github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 21:47:07 +00:00
Code Issues Projects Releases Wiki Activity

Implement PodSecurityPolicy enforcement for seccomp GA

Browse Source 
This implements the necessary pieced for the PodSecurityPolicy
enforcement like described in the appropriate KEP section:

https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/20190717-seccomp-ga.md#podsecuritypolicy-enforcement

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
This commit is contained in:
Sascha Grunert 2020-07-07 11:10:29 +02:00
parent 26f0227019
commit 96fb83c4c1
No known key found for this signature in database
GPG Key ID: 8CE029DD1A866E52
6 changed files with 159 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
pkg/api/pod/util.go
View File

@ -734,3 +734,58 @@ func setHostnameAsFQDNInUse(podSpec *api.PodSpec) bool {
} }
return *podSpec.SetHostnameAsFQDN return *podSpec.SetHostnameAsFQDN
} }
// SeccompAnnotationForField takes a pod seccomp profile field and returns the
// converted annotation value
func SeccompAnnotationForField(field *api.SeccompProfile) string {
// If only seccomp fields are specified, add the corresponding annotations.
// This ensures that the fields are enforced even if the node version
// trails the API version
switch field.Type {
case api.SeccompProfileTypeUnconfined:
return v1.SeccompProfileNameUnconfined
case api.SeccompProfileTypeRuntimeDefault:
return v1.SeccompProfileRuntimeDefault
case api.SeccompProfileTypeLocalhost:
if field.LocalhostProfile != nil {
return v1.SeccompLocalhostProfileNamePrefix + *field.LocalhostProfile
}
}
// we can only reach this code path if the LocalhostProfile is nil but the
// provided field type is SeccompProfileTypeLocalhost or if an unrecognized
// type is specified
return ""
}
// SeccompFieldForAnnotation takes a pod annotation and returns the converted
// seccomp profile field.
func SeccompFieldForAnnotation(annotation string) *api.SeccompProfile {
// If only seccomp annotations are specified, copy the values into the
// corresponding fields. This ensures that existing applications continue
// to enforce seccomp, and prevents the kubelet from needing to resolve
// annotations & fields.
if annotation == v1.SeccompProfileNameUnconfined {
return &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
}
if annotation == api.SeccompProfileRuntimeDefault || annotation == api.DeprecatedSeccompProfileDockerDefault {
return &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}
}
if strings.HasPrefix(annotation, v1.SeccompLocalhostProfileNamePrefix) {
localhostProfile := strings.TrimPrefix(annotation, v1.SeccompLocalhostProfileNamePrefix)
if localhostProfile != "" {
return &api.SeccompProfile{
Type: api.SeccompProfileTypeLocalhost,
LocalhostProfile: &localhostProfile,
}
}
}
// we can only reach this code path if the localhostProfile name has a zero
// length or if the annotation has an unrecognized value
return nil
}

