github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 14:37:00 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #68803 from dims/avoid-setting-masked-read-only-when-pod-is-privilged

Browse Source 
Avoid setting Masked/ReadOnly paths when pod is privileged
This commit is contained in:
k8s-ci-robot 2018-09-18 17:41:47 -07:00 committed by GitHub
commit 76518f154b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/kubelet/dockershim/security_context.go
View File

@ -137,8 +137,10 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig *
hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges") hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges")
} }
hostConfig.MaskedPaths = sc.MaskedPaths if !hostConfig.Privileged {
hostConfig.ReadonlyPaths = sc.ReadonlyPaths hostConfig.MaskedPaths = sc.MaskedPaths
hostConfig.ReadonlyPaths = sc.ReadonlyPaths
}
return nil return nil
} }

21
pkg/kubelet/dockershim/security_context_test.go
View File

@ -110,11 +110,27 @@ func TestModifyContainerConfig(t *testing.T) {
func TestModifyHostConfig(t *testing.T) { func TestModifyHostConfig(t *testing.T) {
setNetworkHC := &dockercontainer.HostConfig{} setNetworkHC := &dockercontainer.HostConfig{}
// When we have Privileged pods, we do not need to use the
// Masked / Readonly paths.
setPrivSC := &runtimeapi.LinuxContainerSecurityContext{} setPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
setPrivSC.Privileged = true setPrivSC.Privileged = true
setPrivSC.MaskedPaths = []string{"/hello/world/masked"}
setPrivSC.ReadonlyPaths = []string{"/hello/world/readonly"}
setPrivHC := &dockercontainer.HostConfig{ setPrivHC := &dockercontainer.HostConfig{
Privileged: true, Privileged: true,
} }
unsetPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
unsetPrivSC.Privileged = false
unsetPrivSC.MaskedPaths = []string{"/hello/world/masked"}
unsetPrivSC.ReadonlyPaths = []string{"/hello/world/readonly"}
unsetPrivHC := &dockercontainer.HostConfig{
Privileged: false,
MaskedPaths: []string{"/hello/world/masked"},
ReadonlyPaths: []string{"/hello/world/readonly"},
}
setCapsHC := &dockercontainer.HostConfig{ setCapsHC := &dockercontainer.HostConfig{
CapAdd: []string{"addCapA", "addCapB"}, CapAdd: []string{"addCapA", "addCapB"},
CapDrop: []string{"dropCapA", "dropCapB"}, CapDrop: []string{"dropCapA", "dropCapB"},
@ -148,6 +164,11 @@ func TestModifyHostConfig(t *testing.T) {
sc: setPrivSC, sc: setPrivSC,
expected: setPrivHC, expected: setPrivHC,
}, },
{
name: "container.SecurityContext.NoPrivileges",
sc: unsetPrivSC,
expected: unsetPrivHC,
},
{ {
name: "container.SecurityContext.Capabilities", name: "container.SecurityContext.Capabilities",
sc: &runtimeapi.LinuxContainerSecurityContext{ sc: &runtimeapi.LinuxContainerSecurityContext{