github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-08 03:33:56 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #90949 from pjbgf/seccomp-least-priv-kuberuntime

Browse Source 
Add seccomp least privilege for kuberuntime
This commit is contained in:
Kubernetes Prow Robot 2020-07-14 04:35:21 -07:00 committed by GitHub
commit 428b500c5a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
View File

@ -148,8 +148,11 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
lc := &runtimeapi.LinuxPodSandboxConfig{ lc := &runtimeapi.LinuxPodSandboxConfig{
CgroupParent: cgroupParent, CgroupParent: cgroupParent,
SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{ SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
Privileged: kubecontainer.HasPrivilegedContainer(pod), Privileged: kubecontainer.HasPrivilegedContainer(pod),
SeccompProfilePath: m.getSeccompProfile(pod.Annotations, "", pod.Spec.SecurityContext, nil),
// Forcing sandbox to run as `runtime/default` allow users to
// use least privileged seccomp profiles at pod level. Issue #84623
SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
}, },
} }

30
pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
View File

@ -67,37 +67,29 @@ func TestGeneratePodSandboxLinuxConfigSeccomp(t *testing.T) {
expectedProfile string expectedProfile string
}{ }{
{ {
description: "no seccomp defined at pod level should return empty", description: "no seccomp defined at pod level should return runtime/default",
pod: newSeccompPod(nil, nil, "", ""), pod: newSeccompPod(nil, nil, "", "runtime/default"),
expectedProfile: "", expectedProfile: "runtime/default",
}, },
{ {
description: "seccomp field defined at pod level should be honoured", description: "seccomp field defined at pod level should not be honoured",
pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, nil, "", ""), pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, nil, "", ""),
expectedProfile: "runtime/default", expectedProfile: "runtime/default",
}, },
{ {
description: "seccomp field defined at container level should not be honoured", description: "seccomp field defined at container level should not be honoured",
pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, "", ""), pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, "", ""),
expectedProfile: "", expectedProfile: "runtime/default",
}, },
{ {
description: "seccomp annotation defined at pod level should be honoured", description: "seccomp annotation defined at pod level should not be honoured",
pod: newSeccompPod(nil, nil, v1.SeccompProfileRuntimeDefault, ""), pod: newSeccompPod(nil, nil, "unconfined", ""),
expectedProfile: "runtime/default", expectedProfile: "runtime/default",
}, },
{ {
description: "seccomp annotation defined at container level should not be honoured", description: "seccomp annotation defined at container level should not be honoured",
pod: newSeccompPod(nil, nil, "", v1.SeccompProfileRuntimeDefault), pod: newSeccompPod(nil, nil, "", "unconfined"),
expectedProfile: "", expectedProfile: "runtime/default",
},
{
description: "prioritise pod field over pod annotation",
pod: newSeccompPod(&v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
LocalhostProfile: pointer.StringPtr("pod-field"),
}, nil, "localhost/pod-annotation", ""),
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "pod-field"),
}, },
} }