github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Add RunAsUserName functionality for the Windows Pod Sandbox Container

Browse Source 
There was recent changes to cri to bring in a Windows section containing a
security context object to the pod config. Before this there was no way to specify
a user for the pod sandbox container to run as. In addition, the security context
is a field for field mirror of the Windows container version of it, so add the
ability to specify a GMSA credential spec for the pod sandbox container as well.

Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This commit is contained in:
Daniel Canter 2021-08-12 14:07:39 -07:00
parent f43f22966d
commit 25644b4614
2 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/cri/server/sandbox_run_windows.go
View File

@ -56,6 +56,25 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
specOpts = append(specOpts, customopts.WithWindowsDefaultSandboxShares) specOpts = append(specOpts, customopts.WithWindowsDefaultSandboxShares)
// Start with the image config user and override below if RunAsUsername is not "".
username := imageConfig.User
runAsUser := config.GetWindows().GetSecurityContext().GetRunAsUsername()
if runAsUser != "" {
username = runAsUser
}
cs := config.GetWindows().GetSecurityContext().GetCredentialSpec()
if cs != "" {
specOpts = append(specOpts, customopts.WithWindowsCredentialSpec(cs))
}
// There really isn't a good Windows way to verify that the username is available in the
// image as early as here like there is for Linux. Later on in the stack hcsshim
// will handle the behavior of erroring out if the user isn't available in the image
// when trying to run the init process.
specOpts = append(specOpts, oci.WithUser(username))
for pKey, pValue := range getPassthroughAnnotations(config.Annotations, for pKey, pValue := range getPassthroughAnnotations(config.Annotations,
runtimePodAnnotations) { runtimePodAnnotations) {
specOpts = append(specOpts, customopts.WithAnnotation(pKey, pValue)) specOpts = append(specOpts, customopts.WithAnnotation(pKey, pValue))

8
pkg/cri/server/sandbox_run_windows_test.go
View File

@ -53,6 +53,7 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
Entrypoint: []string{"/pause"}, Entrypoint: []string{"/pause"},
Cmd: []string{"forever"}, Cmd: []string{"forever"},
WorkingDir: "/workspace", WorkingDir: "/workspace",
User: "test-image-user",
} }
specCheck := func(t *testing.T, id string, spec *runtimespec.Spec) { specCheck := func(t *testing.T, id string, spec *runtimespec.Spec) {
assert.Equal(t, "test-hostname", spec.Hostname) assert.Equal(t, "test-hostname", spec.Hostname)
@ -62,6 +63,13 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
assert.Equal(t, "/workspace", spec.Process.Cwd) assert.Equal(t, "/workspace", spec.Process.Cwd)
assert.EqualValues(t, *spec.Windows.Resources.CPU.Shares, opts.DefaultSandboxCPUshares) assert.EqualValues(t, *spec.Windows.Resources.CPU.Shares, opts.DefaultSandboxCPUshares)
// Also checks if override of the image configs user is behaving.
t.Logf("Check username")
assert.Contains(t, spec.Process.User.Username, "test-user")
t.Logf("Check credential spec")
assert.Contains(t, spec.Windows.CredentialSpec, "{\"test\": \"spec\"}")
t.Logf("Check PodSandbox annotations") t.Logf("Check PodSandbox annotations")
assert.Contains(t, spec.Annotations, annotations.SandboxID) assert.Contains(t, spec.Annotations, annotations.SandboxID)
assert.EqualValues(t, spec.Annotations[annotations.SandboxID], id) assert.EqualValues(t, spec.Annotations[annotations.SandboxID], id)