github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00
Code Issues Projects Releases Wiki Activity

Add seccomp least privilege for docker sandbox

Browse Source
This commit is contained in:
Paulo Gomes 2020-05-10 11:28:42 +01:00
parent 423c17d859
commit 6db5b5c50f
No known key found for this signature in database
GPG Key ID: 606D0A79BB9975E1
2 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/kubelet/dockershim/docker_sandbox.go
View File

@ -659,16 +659,19 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
} }
// Set security options. // Set security options.
securityOpts, err := ds.getSecurityOpts(c.GetLinux().GetSecurityContext().GetSeccompProfilePath(), securityOptSeparator) securityOpts := ds.getSandBoxSecurityOpts(securityOptSeparator)
if err != nil {
return nil, fmt.Errorf("failed to generate sandbox security options for sandbox %q: %v", c.Metadata.Name, err)
}
hc.SecurityOpt = append(hc.SecurityOpt, securityOpts...) hc.SecurityOpt = append(hc.SecurityOpt, securityOpts...)
applyExperimentalCreateConfig(createConfig, c.Annotations) applyExperimentalCreateConfig(createConfig, c.Annotations)
return createConfig, nil return createConfig, nil
} }
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
// run sandbox with no-new-privileges and using runtime/default
// sending no "seccomp=" means docker will use default profile
return []string{"no-new-privileges"}
}
// networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container. // networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container.
// Supports: POD, NODE // Supports: POD, NODE
func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode { func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode {

13
pkg/kubelet/dockershim/docker_sandbox_test.go
View File

@ -156,6 +156,19 @@ func TestSandboxStatus(t *testing.T) {
assert.Error(t, err, fmt.Sprintf("status of sandbox: %+v", statusResp)) assert.Error(t, err, fmt.Sprintf("status of sandbox: %+v", statusResp))
} }
// TestSandboxHasLeastPrivilegesConfig tests that the sandbox is set with no-new-privileges
// and it uses runtime/default seccomp profile.
func TestSandboxHasLeastPrivilegesConfig(t *testing.T) {
ds, _, _ := newTestDockerService()
config := makeSandboxConfig("foo", "bar", "1", 0)
// test the default
createConfig, err := ds.makeSandboxDockerConfig(config, defaultSandboxImage)
assert.NoError(t, err)
assert.Equal(t, len(createConfig.HostConfig.SecurityOpt), 1, "sandbox should use runtime/default")
assert.Equal(t, "no-new-privileges", createConfig.HostConfig.SecurityOpt[0], "no-new-privileges not set")
}
// TestSandboxStatusAfterRestart tests that retrieving sandbox status returns // TestSandboxStatusAfterRestart tests that retrieving sandbox status returns
// an IP address even if RunPodSandbox() was not yet called for this pod, as // an IP address even if RunPodSandbox() was not yet called for this pod, as
// would happen on kubelet restart // would happen on kubelet restart