mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-11-27 19:16:16 +00:00
security context initial implementation - squash
This commit is contained in:
Paul Weil
File diff suppressed because it is too large
Load Diff
@@ -45,3 +45,63 @@ func TestNodeConversion(t *testing.T) {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestBadSecurityContextConversion(t *testing.T) {
|
||||
priv := false
|
||||
testCases := map[string]struct {
|
||||
c *current.Container
|
||||
err string
|
||||
}{
|
||||
// this use case must use true for the container and false for the sc. Otherwise the defaulter
|
||||
// will assume privileged was left undefined (since it is the default value) and copy the
|
||||
// sc setting upwards
|
||||
"mismatched privileged": {
|
||||
c: ¤t.Container{
|
||||
Privileged: true,
|
||||
SecurityContext: ¤t.SecurityContext{
|
||||
Privileged: &priv,
|
||||
},
|
||||
},
|
||||
err: "container privileged settings do not match security context settings, cannot convert",
|
||||
},
|
||||
"mismatched caps add": {
|
||||
c: ¤t.Container{
|
||||
Capabilities: current.Capabilities{
|
||||
Add: []current.CapabilityType{"foo"},
|
||||
},
|
||||
SecurityContext: ¤t.SecurityContext{
|
||||
Capabilities: ¤t.Capabilities{
|
||||
Add: []current.CapabilityType{"bar"},
|
||||
},
|
||||
},
|
||||
},
|
||||
err: "container capability settings do not match security context settings, cannot convert",
|
||||
},
|
||||
"mismatched caps drop": {
|
||||
c: ¤t.Container{
|
||||
Capabilities: current.Capabilities{
|
||||
Drop: []current.CapabilityType{"foo"},
|
||||
},
|
||||
SecurityContext: ¤t.SecurityContext{
|
||||
Capabilities: ¤t.Capabilities{
|
||||
Drop: []current.CapabilityType{"bar"},
|
||||
},
|
||||
},
|
||||
},
|
||||
err: "container capability settings do not match security context settings, cannot convert",
|
||||
},
|
||||
}
|
||||
|
||||
for k, v := range testCases {
|
||||
got := newer.Container{}
|
||||
err := newer.Scheme.Convert(v.c, &got)
|
||||
if err == nil {
|
||||
t.Errorf("expected error for case %s but got none", k)
|
||||
} else {
|
||||
if err.Error() != v.err {
|
||||
t.Errorf("unexpected error for case %s. Expected: %s but got: %s", k, v.err, err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -21,6 +21,7 @@ import (
|
||||
|
||||
"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
|
||||
"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
|
||||
"github.com/golang/glog"
|
||||
)
|
||||
|
||||
func init() {
|
||||
@@ -66,6 +67,7 @@ func init() {
|
||||
if obj.TerminationMessagePath == "" {
|
||||
obj.TerminationMessagePath = TerminationMessagePathDefault
|
||||
}
|
||||
defaultSecurityContext(obj)
|
||||
},
|
||||
func(obj *ServiceSpec) {
|
||||
if obj.SessionAffinity == "" {
|
||||
@@ -156,3 +158,44 @@ func defaultHostNetworkPorts(containers *[]Container) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// defaultSecurityContext performs the downward and upward merges of a pod definition
|
||||
func defaultSecurityContext(container *Container) {
|
||||
if container.SecurityContext == nil {
|
||||
glog.V(4).Infof("creating security context for container %s", container.Name)
|
||||
container.SecurityContext = &SecurityContext{}
|
||||
}
|
||||
// if there are no capabilities defined on the SecurityContext then copy the container settings
|
||||
if container.SecurityContext.Capabilities == nil {
|
||||
glog.V(4).Infof("downward merge of container.Capabilities for container %s", container.Name)
|
||||
container.SecurityContext.Capabilities = &container.Capabilities
|
||||
} else {
|
||||
// if there are capabilities defined on the security context and the container setting is
|
||||
// empty then assume that it was left off the pod definition and ensure that the container
|
||||
// settings match the security context settings (checked by the convert functions). If
|
||||
// there are settings in both then don't touch it, the converter will error if they don't
|
||||
// match
|
||||
if len(container.Capabilities.Add) == 0 {
|
||||
glog.V(4).Infof("upward merge of container.Capabilities.Add for container %s", container.Name)
|
||||
container.Capabilities.Add = container.SecurityContext.Capabilities.Add
|
||||
}
|
||||
if len(container.Capabilities.Drop) == 0 {
|
||||
glog.V(4).Infof("upward merge of container.Capabilities.Drop for container %s", container.Name)
|
||||
container.Capabilities.Drop = container.SecurityContext.Capabilities.Drop
|
||||
}
|
||||
}
|
||||
// if there are no privileged settings on the security context then copy the container settings
|
||||
if container.SecurityContext.Privileged == nil {
|
||||
glog.V(4).Infof("downward merge of container.Privileged for container %s", container.Name)
|
||||
container.SecurityContext.Privileged = &container.Privileged
|
||||
} else {
|
||||
// we don't have a good way to know if container.Privileged was set or just defaulted to false
