PodSecurity: Drop field path from container visitor
This commit is contained in:
parent
7895399077
commit
36907db929
@ -21,7 +21,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -59,7 +58,7 @@ func CheckAllowPrivilegeEscalation() Check {
func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
var badContainers []string
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil || *container.SecurityContext.AllowPrivilegeEscalation {
if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil || *container.SecurityContext.AllowPrivilegeEscalation {
badContainers = append(badContainers, container.Name)
badContainers = append(badContainers, container.Name)
}
}
@ -22,7 +22,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -78,7 +77,7 @@ var (
func capabilitiesBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
func capabilitiesBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
var badContainers []string
nonDefaultCapabilities := sets.NewString()
nonDefaultCapabilities := sets.NewString()
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.Capabilities != nil {
if container.SecurityContext != nil && container.SecurityContext.Capabilities != nil {
valid := true
valid := true
for _, c := range container.SecurityContext.Capabilities.Add {
for _, c := range container.SecurityContext.Capabilities.Add {
@ -23,7 +23,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -77,7 +76,7 @@ func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1
forbiddenCapabilities = sets.NewString()
forbiddenCapabilities = sets.NewString()
)
)
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext == nil || container.SecurityContext.Capabilities == nil {
if container.SecurityContext == nil || container.SecurityContext.Capabilities == nil {
containersMissingDropAll = append(containersMissingDropAll, container.Name)
containersMissingDropAll = append(containersMissingDropAll, container.Name)
return
return
@ -24,7 +24,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -61,7 +60,7 @@ func CheckHostPorts() Check {
func hostPorts_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
func hostPorts_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
var badContainers []string
forbiddenHostPorts := sets.NewString()
forbiddenHostPorts := sets.NewString()
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
valid := true
valid := true
for _, c := range container.Ports {
for _, c := range container.Ports {
if c.HostPort != 0 {
if c.HostPort != 0 {
@ -21,7 +21,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -56,7 +55,7 @@ func CheckPrivileged() Check {
func privileged_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
func privileged_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
var badContainers []string
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged {
if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged {
badContainers = append(badContainers, container.Name)
badContainers = append(badContainers, container.Name)
}
}
@ -23,7 +23,6 @@ import (
v1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -62,7 +61,7 @@ func CheckProcMount() Check {
func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
var badContainers []string
forbiddenProcMountTypes := sets.NewString()
forbiddenProcMountTypes := sets.NewString()
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
// allow if the security context is nil.
// allow if the security context is nil.
if container.SecurityContext == nil {
if container.SecurityContext == nil {
return
return
@ -22,7 +22,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -77,7 +76,7 @@ func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) C
// containers that didn't set runAsNonRoot and aren't caught by a pod-level runAsNonRoot=true
// containers that didn't set runAsNonRoot and aren't caught by a pod-level runAsNonRoot=true
var implicitlyBadContainers []string
var implicitlyBadContainers []string
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.RunAsNonRoot != nil {
if container.SecurityContext != nil && container.SecurityContext.RunAsNonRoot != nil {
// container explicitly set runAsNonRoot
// container explicitly set runAsNonRoot
if !*container.SecurityContext.RunAsNonRoot {
if !*container.SecurityContext.RunAsNonRoot {
@ -23,7 +23,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -112,7 +111,7 @@ func seLinuxOptions_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec)
}
}
var badContainers []string
var badContainers []string
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.SELinuxOptions != nil {
if container.SecurityContext != nil && container.SecurityContext.SELinuxOptions != nil {
if !validSELinuxOptions(container.SecurityContext.SELinuxOptions) {
if !validSELinuxOptions(container.SecurityContext.SELinuxOptions) {
badContainers = append(badContainers, container.Name)
badContainers = append(badContainers, container.Name)
@ -23,7 +23,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -94,7 +93,7 @@ func seccompProfileBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.
}
}
}
}
visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(c *corev1.Container) {
annotation := annotationKeyContainerPrefix + c.Name
annotation := annotationKeyContainerPrefix + c.Name
if val, ok := podMetadata.Annotations[annotation]; ok {
if val, ok := podMetadata.Annotations[annotation]; ok {
if !validSeccompAnnotationValue(val) {
if !validSeccompAnnotationValue(val) {
@ -134,7 +133,7 @@ func seccompProfileBaseline_1_19(podMetadata *metav1.ObjectMeta, podSpec *corev1
// containers that explicitly set seccompProfile.type to a bad value
// containers that explicitly set seccompProfile.type to a bad value
var explicitlyBadContainers []string
var explicitlyBadContainers []string
visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(c *corev1.Container) {
if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
// container explicitly set seccompProfile
// container explicitly set seccompProfile
if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
@ -23,7 +23,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -81,7 +80,7 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core
// containers that didn't set seccompProfile and aren't caught by a pod-level seccompProfile
// containers that didn't set seccompProfile and aren't caught by a pod-level seccompProfile
var implicitlyBadContainers []string
var implicitlyBadContainers []string
visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(c *corev1.Container) {
if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
// container explicitly set seccompProfile
// container explicitly set seccompProfile
if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
@ -22,7 +22,6 @@ import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
"k8s.io/pod-security-admission/api"
)
)
@ -59,7 +58,7 @@ func CheckWindowsHostProcess() Check {
func windowsHostProcess_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
func windowsHostProcess_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
var badContainers []string
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil &&
if container.SecurityContext != nil &&
container.SecurityContext.WindowsOptions != nil &&
container.SecurityContext.WindowsOptions != nil &&
container.SecurityContext.WindowsOptions.HostProcess != nil &&
container.SecurityContext.WindowsOptions.HostProcess != nil &&
@ -18,25 +18,20 @@ package policy
import (
import (
corev1 "k8s.io/api/core/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
)
)
// ContainerVisitorWithPath is called with each container and the field.Path to that container
// ContainerVisitor is called with each container and the field.Path to that container
type ContainerVisitorWithPath func(container *corev1.Container, path *field.Path)
type ContainerVisitor func(container *corev1.Container)
// visitContainersWithPath invokes the visitor function with a pointer to the spec
// visitContainers invokes the visitor function for every container in the given pod spec
// of every container in the given pod spec and the field.Path to that container.
func visitContainers(podSpec *corev1.PodSpec, visitor ContainerVisitor) {
func visitContainersWithPath(podSpec *corev1.PodSpec, specPath *field.Path, visitor ContainerVisitorWithPath) {
fldPath := specPath.Child("initContainers")
for i := range podSpec.InitContainers {
for i := range podSpec.InitContainers {
visitor(&podSpec.InitContainers[i], fldPath.Index(i))
visitor(&podSpec.InitContainers[i])
}
}
fldPath = specPath.Child("containers")
for i := range podSpec.Containers {
for i := range podSpec.Containers {
visitor(&podSpec.Containers[i], fldPath.Index(i))
visitor(&podSpec.Containers[i])
}
}
fldPath = specPath.Child("ephemeralContainers")
for i := range podSpec.EphemeralContainers {
for i := range podSpec.EphemeralContainers {
visitor((*corev1.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon), fldPath.Index(i))
visitor((*corev1.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon))
}
}
}
}
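Review bot: The rewritten doc comment on the ContainerVisitor type still says the callback is invoked with "the field.Path to that container", but the path parameter is exactly what this commit removes, so the comment now describes an argument the visitor no longer receives; it should read `// ContainerVisitor is called with each container in the given pod spec.` The visitContainers doc comment would also be worth tightening to say which lists are walked, since every policy check in this package depends on the visitor not skipping one of them: `// visitContainers invokes the visitor for every init, regular and ephemeral container in the pod spec, in that order.` The ephemeral loop converts `&podSpec.EphemeralContainers[i].EphemeralContainerCommon` straight to `*corev1.Container`, which Go only allows while the two struct types have identical field sequences, so a one-line comment such as `// EphemeralContainerCommon mirrors Container field-for-field; the conversion fails to compile if they ever diverge.` would explain to the next maintainer why the cast is safe rather than a silent truncation.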