diff options
author | baude <bbaude@redhat.com> | 2018-03-23 09:00:42 -0500 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-03-27 21:55:33 +0000 |
commit | 9aba605ddecc84e070a55019bb34109c5d5fd9b6 (patch) | |
tree | 5e7f39a3c293602e13871ce5ebfd4e2c4f146ca1 /vendor/k8s.io/kubernetes/pkg/security | |
parent | af64e10400f8533a0c48ecdf5ab9b7fbf329e14e (diff) | |
download | podman-9aba605ddecc84e070a55019bb34109c5d5fd9b6.tar.gz podman-9aba605ddecc84e070a55019bb34109c5d5fd9b6.tar.bz2 podman-9aba605ddecc84e070a55019bb34109c5d5fd9b6.zip |
Remove dependency on kubernetes
podman parse and attach were using a very small portion of the kubernetes code
but using it caused a signficant increase in binary size.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #559
Approved by: rhatdan
Diffstat (limited to 'vendor/k8s.io/kubernetes/pkg/security')
3 files changed, 0 insertions, 333 deletions
diff --git a/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go b/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go deleted file mode 100644 index 5352f1332..000000000 --- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go +++ /dev/null @@ -1,80 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package apparmor - -import ( - "strings" - - "k8s.io/api/core/v1" -) - -// TODO: Move these values into the API package. -const ( - // The prefix to an annotation key specifying a container profile. - ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/" - // The annotation key specifying the default AppArmor profile. - DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName" - // The annotation key specifying the allowed AppArmor profiles. - AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames" - - // The profile specifying the runtime default. - ProfileRuntimeDefault = "runtime/default" - // The prefix for specifying profiles loaded on the node. - ProfileNamePrefix = "localhost/" - - // Unconfined profile - ProfileNameUnconfined = "unconfined" -) - -// Checks whether app armor is required for pod to be run. -func isRequired(pod *v1.Pod) bool { - for key, value := range pod.Annotations { - if strings.HasPrefix(key, ContainerAnnotationKeyPrefix) { - return value != ProfileNameUnconfined - } - } - return false -} - -// Returns the name of the profile to use with the container. -func GetProfileName(pod *v1.Pod, containerName string) string { - return GetProfileNameFromPodAnnotations(pod.Annotations, containerName) -} - -// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from -// pod annotations -func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string { - return annotations[ContainerAnnotationKeyPrefix+containerName] -} - -// Sets the name of the profile to use with the container. -func SetProfileName(pod *v1.Pod, containerName, profileName string) error { - if pod.Annotations == nil { - pod.Annotations = map[string]string{} - } - pod.Annotations[ContainerAnnotationKeyPrefix+containerName] = profileName - return nil -} - -// Sets the name of the profile to use with the container. -func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error { - if annotations == nil { - return nil - } - annotations[ContainerAnnotationKeyPrefix+containerName] = profileName - return nil -} diff --git a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go b/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go deleted file mode 100644 index 740698f20..000000000 --- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go +++ /dev/null @@ -1,229 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package apparmor - -import ( - "bufio" - "errors" - "fmt" - "io/ioutil" - "os" - "path" - "strings" - - "k8s.io/api/core/v1" - utilfeature "k8s.io/apiserver/pkg/util/feature" - "k8s.io/kubernetes/pkg/features" - kubetypes "k8s.io/kubernetes/pkg/kubelet/types" - utilfile "k8s.io/kubernetes/pkg/util/file" -) - -// Whether AppArmor should be disabled by default. -// Set to true if the wrong build tags are set (see validate_disabled.go). -var isDisabledBuild bool - -// Interface for validating that a pod with with an AppArmor profile can be run by a Node. -type Validator interface { - Validate(pod *v1.Pod) error - ValidateHost() error -} - -func NewValidator(runtime string) Validator { - if err := validateHost(runtime); err != nil { - return &validator{validateHostErr: err} - } - appArmorFS, err := getAppArmorFS() - if err != nil { - return &validator{ - validateHostErr: fmt.Errorf("error finding AppArmor FS: %v", err), - } - } - return &validator{ - appArmorFS: appArmorFS, - } -} - -type validator struct { - validateHostErr error - appArmorFS string -} - -func (v *validator) Validate(pod *v1.Pod) error { - if !isRequired(pod) { - return nil - } - - if v.ValidateHost() != nil { - return v.validateHostErr - } - - loadedProfiles, err := v.getLoadedProfiles() - if err != nil { - return fmt.Errorf("could not read loaded profiles: %v", err) - } - - for _, container := range