From 9259693826fadc773dc3f420e5c9e5d5481548e3 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Fri, 6 Sep 2019 08:41:02 -0400
Subject: play kube: fix segfault when securityContext wasn't specified in yaml. add a test as well
Signed-off-by: Peter Hunt
---
 pkg/adapter/pods.go | 34 ++++++++++++++++++----------------
 test/e2e/play_kube_test.go | 46 ++++++++++++++++++++++++++++++++++------------
 2 files changed, 52 insertions(+), 28 deletions(-)
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index ded805de2..70293a2c5 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -683,25 +683,27 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 containerConfig.User = imageData.Config.User
 }
- if containerConfig.SecurityOpts != nil {
- if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
- containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
- }
- if containerYAML.SecurityContext.Privileged != nil {
- containerConfig.Privileged = *containerYAML.SecurityContext.Privileged
- }
+ if containerYAML.SecurityContext != nil {
+ if containerConfig.SecurityOpts != nil {
+ if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
+ containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
+ }
+ if containerYAML.SecurityContext.Privileged != nil {
+ containerConfig.Privileged = *containerYAML.SecurityContext.Privileged
+ }
- if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
- containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
- }
+ if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
+ containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
+ }
- }
- if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
- for _, capability := range caps.Add {
- containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
 }
- for _, capability := range caps.Drop {
- containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
+ if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
+ for _, capability := range caps.Add {
+ containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
+ }
+ for _, capability := range caps.Drop {
+ containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
+ }
 }
 }
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index af3cab379..5d59f0eb0 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
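Review bot: The nil check removes the dereference, but on the new side the three SecurityContext fields are still applied only inside `if containerConfig.SecurityOpts != nil`, a gate the hunk moves unchanged and that has nothing to do with those fields, while the Capabilities block right below is applied unconditionally. Unless the caller (outside the hunk) always populates SecurityOpts, a manifest asking for `readOnlyRootFilesystem: true` or `allowPrivilegeEscalation: false` is silently ignored and the container runs less restricted than the spec requested, which is the kind of failure that does not surface in any test. I would drop that inner condition so the block reads `if containerYAML.SecurityContext != nil { if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil { … } … }`, or else record in a comment why a nil SecurityOpts should suppress them. A comment on the new outer if, `// securityContext is optional in the pod spec; everything below depends on it`, would also help the next reader. kubeContainerToCreateConfig starts and ends outside the hunk.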
@@ -40,6 +40,7 @@ spec:
 image: {{ .Image }}
 name: {{ .Name }}
 resources: {}
+ {{ if .SecurityContext }}
 securityContext:
 allowPrivilegeEscalation: true
 {{ if .Caps }}
@@ -60,6 +61,7 @@ spec:
 privileged: false
 readOnlyRootFilesystem: false
 workingDir: /
+ {{ end }}
 {{ end }}
 {{ end }}
 status: {}
@@ -72,12 +74,13 @@ type Pod struct {
 }
 type Container struct {
- Cmd []string
- Image string
- Name string
- Caps bool
- CapAdd []string
- CapDrop []string
+ Cmd []string
+ Image string
+ Name string
+ SecurityContext bool
+ Caps bool
+ CapAdd []string
+ CapDrop []string
 }
 func generateKubeYaml(name string, hostname string, ctrs []Container, fileName string) error {
@@ -126,7 +129,7 @@ var _ = Describe("Podman generate kube", func() {
 It("podman play kube test correct command", func() {
 ctrName := "testCtr"
 ctrCmd := []string{"top"}
- testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
 tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
 err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@@ -145,7 +148,7 @@ var _ = Describe("Podman generate kube", func() {
 It("podman play kube test correct output", func() {
 ctrName := "testCtr"
 ctrCmd := []string{"echo", "hello"}
- testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
 tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
 err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@@ -170,7 +173,7 @@ var _ = Describe("Podman generate kube", func() {
 podName := "test"
 ctrName := "testCtr"
 ctrCmd := []string{"top"}
- testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
 tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
 err := generateKubeYaml(podName, "", []Container{testContainer}, tempFile)
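Review bot: The new `{{ end }}` in the second hunk is placed after `workingDir: /`, so when `.SecurityContext` is false the template drops workingDir together with the securityContext block. If workingDir is a sibling container field rather than part of securityContext (the collapsed indentation does not show which), the guard closes one line too late and the new no-security-context case also tests a container without a working directory, which is not what its comment says it exercises. Moving the single line `{{ end }}` to directly above `workingDir: /` would be the whole fix. The enclosing raw-string template starts before the first hunk and ends after the second.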
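Review bot: Inserting `SecurityContext bool` in the middle of `Container` forces every positional literal to change, which is what the following hunks of this file do (here at -126, -145 and -170, and again at -190, -210, -230 and in the new test at -245), and a bare `true, false` pair gives the reader no hint which value is SecurityContext and which is Caps. Keyed fields, e.g. `testContainer := Container{Cmd: ctrCmd, Image: ALPINE, Name: ctrName, SecurityContext: true}`, let the false/nil defaults go unstated and survive further field additions without touching every test. A comment on the new field, `// SecurityContext controls whether the securityContext block is emitted at all; Caps only fills its capabilities`, would also document how it differs from Caps.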
@@ -190,7 +193,7 @@ var _ = Describe("Podman generate kube", func() {
 hostname := "myhostname"
 ctrName := "testCtr"
 ctrCmd := []string{"top"}
- testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
 tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
 err := generateKubeYaml("test", hostname, []Container{testContainer}, tempFile)
@@ -210,7 +213,7 @@ var _ = Describe("Podman generate kube", func() {
 ctrName := "testCtr"
 ctrCmd := []string{"cat", "/proc/self/status"}
 capAdd := "CAP_SYS_ADMIN"
- testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capAdd}, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, true, []string{capAdd}, nil}
 tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
 err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@@ -230,7 +233,7 @@ var _ = Describe("Podman generate kube", func() {
 ctrName := "testCtr"
 ctrCmd := []string{"cat", "/proc/self/status"}
 capDrop := "CAP_SYS_ADMIN"
- testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capDrop}, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, true, []string{capDrop}, nil}
 tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
 err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@@ -245,4 +248,23 @@ var _ = Describe("Podman generate kube", func() {
 Expect(inspect.ExitCode()).To(Equal(0))
 Expect(inspect.OutputToString()).To(ContainSubstring(capDrop))
 })
+
+ It("podman play kube no security context", func() {
+ // expect play kube to not fail if no security context is specified
+ ctrName := "testCtr"
+ ctrCmd := "ls"
+ testContainer := Container{[]string{ctrCmd}, ALPINE, ctrName, false, false, nil, nil}
+ tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+ err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", tempFile})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", ctrName})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+ })
 })
-- 
cgit v1.2.3-54-g00ecf
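Review bot: The new test declares `ctrCmd := "ls"` and wraps it as `[]string{ctrCmd}` at the literal, where every sibling test declares `ctrCmd := []string{...}` and passes it straight through; `ctrCmd := []string{"ls"}` keeps the cases uniform. The assertions check only that play kube and inspect exit 0, which is what the segfault fix needs, but the test's value rests on the generated YAML really lacking a securityContext, so reading back tempFile and asserting its contents do not contain `securityContext` would stop a later template change from turning this into a vacuous pass. The `Describe(...)` closure this test is added to opens outside the hunk and closes on the hunk's last line.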