mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2025-09-17 10:06:17 +00:00
Switched to profile-based AppArmor configuration (#4008)
Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
This commit is contained in:
Thomas Anderson
GitHub
@@ -197,7 +197,7 @@ backend_options:
|
|||||||
```
|
```
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
AppArmor syntax follows [KEP-24](https://github.com/kubernetes/enhancements/blob/fddcbb9cbf3df39ded03bad71228265ac6e5215f/keps/sig-node/24-apparmor/README.md).
|
The feature requires Kubernetes v1.30 or above.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
### Annotations and labels
|
### Annotations and labels
|
||||||
|
|||||||
@@ -84,7 +84,7 @@ func podMeta(step *types.Step, config *config, options BackendOptions, podName s
|
|||||||
meta := meta_v1.ObjectMeta{
|
meta := meta_v1.ObjectMeta{
|
||||||
Name: podName,
|
Name: podName,
|
||||||
Namespace: config.Namespace,
|
Namespace: config.Namespace,
|
||||||
Annotations: podAnnotations(config, options, podName),
|
Annotations: podAnnotations(config, options),
|
||||||
}
|
}
|
||||||
|
|
||||||
meta.Labels, err = podLabels(step, config, options)
|
meta.Labels, err = podLabels(step, config, options)
|
||||||
@@ -126,7 +126,7 @@ func stepLabel(step *types.Step) (string, error) {
|
|||||||
return toDNSName(step.Name)
|
return toDNSName(step.Name)
|
||||||
}
|
}
|
||||||
|
|
||||||
func podAnnotations(config *config, options BackendOptions, podName string) map[string]string {
|
func podAnnotations(config *config, options BackendOptions) map[string]string {
|
||||||
annotations := make(map[string]string)
|
annotations := make(map[string]string)
|
||||||
|
|
||||||
if len(options.Annotations) > 0 {
|
if len(options.Annotations) > 0 {
|
||||||
@@ -141,13 +141,6 @@ func podAnnotations(config *config, options BackendOptions, podName string) map[
|
|||||||
log.Trace().Msgf("using annotations from the configuration: %v", config.PodAnnotations)
|
log.Trace().Msgf("using annotations from the configuration: %v", config.PodAnnotations)
|
||||||
maps.Copy(annotations, config.PodAnnotations)
|
maps.Copy(annotations, config.PodAnnotations)
|
||||||
}
|
}
|
||||||
securityContext := options.SecurityContext
|
|
||||||
if securityContext != nil {
|
|
||||||
key, value := apparmorAnnotation(podName, securityContext.ApparmorProfile)
|
|
||||||
if key != nil && value != nil {
|
|
||||||
annotations[*key] = *value
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return annotations
|
return annotations
|
||||||
}
|
}
|
||||||
@@ -382,6 +375,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||||||
group *int64
|
group *int64
|
||||||
fsGroup *int64
|
fsGroup *int64
|
||||||
seccomp *v1.SeccompProfile
|
seccomp *v1.SeccompProfile
|
||||||
|
apparmor *v1.AppArmorProfile
|
||||||
)
|
)
|
||||||
|
|
||||||
if secCtxConf.RunAsNonRoot {
|
if secCtxConf.RunAsNonRoot {
|
||||||
@@ -410,6 +404,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||||||
}
|
}
|
||||||
|
|
||||||
seccomp = seccompProfile(sc.SeccompProfile)
|
seccomp = seccompProfile(sc.SeccompProfile)
|
||||||
|
apparmor = apparmorProfile(sc.ApparmorProfile)
|
||||||
}
|
}
|
||||||
|
|
||||||
if nonRoot == nil && user == nil && group == nil && fsGroup == nil && seccomp == nil {
|
if nonRoot == nil && user == nil && group == nil && fsGroup == nil && seccomp == nil {
|
||||||
@@ -422,6 +417,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||||||
RunAsGroup: group,
|
RunAsGroup: group,
|
||||||
FSGroup: fsGroup,
|
FSGroup: fsGroup,
|
||||||
SeccompProfile: seccomp,
|
SeccompProfile: seccomp,
|
||||||
|
AppArmorProfile: apparmor,
|
||||||
}
|
}
|
||||||
log.Trace().Msgf("pod security context that will be used: %v", securityContext)
