github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #26710 from sttts/sttts-fix-seccomp-annotations

Browse Source 
Automatic merge from submit-queue

Move /seccomp/ into domain prefix in seccomp annotations

Fixes #26610.

/cc @mdshuai @ncdc @jfrazelle
This commit is contained in:
k8s-merge-robot
2016-06-11 07:03:50 -07:00
committed by GitHub
parent 584d6a1f94 ca7be7dc6d
commit 911e84ed1e
4 changed files with 46 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/design/seccomp.md
View File

@@ -202,11 +202,11 @@ use annotations instead of extending the API with new fields.
In the alpha version of this feature we will use annotations to store the In the alpha version of this feature we will use annotations to store the
names of seccomp profiles. The keys will be: names of seccomp profiles. The keys will be:
`security.alpha.kubernetes.io/seccomp/container/<container name>` `container.seccomp.security.alpha.kubernetes.io/<container name>`
which will be used to set the seccomp profile of a container, and: which will be used to set the seccomp profile of a container, and:
`security.alpha.kubernetes.io/seccomp/pod` `seccomp.security.alpha.kubernetes.io/pod`
which will set the seccomp profile for the containers of an entire pod. If a which will set the seccomp profile for the containers of an entire pod. If a
pod-level annotation is present, and a container-level annotation present for pod-level annotation is present, and a container-level annotation present for
@@ -240,7 +240,7 @@ subdirectory of the kubelet root directory.
The `PodSecurityPolicy` type should be annotated with the allowed seccomp The `PodSecurityPolicy` type should be annotated with the allowed seccomp
profiles using the key profiles using the key
`security.alpha.kubernetes.io/allowedSeccompProfileNames`. The value of this `seccomp.security.alpha.kubernetes.io/allowedProfileNames`. The value of this
key should be a comma delimited list. key should be a comma delimited list.
## Examples ## Examples
@@ -255,7 +255,7 @@ kind: Pod
metadata: metadata:
name: trustworthy-pod name: trustworthy-pod
annotations: annotations:
security.alpha.kubernetes.io/seccomp/pod: unconfined seccomp.security.alpha.kubernetes.io/pod: unconfined
spec: spec:
containers: containers:
- name: trustworthy-container - name: trustworthy-container
@@ -273,7 +273,7 @@ kind: Pod
metadata: metadata:
name: explorer name: explorer
annotations: annotations:
security.alpha.kubernetes.io/seccomp/container/explorer: localhost/example-explorer-profile container.seccomp.security.alpha.kubernetes.io/explorer: localhost/example-explorer-profile
spec: spec:
containers: containers:
- name: explorer - name: explorer

6
pkg/kubelet/dockertools/manager.go
View File

@@ -993,10 +993,10 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
return nil, nil return nil, nil
} }
profile, profileOK := pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/container/"+ctrName] profile, profileOK := pod.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+ctrName]
if !profileOK { if !profileOK {
// try the pod profile // try the pod profile
profile, profileOK = pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/pod"] profile, profileOK = pod.ObjectMeta.Annotations["seccomp.security.alpha.kubernetes.io/pod"]
if !profileOK { if !profileOK {
// return early the default // return early the default
return defaultSecurityOpt, nil return defaultSecurityOpt, nil
@@ -1013,7 +1013,7 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
return nil, nil return nil, nil
} }
if !strings.HasPrefix(profile, "localhost") { if !strings.HasPrefix(profile, "localhost/") {
return nil, fmt.Errorf("unknown seccomp profile option: %s", profile) return nil, fmt.Errorf("unknown seccomp profile option: %s", profile)
} }

8
pkg/kubelet/dockertools/manager_test.go
View File

@@ -1762,7 +1762,7 @@ func TestUnconfinedSeccompProfileWithDockerV110(t *testing.T) {
Name: "foo4", Name: "foo4",
Namespace: "new", Namespace: "new",
Annotations: map[string]string{ Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "unconfined", "seccomp.security.alpha.kubernetes.io/pod": "unconfined",
}, },
}, },
Spec: api.PodSpec{ Spec: api.PodSpec{
@@ -1804,7 +1804,7 @@ func TestDefaultSeccompProfileWithDockerV110(t *testing.T) {
Name: "foo1", Name: "foo1",
Namespace: "new", Namespace: "new",
Annotations: map[string]string{ Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "docker/default", "seccomp.security.alpha.kubernetes.io/pod": "docker/default",
}, },
}, },
Spec: api.PodSpec{ Spec: api.PodSpec{
@@ -1846,8 +1846,8 @@ func TestSeccompContainerAnnotationTrumpsPod(t *testing.T) {
Name: "foo2", Name: "foo2",
Namespace: "new", Namespace: "new",
Annotations: map[string]string{ Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "unconfined", "seccomp.security.alpha.kubernetes.io/pod": "unconfined",
"security.alpha.kubernetes.io/seccomp/container/bar2": "docker/default", "container.seccomp.security.alpha.kubernetes.io/bar2": "docker/default",
}, },
}, },
Spec: api.PodSpec{ Spec: api.PodSpec{

36
test/e2e/security_context.go
View File

@@ -37,8 +37,9 @@ func scTestPod(hostIPC bool, hostPID bool) *api.Pod {
podName := "security-context-" + string(util.NewUUID()) podName := "security-context-" + string(util.NewUUID())
pod := &api.Pod{ pod := &api.Pod{
ObjectMeta: api.ObjectMeta{ ObjectMeta: api.ObjectMeta{
Name: podName, Name: podName,
Labels: map[string]string{"name": podName}, Labels: map[string]string{"name": podName},
Annotations: map[string]string{},
}, },
Spec: api.PodSpec{ Spec: api.PodSpec{
SecurityContext: &api.PodSecurityContext{ SecurityContext: &api.PodSecurityContext{
@@ -106,6 +107,37 @@ var _ = framework.KubeDescribe("Security Context [Feature:SecurityContext]", fun
testPodSELinuxLabeling(f, false, true) testPodSELinuxLabeling(f, false, true)
}) })
It("should support seccomp alpha unconfined annotation on the container [Feature:Seccomp]", func() {
// TODO: port to SecurityContext as soon as seccomp is out of alpha
pod := scTestPod(false, false)
pod.Annotations["container.seccomp.security.alpha.kubernetes.io/test-container"] = "unconfined"
pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "docker/default"
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
})
It("should support seccomp alpha unconfined annotation on the pod [Feature:Seccomp]", func() {
// TODO: port to SecurityContext as soon as seccomp is out of alpha
pod := scTestPod(false, false)
pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "unconfined"
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
})
It("should support seccomp alpha docker/default annotation [Feature:Seccomp]", func() {
// TODO: port to SecurityContext as soon as seccomp is out of alpha
pod := scTestPod(false, false)
pod.Annotations["container.seccomp.security.alpha.kubernetes.io/test-container"] = "docker/default"
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"2"}) // seccomp filtered
})
It("should support seccomp default which is unconfined [Feature:Seccomp]", func() {
// TODO: port to SecurityContext as soon as seccomp is out of alpha
pod := scTestPod(false, false)
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
})
}) })
func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool) { func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool) {