Merge pull request #115672 from sding3/fix-restricted-profile

fix restricted debug profile
2025-07-21 10:51:29 +00:00 · 2023-03-03 12:28:57 -08:00 · 2023-03-03 12:28:57 -08:00 · 20df9dd6b7
commit 20df9dd6b7
parent a1b12e49ea f0b7063481
3 changed files with 30 additions and 9 deletions
--- a/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
@ -1601,6 +1601,12 @@ func TestGenerateNodeDebugPod(t *testing.T) {
 							ImagePullPolicy:          corev1.PullIfNotPresent,
 							TerminationMessagePolicy: corev1.TerminationMessageReadFile,
 							VolumeMounts:             nil,
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot: pointer.Bool(true),
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+							},
 						},
 					},
 					HostIPC:       false,
--- a/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
@ -173,17 +173,15 @@ func (p *restrictedProfile) Apply(pod *corev1.Pod, containerName string, target
 		return fmt.Errorf("restricted profile: %s", err)
 	}

+	clearSecurityContext(pod, containerName)
 	disallowRoot(pod, containerName)
 	dropCapabilities(pod, containerName)

 	switch style {
-	case node:
-		clearSecurityContext(pod, containerName)
-
 	case podCopy:
 		shareProcessNamespace(pod)

-	case ephemeral:
+	case ephemeral, node:
 		// no additional modifications needed
 	}

@ -286,9 +284,10 @@ func disallowRoot(p *corev1.Pod, containerName string) {
 		if c.Name != containerName {
 			return true
 		}
-		c.SecurityContext = &corev1.SecurityContext{
-			RunAsNonRoot: pointer.Bool(true),
+		if c.SecurityContext == nil {
+			c.SecurityContext = &corev1.SecurityContext{}
 		}
+		c.SecurityContext.RunAsNonRoot = pointer.Bool(true)
 		return false
 	})
 }
@ -302,9 +301,11 @@ func dropCapabilities(p *corev1.Pod, containerName string) {
 		if c.SecurityContext == nil {
 			c.SecurityContext = &corev1.SecurityContext{}
 		}
-		c.SecurityContext.Capabilities = &corev1.Capabilities{
-			Drop: []corev1.Capability{"ALL"},
+		if c.SecurityContext.Capabilities == nil {
+			c.SecurityContext.Capabilities = &corev1.Capabilities{}
 		}
+		c.SecurityContext.Capabilities.Drop = []corev1.Capability{"ALL"}
+		c.SecurityContext.Capabilities.Add = nil
 		return false
 	})
 }
--- a/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles_test.go
@ -397,7 +397,15 @@ func TestRestrictedProfile(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "pod"},
 				Spec: corev1.PodSpec{
 					Containers: []corev1.Container{
-						{Name: "dbg", Image: "dbgimage"},
+						{
+							Name:  "dbg",
+							Image: "dbgimage",
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Add: []corev1.Capability{"ALL"},
+								},
+							},
+						},
 					},
 				},
 			},
@ -410,6 +418,12 @@ func TestRestrictedProfile(t *testing.T) {
 						{
 							Name:  "dbg",
 							Image: "dbgimage",
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot: pointer.Bool(true),
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+							},
 						},
 					},
 				},