github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

sandbox: separate host accessing workload and privileged

Browse Source 
VM isolated runtimes can support privileged workloads. In this
scenario, access to the guest VM is provided instead of the host.
Based on this, allow untrusted runtimes to run privileged workloads.

If the workload is specifically asking for node PID/IPC/network, etc.,
then continue to require the trusted runtime.

This commit repurposes the hostPrivilegedSandbox utility function to
only check for node namespace checking.

Fixes: #855

Signed-off-by: Eric Ernst <eric.ernst@intel.com>
This commit is contained in:
Eric Ernst
2018-07-20 09:01:02 -07:00
parent 42a98de252
commit 9a01272dc2
2 changed files with 21 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/server/sandbox_run_test.go
View File

@@ -474,7 +474,7 @@ func TestTypeurlMarshalUnmarshalSandboxMeta(t *testing.T) {
}
}
func TestHostPrivilegedSandbox(t *testing.T) {
func TestHostAccessingSandbox(t *testing.T) {
privilegedContext := &runtime.PodSandboxConfig{
Linux: &runtime.LinuxPodSandboxConfig{
SecurityContext: &runtime.LinuxSandboxSecurityContext{
@@ -507,14 +507,14 @@ func TestHostPrivilegedSandbox(t *testing.T) {
want bool
}{
{"Security Context is nil", nil, false},
{"Security Context is privileged", privilegedContext, true},
{"Security Context is privileged", privilegedContext, false},
{"Security Context is not privileged", nonPrivilegedContext, false},
{"Security Context namespace host access", hostNamespace, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := hostPrivilegedSandbox(tt.config); got != tt.want {
t.Errorf("hostPrivilegedSandbox() = %v, want %v", got, tt.want)
if got := hostAccessingSandbox(tt.config); got != tt.want {
t.Errorf("hostAccessingSandbox() = %v, want %v", got, tt.want)
}
})
}
@@ -540,11 +540,16 @@ func TestGetSandboxRuntime(t *testing.T) {
expectErr bool
expectedRuntime criconfig.Runtime
}{
"should return error if untrusted workload requires host privilege": {
"should return error if untrusted workload requires host access": {
sandboxConfig: &runtime.PodSandboxConfig{
Linux: &runtime.LinuxPodSandboxConfig{
SecurityContext: &runtime.LinuxSandboxSecurityContext{
Privileged: true,
Privileged: false,
NamespaceOptions: &runtime.NamespaceOption{
Network: runtime.NamespaceMode_NODE,
Pid: runtime.NamespaceMode_NODE,
Ipc: runtime.NamespaceMode_NODE,
},
},
},
Annotations: map[string]string{