aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2019-10-29 17:08:15 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2019-11-05 04:09:01 -0500
commit65ed81993223e96243e0380b34afa40296ea11b3 (patch)
treea0a1ccd29f5f5ed0f1a57e6924c22751995ec18c
parentcc19b09b44634fe689c2a8b2e9b0102adf47c419 (diff)
downloadpodman-65ed81993223e96243e0380b34afa40296ea11b3.tar.gz
podman-65ed81993223e96243e0380b34afa40296ea11b3.tar.bz2
podman-65ed81993223e96243e0380b34afa40296ea11b3.zip
Set SELinux labels based on the security context in the kube.yaml
If the kube.yaml specifieds the SELinux type or Level, we need the container to be launched with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--libpod/util.go3
-rw-r--r--pkg/adapter/pods.go18
-rw-r--r--test/e2e/test.yaml34
3 files changed, 55 insertions, 0 deletions
diff --git a/libpod/util.go b/libpod/util.go
index 7bd834e30..bae2f4eb8 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -187,6 +187,9 @@ func programVersion(mountProgram string) (string, error) {
return strings.TrimSuffix(output, "\n"), nil
}
+// DefaultSeccompPath returns the path to the default seccomp.json file
+// if it exists, first it checks OverrideSeccomp and then default.
+// If neither exist function returns ""
func DefaultSeccompPath() (string, error) {
_, err := os.Stat(config.SeccompOverridePath)
if err == nil {
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index d8d5b884f..f6795970b 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -704,6 +704,24 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
}
}
+ if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
+ if seopt.User != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=user:%s", seopt.User))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("user:%s", seopt.User))
+ }
+ if seopt.Role != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=role:%s", seopt.Role))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("role:%s", seopt.Role))
+ }
+ if seopt.Type != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=type:%s", seopt.Type))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("type:%s", seopt.Type))
+ }
+ if seopt.Level != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=level:%s", seopt.Level))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("level:%s", seopt.Level))
+ }
+ }
if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
for _, capability := range caps.Add {
containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
diff --git a/test/e2e/test.yaml b/test/e2e/test.yaml
new file mode 100644
index 000000000..319d6a4a0
--- /dev/null
+++ b/test/e2e/test.yaml
@@ -0,0 +1,34 @@
+# Save the output of this file and use kubectl create -f to import
+# it into Kubernetes.
+#
+# Created with podman-1.6.2
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: test
+ name: test
+spec:
+ containers:
+ - command:
+ - sleep
+ - "100"
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ image: docker.io/library/fedora:latest
+ name: test
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities: {}
+ privileged: false
+ seLinuxOptions:
+ level: "s0:c1,c2"
+ readOnlyRootFilesystem: false
+ workingDir: /
+status: {}