github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #28159 from sttts/sttts-seccomp-operator

Browse Source 
Automatic merge from submit-queue

Use : as seccomp security option operator for Docker 1.10

Compare https://docs.docker.com/v1.11/engine/reference/run/ and https://docs.docker.com/v1.10/engine/reference/run/

Fixes https://github.com/kubernetes/kubernetes/issues/28107
This commit is contained in:
k8s-merge-robot
2016-06-28 12:15:43 -07:00
committed by GitHub
parent c2de10e4a2 186c6b29c1
commit 7b532f6f03
2 changed files with 51 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
pkg/kubelet/dockertools/docker_manager.go
View File

@@ -104,8 +104,8 @@ var (
// TODO: make this a TTL based pull (if image older than X policy, pull) // TODO: make this a TTL based pull (if image older than X policy, pull)
podInfraContainerImagePullPolicy = api.PullIfNotPresent podInfraContainerImagePullPolicy = api.PullIfNotPresent
// Default set of security options. // Default security option, only seccomp for now
defaultSecurityOpt = []string{"seccomp:unconfined"} defaultSeccompProfile = "unconfined"
) )
type DockerManager struct { type DockerManager struct {
@@ -558,7 +558,7 @@ func (dm *DockerManager) runContainer(
ContainerName: container.Name, ContainerName: container.Name,
} }
securityOpts, err := dm.getSecurityOpt(pod, container.Name) securityOpts, err := dm.getSecurityOpts(pod, container.Name)
if err != nil { if err != nil {
return kubecontainer.ContainerID{}, err return kubecontainer.ContainerID{}, err
} }
@@ -977,7 +977,7 @@ func (dm *DockerManager) checkVersionCompatibility() error {
return nil return nil
} }
func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string, error) { func (dm *DockerManager) getSecurityOpts(pod *api.Pod, ctrName string) ([]string, error) {
version, err := dm.APIVersion() version, err := dm.APIVersion()
if err != nil { if err != nil {
return nil, err return nil, err
@@ -988,24 +988,31 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
if err != nil { if err != nil {
return nil, err return nil, err
} }
if result < 0 { var optFmt string
// return early for old versions switch {
return nil, nil case result < 0:
return nil, nil // return early for Docker < 1.10
case result == 0:
optFmt = "%s:%s" // use colon notation for Docker 1.10
case result > 0:
optFmt = "%s=%s" // use = notation for Docker >= 1.11
} }
defaultSecurityOpts := []string{fmt.Sprintf(optFmt, "seccomp", defaultSeccompProfile)}
profile, profileOK := pod.ObjectMeta.Annotations[api.SeccompContainerAnnotationKeyPrefix+ctrName] profile, profileOK := pod.ObjectMeta.Annotations[api.SeccompContainerAnnotationKeyPrefix+ctrName]
if !profileOK { if !profileOK {
// try the pod profile // try the pod profile
profile, profileOK = pod.ObjectMeta.Annotations[api.SeccompPodAnnotationKey] profile, profileOK = pod.ObjectMeta.Annotations[api.SeccompPodAnnotationKey]
if !profileOK { if !profileOK {
// return early the default // return early the default
return defaultSecurityOpt, nil return defaultSecurityOpts, nil
} }
} }
if profile == "unconfined" { if profile == "unconfined" {
// return early the default // return early the default
return defaultSecurityOpt, nil return defaultSecurityOpts, nil
} }
if profile == "docker/default" { if profile == "docker/default" {
@@ -1029,7 +1036,7 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
return nil, err return nil, err
} }
return []string{fmt.Sprintf("seccomp=%s", b.Bytes())}, nil return []string{fmt.Sprintf(optFmt, "seccomp", b.Bytes())}, nil
} }
type dockerExitError struct { type dockerExitError struct {

35
pkg/kubelet/dockertools/docker_manager_test.go
View File

@@ -1717,6 +1717,39 @@ func verifySyncResults(t *testing.T, expectedResults []*kubecontainer.SyncResult
} }
} }
func TestSecurityOptsOperator(t *testing.T) {
dm110, _ := newTestDockerManagerWithVersion("1.10.1", "1.22")
dm111, _ := newTestDockerManagerWithVersion("1.11.0", "1.23")
pod := &api.Pod{
ObjectMeta: api.ObjectMeta{
UID: "12345678",
Name: "foo",
Namespace: "new",
},
Spec: api.PodSpec{
Containers: []api.Container{
{Name: "bar"},
},
},
}
opts, err := dm110.getSecurityOpts(pod, "bar")
if err != nil {
t.Fatalf("error getting security opts for Docker 1.10: %v", err)
}
if expected := []string{"seccomp:unconfined"}; len(opts) != 1 || opts[0] != expected[0] {
t.Fatalf("security opts for Docker 1.10: expected %v, got: %v", expected, opts)
}
opts, err = dm111.getSecurityOpts(pod, "bar")
if err != nil {
t.Fatalf("error getting security opts for Docker 1.11: %v", err)
}
if expected := []string{"seccomp=unconfined"}; len(opts) != 1 || opts[0] != expected[0] {
t.Fatalf("security opts for Docker 1.11: expected %v, got: %v", expected, opts)
}
}
func TestSeccompIsUnconfinedByDefaultWithDockerV110(t *testing.T) { func TestSeccompIsUnconfinedByDefaultWithDockerV110(t *testing.T) {
dm, fakeDocker := newTestDockerManagerWithVersion("1.10.1", "1.22") dm, fakeDocker := newTestDockerManagerWithVersion("1.10.1", "1.22")
pod := &api.Pod{ pod := &api.Pod{
@@ -1910,7 +1943,7 @@ func TestSeccompLocalhostProfileIsLoaded(t *testing.T) {
} }
for _, test := range tests { for _, test := range tests {
dm, fakeDocker := newTestDockerManagerWithVersion("1.10.1", "1.22") dm, fakeDocker := newTestDockerManagerWithVersion("1.11.0", "1.23")
_, filename, _, _ := goruntime.Caller(0) _, filename, _, _ := goruntime.Caller(0)
dm.seccompProfileRoot = path.Join(path.Dir(filename), "fixtures", "seccomp") dm.seccompProfileRoot = path.Join(path.Dir(filename), "fixtures", "seccomp")