author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-11-05 21:52:22 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-11-05 21:52:22 +0100 |
commit | b4b727256c728295e6a3fcb69593347df9e90b23 (patch) | |
tree | 347305da1e3e0c8141b0f54a6451d8b21ff051fc | |
parent | 7eda1b08401ad9ab430261f2b2d236eb9a834454 (diff) | |
parent | 65ed81993223e96243e0380b34afa40296ea11b3 (diff) | |
download | podman-b4b727256c728295e6a3fcb69593347df9e90b23.tar.gz podman-b4b727256c728295e6a3fcb69593347df9e90b23.tar.bz2 podman-b4b727256c728295e6a3fcb69593347df9e90b23.zip |
Merge pull request #4370 from rhatdan/seccomp
Set SELinux labels based on the security context in the kube.yaml
-rw-r--r-- | libpod/util.go | 3 | ||||
-rw-r--r-- | pkg/adapter/pods.go | 18 | ||||
-rw-r--r-- | test/e2e/test.yaml | 34 |
3 files changed, 55 insertions, 0 deletions
diff --git a/libpod/util.go b/libpod/util.go
index 7bd834e30..bae2f4eb8 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -187,6 +187,9 @@ func programVersion(mountProgram string) (string, error) {
 return strings.TrimSuffix(output, "\n"), nil
 }
 
+// DefaultSeccompPath returns the path to the default seccomp.json file
+// if it exists, first it checks OverrideSeccomp and then default.
+// If neither exist function returns ""
 func DefaultSeccompPath() (string, error) {
 _, err := os.Stat(config.SeccompOverridePath)
 if err == nil {
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index d8d5b884f..f6795970b 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
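Review bot: The added doc comment on DefaultSeccompPath is hard to parse ("if it exists, first it checks OverrideSeccomp and then default") and says nothing about when the error return is non-nil, although only the os.Stat of config.SeccompOverridePath is visible and the rest of the body continues outside the hunk. I would replace the three lines with `// DefaultSeccompPath returns the seccomp.json profile path to use: config.SeccompOverridePath when it exists, otherwise the default profile path.` followed by `// It returns "" when neither file exists.` and a third line stating the condition under which the error is returned, which the visible lines do not establish.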
@@ -704,6 +704,24 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 }
 }
+ if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
+ if seopt.User != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=user:%s", seopt.User))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("user:%s", seopt.User))
+ }
+ if seopt.Role != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=role:%s", seopt.Role))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("role:%s", seopt.Role))
+ }
+ if seopt.Type != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=type:%s", seopt.Type))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("type:%s", seopt.Type))
+ }
+ if seopt.Level != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=level:%s", seopt.Level))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("level:%s", seopt.Level))
+ }
+ }
 if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
 for _, capability := range caps.Add {
 containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
diff --git a/test/e2e/test.yaml b/test/e2e/test.yaml
new file mode 100644
index 000000000..319d6a4a0
--- /dev/null
+++ b/test/e2e/test.yaml
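Review bot: `containerYAML.SecurityContext.SELinuxOptions` on the first added line dereferences SecurityContext without a nil check, so a container spec that omits securityContext would panic here unless an enclosing `if containerYAML.SecurityContext != nil` guard sits above the hunk; the surviving `Capabilities` context line uses the same unguarded pattern, so that guard may well be absent. The four blocks differ only in the key name and can be collapsed into one loop over (key, value) pairs, which preserves the user/role/type/level order of the appended options and makes the nil guard a single condition. The values are interpolated into `label=<key>:<value>` with no validation, so it is worth confirming how the downstream security-option parser treats a value that itself contains ':' (the level `s0:c1,c2` in the added fixture is such a value). kubeContainerToCreateConfig starts and ends outside the hunk.
```go
	// … unchanged: preceding SecurityContext handling …
	if sc := containerYAML.SecurityContext; sc != nil && sc.SELinuxOptions != nil {
		// Emit in a fixed order so the resulting option lists are deterministic.
		for _, kv := range []struct{ key, val string }{
			{"user", sc.SELinuxOptions.User},
			{"role", sc.SELinuxOptions.Role},
			{"type", sc.SELinuxOptions.Type},
			{"level", sc.SELinuxOptions.Level},
		} {
			if kv.val == "" {
				continue
			}
			containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=%s:%s", kv.key, kv.val))
			containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("%s:%s", kv.key, kv.val))
		}
	}
	// … unchanged: capabilities handling …
```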
@@ -0,0 +1,34 @@
+# Save the output of this file and use kubectl create -f to import
+# it into Kubernetes.
+#
+# Created with podman-1.6.2
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: test
+ name: test
+spec:
+ containers:
+ - command:
+ - sleep
+ - "100"
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ image: docker.io/library/fedora:latest
+ name: test
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities: {}
+ privileged: false
+ seLinuxOptions:
+ level: "s0:c1,c2"
+ readOnlyRootFilesystem: false
+ workingDir: /
+status: {} |
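Review bot: The fixture test/e2e/test.yaml is added, but none of the three files in the diffstat (libpod/util.go, pkg/adapter/pods.go, this file) consumes it, so the new seLinuxOptions mapping has no test in this PR unless an existing e2e test already loads this path by name. The fixture also sets only `level`; the new code additionally handles `user`, `role` and `type`, none of which any input exercises. The header comment still reads as generated output ("Save the output of this file and use kubectl create -f"), so I would replace it with a line stating the fixture's purpose, e.g. `# play kube fixture: securityContext.seLinuxOptions must be mapped to the container's label options.`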