Merge pull request #14167 from giuseppe/play-kube-honor-pod-security-context

kube: honor pod security context IDs
author: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> 2022-05-10 10:04:08 -0400
committer: GitHub <noreply@github.com> 2022-05-10 10:04:08 -0400
commit: 23826c5063fcfc3cc1b8706d0d7dd2f532789254 (patch)
tree: 9438cd36ed20a00a08b631f20ad248b8d55be4a5 /pkg/specgen
parent: 28588235d2051bf673d528c293261f926fad0d92 (diff)
parent: 9e1ee081f8849cbba89fb0f79218812164527251 (diff)
download: podman-23826c5063fcfc3cc1b8706d0d7dd2f532789254.tar.gz
podman-23826c5063fcfc3cc1b8706d0d7dd2f532789254.tar.bz2
podman-23826c5063fcfc3cc1b8706d0d7dd2f532789254.zip
1 files changed, 38 insertions, 16 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index d56b50fd5..04195d15a 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -133,6 +133,8 @@ type CtrSpecGenOptions struct {
 	// InitContainerType sets what type the init container is
 	// Note: When playing a kube yaml, the inti container type will be set to "always" only
 	InitContainerType string
+	// PodSecurityContext is the security context specified for the pod
+	PodSecurityContext *v1.PodSecurityContext
 }
 
 func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) {
@@ -188,7 +190,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 
 	s.InitContainerType = opts.InitContainerType
 
-	setupSecurityContext(s, opts.Container)
+	setupSecurityContext(s, opts.Container.SecurityContext, opts.PodSecurityContext)
 	err := setupLivenessProbe(s, opts.Container, opts.RestartPolicy)
 	if err != nil {
 		return nil, errors.Wrap(err, "Failed to configure livenessProbe")
@@ -531,22 +533,30 @@ func makeHealthCheck(inCmd string, interval int32, retries int32, timeout int32,
 	return &hc, nil
 }
 
-func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) {
-	if containerYAML.SecurityContext == nil {
-		return
+func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext, podSecurityContext *v1.PodSecurityContext) {
+	if securityContext == nil {
+		securityContext = &v1.SecurityContext{}
 	}
-	if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
-		s.ReadOnlyFilesystem = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
+	if podSecurityContext == nil {
+		podSecurityContext = &v1.PodSecurityContext{}
 	}
-	if containerYAML.SecurityContext.Privileged != nil {
-		s.Privileged = *containerYAML.SecurityContext.Privileged
+
+	if securityContext.ReadOnlyRootFilesystem != nil {
+		s.ReadOnlyFilesystem = *securityContext.ReadOnlyRootFilesystem
+	}
+	if securityContext.Privileged != nil {
+		s.Privileged = *securityContext.Privileged
 	}
 
-	if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
-		s.NoNewPrivileges = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
+	if securityContext.AllowPrivilegeEscalation != nil {
+		s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation
 	}
 
-	if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
+	seopt := securityContext.SELinuxOptions
+	if seopt == nil {
+		seopt = podSecurityContext.SELinuxOptions
+	}
+	if seopt != nil {
 		if seopt.User != "" {
 			s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User))
 		}
@@ -560,7 +570,7 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
 			s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level))
 		}
 	}
-	if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
+	if caps := securityContext.Capabilities; caps != nil {
 		for _, capability := range caps.Add {
 			s.CapAdd = append(s.CapAdd, string(capability))
 		}
@@ -568,14 +578,26 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
 			s.CapDrop = append(s.CapDrop, string(capability))
 		}
 	}
-	if containerYAML.SecurityContext.RunAsUser != nil {
-		s.User = fmt.Sprintf("%d", *containerYAML.SecurityContext.RunAsUser)
+	runAsUser := securityContext.RunAsUser
+	if runAsUser == nil {
+		runAsUser = podSecurityContext.RunAsUser
+	}
+	if runAsUser != nil {
+		s.User = fmt.Sprintf("%d", *runAsUser)
 	}
-	if containerYAML.SecurityContext.RunAsGroup != nil {
+
+	runAsGroup := securityContext.RunAsGroup
+	if runAsGroup == nil {
+		runAsGroup = podSecurityContext.RunAsGroup
+	}
+	if runAsGroup != nil {
 		if s.User == "" {
 			s.User = "0"
 		}
-		s.User = fmt.Sprintf("%s:%d", s.User, *containerYAML.SecurityContext.RunAsGroup)
+		s.User = fmt.Sprintf("%s:%d", s.User, *runAsGroup)
+	}
+	for _, group := range podSecurityContext.SupplementalGroups {
+		s.Groups = append(s.Groups, fmt.Sprintf("%d", group))
 	}
 }
author	OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>	2022-05-10 10:04:08 -0400
committer	GitHub <noreply@github.com>	2022-05-10 10:04:08 -0400
commit	23826c5063fcfc3cc1b8706d0d7dd2f532789254 (patch)
tree	9438cd36ed20a00a08b631f20ad248b8d55be4a5 /pkg/specgen
parent	28588235d2051bf673d528c293261f926fad0d92 (diff)
parent	9e1ee081f8849cbba89fb0f79218812164527251 (diff)
download	podman-23826c5063fcfc3cc1b8706d0d7dd2f532789254.tar.gz podman-23826c5063fcfc3cc1b8706d0d7dd2f532789254.tar.bz2 podman-23826c5063fcfc3cc1b8706d0d7dd2f532789254.zip