityContext.Capabilities = &corev1.Capabilities{ if c.SecurityContext.Capabilities == nil {
Drop: []corev1.Capability{"ALL"}, c.SecurityContext.Capabilities = &corev1.Capabilities{}
} }
c.SecurityContext.Capabilities.Drop = []corev1.Capability{"ALL"}
c.SecurityContext.Capabilities.Add = nil
return false return false
}) })
} }
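Review bot: disallowRoot now merges RunAsNonRoot into whatever SecurityContext the target container already carries instead of replacing it, so every other pre-set field on that SecurityContext survives this helper; the restricted guarantees therefore hinge on clearSecurityContext running before disallowRoot and dropCapabilities in Apply, which the reordering in the first hunk appears to do (that hunk's blank lines are not rendered, so the exact ordering is inferred). That contract should be stated on the helper, e.g. `// disallowRoot sets RunAsNonRoot on the named container, preserving any other SecurityContext fields; callers that need a clean slate must call clearSecurityContext first.` The same note applies to dropCapabilities, which keeps the existing SecurityContext and only rewrites Capabilities.Drop and Capabilities.Add. In the test hunks shown, the only pre-existing SecurityContext exercised is Capabilities.Add: "ALL"; a case where the input container already has other SecurityContext fields set would pin the clear-then-apply ordering that this fix depends on.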


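--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -397,7 +397,15 @@ func TestRestrictedProfile(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: "pod"},
 Spec: corev1.PodSpec{
 Containers: []corev1.Container{
-{Name: "dbg", Image: "dbgimage"},
+{
+Name: "dbg",
+Image: "dbgimage",
+SecurityContext: &corev1.SecurityContext{
+Capabilities: &corev1.Capabilities{
+Add: []corev1.Capability{"ALL"},
+},
+},
+},
 },
 },
 },
@@ -410,6 +418,12 @@ func TestRestrictedProfile(t *testing.T) {
 {
 Name: "dbg",
 Image: "dbgimage",
+SecurityContext: &corev1.SecurityContext{
+RunAsNonRoot: pointer.Bool(true),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 },
 },
 },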