Skip to content

Commit

Permalink
fix security-opt generate kube
Browse files Browse the repository at this point in the history
fix #4950
add selinux options from --security-opt of the container to generate kube result

Signed-off-by: Qi Wang <[email protected]>
  • Loading branch information
QiWang19 committed Mar 3, 2020
1 parent 47c4ea3 commit 17bab33
Show file tree
Hide file tree
Showing 2 changed files with 65 additions and 5 deletions.
23 changes: 19 additions & 4 deletions libpod/kube.go
Original file line number Diff line number Diff line change
Expand Up @@ -468,11 +468,26 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
return nil, err
}

var selinuxOpts v1.SELinuxOptions
opts := strings.SplitN(c.config.Spec.Annotations[InspectAnnotationLabel], ":", 2)
if len(opts) == 2 {
switch opts[0] {
case "type":
selinuxOpts.Type = opts[1]
case "level":
selinuxOpts.Level = opts[1]
}
}
if len(opts) == 1 {
if opts[0] == "disable" {
selinuxOpts.Type = "spc_t"
}
}

sc := v1.SecurityContext{
Capabilities: newCaps,
Privileged: &priv,
// TODO How do we know if selinux were passed into podman
//SELinuxOptions:
Capabilities: newCaps,
Privileged: &priv,
SELinuxOptions: &selinuxOpts,
// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
// I'm leaving this as a bread-crumb for later
//RunAsNonRoot: &nonRoot,
Expand Down
47 changes: 46 additions & 1 deletion test/e2e/generate_kube_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import (
"github.com/ghodss/yaml"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
)

var _ = Describe("Podman generate kube", func() {
Expand Down Expand Up @@ -69,6 +69,51 @@ var _ = Describe("Podman generate kube", func() {
Expect(numContainers).To(Equal(1))
})

It("podman generate service kube on container with --security-opt level", func() {
session := podmanTest.Podman([]string{"create", "--name", "test", "--security-opt", "label=level:s0:c100,c200", "alpine"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))

kube := podmanTest.Podman([]string{"generate", "kube", "test"})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

pod := new(v1.Pod)
err := yaml.Unmarshal(kube.Out.Contents(), pod)
Expect(err).To(BeNil())
Expect(kube.OutputToString()).To(ContainSubstring("level: s0:c100,c200"))
})

It("podman generate service kube on container with --security-opt disable", func() {
session := podmanTest.Podman([]string{"create", "--name", "test-disable", "--security-opt", "label=disable", "alpine"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))

kube := podmanTest.Podman([]string{"generate", "kube", "test-disable"})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

pod := new(v1.Pod)
err = yaml.Unmarshal(kube.Out.Contents(), pod)
Expect(err).To(BeNil())
Expect(kube.OutputToString()).To(ContainSubstring("type: spc_t"))
})

It("podman generate service kube on container with --security-opt type", func() {
session := podmanTest.Podman([]string{"create", "--name", "test", "--security-opt", "label=type:foo_bar_t", "alpine"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))

kube := podmanTest.Podman([]string{"generate", "kube", "test"})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

pod := new(v1.Pod)
err = yaml.Unmarshal(kube.Out.Contents(), pod)
Expect(err).To(BeNil())
Expect(kube.OutputToString()).To(ContainSubstring("type: foo_bar_t"))
})

It("podman generate service kube on container", func() {
session := podmanTest.RunTopContainer("top")
session.WaitWithDefaultTimeout()
Expand Down

0 comments on commit 17bab33

Please sign in to comment.