From 02489f89884718bb6f0219b5c4a1e3a1e6e31150 Mon Sep 17 00:00:00 2001
From: Davanum Srinivas
Date: Tue, 18 Sep 2018 16:53:53 -0400
Subject: [PATCH] Avoid setting Masked/ReadOnly paths when pod is privileged

In the recent PR on adding ProcMount, we introduced a regression when pods are privileged. This shows up in 18.06 docker with kubeadm in the kube-proxy container. The kube-proxy container is privilged, but we end up setting the `/proc/sys` to Read-Only which causes failures when running kube-proxy as a pod. This shows up as a failure when using sysctl to set various network things.

Change-Id: Ic61c4c9c961843a4e064e783fab0b54350762a8d
---
 pkg/kubelet/dockershim/security_context.go | 6 ++++--
 .../dockershim/security_context_test.go | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/pkg/kubelet/dockershim/security_context.go b/pkg/kubelet/dockershim/security_context.go
index e2724357136..17969a1172f 100644
--- a/pkg/kubelet/dockershim/security_context.go
+++ b/pkg/kubelet/dockershim/security_context.go
@@ -137,8 +137,10 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig *
 hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges")
 }
-hostConfig.MaskedPaths = sc.MaskedPaths
-hostConfig.ReadonlyPaths = sc.ReadonlyPaths
+if !hostConfig.Privileged {
+hostConfig.MaskedPaths = sc.MaskedPaths
+hostConfig.ReadonlyPaths = sc.ReadonlyPaths
+}
 return nil
 }
diff --git a/pkg/kubelet/dockershim/security_context_test.go b/pkg/kubelet/dockershim/security_context_test.go
index 59876e72a22..3fe3646906d 100644
--- a/pkg/kubelet/dockershim/security_context_test.go
+++ b/pkg/kubelet/dockershim/security_context_test.go
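Review bot: The new guard reads `hostConfig.Privileged` rather than `sc.Privileged`, so it is only correct if the privileged flag has already been copied from the security context onto hostConfig earlier in modifyHostConfig, which lies outside this hunk; a later reordering of that assignment would silently hand MaskedPaths/ReadonlyPaths to privileged containers again. Checking `if !sc.Privileged {` removes that ordering dependency. Either way the reason for skipping the fields is not visible in the code, only in the commit message, so a comment above the `if` would help the next reader, e.g. `// Privileged containers must not receive MaskedPaths/ReadonlyPaths: the explicit lists override the unmasked, writable /proc the runtime otherwise gives them and turned /proc/sys read-only for kube-proxy.` The body of modifyHostConfig begins before this hunk.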
@@ -110,11 +110,27 @@ func TestModifyContainerConfig(t *testing.T) {
 func TestModifyHostConfig(t *testing.T) {
 setNetworkHC := &dockercontainer.HostConfig{}
+
+// When we have Privileged pods, we do not need to use the
+// Masked / Readonly paths.
 setPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
 setPrivSC.Privileged = true
+setPrivSC.MaskedPaths = []string{"/hello/world/masked"}
+setPrivSC.ReadonlyPaths = []string{"/hello/world/readonly"}
 setPrivHC := &dockercontainer.HostConfig{
 Privileged: true,
 }
+
+unsetPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
+unsetPrivSC.Privileged = false
+unsetPrivSC.MaskedPaths = []string{"/hello/world/masked"}
+unsetPrivSC.ReadonlyPaths = []string{"/hello/world/readonly"}
+unsetPrivHC := &dockercontainer.HostConfig{
+Privileged: false,
+MaskedPaths: []string{"/hello/world/masked"},
+ReadonlyPaths: []string{"/hello/world/readonly"},
+}
+
 setCapsHC := &dockercontainer.HostConfig{
 CapAdd: []string{"addCapA", "addCapB"},
 CapDrop: []string{"dropCapA", "dropCapB"},
@@ -148,6 +164,11 @@ func TestModifyHostConfig(t *testing.T) {
 sc: setPrivSC,
 expected: setPrivHC,
 },
+{
+name: "container.SecurityContext.NoPrivileges",
+sc: unsetPrivSC,
+expected: unsetPrivHC,
+},
 {
 name: "container.SecurityContext.Capabilities",
 sc: &runtimeapi.LinuxContainerSecurityContext{
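Review bot: The privileged case now asserts the important property only implicitly: setPrivSC carries MaskedPaths/ReadonlyPaths while setPrivHC omits them, so the test passes because the expected struct leaves both fields nil, but nothing in the fixture says that the omission is the point. A one-line comment on the `setPrivHC := &dockercontainer.HostConfig{` literal, e.g. `// MaskedPaths/ReadonlyPaths deliberately absent: a privileged container must not receive them.`, makes the regression guard obvious, and the new comment above setPrivSC would be more precise as "must not" rather than "do not need to", since passing the paths is what broke kube-proxy. The `unsetPrivSC.Privileged = false` assignment is redundant with the zero value, though it does make the contrast with setPrivSC explicit. TestModifyHostConfig continues past the second hunk.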