Merge pull request #64009 from feiskyer/windows-security-context

Automatic merge from submit-queue (batch tested with PRs 64009, 64780, 64354, 64727, 63650). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Kubelet: Add security context for Windows containers

**What this PR does / why we need it**:

This PR adds windows containers to Kubelet CRI and also implements security context setting for docker containers.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

RunAsUser from Kubernetes API only accept int64 today, which is not supported on Windows. It should be changed to intstr for working with both Windows and Linux containers in a separate PR.

**Release note**:

```release-note
Kubelet: Add security context for Windows containers
```

/cc @PatrickLang @taylorb-microsoft @michmike @JiangtianLi @yujuhong @dchen1107

pkg/kubelet/apis/cri/runtime/v1alpha2/api.proto

@@ -597,11 +597,21 @@ message LinuxContainerConfig {
     LinuxContainerSecurityContext security_context = 2;
 }
 
+// WindowsContainerSecurityContext holds windows security configuration that will be applied to a container.
+message WindowsContainerSecurityContext {
+    // User name to run the container process as. If specified, the user MUST
+    // exist in the container image and be resolved there by the runtime;
+    // otherwise, the runtime MUST return error.
+    string run_as_username = 1;
+}
+
 // WindowsContainerConfig contains platform-specific configuration for
 // Windows-based containers.
 message WindowsContainerConfig {
     // Resources specification for the container.
     WindowsContainerResources resources = 1;
+    // WindowsContainerSecurityContext configuration for the container.
+    WindowsContainerSecurityContext security_context = 2;
 }
 
 // WindowsContainerResources specifies Windows specific configuration for

pkg/kubelet/dockershim/helpers_windows.go

@@ -76,6 +76,9 @@ func (ds *dockerService) updateCreateConfig(
 				CPUPercent: rOpts.CpuMaximum,
 			}
 		}
+
+		// Apply security context.
+		applyWindowsContainerSecurityContext(wc.GetSecurityContext(), createConfig.Config, createConfig.HostConfig)
 	}
 
 	applyExperimentalCreateConfig(createConfig, sandboxConfig.Annotations)
@@ -83,6 +86,17 @@ func (ds *dockerService) updateCreateConfig(
 	return nil
 }
 
+// applyWindowsContainerSecurityContext updates docker container options according to security context.
+func applyWindowsContainerSecurityContext(wsc *runtimeapi.WindowsContainerSecurityContext, config *dockercontainer.Config, hc *dockercontainer.HostConfig) {
+	if wsc == nil {
+		return
+	}
+
+	if wsc.GetRunAsUsername() != "" {
+		config.User = wsc.GetRunAsUsername()
+	}
+}
+
 func (ds *dockerService) determinePodIPBySandboxID(sandboxID string, sandbox *dockertypes.ContainerJSON) string {
 	// Versions and feature support
 	// ============================

pkg/kubelet/kuberuntime/kuberuntime_container_windows.go

@@ -19,24 +19,32 @@ limitations under the License.
 package kuberuntime
 
 import (
+	"fmt"
 	"github.com/docker/docker/pkg/sysinfo"
 
 	"k8s.io/api/core/v1"
 	kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
 	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
+	"k8s.io/kubernetes/pkg/securitycontext"
 )
 
 // applyPlatformSpecificContainerConfig applies platform specific configurations to runtimeapi.ContainerConfig.
 func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config *runtimeapi.ContainerConfig, container *v1.Container, pod *v1.Pod, uid *int64, username string) error {
-	config.Windows = m.generateWindowsContainerConfig(container, pod, uid, username)
+	windowsConfig, err := m.generateWindowsContainerConfig(container, pod, uid, username)
+	if err != nil {
+		return err
+	}
+
+	config.Windows = windowsConfig
 	return nil
 }
 
 // generateWindowsContainerConfig generates windows container config for kubelet runtime v1.
 // Refer https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/cri-windows.md.
-func (m *kubeGenericRuntimeManager) generateWindowsContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string) *runtimeapi.WindowsContainerConfig {
+func (m *kubeGenericRuntimeManager) generateWindowsContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string) (*runtimeapi.WindowsContainerConfig, error) {
 	wc := &runtimeapi.WindowsContainerConfig{
-		Resources: &runtimeapi.WindowsContainerResources{},
+		Resources:       &runtimeapi.WindowsContainerResources{},
+		SecurityContext: &runtimeapi.WindowsContainerSecurityContext{},
 	}
 
 	cpuRequest := container.Resources.Requests.Cpu()
@@ -77,5 +85,15 @@ func (m *kubeGenericRuntimeManager) generateWindowsContainerConfig(container *v1
 		wc.Resources.MemoryLimitInBytes = memoryLimit
 	}
 
-	return wc
+	// setup security context
+	effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
+	// RunAsUser only supports int64 from Kubernetes API, but Windows containers only support username.
+	if effectiveSc.RunAsUser != nil {
+		return nil, fmt.Errorf("run as uid (%d) is not supported on Windows", *effectiveSc.RunAsUser)
+	}
+	if username != "" {
+		wc.SecurityContext.RunAsUsername = username
+	}
+
+	return wc, nil
 }