github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 05:27:21 +00:00
Code Issues Projects Releases Wiki Activity

also check pod securityContextt hostNetwork in exec admission controller

Browse Source
This commit is contained in:
hzxuzhonghu 2017-12-05 15:15:46 +08:00
parent 0d22ddc802
commit e31ed07a9c
1 changed files with 28 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
plugin/pkg/admission/exec/admission.go
View File

@ -49,9 +49,10 @@ type DenyExec struct {
client internalclientset.Interface client internalclientset.Interface
// these flags control which items will be checked to deny exec/attach // these flags control which items will be checked to deny exec/attach
hostIPC bool hostNetwork bool
hostPID bool hostIPC bool
privileged bool hostPID bool
privileged bool
} }
var _ admission.ValidationInterface = &DenyExec{} var _ admission.ValidationInterface = &DenyExec{}
@ -62,22 +63,24 @@ var _ = kubeapiserveradmission.WantsInternalKubeClientSet(&DenyExec{})
// using host based configurations. // using host based configurations.
func NewDenyEscalatingExec() *DenyExec { func NewDenyEscalatingExec() *DenyExec {
return &DenyExec{ return &DenyExec{
Handler: admission.NewHandler(admission.Connect), Handler: admission.NewHandler(admission.Connect),
hostIPC: true, hostNetwork: true,
hostPID: true, hostIPC: true,
privileged: true, hostPID: true,
privileged: true,
} }
} }
// NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged // NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged
// option. This is for legacy support of the DenyExecOnPrivileged admission controller. Most // option. This is for legacy support of the DenyExecOnPrivileged admission controller.
// of the time NewDenyEscalatingExec should be preferred. // Most of the time NewDenyEscalatingExec should be preferred.
func NewDenyExecOnPrivileged() *DenyExec { func NewDenyExecOnPrivileged() *DenyExec {
return &DenyExec{ return &DenyExec{
Handler: admission.NewHandler(admission.Connect), Handler: admission.NewHandler(admission.Connect),
hostIPC: false, hostNetwork: false,
hostPID: false, hostIPC: false,
privileged: true, hostPID: false,
privileged: true,
} }
} }
@ -96,12 +99,19 @@ func (d *DenyExec) Validate(a admission.Attributes) (err error) {
return admission.NewForbidden(a, err) return admission.NewForbidden(a, err)
} }
if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID { if pod.Spec.SecurityContext != nil {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid")) securityContext := pod.Spec.SecurityContext
} if d.hostNetwork && securityContext.HostNetwork {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host network"))
}
if d.hostIPC && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC { if d.hostPID && securityContext.HostPID {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc")) return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
}
if d.hostIPC && securityContext.HostIPC {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc"))
}
} }
if d.privileged && isPrivileged(pod) { if d.privileged && isPrivileged(pod) {