Visit ephemeral containers when calculating fs user
This commit is contained in:
parent
a309fadbac
commit
dd2dcabe5b
@ -653,8 +653,7 @@ func GetPodVolumeNames(pod *v1.Pod) (mounts sets.String, devices sets.String, se
|
|||||||
// attributes.
|
// attributes.
|
||||||
func FsUserFrom(pod *v1.Pod) *int64 {
|
func FsUserFrom(pod *v1.Pod) *int64 {
|
||||||
var fsUser *int64
|
var fsUser *int64
|
||||||
// Exclude ephemeral containers because SecurityContext is not allowed.
|
podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), func(container *v1.Container, containerType podutil.ContainerType) bool {
|
||||||
podutil.VisitContainers(&pod.Spec, podutil.InitContainers|podutil.Containers, func(container *v1.Container, containerType podutil.ContainerType) bool {
|
|
||||||
runAsUser, ok := securitycontext.DetermineEffectiveRunAsUser(pod, container)
|
runAsUser, ok := securitycontext.DetermineEffectiveRunAsUser(pod, container)
|
||||||
// One container doesn't specify user or there are more than one
|
// One container doesn't specify user or there are more than one
|
||||||
// non-root UIDs.
|
// non-root UIDs.
|
||||||
|
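Review bot: The removed line "Exclude ephemeral containers because SecurityContext is not allowed." was the only explanation of the visitor mask, and the new `podutil.AllFeatureEnabledContainers()` call carries none, so a later reader has no stated reason why ephemeral containers now participate and may reintroduce the exclusion. Suggest a comment directly above the call: `// Ephemeral containers can carry their own SecurityContext, so they count towards the fs user like init and regular containers.` Presumably an ephemeral container added to a running pod with a differing RunAsUser changes what FsUserFrom returns for that pod; whether callers re-evaluate the value after such an update is not visible here and is worth confirming in the commit description. The body of FsUserFrom continues past the end of this hunk.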
@ -34,7 +34,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/features"
|
"k8s.io/kubernetes/pkg/features"
|
||||||
"k8s.io/kubernetes/pkg/util/slice"
|
"k8s.io/kubernetes/pkg/util/slice"
|
||||||
"k8s.io/kubernetes/pkg/volume"
|
"k8s.io/kubernetes/pkg/volume"
|
||||||
utilptr "k8s.io/utils/pointer"
|
"k8s.io/utils/ptr"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestLoadPodFromFile(t *testing.T) {
|
func TestLoadPodFromFile(t *testing.T) {
|
||||||
@ -169,14 +169,14 @@ func TestFsUserFrom(t *testing.T) {
|
|||||||
InitContainers: []v1.Container{
|
InitContainers: []v1.Container{
|
||||||
{
|
{
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsUser: utilptr.Int64Ptr(1000),
|
RunAsUser: ptr.To[int64](1000),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Containers: []v1.Container{
|
Containers: []v1.Container{
|
||||||
{
|
{
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsUser: utilptr.Int64Ptr(1000),
|
RunAsUser: ptr.To[int64](1000),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -195,19 +195,28 @@ func TestFsUserFrom(t *testing.T) {
|
|||||||
InitContainers: []v1.Container{
|
InitContainers: []v1.Container{
|
||||||
{
|
{
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsUser: utilptr.Int64Ptr(999),
|
RunAsUser: ptr.To[int64](999),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Containers: []v1.Container{
|
Containers: []v1.Container{
|
||||||
{
|
{
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsUser: utilptr.Int64Ptr(1000),
|
RunAsUser: ptr.To[int64](1000),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsUser: utilptr.Int64Ptr(1000),
|
RunAsUser: ptr.To[int64](1000),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
EphemeralContainers: []v1.EphemeralContainer{
|
||||||
|
{
|
||||||
|
EphemeralContainerCommon: v1.EphemeralContainerCommon{
|
||||||
|
SecurityContext: &v1.SecurityContext{
|
||||||
|
RunAsUser: ptr.To[int64](1001),
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -215,6 +224,34 @@ func TestFsUserFrom(t *testing.T) {
|
|||||||
},
|
},
|
||||||
wantFsUser: nil,
|
wantFsUser: nil,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
desc: "init and regular containers have runAsUser specified and the same",
|
||||||
|
pod: &v1.Pod{
|
||||||
|
Spec: v1.PodSpec{
|
||||||
|
SecurityContext: &v1.PodSecurityContext{},
|
||||||
|
InitContainers: []v1.Container{
|
||||||
|
{
|
||||||
|
SecurityContext: &v1.SecurityContext{
|
||||||
|
RunAsUser: ptr.To[int64](1000),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Containers: []v1.Container{
|
||||||
|
{
|
||||||
|
SecurityContext: &v1.SecurityContext{
|
||||||
|
RunAsUser: ptr.To[int64](1000),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
SecurityContext: &v1.SecurityContext{
|
||||||
|
RunAsUser: ptr.To[int64](1000),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
wantFsUser: ptr.To[int64](1000),
|
||||||
|
},
|
||||||
{
|
{
|
||||||
desc: "all have runAsUser specified and the same",
|
desc: "all have runAsUser specified and the same",
|
||||||
pod: &v1.Pod{
|
pod: &v1.Pod{
|
||||||
@ -223,25 +260,34 @@ func TestFsUserFrom(t *testing.T) {
|
|||||||
InitContainers: []v1.Container{
|
InitContainers: []v1.Container{
|
||||||
{
|
{
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsUser: utilptr.Int64Ptr(1000),
|
RunAsUser: ptr.To[int64](1000),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Containers: []v1.Container{
|
Containers: []v1.Container{
|
||||||
{
|
{
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsUser: utilptr.Int64Ptr(1000),
|
RunAsUser: ptr.To[int64](1000),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsUser: utilptr.Int64Ptr(1000),
|
RunAsUser: ptr.To[int64](1000),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
EphemeralContainers: []v1.EphemeralContainer{
|
||||||
|
{
|
||||||
|
EphemeralContainerCommon: v1.EphemeralContainerCommon{
|
||||||
|
SecurityContext: &v1.SecurityContext{
|
||||||
|
RunAsUser: ptr.To[int64](1000),
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantFsUser: utilptr.Int64Ptr(1000),
|
wantFsUser: ptr.To[int64](1000),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
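Review bot: None of the visible test cases can fail if ephemeral containers are still skipped: in the `@ -195,19 +195,28 @@` hunk the init container is already 999 against 1000, so adding the 1001 ephemeral container does not change the expected `wantFsUser: nil`, and in the `@ -223,25 +260,34 @@` hunk the ephemeral container uses the same 1000 as everyone else, so the expected 1000 is produced either way. Unless a case outside these hunks does so, add one where only the ephemeral container differs, so the new visiting behavior is what the assertion depends on. The added case "init and regular containers have runAsUser specified and the same" does not exercise ephemeral containers at all, so it does not fill this gap.
```go
{
	desc: "init and regular containers agree but the ephemeral container differs",
	pod: &v1.Pod{
		Spec: v1.PodSpec{
			SecurityContext: &v1.PodSecurityContext{},
			InitContainers: []v1.Container{
				{SecurityContext: &v1.SecurityContext{RunAsUser: ptr.To[int64](1000)}},
			},
			Containers: []v1.Container{
				{SecurityContext: &v1.SecurityContext{RunAsUser: ptr.To[int64](1000)}},
			},
			EphemeralContainers: []v1.EphemeralContainer{
				{EphemeralContainerCommon: v1.EphemeralContainerCommon{
					SecurityContext: &v1.SecurityContext{RunAsUser: ptr.To[int64](1001)},
				}},
			},
		},
	},
	wantFsUser: nil,
},
// … unchanged: remaining test cases …
```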