From aea228f5dd3ad928dcb4c932fce8a80a74539d7f Mon Sep 17 00:00:00 2001
From: wawa0210
Date: Wed, 15 Jul 2020 01:27:22 +0800
Subject: [PATCH] fix no-new-privileges on windows

---
 pkg/kubelet/dockershim/docker_sandbox.go | 6 ------
 pkg/kubelet/dockershim/helpers_linux.go | 6 ++++++
 pkg/kubelet/dockershim/helpers_unsupported.go | 5 +++++
 pkg/kubelet/dockershim/helpers_windows.go | 6 ++++++
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/pkg/kubelet/dockershim/docker_sandbox.go b/pkg/kubelet/dockershim/docker_sandbox.go
index c7d3c4ae233..81f8b771897 100644
--- a/pkg/kubelet/dockershim/docker_sandbox.go
+++ b/pkg/kubelet/dockershim/docker_sandbox.go
@@ -666,12 +666,6 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 return createConfig, nil
 }
 
-func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
- // run sandbox with no-new-privileges and using runtime/default
- // sending no "seccomp=" means docker will use default profile
- return []string{"no-new-privileges"}
-}
-
 // networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container.
 // Supports: POD, NODE
 func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode {
diff --git a/pkg/kubelet/dockershim/helpers_linux.go b/pkg/kubelet/dockershim/helpers_linux.go
index 68173119e9f..a892499e754 100644
--- a/pkg/kubelet/dockershim/helpers_linux.go
+++ b/pkg/kubelet/dockershim/helpers_linux.go
@@ -48,6 +48,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 return seccompSecurityOpts, nil
 }
 
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+ // run sandbox with no-new-privileges and using runtime/default
+ // sending no "seccomp=" means docker will use default profile
+ return []string{"no-new-privileges"}
+}
+
 func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
 if seccompProfile == "" || seccompProfile == v1.SeccompProfileNameUnconfined {
 // return early the default
diff --git a/pkg/kubelet/dockershim/helpers_unsupported.go b/pkg/kubelet/dockershim/helpers_unsupported.go
index 09b2d491409..cdf7128fd5b 100644
--- a/pkg/kubelet/dockershim/helpers_unsupported.go
+++ b/pkg/kubelet/dockershim/helpers_unsupported.go
@@ -36,6 +36,11 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 return nil, nil
 }
 
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+ klog.Warningf("getSandBoxSecurityOpts is unsupported in this build")
+ return nil
+}
+
 func (ds *dockerService) updateCreateConfig(
 createConfig *dockertypes.ContainerCreateConfig,
 config *runtimeapi.ContainerConfig,
diff --git a/pkg/kubelet/dockershim/helpers_windows.go b/pkg/kubelet/dockershim/helpers_windows.go
index e8681485f83..119fcc66294 100644
--- a/pkg/kubelet/dockershim/helpers_windows.go
+++ b/pkg/kubelet/dockershim/helpers_windows.go
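Review bot: Now that getSandBoxSecurityOpts has three platform-specific bodies, the Linux one in helpers_linux.go should carry a doc comment stating the contract the other builds must match, and it should say that `separator` is unused — none of the three implementations in this patch read it, so a reader will otherwise assume it affects the returned option format. Suggested header above the method: `// getSandBoxSecurityOpts returns the docker security options applied to the pod sandbox container. On Linux this is always "no-new-privileges"; no "seccomp=" entry is emitted so docker applies its default profile. separator is currently unused and is presumably kept for parity with getSecurityOpts.` The existing two inline comments can then be dropped, since the header covers them.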
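Review bot: The warning added in helpers_unsupported.go tells the operator that a function is unsupported but not what that means for the workload: on this build every sandbox is created without the no-new-privileges option that the Linux build applies. That consequence is the security-relevant fact an operator scanning kubelet logs needs, so the message should state it, e.g. `klog.Warningf("getSandBoxSecurityOpts is unsupported in this build; sandbox will run without no-new-privileges")`. The call also fires once per sandbox creation; if the sibling getSecurityOpts in this file does not warn, consider matching its behaviour so the two do not diverge in noise. The hunk does not show this file's imports, so confirm klog is already imported here before merging.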
@@ -43,6 +43,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 return nil, nil
 }
 
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+ // Currently, Windows container does not support privileged mode, so no no-new-privileges flag can be returned directly like Linux
+ // If the future Windows container has new support for privileged mode, we can adjust it here
+ return nil
+}
+
 // applyExperimentalCreateConfig applys experimental configures from sandbox annotations.
 func applyExperimentalCreateConfig(createConfig *dockertypes.ContainerCreateConfig, annotations map[string]string) {
 if kubeletapis.ShouldIsolatedByHyperV(annotations) {
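Review bot: The two comments added in the helpers_windows.go body give a misleading reason for returning nil: no-new-privileges is a Linux kernel no_new_privs setting passed through docker's security-opt, and its absence here is about the Windows docker engine not accepting that option, not about Windows containers lacking "privileged mode". Tying the comment to privileged mode invites someone to re-add the option once privileged Windows containers appear, which would not make docker on Windows accept it. Suggested replacement for both comment lines: `// no-new-privileges is a Linux-only security option (kernel no_new_privs) and is rejected by docker on Windows, so the sandbox gets no extra security opts here.` The grammar of the current text ("Windows container does not support", "so no no-new-privileges flag") should be fixed in the same pass if the wording is kept.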