|
||||
// so the best we can do here is check if the securityContext is set to true and the
|
||||
// container is set to false and assume that the Privileged field was left off the container
|
||||
// definition and not an intentional mismatch
|
||||
if *container.SecurityContext.Privileged && !container.Privileged {
|
||||
glog.V(4).Infof("upward merge of container.Privileged for container %s", container.Name)
|
||||
container.Privileged = *container.SecurityContext.Privileged
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -349,3 +349,104 @@ func TestSetDefaultObjectFieldSelectorAPIVersion(t *testing.T) {
|
||||
t.Errorf("Expected default APIVersion v1beta3, got: %v", apiVersion)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetDefaultSecurityContext(t *testing.T) {
|
||||
priv := false
|
||||
privTrue := true
|
||||
testCases := map[string]struct {
|
||||
c current.Container
|
||||
}{
|
||||
"downward defaulting caps": {
|
||||
c: current.Container{
|
||||
Privileged: false,
|
||||
Capabilities: current.Capabilities{
|
||||
Add: []current.CapabilityType{"foo"},
|
||||
Drop: []current.CapabilityType{"bar"},
|
||||
},
|
||||
SecurityContext: ¤t.SecurityContext{
|
||||
Privileged: &priv,
|
||||
},
|
||||
},
|
||||
},
|
||||
"downward defaulting priv": {
|
||||
c: current.Container{
|
||||
Privileged: false,
|
||||
Capabilities: current.Capabilities{
|
||||
Add: []current.CapabilityType{"foo"},
|
||||
Drop: []current.CapabilityType{"bar"},
|
||||
},
|
||||
SecurityContext: ¤t.SecurityContext{
|
||||
Capabilities: ¤t.Capabilities{
|
||||
Add: []current.CapabilityType{"foo"},
|
||||
Drop: []current.CapabilityType{"bar"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"upward defaulting caps": {
|
||||
c: current.Container{
|
||||
Privileged: false,
|
||||
SecurityContext: ¤t.SecurityContext{
|
||||
Privileged: &priv,
|
||||
Capabilities: ¤t.Capabilities{
|
||||
Add: []current.CapabilityType{"biz"},
|
||||
Drop: []current.CapabilityType{"baz"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"upward defaulting priv": {
|
||||
c: current.Container{
|
||||
Capabilities: current.Capabilities{
|
||||
Add: []current.CapabilityType{"foo"},
|
||||
Drop: []current.CapabilityType{"bar"},
|
||||
},
|
||||
SecurityContext: ¤t.SecurityContext{
|
||||
Privileged: &privTrue,
|
||||
Capabilities: ¤t.Capabilities{
|
||||
Add: []current.CapabilityType{"foo"},
|
||||
Drop: []current.CapabilityType{"bar"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
pod := ¤t.Pod{
|
||||
Spec: current.PodSpec{},
|
||||
}
|
||||
|
||||
for k, v := range testCases {
|
||||
pod.Spec.Containers = []current.Container{v.c}
|
||||
obj := roundTrip(t, runtime.Object(pod))
|
||||
defaultedPod := obj.(*current.Pod)
|
||||
c := defaultedPod.Spec.Containers[0]
|
||||
if isEqual, issues := areSecurityContextAndContainerEqual(&c); !isEqual {
|
||||
t.Errorf("test case %s expected the security context to have the same values as the container but found %#v", k, issues)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func areSecurityContextAndContainerEqual(c *current.Container) (bool, []string) {
|
||||
issues := make([]string, 0)
|
||||
equal := true
|
||||
|
||||
if c.SecurityContext == nil || c.SecurityContext.Privileged == nil || c.SecurityContext.Capabilities == nil {
|
||||
equal = false
|
||||
issues = append(issues, "Expected non nil settings for SecurityContext")
|
||||
return equal, issues
|
||||
}
|
||||
if *c.SecurityContext.Privileged != c.Privileged {
|
||||
equal = false
|
||||
issues = append(issues, "The defaulted SecurityContext.Privileged value did not match the container value")
|
||||
}
|
||||
if !reflect.DeepEqual(c.Capabilities.Add, c.Capabilities.Add) {
|
||||
equal = false
|
||||
issues = append(issues, "The defaulted SecurityContext.Capabilities.Add did not match the container settings")
|
||||
}
|
||||
if !reflect.DeepEqual(c.Capabilities.Drop, c.Capabilities.Drop) {
|
||||
equal = false
|
||||
issues = append(issues, "The defaulted SecurityContext.Capabilities.Drop did not match the container settings")
|
||||
}
|
||||
return equal, issues
|
||||
}
|
||||
|
||||
@@ -636,12 +636,14 @@ type Container struct {
|
||||
Lifecycle *Lifecycle `json:"lifecycle,omitempty" description:"actions that the management system should take in response to container lifecycle events; cannot be updated"`
|
||||
// Optional: Defaults to /dev/termination-log
|
||||
TerminationMessagePath string `json:"terminationMessagePath,omitempty" description:"path at which the file to which the container's termination message will be written is mounted into the container's filesystem; message written is intended to be brief final status, such as an assertion failure message; defaults to /dev/termination-log; cannot be updated"`
|
||||
// Optional: Default to false.
