From 3193a4a469ef0c54c5fc173596e0754dfb3fcd0c Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Fri, 6 Jul 2018 15:42:26 -0700
Subject: [PATCH] Fix RunAsGroup.

---
 .../kuberuntime/kuberuntime_container_linux_test.go | 12 ++++++++++--
 pkg/kubelet/kuberuntime/kuberuntime_sandbox.go | 3 +++
 pkg/kubelet/kuberuntime/security_context.go | 3 +++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
index 3ab8803129b..d04b20f741f 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
@@ -64,6 +64,8 @@ func TestGenerateContainerConfig(t *testing.T) {
 	_, imageService, m, err := createTestRuntimeManager()
 	assert.NoError(t, err)
 
+	runAsUser := int64(1000)
+	runAsGroup := int64(2000)
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			UID: "12345678",
@@ -78,6 +80,10 @@ func TestGenerateContainerConfig(t *testing.T) {
 					ImagePullPolicy: v1.PullIfNotPresent,
 					Command: []string{"testCommand"},
 					WorkingDir: "testWorkingDir",
+					SecurityContext: &v1.SecurityContext{
+						RunAsUser: &runAsUser,
+						RunAsGroup: &runAsGroup,
+					},
 				},
 			},
 		},
@@ -87,8 +93,10 @@ func TestGenerateContainerConfig(t *testing.T) {
 	containerConfig, _, err := m.generateContainerConfig(&pod.Spec.Containers[0], pod, 0, "", pod.Spec.Containers[0].Image, kubecontainer.ContainerTypeRegular)
 	assert.NoError(t, err)
 	assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.")
+	assert.Equal(t, runAsUser, containerConfig.GetLinux().GetSecurityContext().GetRunAsUser().GetValue(), "RunAsUser should be set")
+	assert.Equal(t, runAsGroup, containerConfig.GetLinux().GetSecurityContext().GetRunAsGroup().GetValue(), "RunAsGroup should be set")
 
-	runAsUser := int64(0)
+	runAsRoot := int64(0)
 	runAsNonRootTrue := true
 	podWithContainerSecurityContext := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
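Review bot: The two new assertions on containerConfig pin RunAsUser=1000 and RunAsGroup=2000, but they only cover a fixture that sets both fields together on the container; a RunAsGroup given without RunAsUser, and a pod-level `SecurityContext.RunAsGroup` that the container is expected to inherit, are left untested, and those are exactly the shapes in which a field can be dropped silently again. Since `GetValue()` presumably returns 0 for a nil `Int64Value`, the failure message `RunAsGroup should be set` is also misleading when the field is present but wrong; an explicit `assert.NotNil(t, containerConfig.GetLinux().GetSecurityContext().GetRunAsGroup(), "RunAsGroup should be set")` before the value check separates "dropped" from "wrong", which is the distinction this fix is about. TestGenerateContainerConfig continues outside the hunk.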
@@ -106,7 +114,7 @@ func TestGenerateContainerConfig(t *testing.T) {
 					WorkingDir: "testWorkingDir",
 					SecurityContext: &v1.SecurityContext{
 						RunAsNonRoot: &runAsNonRootTrue,
-						RunAsUser: &runAsUser,
+						RunAsUser: &runAsRoot,
 					},
 				},
 			},
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index 33d0881f11e..04419a07fc1 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -152,6 +152,9 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 	if sc.RunAsUser != nil {
 		lc.SecurityContext.RunAsUser = &runtimeapi.Int64Value{Value: int64(*sc.RunAsUser)}
 	}
+	if sc.RunAsGroup != nil {
+		lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)}
+	}
 	lc.SecurityContext.NamespaceOptions = namespacesForPod(pod)
 
 	if sc.FSGroup != nil {
diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
index c01fd52061e..20e11e7fca5 100644
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@@ -108,6 +108,9 @@ func convertToRuntimeSecurityContext(securityContext *v1.SecurityContext) *runti
 	if securityContext.RunAsUser != nil {
 		sc.RunAsUser = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsUser)}
 	}
+	if securityContext.RunAsGroup != nil {
+		sc.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsGroup)}
+	}
 	if securityContext.Privileged != nil {
 		sc.Privileged = *securityContext.Privileged
 	}
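Review bot: The new RunAsGroup block in generatePodSandboxLinuxConfig is not exercised by this commit — the diffstat touches only kuberuntime_container_linux_test.go — so the sandbox half of the fix can regress just as silently as the original omission did; a case in the sandbox test asserting `lc.GetSecurityContext().GetRunAsGroup().GetValue()` for a pod whose `SecurityContext.RunAsGroup` is set would close that gap. The block deserves a why-comment, e.g. `// Propagate RunAsGroup to the sandbox like RunAsUser above; leaving it nil lets the runtime pick the default GID, which for most images is group 0.` `sc` and `lc` are initialised before the hunk (sc is presumably the pod-level SecurityContext), and generatePodSandboxLinuxConfig continues after it.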
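Review bot: The added RunAsGroup copy in convertToRuntimeSecurityContext is unconditional, so if RunAsGroup is still behind a feature gate at this release the only enforcement is the API server dropping the field on admission; confirm that is the case, or gate the copy here, because a kubelet honouring a field the cluster has disabled is a policy bypass. The defect being fixed — a SecurityContext field silently never reaching the CRI — is a class issue rather than a one-off, and a table-driven test that populates every v1.SecurityContext field and asserts each one lands in the runtime context would stop the next new field from being dropped the same way. The `int64(...)` wrapper is a no-op if the API field is already `*int64`, which it appears to be given the `&runAsGroup` in the test fixture; keeping it for symmetry with the RunAsUser line is fine. A pod-level RunAsGroup only reaches this function if the effective-security-context merge that runs before it propagates the field, which is worth confirming with a test. convertToRuntimeSecurityContext starts before the hunk and its return value is built after it.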