summaryrefslogtreecommitdiff
path: root/pkg/domain/infra/abi
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2022-05-09 16:37:34 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2022-05-10 09:09:14 +0200
commit9e1ee081f8849cbba89fb0f79218812164527251 (patch)
tree8d8c161ebce56588faee0f79a04b7da8a84e2f43 /pkg/domain/infra/abi
parent82a4b8f01c8061c022e7c9222746865a44f25d64 (diff)
downloadpodman-9e1ee081f8849cbba89fb0f79218812164527251.tar.gz
podman-9e1ee081f8849cbba89fb0f79218812164527251.tar.bz2
podman-9e1ee081f8849cbba89fb0f79218812164527251.zip
kube: honor pod security context IDs
If the RunAsUser, RunAsGroup, SupplementalGroups settings are not overriden in the container security context, then take the value from the pod security context. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/domain/infra/abi')
-rw-r--r--pkg/domain/infra/abi/play.go64
1 files changed, 33 insertions, 31 deletions
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index b3ded7db6..f44b46a6d 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -412,22 +412,23 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
}
specgenOpts := kube.CtrSpecGenOptions{
- Annotations: annotations,
- Container: initCtr,
- Image: pulledImage,
- Volumes: volumes,
- PodID: pod.ID(),
- PodName: podName,
- PodInfraID: podInfraID,
- ConfigMaps: configMaps,
- SeccompPaths: seccompPaths,
- RestartPolicy: ctrRestartPolicy,
- NetNSIsHost: p.NetNS.IsHost(),
- SecretsManager: secretsManager,
- LogDriver: options.LogDriver,
- LogOptions: options.LogOptions,
- Labels: labels,
- InitContainerType: define.AlwaysInitContainer,
+ Annotations: annotations,
+ ConfigMaps: configMaps,
+ Container: initCtr,
+ Image: pulledImage,
+ InitContainerType: define.AlwaysInitContainer,
+ Labels: labels,
+ LogDriver: options.LogDriver,
+ LogOptions: options.LogOptions,
+ NetNSIsHost: p.NetNS.IsHost(),
+ PodID: pod.ID(),
+ PodInfraID: podInfraID,
+ PodName: podName,
+ PodSecurityContext: podYAML.Spec.SecurityContext,
+ RestartPolicy: ctrRestartPolicy,
+ SeccompPaths: seccompPaths,
+ SecretsManager: secretsManager,
+ Volumes: volumes,
}
specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
if err != nil {
@@ -460,21 +461,22 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
}
specgenOpts := kube.CtrSpecGenOptions{
- Annotations: annotations,
- Container: container,
- Image: pulledImage,
- Volumes: volumes,
- PodID: pod.ID(),
- PodName: podName,
- PodInfraID: podInfraID,
- ConfigMaps: configMaps,
- SeccompPaths: seccompPaths,
- RestartPolicy: ctrRestartPolicy,
- NetNSIsHost: p.NetNS.IsHost(),
- SecretsManager: secretsManager,
- LogDriver: options.LogDriver,
- LogOptions: options.LogOptions,
- Labels: labels,
+ Annotations: annotations,
+ ConfigMaps: configMaps,
+ Container: container,
+ Image: pulledImage,
+ Labels: labels,
+ LogDriver: options.LogDriver,
+ LogOptions: options.LogOptions,
+ NetNSIsHost: p.NetNS.IsHost(),
+ PodID: pod.ID(),
+ PodInfraID: podInfraID,
+ PodName: podName,
+ PodSecurityContext: podYAML.Spec.SecurityContext,
+ RestartPolicy: ctrRestartPolicy,
+ SeccompPaths: seccompPaths,
+ SecretsManager: secretsManager,
+ Volumes: volumes,
}
specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
if err != nil {