aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Hunt <pehunt@redhat.com>2019-11-15 15:49:42 -0500
committerPeter Hunt <pehunt@redhat.com>2019-11-18 10:11:35 -0500
commit8d585ccfa89e4f4e1eabf652528d3f7306af3268 (patch)
treeb2cf161144a7d38dd07c7806ac8c0d48bfe3cf28
parentdb32ed1ae8374aac9c4058607ad9cf294505c952 (diff)
downloadpodman-8d585ccfa89e4f4e1eabf652528d3f7306af3268.tar.gz
podman-8d585ccfa89e4f4e1eabf652528d3f7306af3268.tar.bz2
podman-8d585ccfa89e4f4e1eabf652528d3f7306af3268.zip
play kube: handle seccomp labels
Add handling of seccomp annotations to play kube at both container and pod levels. also add a test Signed-off-by: Peter Hunt <pehunt@redhat.com>
-rw-r--r--pkg/adapter/pods.go92
-rw-r--r--test/e2e/common_test.go9
-rw-r--r--test/e2e/play_kube_test.go71
-rw-r--r--test/e2e/run_test.go4
4 files changed, 163 insertions, 13 deletions
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index 2003b55ad..d73a8b21b 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -596,12 +596,17 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa
volumes[volume.Name] = hostPath.Path
}
+ seccompPaths, err := initializeSeccompPaths(podYAML.ObjectMeta.Annotations)
+ if err != nil {
+ return nil, err
+ }
+
for _, container := range podYAML.Spec.Containers {
newImage, err := r.ImageRuntime().New(ctx, container.Image, c.SignaturePolicy, c.Authfile, writer, &dockerRegistryOptions, image.SigningOptions{}, nil, util.PullImageMissing)
if err != nil {
return nil, err
}
- createConfig, err := kubeContainerToCreateConfig(ctx, container, r.Runtime, newImage, namespaces, volumes, pod.ID(), podInfraID)
+ createConfig, err := kubeContainerToCreateConfig(ctx, container, r.Runtime, newImage, namespaces, volumes, pod.ID(), podInfraID, seccompPaths)
if err != nil {
return nil, err
}
@@ -720,7 +725,7 @@ func setupSecurityContext(securityConfig *createconfig.SecurityConfig, userConfi
}
// kubeContainerToCreateConfig takes a v1.Container and returns a createconfig describing a container
-func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container, runtime *libpod.Runtime, newImage *image.Image, namespaces map[string]string, volumes map[string]string, podID, infraID string) (*createconfig.CreateConfig, error) {
+func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container, runtime *libpod.Runtime, newImage *image.Image, namespaces map[string]string, volumes map[string]string, podID, infraID string, seccompPaths *kubeSeccompPaths) (*createconfig.CreateConfig, error) {
var (
containerConfig createconfig.CreateConfig
pidConfig createconfig.PidConfig
@@ -752,11 +757,7 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
setupSecurityContext(&securityConfig, &userConfig, containerYAML)
- var err error
- containerConfig.Security.SeccompProfilePath, err = libpod.DefaultSeccompPath()
- if err != nil {
- return nil, err
- }
+ securityConfig.SeccompProfilePath = seccompPaths.findForContainer(containerConfig.Name)
containerConfig.Command = []string{}
if imageData != nil && imageData.Config != nil {
@@ -826,3 +827,80 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
}
return &containerConfig, nil
}
+
+// kubeSeccompPaths holds information about a pod YAML's seccomp configuration
+// it holds both container and pod seccomp paths
+type kubeSeccompPaths struct {
+ containerPaths map[string]string
+ podPath string
+}
+
+// findForContainer checks whether a container has a seccomp path configured for it
+// if not, it returns the podPath, which should always have a value
+func (k *kubeSeccompPaths) findForContainer(ctrName string) string {
+ if path, ok := k.containerPaths[ctrName]; ok {
+ return path
+ }
+ return k.podPath
+}
+
+// initializeSeccompPaths takes annotations from the pod object metadata and finds annotations pertaining to seccomp
+// it parses both pod and container level
+func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, error) {
+ seccompPaths := &kubeSeccompPaths{containerPaths: make(map[string]string)}
+ var err error
+ if annotations != nil {
+ for annKeyValue, seccomp := range annotations {
+ // check if it is prefaced with container.seccomp.security.alpha.kubernetes.io/
+ prefixAndCtr := strings.Split(annKeyValue, "/")
+ if prefixAndCtr[0]+"/" != v1.SeccompContainerAnnotationKeyPrefix {
+ continue
+ } else if len(prefixAndCtr) != 2 {
+ // this could be caused by a user inputting either of
+ // container.seccomp.security.alpha.kubernetes.io{,/}
+ // both of which are invalid
+ return nil, errors.Errorf("Invalid seccomp path: %s", prefixAndCtr[0])
+ }
+
+ path, err := verifySeccompPath(seccomp)
+ if err != nil {
+ return nil, err
+ }
+ seccompPaths.containerPaths[prefixAndCtr[1]] = path
+ }
+
+ podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey]
+ if ok {
+ seccompPaths.podPath, err = verifySeccompPath(podSeccomp)
+ } else {
+ seccompPaths.podPath, err = libpod.DefaultSeccompPath()
+ }
+ if err != nil {
+ return nil, err
+ }
+ }
+ return seccompPaths, nil
+}
+
+// verifySeccompPath takes a path and checks whether it is a default, unconfined, or a path
