Support seccomp profile from container's security context
This commit is contained in:
parent
2820b45caa
commit
f3150c9c8c
@ -819,7 +819,7 @@ func RunDockershim(c *componentconfig.KubeletConfiguration, r *options.Container
|
|||||||
SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols,
|
SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols,
|
||||||
}
|
}
|
||||||
|
|
||||||
ds, err := dockershim.NewDockerService(dockerClient, c.SeccompProfileRoot, r.PodSandboxImage,
|
ds, err := dockershim.NewDockerService(dockerClient, r.PodSandboxImage,
|
||||||
streamingConfig, &pluginSettings, c.RuntimeCgroups, c.CgroupDriver, r.DockerExecHandlerName, r.DockershimRootDirectory,
|
streamingConfig, &pluginSettings, c.RuntimeCgroups, c.CgroupDriver, r.DockerExecHandlerName, r.DockershimRootDirectory,
|
||||||
r.DockerDisableSharedPID)
|
r.DockerDisableSharedPID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -577,7 +577,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration,
|
|||||||
case kubetypes.DockerContainerRuntime:
|
case kubetypes.DockerContainerRuntime:
|
||||||
// Create and start the CRI shim running as a grpc server.
|
// Create and start the CRI shim running as a grpc server.
|
||||||
streamingConfig := getStreamingConfig(kubeCfg, kubeDeps)
|
streamingConfig := getStreamingConfig(kubeCfg, kubeDeps)
|
||||||
ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, kubeCfg.SeccompProfileRoot, crOptions.PodSandboxImage,
|
ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, crOptions.PodSandboxImage,
|
||||||
streamingConfig, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, crOptions.DockerExecHandlerName,
|
streamingConfig, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, crOptions.DockerExecHandlerName,
|
||||||
crOptions.DockershimRootDirectory, crOptions.DockerDisableSharedPID)
|
crOptions.DockershimRootDirectory, crOptions.DockerDisableSharedPID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -621,6 +621,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration,
|
|||||||
runtime, err := kuberuntime.NewKubeGenericRuntimeManager(
|
runtime, err := kuberuntime.NewKubeGenericRuntimeManager(
|
||||||
kubecontainer.FilterEventRecorder(kubeDeps.Recorder),
|
kubecontainer.FilterEventRecorder(kubeDeps.Recorder),
|
||||||
klet.livenessManager,
|
klet.livenessManager,
|
||||||
|
kubeCfg.SeccompProfileRoot,
|
||||||
containerRefManager,
|
containerRefManager,
|
||||||
machineInfo,
|
machineInfo,
|
||||||
klet.podManager,
|
klet.podManager,
|
||||||
|
@ -20,6 +20,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
"k8s.io/api/core/v1"
|
"k8s.io/api/core/v1"
|
||||||
@ -255,3 +256,30 @@ func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string
|
|||||||
|
|
||||||
return sysctls, nil
|
return sysctls, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// getSeccompProfileFromAnnotations gets seccomp profile from annotations.
|
||||||
|
// It gets pod's profile if containerName is null.
|
||||||
|
func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations map[string]string, containerName string) string {
|
||||||
|
// try the pod profile.
|
||||||
|
profile, profileOK := annotations[v1.SeccompPodAnnotationKey]
|
||||||
|
if containerName != "" {
|
||||||
|
// try the container profile.
|
||||||
|
cProfile, cProfileOK := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]
|
||||||
|
if cProfileOK {
|
||||||
|
profile = cProfile
|
||||||
|
profileOK = cProfileOK
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !profileOK {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
if strings.HasPrefix(profile, "localhost/") {
|
||||||
|
name := strings.TrimPrefix(profile, "localhost/")
|
||||||
|
fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name))
|
||||||
|
return fname
|
||||||
|
}
|
||||||
|
|
||||||
|
return profile
|
||||||
|
}
|
||||||
|
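Review bot: The `localhost/` branch joins an annotation-supplied name onto `m.seccompProfileRoot` without checking that the cleaned result still lies under that root, so a name containing `..` segments resolves to a path outside the profile directory; since annotations come from the pod spec, the root is not a boundary as written. The function also has no way to reject a value — its only failure mode is returning `""`, which the CRI runtime presumably treats as unconfined (worth confirming), so a bad name should surface as an error that fails container creation rather than a silent fallback; a containment check via `filepath.Rel` is sketched below, and the two callers in the sandbox-config and security-context hunks would then need to handle the error. Two smaller points: the doc comment says "if containerName is null" while `""` is the actual sentinel, so `// It returns the pod-level profile when containerName is empty.` reads better, and `profileOK = cProfileOK` inside `if cProfileOK` always assigns true, so `profileOK = true` says what it does.
```go
// getSeccompProfileFromAnnotations gets seccomp profile from annotations.
// It returns the pod-level profile when containerName is empty. A
// "localhost/" profile must resolve inside m.seccompProfileRoot.
func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations map[string]string, containerName string) (string, error) {
	// … unchanged: pod / container annotation lookup …
	if !profileOK {
		return "", nil
	}

	if strings.HasPrefix(profile, "localhost/") {
		name := strings.TrimPrefix(profile, "localhost/")
		fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name))
		// filepath.Join cleans the path; reject anything that escaped the root.
		rel, err := filepath.Rel(m.seccompProfileRoot, fname)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return "", fmt.Errorf("seccomp profile %q resolves outside of %q", profile, m.seccompProfileRoot)
		}
		return fname, nil
	}

	return profile, nil
}
```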
@ -105,6 +105,9 @@ type kubeGenericRuntimeManager struct {
|
|||||||
|
|
||||||
// The version cache of runtime daemon.
|
// The version cache of runtime daemon.
|
||||||
versionCache *cache.ObjectCache
|
versionCache *cache.ObjectCache
|
||||||
|
|
||||||
|
// The directory path for seccomp profiles.
|
||||||
|
seccompProfileRoot string
|
||||||
}
|
}
|
||||||
|
|
||||||
type KubeGenericRuntime interface {
|
type KubeGenericRuntime interface {
|
||||||
@ -117,6 +120,7 @@ type KubeGenericRuntime interface {
|
|||||||
func NewKubeGenericRuntimeManager(
|
func NewKubeGenericRuntimeManager(
|
||||||
recorder record.EventRecorder,
|
recorder record.EventRecorder,
|
||||||
livenessManager proberesults.Manager,
|
livenessManager proberesults.Manager,
|
||||||
|
seccompProfileRoot string,
|
||||||
containerRefManager *kubecontainer.RefManager,
|
containerRefManager *kubecontainer.RefManager,
|
||||||
machineInfo *cadvisorapi.MachineInfo,
|
machineInfo *cadvisorapi.MachineInfo,
|
||||||
podGetter podGetter,
|
podGetter podGetter,
|
||||||
@ -134,6 +138,7 @@ func NewKubeGenericRuntimeManager(
|
|||||||
kubeRuntimeManager := &kubeGenericRuntimeManager{
|
kubeRuntimeManager := &kubeGenericRuntimeManager{
|
||||||
recorder: recorder,
|
recorder: recorder,
|
||||||
cpuCFSQuota: cpuCFSQuota,
|
cpuCFSQuota: cpuCFSQuota,
|
||||||
|
seccompProfileRoot: seccompProfileRoot,
|
||||||
livenessManager: livenessManager,
|
livenessManager: livenessManager,
|
||||||
containerRefManager: containerRefManager,
|
containerRefManager: containerRefManager,
|
||||||
machineInfo: machineInfo,
|
machineInfo: machineInfo,
|
||||||
|
@ -136,6 +136,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
|
|||||||
CgroupParent: cgroupParent,
|
CgroupParent: cgroupParent,
|
||||||
SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
|
SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
|
||||||
Privileged: kubecontainer.HasPrivilegedContainer(pod),
|
Privileged: kubecontainer.HasPrivilegedContainer(pod),
|
||||||
|
SeccompProfilePath: m.getSeccompProfileFromAnnotations(pod.Annotations, ""),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,6 +33,9 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
|
|||||||
synthesized = &runtimeapi.LinuxContainerSecurityContext{}
|
synthesized = &runtimeapi.LinuxContainerSecurityContext{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// set SeccompProfilePath.
|
||||||
|
synthesized.SeccompProfilePath = m.getSeccompProfileFromAnnotations(pod.Annotations, container.Name)
|
||||||
|
|
||||||
// set ApparmorProfile.
|
// set ApparmorProfile.
|
||||||
synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name)
|
synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name)
|
||||||
|
|
||||||
|
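Review bot: `// set SeccompProfilePath.` only restates the line beneath it; the fact a reader needs is the precedence the helper applies, so `// Seccomp: a container-specific annotation takes precedence over the pod-level one.` would carry more information (what an empty path means to the runtime is not visible here and is best left unstated). The commit title speaks of the container's security context, but this hunk sources the profile from pod annotations and writes it into the CRI security context; if that placement is what the title means it is fine, otherwise it overstates the change. determineEffectiveSecurityContext starts and ends outside the hunk.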