kube: honor pod security context IDs

If the RunAsUser, RunAsGroup, SupplementalGroups settings are not overriden in the container security context, then take the value from the pod security context. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
author: Giuseppe Scrivano <gscrivan@redhat.com> 2022-05-09 16:37:34 +0200
committer: Giuseppe Scrivano <gscrivan@redhat.com> 2022-05-10 09:09:14 +0200
commit: 9e1ee081f8849cbba89fb0f79218812164527251 (patch)
tree: 8d8c161ebce56588faee0f79a04b7da8a84e2f43 /pkg
parent: 82a4b8f01c8061c022e7c9222746865a44f25d64 (diff)
download: podman-9e1ee081f8849cbba89fb0f79218812164527251.tar.gz
podman-9e1ee081f8849cbba89fb0f79218812164527251.tar.bz2
podman-9e1ee081f8849cbba89fb0f79218812164527251.zip
2 files changed, 63 insertions, 39 deletions
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index b3ded7db6..f44b46a6d 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -412,22 +412,23 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 		}
 
 		specgenOpts := kube.CtrSpecGenOptions{
-			Annotations:       annotations,
-			Container:         initCtr,
-			Image:             pulledImage,
-			Volumes:           volumes,
-			PodID:             pod.ID(),
-			PodName:           podName,
-			PodInfraID:        podInfraID,
-			ConfigMaps:        configMaps,
-			SeccompPaths:      seccompPaths,
-			RestartPolicy:     ctrRestartPolicy,
-			NetNSIsHost:       p.NetNS.IsHost(),
-			SecretsManager:    secretsManager,
-			LogDriver:         options.LogDriver,
-			LogOptions:        options.LogOptions,
-			Labels:            labels,
-			InitContainerType: define.AlwaysInitContainer,
+			Annotations:        annotations,
+			ConfigMaps:         configMaps,
+			Container:          initCtr,
+			Image:              pulledImage,
+			InitContainerType:  define.AlwaysInitContainer,
+			Labels:             labels,
+			LogDriver:          options.LogDriver,
+			LogOptions:         options.LogOptions,
+			NetNSIsHost:        p.NetNS.IsHost(),
+			PodID:              pod.ID(),
+			PodInfraID:         podInfraID,
+			PodName:            podName,
+			PodSecurityContext: podYAML.Spec.SecurityContext,
+			RestartPolicy:      ctrRestartPolicy,
+			SeccompPaths:       seccompPaths,
+			SecretsManager:     secretsManager,
+			Volumes:            volumes,
 		}
 		specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
 		if err != nil {
@@ -460,21 +461,22 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 		}
 
 		specgenOpts := kube.CtrSpecGenOptions{
-			Annotations:    annotations,
-			Container:      container,
-			Image:          pulledImage,
-			Volumes:        volumes,
-			PodID:          pod.ID(),
-			PodName:        podName,
-			PodInfraID:     podInfraID,
-			ConfigMaps:     configMaps,
-			SeccompPaths:   seccompPaths,
-			RestartPolicy:  ctrRestartPolicy,
-			NetNSIsHost:    p.NetNS.IsHost(),
-			SecretsManager: secretsManager,
-			LogDriver:      options.LogDriver,
-			LogOptions:     options.LogOptions,
-			Labels:         labels,
+			Annotations:        annotations,
+			ConfigMaps:         configMaps,
+			Container:          container,
+			Image:              pulledImage,
+			Labels:             labels,
+			LogDriver:          options.LogDriver,
+			LogOptions:         options.LogOptions,
+			NetNSIsHost:        p.NetNS.IsHost(),
+			PodID:              pod.ID(),
+			PodInfraID:         podInfraID,
+			PodName:            podName,
+			PodSecurityContext: podYAML.Spec.SecurityContext,
+			RestartPolicy:      ctrRestartPolicy,
+			SeccompPaths:       seccompPaths,
+			SecretsManager:     secretsManager,
+			Volumes:            volumes,
 		}
 		specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
 		if err != nil {
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index c04b94d4e..04195d15a 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -133,6 +133,8 @@ type CtrSpecGenOptions struct {
 	// InitContainerType sets what type the init container is
 	// Note: When playing a kube yaml, the inti container type will be set to "always" only
 	InitContainerType string
+	// PodSecurityContext is the security context specified for the pod
+	PodSecurityContext *v1.PodSecurityContext
 }
 
