From 6db5b5c50ffaf084eca9a5eb6906f4e80c3a7e08 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Sun, 10 May 2020 11:28:42 +0100 Subject: [PATCH] Add seccomp least privilege for docker sandbox --- pkg/kubelet/dockershim/docker_sandbox.go | 11 +++++++---- pkg/kubelet/dockershim/docker_sandbox_test.go | 13 +++++++++++++ 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/pkg/kubelet/dockershim/docker_sandbox.go b/pkg/kubelet/dockershim/docker_sandbox.go index b86ff9c7cd0..c190e10a806 100644 --- a/pkg/kubelet/dockershim/docker_sandbox.go +++ b/pkg/kubelet/dockershim/docker_sandbox.go @@ -659,16 +659,19 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig, } // Set security options. - securityOpts, err := ds.getSecurityOpts(c.GetLinux().GetSecurityContext().GetSeccompProfilePath(), securityOptSeparator) - if err != nil { - return nil, fmt.Errorf("failed to generate sandbox security options for sandbox %q: %v", c.Metadata.Name, err) - } + securityOpts := ds.getSandBoxSecurityOpts(securityOptSeparator) hc.SecurityOpt = append(hc.SecurityOpt, securityOpts...) applyExperimentalCreateConfig(createConfig, c.Annotations) return createConfig, nil } +func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string { + // run sandbox with no-new-privileges and using runtime/default + // sending no "seccomp=" means docker will use default profile + return []string{"no-new-privileges"} +} + // networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container. // Supports: POD, NODE func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode { diff --git a/pkg/kubelet/dockershim/docker_sandbox_test.go b/pkg/kubelet/dockershim/docker_sandbox_test.go index 9d385a5f089..ae598dddaf3 100644 --- a/pkg/kubelet/dockershim/docker_sandbox_test.go +++ b/pkg/kubelet/dockershim/docker_sandbox_test.go @@ -156,6 +156,19 @@ func TestSandboxStatus(t *testing.T) { assert.Error(t, err, fmt.Sprintf("status of sandbox: %+v", statusResp)) } +// TestSandboxHasLeastPrivilegesConfig tests that the sandbox is set with no-new-privileges +// and it uses runtime/default seccomp profile. +func TestSandboxHasLeastPrivilegesConfig(t *testing.T) { + ds, _, _ := newTestDockerService() + config := makeSandboxConfig("foo", "bar", "1", 0) + + // test the default + createConfig, err := ds.makeSandboxDockerConfig(config, defaultSandboxImage) + assert.NoError(t, err) + assert.Equal(t, len(createConfig.HostConfig.SecurityOpt), 1, "sandbox should use runtime/default") + assert.Equal(t, "no-new-privileges", createConfig.HostConfig.SecurityOpt[0], "no-new-privileges not set") +} + // TestSandboxStatusAfterRestart tests that retrieving sandbox status returns // an IP address even if RunPodSandbox() was not yet called for this pod, as // would happen on kubelet restart