mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
[podsecurity] OS based updates to restricted standard
This commit is contained in:
parent
3f630c415d
commit
b3a2e6a3f4
@ -52,6 +52,11 @@ func CheckAllowPrivilegeEscalation() Check {
|
||||
MinimumVersion: api.MajorMinorVersion(1, 8),
|
||||
CheckPod: allowPrivilegeEscalation_1_8,
|
||||
},
|
||||
{
|
||||
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
|
||||
MinimumVersion: api.MajorMinorVersion(1, 25),
|
||||
CheckPod: allowPrivilegeEscalation_1_25,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -77,3 +82,12 @@ func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev
|
||||
}
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
|
||||
func allowPrivilegeEscalation_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
// Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set.
|
||||
// We can admit the Windows pod even if privilegeEscalation has not been set.
|
||||
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
return allowPrivilegeEscalation_1_8(podMetadata, podSpec)
|
||||
}
|
||||
|
@ -23,7 +23,66 @@ import (
|
||||
utilpointer "k8s.io/utils/pointer"
|
||||
)
|
||||
|
||||
func TestAllowPrivilegeEscalation(t *testing.T) {
|
||||
func TestAllowPrivilegeEscalation_1_25(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectReason string
|
||||
expectDetail string
|
||||
allowed bool
|
||||
}{
|
||||
{
|
||||
name: "multiple containers",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
{Name: "b", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: nil}},
|
||||
{Name: "c", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(true)}},
|
||||
{Name: "d", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(false)}},
|
||||
}}},
|
||||
expectReason: `allowPrivilegeEscalation != false`,
|
||||
expectDetail: `containers "a", "b", "c" must set securityContext.allowPrivilegeEscalation=false`,
|
||||
allowed: false,
|
||||
},
|
||||
{
|
||||
name: "windows pod, admit without checking privilegeEscalation",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
OS: &corev1.PodOS{Name: corev1.Windows},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
}}},
|
||||
allowed: true,
|
||||
},
|
||||
{
|
||||
name: "linux pod, reject if security context is not set",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
OS: &corev1.PodOS{Name: corev1.Linux},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
}}},
|
||||
expectReason: `allowPrivilegeEscalation != false`,
|
||||
expectDetail: `container "a" must set securityContext.allowPrivilegeEscalation=false`,
|
||||
allowed: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
result := allowPrivilegeEscalation_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if result.Allowed && !tc.allowed {
|
||||
t.Fatal("expected disallowed")
|
||||
}
|
||||
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestAllowPrivilegeEscalation_1_8(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
|
@ -66,6 +66,12 @@ func CheckCapabilitiesRestricted() Check {
|
||||
CheckPod: capabilitiesRestricted_1_22,
|
||||
OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
|
||||
},
|
||||
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 25),
|
||||
CheckPod: capabilitiesRestricted_1_25,
|
||||
OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -128,3 +134,12 @@ func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1
|
||||
}
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
|
||||
func capabilitiesRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
// Pod API validation would have failed if podOS == Windows and if capabilities have been set.
|
||||
// We can admit the Windows pod even if capabilities has not been set.