|
||||
Privileged bool `json:"privileged,omitempty" description:"whether or not the container is granted privileged status; defaults to false; cannot be updated"`
|
||||
// Deprecated - see SecurityContext. Optional: Default to false.
|
||||
Privileged bool `json:"privileged,omitempty" description:"whether or not the container is granted privileged status; defaults to false; cannot be updated; deprecated; See SecurityContext."`
|
||||
// Optional: Policy for pulling images for this container
|
||||
ImagePullPolicy PullPolicy `json:"imagePullPolicy" description:"image pull policy; one of PullAlways, PullNever, PullIfNotPresent; defaults to PullAlways if :latest tag is specified, or PullIfNotPresent otherwise; cannot be updated"`
|
||||
// Optional: Capabilities for container.
|
||||
Capabilities Capabilities `json:"capabilities,omitempty" description:"capabilities for container; cannot be updated"`
|
||||
// Deprecated - see SecurityContext. Optional: Capabilities for container.
|
||||
Capabilities Capabilities `json:"capabilities,omitempty" description:"capabilities for container; cannot be updated; deprecated; See SecurityContext."`
|
||||
// Optional: SecurityContext defines the security options the pod should be run with
|
||||
SecurityContext *SecurityContext `json:"securityContext,omitempty" description:"security options the pod should run with"`
|
||||
}
|
||||
|
||||
// Handler defines a specific action that should be taken
|
||||
@@ -1735,3 +1737,39 @@ type ComponentStatusList struct {
|
||||
|
||||
Items []ComponentStatus `json:"items" description:"list of component status objects"`
|
||||
}
|
||||
|
||||
// SecurityContext holds security configuration that will be applied to a container. SecurityContext
|
||||
// contains duplication of some existing fields from the Container resource. These duplicate fields
|
||||
// will be populated based on the Container configuration if they are not set. Defining them on
|
||||
// both the Container AND the SecurityContext will result in an error.
|
||||
type SecurityContext struct {
|
||||
// Capabilities are the capabilities to add/drop when running the container
|
||||
// Must match Container.Capabilities or be unset. Will be defaulted to Container.Capabilities if left unset
|
||||
Capabilities *Capabilities `json:"capabilities,omitempty" description:"the linux capabilites that should be added or removed"`
|
||||
|
||||
// Run the container in privileged mode
|
||||
// Must match Container.Privileged or be unset. Will be defaulted to Container.Privileged if left unset
|
||||
Privileged *bool `json:"privileged,omitempty" description:"run the container in privileged mode"`
|
||||
|
||||
// SELinuxOptions are the labels to be applied to the container
|
||||
// and volumes
|
||||
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" description:"options that control the SELinux labels applied"`
|
||||
|
||||
// RunAsUser is the UID to run the entrypoint of the container process.
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty" description:"the user id that runs the first process in the container"`
|
||||
}
|
||||
|
||||
// SELinuxOptions are the labels to be applied to the container.
|
||||
type SELinuxOptions struct {
|
||||
// SELinux user label
|
||||
User string `json:"user,omitempty" description:"the user label to apply to the container"`
|
||||
|
||||
// SELinux role label
|
||||
Role string `json:"role,omitempty" description:"the role label to apply to the container"`
|
||||
|
||||
// SELinux type label
|
||||
Type string `json:"type,omitempty" description:"the type label to apply to the container"`
|
||||
|
||||
// SELinux level label.
|
||||
Level string `json:"level,omitempty" description:"the level label to apply to the container"`
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user