security context initial implementation - squash

pkg/securitycontext/doc.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package securitycontext contains security context api implementations
+package securitycontext

pkg/securitycontext/fake.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import (
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+
+	docker "github.com/fsouza/go-dockerclient"
+)
+
+// ValidSecurityContextWithContainerDefaults creates a valid security context provider based on
+// empty container defaults.  Used for testing.
+func ValidSecurityContextWithContainerDefaults() *api.SecurityContext {
+	priv := false
+	return &api.SecurityContext{
+		Capabilities: &api.Capabilities{},
+		Privileged:   &priv,
+	}
+}
+
+// NewFakeSecurityContextProvider creates a new, no-op security context provider.
+func NewFakeSecurityContextProvider() SecurityContextProvider {
+	return FakeSecurityContextProvider{}
+}
+
+type FakeSecurityContextProvider struct{}
+
+func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config) {
+}
+func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) {
+}

pkg/securitycontext/provider.go

@@ -0,0 +1,97 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+
+	docker "github.com/fsouza/go-dockerclient"
+)
+
+// NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.
+func NewSimpleSecurityContextProvider() SecurityContextProvider {
+	return SimpleSecurityContextProvider{}
+}
+
+// SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.
+type SimpleSecurityContextProvider struct{}
+
+// ModifyContainerConfig is called before the Docker createContainer call.
+// The security context provider can make changes to the Config with which
+// the container is created.
+func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config) {
+	if container.SecurityContext == nil {
+		return
+	}
+	if container.SecurityContext.RunAsUser != nil {
+		config.User = strconv.FormatInt(*container.SecurityContext.RunAsUser, 10)
+	}
+}
+
+// ModifyHostConfig is called before the Docker runContainer call.
+// The security context provider can make changes to the HostConfig, affecting
+// security options, whether the container is privileged, volume binds, etc.
+// An error is returned if it's not possible to secure the container as requested
+// with a security context.
+func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) {
+	if container.SecurityContext == nil {
+		return
+	}
+	if container.SecurityContext.Privileged != nil {
+		hostConfig.Privileged = *container.SecurityContext.Privileged
+	}
+
+	if container.SecurityContext.Capabilities != nil {
+		add, drop := makeCapabilites(container.SecurityContext.Capabilities.Add, container.SecurityContext.Capabilities.Drop)
+		hostConfig.CapAdd = add
+		hostConfig.CapDrop = drop
+	}
+
+	if container.SecurityContext.SELinuxOptions != nil {
+		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, container.SecurityContext.SELinuxOptions.User)
+		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, container.SecurityContext.SELinuxOptions.Role)
+		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, container.SecurityContext.SELinuxOptions.Type)
+		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, container.SecurityContext.SELinuxOptions.Level)
+	}
+}
+
+// modifySecurityOption adds the security option of name to the config array with value in the form
+// of name:value
+func modifySecurityOption(config []string, name, value string) []string {
+	if len(value) > 0 {
+		config = append(config, fmt.Sprintf("%s:%s", name, value))
+	}
+	return config
+}
+
+// makeCapabilites creates string slices from CapabilityType slices
+func makeCapabilites(capAdd []api.CapabilityType, capDrop []api.CapabilityType) ([]string, []string) {
+	var (
+		addCaps  []string
+		dropCaps []string
+	)
+	for _, cap := range capAdd {
+		addCaps = append(addCaps, string(cap))
+	}
+	for _, cap := range capDrop {
+		dropCaps = append(dropCaps, string(cap))
+	}
+	return addCaps, dropCaps
+}

