When introducing the new "generic" volume type for generic ephemeral
inline volumes, the storage policy for PodSecurityPolicy objects
should have been extended so that this new type is valid only
if the generic ephemeral volume feature is enabled or an
existing object already has it.
Adding the new type to the internal API was also missed.
The `apparmor_parser` binary is not really required for a system to run
AppArmor from a Kubernetes perspective. How to apply the profile is more
in the responsibility of lower level runtimes like CRI-O and containerd,
which may do the binary check on their own.
This synchronizes the current libcontainer implementation with the
vendored Kubernetes source code and allows distributions to use
AppArmor, even when they do not have the parser available in
`/sbin/apparmor_parser`.
Signed-off-by: Sascha Grunert <mail@saschagrunert.de>
With the graduation of seccomp to GA we automatically convert the
deprecated seccomp profile annotation `docker/default` to
`runtime/default`. This means that we now have to automatically allow
`runtime/default` if a user specifies `docker/default` and vice versa in
an allowed PSP seccomp profile.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
sysctl value `net.ipv4.ping_group_range` can be used for allowing `ping`
command without `CAP_NET_RAW` capability.
e.g. `net.ipv4.ping_group_range="0 42"` to allow ping for users with
GID 0-GID 42.
This sysctl value was introduced in kernel 3.0 and has been namespaced
since its birth.
c319b4d76b (diff-5b536a7a92abed603bbb4caa61613270R57)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Adds "MayRunAs" value among other group strategies. This strategy
allows to define a certain range of GIDs for FSGroupStrategy and
SupplementalGroupStrategy in a PSP.
This new strategy works similarly to the "MustRunAs" one, except that
when no GID is specified in a pod/container security context then no
GID is generated for the respective containers.
Resolves#56173
Automatic merge from submit-queue (batch tested with PRs 65251, 67255, 67224, 67297, 68105). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Cleanup PodSecurityPolicy AllowPrivEsc tests
**What this PR does / why we need it**:
Old tests were confusing and missing a lot of combinations. The new test is a simple table-driven test with all valid combinations.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes ##67387
**Special notes for your reviewer**:
Alternative to https://github.com/kubernetes/kubernetes/pull/67388
**Release note**:
```release-note
NONE
```
