Enhance the message text of verifyRunAsNonRoot: add pod and container information

This commit is contained in:
wawa0210 2020-09-19 09:54:09 +08:00
parent 66ea0f568c
commit be1c85d915
No known key found for this signature in database
GPG Key ID: 900C83A2C098B3B1
2 changed files with 10 additions and 8 deletions


@ -22,6 +22,7 @@ import (
"fmt"
"k8s.io/api/core/v1"
"k8s.io/kubernetes/pkg/kubelet/util/format"
"k8s.io/kubernetes/pkg/securitycontext"
)
@ -35,16 +36,16 @@ func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid *int64, userna
if effectiveSc.RunAsUser != nil {
if *effectiveSc.RunAsUser == 0 {
return fmt.Errorf("container's runAsUser breaks non-root policy")
return fmt.Errorf("container's runAsUser breaks non-root policy (pod: %q, container: %s)", format.Pod(pod), container.Name)
}
return nil
}
switch {
case uid != nil && *uid == 0:
return fmt.Errorf("container has runAsNonRoot and image will run as root")
return fmt.Errorf("container has runAsNonRoot and image will run as root (pod: %q, container: %s)", format.Pod(pod), container.Name)
case uid == nil && len(username) > 0:
return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root (pod: %q, container: %s)", username, format.Pod(pod), container.Name)
default:
return nil
}
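Review bot: The new messages quote the pod with `%q` but print the container name (and, in the third message, the image username) with a bare `%s`, so an empty or whitespace-containing name is invisible in the resulting error; using `%q` for both values keeps the message consistent and unambiguous, e.g. `return fmt.Errorf("container's runAsUser breaks non-root policy (pod: %q, container: %q)", format.Pod(pod), container.Name)`. The same `%q`/`%s` mix applies to the other two errors in this hunk and to the five klog/fmt messages in the second file's hunk. Since these strings are checked for non-root policy violations, a reliable rendering of the identity fields is what an operator reading the kubelet log needs to trace the offending workload. verifyRunAsNonRoot's signature is above the hunk and its closing return is below it, so the surrounding control flow is not visible here.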


@ -22,6 +22,7 @@ import (
"fmt"
"k8s.io/api/core/v1"
"k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/kubelet/util/format"
"k8s.io/kubernetes/pkg/securitycontext"
)
@ -42,24 +43,24 @@ func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid *int64, userna
return nil
}
if effectiveSc.RunAsUser != nil {
klog.Warningf("Windows container does not support SecurityContext.RunAsUser, please use SecurityContext.WindowsOptions")
klog.Warningf("Windows container does not support SecurityContext.RunAsUser, please use SecurityContext.WindowsOptions (pod: %q, container: %s)", format.Pod(pod), container.Name)
}
if effectiveSc.SELinuxOptions != nil {
klog.Warningf("Windows container does not support SecurityContext.SELinuxOptions, please use SecurityContext.WindowsOptions")
klog.Warningf("Windows container does not support SecurityContext.SELinuxOptions, please use SecurityContext.WindowsOptions (pod: %q, container: %s)", format.Pod(pod), container.Name)
}
if effectiveSc.RunAsGroup != nil {
klog.Warningf("Windows container does not support SecurityContext.RunAsGroup")
klog.Warningf("Windows container does not support SecurityContext.RunAsGroup (pod: %q, container: %s)", format.Pod(pod), container.Name)
}
if effectiveSc.WindowsOptions != nil {
if effectiveSc.WindowsOptions.RunAsUserName != nil {
if *effectiveSc.WindowsOptions.RunAsUserName == windowsRootUserName {
return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy", username)
return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy (pod: %q, container: %s)", username, format.Pod(pod), container.Name)
}
return nil
}
}
if len(username) > 0 && username == windowsRootUserName {
return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy", username)
return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy (pod: %q, container: %s)", username, format.Pod(pod), container.Name)
}
return nil
}
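Review bot: The rewritten error in the WindowsOptions branch reports `username` while the condition it sits under compares `*effectiveSc.WindowsOptions.RunAsUserName` to `windowsRootUserName`, so the identity named in the message is presumably the image's user rather than the value that actually tripped the check; this mismatch predates the commit but the line is being rewritten anyway. Reporting the value that was compared would make the message accurate: `return fmt.Errorf("container's runAsUser (%s) which will be regarded as root identity and will break non-root policy (pod: %q, container: %s)", *effectiveSc.WindowsOptions.RunAsUserName, format.Pod(pod), container.Name)`. The later message at the username check is already correct because there `username` is the compared value. The enclosing function starts above this hunk, so I cannot confirm from here how `username` is derived.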