diff --git a/pkg/kubelet/dockershim/helpers.go b/pkg/kubelet/dockershim/helpers.go
index 111388f97ba..9d7ec54d5aa 100644
--- a/pkg/kubelet/dockershim/helpers.go
+++ b/pkg/kubelet/dockershim/helpers.go
@@ -133,8 +133,6 @@ func generateMountBindings(mounts []*runtimeApi.Mount) (result []string) {
 // does not provide an SELinux context relabeling will label the volume with
 // the container's randomly allocated MCS label. This would restrict access
 // to the volume to the container which mounts it first.
- // TODO: always relabel if SELinux is enabled and the volume support relabeling
- // (refer #33951 and #33663).
 if m.GetSelinuxRelabel() {
 if readOnly {
 bind += ",Z"
diff --git a/pkg/kubelet/dockershim/security_context.go b/pkg/kubelet/dockershim/security_context.go
index db56d149ba4..102fbd84401 100644
--- a/pkg/kubelet/dockershim/security_context.go
+++ b/pkg/kubelet/dockershim/security_context.go
@@ -36,16 +36,11 @@ func applySandboxSecurityContext(lc *runtimeapi.LinuxPodSandboxConfig, config *d
 var sc *runtimeapi.LinuxContainerSecurityContext
 if lc.SecurityContext != nil {
 sc = &runtimeapi.LinuxContainerSecurityContext{
- // TODO: We skip application of supplemental groups to the
- // sandbox container to work around a runc issue which
- // requires containers to have the '/etc/group'. For more
- // information see: https://github.com/opencontainers/runc/pull/313.
- // This can be removed once the fix makes it into the required
- // version of docker.
- RunAsUser: lc.SecurityContext.RunAsUser,
- ReadonlyRootfs: lc.SecurityContext.ReadonlyRootfs,
- SelinuxOptions: lc.SecurityContext.SelinuxOptions,
- NamespaceOptions: lc.SecurityContext.NamespaceOptions,
+ SupplementalGroups: lc.SecurityContext.SupplementalGroups,
+ RunAsUser: lc.SecurityContext.RunAsUser,
+ ReadonlyRootfs: lc.SecurityContext.ReadonlyRootfs,
+ SelinuxOptions: lc.SecurityContext.SelinuxOptions,
+ NamespaceOptions: lc.SecurityContext.NamespaceOptions,
 }
 }
 
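Review bot: The removed TODO was the only record of why supplemental groups were withheld from the sandbox (runc requiring `/etc/group` inside the container, opencontainers/runc#313), and the new `SupplementalGroups:` field in applySandboxSecurityContext carries no note of the runtime-version assumption that now makes passing them through safe. A short comment above the field would keep that context for the next maintainer, e.g. `// SupplementalGroups are applied to the sandbox as well; this assumes a docker/runc that includes opencontainers/runc#313.`. Note also that the slice is assigned by reference rather than copied, so if anything later appends to sc.SupplementalGroups it may write into the pod sandbox config's backing array — nothing in this hunk does so, just flagging it since the rest of applySandboxSecurityContext is outside the hunk.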
@@ -128,7 +123,7 @@ func modifyNamespaceOptions(nsOpts *runtimeapi.NamespaceOption, sandboxID string
 if sandboxID == "" {
 modifyHostNetworkOptionForSandbox(hostNetwork, hostConfig)
 } else {
- // Set for container is sandboxID is provided.
+ // Set for container if sandboxID is provided.
 modifyHostNetworkOptionForContainer(hostNetwork, sandboxID, hostConfig)
 }
 }
diff --git a/pkg/kubelet/dockershim/security_context_test.go b/pkg/kubelet/dockershim/security_context_test.go
index b22dc396b0f..859b737d861 100644
--- a/pkg/kubelet/dockershim/security_context_test.go
+++ b/pkg/kubelet/dockershim/security_context_test.go
@@ -61,6 +61,9 @@ func TestModifyContainerConfig(t *testing.T) {
 func TestModifyHostConfig(t *testing.T) {
 priv := true
+ setNetworkHC := &dockercontainer.HostConfig{
+ NetworkMode: "none",
+ }
 setPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
 setPrivSC.Privileged = &priv
 setPrivHC := &dockercontainer.HostConfig{
@@ -92,6 +95,11 @@ func TestModifyHostConfig(t *testing.T) {
 sc: fullValidSecurityContext(),
 expected: fullValidHostConfig(),
 },
+ {
+ name: "empty container.SecurityContext",
+ sc: &runtimeapi.LinuxContainerSecurityContext{},
+ expected: setNetworkHC,
+ },
 {
 name: "container.SecurityContext.Privileged",
 sc: setPrivSC,
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index 3333e8e0aab..2374ecd4e31 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -149,6 +149,9 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *api.Pod,
 RunAsUser: sc.RunAsUser,
 }
+ if sc.FSGroup != nil {
+ lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, *sc.FSGroup)
+ }
 if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
 lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, groups...)
 }
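Review bot: The new `if sc.FSGroup != nil` block in generatePodSandboxLinuxConfig has no comment explaining why the pod's fsGroup is folded into the sandbox's supplemental groups, which is a non-obvious widening of the sandbox's group membership that a reader will want justified. Suggest `// Also grant the pod's fsGroup to the sandbox, presumably so it shares group ownership of fsGroup-managed volumes — confirm against the volume manager.` above the block. If the pod already lists the same gid in its SupplementalGroups (the literal above the hunk appears to copy them, though that line is not visible here), the gid will now be present twice; this is likely tolerated but a dedupe before the final append, or a note that duplicates are accepted, would keep the list canonical. generatePodSandboxLinuxConfig starts and ends outside the hunk.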