Add seccomp least privilege for kuberuntime

This commit is contained in:
Paulo Gomes
2020-07-08 22:03:29 +01:00
parent bc60bdaded
commit b451563560
2 changed files with 16 additions and 21 deletions


@@ -148,8 +148,11 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
lc := &runtimeapi.LinuxPodSandboxConfig{ lc := &runtimeapi.LinuxPodSandboxConfig{
CgroupParent: cgroupParent, CgroupParent: cgroupParent,
SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{ SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
Privileged: kubecontainer.HasPrivilegedContainer(pod), Privileged: kubecontainer.HasPrivilegedContainer(pod),
SeccompProfilePath: m.getSeccompProfile(pod.Annotations, "", pod.Spec.SecurityContext, nil),
// Forcing sandbox to run as `runtime/default` allow users to
// use least privileged seccomp profiles at pod level. Issue #84623
SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
}, },
} }
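Review bot: The new SeccompProfilePath assignment makes the sandbox ignore every pod-level seccomp setting, including a `localhost/` profile that may be stricter than `runtime/default`, and the comment above it does not say so; since this is a security-policy decision, the comment should state the contract rather than only the motivation. Suggested replacement for the two comment lines: `// The sandbox always runs under runtime/default, regardless of any pod-level seccomp field or annotation; pod-level profiles apply to the workload containers only, so users can set least-privileged profiles for them without affecting the sandbox. Issue #84623` (this also fixes "allow" -> "allows" if the original wording is kept). The removed `m.getSeccompProfile` call means a pod-level profile can no longer tighten the sandbox either, which appears intended here but is worth a line in the commit description. The accompanying test change drops the "prioritise pod field over pod annotation" case, so no test now pins that a pod-level localhost profile is replaced by runtime/default for the sandbox. generatePodSandboxLinuxConfig starts and ends outside the hunk.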


@@ -67,37 +67,29 @@ func TestGeneratePodSandboxLinuxConfigSeccomp(t *testing.T) {
expectedProfile string expectedProfile string
}{ }{
{ {
description: "no seccomp defined at pod level should return empty", description: "no seccomp defined at pod level should return runtime/default",
pod: newSeccompPod(nil, nil, "", ""), pod: newSeccompPod(nil, nil, "", "runtime/default"),
expectedProfile: "", expectedProfile: "runtime/default",
}, },
{ {
description: "seccomp field defined at pod level should be honoured", description: "seccomp field defined at pod level should not be honoured",
pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, nil, "", ""), pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, nil, "", ""),
expectedProfile: "runtime/default", expectedProfile: "runtime/default",
}, },
{ {
description: "seccomp field defined at container level should not be honoured", description: "seccomp field defined at container level should not be honoured",
pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, "", ""), pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, "", ""),
expectedProfile: "", expectedProfile: "runtime/default",
}, },
{ {
description: "seccomp annotation defined at pod level should be honoured", description: "seccomp annotation defined at pod level should not be honoured",
pod: newSeccompPod(nil, nil, v1.SeccompProfileRuntimeDefault, ""), pod: newSeccompPod(nil, nil, "unconfined", ""),
expectedProfile: "runtime/default", expectedProfile: "runtime/default",
}, },
{ {
description: "seccomp annotation defined at container level should not be honoured", description: "seccomp annotation defined at container level should not be honoured",
pod: newSeccompPod(nil, nil, "", v1.SeccompProfileRuntimeDefault), pod: newSeccompPod(nil, nil, "", "unconfined"),
expectedProfile: "", expectedProfile: "runtime/default",
},
{
description: "prioritise pod field over pod annotation",
pod: newSeccompPod(&v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
LocalhostProfile: pointer.StringPtr("pod-field"),
}, nil, "localhost/pod-annotation", ""),
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "pod-field"),
}, },
} }