Add config flag to default empty seccomp profile

This change adds the `default_seccomp_profile` config option, which applies a default seccomp profile when one is not provided by k8s.

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
This commit is contained in:
Maksym Pavlenko 2020-05-08 13:24:38 -07:00
parent 65830369b6
commit 38f19f991e
4 changed files with 36 additions and 18 deletions


@ -225,6 +225,8 @@ type PluginConfig struct {
// DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true` // DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
// when using containerd with Kubernetes <=1.11. // when using containerd with Kubernetes <=1.11.
DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"` DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
// DefaultSeccompProfile is a seccomp profile to use if not provided by k8s.
DefaultSeccompProfile string `toml:"default_seccomp_profile" json:"defaultSeccompProfile"`
} }
// X509KeyPairStreaming contains the x509 configuration for streaming // X509KeyPairStreaming contains the x509 configuration for streaming
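Review bot: The comment on DefaultSeccompProfile does not tell an operator which values `default_seccomp_profile` accepts or when it is skipped, and that is the one thing the field needs to document. In the accompanying generateSeccompSpecOpts change the value is substituted for an empty profile path and then goes through the same handling as a pod-supplied path (runtime/default and docker/default are matched there; the test expects a profileNamePrefix-prefixed name to become seccomp.WithProfile), and it is not applied to privileged containers, because that branch returns before the substitution. I would expand the comment to: `// DefaultSeccompProfile is the seccomp profile applied when the security context does not specify one. It takes the same values as a Kubernetes seccomp profile path (e.g. runtime/default, docker/default, a profileNamePrefix-prefixed name) and is ignored for privileged containers.` Whether the remaining accepted forms match exactly cannot be confirmed from this diff, since the rest of generateSeccompSpecOpts is outside the hunk.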


@ -286,7 +286,7 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
specOpts = append(specOpts, apparmorSpecOpts) specOpts = append(specOpts, apparmorSpecOpts)
} }
seccompSpecOpts, err := generateSeccompSpecOpts( seccompSpecOpts, err := c.generateSeccompSpecOpts(
securityContext.GetSeccompProfilePath(), securityContext.GetSeccompProfilePath(),
securityContext.GetPrivileged(), securityContext.GetPrivileged(),
c.seccompEnabled()) c.seccompEnabled())
@ -300,11 +300,14 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
} }
// generateSeccompSpecOpts generates containerd SpecOpts for seccomp. // generateSeccompSpecOpts generates containerd SpecOpts for seccomp.
func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) { func (c *criService) generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
if privileged { if privileged {
// Do not set seccomp profile when container is privileged // Do not set seccomp profile when container is privileged
return nil, nil return nil, nil
} }
if seccompProf == "" {
seccompProf = c.config.DefaultSeccompProfile
}
// Set seccomp profile // Set seccomp profile
if seccompProf == runtimeDefault || seccompProf == dockerDefault { if seccompProf == runtimeDefault || seccompProf == dockerDefault {
// use correct default profile (Eg. if not configured otherwise, the default is docker/default) // use correct default profile (Eg. if not configured otherwise, the default is docker/default)
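Review bot: The new fallback at `if seccompProf == ""` runs unconditionally for every non-privileged container, and the same method is now also called from the sandbox hunk (sandboxContainerSpecOpts), so a configured default is applied to the pause container too; the remainder of generateSeccompSpecOpts, including the "not supported" check the first test case refers to, is outside this hunk. If that check also applies to the substituted value, then setting `default_seccomp_profile` on a host without seccomp support turns every pod and container creation into an error rather than a no-op. Failing closed is the right choice for a security default, but it should be detected once at service start (validate the configured profile when the config is loaded and refuse to start with a clear message) instead of surfacing as a per-container runtime error. I would also record the intended precedence next to the substitution so nobody later "fixes" it: `// Fall back to the configured default only when the workload did not ask for a profile at all; an explicit value (including unconfined) is honored as-is.`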


@ -20,6 +20,7 @@ package server
import ( import (
"context" "context"
"fmt"
"os" "os"
"path/filepath" "path/filepath"
"reflect" "reflect"
@ -779,11 +780,12 @@ func TestNoDefaultRunMount(t *testing.T) {
func TestGenerateSeccompSpecOpts(t *testing.T) { func TestGenerateSeccompSpecOpts(t *testing.T) {
for desc, test := range map[string]struct { for desc, test := range map[string]struct {
profile string profile string
privileged bool privileged bool
disable bool disable bool
specOpts oci.SpecOpts specOpts oci.SpecOpts
expectErr bool expectErr bool
defaultProfile string
}{ }{
"should return error if seccomp is specified when seccomp is not supported": { "should return error if seccomp is specified when seccomp is not supported": {
profile: runtimeDefault, profile: runtimeDefault,
@ -824,17 +826,28 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
profile: "test-profile", profile: "test-profile",
expectErr: true, expectErr: true,
}, },
"should use default profile when seccomp is empty": {
defaultProfile: profileNamePrefix + "test-profile",
specOpts: seccomp.WithProfile("test-profile"),
},
"should fallback to docker/default when seccomp is empty and default is runtime/default": {
defaultProfile: runtimeDefault,
specOpts: seccomp.WithDefaultProfile(),
},
} { } {
t.Logf("TestCase %q", desc) t.Run(fmt.Sprintf("TestCase %q", desc), func(t *testing.T) {
specOpts, err := generateSeccompSpecOpts(test.profile, test.privileged, !test.disable) cri := &criService{}
assert.Equal(t, cri.config.DefaultSeccompProfile = test.defaultProfile
reflect.ValueOf(test.specOpts).Pointer(), specOpts, err := cri.generateSeccompSpecOpts(test.profile, test.privileged, !test.disable)
reflect.ValueOf(specOpts).Pointer()) assert.Equal(t,
if test.expectErr { reflect.ValueOf(test.specOpts).Pointer(),
assert.Error(t, err) reflect.ValueOf(specOpts).Pointer())
} else { if test.expectErr {
assert.NoError(t, err) assert.Error(t, err)
} } else {
assert.NoError(t, err)
}
})
} }
} }
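Review bot: The two added cases only exercise the happy path of the new default; the interactions that matter for a security default are not covered — a configured default must not reach a privileged container, an explicit profile must win over the default, and a default on a host where seccomp is disabled should produce the same error as an explicit profile does. The first two follow directly from the order of the checks in generateSeccompSpecOpts; the third assumes the not-supported check below that hunk also sees the substituted value, which this diff does not show. The cases below use only the struct fields already declared in the table. As a minor style point, `t.Run(desc, func(t *testing.T) {` would give the same subtests without the new fmt import and without quote characters in the subtest names.
```go
// … unchanged: existing cases …
"should not apply default profile when container is privileged": {
	defaultProfile: runtimeDefault,
	privileged:     true,
},
"should prefer explicit profile over default profile": {
	profile:        profileNamePrefix + "explicit",
	defaultProfile: runtimeDefault,
	specOpts:       seccomp.WithProfile("explicit"),
},
"should return error if default profile is set when seccomp is not supported": {
	defaultProfile: runtimeDefault,
	disable:        true,
	expectErr:      true,
},
```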


@ -161,7 +161,7 @@ func (c *criService) sandboxContainerSpecOpts(config *runtime.PodSandboxConfig,
securityContext = config.GetLinux().GetSecurityContext() securityContext = config.GetLinux().GetSecurityContext()
specOpts []oci.SpecOpts specOpts []oci.SpecOpts
) )
seccompSpecOpts, err := generateSeccompSpecOpts( seccompSpecOpts, err := c.generateSeccompSpecOpts(
securityContext.GetSeccompProfilePath(), securityContext.GetSeccompProfilePath(),
securityContext.GetPrivileged(), securityContext.GetPrivileged(),
c.seccompEnabled()) c.seccompEnabled())