Merge pull request #13447 from pweil-/pid-mode

Auto commit by PR queue bot

plugin/pkg/admission/exec/admission.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package denyprivileged
+package exec
 
 import (
 	"fmt"
@@ -28,19 +28,55 @@ import (
 )
 
 func init() {
+	admission.RegisterPlugin("DenyEscalatingExec", func(client client.Interface, config io.Reader) (admission.Interface, error) {
+		return NewDenyEscalatingExec(client), nil
+	})
+
+	// This is for legacy support of the DenyExecOnPrivileged admission controller.  Most
+	// of the time DenyEscalatingExec should be preferred.
 	admission.RegisterPlugin("DenyExecOnPrivileged", func(client client.Interface, config io.Reader) (admission.Interface, error) {
 		return NewDenyExecOnPrivileged(client), nil
 	})
 }
 
-// denyExecOnPrivileged is an implementation of admission.Interface which says no to a pod/exec on
-// a privileged pod
-type denyExecOnPrivileged struct {
+// denyExec is an implementation of admission.Interface which says no to a pod/exec on
+// a pod using host based configurations.
+type denyExec struct {
 	*admission.Handler
 	client client.Interface
+
+	// these flags control which items will be checked to deny exec/attach
+	hostIPC    bool
+	hostPID    bool
+	privileged bool
 }
 
-func (d *denyExecOnPrivileged) Admit(a admission.Attributes) (err error) {
+// NewDenyEscalatingExec creates a new admission controller that denies an exec operation on a pod
+// using host based configurations.
+func NewDenyEscalatingExec(client client.Interface) admission.Interface {
+	return &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		client:     client,
+		hostIPC:    true,
+		hostPID:    true,
+		privileged: true,
+	}
+}
+
+// NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged
+// option.  This is for legacy support of the DenyExecOnPrivileged admission controller.  Most
+// of the time NewDenyEscalatingExec should be preferred.
+func NewDenyExecOnPrivileged(client client.Interface) admission.Interface {
+	return &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		client:     client,
+		hostIPC:    false,
+		hostPID:    false,
+		privileged: true,
+	}
+}
+
+func (d *denyExec) Admit(a admission.Attributes) (err error) {
 	connectRequest, ok := a.GetObject().(*rest.ConnectRequest)
 	if !ok {
 		return errors.NewBadRequest("a connect request was received, but could not convert the request object.")
@@ -53,9 +89,20 @@ func (d *denyExecOnPrivileged) Admit(a admission.Attributes) (err error) {
 	if err != nil {
 		return admission.NewForbidden(a, err)
 	}
-	if isPrivileged(pod) {
+
+	if d.hostPID && pod.Spec.HostPID {
+		return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host pid"))
+	}
+
+	//TODO uncomment when this feature lands https://github.com/kubernetes/kubernetes/pull/12470
+	//	if d.hostIPC && pod.Spec.HostIPC {
+	//		return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host ipc"))
+	//	}
+
+	if d.privileged && isPrivileged(pod) {
 		return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a privileged container"))
 	}
+
 	return nil
 }
 
@@ -71,11 +118,3 @@ func isPrivileged(pod *api.Pod) bool {
 	}
 	return false
 }
-
-// NewDenyExecOnPrivileged creates a new admission controller that denies an exec operation on a privileged pod
-func NewDenyExecOnPrivileged(client client.Interface) admission.Interface {
-	return &denyExecOnPrivileged{
-		Handler: admission.NewHandler(admission.Connect),
-		client:  client,
-	}
-}

