authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-11-05 21:52:22 +0100
committerGitHub <noreply@github.com>2019-11-05 21:52:22 +0100
commitb4b727256c728295e6a3fcb69593347df9e90b23 (patch)
tree347305da1e3e0c8141b0f54a6451d8b21ff051fc
parent7eda1b08401ad9ab430261f2b2d236eb9a834454 (diff)
parent65ed81993223e96243e0380b34afa40296ea11b3 (diff)
downloadpodman-b4b727256c728295e6a3fcb69593347df9e90b23.tar.gz
podman-b4b727256c728295e6a3fcb69593347df9e90b23.tar.bz2
podman-b4b727256c728295e6a3fcb69593347df9e90b23.zip
Merge pull request #4370 from rhatdan/seccomp
Set SELinux labels based on the security context in the kube.yaml
-rw-r--r--libpod/util.go3
-rw-r--r--pkg/adapter/pods.go18
-rw-r--r--test/e2e/test.yaml34
3 files changed, 55 insertions, 0 deletions
diff --git a/libpod/util.go b/libpod/util.go
index 7bd834e30..bae2f4eb8 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -187,6 +187,9 @@ func programVersion(mountProgram string) (string, error) {
return strings.TrimSuffix(output, "\n"), nil
}
+// DefaultSeccompPath returns the path to the default seccomp.json file
+// if it exists, first it checks OverrideSeccomp and then default.
+// If neither exist function returns ""
func DefaultSeccompPath() (string, error) {
_, err := os.Stat(config.SeccompOverridePath)
if err == nil {
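Review bot: The new doc comment on `DefaultSeccompPath` refers to `OverrideSeccomp`, while the code stats `config.SeccompOverridePath`, and it does not say when the `error` result is non-nil. Suggested wording: `// DefaultSeccompPath returns config.SeccompOverridePath if that file exists, otherwise the default seccomp.json path, or "" if neither exists.`, followed by one sentence on which `os.Stat` failures are returned as errors. The function body continues outside the hunk, so the error handling should be checked against the comment. An empty result presumably changes which seccomp profile a container gets, so callers benefit from that being stated explicitly.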
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index d8d5b884f..f6795970b 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -704,6 +704,24 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
}
}
+ if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
+ if seopt.User != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=user:%s", seopt.User))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("user:%s", seopt.User))
+ }
+ if seopt.Role != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=role:%s", seopt.Role))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("role:%s", seopt.Role))
+ }
+ if seopt.Type != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=type:%s", seopt.Type))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("type:%s", seopt.Type))
+ }
+ if seopt.Level != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=level:%s", seopt.Level))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("level:%s", seopt.Level))
+ }
+ }
if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
for _, capability := range caps.Add {
containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
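Review bot: `seopt.User`, `seopt.Role`, `seopt.Type` and `seopt.Level` are copied from the kube YAML into the label options with no validation, and each value is appended to both `SecurityOpts` (as `label=…`) and `LabelOpts`. If a later stage also derives label options from `SecurityOpts`, every option would be applied twice; that code is not in this hunk, so this is worth confirming. The four branches differ only in the key, so a table-driven loop keeps them in step and gives a single place to reject malformed values before they reach the labelling code. The enclosing `kubeContainerToCreateConfig` starts and ends outside the hunk.

```go
if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
	// Order matches the original branches: user, role, type, level.
	for _, f := range []struct{ key, val string }{
		{"user", seopt.User},
		{"role", seopt.Role},
		{"type", seopt.Type},
		{"level", seopt.Level},
	} {
		if f.val == "" {
			continue
		}
		// NOTE(review): f.val comes straight from the kube YAML; validate it here
		// or confirm the label parser downstream rejects malformed components.
		containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=%s:%s", f.key, f.val))
		containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("%s:%s", f.key, f.val))
	}
}
// … unchanged: capabilities handling …
```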
diff --git a/test/e2e/test.yaml b/test/e2e/test.yaml
new file mode 100644
index 000000000..319d6a4a0
--- /dev/null
+++ b/test/e2e/test.yaml
@@ -0,0 +1,34 @@
+# Save the output of this file and use kubectl create -f to import
+# it into Kubernetes.
+#
+# Created with podman-1.6.2
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: test
+ name: test
+spec:
+ containers:
+ - command:
+ - sleep
+ - "100"
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ image: docker.io/library/fedora:latest
+ name: test
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities: {}
+ privileged: false
+ seLinuxOptions:
+ level: "s0:c1,c2"
+ readOnlyRootFilesystem: false
+ workingDir: /
+status: {}
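Review bot: The fixture sets only `seLinuxOptions.level`, so the `user`, `role` and `type` branches added in pkg/adapter/pods.go are not covered, and none of the three files in this commit references test/e2e/test.yaml. Consider adding `user:`, `role:` and `type:` entries (or a second fixture) together with a spec that plays the file and asserts the label on the resulting container. `image: docker.io/library/fedora:latest` is an unpinned tag, so the test depends on whatever the registry serves at run time; a pinned tag or digest would make it reproducible.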