github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-05 18:24:07 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #8022 from ddysher/kubelet-privilege

Browse Source 
Check Pod privileged container
This commit is contained in:
Victor Marmol 2015-05-11 09:01:58 -07:00
commit 307d677e06
4 changed files with 65 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/kubelet/dockertools/manager.go
View File

@ -30,7 +30,6 @@ import (
"sync" "sync"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api" "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
"github.com/GoogleCloudPlatform/kubernetes/pkg/client/record" "github.com/GoogleCloudPlatform/kubernetes/pkg/client/record"
kubecontainer "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/container" kubecontainer "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/container"
"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/lifecycle" "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/lifecycle"
@ -542,10 +541,6 @@ func (dm *DockerManager) runContainer(pod *api.Pod, container *api.Container, op
} }
} }
if !capabilities.Get().AllowPrivileged && securitycontext.HasPrivilegedRequest(container) {
return "", fmt.Errorf("container requested privileged mode, but it is disallowed globally.")
}
hc := &docker.HostConfig{ hc := &docker.HostConfig{
PortBindings: portBindings, PortBindings: portBindings,
Binds: opts.Binds, Binds: opts.Binds,

53
pkg/kubelet/kubelet_test.go
View File

@ -3754,6 +3754,59 @@ func TestHostNetworkDisallowed(t *testing.T) {
} }
} }
func TestPrivilegeContainerAllowed(t *testing.T) {
testKubelet := newTestKubelet(t)
kubelet := testKubelet.kubelet
capabilities.SetForTests(capabilities.Capabilities{
AllowPrivileged: true,
})
privileged := true
pod := &api.Pod{
ObjectMeta: api.ObjectMeta{
UID: "12345678",
Name: "foo",
Namespace: "new",
},
Spec: api.PodSpec{
Containers: []api.Container{
{Name: "foo", SecurityContext: &api.SecurityContext{Privileged: &privileged}},
},
},
}
kubelet.podManager.SetPods([]*api.Pod{pod})
err := kubelet.syncPod(pod, nil, container.Pod{})
if err != nil {
t.Errorf("expected pod infra creation to succeed: %v", err)
}
}
func TestPrivilegeContainerDisallowed(t *testing.T) {
testKubelet := newTestKubelet(t)
kubelet := testKubelet.kubelet
capabilities.SetForTests(capabilities.Capabilities{
AllowPrivileged: false,
})
privileged := true
pod := &api.Pod{
ObjectMeta: api.ObjectMeta{
UID: "12345678",
Name: "foo",
Namespace: "new",
},
Spec: api.PodSpec{
Containers: []api.Container{
{Name: "foo", SecurityContext: &api.SecurityContext{Privileged: &privileged}},
},
},
}
err := kubelet.syncPod(pod, nil, container.Pod{})
if err == nil {
t.Errorf("expected pod infra creation to fail")
}
}
func TestSyncPodsWithRestartPolicy(t *testing.T) { func TestSyncPodsWithRestartPolicy(t *testing.T) {
testKubelet := newTestKubelet(t) testKubelet := newTestKubelet(t)
testKubelet.fakeCadvisor.On("MachineInfo").Return(&cadvisorApi.MachineInfo{}, nil) testKubelet.fakeCadvisor.On("MachineInfo").Return(&cadvisorApi.MachineInfo{}, nil)

6
pkg/kubelet/rkt/rkt.go
View File

@ -31,7 +31,6 @@ import (
"time" "time"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api" "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
"github.com/GoogleCloudPlatform/kubernetes/pkg/client/record" "github.com/GoogleCloudPlatform/kubernetes/pkg/client/record"
"github.com/GoogleCloudPlatform/kubernetes/pkg/credentialprovider" "github.com/GoogleCloudPlatform/kubernetes/pkg/credentialprovider"
kubecontainer "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/container" kubecontainer "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/container"
@ -213,13 +212,10 @@ func setIsolators(app *appctypes.App, c *api.Container) error {
// Retained capabilities/privileged. // Retained capabilities/privileged.
privileged := false privileged := false
if !capabilities.Get().AllowPrivileged && securitycontext.HasPrivilegedRequest(c) {
return fmt.Errorf("container requested privileged mode, but it is disallowed globally.")
} else {
if c.SecurityContext != nil && c.SecurityContext.Privileged != nil { if c.SecurityContext != nil && c.SecurityContext.Privileged != nil {
privileged = *c.SecurityContext.Privileged privileged = *c.SecurityContext.Privileged
} }
}
var addCaps string var addCaps string
if privileged { if privileged {
addCaps = getAllCapabilities() addCaps = getAllCapabilities()

10
pkg/kubelet/util.go
View File

@ -22,6 +22,7 @@ import (
"github.com/GoogleCloudPlatform/kubernetes/pkg/api" "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api/resource" "github.com/GoogleCloudPlatform/kubernetes/pkg/api/resource"
"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities" "github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
"github.com/GoogleCloudPlatform/kubernetes/pkg/securitycontext"
cadvisorApi "github.com/google/cadvisor/info/v1" cadvisorApi "github.com/google/cadvisor/info/v1"
) )
@ -48,7 +49,14 @@ func canRunPod(pod *api.Pod) error {
return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID) return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
} }
} }
// TODO(vmarmol): Check Privileged too.
if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
}
return nil return nil
} }