pkg/securitycontext/provider_test.go

@@ -0,0 +1,181 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import (
+	"fmt"
+	"reflect"
+	"strconv"
+	"testing"
+
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+
+	docker "github.com/fsouza/go-dockerclient"
+)
+
+func TestModifyContainerConfig(t *testing.T) {
+	var uid int64 = 1
+	testCases := map[string]struct {
+		securityContext *api.SecurityContext
+		expected        *docker.Config
+	}{
+		"modify config, value set for user": {
+			securityContext: &api.SecurityContext{
+				RunAsUser: &uid,
+			},
+			expected: &docker.Config{
+				User: strconv.FormatInt(uid, 10),
+			},
+		},
+		"modify config, nil user value": {
+			securityContext: &api.SecurityContext{},
+			expected:        &docker.Config{},
+		},
+	}
+
+	provider := NewSimpleSecurityContextProvider()
+	dummyContainer := &api.Container{}
+	for k, v := range testCases {
+		dummyContainer.SecurityContext = v.securityContext
+		dockerCfg := &docker.Config{}
+		provider.ModifyContainerConfig(nil, dummyContainer, dockerCfg)
+		if !reflect.DeepEqual(v.expected, dockerCfg) {
+			t.Errorf("unexpected modification of docker config for %s.  Expected: %#v Got: %#v", k, v.expected, dockerCfg)
+		}
+	}
+}
+
+func TestModifyHostConfig(t *testing.T) {
+	nilPrivSC := fullValidSecurityContext()
+	nilPrivSC.Privileged = nil
+	nilPrivHC := fullValidHostConfig()
+	nilPrivHC.Privileged = false
+
+	nilCapsSC := fullValidSecurityContext()
+	nilCapsSC.Capabilities = nil
+	nilCapsHC := fullValidHostConfig()
+	nilCapsHC.CapAdd = *new([]string)
+	nilCapsHC.CapDrop = *new([]string)
+
+	nilSELinuxSC := fullValidSecurityContext()
+	nilSELinuxSC.SELinuxOptions = nil
+	nilSELinuxHC := fullValidHostConfig()
+	nilSELinuxHC.SecurityOpt = *new([]string)
+
+	seLinuxLabelsSC := fullValidSecurityContext()
+	seLinuxLabelsHC := fullValidHostConfig()
+
+	testCases := map[string]struct {
+		securityContext *api.SecurityContext
+		expected        *docker.HostConfig
+	}{
+		"full settings": {
+			securityContext: fullValidSecurityContext(),
+			expected:        fullValidHostConfig(),
+		},
+		"nil privileged": {
+			securityContext: nilPrivSC,
+			expected:        nilPrivHC,
+		},
+		"nil capabilities": {
+			securityContext: nilCapsSC,
+			expected:        nilCapsHC,
+		},
+		"nil selinux options": {
+			securityContext: nilSELinuxSC,
+			expected:        nilSELinuxHC,
+		},
+		"selinux labels": {
+			securityContext: seLinuxLabelsSC,
+			expected:        seLinuxLabelsHC,
+		},
+	}
+
+	provider := NewSimpleSecurityContextProvider()
+	dummyContainer := &api.Container{}
+	for k, v := range testCases {
+		dummyContainer.SecurityContext = v.securityContext
+		dockerCfg := &docker.HostConfig{}
+		provider.ModifyHostConfig(nil, dummyContainer, dockerCfg)
+		if !reflect.DeepEqual(v.expected, dockerCfg) {
+			t.Errorf("unexpected modification of host config for %s.  Expected: %#v Got: %#v", k, v.expected, dockerCfg)
+		}
+	}
+}
+
+func TestModifySecurityOption(t *testing.T) {
+	testCases := []struct {
+		name     string
+		config   []string
+		optName  string
+		optVal   string
+		expected []string
+	}{
+		{
+			name:     "Empty val",
+			config:   []string{"a:b", "c:d"},
+			optName:  "optA",
+			optVal:   "",
+			expected: []string{"a:b", "c:d"},
+		},
+		{
+			name:     "Valid",
+			config:   []string{"a:b", "c:d"},
+			optName:  "e",
+			optVal:   "f",
+			expected: []string{"a:b", "c:d", "e:f"},
+		},
+	}
+
+	for _, tc := range testCases {
+		actual := modifySecurityOption(tc.config, tc.optName, tc.optVal)
+		if !reflect.DeepEqual(tc.expected, actual) {
+			t.Errorf("Failed to apply options correctly for tc: %S.  Expected: %v but got %v", tc.name, tc.expected, actual)
+		}
+	}
+}
+
+func fullValidSecurityContext() *api.SecurityContext {
+	priv := true
+	return &api.SecurityContext{
+		Privileged: &priv,
+		Capabilities: &api.Capabilities{
+			Add:  []api.CapabilityType{"addCapA", "addCapB"},
+			Drop: []api.CapabilityType{"dropCapA", "dropCapB"},
+		},
+		SELinuxOptions: &api.SELinuxOptions{
+			User:  "user",
+			Role:  "role",
+			Type:  "type",
+			Level: "level",
+		},
+	}
+}
+
+func fullValidHostConfig() *docker.HostConfig {
+	return &docker.HostConfig{
+		Privileged: true,
+		CapAdd:     []string{"addCapA", "addCapB"},
+		CapDrop:    []string{"dropCapA", "dropCapB"},
+		SecurityOpt: []string{
+			fmt.Sprintf("%s:%s", dockerLabelUser, "user"),
+			fmt.Sprintf("%s:%s", dockerLabelRole, "role"),
+			fmt.Sprintf("%s:%s", dockerLabelType, "type"),
+			fmt.Sprintf("%s:%s", dockerLabelLevel, "level"),
+		},
+	}
+}

pkg/securitycontext/types.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import (
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+
+	docker "github.com/fsouza/go-dockerclient"
+)
+
+type SecurityContextProvider interface {
+	// ModifyContainerConfig is called before the Docker createContainer call.
+	// The security context provider can make changes to the Config with which
+	// the container is created.
+	ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)
+
+	// ModifyHostConfig is called before the Docker runContainer call.
+	// The security context provider can make changes to the HostConfig, affecting
+	// security options, whether the container is privileged, volume binds, etc.
+	// An error is returned if it's not possible to secure the container as requested
+	// with a security context.
+	ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)
+}
+
+const (
+	dockerLabelUser    string = "label:user"
+	dockerLabelRole    string = "label:role"
+	dockerLabelType    string = "label:type"
+	dockerLabelLevel   string = "label:level"
+	dockerLabelDisable string = "label:disable"
+)

pkg/securitycontext/util.go

@@ -0,0 +1,43 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+
+// HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account
+// the possibility of nils
+func HasPrivilegedRequest(container *api.Container) bool {
+	if container.SecurityContext == nil {
+		return false
+	}
+	if container.SecurityContext.Privileged == nil {
+		return false
+	}
+	return *container.SecurityContext.Privileged
+}
+
+// HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context
+// capabilities, taking into account nils
+func HasCapabilitiesRequest(container *api.Container) bool {
+	if container.SecurityContext == nil {
+		return false
+	}
+	if container.SecurityContext.Capabilities == nil {
+		return false
+	}
+	return len(container.SecurityContext.Capabilities.Add) > 0 || len(container.SecurityContext.Capabilities.Drop) > 0
+}