+// the available options are parsed as defined in https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+func verifySeccompPath(path string) (string, error) {
+ switch path {
+ case v1.DeprecatedSeccompProfileDockerDefault:
+ fallthrough
+ case v1.SeccompProfileRuntimeDefault:
+ return libpod.DefaultSeccompPath()
+ case "unconfined":
+ return path, nil
+ default:
+ // TODO we have an inconsistency here
+ // k8s parses `localhost/<path>` which is found at `<seccomp_root>`
+ // we currently parse `localhost:<seccomp_root>/<path>
+ // to fully conform, we need to find a good location for the seccomp root
+ parts := strings.Split(path, ":")
+ if parts[0] == "localhost" {
+ return parts[1], nil
+ }
+ return "", errors.Errorf("invalid seccomp path: %s", path)
+ }
+}
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index b390df8b2..16b971e65 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -559,3 +559,12 @@ func (p *PodmanTestIntegration) RunHealthCheck(cid string) error {
}
return errors.Errorf("unable to detect %s as running", cid)
}
+
+func (p *PodmanTestIntegration) CreateSeccompJson(in []byte) (string, error) {
+ jsonFile := filepath.Join(p.TempDir, "seccomp.json")
+ err := WriteJsonFile(in, jsonFile)
+ if err != nil {
+ return "", err
+ }
+ return jsonFile, nil
+}
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 416c64b5a..29c60d7ac 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -3,6 +3,7 @@
package integration
import (
+ "fmt"
"os"
"path/filepath"
"text/template"
@@ -20,6 +21,13 @@ metadata:
labels:
app: {{ .Name }}
name: {{ .Name }}
+{{ with .Annotations }}
+ annotations:
+ {{ range $key, $value := . }}
+ {{ $key }}: {{ $value }}
+ {{ end }}
+{{ end }}
+
spec:
hostname: {{ .Hostname }}
containers:
@@ -72,6 +80,7 @@ var (
defaultCtrCmd = []string{"top"}
defaultCtrImage = ALPINE
defaultPodName = "testPod"
+ seccompPwdEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
)
func generateKubeYaml(pod *Pod, fileName string) error {
@@ -95,16 +104,17 @@ func generateKubeYaml(pod *Pod, fileName string) error {
// Pod describes the options a kube yaml can be configured at pod level
type Pod struct {
- Name string
- Hostname string
- Ctrs []*Ctr
+ Name string
+ Hostname string
+ Ctrs []*Ctr
+ Annotations map[string]string
}
// getPod takes a list of podOptions and returns a pod with sane defaults
// and the configured options
// if no containers are added, it will add the default container
func getPod(options ...podOption) *Pod {
- p := Pod{defaultPodName, "", make([]*Ctr, 0)}
+ p := Pod{defaultPodName, "", make([]*Ctr, 0), make(map[string]string)}
for _, option := range options {
option(&p)
}
@@ -128,6 +138,12 @@ func withCtr(c *Ctr) podOption {
}
}
+func withAnnotation(k, v string) podOption {
+ return func(pod *Pod) {
+ pod.Annotations[k] = v
+ }
+}
+
// Ctr describes the options a kube yaml can be configured at container level
type Ctr struct {
Name string
@@ -330,4 +346,51 @@ var _ = Describe("Podman generate kube", func() {
inspect.WaitWithDefaultTimeout()
Expect(inspect.ExitCode()).To(Equal(0))
})
+
+ It("podman play kube seccomp container level", func() {
+ // expect play kube is expected to set a seccomp label if it's applied as an annotation
+ jsonFile, err := podmanTest.CreateSeccompJson(seccompPwdEPERM)
+ if err != nil {
+ fmt.Println(err)
+ Skip("Failed to prepare seccomp.json for test.")
+ }
+
+ ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName
+ ctr := getCtr(withCmd([]string{"pwd"}))
+
+ err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost:"+jsonFile)), kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ logs := podmanTest.Podman([]string{"logs", defaultCtrName})
+ logs.WaitWithDefaultTimeout()
+ Expect(logs.ExitCode()).To(Equal(0))
+ Expect(logs.OutputToString()).To(ContainSubstring("Operation not permitted"))
+ })
+
+ It("podman play kube seccomp pod level", func() {
+ // expect play kube is expected to set a seccomp label if it's applied as an annotation
+ jsonFile, err := podmanTest.CreateSeccompJson(seccompPwdEPERM)
+ if err != nil {
+ fmt.Println(err)
+ Skip("Failed to prepare seccomp.json for test.")
+ }
+
+ ctr := getCtr(withCmd([]string{"pwd"}))
+
+ err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost:"+jsonFile)), kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ logs := podmanTest.Podman([]string{"logs", defaultCtrName})
+ logs.WaitWithDefaultTimeout()
+ Expect(logs.ExitCode()).To(Equal(0))
+ Expect(logs.OutputToString()).To(ContainSubstring("Operation not permitted"))
+ })
})
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 7fc85c9ce..72547ea00 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -160,9 +160,9 @@ var _ = Describe("Podman run", func() {
})
It("podman run seccomp test", func() {
- jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json")
+
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
- err := WriteJsonFile(in, jsonFile)
+ jsonFile, err := podmanTest.CreateSeccompJson(in)
if err != nil {
fmt.Println(err)
Skip("Failed to prepare seccomp.json for test.")