PodSecurity: Drop field path from container visitor
This commit is contained in:
parent
7895399077
commit
36907db929
@ -21,7 +21,6 @@ import (
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -59,7 +58,7 @@ func CheckAllowPrivilegeEscalation() Check {
|
||||
|
||||
func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
var badContainers []string
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil || *container.SecurityContext.AllowPrivilegeEscalation {
|
||||
badContainers = append(badContainers, container.Name)
|
||||
}
|
||||
|
@ -22,7 +22,6 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -78,7 +77,7 @@ var (
|
||||
func capabilitiesBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
var badContainers []string
|
||||
nonDefaultCapabilities := sets.NewString()
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
if container.SecurityContext != nil && container.SecurityContext.Capabilities != nil {
|
||||
valid := true
|
||||
for _, c := range container.SecurityContext.Capabilities.Add {
|
||||
|
@ -23,7 +23,6 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -77,7 +76,7 @@ func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1
|
||||
forbiddenCapabilities = sets.NewString()
|
||||
)
|
||||
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
if container.SecurityContext == nil || container.SecurityContext.Capabilities == nil {
|
||||
containersMissingDropAll = append(containersMissingDropAll, container.Name)
|
||||
return
|
||||
|
@ -24,7 +24,6 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -61,7 +60,7 @@ func CheckHostPorts() Check {
|
||||
func hostPorts_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
var badContainers []string
|
||||
forbiddenHostPorts := sets.NewString()
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
valid := true
|
||||
for _, c := range container.Ports {
|
||||
if c.HostPort != 0 {
|
||||
|
@ -21,7 +21,6 @@ import (
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -56,7 +55,7 @@ func CheckPrivileged() Check {
|
||||
|
||||
func privileged_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
var badContainers []string
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged {
|
||||
badContainers = append(badContainers, container.Name)
|
||||
}
|
||||
|
@ -23,7 +23,6 @@ import (
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -62,7 +61,7 @@ func CheckProcMount() Check {
|
||||
func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
var badContainers []string
|
||||
forbiddenProcMountTypes := sets.NewString()
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
// allow if the security context is nil.
|
||||
if container.SecurityContext == nil {
|
||||
return
|
||||
|
@ -22,7 +22,6 @@ import (
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -77,7 +76,7 @@ func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) C
|
||||
// containers that didn't set runAsNonRoot and aren't caught by a pod-level runAsNonRoot=true
|
||||
var implicitlyBadContainers []string
|
||||
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
if container.SecurityContext != nil && container.SecurityContext.RunAsNonRoot != nil {
|
||||
// container explicitly set runAsNonRoot
|
||||
if !*container.SecurityContext.RunAsNonRoot {
|
||||
|
@ -23,7 +23,6 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -112,7 +111,7 @@ func seLinuxOptions_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec)
|
||||
}
|
||||
|
||||
var badContainers []string
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
if container.SecurityContext != nil && container.SecurityContext.SELinuxOptions != nil {
|
||||
if !validSELinuxOptions(container.SecurityContext.SELinuxOptions) {
|
||||
badContainers = append(badContainers, container.Name)
|
||||
|
@ -23,7 +23,6 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -94,7 +93,7 @@ func seccompProfileBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.
|
||||
}
|
||||
}
|
||||
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(c *corev1.Container) {
|
||||
annotation := annotationKeyContainerPrefix + c.Name
|
||||
if val, ok := podMetadata.Annotations[annotation]; ok {
|
||||
if !validSeccompAnnotationValue(val) {
|
||||
@ -134,7 +133,7 @@ func seccompProfileBaseline_1_19(podMetadata *metav1.ObjectMeta, podSpec *corev1
|
||||
// containers that explicitly set seccompProfile.type to a bad value
|
||||
var explicitlyBadContainers []string
|
||||
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(c *corev1.Container) {
|
||||
if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
|
||||
// container explicitly set seccompProfile
|
||||
if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
|
||||
|
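Review bot: Style: the rewritten visitor closures in both seccompProfileBaseline hunks name their parameter `c` (`visitContainers(podSpec, func(c *corev1.Container) {`) while every other check touched by this commit names it `container`; since these lines are already being rewritten, `visitContainers(podSpec, func(container *corev1.Container) {` (and the matching `container.Name` / `container.SecurityContext` references) would keep the checks uniform. Nothing behavioural is affected; the seccomp annotation and seccompProfile.type logic is unchanged. Both enclosing functions start and end outside the hunks.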
@ -23,7 +23,6 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -81,7 +80,7 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core
|
||||
// containers that didn't set seccompProfile and aren't caught by a pod-level seccompProfile
|
||||
var implicitlyBadContainers []string
|
||||
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(c *corev1.Container) {
|
||||
if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
|
||||
// container explicitly set seccompProfile
|
||||
if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
|
||||
|
@ -22,7 +22,6 @@ import (
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
@ -59,7 +58,7 @@ func CheckWindowsHostProcess() Check {
|
||||
|
||||
func windowsHostProcess_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
var badContainers []string
|
||||
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
if container.SecurityContext != nil &&
|
||||
container.SecurityContext.WindowsOptions != nil &&
|
||||
container.SecurityContext.WindowsOptions.HostProcess != nil &&
|
||||
|
@ -18,25 +18,20 @@ package policy
|
||||
|
||||
import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
)
|
||||
|
||||
// ContainerVisitorWithPath is called with each container and the field.Path to that container
|
||||
type ContainerVisitorWithPath func(container *corev1.Container, path *field.Path)
|
||||
// ContainerVisitor is called with each container and the field.Path to that container
|
||||
type ContainerVisitor func(container *corev1.Container)
|
||||
|
||||
// visitContainersWithPath invokes the visitor function with a pointer to the spec
|
||||
// of every container in the given pod spec and the field.Path to that container.
|
||||
func visitContainersWithPath(podSpec *corev1.PodSpec, specPath *field.Path, visitor ContainerVisitorWithPath) {
|
||||
fldPath := specPath.Child("initContainers")
|
||||
// visitContainers invokes the visitor function for every container in the given pod spec
|
||||
func visitContainers(podSpec *corev1.PodSpec, visitor ContainerVisitor) {
|
||||
for i := range podSpec.InitContainers {
|
||||
visitor(&podSpec.InitContainers[i], fldPath.Index(i))
|
||||
visitor(&podSpec.InitContainers[i])
|
||||
}
|
||||
fldPath = specPath.Child("containers")
|
||||
for i := range podSpec.Containers {
|
||||
visitor(&podSpec.Containers[i], fldPath.Index(i))
|
||||
visitor(&podSpec.Containers[i])
|
||||
}
|
||||
fldPath = specPath.Child("ephemeralContainers")
|
||||
for i := range podSpec.EphemeralContainers {
|
||||
visitor((*corev1.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon), fldPath.Index(i))
|
||||
visitor((*corev1.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon))
|
||||
}
|
||||
}
|
||||
|
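Review bot: The doc comment on the new `type ContainerVisitor` line is stale: it still says the visitor "is called with each container and the field.Path to that container", but the new signature takes only `*corev1.Container`; it should read `// ContainerVisitor is called with each container in a pod spec.` The new `visitContainers` still walks initContainers, then containers, then ephemeralContainers, which is what lets every policy check cover ephemeral containers too (so a debug container cannot be used to sidestep a check ordinary containers are subject to); that guarantee is worth stating in the function comment, e.g. `// visitContainers invokes the visitor for every init, regular and ephemeral container in the pod spec, in that order.` The pointer conversion `(*corev1.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon)` is not introduced by this commit, but it relies on EphemeralContainerCommon and Container having identical underlying struct types (the compiler rejects the conversion otherwise); a one-line comment noting that dependency would help the next reader.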