 func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) {
@@ -188,7 +190,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 
 	s.InitContainerType = opts.InitContainerType
 
-	setupSecurityContext(s, opts.Container.SecurityContext)
+	setupSecurityContext(s, opts.Container.SecurityContext, opts.PodSecurityContext)
 	err := setupLivenessProbe(s, opts.Container, opts.RestartPolicy)
 	if err != nil {
 		return nil, errors.Wrap(err, "Failed to configure livenessProbe")
@@ -531,10 +533,14 @@ func makeHealthCheck(inCmd string, interval int32, retries int32, timeout int32,
 	return &hc, nil
 }
 
-func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext) {
+func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext, podSecurityContext *v1.PodSecurityContext) {
 	if securityContext == nil {
-		return
+		securityContext = &v1.SecurityContext{}
 	}
+	if podSecurityContext == nil {
+		podSecurityContext = &v1.PodSecurityContext{}
+	}
+
 	if securityContext.ReadOnlyRootFilesystem != nil {
 		s.ReadOnlyFilesystem = *securityContext.ReadOnlyRootFilesystem
 	}
@@ -546,7 +552,11 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security
 		s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation
 	}
 
-	if seopt := securityContext.SELinuxOptions; seopt != nil {
+	seopt := securityContext.SELinuxOptions
+	if seopt == nil {
+		seopt = podSecurityContext.SELinuxOptions
+	}
+	if seopt != nil {
 		if seopt.User != "" {
 			s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User))
 		}
@@ -568,14 +578,26 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security
 			s.CapDrop = append(s.CapDrop, string(capability))
 		}
 	}
-	if securityContext.RunAsUser != nil {
-		s.User = fmt.Sprintf("%d", *securityContext.RunAsUser)
+	runAsUser := securityContext.RunAsUser
+	if runAsUser == nil {
+		runAsUser = podSecurityContext.RunAsUser
+	}
+	if runAsUser != nil {
+		s.User = fmt.Sprintf("%d", *runAsUser)
 	}
-	if securityContext.RunAsGroup != nil {
+
+	runAsGroup := securityContext.RunAsGroup
+	if runAsGroup == nil {
+		runAsGroup = podSecurityContext.RunAsGroup
+	}
+	if runAsGroup != nil {
 		if s.User == "" {
 			s.User = "0"
 		}
-		s.User = fmt.Sprintf("%s:%d", s.User, *securityContext.RunAsGroup)
+		s.User = fmt.Sprintf("%s:%d", s.User, *runAsGroup)
+	}
+	for _, group := range podSecurityContext.SupplementalGroups {
+		s.Groups = append(s.Groups, fmt.Sprintf("%d", group))
 	}
 }
author	Giuseppe Scrivano <gscrivan@redhat.com>	2022-05-09 16:37:34 +0200
committer	Giuseppe Scrivano <gscrivan@redhat.com>	2022-05-10 09:09:14 +0200
commit	9e1ee081f8849cbba89fb0f79218812164527251 (patch)
tree	8d8c161ebce56588faee0f79a04b7da8a84e2f43 /pkg
parent	82a4b8f01c8061c022e7c9222746865a44f25d64 (diff)
download	podman-9e1ee081f8849cbba89fb0f79218812164527251.tar.gz podman-9e1ee081f8849cbba89fb0f79218812164527251.tar.bz2 podman-9e1ee081f8849cbba89fb0f79218812164527251.zip