github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 20:53:33 +00:00
Code Issues Projects Releases Wiki Activity

fix no-new-privileges on windows

Browse Source
This commit is contained in:
wawa0210 2020-07-15 01:27:22 +08:00 committed by Jordan Liggitt
parent 886727a4c0
commit aea228f5dd
4 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/kubelet/dockershim/docker_sandbox.go
View File

@ -666,12 +666,6 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
return createConfig, nil return createConfig, nil
} }
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
// run sandbox with no-new-privileges and using runtime/default
// sending no "seccomp=" means docker will use default profile
return []string{"no-new-privileges"}
}
// networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container. // networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container.
// Supports: POD, NODE // Supports: POD, NODE
func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode { func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode {

6
pkg/kubelet/dockershim/helpers_linux.go
View File

@ -48,6 +48,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
return seccompSecurityOpts, nil return seccompSecurityOpts, nil
} }
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
// run sandbox with no-new-privileges and using runtime/default
// sending no "seccomp=" means docker will use default profile
return []string{"no-new-privileges"}
}
func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) { func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
if seccompProfile == "" || seccompProfile == v1.SeccompProfileNameUnconfined { if seccompProfile == "" || seccompProfile == v1.SeccompProfileNameUnconfined {
// return early the default // return early the default

5
pkg/kubelet/dockershim/helpers_unsupported.go
View File

@ -36,6 +36,11 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
return nil, nil return nil, nil
} }
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
klog.Warningf("getSandBoxSecurityOpts is unsupported in this build")
return nil
}
func (ds *dockerService) updateCreateConfig( func (ds *dockerService) updateCreateConfig(
createConfig *dockertypes.ContainerCreateConfig, createConfig *dockertypes.ContainerCreateConfig,
config *runtimeapi.ContainerConfig, config *runtimeapi.ContainerConfig,

6
pkg/kubelet/dockershim/helpers_windows.go
View File

@ -43,6 +43,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
return nil, nil return nil, nil
} }
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
// Currently, Windows container does not support privileged mode, so no no-new-privileges flag can be returned directly like Linux
// If the future Windows container has new support for privileged mode, we can adjust it here
return nil
}
// applyExperimentalCreateConfig applys experimental configures from sandbox annotations. // applyExperimentalCreateConfig applys experimental configures from sandbox annotations.
func applyExperimentalCreateConfig(createConfig *dockertypes.ContainerCreateConfig, annotations map[string]string) { func applyExperimentalCreateConfig(createConfig *dockertypes.ContainerCreateConfig, annotations map[string]string) {
if kubeletapis.ShouldIsolatedByHyperV(annotations) { if kubeletapis.ShouldIsolatedByHyperV(annotations) {