Sign In
golang
/
flannel
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e6edfac9cb
Branches Tags
flannel
/
vendor
/
k8s.io
/
kubernetes
/
pkg
/
securitycontext
/
provider.go

provider.go 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194 
  1. /*
    2. 

  2. Copyright 2014 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package securitycontext
    18. 

  18. 

  19. import (
    20. 

  20. 	"fmt"
    21. 

  21. 	"strconv"
    22. 

  22. 

  23. 	"k8s.io/kubernetes/pkg/api"
    24. 

  24. 	"k8s.io/kubernetes/pkg/kubelet/leaky"
    25. 

  25. 

  26. 	dockercontainer "github.com/docker/engine-api/types/container"
    27. 

  27. )
    28. 

  28. 

  29. // NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.
    30. 

  30. func NewSimpleSecurityContextProvider() SecurityContextProvider {
    31. 

  31. 	return SimpleSecurityContextProvider{}
    32. 

  32. }
    33. 

  33. 

  34. // SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.
    35. 

  35. type SimpleSecurityContextProvider struct{}
    36. 

  36. 

  37. // ModifyContainerConfig is called before the Docker createContainer call.
    38. 

  38. // The security context provider can make changes to the Config with which
    39. 

  39. // the container is created.
    40. 

  40. func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config) {
    41. 

  41. 	effectiveSC := DetermineEffectiveSecurityContext(pod, container)
    42. 

  42. 	if effectiveSC == nil {
    43. 

  43. 		return
    44. 

  44. 	}
    45. 

  45. 	if effectiveSC.RunAsUser != nil {
    46. 

  46. 		config.User = strconv.Itoa(int(*effectiveSC.RunAsUser))
    47. 

  47. 	}
    48. 

  48. }
    49. 

  49. 

  50. // ModifyHostConfig is called before the Docker runContainer call. The
    51. 

  51. // security context provider can make changes to the HostConfig, affecting
    52. 

  52. // security options, whether the container is privileged, volume binds, etc.
    53. 

  53. func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64) {
    54. 

  54. 	// Apply supplemental groups
    55. 

  55. 	if container.Name != leaky.PodInfraContainerName {
    56. 

  56. 		// TODO: We skip application of supplemental groups to the
    57. 

  57. 		// infra container to work around a runc issue which
    58. 

  58. 		// requires containers to have the '/etc/group'. For
    59. 

  59. 		// more information see:
    60. 

  60. 		// https://github.com/opencontainers/runc/pull/313
    61. 

  61. 		// This can be removed once the fix makes it into the
    62. 

  62. 		// required version of docker.
    63. 

  63. 		if pod.Spec.SecurityContext != nil {
    64. 

  64. 			for _, group := range pod.Spec.SecurityContext.SupplementalGroups {
    65. 

  65. 				hostConfig.GroupAdd = append(hostConfig.GroupAdd, strconv.Itoa(int(group)))
    66. 

  66. 			}
    67. 

  67. 			if pod.Spec.SecurityContext.FSGroup != nil {
    68. 

  68. 				hostConfig.GroupAdd = append(hostConfig.GroupAdd, strconv.Itoa(int(*pod.Spec.SecurityContext.FSGroup)))
    69. 

  69. 			}
    70. 

  70. 		}
    71. 

  71. 

  72. 		for _, group := range supplementalGids {
    73. 

  73. 			hostConfig.GroupAdd = append(hostConfig.GroupAdd, strconv.Itoa(int(group)))
    74. 

  74. 		}
    75. 

  75. 	}
    76. 

  76. 

  77. 	// Apply effective security context for container
    78. 

  78. 	effectiveSC := DetermineEffectiveSecurityContext(pod, container)
    79. 

  79. 	if effectiveSC == nil {
    80. 

  80. 		return
    81. 

  81. 	}
    82. 

  82. 

  83. 	if effectiveSC.Privileged != nil {
    84. 

  84. 		hostConfig.Privileged = *effectiveSC.Privileged
    85. 

  85. 	}
    86. 

  86. 

  87. 	if effectiveSC.Capabilities != nil {
    88. 

  88. 		add, drop := MakeCapabilities(effectiveSC.Capabilities.Add, effectiveSC.Capabilities.Drop)
    89. 

  89. 		hostConfig.CapAdd = add
    90. 

  90. 		hostConfig.CapDrop = drop
    91. 

  91. 	}
    92. 

  92. 

  93. 	if effectiveSC.SELinuxOptions != nil {
    94. 

  94. 		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelUser, effectiveSC.SELinuxOptions.User)
    95. 

  95. 		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelRole, effectiveSC.SELinuxOptions.Role)
    96. 

  96. 		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelType, effectiveSC.SELinuxOptions.Type)
    97. 

  97. 		hostConfig.SecurityOpt = modifySecurityOption(hostConfig.SecurityOpt, dockerLabelLevel, effectiveSC.SELinuxOptions.Level)
    98. 

