Use containerd WithUserID.
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
parent
55d3abdb89
commit
270e09ab26
@ -19,7 +19,6 @@ set -o pipefail
|
|||||||
source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh
|
source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh
|
||||||
|
|
||||||
DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
|
DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
|
||||||
DEFAULT_SKIP+="|runAsUser"
|
|
||||||
DEFAULT_SKIP+="|scheduling\sa\sGuaranteed\sPod"
|
DEFAULT_SKIP+="|scheduling\sa\sGuaranteed\sPod"
|
||||||
DEFAULT_SKIP+="|scheduling\sa\sBurstable\sPod"
|
DEFAULT_SKIP+="|scheduling\sa\sBurstable\sPod"
|
||||||
DEFAULT_SKIP+="|scheduling\sa\sBestEffort\sPod"
|
DEFAULT_SKIP+="|scheduling\sa\sBestEffort\sPod"
|
||||||
|
@ -140,16 +140,18 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
|
|||||||
containerMetadataLabel: string(metaBytes),
|
containerMetadataLabel: string(metaBytes),
|
||||||
}
|
}
|
||||||
|
|
||||||
specOpts := containerd.WithSpec(spec)
|
var specOpts []containerd.SpecOpts
|
||||||
// Set container username. This could only be done by containerd, because it needs
|
// Set container username. This could only be done by containerd, because it needs
|
||||||
// access to the container rootfs. Pass user name to containerd, and let it overwrite
|
// access to the container rootfs. Pass user name to containerd, and let it overwrite
|
||||||
// the spec for us.
|
// the spec for us.
|
||||||
if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
|
if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
|
||||||
specOpts = containerd.WithSpec(spec, containerd.WithUsername(username))
|
specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
|
||||||
|
}
|
||||||
|
if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
|
||||||
|
specOpts = append(specOpts, containerd.WithUsername(username))
|
||||||
}
|
}
|
||||||
|
|
||||||
opts = append(opts,
|
opts = append(opts,
|
||||||
specOpts,
|
containerd.WithSpec(spec, specOpts...),
|
||||||
containerd.WithRuntime(defaultRuntime),
|
containerd.WithRuntime(defaultRuntime),
|
||||||
containerd.WithContainerLabels(labels))
|
containerd.WithContainerLabels(labels))
|
||||||
var cntr containerd.Container
|
var cntr containerd.Container
|
||||||
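Review bot: `uint32(uid.GetValue())` in the new RunAsUser branch narrows the int64 from the CRI config with no range check, so a negative or larger-than-uint32 value silently wraps to an unintended uid instead of failing the request; the same cast appears in the RunPodSandbox hunk (`@ -126,8 +126,12 @@`). The removed `g.SetProcessUID` path had the same cast, but now that nothing validates the value before containerd applies it, I'd reject it here, e.g. `v := uid.GetValue(); if v < 0 || v > math.MaxUint32 { return an error naming the value }` (exact return shape depends on CreateContainer's signature, which starts outside the hunk). The comment above the block still reads "Set container username" although the block now delegates the uid as well, and the two options are appended in a fixed order; suggest `// Set container user (uid and/or username). Both are applied by containerd because it needs access to the container rootfs; when both are set, WithUsername is appended last and presumably wins — confirm against CRI semantics.`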
@ -270,12 +272,6 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
|
|||||||
// Set namespaces, share namespace with sandbox container.
|
// Set namespaces, share namespace with sandbox container.
|
||||||
setOCINamespaces(&g, securityContext.GetNamespaceOptions(), sandboxPid)
|
setOCINamespaces(&g, securityContext.GetNamespaceOptions(), sandboxPid)
|
||||||
|
|
||||||
runAsUser := securityContext.GetRunAsUser()
|
|
||||||
if runAsUser != nil {
|
|
||||||
// TODO(random-liu): We should also set gid. Use containerd#1425 instead.
|
|
||||||
g.SetProcessUID(uint32(runAsUser.GetValue()))
|
|
||||||
}
|
|
||||||
|
|
||||||
supplementalGroups := securityContext.GetSupplementalGroups()
|
supplementalGroups := securityContext.GetSupplementalGroups()
|
||||||
for _, group := range supplementalGroups {
|
for _, group := range supplementalGroups {
|
||||||
g.AddProcessAdditionalGid(uint32(group))
|
g.AddProcessAdditionalGid(uint32(group))
|
||||||
|
@ -91,7 +91,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
|
|||||||
},
|
},
|
||||||
SupplementalGroups: []int64{1111, 2222},
|
SupplementalGroups: []int64{1111, 2222},
|
||||||
NoNewPrivs: true,
|
NoNewPrivs: true,
|
||||||
RunAsUser: &runtime.Int64Value{Value: 255},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
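Review bot: The uid test coverage is removed here (the `RunAsUser` test data), in the next hunk (`@ -144,9 +143,6 @@`, the "Check uid" assertion) and in TestGenerateSandboxContainerSpec (`@ -128,16 +128,14 @@`), but nothing is added that exercises the new specOpts path, so a regression that drops the `WithUserID` append would go unnoticed. Since the uid is now applied by containerd rather than by the spec generator, the existing spec checks cannot observe it; a test asserting that a `WithUserID` option is produced when `RunAsUser` is set, or an integration test on the resulting container spec, would restore the coverage. The enclosing getCreateContainerTestData starts outside the hunk.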
@ -144,9 +143,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
|
|||||||
assert.NotContains(t, spec.Process.Capabilities.Permitted, "CAP_CHOWN")
|
assert.NotContains(t, spec.Process.Capabilities.Permitted, "CAP_CHOWN")
|
||||||
assert.NotContains(t, spec.Process.Capabilities.Ambient, "CAP_CHOWN")
|
assert.NotContains(t, spec.Process.Capabilities.Ambient, "CAP_CHOWN")
|
||||||
|
|
||||||
t.Logf("Check uid")
|
|
||||||
assert.EqualValues(t, spec.Process.User.UID, 255)
|
|
||||||
|
|
||||||
t.Logf("Check supplemental groups")
|
t.Logf("Check supplemental groups")
|
||||||
assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
|
assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
|
||||||
assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
|
assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
|
||||||
|
@ -126,8 +126,12 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
|
|||||||
sandboxMetadataLabel: string(metaBytes),
|
sandboxMetadataLabel: string(metaBytes),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var specOpts []containerd.SpecOpts
|
||||||
|
if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
|
||||||
|
specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
|
||||||
|
}
|
||||||
opts := []containerd.NewContainerOpts{
|
opts := []containerd.NewContainerOpts{
|
||||||
containerd.WithSpec(spec),
|
containerd.WithSpec(spec, specOpts...),
|
||||||
containerd.WithContainerLabels(labels),
|
containerd.WithContainerLabels(labels),
|
||||||
containerd.WithRuntime(defaultRuntime),
|
containerd.WithRuntime(defaultRuntime),
|
||||||
containerd.WithNewSnapshotView(id, image.Image)}
|
containerd.WithNewSnapshotView(id, image.Image)}
|
||||||
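Review bot: Unlike the CreateContainer hunk, the new uid block in RunPodSandbox carries no comment explaining why the uid is no longer set on the generated spec; suggest `// RunAsUser is applied by containerd via WithUserID so it can resolve the user against the sandbox rootfs; the generator no longer sets Process.User.UID itself.` The sandbox path also handles only RunAsUser and not RunAsUsername, which matches the old code (the sandbox security context may not carry a username — confirm), but a one-line comment would stop readers from expecting the two paths to mirror each other. RunPodSandbox starts outside the hunk.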
@ -268,12 +272,6 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
|
|||||||
|
|
||||||
// TODO(random-liu): [P1] Apply SeLinux options.
|
// TODO(random-liu): [P1] Apply SeLinux options.
|
||||||
|
|
||||||
runAsUser := securityContext.GetRunAsUser()
|
|
||||||
if runAsUser != nil {
|
|
||||||
// TODO(random-liu): We should also set gid. Use containerd#1425 instead.
|
|
||||||
g.SetProcessUID(uint32(runAsUser.GetValue()))
|
|
||||||
}
|
|
||||||
|
|
||||||
supplementalGroups := securityContext.GetSupplementalGroups()
|
supplementalGroups := securityContext.GetSupplementalGroups()
|
||||||
for _, group := range supplementalGroups {
|
for _, group := range supplementalGroups {
|
||||||
g.AddProcessAdditionalGid(uint32(group))
|
g.AddProcessAdditionalGid(uint32(group))
|
||||||
|
@ -128,16 +128,14 @@ func TestGenerateSandboxContainerSpec(t *testing.T) {
|
|||||||
},
|
},
|
||||||
expectErr: true,
|
expectErr: true,
|
||||||
},
|
},
|
||||||
"should set user correctly": {
|
"should set supplemental groups correctly": {
|
||||||
configChange: func(c *runtime.PodSandboxConfig) {
|
configChange: func(c *runtime.PodSandboxConfig) {
|
||||||
c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
|
c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
|
||||||
RunAsUser: &runtime.Int64Value{Value: 255},
|
|
||||||
SupplementalGroups: []int64{1111, 2222},
|
SupplementalGroups: []int64{1111, 2222},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
specCheck: func(t *testing.T, spec *runtimespec.Spec) {
|
specCheck: func(t *testing.T, spec *runtimespec.Spec) {
|
||||||
require.NotNil(t, spec.Process)
|
require.NotNil(t, spec.Process)
|
||||||
assert.EqualValues(t, spec.Process.User.UID, 255)
|
|
||||||
assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
|
assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
|
||||||
assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
|
assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
|
||||||
},
|
},
|
||||||
|