From be1c85d915d98f7a8a069a8512b036410eb341ca Mon Sep 17 00:00:00 2001
From: wawa0210
Date: Sat, 19 Sep 2020 09:54:09 +0800
Subject: [PATCH] Enhance the prompt information of verifyRunAsNonRoot, add pod, container information

---
 pkg/kubelet/kuberuntime/security_context_others.go | 7 ++++---
 pkg/kubelet/kuberuntime/security_context_windows.go | 11 ++++++-----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/pkg/kubelet/kuberuntime/security_context_others.go b/pkg/kubelet/kuberuntime/security_context_others.go
index 1f847a56784..3ea7526b094 100644
--- a/pkg/kubelet/kuberuntime/security_context_others.go
+++ b/pkg/kubelet/kuberuntime/security_context_others.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 
 	"k8s.io/api/core/v1"
+	"k8s.io/kubernetes/pkg/kubelet/util/format"
 	"k8s.io/kubernetes/pkg/securitycontext"
 )
 
@@ -35,16 +36,16 @@ func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid *int64, userna
 
 	if effectiveSc.RunAsUser != nil {
 		if *effectiveSc.RunAsUser == 0 {
-			return fmt.Errorf("container's runAsUser breaks non-root policy")
+			return fmt.Errorf("container's runAsUser breaks non-root policy (pod: %q, container: %s)", format.Pod(pod), container.Name)
 		}
 		return nil
 	}
 
 	switch {
 	case uid != nil && *uid == 0:
-		return fmt.Errorf("container has runAsNonRoot and image will run as root")
+		return fmt.Errorf("container has runAsNonRoot and image will run as root (pod: %q, container: %s)", format.Pod(pod), container.Name)
 	case uid == nil && len(username) > 0:
-		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
+		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root (pod: %q, container: %s)", username, format.Pod(pod), container.Name)
 	default:
 		return nil
 	}
diff --git a/pkg/kubelet/kuberuntime/security_context_windows.go b/pkg/kubelet/kuberuntime/security_context_windows.go
index 400116f7d1c..6320d217737 100644
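Review bot: The three rewritten `fmt.Errorf` calls in the `@@ -35,16` hunk quote the pod with `%q` but print the container name with a bare `%s`, so an empty or whitespace-only container name silently disappears from the very suffix that is meant to identify the rejected object; `(pod: %q, container: %q)` keeps both visible, and the same applies to the five rewritten lines in the security_context_windows.go hunk. `format.Pod(pod)` is now evaluated on every error path of a function whose signature and first lines are outside this hunk, so I cannot see from here whether `pod` is guaranteed non-nil by the caller; if it is not, a rejection that used to return an error would now panic while building the message, which is worth confirming. The non-numeric-user message also interpolates `username` unquoted, so a `%q` there would match the new suffix.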
--- a/pkg/kubelet/kuberuntime/security_context_windows.go
+++ b/pkg/kubelet/kuberuntime/security_context_windows.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 
 	"k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/kubelet/util/format"
 	"k8s.io/kubernetes/pkg/securitycontext"
 )
@@ -42,24 +43,24 @@ func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid *int64, userna
 		return nil
 	}
 	if effectiveSc.RunAsUser != nil {
-		klog.Warningf("Windows container does not support SecurityContext.RunAsUser, please use SecurityContext.WindowsOptions")
+		klog.Warningf("Windows container does not support SecurityContext.RunAsUser, please use SecurityContext.WindowsOptions (pod: %q, container: %s)", format.Pod(pod), container.Name)
 	}
 	if effectiveSc.SELinuxOptions != nil {
-		klog.Warningf("Windows container does not support SecurityContext.SELinuxOptions, please use SecurityContext.WindowsOptions")
+		klog.Warningf("Windows container does not support SecurityContext.SELinuxOptions, please use SecurityContext.WindowsOptions (pod: %q, container: %s)", format.Pod(pod), container.Name)
 	}
 	if effectiveSc.RunAsGroup != nil {
-		klog.Warningf("Windows container does not support SecurityContext.RunAsGroup")
+		klog.Warningf("Windows container does not support SecurityContext.RunAsGroup (pod: %q, container: %s)", format.Pod(pod), container.Name)
 	}
 	if effectiveSc.WindowsOptions != nil {
 		if effectiveSc.WindowsOptions.RunAsUserName != nil {
 			if *effectiveSc.WindowsOptions.RunAsUserName == windowsRootUserName {
-				return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy", username)
+				return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy (pod: %q, container: %s)", username, format.Pod(pod), container.Name)
 			}
 			return nil
 		}
 	}
 	if len(username) > 0 && username == windowsRootUserName {
-		return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy", username)
+		return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy (pod: %q, container: %s)", username, format.Pod(pod), container.Name)
 	}
 	return nil
 }
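Review bot: The rewritten `fmt.Errorf` inside the `WindowsOptions` branch prints `username` (the image-derived user passed into the function) as the offending `runAsUser`, although the condition that fired compared `*effectiveSc.WindowsOptions.RunAsUserName`, so the message can name a user that did not cause the rejection and hides the one that did; that line should interpolate `*effectiveSc.WindowsOptions.RunAsUserName` instead, leaving the later `len(username) > 0` case as the one that reports `username`. Both root checks are exact `==` comparisons against `windowsRootUserName`; if the Windows runtime resolves account names case-insensitively, a case-folded comparison such as `strings.EqualFold` would make the policy check consistent with how the name is actually resolved, which is worth confirming rather than assuming. verifyRunAsNonRoot's signature and the branch that precedes the first `return nil` are outside this hunk.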