
generate kube: support --privileged
Do not play with capabilities for privileged containers where all
capabilities will be set implicitly.

Also, avoid the device check when running privileged since all of /dev/*
will be mounted in any case.

Fixes: #8897
Signed-off-by: Valentin Rothberg <[email protected]>
vrothberg committed Feb 9, 2021
1 parent 9da4169 commit 48c612c
Showing 2 changed files with 48 additions and 7 deletions.
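--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -322,7 +322,8 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, *v1.PodDNS
 return kubeContainer, kubeVolumes, nil, err
 }
 
-if len(c.config.Spec.Linux.Devices) > 0 {
+// NOTE: a privileged container mounts all of /dev/*.
+if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 {
 // TODO Enable when we can support devices and their names
 kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices)
 return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices")
@@ -625,13 +626,18 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {
 
 // generateKubeSecurityContext generates a securityContext based on the existing container
 func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
-priv := c.Privileged()
+privileged := c.Privileged()
 ro := c.IsReadOnly()
 allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges
 
-newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
-if err != nil {
-return nil, err
+var capabilities *v1.Capabilities
+if !privileged {
+// Running privileged adds all caps.
+newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
+if err != nil {
+return nil, err
+}
+capabilities = newCaps
 }
 
 var selinuxOpts v1.SELinuxOptions
@@ -651,8 +657,8 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
 }
 
 sc := v1.SecurityContext{
-Capabilities: newCaps,
-Privileged: &priv,
+Capabilities: capabilities,
+Privileged: &privileged,
 SELinuxOptions: &selinuxOpts,
 // RunAsNonRoot is an optional parameter; our first implementations should be root only; however
 // I'm leaving this as a bread-crumb for later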
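Review bot: The privileged branch in generateKubeSecurityContext leaves Capabilities nil without saying why, and the function's doc comment still describes only the non-privileged case; add a line such as `// For privileged containers Capabilities stays nil: Kubernetes grants every capability to a privileged container, so an explicit add/drop list would be redundant.` so the next reader does not "fix" it. If a privileged container's spec can still carry an explicit capability drop list (I cannot tell from this hunk), that restriction is silently lost in the generated manifest and deserves at least a warning at the same spot. The device hunk in containerToV1Container has the same shape: a privileged container with spec devices no longer returns ErrNotImplemented but also emits nothing for those devices, which is fine given the NOTE but is worth stating in the generated-YAML documentation as well. Both enclosing functions start and end outside the hunks.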
35 changes: 35 additions & 0 deletions test/e2e/generate_kube_test.go
Expand Up @@ -699,4 +699,39 @@ ENTRYPOINT /bin/sleep`
Expect(containers[0].Command).To(Equal([]string{"/bin/sh", "-c", "/bin/sleep"}))
Expect(containers[0].Args).To(Equal([]string{"10s"}))
})

It("podman generate kube - --privileged container", func() {
session := podmanTest.Podman([]string{"create", "--pod", "new:testpod", "--privileged", ALPINE, "ls"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))

kube := podmanTest.Podman([]string{"generate", "kube", "testpod"})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

// Now make sure that the capabilities aren't set.
pod := new(v1.Pod)
err := yaml.Unmarshal(kube.Out.Contents(), pod)
Expect(err).To(BeNil())

containers := pod.Spec.Containers
Expect(len(containers)).To(Equal(1))
Expect(containers[0].SecurityContext.Capabilities).To(BeNil())

// Now make sure we can also `play` it.
kubeFile := filepath.Join(podmanTest.TempDir, "kube.yaml")

kube = podmanTest.Podman([]string{"generate", "kube", "testpod", "-f", kubeFile})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

// Remove the pod so play can recreate it.
kube = podmanTest.Podman([]string{"pod", "rm", "-f", "testpod"})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

kube = podmanTest.Podman([]string{"play", "kube", kubeFile})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))
})
})
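Review bot: The new test dereferences `containers[0].SecurityContext.Capabilities` without first asserting that SecurityContext is non-nil, so a regression that drops the security context entirely would show up as a nil-pointer panic in the test rather than a failed expectation, and the property the manifest now relies on in place of capabilities is never checked. Add `Expect(containers[0].SecurityContext).ToNot(BeNil())` before the Capabilities assertion and `Expect(*containers[0].SecurityContext.Privileged).To(BeTrue())` after it. The play kube round-trip only checks the exit code; inspecting the recreated container for its privileged flag would close the loop, unless that is covered by another test. The enclosing Describe block starts outside the hunk.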
