summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorQi Wang <qiwan@redhat.com>2020-02-21 17:59:56 -0500
committerQi Wang <qiwan@redhat.com>2020-03-03 11:21:14 -0500
commit17bab33bd2b8719c84e5ede1bd21b435ebeedf0e (patch)
treea24a41a66c393cb66f2f6c708f18937fa4fe5a17
parent47c4ea39196cedac87e7a4e4c1ead54ed9d7ed50 (diff)
downloadpodman-17bab33bd2b8719c84e5ede1bd21b435ebeedf0e.tar.gz
podman-17bab33bd2b8719c84e5ede1bd21b435ebeedf0e.tar.bz2
podman-17bab33bd2b8719c84e5ede1bd21b435ebeedf0e.zip
fix security-opt generate kube
fix #4950 add selinux options from --security-opt of the container to generate kube result Signed-off-by: Qi Wang <qiwan@redhat.com>
-rw-r--r--libpod/kube.go23
-rw-r--r--test/e2e/generate_kube_test.go47
2 files changed, 65 insertions, 5 deletions
diff --git a/libpod/kube.go b/libpod/kube.go
index 7a5ab670d..5511d303d 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -468,11 +468,26 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
return nil, err
}
+ var selinuxOpts v1.SELinuxOptions
+ opts := strings.SplitN(c.config.Spec.Annotations[InspectAnnotationLabel], ":", 2)
+ if len(opts) == 2 {
+ switch opts[0] {
+ case "type":
+ selinuxOpts.Type = opts[1]
+ case "level":
+ selinuxOpts.Level = opts[1]
+ }
+ }
+ if len(opts) == 1 {
+ if opts[0] == "disable" {
+ selinuxOpts.Type = "spc_t"
+ }
+ }
+
sc := v1.SecurityContext{
- Capabilities: newCaps,
- Privileged: &priv,
- // TODO How do we know if selinux were passed into podman
- //SELinuxOptions:
+ Capabilities: newCaps,
+ Privileged: &priv,
+ SELinuxOptions: &selinuxOpts,
// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
// I'm leaving this as a bread-crumb for later
//RunAsNonRoot: &nonRoot,
diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go
index 603edbe6b..389f2c822 100644
--- a/test/e2e/generate_kube_test.go
+++ b/test/e2e/generate_kube_test.go
@@ -10,7 +10,7 @@ import (
"github.com/ghodss/yaml"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
- "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
)
var _ = Describe("Podman generate kube", func() {
@@ -69,6 +69,51 @@ var _ = Describe("Podman generate kube", func() {
Expect(numContainers).To(Equal(1))
})
+ It("podman generate service kube on container with --security-opt level", func() {
+ session := podmanTest.Podman([]string{"create", "--name", "test", "--security-opt", "label=level:s0:c100,c200", "alpine"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "test"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ pod := new(v1.Pod)
+ err := yaml.Unmarshal(kube.Out.Contents(), pod)
+ Expect(err).To(BeNil())
+ Expect(kube.OutputToString()).To(ContainSubstring("level: s0:c100,c200"))
+ })
+
+ It("podman generate service kube on container with --security-opt disable", func() {
+ session := podmanTest.Podman([]string{"create", "--name", "test-disable", "--security-opt", "label=disable", "alpine"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "test-disable"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ pod := new(v1.Pod)
+ err = yaml.Unmarshal(kube.Out.Contents(), pod)
+ Expect(err).To(BeNil())
+ Expect(kube.OutputToString()).To(ContainSubstring("type: spc_t"))
+ })
+
+ It("podman generate service kube on container with --security-opt type", func() {
+ session := podmanTest.Podman([]string{"create", "--name", "test", "--security-opt", "label=type:foo_bar_t", "alpine"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ kube := podmanTest.Podman([]string{"generate", "kube", "test"})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ pod := new(v1.Pod)
+ err = yaml.Unmarshal(kube.Out.Contents(), pod)
+ Expect(err).To(BeNil())
+ Expect(kube.OutputToString()).To(ContainSubstring("type: foo_bar_t"))
+ })
+
It("podman generate service kube on container", func() {
session := podmanTest.RunTopContainer("top")
session.WaitWithDefaultTimeout()