From bcd939cb080922d648b6e3a2f7e0406061f4ef5c Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Wed, 7 Dec 2016 17:22:33 -0800
Subject: [PATCH] kuberuntime: set privileged for sandboxes
---
 pkg/kubelet/container/helpers.go | 12 ++++++
 pkg/kubelet/container/helpers_test.go | 41 +++++++++++++++++++
 pkg/kubelet/kubelet_pods.go | 14 +------
 pkg/kubelet/kubelet_pods_test.go | 41 -------------------
 .../kuberuntime/kuberuntime_sandbox.go | 23 ++++++-----
 5 files changed, 67 insertions(+), 64 deletions(-)
diff --git a/pkg/kubelet/container/helpers.go b/pkg/kubelet/container/helpers.go
index 66fdc284fca..2824db0dd9d 100644
--- a/pkg/kubelet/container/helpers.go
+++ b/pkg/kubelet/container/helpers.go
@@ -261,3 +261,15 @@ func GetContainerSpec(pod *v1.Pod, containerName string) *v1.Container {
 }
 return nil
 }
+
+// HasPrivilegedContainer returns true if any of the containers in the pod are privileged.
+func HasPrivilegedContainer(pod *v1.Pod) bool {
+ for _, c := range pod.Spec.Containers {
+ if c.SecurityContext != nil &&
+ c.SecurityContext.Privileged != nil &&
+ *c.SecurityContext.Privileged {
+ return true
+ }
+ }
+ return false
+}
diff --git a/pkg/kubelet/container/helpers_test.go b/pkg/kubelet/container/helpers_test.go
index 23669158269..0f68556197d 100644
--- a/pkg/kubelet/container/helpers_test.go
+++ b/pkg/kubelet/container/helpers_test.go
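Review bot: HasPrivilegedContainer ranges only over pod.Spec.Containers, so a pod whose only privileged container is an init container is reported as unprivileged, and every caller in this patch (enableHostUserNamespace in kubelet_pods.go and the new sandbox check in kuberuntime_sandbox.go) inherits that gap. If this tree already carries pod.Spec.InitContainers, the check should cover both lists; pulling the per-container test into a small helper keeps the two loops identical. The doc comment should then name the lists consulted, e.g. `// HasPrivilegedContainer returns true if any init container or regular container in the pod is privileged.`
```go
// HasPrivilegedContainer returns true if any init container or regular container in the pod is privileged.
func HasPrivilegedContainer(pod *v1.Pod) bool {
	for i := range pod.Spec.InitContainers {
		if isPrivilegedContainer(&pod.Spec.InitContainers[i]) {
			return true
		}
	}
	for i := range pod.Spec.Containers {
		if isPrivilegedContainer(&pod.Spec.Containers[i]) {
			return true
		}
	}
	return false
}

// isPrivilegedContainer reports whether the container's SecurityContext explicitly sets Privileged to true.
func isPrivilegedContainer(c *v1.Container) bool {
	return c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged
}
```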
@@ -211,3 +211,44 @@ func TestShouldContainerBeRestarted(t *testing.T) {
 }
 }
 }
+
+func TestHasPrivilegedContainer(t *testing.T) {
+ newBoolPtr := func(b bool) *bool {
+ return &b
+ }
+ tests := map[string]struct {
+ securityContext *v1.SecurityContext
+ expected bool
+ }{
+ "nil security context": {
+ securityContext: nil,
+ expected: false,
+ },
+ "nil privileged": {
+ securityContext: &v1.SecurityContext{},
+ expected: false,
+ },
+ "false privileged": {
+ securityContext: &v1.SecurityContext{Privileged: newBoolPtr(false)},
+ expected: false,
+ },
+ "true privileged": {
+ securityContext: &v1.SecurityContext{Privileged: newBoolPtr(true)},
+ expected: true,
+ },
+ }
+
+ for k, v := range tests {
+ pod := &v1.Pod{
+ Spec: v1.PodSpec{
+ Containers: []v1.Container{
+ {SecurityContext: v.securityContext},
+ },
+ },
+ }
+ actual := HasPrivilegedContainer(pod)
+ if actual != v.expected {
+ t.Errorf("%s expected %t but got %t", k, v.expected, actual)
+ }
+ }
+}
diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go
index 32f3ca3506d..3d644a108ef 100644
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
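Review bot: Every case in the new table builds a pod with exactly one container, so the "any container" part of HasPrivilegedContainer's contract is never exercised and an implementation that only inspected the first container would still pass. The table's value type should grow a `containers []v1.Container` field (or a second slice of security contexts) with at least one case where only the second of two containers is privileged and one where the first is privileged and the second is not. If the helper is extended to init containers, an `initContainers` case belongs here too.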
@@ -1441,25 +1441,13 @@ func (kl *Kubelet) cleanupOrphanedPodCgroups(
 // or it will not have the correct capabilities in the namespace. This means that host user namespace
 // is enabled per pod, not per container.
 func (kl *Kubelet) enableHostUserNamespace(pod *v1.Pod) bool {
- if hasPrivilegedContainer(pod) || hasHostNamespace(pod) ||
+ if kubecontainer.HasPrivilegedContainer(pod) || hasHostNamespace(pod) ||
 hasHostVolume(pod) || hasNonNamespacedCapability(pod) || kl.hasHostMountPVC(pod) {
 return true
 }
 return false
 }
 
-// hasPrivilegedContainer returns true if any of the containers in the pod are privileged.
-func hasPrivilegedContainer(pod *v1.Pod) bool {
- for _, c := range pod.Spec.Containers {
- if c.SecurityContext != nil &&
- c.SecurityContext.Privileged != nil &&
- *c.SecurityContext.Privileged {
- return true
- }
- }
- return false
-}
-
 // hasNonNamespacedCapability returns true if MKNOD, SYS_TIME, or SYS_MODULE is requested for any container.
 func hasNonNamespacedCapability(pod *v1.Pod) bool {
 for _, c := range pod.Spec.Containers {
diff --git a/pkg/kubelet/kubelet_pods_test.go b/pkg/kubelet/kubelet_pods_test.go
index 7cac9533835..f8a7982e3e7 100644
--- a/pkg/kubelet/kubelet_pods_test.go
+++ b/pkg/kubelet/kubelet_pods_test.go
@@ -1266,47 +1266,6 @@ func TestMakeDevices(t *testing.T) {
 }
 }
 
-func TestHasPrivilegedContainer(t *testing.T) {
- newBoolPtr := func(b bool) *bool {
- return &b
- }
- tests := map[string]struct {
- securityContext *v1.SecurityContext
- expected bool
- }{
- "nil sc": {
- securityContext: nil,
- expected: false,
- },
- "nil privleged": {
- securityContext: &v1.SecurityContext{},
- expected: false,
- },
- "false privleged": {
- securityContext: &v1.SecurityContext{Privileged: newBoolPtr(false)},
- expected: false,
- },
- "true privleged": {
- securityContext: &v1.SecurityContext{Privileged: newBoolPtr(true)},
- expected: true,
- },
- }
-
- for k, v := range tests {
- pod := &v1.Pod{
- Spec: v1.PodSpec{
- Containers: []v1.Container{
- {SecurityContext: v.securityContext},
- },
- },
- }
- actual := hasPrivilegedContainer(pod)
- if actual != v.expected {
- t.Errorf("%s expected %t but got %t", k, v.expected, actual)
- }
- }
-}
-
 func TestHasHostMountPVC(t *testing.T) {
 tests := map[string]struct {
 pvError error
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index 137cfe8fbf2..46a13b160bd 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -130,23 +130,21 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxConfig(pod *v1.Pod, attemp
 
 // generatePodSandboxLinuxConfig generates LinuxPodSandboxConfig from v1.Pod.
 func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, cgroupParent string) *runtimeapi.LinuxPodSandboxConfig {
- if pod.Spec.SecurityContext == nil && cgroupParent == "" {
- return nil
+ lc := &runtimeapi.LinuxPodSandboxConfig{
+ SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{},
 }
 
- lc := &runtimeapi.LinuxPodSandboxConfig{}
 if cgroupParent != "" {
 lc.CgroupParent = &cgroupParent
 }
+
 if pod.Spec.SecurityContext != nil {
 sc := pod.Spec.SecurityContext
- lc.SecurityContext = &runtimeapi.LinuxSandboxSecurityContext{
- NamespaceOptions: &runtimeapi.NamespaceOption{
- HostNetwork: &pod.Spec.HostNetwork,
- HostIpc: &pod.Spec.HostIPC,
- HostPid: &pod.Spec.HostPID,
- },
- RunAsUser: sc.RunAsUser,
+ lc.SecurityContext.RunAsUser = sc.RunAsUser
+ lc.SecurityContext.NamespaceOptions = &runtimeapi.NamespaceOption{
+ HostNetwork: &pod.Spec.HostNetwork,
+ HostIpc: &pod.Spec.HostIPC,
+ HostPid: &pod.Spec.HostPID,
 }
 
 if sc.FSGroup != nil {
@@ -168,6 +166,11 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
 }
 }
 
+ if kubecontainer.HasPrivilegedContainer(pod) {
+ privileged := true
+ lc.SecurityContext.Privileged = &privileged
+ }
+
 return lc
 }
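Review bot: The NamespaceOptions assignment is still nested under `if pod.Spec.SecurityContext != nil` even though it reads only pod.Spec.HostNetwork, HostIPC and HostPID; now that lc.SecurityContext is always allocated, a pod that reaches this function with a nil SecurityContext gets an empty LinuxSandboxSecurityContext and its host-namespace request is silently dropped. API defaulting presumably fills SecurityContext before the kubelet sees the pod, but nothing in this function relies on that, so the namespace options should be populated when lc is built and only RunAsUser, FSGroup and SupplementalGroups should stay under the guard. The function also no longer returns nil for a pod with neither a SecurityContext nor a cgroup parent; any caller or test that checked for a nil LinuxConfig needs updating, and the doc comment should state that the result is never nil. The FSGroup/SupplementalGroups handling continues past the end of this hunk.
```go
	lc := &runtimeapi.LinuxPodSandboxConfig{
		SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
			// Host namespace sharing is a pod-level setting, independent of SecurityContext.
			NamespaceOptions: &runtimeapi.NamespaceOption{
				HostNetwork: &pod.Spec.HostNetwork,
				HostIpc:     &pod.Spec.HostIPC,
				HostPid:     &pod.Spec.HostPID,
			},
		},
	}
	// … unchanged: cgroupParent handling …
	if pod.Spec.SecurityContext != nil {
		sc := pod.Spec.SecurityContext
		lc.SecurityContext.RunAsUser = sc.RunAsUser
		// … unchanged: FSGroup / SupplementalGroups handling …
```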
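Review bot: Marking the whole sandbox privileged because a single container asks for it widens the privilege of the pod's shared infrastructure, and neither the doc comment on generatePodSandboxLinuxConfig (which starts in the previous hunk) nor the new block says so; add `// The sandbox is marked privileged whenever any container in the pod is privileged.` to the function comment and a one-line why-comment on the new branch stating what the runtime needs the privileged sandbox for, since the commit message does not say. The diffstat shows no change to a kuberuntime test, so neither outcome of the new branch is covered; a case in the sandbox config test asserting that lc.SecurityContext.Privileged is set for a pod with one privileged container and left nil otherwise would pin it. Because HasPrivilegedContainer inspects only pod.Spec.Containers, a privileged init container does not reach this branch.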