|
||||
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
return capabilitiesRestricted_1_22(podMetadata, podSpec)
|
||||
}
|
||||
|
@ -22,7 +22,63 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
)
|
||||
|
||||
func TestCapabilitiesRestricted(t *testing.T) {
|
||||
func TestCapabilitiesRestricted_1_25(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectReason string
|
||||
expectDetail string
|
||||
allowed bool
|
||||
}{
|
||||
{
|
||||
name: "multiple containers",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"FOO", "BAR"}}}},
|
||||
{Name: "b", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"BAR", "BAZ"}}}},
|
||||
{Name: "c", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_BIND_SERVICE", "CHOWN"}, Drop: []corev1.Capability{"ALL", "FOO"}}}},
|
||||
}}},
|
||||
expectReason: `unrestricted capabilities`,
|
||||
expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`,
|
||||
},
|
||||
{
|
||||
name: "windows pod, admit without checking capabilities",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
OS: &corev1.PodOS{Name: corev1.Windows},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
}}},
|
||||
allowed: true,
|
||||
},
|
||||
{
|
||||
name: "linux pod, reject if security context is not set",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
OS: &corev1.PodOS{Name: corev1.Linux},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
}}},
|
||||
expectReason: `unrestricted capabilities`,
|
||||
expectDetail: `container "a" must set securityContext.capabilities.drop=["ALL"]`,
|
||||
allowed: false,
|
||||
},
|
||||
}
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
result := capabilitiesRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if result.Allowed && !tc.allowed {
|
||||
t.Fatal("expected disallowed")
|
||||
}
|
||||
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestCapabilitiesRestricted_1_22(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
@ -41,7 +97,6 @@ func TestCapabilitiesRestricted(t *testing.T) {
|
||||
expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
result := capabilitiesRestricted_1_22(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
|
@ -55,6 +55,12 @@ func CheckSeccompProfileRestricted() Check {
|
||||
CheckPod: seccompProfileRestricted_1_19,
|
||||
OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
|
||||
},
|
||||
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 25),
|
||||
CheckPod: seccompProfileRestricted_1_25,
|
||||
OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -136,3 +142,14 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core
|
||||
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
|
||||
// seccompProfileRestricted_1_25 checks restricted policy on securityContext.seccompProfile field for kubernetes
|
||||
// version 1.25 and above
|
||||
func seccompProfileRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
// Pod API validation would have failed if podOS == Windows and if secCompProfile has been set.
|
||||
// We can admit the Windows pod even if seccompProfile has not been set.
|
||||
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
return seccompProfileRestricted_1_19(podMetadata, podSpec)
|
||||
}
|
||||
|
@ -22,7 +22,105 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
)
|
||||
|
||||
func TestSeccompProfileRestricted(t *testing.T) {
|
||||
func TestSeccompProfileRestricted_1_25(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectReason string
|
||||
expectDetail string
|
||||
allowed bool
|
||||
}{
|
||||
{
|
||||
name: "no explicit seccomp",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
},
|
||||
}},
|
||||
expectReason: `seccompProfile`,
|
||||
expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
|
||||
},
|
||||
{
|
||||
name: "no explicit seccomp, windows Pod",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
OS: &corev1.PodOS{Name: corev1.Windows},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
},
|
||||
}},
|
||||
allowed: true,
|
||||
},
|
||||
{
|
||||
name: "no explicit seccomp, linux pod",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
OS: &corev1.PodOS{Name: corev1.Linux},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
},
|
||||
}},
|
||||
expectReason: `seccompProfile`,
|
||||
expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
|
||||
allowed: false,
|
||||
},
|
||||
{
|
||||
name: "pod seccomp invalid",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a", SecurityContext: nil},
|
||||
},
|
||||
}},
|
||||
expectReason: `seccompProfile`,
|
||||
expectDetail: `pod must not set securityContext.seccompProfile.type to "Unconfined"`,
|
||||
},
|
||||
{
|
||||
name: "containers seccomp invalid",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a", SecurityContext: nil},
|
||||
{Name: "b", SecurityContext: &corev1.SecurityContext{}},
|
||||
{Name: "c", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}},
|
||||
{Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}},
|
||||
{Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
|
||||
{Name: "f", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
|
||||
},
|
||||
}},
|
||||
expectReason: `seccompProfile`,
|
||||
expectDetail: `containers "c", "d" must not set securityContext.seccompProfile.type to "Unconfined"`,
|
||||
},
|
||||
{
|
||||
name: "pod nil, container fallthrough",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a", SecurityContext: nil},
|
||||
{Name: "b", SecurityContext: &corev1.SecurityContext{}},
|
||||
{Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
|
||||
{Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
|
||||
},
|
||||
}},
|
||||
expectReason: `seccompProfile`,
|
||||
expectDetail: `pod or containers "a", "b" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
result := seccompProfileRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if result.Allowed && !tc.allowed {
|
||||
t.Fatal("expected disallowed")
|
||||
}
|
||||
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSeccompProfileRestricted_1_19(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
|
Loading…
Reference in New Issue
Block a user