pod.Spec.InitContainers { - if err := validateProfile(GetProfileName(pod, container.Name), loadedProfiles); err != nil { - return err - } - } - for _, container := range pod.Spec.Containers { - if err := validateProfile(GetProfileName(pod, container.Name), loadedProfiles); err != nil { - return err - } - } - - return nil -} - -func (v *validator) ValidateHost() error { - return v.validateHostErr -} - -// Verify that the host and runtime is capable of enforcing AppArmor profiles. -func validateHost(runtime string) error { - // Check feature-gates - if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) { - return errors.New("AppArmor disabled by feature-gate") - } - - // Check build support. - if isDisabledBuild { - return errors.New("Binary not compiled for linux") - } - - // Check kernel support. - if !IsAppArmorEnabled() { - return errors.New("AppArmor is not enabled on the host") - } - - // Check runtime support. Currently only Docker is supported. - if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime { - return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime) - } - - return nil -} - -// Verify that the profile is valid and loaded. -func validateProfile(profile string, loadedProfiles map[string]bool) error { - if err := ValidateProfileFormat(profile); err != nil { - return err - } - - if strings.HasPrefix(profile, ProfileNamePrefix) { - profileName := strings.TrimPrefix(profile, ProfileNamePrefix) - if !loadedProfiles[profileName] { - return fmt.Errorf("profile %q is not loaded", profileName) - } - } - - return nil -} - -func ValidateProfileFormat(profile string) error { - if profile == "" || profile == ProfileRuntimeDefault || profile == ProfileNameUnconfined { - return nil - } - if !strings.HasPrefix(profile, ProfileNamePrefix) { - return fmt.Errorf("invalid AppArmor profile name: %q", profile) - } - return nil -} - -func (v *validator) getLoadedProfiles() (map[string]bool, error) { - profilesPath := path.Join(v.appArmorFS, "profiles") - profilesFile, err := os.Open(profilesPath) - if err != nil { - return nil, fmt.Errorf("failed to open %s: %v", profilesPath, err) - } - defer profilesFile.Close() - - profiles := map[string]bool{} - scanner := bufio.NewScanner(profilesFile) - for scanner.Scan() { - profileName := parseProfileName(scanner.Text()) - if profileName == "" { - // Unknown line format; skip it. - continue - } - profiles[profileName] = true - } - return profiles, nil -} - -// The profiles file is formatted with one profile per line, matching a form: -// namespace://profile-name (mode) -// profile-name (mode) -// Where mode is {enforce, complain, kill}. The "namespace://" is only included for namespaced -// profiles. For the purposes of Kubernetes, we consider the namespace part of the profile name. -func parseProfileName(profileLine string) string { - modeIndex := strings.IndexRune(profileLine, '(') - if modeIndex < 0 { - return "" - } - return strings.TrimSpace(profileLine[:modeIndex]) -} - -func getAppArmorFS() (string, error) { - mountsFile, err := os.Open("/proc/mounts") - if err != nil { - return "", fmt.Errorf("could not open /proc/mounts: %v", err) - } - defer mountsFile.Close() - - scanner := bufio.NewScanner(mountsFile) - for scanner.Scan() { - fields := strings.Fields(scanner.Text()) - if len(fields) < 3 { - // Unknown line format; skip it. - continue - } - if fields[2] == "securityfs" { - appArmorFS := path.Join(fields[1], "apparmor") - if ok, err := utilfile.FileExists(appArmorFS); !ok { - msg := fmt.Sprintf("path %s does not exist", appArmorFS) - if err != nil { - return "", fmt.Errorf("%s: %v", msg, err) - } else { - return "", errors.New(msg) - } - } else { - return appArmorFS, nil - } - } - } - if err := scanner.Err(); err != nil { - return "", fmt.Errorf("error scanning mounts: %v", err) - } - - return "", errors.New("securityfs not found") -} - -// IsAppArmorEnabled returns true if apparmor is enabled for the host. -// This function is forked from -// https://github.com/opencontainers/runc/blob/1a81e9ab1f138c091fe5c86d0883f87716088527/libcontainer/apparmor/apparmor.go -// to avoid the libapparmor dependency. -func IsAppArmorEnabled() bool { - if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" { - if _, err = os.Stat("/sbin/apparmor_parser"); err == nil { - buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled") - return err == nil && len(buf) > 1 && buf[0] == 'Y' - } - } - return false -} diff --git a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate_disabled.go b/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate_disabled.go deleted file mode 100644 index 875054a94..000000000 --- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate_disabled.go +++ /dev/null @@ -1,24 +0,0 @@ -// +build !linux - -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package apparmor - -func init() { - // If Kubernetes was not built for linux, apparmor is always disabled. - isDisabledBuild = true -} |