also check pod securityContextt hostNetwork in exec admission controller

This commit is contained in:
hzxuzhonghu 2017-12-05 15:15:46 +08:00
parent 0d22ddc802
commit e31ed07a9c


@ -49,6 +49,7 @@ type DenyExec struct {
client internalclientset.Interface client internalclientset.Interface
// these flags control which items will be checked to deny exec/attach // these flags control which items will be checked to deny exec/attach
hostNetwork bool
hostIPC bool hostIPC bool
hostPID bool hostPID bool
privileged bool privileged bool
@ -63,6 +64,7 @@ var _ = kubeapiserveradmission.WantsInternalKubeClientSet(&DenyExec{})
func NewDenyEscalatingExec() *DenyExec { func NewDenyEscalatingExec() *DenyExec {
return &DenyExec{ return &DenyExec{
Handler: admission.NewHandler(admission.Connect), Handler: admission.NewHandler(admission.Connect),
hostNetwork: true,
hostIPC: true, hostIPC: true,
hostPID: true, hostPID: true,
privileged: true, privileged: true,
@ -70,11 +72,12 @@ func NewDenyEscalatingExec() *DenyExec {
} }
// NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged // NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged
// option. This is for legacy support of the DenyExecOnPrivileged admission controller. Most // option. This is for legacy support of the DenyExecOnPrivileged admission controller.
// of the time NewDenyEscalatingExec should be preferred. // Most of the time NewDenyEscalatingExec should be preferred.
func NewDenyExecOnPrivileged() *DenyExec { func NewDenyExecOnPrivileged() *DenyExec {
return &DenyExec{ return &DenyExec{
Handler: admission.NewHandler(admission.Connect), Handler: admission.NewHandler(admission.Connect),
hostNetwork: false,
hostIPC: false, hostIPC: false,
hostPID: false, hostPID: false,
privileged: true, privileged: true,
@ -96,13 +99,20 @@ func (d *DenyExec) Validate(a admission.Attributes) (err error) {
return admission.NewForbidden(a, err) return admission.NewForbidden(a, err)
} }
if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID { if pod.Spec.SecurityContext != nil {
securityContext := pod.Spec.SecurityContext
if d.hostNetwork && securityContext.HostNetwork {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host network"))
}
if d.hostPID && securityContext.HostPID {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid")) return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
} }
if d.hostIPC && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC { if d.hostIPC && securityContext.HostIPC {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc")) return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc"))
} }
}
if d.privileged && isPrivileged(pod) { if d.privileged && isPrivileged(pod) {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a privileged container")) return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a privileged container"))