Set extra supplemental groups for rkt

Matthew Wong 2016-07-22 17:43:24 -04:00
parent cbdd121d2d
commit ae1575b5cc
3 changed files with 42 additions and 26 deletions


@ -175,6 +175,10 @@ func (f *fakeRuntimeHelper) GetPodDir(podUID types.UID) string {
return "/poddir/" + string(podUID) return "/poddir/" + string(podUID)
} }
func (f *fakeRuntimeHelper) GetExtraSupplementalGroupsForPod(pod *api.Pod) []int64 {
return nil
}
type fakeRktCli struct { type fakeRktCli struct {
sync.Mutex sync.Mutex
cmds []string cmds []string


@ -510,9 +510,11 @@ func verifyNonRoot(app *appctypes.App, ctx *api.SecurityContext) error {
return nil return nil
} }
func setSupplementaryGIDs(app *appctypes.App, podCtx *api.PodSecurityContext) { func setSupplementalGIDs(app *appctypes.App, podCtx *api.PodSecurityContext, supplementalGids []int64) {
if podCtx != nil { if podCtx != nil || len(supplementalGids) != 0 {
app.SupplementaryGIDs = app.SupplementaryGIDs[:0] app.SupplementaryGIDs = app.SupplementaryGIDs[:0]
}
if podCtx != nil {
for _, v := range podCtx.SupplementalGroups { for _, v := range podCtx.SupplementalGroups {
app.SupplementaryGIDs = append(app.SupplementaryGIDs, int(v)) app.SupplementaryGIDs = append(app.SupplementaryGIDs, int(v))
} }
@ -520,10 +522,13 @@ func setSupplementaryGIDs(app *appctypes.App, podCtx *api.PodSecurityContext) {
app.SupplementaryGIDs = append(app.SupplementaryGIDs, int(*podCtx.FSGroup)) app.SupplementaryGIDs = append(app.SupplementaryGIDs, int(*podCtx.FSGroup))
} }
} }
for _, v := range supplementalGids {
app.SupplementaryGIDs = append(app.SupplementaryGIDs, int(v))
}
} }
// setApp merges the container spec with the image's manifest. // setApp merges the container spec with the image's manifest.
func setApp(imgManifest *appcschema.ImageManifest, c *api.Container, opts *kubecontainer.RunContainerOptions, ctx *api.SecurityContext, podCtx *api.PodSecurityContext) error { func setApp(imgManifest *appcschema.ImageManifest, c *api.Container, opts *kubecontainer.RunContainerOptions, ctx *api.SecurityContext, podCtx *api.PodSecurityContext, supplementalGids []int64) error {
app := imgManifest.App app := imgManifest.App
// Set up Exec. // Set up Exec.
@ -564,7 +569,7 @@ func setApp(imgManifest *appcschema.ImageManifest, c *api.Container, opts *kubec
if ctx != nil && ctx.RunAsUser != nil { if ctx != nil && ctx.RunAsUser != nil {
app.User = strconv.Itoa(int(*ctx.RunAsUser)) app.User = strconv.Itoa(int(*ctx.RunAsUser))
} }
setSupplementaryGIDs(app, podCtx) setSupplementalGIDs(app, podCtx, supplementalGids)
// If 'User' or 'Group' are still empty at this point, // If 'User' or 'Group' are still empty at this point,
// then apply the root UID and GID. // then apply the root UID and GID.
@ -806,8 +811,9 @@ func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, podIP string, c api.Container,
}) })
} }
supplementalGids := r.runtimeHelper.GetExtraSupplementalGroupsForPod(pod)
ctx := securitycontext.DetermineEffectiveSecurityContext(pod, &c) ctx := securitycontext.DetermineEffectiveSecurityContext(pod, &c)
if err := setApp(imgManifest, &c, opts, ctx, pod.Spec.SecurityContext); err != nil { if err := setApp(imgManifest, &c, opts, ctx, pod.Spec.SecurityContext, supplementalGids); err != nil {
return err return err
} }
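Review bot: The widened reset condition `if podCtx != nil || len(supplementalGids) != 0` in setSupplementalGIDs now discards the image manifest's supplementaryGIDs whenever the runtime helper returns any extra GIDs, even when the pod has no security context — previously the image's list survived in that case, and this behavior change is not called out anywhere in the hunk or the commit message. The three appends (SupplementalGroups, FSGroup, the extra GIDs) also do no de-duplication, so an FSGroup or helper-supplied GID that coincides with a listed group produces repeated entries in the app manifest; whether rkt tolerates that is not visible here and is worth confirming. Since the extra GIDs come from r.runtimeHelper rather than from the pod spec that admission/policy layers validate, the caller at newAppcRuntimeApp should make sure that source is trusted, as these values directly widen the process's group set. The function has no doc comment; I would add `// setSupplementalGIDs replaces the image's supplementary GIDs with the pod's SupplementalGroups, FSGroup and any extra GIDs supplied by the runtime helper; the image's own list is kept only when none of these is present.` Note that setSupplementalGIDs spans the gap between the first two hunks (the FSGroup nil check is not shown), and setApp continues outside them.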


@ -940,21 +940,23 @@ func TestSetApp(t *testing.T) {
fsgid := int64(3) fsgid := int64(3)
tests := []struct { tests := []struct {
container *api.Container container *api.Container
opts *kubecontainer.RunContainerOptions opts *kubecontainer.RunContainerOptions
ctx *api.SecurityContext ctx *api.SecurityContext
podCtx *api.PodSecurityContext podCtx *api.PodSecurityContext
expect *appctypes.App supplementalGids []int64
err error expect *appctypes.App
err error
}{ }{
// Nothing should change, but the "User" and "Group" should be filled. // Nothing should change, but the "User" and "Group" should be filled.
{ {
container: &api.Container{}, container: &api.Container{},
opts: &kubecontainer.RunContainerOptions{}, opts: &kubecontainer.RunContainerOptions{},
ctx: nil, ctx: nil,
podCtx: nil, podCtx: nil,
expect: baseAppWithRootUserGroup(t), supplementalGids: nil,
err: nil, expect: baseAppWithRootUserGroup(t),
err: nil,
}, },
// error verifying non-root. // error verifying non-root.
@ -965,9 +967,10 @@ func TestSetApp(t *testing.T) {
RunAsNonRoot: &runAsNonRootTrue, RunAsNonRoot: &runAsNonRootTrue,
RunAsUser: &rootUser, RunAsUser: &rootUser,
}, },
podCtx: nil, podCtx: nil,
expect: nil, supplementalGids: nil,
err: fmt.Errorf("container has no runAsUser and image will run as root"), expect: nil,
err: fmt.Errorf("container has no runAsUser and image will run as root"),
}, },
// app's args should be changed. // app's args should be changed.
@ -975,9 +978,10 @@ func TestSetApp(t *testing.T) {
container: &api.Container{ container: &api.Container{
Args: []string{"foo"}, Args: []string{"foo"},
}, },
opts: &kubecontainer.RunContainerOptions{}, opts: &kubecontainer.RunContainerOptions{},
ctx: nil, ctx: nil,
podCtx: nil, podCtx: nil,
supplementalGids: nil,
expect: &appctypes.App{ expect: &appctypes.App{
Exec: appctypes.Exec{"/bin/foo", "foo"}, Exec: appctypes.Exec{"/bin/foo", "foo"},
User: "0", User: "0",
@ -1036,11 +1040,12 @@ func TestSetApp(t *testing.T) {
SupplementalGroups: []int64{1, 2}, SupplementalGroups: []int64{1, 2},
FSGroup: &fsgid, FSGroup: &fsgid,
}, },
supplementalGids: []int64{4},
expect: &appctypes.App{ expect: &appctypes.App{
Exec: appctypes.Exec{"/bin/bar", "foo"}, Exec: appctypes.Exec{"/bin/bar", "foo"},
User: "42", User: "42",
Group: "0", Group: "0",
SupplementaryGIDs: []int{1, 2, 3}, SupplementaryGIDs: []int{1, 2, 3, 4},
WorkingDirectory: tmpDir, WorkingDirectory: tmpDir,
Environment: []appctypes.EnvironmentVariable{ Environment: []appctypes.EnvironmentVariable{
{"env-foo", "bar"}, {"env-foo", "bar"},
@ -1099,11 +1104,12 @@ func TestSetApp(t *testing.T) {
SupplementalGroups: []int64{1, 2}, SupplementalGroups: []int64{1, 2},
FSGroup: &fsgid, FSGroup: &fsgid,
}, },
supplementalGids: []int64{4},
expect: &appctypes.App{ expect: &appctypes.App{
Exec: appctypes.Exec{"/bin/hello", "foo", "hello", "world", "bar"}, Exec: appctypes.Exec{"/bin/hello", "foo", "hello", "world", "bar"},
User: "42", User: "42",
Group: "0", Group: "0",
SupplementaryGIDs: []int{1, 2, 3}, SupplementaryGIDs: []int{1, 2, 3, 4},
WorkingDirectory: tmpDir, WorkingDirectory: tmpDir,
Environment: []appctypes.EnvironmentVariable{ Environment: []appctypes.EnvironmentVariable{
{"env-foo", "foo"}, {"env-foo", "foo"},
@ -1128,7 +1134,7 @@ func TestSetApp(t *testing.T) {
for i, tt := range tests { for i, tt := range tests {
testCaseHint := fmt.Sprintf("test case #%d", i) testCaseHint := fmt.Sprintf("test case #%d", i)
img := baseImageManifest(t) img := baseImageManifest(t)
err := setApp(img, tt.container, tt.opts, tt.ctx, tt.podCtx) err := setApp(img, tt.container, tt.opts, tt.ctx, tt.podCtx, tt.supplementalGids)
if err == nil && tt.err != nil || err != nil && tt.err == nil { if err == nil && tt.err != nil || err != nil && tt.err == nil {
t.Errorf("%s: expect %v, saw %v", testCaseHint, tt.err, err) t.Errorf("%s: expect %v, saw %v", testCaseHint, tt.err, err)
} }
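Review bot: The new branch this commit introduces — resetting and repopulating SupplementaryGIDs when podCtx is nil but supplementalGids is non-empty — has no test case: every visible case either pairs `podCtx: nil` with `supplementalGids: nil` or pairs a populated podCtx with `supplementalGids: []int64{4}`. I would add a case with `podCtx: nil,` and `supplementalGids: []int64{4},` whose expected app carries `SupplementaryGIDs: []int{4},` on top of the root user/group base, so the test pins that the image's GIDs are cleared and only the extra GIDs remain; the exact base fields depend on baseAppWithRootUserGroup, which is outside this section. Likewise no case exercises an extra GID that duplicates an existing SupplementalGroups or FSGroup value, which would document whether the duplicate is expected to appear twice. TestSetApp begins before and ends after the shown hunks.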