63
pkg/registry/core/pod/strategy.go
View File

@ -587,7 +587,7 @@ func applySeccompVersionSkew(pod *api.Pod) {
// sync field and annotation // sync field and annotation
if hasField && !hasAnnotation { if hasField && !hasAnnotation {
newAnnotation := seccompAnnotationForField(field) newAnnotation := podutil.SeccompAnnotationForField(field)
if newAnnotation != "" { if newAnnotation != "" {
if pod.Annotations == nil { if pod.Annotations == nil {
@ -596,7 +596,7 @@ func applySeccompVersionSkew(pod *api.Pod) {
pod.Annotations[v1.SeccompPodAnnotationKey] = newAnnotation pod.Annotations[v1.SeccompPodAnnotationKey] = newAnnotation
} }
} else if hasAnnotation && !hasField { } else if hasAnnotation && !hasField {
newField := seccompFieldForAnnotation(annotation) newField := podutil.SeccompFieldForAnnotation(annotation)
if newField != nil { if newField != nil {
if pod.Spec.SecurityContext == nil { if pod.Spec.SecurityContext == nil {
@ -621,7 +621,7 @@ func applySeccompVersionSkew(pod *api.Pod) {
// sync field and annotation // sync field and annotation
if hasField && !hasAnnotation { if hasField && !hasAnnotation {
newAnnotation := seccompAnnotationForField(field) newAnnotation := podutil.SeccompAnnotationForField(field)
if newAnnotation != "" { if newAnnotation != "" {
if pod.Annotations == nil { if pod.Annotations == nil {
@ -630,7 +630,7 @@ func applySeccompVersionSkew(pod *api.Pod) {
pod.Annotations[key] = newAnnotation pod.Annotations[key] = newAnnotation
} }
} else if hasAnnotation && !hasField { } else if hasAnnotation && !hasField {
newField := seccompFieldForAnnotation(annotation) newField := podutil.SeccompFieldForAnnotation(annotation)
if newField != nil { if newField != nil {
if ctr.SecurityContext == nil { if ctr.SecurityContext == nil {
@ -643,58 +643,3 @@ func applySeccompVersionSkew(pod *api.Pod) {
return true return true
}) })
} }
// seccompFieldForAnnotation takes a pod seccomp profile field and returns the
// converted annotation value
func seccompAnnotationForField(field *api.SeccompProfile) string {
// If only seccomp fields are specified, add the corresponding annotations.
// This ensures that the fields are enforced even if the node version
// trails the API version
switch field.Type {
case api.SeccompProfileTypeUnconfined:
return v1.SeccompProfileNameUnconfined
case api.SeccompProfileTypeRuntimeDefault:
return v1.SeccompProfileRuntimeDefault
case api.SeccompProfileTypeLocalhost:
if field.LocalhostProfile != nil {
return v1.SeccompLocalhostProfileNamePrefix + *field.LocalhostProfile
}
}
// we can only reach this code path if the LocalhostProfile is nil but the
// provided field type is SeccompProfileTypeLocalhost or if an unrecognized
// type is specified
return ""
}
// seccompFieldForAnnotation takes a pod annotation and returns the converted
// seccomp profile field.
func seccompFieldForAnnotation(annotation string) *api.SeccompProfile {
// If only seccomp annotations are specified, copy the values into the
// corresponding fields. This ensures that existing applications continue
// to enforce seccomp, and prevents the kubelet from needing to resolve
// annotations & fields.
if annotation == v1.SeccompProfileNameUnconfined {
return &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
}
if annotation == api.SeccompProfileRuntimeDefault || annotation == api.DeprecatedSeccompProfileDockerDefault {
return &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}
}
if strings.HasPrefix(annotation, v1.SeccompLocalhostProfileNamePrefix) {
localhostProfile := strings.TrimPrefix(annotation, v1.SeccompLocalhostProfileNamePrefix)
if localhostProfile != "" {
return &api.SeccompProfile{
Type: api.SeccompProfileTypeLocalhost,
LocalhostProfile: &localhostProfile,
}
}
}
// we can only reach this code path if the localhostProfile name has a zero
// length or if the annotation has an unrecognized value
return nil
}

2
pkg/security/podsecuritypolicy/seccomp/BUILD
View File

@ -11,6 +11,7 @@ go_library(
srcs = ["strategy.go"], srcs = ["strategy.go"],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp", importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp",
deps = [ deps = [
"//pkg/api/pod:go_default_library",
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
], ],
@ -22,6 +23,7 @@ go_test(
embed = [":go_default_library"], embed = [":go_default_library"],
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
], ],
) )