plugin/pkg/admission/exec/admission_test.go

@@ -0,0 +1,183 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/admission"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/client/unversioned/testclient"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+func TestAdmission(t *testing.T) {
+	privPod := validPod("privileged")
+	priv := true
+	privPod.Spec.Containers[0].SecurityContext = &api.SecurityContext{
+		Privileged: &priv,
+	}
+
+	hostPIDPod := validPod("hostPID")
+	hostPIDPod.Spec.HostPID = true
+
+	//	hostIPCPod := validPod("hostIPC")
+	//	hostIPCPod.Spec.HostIPC = true
+
+	testCases := map[string]struct {
+		pod          *api.Pod
+		shouldAccept bool
+	}{
+		"priv": {
+			shouldAccept: false,
+			pod:          privPod,
+		},
+		"hostPID": {
+			shouldAccept: false,
+			pod:          hostPIDPod,
+		},
+		//		"hostIPC": {
+		//			shouldAccept: false,
+		//			pod: hostIPCPod,
+		//		},
+		"non privileged": {
+			shouldAccept: true,
+			pod:          validPod("nonPrivileged"),
+		},
+	}
+
+	// use the same code as NewDenyEscalatingExec, using the direct object though to allow testAdmission to
+	// inject the client
+	handler := &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		hostIPC:    true,
+		hostPID:    true,
+		privileged: true,
+	}
+
+	for _, tc := range testCases {
+		testAdmission(t, tc.pod, handler, tc.shouldAccept)
+	}
+
+	// run with a permissive config and all cases should pass
+	handler.privileged = false
+	handler.hostPID = false
+	handler.hostIPC = false
+
+	for _, tc := range testCases {
+		testAdmission(t, tc.pod, handler, true)
+	}
+}
+
+func testAdmission(t *testing.T, pod *api.Pod, handler *denyExec, shouldAccept bool) {
+	mockClient := &testclient.Fake{}
+	mockClient.AddReactor("get", "pods", func(action testclient.Action) (bool, runtime.Object, error) {
+		if action.(testclient.GetAction).GetName() == pod.Name {
+			return true, pod, nil
+		}
+		t.Errorf("Unexpected API call: %#v", action)
+		return true, nil, nil
+	})
+
+	handler.client = mockClient
+
+	// pods/exec
+	{
+		req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/exec"}
+		err := handler.Admit(admission.NewAttributesRecord(req, "Pod", "test", "name", "pods", "exec", admission.Connect, nil))
+		if shouldAccept && err != nil {
+			t.Errorf("Unexpected error returned from admission handler: %v", err)
+		}
+		if !shouldAccept && err == nil {
+			t.Errorf("An error was expected from the admission handler. Received nil")
+		}
+	}
+
+	// pods/attach
+	{
+		req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/attach"}
+		err := handler.Admit(admission.NewAttributesRecord(req, "Pod", "test", "name", "pods", "attach", admission.Connect, nil))
+		if shouldAccept && err != nil {
+			t.Errorf("Unexpected error returned from admission handler: %v", err)
+		}
+		if !shouldAccept && err == nil {
+			t.Errorf("An error was expected from the admission handler. Received nil")
+		}
+	}
+}
+
+// Test to ensure legacy admission controller works as expected.
+func TestDenyExecOnPrivileged(t *testing.T) {
+	privPod := validPod("privileged")
+	priv := true
+	privPod.Spec.Containers[0].SecurityContext = &api.SecurityContext{
+		Privileged: &priv,
+	}
+
+	hostPIDPod := validPod("hostPID")
+	hostPIDPod.Spec.HostPID = true
+
+	//	hostIPCPod := validPod("hostIPC")
+	//	hostIPCPod.Spec.HostIPC = true
+
+	testCases := map[string]struct {
+		pod          *api.Pod
+		shouldAccept bool
+	}{
+		"priv": {
+			shouldAccept: false,
+			pod:          privPod,
+		},
+		"hostPID": {
+			shouldAccept: true,
+			pod:          hostPIDPod,
+		},
+		//		"hostIPC": {
+		//			shouldAccept: true,
+		//			pod: hostIPCPod,
+		//		},
+		"non privileged": {
+			shouldAccept: true,
+			pod:          validPod("nonPrivileged"),
+		},
+	}
+
+	// use the same code as NewDenyExecOnPrivileged, using the direct object though to allow testAdmission to
+	// inject the client
+	handler := &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		hostIPC:    false,
+		hostPID:    false,
+		privileged: true,
+	}
+	for _, tc := range testCases {
+		testAdmission(t, tc.pod, handler, tc.shouldAccept)
+	}
+}
+
+func validPod(name string) *api.Pod {
+	return &api.Pod{
+		ObjectMeta: api.ObjectMeta{Name: name, Namespace: "test"},
+		Spec: api.PodSpec{
+			Containers: []api.Container{
+				{Name: "ctr1", Image: "image"},
+				{Name: "ctr2", Image: "image2"},
+			},
+		},
+	}
+}

