Inline some SecurityContext fields into PodSecurityContext

2026-01-04 23:17:50 +00:00 · 2015-10-20 14:03:32 -04:00
parent 236193a26d
commit 393e2bc019
22 changed files with 22183 additions and 21218 deletions
--- a/pkg/securitycontext/provider.go
+++ b/pkg/securitycontext/provider.go
@@ -38,11 +38,12 @@ type SimpleSecurityContextProvider struct{}
 // The security context provider can make changes to the Config with which
 // the container is created.
 func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config) {
-	if container.SecurityContext == nil {
+	effectiveSC := determineEffectiveSecurityContext(pod, container)
+	if effectiveSC == nil {
 		return
 	}
-	if container.SecurityContext.RunAsUser != nil {
-		config.User = strconv.FormatInt(*container.SecurityContext.RunAsUser, 10)
+	if effectiveSC.RunAsUser != nil {
+		config.User = strconv.Itoa(int(*effectiveSC.RunAsUser))
 	}
 }

@@ -62,30 +63,32 @@ func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container
 		if pod.Spec.SecurityContext.SupplementalGroups != nil && container.Name != leaky.PodInfraContainerName {
 			hostConfig.GroupAdd = make([]string, len(pod.Spec.SecurityContext.SupplementalGroups))
 			for i, group := range pod.Spec.SecurityContext.SupplementalGroups {
-				hostConfig.GroupAdd[i] = strconv.FormatInt(group, 10)
+				hostConfig.GroupAdd[i] = strconv.Itoa(int(group))
 			}
 		}
 	}

-	// Apply container security context
-	if container.SecurityContext == nil {
+	// Apply effective security context for container
+	effectiveSC := determineEffectiveSecurityContext(pod, container)
+	if effectiveSC == nil {
 		return
 	}
-	if container.SecurityContext.Privileged != nil {
-		hostConfig.Privileged = *container.SecurityContext.Privileged
+
+	if effectiveSC.Privileged != nil {
+		hostConfig.Privileged = *effectiveSC.Privileged
 	}

-	if container.SecurityContext.Capabilities != nil {
-		add, drop := makeCapabilites(container.SecurityContext.Capabilities.Add, container.SecurityContext.Capabilities.Drop)
+	if effectiveSC.Capabilities != nil {
+		add, drop := makeCapabilites(effectiveSC.Capabilities.Add, effectiveSC.Capabilities.Drop)
 		hostConfig.CapAdd = add
 		hostConfig.CapDrop = drop
 	}

-	if container.SecurityContext.SELinuxOptions != nil {
-		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, container.SecurityContext.SELinuxOptions.User)
-		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, container.SecurityContext.SELinuxOptions.Role)
-		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, container.SecurityContext.SELinuxOptions.Type)
-		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, container.SecurityContext.SELinuxOptions.Level)
+	if effectiveSC.SELinuxOptions != nil {
+		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, effectiveSC.SELinuxOptions.User)
+		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, effectiveSC.SELinuxOptions.Role)
+		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, effectiveSC.SELinuxOptions.Type)
+		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, effectiveSC.SELinuxOptions.Level)
 	}
 }

@@ -112,3 +115,69 @@ func makeCapabilites(capAdd []api.Capability, capDrop []api.Capability) ([]strin
 	}
 	return addCaps, dropCaps
 }
+
+func determineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext {
+	effectiveSc := securityContextFromPodSecurityContext(pod)
+	containerSc := container.SecurityContext
+
+	if effectiveSc == nil && containerSc == nil {
+		return nil
+	}
+	if effectiveSc != nil && containerSc == nil {
+		return effectiveSc
+	}
+	if effectiveSc == nil && containerSc != nil {
+		return containerSc
+	}
+
+	if containerSc.SELinuxOptions != nil {
+		effectiveSc.SELinuxOptions = new(api.SELinuxOptions)
+		*effectiveSc.SELinuxOptions = *containerSc.SELinuxOptions
+	}
+
+	if containerSc.Capabilities != nil {
+		effectiveSc.Capabilities = new(api.Capabilities)
+		*effectiveSc.Capabilities = *containerSc.Capabilities
+	}
+
+	if containerSc.Privileged != nil {
+		effectiveSc.Privileged = new(bool)
+		*effectiveSc.Privileged = *containerSc.Privileged
+	}
+
+	if containerSc.RunAsUser != nil {
+		effectiveSc.RunAsUser = new(int64)
+		*effectiveSc.RunAsUser = *containerSc.RunAsUser
+	}
+
+	if containerSc.RunAsNonRoot != nil {
+		effectiveSc.RunAsNonRoot = new(bool)
+		*effectiveSc.RunAsNonRoot = *containerSc.RunAsNonRoot
+	}
+
+	return effectiveSc
+}
+
+func securityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityContext {
+	if pod.Spec.SecurityContext == nil {
+		return nil
+	}
+
+	synthesized := &api.SecurityContext{}
+
+	if pod.Spec.SecurityContext.SELinuxOptions != nil {
+		synthesized.SELinuxOptions = &api.SELinuxOptions{}
+		*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
+	}
+	if pod.Spec.SecurityContext.RunAsUser != nil {
+		synthesized.RunAsUser = new(int64)
+		*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
+	}
+
+	if pod.Spec.SecurityContext.RunAsNonRoot != nil {
+		synthesized.RunAsNonRoot = new(bool)
+		*synthesized.RunAsNonRoot = *pod.Spec.SecurityContext.RunAsNonRoot
+	}
+
+	return synthesized
+}