From 9e1ee081f8849cbba89fb0f79218812164527251 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 9 May 2022 16:37:34 +0200 Subject: kube: honor pod security context IDs If the RunAsUser, RunAsGroup, SupplementalGroups settings are not overriden in the container security context, then take the value from the pod security context. Signed-off-by: Giuseppe Scrivano --- pkg/domain/infra/abi/play.go | 64 ++++++++++++++++++++------------------- pkg/specgen/generate/kube/kube.go | 38 ++++++++++++++++++----- 2 files changed, 63 insertions(+), 39 deletions(-) (limited to 'pkg') diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index b3ded7db6..f44b46a6d 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -412,22 +412,23 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY } specgenOpts := kube.CtrSpecGenOptions{ - Annotations: annotations, - Container: initCtr, - Image: pulledImage, - Volumes: volumes, - PodID: pod.ID(), - PodName: podName, - PodInfraID: podInfraID, - ConfigMaps: configMaps, - SeccompPaths: seccompPaths, - RestartPolicy: ctrRestartPolicy, - NetNSIsHost: p.NetNS.IsHost(), - SecretsManager: secretsManager, - LogDriver: options.LogDriver, - LogOptions: options.LogOptions, - Labels: labels, - InitContainerType: define.AlwaysInitContainer, + Annotations: annotations, + ConfigMaps: configMaps, + Container: initCtr, + Image: pulledImage, + InitContainerType: define.AlwaysInitContainer, + Labels: labels, + LogDriver: options.LogDriver, + LogOptions: options.LogOptions, + NetNSIsHost: p.NetNS.IsHost(), + PodID: pod.ID(), + PodInfraID: podInfraID, + PodName: podName, + PodSecurityContext: podYAML.Spec.SecurityContext, + RestartPolicy: ctrRestartPolicy, + SeccompPaths: seccompPaths, + SecretsManager: secretsManager, + Volumes: volumes, } specGen, err := kube.ToSpecGen(ctx, &specgenOpts) if err != nil { @@ -460,21 +461,22 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY } specgenOpts := kube.CtrSpecGenOptions{ - Annotations: annotations, - Container: container, - Image: pulledImage, - Volumes: volumes, - PodID: pod.ID(), - PodName: podName, - PodInfraID: podInfraID, - ConfigMaps: configMaps, - SeccompPaths: seccompPaths, - RestartPolicy: ctrRestartPolicy, - NetNSIsHost: p.NetNS.IsHost(), - SecretsManager: secretsManager, - LogDriver: options.LogDriver, - LogOptions: options.LogOptions, - Labels: labels, + Annotations: annotations, + ConfigMaps: configMaps, + Container: container, + Image: pulledImage, + Labels: labels, + LogDriver: options.LogDriver, + LogOptions: options.LogOptions, + NetNSIsHost: p.NetNS.IsHost(), + PodID: pod.ID(), + PodInfraID: podInfraID, + PodName: podName, + PodSecurityContext: podYAML.Spec.SecurityContext, + RestartPolicy: ctrRestartPolicy, + SeccompPaths: seccompPaths, + SecretsManager: secretsManager, + Volumes: volumes, } specGen, err := kube.ToSpecGen(ctx, &specgenOpts) if err != nil { diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index c04b94d4e..04195d15a 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -133,6 +133,8 @@ type CtrSpecGenOptions struct { // InitContainerType sets what type the init container is // Note: When playing a kube yaml, the inti container type will be set to "always" only InitContainerType string + // PodSecurityContext is the security context specified for the pod + PodSecurityContext *v1.PodSecurityContext } func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) { @@ -188,7 +190,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener s.InitContainerType = opts.InitContainerType - setupSecurityContext(s, opts.Container.SecurityContext) + setupSecurityContext(s, opts.Container.SecurityContext, opts.PodSecurityContext) err := setupLivenessProbe(s, opts.Container, opts.RestartPolicy) if err != nil { return nil, errors.Wrap(err, "Failed to configure livenessProbe") @@ -531,10 +533,14 @@ func makeHealthCheck(inCmd string, interval int32, retries int32, timeout int32, return &hc, nil } -func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext) { +func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext, podSecurityContext *v1.PodSecurityContext) { if securityContext == nil { - return + securityContext = &v1.SecurityContext{} } + if podSecurityContext == nil { + podSecurityContext = &v1.PodSecurityContext{} + } + if securityContext.ReadOnlyRootFilesystem != nil { s.ReadOnlyFilesystem = *securityContext.ReadOnlyRootFilesystem } @@ -546,7 +552,11 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation } - if seopt := securityContext.SELinuxOptions; seopt != nil { + seopt := securityContext.SELinuxOptions + if seopt == nil { + seopt = podSecurityContext.SELinuxOptions + } + if seopt != nil { if seopt.User != "" { s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User)) } @@ -568,14 +578,26 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security s.CapDrop = append(s.CapDrop, string(capability)) } } - if securityContext.RunAsUser != nil { - s.User = fmt.Sprintf("%d", *securityContext.RunAsUser) + runAsUser := securityContext.RunAsUser + if runAsUser == nil { + runAsUser = podSecurityContext.RunAsUser + } + if runAsUser != nil { + s.User = fmt.Sprintf("%d", *runAsUser) } - if securityContext.RunAsGroup != nil { + + runAsGroup := securityContext.RunAsGroup + if runAsGroup == nil { + runAsGroup = podSecurityContext.RunAsGroup + } + if runAsGroup != nil { if s.User == "" { s.User = "0" } - s.User = fmt.Sprintf("%s:%d", s.User, *securityContext.RunAsGroup) + s.User = fmt.Sprintf("%s:%d", s.User, *runAsGroup) + } + for _, group := range podSecurityContext.SupplementalGroups { + s.Groups = append(s.Groups, fmt.Sprintf("%d", group)) } } -- cgit v1.2.3-54-g00ecf