  98. 	}
    99. 

  99. }
    100. 

  100. 

  101. // modifySecurityOption adds the security option of name to the config array with value in the form
    102. 

  102. // of name:value
    103. 

  103. func modifySecurityOption(config []string, name, value string) []string {
    104. 

  104. 	if len(value) > 0 {
    105. 

  105. 		config = append(config, fmt.Sprintf("%s:%s", name, value))
    106. 

  106. 	}
    107. 

  107. 	return config
    108. 

  108. }
    109. 

  109. 

  110. // MakeCapabilities creates string slices from Capability slices
    111. 

  111. func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string) {
    112. 

  112. 	var (
    113. 

  113. 		addCaps  []string
    114. 

  114. 		dropCaps []string
    115. 

  115. 	)
    116. 

  116. 	for _, cap := range capAdd {
    117. 

  117. 		addCaps = append(addCaps, string(cap))
    118. 

  118. 	}
    119. 

  119. 	for _, cap := range capDrop {
    120. 

  120. 		dropCaps = append(dropCaps, string(cap))
    121. 

  121. 	}
    122. 

  122. 	return addCaps, dropCaps
    123. 

  123. }
    124. 

  124. 

  125. func DetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext {
    126. 

  126. 	effectiveSc := securityContextFromPodSecurityContext(pod)
    127. 

  127. 	containerSc := container.SecurityContext
    128. 

  128. 

  129. 	if effectiveSc == nil && containerSc == nil {
    130. 

  130. 		return nil
    131. 

  131. 	}
    132. 

  132. 	if effectiveSc != nil && containerSc == nil {
    133. 

  133. 		return effectiveSc
    134. 

  134. 	}
    135. 

  135. 	if effectiveSc == nil && containerSc != nil {
    136. 

  136. 		return containerSc
    137. 

  137. 	}
    138. 

  138. 

  139. 	if containerSc.SELinuxOptions != nil {
    140. 

  140. 		effectiveSc.SELinuxOptions = new(api.SELinuxOptions)
    141. 

  141. 		*effectiveSc.SELinuxOptions = *containerSc.SELinuxOptions
    142. 

  142. 	}
    143. 

  143. 

  144. 	if containerSc.Capabilities != nil {
    145. 

  145. 		effectiveSc.Capabilities = new(api.Capabilities)
    146. 

  146. 		*effectiveSc.Capabilities = *containerSc.Capabilities
    147. 

  147. 	}
    148. 

  148. 

  149. 	if containerSc.Privileged != nil {
    150. 

  150. 		effectiveSc.Privileged = new(bool)
    151. 

  151. 		*effectiveSc.Privileged = *containerSc.Privileged
    152. 

  152. 	}
    153. 

  153. 

  154. 	if containerSc.RunAsUser != nil {
    155. 

  155. 		effectiveSc.RunAsUser = new(int64)
    156. 

  156. 		*effectiveSc.RunAsUser = *containerSc.RunAsUser
    157. 

  157. 	}
    158. 

  158. 

  159. 	if containerSc.RunAsNonRoot != nil {
    160. 

  160. 		effectiveSc.RunAsNonRoot = new(bool)
    161. 

  161. 		*effectiveSc.RunAsNonRoot = *containerSc.RunAsNonRoot
    162. 

  162. 	}
    163. 

  163. 

  164. 	if containerSc.ReadOnlyRootFilesystem != nil {
    165. 

  165. 		effectiveSc.ReadOnlyRootFilesystem = new(bool)
    166. 

  166. 		*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem
    167. 

  167. 	}
    168. 

  168. 

  169. 	return effectiveSc
    170. 

  170. }
    171. 

  171. 

  172. func securityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityContext {
    173. 

  173. 	if pod.Spec.SecurityContext == nil {
    174. 

  174. 		return nil
    175. 

  175. 	}
    176. 

  176. 

  177. 	synthesized := &api.SecurityContext{}
    178. 

  178. 

  179. 	if pod.Spec.SecurityContext.SELinuxOptions != nil {
    180. 

  180. 		synthesized.SELinuxOptions = &api.SELinuxOptions{}
    181. 

  181. 		*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
    182. 

  182. 	}
    183. 

  183. 	if pod.Spec.SecurityContext.RunAsUser != nil {
    184. 

  184. 		synthesized.RunAsUser = new(int64)
    185. 

  185. 		*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
    186. 

  186. 	}
    187. 

  187. 

  188. 	if pod.Spec.SecurityContext.RunAsNonRoot != nil {
    189. 

  189. 		synthesized.RunAsNonRoot = new(bool)
    190. 

  190. 		*synthesized.RunAsNonRoot = *pod.Spec.SecurityContext.RunAsNonRoot
    191. 

  191. 	}
    192. 

  192. 

  193. 	return synthesized
    194. 

  194. }
    195.