Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
445393fd
Commit
445393fd
authored
Nov 28, 2017
by
Slava Semushin
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
kubelet: MustRunAsNonRoot should reject a pod if it has non-numeric USER.
parent
710a1240
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
26 additions
and
13 deletions
+26
-13
kuberuntime_container.go
pkg/kubelet/kuberuntime/kuberuntime_container.go
+4
-7
kuberuntime_container_test.go
pkg/kubelet/kuberuntime/kuberuntime_container_test.go
+13
-1
security_context.go
pkg/kubelet/kuberuntime/security_context.go
+7
-4
security_context_test.go
pkg/kubelet/kuberuntime/security_context_test.go
+2
-1
No files found.
pkg/kubelet/kuberuntime/kuberuntime_container.go
View file @
445393fd
...
...
@@ -183,13 +183,10 @@ func (m *kubeGenericRuntimeManager) generateContainerConfig(container *v1.Contai
if
err
!=
nil
{
return
nil
,
err
}
if
uid
!=
nil
{
// Verify RunAsNonRoot. Non-root verification only supports numeric user.
if
err
:=
verifyRunAsNonRoot
(
pod
,
container
,
*
uid
);
err
!=
nil
{
return
nil
,
err
}
}
else
if
username
!=
""
{
glog
.
Warningf
(
"Non-root verification doesn't support non-numeric user (%s)"
,
username
)
// Verify RunAsNonRoot. Non-root verification only supports numeric user.
if
err
:=
verifyRunAsNonRoot
(
pod
,
container
,
uid
,
username
);
err
!=
nil
{
return
nil
,
err
}
command
,
args
:=
kubecontainer
.
ExpandContainerCommandAndArgs
(
container
,
opts
.
Envs
)
...
...
pkg/kubelet/kuberuntime/kuberuntime_container_test.go
View file @
445393fd
...
...
@@ -236,7 +236,7 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
}
func
TestGenerateContainerConfig
(
t
*
testing
.
T
)
{
_
,
_
,
m
,
err
:=
createTestRuntimeManager
()
_
,
imageService
,
m
,
err
:=
createTestRuntimeManager
()
assert
.
NoError
(
t
,
err
)
pod
:=
&
v1
.
Pod
{
...
...
@@ -290,6 +290,18 @@ func TestGenerateContainerConfig(t *testing.T) {
_
,
err
=
m
.
generateContainerConfig
(
&
podWithContainerSecurityContext
.
Spec
.
Containers
[
0
],
podWithContainerSecurityContext
,
0
,
""
,
podWithContainerSecurityContext
.
Spec
.
Containers
[
0
]
.
Image
)
assert
.
Error
(
t
,
err
)
imageId
,
_
:=
imageService
.
PullImage
(
&
runtimeapi
.
ImageSpec
{
Image
:
"busybox"
},
nil
)
image
,
_
:=
imageService
.
ImageStatus
(
&
runtimeapi
.
ImageSpec
{
Image
:
imageId
})
image
.
Uid
=
nil
image
.
Username
=
"test"
podWithContainerSecurityContext
.
Spec
.
Containers
[
0
]
.
SecurityContext
.
RunAsUser
=
nil
podWithContainerSecurityContext
.
Spec
.
Containers
[
0
]
.
SecurityContext
.
RunAsNonRoot
=
&
runAsNonRootTrue
_
,
err
=
m
.
generateContainerConfig
(
&
podWithContainerSecurityContext
.
Spec
.
Containers
[
0
],
podWithContainerSecurityContext
,
0
,
""
,
podWithContainerSecurityContext
.
Spec
.
Containers
[
0
]
.
Image
)
assert
.
Error
(
t
,
err
,
"RunAsNonRoot should fail for non-numeric username"
)
}
func
TestLifeCycleHook
(
t
*
testing
.
T
)
{
...
...
pkg/kubelet/kuberuntime/security_context.go
View file @
445393fd
...
...
@@ -75,7 +75,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
}
// verifyRunAsNonRoot verifies RunAsNonRoot.
func
verifyRunAsNonRoot
(
pod
*
v1
.
Pod
,
container
*
v1
.
Container
,
uid
int64
)
error
{
func
verifyRunAsNonRoot
(
pod
*
v1
.
Pod
,
container
*
v1
.
Container
,
uid
*
int64
,
username
string
)
error
{
effectiveSc
:=
securitycontext
.
DetermineEffectiveSecurityContext
(
pod
,
container
)
// If the option is not set, or if running as root is allowed, return nil.
if
effectiveSc
==
nil
||
effectiveSc
.
RunAsNonRoot
==
nil
||
!*
effectiveSc
.
RunAsNonRoot
{
...
...
@@ -89,11 +89,14 @@ func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid int64) error {
return
nil
}
if
uid
==
0
{
switch
{
case
uid
!=
nil
&&
*
uid
==
0
:
return
fmt
.
Errorf
(
"container has runAsNonRoot and image will run as root"
)
case
uid
==
nil
&&
len
(
username
)
>
0
:
return
fmt
.
Errorf
(
"container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root"
,
username
)
default
:
return
nil
}
return
nil
}
// convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext.
...
...
pkg/kubelet/kuberuntime/security_context_test.go
View file @
445393fd
...
...
@@ -105,7 +105,8 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
},
}
{
pod
.
Spec
.
Containers
[
0
]
.
SecurityContext
=
test
.
sc
err
:=
verifyRunAsNonRoot
(
pod
,
&
pod
.
Spec
.
Containers
[
0
],
int64
(
0
))
uid
:=
int64
(
0
)
err
:=
verifyRunAsNonRoot
(
pod
,
&
pod
.
Spec
.
Containers
[
0
],
&
uid
,
""
)
if
test
.
fail
{
assert
.
Error
(
t
,
err
,
test
.
desc
)
}
else
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment