github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 23:37:01 +00:00
Code Issues Projects Releases Wiki Activity

allowPrivilegeEscalation: apply to correct docker api versions

Browse Source 
Signed-off-by: Jess Frazelle <acidburn@google.com>
This commit is contained in:
Jess Frazelle 2017-06-07 10:43:59 -04:00
parent 0f349cc61f
commit e1493c9c88
No known key found for this signature in database
GPG Key ID: 18F3685C0022BFF3
2 changed files with 72 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/kubelet/kubelet.go
View File

@ -811,6 +811,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Dep
klet.appArmorValidator = apparmor.NewValidator(kubeCfg.ContainerRuntime) klet.appArmorValidator = apparmor.NewValidator(kubeCfg.ContainerRuntime)
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator)) klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime))
if utilfeature.DefaultFeatureGate.Enabled(features.Accelerators) { if utilfeature.DefaultFeatureGate.Enabled(features.Accelerators) {
if kubeCfg.ContainerRuntime == kubetypes.DockerContainerRuntime { if kubeCfg.ContainerRuntime == kubetypes.DockerContainerRuntime {
if klet.gpuManager, err = nvidia.NewNvidiaGPUManager(klet, kubeDeps.DockerClient); err != nil { if klet.gpuManager, err = nvidia.NewNvidiaGPUManager(klet, kubeDeps.DockerClient); err != nil {

71
pkg/kubelet/lifecycle/handlers.go
View File

@ -165,3 +165,74 @@ func (a *appArmorAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
Message: fmt.Sprintf("Cannot enforce AppArmor: %v", err), Message: fmt.Sprintf("Cannot enforce AppArmor: %v", err),
} }
} }
func NewNoNewPrivsAdmitHandler(runtime kubecontainer.Runtime) PodAdmitHandler {
return &noNewPrivsAdmitHandler{
Runtime: runtime,
}
}
type noNewPrivsAdmitHandler struct {
kubecontainer.Runtime
}
func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
// If the pod is already running or terminated, no need to recheck NoNewPrivs.
if attrs.Pod.Status.Phase != v1.PodPending {
return PodAdmitResult{Admit: true}
}
// If the containers in a pod do not require no-new-privs, admit it.
if !noNewPrivsRequired(attrs.Pod) {
return PodAdmitResult{Admit: true}
}
// Make sure it is either docker or rkt runtimes.
if a.Runtime.Type() != kubetypes.DockerContainerRuntime && a.Runtime.Type() != kubetypes.RktContainerRuntime {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %s runtime not supported", a.Runtime.Type()),
}
}
if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
// Make sure docker api version is valid.
rversion, err := a.Runtime.APIVersion()
if err != nil {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
v, err := rversion.Compare("1.23")
if err != nil {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
// If the version is less than 1.23 it will return -1 above.
if v == -1 {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
}
}
}
return PodAdmitResult{Admit: true}
}
func noNewPrivsRequired(pod *v1.Pod) bool {
// Iterate over pod containers and check if we added no-new-privs.
for _, c := range pod.Spec.Containers {
if c.SecurityContext != nil && c.SecurityContext.AllowPrivilegeEscalation != nil && !*c.SecurityContext.AllowPrivilegeEscalation {
return true
}
}
return false
}