authorQi Wang <qiwan@redhat.com>2020-02-21 17:59:56 -0500
committerQi Wang <qiwan@redhat.com>2020-03-03 11:21:14 -0500
commit17bab33bd2b8719c84e5ede1bd21b435ebeedf0e (patch)
treea24a41a66c393cb66f2f6c708f18937fa4fe5a17 /libpod
parent47c4ea39196cedac87e7a4e4c1ead54ed9d7ed50 (diff)
fix security-opt generate kube
fix #4950: add the SELinux options from the container's --security-opt to the generate kube result

Signed-off-by: Qi Wang <qiwan@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/kube.go23
1 files changed, 19 insertions, 4 deletions
diff --git a/libpod/kube.go b/libpod/kube.go
index 7a5ab670d..5511d303d 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -468,11 +468,26 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
return nil, err
}
+ var selinuxOpts v1.SELinuxOptions
+ opts := strings.SplitN(c.config.Spec.Annotations[InspectAnnotationLabel], ":", 2)
+ if len(opts) == 2 {
+ switch opts[0] {
+ case "type":
+ selinuxOpts.Type = opts[1]
+ case "level":
+ selinuxOpts.Level = opts[1]
+ }
+ }
+ if len(opts) == 1 {
+ if opts[0] == "disable" {
+ selinuxOpts.Type = "spc_t"
+ }
+ }
+
sc := v1.SecurityContext{
- Capabilities: newCaps,
- Privileged: &priv,
- // TODO How do we know if selinux were passed into podman
- //SELinuxOptions:
+ Capabilities: newCaps,
+ Privileged: &priv,
+ SELinuxOptions: &selinuxOpts,
// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
// I'm leaving this as a bread-crumb for later
//RunAsNonRoot: &nonRoot,
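Review bot: `SELinuxOptions: &selinuxOpts` is set unconditionally, so a container with no label annotation still gets an empty `seLinuxOptions` block in the generated pod spec; leaving the field nil unless something was parsed keeps the output faithful to the container, e.g. `if selinuxOpts != (v1.SELinuxOptions{}) { sc.SELinuxOptions = &selinuxOpts }` after the literal. The `strings.SplitN(..., ":", 2)` parse handles exactly one `key:value` pair: if the annotation can carry several options (its format is not visible in this hunk), everything after the first colon lands in `Type` or `Level`, and `user`/`role` keys are dropped without any error or log line. The `disable` to `spc_t` mapping deserves a comment such as `// label=disable: emit spc_t, which leaves the container unconfined by SELinux policy`, because the generated manifest carries that reduced confinement to whichever cluster applies it. generateKubeSecurityContext starts and ends outside the hunk.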