diff options
author | Qi Wang <qiwan@redhat.com> | 2020-02-21 17:59:56 -0500 |
---|---|---|
committer | Qi Wang <qiwan@redhat.com> | 2020-03-03 11:21:14 -0500 |
commit | 17bab33bd2b8719c84e5ede1bd21b435ebeedf0e (patch) | |
tree | a24a41a66c393cb66f2f6c708f18937fa4fe5a17 /libpod | |
parent | 47c4ea39196cedac87e7a4e4c1ead54ed9d7ed50 (diff) | |
download | podman-17bab33bd2b8719c84e5ede1bd21b435ebeedf0e.tar.gz podman-17bab33bd2b8719c84e5ede1bd21b435ebeedf0e.tar.bz2 podman-17bab33bd2b8719c84e5ede1bd21b435ebeedf0e.zip |
fix security-opt generate kube
fix #4950
add selinux options from --security-opt of the container to generate kube result
Signed-off-by: Qi Wang <qiwan@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/kube.go | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/libpod/kube.go b/libpod/kube.go index 7a5ab670d..5511d303d 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -468,11 +468,26 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) { return nil, err } + var selinuxOpts v1.SELinuxOptions + opts := strings.SplitN(c.config.Spec.Annotations[InspectAnnotationLabel], ":", 2) + if len(opts) == 2 { + switch opts[0] { + case "type": + selinuxOpts.Type = opts[1] + case "level": + selinuxOpts.Level = opts[1] + } + } + if len(opts) == 1 { + if opts[0] == "disable" { + selinuxOpts.Type = "spc_t" + } + } + sc := v1.SecurityContext{ - Capabilities: newCaps, - Privileged: &priv, - // TODO How do we know if selinux were passed into podman - //SELinuxOptions: + Capabilities: newCaps, + Privileged: &priv, + SELinuxOptions: &selinuxOpts, // RunAsNonRoot is an optional parameter; our first implementations should be root only; however // I'm leaving this as a bread-crumb for later //RunAsNonRoot: &nonRoot, |