Promote sysctl annotations to API fields
This commit is contained in:
Jan Chaloupka
@@ -19,7 +19,6 @@ package sysctl
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
|
||||
"k8s.io/kubernetes/pkg/kubelet/container"
|
||||
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
|
||||
)
|
||||
@@ -83,17 +82,11 @@ func NewRuntimeAdmitHandler(runtime container.Runtime) (*runtimeAdmitHandler, er
|
||||
|
||||
// Admit checks whether the runtime supports sysctls.
|
||||
func (w *runtimeAdmitHandler) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
|
||||
sysctls, unsafeSysctls, err := v1helper.SysctlsFromPodAnnotations(attrs.Pod.Annotations)
|
||||
if err != nil {
|
||||
return lifecycle.PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: AnnotationInvalidReason,
|
||||
Message: fmt.Sprintf("invalid sysctl annotation: %v", err),
|
||||
}
|
||||
}
|
||||
if attrs.Pod.Spec.SecurityContext != nil {
|
||||
|
||||
if len(sysctls)+len(unsafeSysctls) > 0 {
|
||||
return w.result
|
||||
if len(attrs.Pod.Spec.SecurityContext.Sysctls) > 0 {
|
||||
return w.result
|
||||
}
|
||||
}
|
||||
|
||||
return lifecycle.PodAdmitResult{
|
||||
|
||||
@@ -20,7 +20,6 @@ import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
|
||||
"k8s.io/kubernetes/pkg/apis/core/validation"
|
||||
policyvalidation "k8s.io/kubernetes/pkg/apis/policy/validation"
|
||||
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
|
||||
@@ -31,36 +30,21 @@ const (
|
||||
ForbiddenReason = "SysctlForbidden"
|
||||
)
|
||||
|
||||
// SafeSysctlWhitelist returns the whitelist of safe sysctls and safe sysctl patterns (ending in *).
|
||||
//
|
||||
// A sysctl is called safe iff
|
||||
// - it is namespaced in the container or the pod
|
||||
// - it is isolated, i.e. has no influence on any other pod on the same node.
|
||||
func SafeSysctlWhitelist() []string {
|
||||
return []string{
|
||||
"kernel.shm_rmid_forced",
|
||||
"net.ipv4.ip_local_port_range",
|
||||
"net.ipv4.tcp_syncookies",
|
||||
}
|
||||
}
|
||||
|
||||
// patternWhitelist takes a list of sysctls or sysctl patterns (ending in *) and
|
||||
// checks validity via a sysctl and prefix map, rejecting those which are not known
|
||||
// to be namespaced.
|
||||
type patternWhitelist struct {
|
||||
sysctls map[string]Namespace
|
||||
prefixes map[string]Namespace
|
||||
annotationKey string
|
||||
sysctls map[string]Namespace
|
||||
prefixes map[string]Namespace
|
||||
}
|
||||
|
||||
var _ lifecycle.PodAdmitHandler = &patternWhitelist{}
|
||||
|
||||
// NewWhitelist creates a new Whitelist from a list of sysctls and sysctl pattern (ending in *).
|
||||
func NewWhitelist(patterns []string, annotationKey string) (*patternWhitelist, error) {
|
||||
func NewWhitelist(patterns []string) (*patternWhitelist, error) {
|
||||
w := &patternWhitelist{
|
||||
sysctls: map[string]Namespace{},
|
||||
prefixes: map[string]Namespace{},
|
||||
annotationKey: annotationKey,
|
||||
sysctls: map[string]Namespace{},
|
||||
prefixes: map[string]Namespace{},
|
||||
}
|
||||
|
||||
for _, s := range patterns {
|
||||
@@ -121,32 +105,22 @@ func (w *patternWhitelist) validateSysctl(sysctl string, hostNet, hostIPC bool)
|
||||
return fmt.Errorf("%q not whitelisted", sysctl)
|
||||
}
|
||||
|
||||
// Admit checks that all sysctls given in annotations v1.SysctlsPodAnnotationKey and v1.UnsafeSysctlsPodAnnotationKey
|
||||
// Admit checks that all sysctls given in pod's security context
|
||||
// are valid according to the whitelist.
|
||||
func (w *patternWhitelist) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
|
||||
pod := attrs.Pod
|
||||
a := pod.Annotations[w.annotationKey]
|
||||
if a == "" {
|
||||
if pod.Spec.SecurityContext == nil || len(pod.Spec.SecurityContext.Sysctls) == 0 {
|
||||
return lifecycle.PodAdmitResult{
|
||||
Admit: true,
|
||||
}
|
||||
}
|
||||
|
||||
sysctls, err := v1helper.SysctlsFromPodAnnotation(a)
|
||||
if err != nil {
|
||||
return lifecycle.PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: AnnotationInvalidReason,
|
||||
Message: fmt.Sprintf("invalid %s annotation: %v", w.annotationKey, err),
|
||||
}
|
||||
}
|
||||
|
||||
var hostNet, hostIPC bool
|
||||
if pod.Spec.SecurityContext != nil {
|
||||
hostNet = pod.Spec.HostNetwork
|
||||
hostIPC = pod.Spec.HostIPC
|
||||
}
|
||||
for _, s := range sysctls {
|
||||
for _, s := range pod.Spec.SecurityContext.Sysctls {
|
||||
if err := w.validateSysctl(s.Name, hostNet, hostIPC); err != nil {
|
||||
return lifecycle.PodAdmitResult{
|
||||
Admit: false,
|
||||
|
||||
@@ -19,7 +19,7 @@ package sysctl
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"k8s.io/api/core/v1"
|
||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl"
|
||||
)
|
||||
|
||||
func TestNewWhitelist(t *testing.T) {
|
||||
@@ -35,7 +35,7 @@ func TestNewWhitelist(t *testing.T) {
|
||||
{sysctls: []string{"net.*.foo"}, err: true},
|
||||
{sysctls: []string{"foo"}, err: true},
|
||||
} {
|
||||
_, err := NewWhitelist(append(SafeSysctlWhitelist(), test.sysctls...), v1.SysctlsPodAnnotationKey)
|
||||
_, err := NewWhitelist(append(sysctl.SafeSysctlWhitelist(), test.sysctls...))
|
||||
if test.err && err == nil {
|
||||
t.Errorf("expected an error creating a whitelist for %v", test.sysctls)
|
||||
} else if !test.err && err != nil {
|
||||
@@ -65,7 +65,7 @@ func TestWhitelist(t *testing.T) {
|
||||
{sysctl: "kernel.sem", hostIPC: true},
|
||||
}
|
||||
|
||||
w, err := NewWhitelist(append(SafeSysctlWhitelist(), "kernel.msg*", "kernel.sem"), v1.SysctlsPodAnnotationKey)
|
||||
w, err := NewWhitelist(append(sysctl.SafeSysctlWhitelist(), "kernel.msg*", "kernel.sem"))
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create whitelist: %v", err)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user