19
pkg/security/podsecuritypolicy/seccomp/strategy.go
View File

@ -21,6 +21,7 @@ import (
"strings" "strings"
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
podutil "k8s.io/kubernetes/pkg/api/pod"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
) )
@ -83,6 +84,10 @@ func (s *strategy) Generate(annotations map[string]string, pod *api.Pod) (string
// Profile already set, nothing to do. // Profile already set, nothing to do.
return annotations[api.SeccompPodAnnotationKey], nil return annotations[api.SeccompPodAnnotationKey], nil
} }
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
// Profile field already set, translate to annotation
return podutil.SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile), nil
}
return s.defaultProfile, nil return s.defaultProfile, nil
} }
@ -92,6 +97,10 @@ func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}
podSpecFieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey) podSpecFieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)
podProfile := pod.Annotations[api.SeccompPodAnnotationKey] podProfile := pod.Annotations[api.SeccompPodAnnotationKey]
// if the annotation is not set, see if the field is set and derive the corresponding annotation value
if len(podProfile) == 0 && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
podProfile = podutil.SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
}
if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && podProfile != "" { if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && podProfile != "" {
allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, "seccomp may not be set")) allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, "seccomp may not be set"))
@ -141,9 +150,19 @@ func (s *strategy) profileAllowed(profile string) bool {
// profileForContainer returns the container profile if set, otherwise the pod profile. // profileForContainer returns the container profile if set, otherwise the pod profile.
func profileForContainer(pod *api.Pod, container *api.Container) string { func profileForContainer(pod *api.Pod, container *api.Container) string {
if container.SecurityContext != nil && container.SecurityContext.SeccompProfile != nil {
// derive the annotation value from the container field
return podutil.SeccompAnnotationForField(container.SecurityContext.SeccompProfile)
}
containerProfile, ok := pod.Annotations[api.SeccompContainerAnnotationKeyPrefix+container.Name] containerProfile, ok := pod.Annotations[api.SeccompContainerAnnotationKeyPrefix+container.Name]
if ok { if ok {
// return the existing container annotation
return containerProfile return containerProfile
} }
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
// derive the annotation value from the pod field
return podutil.SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
}
// return the existing pod annotation
return pod.Annotations[api.SeccompPodAnnotationKey] return pod.Annotations[api.SeccompPodAnnotationKey]
} }

