Add Support for supplemental groups

pkg/securitycontext/provider.go

@@ -21,6 +21,7 @@ import (
 	"strconv"
 
 	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/kubelet/leaky"
 
 	docker "github.com/fsouza/go-dockerclient"
 )
@@ -48,9 +49,25 @@ func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, conta
 // ModifyHostConfig is called before the Docker runContainer call.
 // The security context provider can make changes to the HostConfig, affecting
 // security options, whether the container is privileged, volume binds, etc.
-// An error is returned if it's not possible to secure the container as requested
-// with a security context.
 func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) {
+	// Apply pod security context
+	if pod.Spec.SecurityContext != nil {
+		// We skip application of supplemental groups to the
+		// infra container to work around a runc issue which
+		// requires containers to have the '/etc/group'. For
+		// more information see:
+		// https://github.com/opencontainers/runc/pull/313
+		// This can be removed once the fix makes it into the
+		// required version of docker.
+		if pod.Spec.SecurityContext.SupplementalGroups != nil && container.Name != leaky.PodInfraContainerName {
+			hostConfig.GroupAdd = make([]string, len(pod.Spec.SecurityContext.SupplementalGroups))
+			for i, group := range pod.Spec.SecurityContext.SupplementalGroups {
+				hostConfig.GroupAdd[i] = strconv.FormatInt(group, 10)
+			}
+		}
+	}
+
+	// Apply container security context
 	if container.SecurityContext == nil {
 		return
 	}

pkg/securitycontext/provider_test.go

@@ -22,9 +22,9 @@ import (
 	"strconv"
 	"testing"
 
-	"k8s.io/kubernetes/pkg/api"
-
 	docker "github.com/fsouza/go-dockerclient"
+	"k8s.io/kubernetes/pkg/api"
+	apitesting "k8s.io/kubernetes/pkg/api/testing"
 )
 
 func TestModifyContainerConfig(t *testing.T) {
@@ -107,10 +107,50 @@ func TestModifyHostConfig(t *testing.T) {
 
 	provider := NewSimpleSecurityContextProvider()
 	dummyContainer := &api.Container{}
+	dummyPod := &api.Pod{
+		Spec: apitesting.DeepEqualSafePodSpec(),
+	}
 	for k, v := range testCases {
 		dummyContainer.SecurityContext = v.securityContext
 		dockerCfg := &docker.HostConfig{}
-		provider.ModifyHostConfig(nil, dummyContainer, dockerCfg)
+		provider.ModifyHostConfig(dummyPod, dummyContainer, dockerCfg)
+		if !reflect.DeepEqual(v.expected, dockerCfg) {
+			t.Errorf("unexpected modification of host config for %s.  Expected: %#v Got: %#v", k, v.expected, dockerCfg)
+		}
+	}
+}
+
+func TestModifyHostConfigPodSecurityContext(t *testing.T) {
+	supplementalGroupsSC := &api.PodSecurityContext{}
+	supplementalGroupsSC.SupplementalGroups = []int64{2222}
+	supplementalGroupHC := fullValidHostConfig()
+	supplementalGroupHC.GroupAdd = []string{"2222"}
+
+	testCases := map[string]struct {
+		securityContext *api.PodSecurityContext
+		expected        *docker.HostConfig
+	}{
+		"nil Security Context": {
+			securityContext: nil,
+			expected:        fullValidHostConfig(),
+		},
+		"Security Context with SupplementalGroup": {
+			securityContext: supplementalGroupsSC,
+			expected:        supplementalGroupHC,
+		},
+	}
+
+	provider := NewSimpleSecurityContextProvider()
+	dummyContainer := &api.Container{}
+	dummyContainer.SecurityContext = fullValidSecurityContext()
+	dummyPod := &api.Pod{
+		Spec: apitesting.DeepEqualSafePodSpec(),
+	}
+
+	for k, v := range testCases {
+		dummyPod.Spec.SecurityContext = v.securityContext
+		dockerCfg := &docker.HostConfig{}
+		provider.ModifyHostConfig(dummyPod, dummyContainer, dockerCfg)
 		if !reflect.DeepEqual(v.expected, dockerCfg) {
 			t.Errorf("unexpected modification of host config for %s.  Expected: %#v Got: %#v", k, v.expected, dockerCfg)
 		}