KEP-3619: Fine grained SupplementalGroups control

Signed-off-by: Shingo Omura <everpeace@gmail.com>
Shingo Omura
2024-02-02 15:52:14 +09:00
parent eb8b3de9d3
commit 8bcffa9446
18 changed files with 1762 additions and 635 deletions


@@ -65,8 +65,23 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
} else if imageConfig.User != "" {
userstr, _, _ = strings.Cut(imageConfig.User, ":")
}
specOpts = append(specOpts, customopts.WithAdditionalGIDs(userstr),
customopts.WithSupplementalGroups(securityContext.GetSupplementalGroups()))
switch securityContext.GetSupplementalGroupsPolicy() {
case runtime.SupplementalGroupsPolicy_Merge:
// merging group defined in /etc/passwd
// and SupplementalGroups defined in security context
specOpts = append(specOpts,
customopts.WithAdditionalGIDs(userstr),
customopts.WithSupplementalGroups(securityContext.GetSupplementalGroups()),
)
case runtime.SupplementalGroupsPolicy_Strict:
// no merging group defined in /etc/passwd
specOpts = append(specOpts,
customopts.WithSupplementalGroups(securityContext.GetSupplementalGroups()),
)
default:
return nil, fmt.Errorf("not implemented in this containerd release: SupplementalGroupsPolicy=%d", securityContext.GetSupplementalGroupsPolicy())
}
asp := securityContext.GetApparmor()
if asp == nil {