authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-03-09 22:22:29 +0100
committerGitHub <noreply@github.com>2020-03-09 22:22:29 +0100
commit3d48940927b1133e2bfd1c3accba84345cc56ee6 (patch)
treee9d4666d0b4b6a8f1a6449eca6c6d4919d537fe4 /libpod/kube.go
parentb54a5e1f2ff08fe6903411ba471ad9b3badc6acd (diff)
parent17bab33bd2b8719c84e5ede1bd21b435ebeedf0e (diff)
Merge pull request #5307 from QiWang19/security-opt-genkube
fix security-opt generate kube
Diffstat (limited to 'libpod/kube.go')
-rw-r--r--libpod/kube.go23
1 files changed, 19 insertions, 4 deletions
diff --git a/libpod/kube.go b/libpod/kube.go
index 7a5ab670d..5511d303d 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -468,11 +468,26 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
return nil, err
}
+ var selinuxOpts v1.SELinuxOptions
+ opts := strings.SplitN(c.config.Spec.Annotations[InspectAnnotationLabel], ":", 2)
+ if len(opts) == 2 {
+ switch opts[0] {
+ case "type":
+ selinuxOpts.Type = opts[1]
+ case "level":
+ selinuxOpts.Level = opts[1]
+ }
+ }
+ if len(opts) == 1 {
+ if opts[0] == "disable" {
+ selinuxOpts.Type = "spc_t"
+ }
+ }
+
sc := v1.SecurityContext{
- Capabilities: newCaps,
- Privileged: &priv,
- // TODO How do we know if selinux were passed into podman
- //SELinuxOptions:
+ Capabilities: newCaps,
+ Privileged: &priv,
+ SELinuxOptions: &selinuxOpts,
// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
// I'm leaving this as a bread-crumb for later
//RunAsNonRoot: &nonRoot,
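Review bot: `SELinuxOptions: &selinuxOpts` in the `sc` literal is set unconditionally, so a container with no label annotation (or a value that matches neither branch) still gets a non-nil, empty `SELinuxOptions` in the generated security context; dropping the field from the literal and assigning it afterwards with `if selinuxOpts != (v1.SELinuxOptions{}) { sc.SELinuxOptions = &selinuxOpts }` would leave it nil when nothing was parsed. The `switch opts[0]` also handles only `type` and `level`; if the annotation can carry `user:` or `role:` values they are dropped silently, and the generated YAML would then describe a different SELinux context than the container runs with, which `case "user": selinuxOpts.User = opts[1]` and `case "role": selinuxOpts.Role = opts[1]` would cover. The `disable` branch deserves a comment such as `// label=disable: spc_t runs the container without SELinux confinement`, because it turns a podman option into an explicit unconfined type in the pod spec that a reader of the YAML should be able to trace back. generateKubeSecurityContext starts and ends outside the hunk.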