plugin/pkg/admission/exec/denyprivileged/admission_test.go

@@ -1,105 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package denyprivileged
-
-import (
-	"testing"
-
-	"k8s.io/kubernetes/pkg/admission"
-	"k8s.io/kubernetes/pkg/api"
-	"k8s.io/kubernetes/pkg/api/rest"
-	"k8s.io/kubernetes/pkg/client/unversioned/testclient"
-	"k8s.io/kubernetes/pkg/runtime"
-)
-
-// TestAdmission verifies a namespace is created on create requests for namespace managed resources
-func TestAdmissionAccept(t *testing.T) {
-	testAdmission(t, acceptPod("podname"), true)
-}
-
-func TestAdmissionDeny(t *testing.T) {
-	testAdmission(t, denyPod("podname"), false)
-}
-
-func testAdmission(t *testing.T, pod *api.Pod, shouldAccept bool) {
-	mockClient := &testclient.Fake{}
-	mockClient.AddReactor("get", "pods", func(action testclient.Action) (bool, runtime.Object, error) {
-		if action.(testclient.GetAction).GetName() == pod.Name {
-			return true, pod, nil
-		}
-		t.Errorf("Unexpected API call: %#v", action)
-		return true, nil, nil
-	})
-	handler := &denyExecOnPrivileged{
-		client: mockClient,
-	}
-
-	// pods/exec
-	{
-		req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/exec"}
-		err := handler.Admit(admission.NewAttributesRecord(req, "Pod", "test", "name", "pods", "exec", admission.Connect, nil))
-		if shouldAccept && err != nil {
-			t.Errorf("Unexpected error returned from admission handler: %v", err)
-		}
-		if !shouldAccept && err == nil {
-			t.Errorf("An error was expected from the admission handler. Received nil")
-		}
-	}
-
-	// pods/attach
-	{
-		req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/attach"}
-		err := handler.Admit(admission.NewAttributesRecord(req, "Pod", "test", "name", "pods", "attach", admission.Connect, nil))
-		if shouldAccept && err != nil {
-			t.Errorf("Unexpected error returned from admission handler: %v", err)
-		}
-		if !shouldAccept && err == nil {
-			t.Errorf("An error was expected from the admission handler. Received nil")
-		}
-	}
-}
-
-func acceptPod(name string) *api.Pod {
-	return &api.Pod{
-		ObjectMeta: api.ObjectMeta{Name: name, Namespace: "test"},
-		Spec: api.PodSpec{
-			Containers: []api.Container{
-				{Name: "ctr1", Image: "image"},
-				{Name: "ctr2", Image: "image2"},
-			},
-		},
-	}
-}
-
-func denyPod(name string) *api.Pod {
-	privileged := true
-	return &api.Pod{
-		ObjectMeta: api.ObjectMeta{Name: name, Namespace: "test"},
-		Spec: api.PodSpec{
-			Containers: []api.Container{
-				{Name: "ctr1", Image: "image"},
-				{
-					Name:  "ctr2",
-					Image: "image2",
-					SecurityContext: &api.SecurityContext{
-						Privileged: &privileged,
-					},
-				},
-			},
-		},
-	}
-}