diff options
author | Valentin Rothberg <rothberg@redhat.com> | 2021-02-09 14:12:06 +0100 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2021-02-09 17:40:35 +0100 |
commit | 48c612cf6671c918e8f11e836de8c6172bd73663 (patch) | |
tree | 1906c29e6fd41333170311b5af2c542ee0e16de0 /libpod | |
parent | 9da4169e312bb822a0fbae8e18a0eb7c7eff6e64 (diff) | |
download | podman-48c612cf6671c918e8f11e836de8c6172bd73663.tar.gz podman-48c612cf6671c918e8f11e836de8c6172bd73663.tar.bz2 podman-48c612cf6671c918e8f11e836de8c6172bd73663.zip |
generate kube: support --privileged
Do not play with capabilities for privileged containers where all
capabilities will be set implicitly.
Also, avoid the device check when running privileged since all of /dev/*
will be mounted in any case.
Fixes: #8897
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/kube.go | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/libpod/kube.go b/libpod/kube.go index f9ead027d..6cb7723c9 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -322,7 +322,8 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, *v1.PodDNS return kubeContainer, kubeVolumes, nil, err } - if len(c.config.Spec.Linux.Devices) > 0 { + // NOTE: a privileged container mounts all of /dev/*. + if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 { // TODO Enable when we can support devices and their names kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices) return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices") @@ -625,13 +626,18 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) { // generateKubeSecurityContext generates a securityContext based on the existing container func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) { - priv := c.Privileged() + privileged := c.Privileged() ro := c.IsReadOnly() allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges - newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities) - if err != nil { - return nil, err + var capabilities *v1.Capabilities + if !privileged { + // Running privileged adds all caps. + newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities) + if err != nil { + return nil, err + } + capabilities = newCaps } var selinuxOpts v1.SELinuxOptions @@ -651,8 +657,8 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) { } sc := v1.SecurityContext{ - Capabilities: newCaps, - Privileged: &priv, + Capabilities: capabilities, + Privileged: &privileged, SELinuxOptions: &selinuxOpts, // RunAsNonRoot is an optional parameter; our first implementations should be root only; however // I'm leaving this as a bread-crumb for later |