github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-07 03:03:59 +00:00
Code Issues Projects Releases Wiki Activity

Visit ephemeral containers when calculating fs user

Browse Source
This commit is contained in:
carlory 2024-03-21 14:17:26 +08:00
parent a309fadbac
commit dd2dcabe5b
2 changed files with 57 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/volume/util/util.go
View File

@ -653,8 +653,7 @@ func GetPodVolumeNames(pod *v1.Pod) (mounts sets.String, devices sets.String, se
// attributes.
func FsUserFrom(pod *v1.Pod) *int64 {
var fsUser *int64
// Exclude ephemeral containers because SecurityContext is not allowed.
podutil.VisitContainers(&pod.Spec, podutil.InitContainers|podutil.Containers, func(container *v1.Container, containerType podutil.ContainerType) bool {
podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), func(container *v1.Container, containerType podutil.ContainerType) bool {
runAsUser, ok := securitycontext.DetermineEffectiveRunAsUser(pod, container)
// One container doesn't specify user or there are more than one
// non-root UIDs.

66
pkg/volume/util/util_test.go
View File

@ -34,7 +34,7 @@ import (
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/util/slice"
"k8s.io/kubernetes/pkg/volume"
utilptr "k8s.io/utils/pointer"
"k8s.io/utils/ptr"
)
func TestLoadPodFromFile(t *testing.T) {
@ -169,14 +169,14 @@ func TestFsUserFrom(t *testing.T) {
InitContainers: []v1.Container{
{
SecurityContext: &v1.SecurityContext{
RunAsUser: utilptr.Int64Ptr(1000),
RunAsUser: ptr.To[int64](1000),
},
},
},
Containers: []v1.Container{
{
SecurityContext: &v1.SecurityContext{
RunAsUser: utilptr.Int64Ptr(1000),
RunAsUser: ptr.To[int64](1000),
},
},
{
@ -195,19 +195,28 @@ func TestFsUserFrom(t *testing.T) {
InitContainers: []v1.Container{
{
SecurityContext: &v1.SecurityContext{
RunAsUser: utilptr.Int64Ptr(999),
RunAsUser: ptr.To[int64](999),
},
},
},
Containers: []v1.Container{
{
SecurityContext: &v1.SecurityContext{
RunAsUser: utilptr.Int64Ptr(1000),
RunAsUser: ptr.To[int64](1000),
},
},
{
SecurityContext: &v1.SecurityContext{
RunAsUser: utilptr.Int64Ptr(1000),
RunAsUser: ptr.To[int64](1000),
},
},
},
EphemeralContainers: []v1.EphemeralContainer{
{
EphemeralContainerCommon: v1.EphemeralContainerCommon{
SecurityContext: &v1.SecurityContext{
RunAsUser: ptr.To[int64](1001),
},
},
},
},
@ -215,6 +224,34 @@ func TestFsUserFrom(t *testing.T) {
},
wantFsUser: nil,
},
{
desc: "init and regular containers have runAsUser specified and the same",
pod: &v1.Pod{
Spec: v1.PodSpec{
SecurityContext: &v1.PodSecurityContext{},
InitContainers: []v1.Container{
{
SecurityContext: &v1.SecurityContext{
RunAsUser: ptr.To[int64](1000),
},
},
},
Containers: []v1.Container{
{
SecurityContext: &v1.SecurityContext{
RunAsUser: ptr.To[int64](1000),
},
},
{
SecurityContext: &v1.SecurityContext{
RunAsUser: ptr.To[int64](1000),
},
},
},
},
},
wantFsUser: ptr.To[int64](1000),
},
{
desc: "all have runAsUser specified and the same",
pod: &v1.Pod{
@ -223,25 +260,34 @@ func TestFsUserFrom(t *testing.T) {
InitContainers: []v1.Container{
{
SecurityContext: &v1.SecurityContext{
RunAsUser: utilptr.Int64Ptr(1000),
RunAsUser: ptr.To[int64](1000),
},
},
},
Containers: []v1.Container{
{
SecurityContext: &v1.SecurityContext{
RunAsUser: utilptr.Int64Ptr(1000),
RunAsUser: ptr.To[int64](1000),
},
},
{
SecurityContext: &v1.SecurityContext{
RunAsUser: utilptr.Int64Ptr(1000),
RunAsUser: ptr.To[int64](1000),
},
},
},
EphemeralContainers: []v1.EphemeralContainer{
{
EphemeralContainerCommon: v1.EphemeralContainerCommon{
SecurityContext: &v1.SecurityContext{
RunAsUser: ptr.To[int64](1000),
},
},
},
},
},
},
wantFsUser: utilptr.Int64Ptr(1000),
wantFsUser: ptr.To[int64](1000),
},
}