Merge pull request #17258 from openshift-cherrypick-robot/cherry-pick…

…-17213-to-v4.4 [v4.4] Set runAsNonRoot=true in gen kube
containers · Jan 29, 2023 · 1f96d03 · 1f96d03
2 parents cc91db6 + f4bf448
commit 1f96d03
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/libpod/kube.go b/libpod/kube.go
@@ -686,6 +686,13 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []
 	if imgData.User == c.User() && hasSecData {
 		kubeSec.RunAsGroup, kubeSec.RunAsUser = nil, nil
 	}
+	// If the image has user set as a positive integer value, then set runAsNonRoot to true
+	// in the kube yaml
+	imgUserID, err := strconv.Atoi(imgData.User)
+	if err == nil && imgUserID > 0 {
+		trueBool := true
+		kubeSec.RunAsNonRoot = &trueBool
+	}
 
 	envVariables, err := libpodEnvVarsToKubeEnvVars(c.config.Spec.Process.Env, imgData.Config.Env)
 	if err != nil {

diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go
@@ -1085,6 +1085,41 @@ ENTRYPOINT ["sleep"]`
 		Expect(containers[0]).To(HaveField("Args", []string{"hello"}))
 	})
 
+	It("podman generate kube - image has positive integer user set", func() {
+		// Build an image with user=1000.
+		containerfile := `FROM quay.io/libpod/alpine:latest
+USER 1000`
+
+		targetPath, err := CreateTempDirInTempDir()
+		Expect(err).ToNot(HaveOccurred())
+		containerfilePath := filepath.Join(targetPath, "Containerfile")
+		err = os.WriteFile(containerfilePath, []byte(containerfile), 0644)
+		Expect(err).ToNot(HaveOccurred())
+
+		image := "generatekube:test"
+		session := podmanTest.Podman([]string{"build", "--pull-never", "-f", containerfilePath, "-t", image})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		session = podmanTest.Podman([]string{"create", "--pod", "new:testpod", image, "top"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		kube := podmanTest.Podman([]string{"generate", "kube", "testpod"})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).Should(Exit(0))
+
+		// Now make sure that the container's securityContext has runAsNonRoot=true
+		pod := new(v1.Pod)
+		err = yaml.Unmarshal(kube.Out.Contents(), pod)
+		Expect(err).ToNot(HaveOccurred())
+
+		containers := pod.Spec.Containers
+		Expect(containers).To(HaveLen(1))
+		trueBool := true
+		Expect(containers[0]).To(HaveField("SecurityContext.RunAsNonRoot", &trueBool))
+	})
+
 	It("podman generate kube - --privileged container", func() {
 		session := podmanTest.Podman([]string{"create", "--pod", "new:testpod", "--privileged", ALPINE, "ls"})
 		session.WaitWithDefaultTimeout()