|
log.Trace().Msgf("pod security context that will be used: %v", securityContext)
|
||||||
return securityContext
|
return securityContext
|
||||||
@@ -443,6 +439,22 @@ func seccompProfile(scp *SecProfile) *v1.SeccompProfile {
|
|||||||
return seccompProfile
|
return seccompProfile
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func apparmorProfile(scp *SecProfile) *v1.AppArmorProfile {
|
||||||
|
if scp == nil || len(scp.Type) == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
log.Trace().Msgf("using AppArmor profile: %v", scp)
|
||||||
|
|
||||||
|
apparmorProfile := &v1.AppArmorProfile{
|
||||||
|
Type: v1.AppArmorProfileType(scp.Type),
|
||||||
|
}
|
||||||
|
if len(scp.LocalhostProfile) > 0 {
|
||||||
|
apparmorProfile.LocalhostProfile = &scp.LocalhostProfile
|
||||||
|
}
|
||||||
|
|
||||||
|
return apparmorProfile
|
||||||
|
}
|
||||||
|
|
||||||
func containerSecurityContext(sc *SecurityContext, stepPrivileged bool) *v1.SecurityContext {
|
func containerSecurityContext(sc *SecurityContext, stepPrivileged bool) *v1.SecurityContext {
|
||||||
if !stepPrivileged {
|
if !stepPrivileged {
|
||||||
return nil
|
return nil
|
||||||
@@ -471,36 +483,6 @@ func containerSecurityContext(sc *SecurityContext, stepPrivileged bool) *v1.Secu
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func apparmorAnnotation(containerName string, scp *SecProfile) (*string, *string) {
|
|
||||||
if scp == nil {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
log.Trace().Msgf("using AppArmor profile: %v", scp)
|
|
||||||
|
|
||||||
var (
|
|
||||||
profileType string
|
|
||||||
profilePath string
|
|
||||||
)
|
|
||||||
|
|
||||||
if scp.Type == SecProfileTypeRuntimeDefault {
|
|
||||||
profileType = "runtime"
|
|
||||||
profilePath = "default"
|
|
||||||
}
|
|
||||||
|
|
||||||
if scp.Type == SecProfileTypeLocalhost {
|
|
||||||
profileType = "localhost"
|
|
||||||
profilePath = scp.LocalhostProfile
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(profileType) == 0 {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
key := v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + containerName
|
|
||||||
value := profileType + "/" + profilePath
|
|
||||||
return &key, &value
|
|
||||||
}
|
|
||||||
|
|
||||||
func mapToEnvVars(m map[string]string) []v1.EnvVar {
|
func mapToEnvVars(m map[string]string) []v1.EnvVar {
|
||||||
var ev []v1.EnvVar
|
var ev []v1.EnvVar
|
||||||
for k, v := range m {
|
for k, v := range m {
|
||||||
|
|||||||
@@ -162,7 +162,6 @@ func TestFullPod(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"annotations": {
|
"annotations": {
|
||||||
"apps.kubernetes.io/pod-index": "0",
|
"apps.kubernetes.io/pod-index": "0",
|
||||||
"container.apparmor.security.beta.kubernetes.io/wp-01he8bebctabr3kgk0qj36d2me-0": "localhost/k8s-apparmor-example-deny-write",
|
|
||||||
"kubernetes.io/limit-ranger": "LimitRanger plugin set: cpu, memory request and limit for container"
|
"kubernetes.io/limit-ranger": "LimitRanger plugin set: cpu, memory request and limit for container"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
@@ -250,6 +249,10 @@ func TestFullPod(t *testing.T) {
|
|||||||
"runAsGroup": 101,
|
"runAsGroup": 101,
|
||||||
"runAsNonRoot": true,
|
"runAsNonRoot": true,
|
||||||
"fsGroup": 101,
|
"fsGroup": 101,
|
||||||
|
"appArmorProfile": {
|
||||||
|
"type": "Localhost",
|
||||||
|
"localhostProfile": "k8s-apparmor-example-deny-write"
|
||||||
|
},
|
||||||
"seccompProfile": {
|
"seccompProfile": {
|
||||||
"type": "Localhost",
|
"type": "Localhost",
|
||||||
"localhostProfile": "profiles/audit.json"
|
"localhostProfile": "profiles/audit.json"
|
||||||
|
|||||||
Reference in New Issue
Block a user