aboutsummaryrefslogtreecommitdiff
path: root/pkg/specgen/generate/kube/kube.go
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/specgen/generate/kube/kube.go')
-rw-r--r--pkg/specgen/generate/kube/kube.go61
1 files changed, 43 insertions, 18 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index d56b50fd5..e4c149abf 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -120,6 +120,8 @@ type CtrSpecGenOptions struct {
RestartPolicy string
// NetNSIsHost tells the container to use the host netns
NetNSIsHost bool
+ // UserNSIsHost tells the container to use the host userns
+ UserNSIsHost bool
// SecretManager to access the secrets
SecretsManager *secrets.SecretsManager
// LogDriver which should be used for the container
@@ -133,6 +135,8 @@ type CtrSpecGenOptions struct {
// InitContainerType sets what type the init container is
// Note: When playing a kube yaml, the inti container type will be set to "always" only
InitContainerType string
+ // PodSecurityContext is the security context specified for the pod
+ PodSecurityContext *v1.PodSecurityContext
}
func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) {
@@ -188,7 +192,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
s.InitContainerType = opts.InitContainerType
- setupSecurityContext(s, opts.Container)
+ setupSecurityContext(s, opts.Container.SecurityContext, opts.PodSecurityContext)
err := setupLivenessProbe(s, opts.Container, opts.RestartPolicy)
if err != nil {
return nil, errors.Wrap(err, "Failed to configure livenessProbe")
@@ -387,8 +391,9 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
if opts.NetNSIsHost {
s.NetNS.NSMode = specgen.Host
}
- // Always set the userns to host since k8s doesn't have support for userns yet
- s.UserNS.NSMode = specgen.Host
+ if opts.UserNSIsHost {
+ s.UserNS.NSMode = specgen.Host
+ }
// Add labels that come from kube
if len(s.Labels) == 0 {
@@ -531,22 +536,30 @@ func makeHealthCheck(inCmd string, interval int32, retries int32, timeout int32,
return &hc, nil
}
-func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) {
- if containerYAML.SecurityContext == nil {
- return
+func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext, podSecurityContext *v1.PodSecurityContext) {
+ if securityContext == nil {
+ securityContext = &v1.SecurityContext{}
+ }
+ if podSecurityContext == nil {
+ podSecurityContext = &v1.PodSecurityContext{}
}
- if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
- s.ReadOnlyFilesystem = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
+
+ if securityContext.ReadOnlyRootFilesystem != nil {
+ s.ReadOnlyFilesystem = *securityContext.ReadOnlyRootFilesystem
}
- if containerYAML.SecurityContext.Privileged != nil {
- s.Privileged = *containerYAML.SecurityContext.Privileged
+ if securityContext.Privileged != nil {
+ s.Privileged = *securityContext.Privileged
}
- if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
- s.NoNewPrivileges = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
+ if securityContext.AllowPrivilegeEscalation != nil {
+ s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation
}
- if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
+ seopt := securityContext.SELinuxOptions
+ if seopt == nil {
+ seopt = podSecurityContext.SELinuxOptions
+ }
+ if seopt != nil {
if seopt.User != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User))
}
@@ -560,7 +573,7 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level))
}
}
- if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
+ if caps := securityContext.Capabilities; caps != nil {
for _, capability := range caps.Add {
s.CapAdd = append(s.CapAdd, string(capability))
}
@@ -568,14 +581,26 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
s.CapDrop = append(s.CapDrop, string(capability))
}
}
- if containerYAML.SecurityContext.RunAsUser != nil {
- s.User = fmt.Sprintf("%d", *containerYAML.SecurityContext.RunAsUser)
+ runAsUser := securityContext.RunAsUser
+ if runAsUser == nil {
+ runAsUser = podSecurityContext.RunAsUser
}
- if containerYAML.SecurityContext.RunAsGroup != nil {
+ if runAsUser != nil {
+ s.User = fmt.Sprintf("%d", *runAsUser)
+ }
+
+ runAsGroup := securityContext.RunAsGroup
+ if runAsGroup == nil {
+ runAsGroup = podSecurityContext.RunAsGroup
+ }
+ if runAsGroup != nil {
if s.User == "" {
s.User = "0"
}
- s.User = fmt.Sprintf("%s:%d", s.User, *containerYAML.SecurityContext.RunAsGroup)
+ s.User = fmt.Sprintf("%s:%d", s.User, *runAsGroup)
+ }
+ for _, group := range podSecurityContext.SupplementalGroups {
+ s.Groups = append(s.Groups, fmt.Sprintf("%d", group))
}
}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-10-04 11:25:20 +0000