From ad6bd780077407118afbff404ced5ba810ee758f Mon Sep 17 00:00:00 2001 From: "Dr. Stefan Schimanski" Date: Thu, 2 Jun 2016 15:44:57 +0200 Subject: [PATCH 1/3] Move /seccomp/ into domain prefix in seccomp annotations Double slashes are not allowed in annotation keys. Moreover, using the 63 characters of the name component in an annotation key will shorted the space for the container name. --- docs/design/seccomp.md | 10 +++++----- pkg/kubelet/dockertools/manager.go | 4 ++-- pkg/kubelet/dockertools/manager_test.go | 8 ++++---- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/design/seccomp.md b/docs/design/seccomp.md index 7d65611edfd..4a28d705b7e 100644 --- a/docs/design/seccomp.md +++ b/docs/design/seccomp.md @@ -202,11 +202,11 @@ use annotations instead of extending the API with new fields. In the alpha version of this feature we will use annotations to store the names of seccomp profiles. The keys will be: -`security.alpha.kubernetes.io/seccomp/container/` +`container.seccomp.security.alpha.kubernetes.io/` which will be used to set the seccomp profile of a container, and: -`security.alpha.kubernetes.io/seccomp/pod` +`seccomp.security.alpha.kubernetes.io/pod` which will set the seccomp profile for the containers of an entire pod. If a pod-level annotation is present, and a container-level annotation present for @@ -240,7 +240,7 @@ subdirectory of the kubelet root directory. The `PodSecurityPolicy` type should be annotated with the allowed seccomp profiles using the key -`security.alpha.kubernetes.io/allowedSeccompProfileNames`. The value of this +`seccomp.security.alpha.kubernetes.io/allowedProfileNames`. The value of this key should be a comma delimited list. ## Examples @@ -255,7 +255,7 @@ kind: Pod metadata: name: trustworthy-pod annotations: - security.alpha.kubernetes.io/seccomp/pod: unconfined + seccomp.security.alpha.kubernetes.io/pod: unconfined spec: containers: - name: trustworthy-container @@ -273,7 +273,7 @@ kind: Pod metadata: name: explorer annotations: - security.alpha.kubernetes.io/seccomp/container/explorer: localhost/example-explorer-profile + container.seccomp.security.alpha.kubernetes.io/explorer: localhost/example-explorer-profile spec: containers: - name: explorer diff --git a/pkg/kubelet/dockertools/manager.go b/pkg/kubelet/dockertools/manager.go index 282afd87a40..d8943cd54ac 100644 --- a/pkg/kubelet/dockertools/manager.go +++ b/pkg/kubelet/dockertools/manager.go @@ -993,10 +993,10 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string, return nil, nil } - profile, profileOK := pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/container/"+ctrName] + profile, profileOK := pod.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+ctrName] if !profileOK { // try the pod profile - profile, profileOK = pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/pod"] + profile, profileOK = pod.ObjectMeta.Annotations["seccomp.security.alpha.kubernetes.io/pod"] if !profileOK { // return early the default return defaultSecurityOpt, nil diff --git a/pkg/kubelet/dockertools/manager_test.go b/pkg/kubelet/dockertools/manager_test.go index 63c3bca13ea..cd3267c4e28 100644 --- a/pkg/kubelet/dockertools/manager_test.go +++ b/pkg/kubelet/dockertools/manager_test.go @@ -1762,7 +1762,7 @@ func TestUnconfinedSeccompProfileWithDockerV110(t *testing.T) { Name: "foo4", Namespace: "new", Annotations: map[string]string{ - "security.alpha.kubernetes.io/seccomp/pod": "unconfined", + "seccomp.security.alpha.kubernetes.io/pod": "unconfined", }, }, Spec: api.PodSpec{ @@ -1804,7 +1804,7 @@ func TestDefaultSeccompProfileWithDockerV110(t *testing.T) { Name: "foo1", Namespace: "new", Annotations: map[string]string{ - "security.alpha.kubernetes.io/seccomp/pod": "docker/default", + "seccomp.security.alpha.kubernetes.io/pod": "docker/default", }, }, Spec: api.PodSpec{ @@ -1846,8 +1846,8 @@ func TestSeccompContainerAnnotationTrumpsPod(t *testing.T) { Name: "foo2", Namespace: "new", Annotations: map[string]string{ - "security.alpha.kubernetes.io/seccomp/pod": "unconfined", - "security.alpha.kubernetes.io/seccomp/container/bar2": "docker/default", + "seccomp.security.alpha.kubernetes.io/pod": "unconfined", + "container.seccomp.security.alpha.kubernetes.io/bar2": "docker/default", }, }, Spec: api.PodSpec{ From 12346d51716369013da59bb989b93ccc6b9fa10a Mon Sep 17 00:00:00 2001 From: "Dr. Stefan Schimanski" Date: Mon, 6 Jun 2016 12:24:08 +0200 Subject: [PATCH 2/3] Fix seccomp prefix check --- pkg/kubelet/dockertools/manager.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/kubelet/dockertools/manager.go b/pkg/kubelet/dockertools/manager.go index d8943cd54ac..2de6d37ed2d 100644 --- a/pkg/kubelet/dockertools/manager.go +++ b/pkg/kubelet/dockertools/manager.go @@ -1013,7 +1013,7 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string, return nil, nil } - if !strings.HasPrefix(profile, "localhost") { + if !strings.HasPrefix(profile, "localhost/") { return nil, fmt.Errorf("unknown seccomp profile option: %s", profile) } From ca7be7dc6d566980f5bfc85add965d40d55a269c Mon Sep 17 00:00:00 2001 From: "Dr. Stefan Schimanski" Date: Mon, 6 Jun 2016 14:05:26 +0200 Subject: [PATCH 3/3] Add e2e tests for seccomp --- test/e2e/security_context.go | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/test/e2e/security_context.go b/test/e2e/security_context.go index a0d41b5f3f5..af9d3bac33f 100644 --- a/test/e2e/security_context.go +++ b/test/e2e/security_context.go @@ -37,8 +37,9 @@ func scTestPod(hostIPC bool, hostPID bool) *api.Pod { podName := "security-context-" + string(util.NewUUID()) pod := &api.Pod{ ObjectMeta: api.ObjectMeta{ - Name: podName, - Labels: map[string]string{"name": podName}, + Name: podName, + Labels: map[string]string{"name": podName}, + Annotations: map[string]string{}, }, Spec: api.PodSpec{ SecurityContext: &api.PodSecurityContext{ @@ -106,6 +107,37 @@ var _ = framework.KubeDescribe("Security Context [Feature:SecurityContext]", fun testPodSELinuxLabeling(f, false, true) }) + It("should support seccomp alpha unconfined annotation on the container [Feature:Seccomp]", func() { + // TODO: port to SecurityContext as soon as seccomp is out of alpha + pod := scTestPod(false, false) + pod.Annotations["container.seccomp.security.alpha.kubernetes.io/test-container"] = "unconfined" + pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "docker/default" + pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"} + f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled + }) + + It("should support seccomp alpha unconfined annotation on the pod [Feature:Seccomp]", func() { + // TODO: port to SecurityContext as soon as seccomp is out of alpha + pod := scTestPod(false, false) + pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "unconfined" + pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"} + f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled + }) + + It("should support seccomp alpha docker/default annotation [Feature:Seccomp]", func() { + // TODO: port to SecurityContext as soon as seccomp is out of alpha + pod := scTestPod(false, false) + pod.Annotations["container.seccomp.security.alpha.kubernetes.io/test-container"] = "docker/default" + pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"} + f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"2"}) // seccomp filtered + }) + + It("should support seccomp default which is unconfined [Feature:Seccomp]", func() { + // TODO: port to SecurityContext as soon as seccomp is out of alpha + pod := scTestPod(false, false) + pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"} + f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled + }) }) func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool) {