summaryrefslogtreecommitdiff
path: root/pkg/adapter/pods.go
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2019-10-29 17:08:15 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2019-11-05 04:09:01 -0500
commit65ed81993223e96243e0380b34afa40296ea11b3 (patch)
treea0a1ccd29f5f5ed0f1a57e6924c22751995ec18c /pkg/adapter/pods.go
parentcc19b09b44634fe689c2a8b2e9b0102adf47c419 (diff)
downloadpodman-65ed81993223e96243e0380b34afa40296ea11b3.tar.gz
podman-65ed81993223e96243e0380b34afa40296ea11b3.tar.bz2
podman-65ed81993223e96243e0380b34afa40296ea11b3.zip
Set SELinux labels based on the security context in the kube.yaml
If the kube.yaml specifieds the SELinux type or Level, we need the container to be launched with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/adapter/pods.go')
-rw-r--r--pkg/adapter/pods.go18
1 files changed, 18 insertions, 0 deletions
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index d8d5b884f..f6795970b 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -704,6 +704,24 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
}
}
+ if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
+ if seopt.User != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=user:%s", seopt.User))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("user:%s", seopt.User))
+ }
+ if seopt.Role != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=role:%s", seopt.Role))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("role:%s", seopt.Role))
+ }
+ if seopt.Type != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=type:%s", seopt.Type))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("type:%s", seopt.Type))
+ }
+ if seopt.Level != "" {
+ containerConfig.SecurityOpts = append(containerConfig.SecurityOpts, fmt.Sprintf("label=level:%s", seopt.Level))
+ containerConfig.LabelOpts = append(containerConfig.LabelOpts, fmt.Sprintf("level:%s", seopt.Level))
+ }
+ }
if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
for _, capability := range caps.Add {
containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))