Fix seccomp PSP docker/default annotation handling
With the graduation of seccomp to GA we automatically convert the deprecated seccomp profile annotation `docker/default` to `runtime/default`. This means that we now have to automatically allow `runtime/default` if a user specifies `docker/default` and vice versa in an allowed PSP seccomp profile. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This commit is contained in:
parent
518b826b1d
commit
5588f025e2
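--- a/[file-1 path not on page]/BUILD
+++ b/[file-1 path not on page]/BUILD
@@ -13,6 +13,7 @@ go_library(
 deps = [
 "//pkg/api/pod:go_default_library",
 "//pkg/apis/core:go_default_library",
+"//staging/src/k8s.io/api/core/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
 ],
 )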
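--- a/[file-2 path not on page]
+++ b/[file-2 path not on page]
@@ -20,6 +20,7 @@ import (
 "fmt"
 "strings"
 
+v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/util/validation/field"
 podutil "k8s.io/kubernetes/pkg/api/pod"
 api "k8s.io/kubernetes/pkg/apis/core"
@@ -67,6 +68,15 @@ func NewStrategy(pspAnnotations map[string]string) Strategy {
 allowAnyProfile = true
 continue
 }
+// With the graduation of seccomp to GA we automatically convert
+// the deprecated seccomp profile annotation `docker/default` to
+// `runtime/default`. This means that we now have to automatically
+// allow `runtime/default` if a user specifies `docker/default` and
+// vice versa in a PSP.
+if p == v1.DeprecatedSeccompProfileDockerDefault || p == v1.SeccompProfileRuntimeDefault {
+allowedProfiles[v1.SeccompProfileRuntimeDefault] = true
+allowedProfiles[v1.DeprecatedSeccompProfileDockerDefault] = true
+}
 allowedProfiles[p] = true
 }
 }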
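Review bot: The `allowedProfiles[p] = true` write that follows the new block is redundant whenever `p` is one of the two aliased names, since both keys were just set; ending the new `if` with `continue`, as the `allowAnyProfile` branch above it does, keeps the two special cases in the same shape and makes explicit that no further entry is added. Because this widening is applied at strategy construction, the effective allow-list differs from what the PSP author literally wrote, so if `allowedProfiles` also feeds the text of the rejection error elsewhere in this file (not visible in the hunk) administrators will see both names listed; a short note such as `// Both names are recorded so validation and any allowed-list output treat them as one profile.` would make that intentional. The enclosing NewStrategy function starts before this hunk.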
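--- a/[file-3 path not on page]_test.go
+++ b/[file-3 path not on page]_test.go
@@ -21,7 +21,7 @@ import (
 "strings"
 "testing"
 
-"k8s.io/api/core/v1"
+v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 api "k8s.io/kubernetes/pkg/apis/core"
 )
@@ -45,6 +45,12 @@ var (
 allowSpecificLocalhost = map[string]string{
 AllowedProfilesAnnotationKey: v1.SeccompLocalhostProfileNamePrefix + "foo",
 }
+allowSpecificDockerDefault = map[string]string{
+AllowedProfilesAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
+}
+allowSpecificRuntimeDefault = map[string]string{
+AllowedProfilesAnnotationKey: v1.SeccompProfileRuntimeDefault,
+}
 )
 
 func TestNewStrategy(t *testing.T) {
@@ -256,6 +262,20 @@ func TestValidatePod(t *testing.T) {
 },
 expectedError: "",
 },
+"docker/default PSP annotation automatically allows runtime/default pods": {
+pspAnnotations: allowSpecificDockerDefault,
+podAnnotations: map[string]string{
+api.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
+},
+expectedError: "",
+},
+"runtime/default PSP annotation automatically allows docker/default pods": {
+pspAnnotations: allowSpecificRuntimeDefault,
+podAnnotations: map[string]string{
+api.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
+},
+expectedError: "",
+},
 }
 for k, v := range tests {
 pod := &api.Pod{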