79
pkg/security/podsecuritypolicy/seccomp/strategy_test.go
View File

@ -21,6 +21,7 @@ import (
"strings" "strings"
"testing" "testing"
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
) )
@ -41,6 +42,9 @@ var (
allowSpecific = map[string]string{ allowSpecific = map[string]string{
AllowedProfilesAnnotationKey: "foo", AllowedProfilesAnnotationKey: "foo",
} }
allowSpecificLocalhost = map[string]string{
AllowedProfilesAnnotationKey: v1.SeccompLocalhostProfileNamePrefix + "foo",
}
) )
func TestNewStrategy(t *testing.T) { func TestNewStrategy(t *testing.T) {
@ -102,9 +106,11 @@ func TestNewStrategy(t *testing.T) {
} }
func TestGenerate(t *testing.T) { func TestGenerate(t *testing.T) {
bar := "bar"
tests := map[string]struct { tests := map[string]struct {
pspAnnotations map[string]string pspAnnotations map[string]string
podAnnotations map[string]string podAnnotations map[string]string
seccompProfile *api.SeccompProfile
expectedProfile string expectedProfile string
}{ }{
"no seccomp, no pod annotations": { "no seccomp, no pod annotations": {
@ -143,10 +149,25 @@ func TestGenerate(t *testing.T) {
}, },
expectedProfile: "bar", expectedProfile: "bar",
}, },
"seccomp with default, pod field": {
pspAnnotations: allowAnyDefault,
seccompProfile: &api.SeccompProfile{
Type: api.SeccompProfileTypeLocalhost,
LocalhostProfile: &bar,
},
expectedProfile: "localhost/bar",
},
} }
for k, v := range tests { for k, v := range tests {
s := NewStrategy(v.pspAnnotations) s := NewStrategy(v.pspAnnotations)
actual, err := s.Generate(v.podAnnotations, nil) actual, err := s.Generate(v.podAnnotations, &api.Pod{
Spec: api.PodSpec{
SecurityContext: &api.PodSecurityContext{
SeccompProfile: v.seccompProfile,
},
},
})
if err != nil { if err != nil {
t.Errorf("%s received error during generation %#v", k, err) t.Errorf("%s received error during generation %#v", k, err)
continue continue
@ -158,9 +179,11 @@ func TestGenerate(t *testing.T) {
} }
func TestValidatePod(t *testing.T) { func TestValidatePod(t *testing.T) {
foo := "foo"
tests := map[string]struct { tests := map[string]struct {
pspAnnotations map[string]string pspAnnotations map[string]string
podAnnotations map[string]string podAnnotations map[string]string
seccompProfile *api.SeccompProfile
expectedError string expectedError string
}{ }{
"no pod annotations, required profiles": { "no pod annotations, required profiles": {
@ -206,12 +229,44 @@ func TestValidatePod(t *testing.T) {
podAnnotations: nil, podAnnotations: nil,
expectedError: "", expectedError: "",
}, },
"valid pod annotations and field, required profiles": {
pspAnnotations: allowSpecific,
podAnnotations: map[string]string{
api.SeccompPodAnnotationKey: "foo",
},
seccompProfile: &api.SeccompProfile{
Type: api.SeccompProfileTypeLocalhost,
LocalhostProfile: &foo,
},
expectedError: "",
},
"valid pod field and no annotation, required profiles": {
pspAnnotations: allowSpecific,
seccompProfile: &api.SeccompProfile{
Type: api.SeccompProfileTypeLocalhost,
LocalhostProfile: &foo,
},
expectedError: "Forbidden: localhost/foo is not an allowed seccomp profile. Valid values are foo",
},
"valid pod field and no annotation, required profiles (localhost)": {
pspAnnotations: allowSpecificLocalhost,
seccompProfile: &api.SeccompProfile{
Type: api.SeccompProfileTypeLocalhost,
LocalhostProfile: &foo,
},
expectedError: "",
},
} }
for k, v := range tests { for k, v := range tests {
pod := &api.Pod{ pod := &api.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Annotations: v.podAnnotations, Annotations: v.podAnnotations,
}, },
Spec: api.PodSpec{
SecurityContext: &api.PodSecurityContext{
SeccompProfile: v.seccompProfile,
},
},
} }
s := NewStrategy(v.pspAnnotations) s := NewStrategy(v.pspAnnotations)
errs := s.ValidatePod(pod) errs := s.ValidatePod(pod)
@ -231,9 +286,12 @@ func TestValidatePod(t *testing.T) {
} }
func TestValidateContainer(t *testing.T) { func TestValidateContainer(t *testing.T) {
foo := "foo"
bar := "bar"
tests := map[string]struct { tests := map[string]struct {
pspAnnotations map[string]string pspAnnotations map[string]string
podAnnotations map[string]string podAnnotations map[string]string
seccompProfile *api.SeccompProfile
expectedError string expectedError string
}{ }{
"no pod annotations, required profiles": { "no pod annotations, required profiles": {
@ -293,6 +351,22 @@ func TestValidateContainer(t *testing.T) {
}, },
expectedError: "Forbidden: bar is not an allowed seccomp profile. Valid values are foo", expectedError: "Forbidden: bar is not an allowed seccomp profile. Valid values are foo",
}, },
"valid container field and no annotation, required profiles": {
pspAnnotations: allowSpecificLocalhost,
seccompProfile: &api.SeccompProfile{
Type: api.SeccompProfileTypeLocalhost,
LocalhostProfile: &foo,
},
expectedError: "",
},
"invalid container field and no annotation, required profiles": {
pspAnnotations: allowSpecificLocalhost,
seccompProfile: &api.SeccompProfile{
Type: api.SeccompProfileTypeLocalhost,
LocalhostProfile: &bar,
},
expectedError: "Forbidden: localhost/bar is not an allowed seccomp profile. Valid values are localhost/foo",
},
} }
for k, v := range tests { for k, v := range tests {
pod := &api.Pod{ pod := &api.Pod{
@ -302,6 +376,9 @@ func TestValidateContainer(t *testing.T) {
} }
container := &api.Container{ container := &api.Container{
Name: "container", Name: "container",
SecurityContext: &api.SecurityContext{
SeccompProfile: v.seccompProfile,
},
} }
s := NewStrategy(v.pspAnnotations) s := NewStrategy(v.pspAnnotations)

1
test/e2e/framework/.import-restrictions
View File

@ -6,6 +6,7 @@ rules:
- k8s.io/kubernetes/pkg/api/v1/pod - k8s.io/kubernetes/pkg/api/v1/pod
- k8s.io/kubernetes/pkg/api/v1/resource - k8s.io/kubernetes/pkg/api/v1/resource
- k8s.io/kubernetes/pkg/api/v1/service - k8s.io/kubernetes/pkg/api/v1/service
- k8s.io/kubernetes/pkg/api/pod
- k8s.io/kubernetes/pkg/apis/apps - k8s.io/kubernetes/pkg/apis/apps
- k8s.io/kubernetes/pkg/apis/apps/validation - k8s.io/kubernetes/pkg/apis/apps/validation
- k8s.io/kubernetes/pkg/apis/autoscaling - k8s.io/kubernetes/pkg/apis/autoscaling