Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

generate kube: do not set caps with --privileged #9283

Merged
merged 1 commit into from
Feb 9, 2021
Merged

generate kube: do not set caps with --privileged #9283

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 13 additions & 7 deletions libpod/kube.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -322,7 +322,8 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, *v1.PodDNS
return kubeContainer, kubeVolumes, nil, err
}

if len(c.config.Spec.Linux.Devices) > 0 {
// NOTE: a privileged container mounts all of /dev/*.
if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 {
// TODO Enable when we can support devices and their names
kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices)
return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices")
Expand Down Expand Up @@ -625,13 +626,18 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {

// generateKubeSecurityContext generates a securityContext based on the existing container
func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
priv := c.Privileged()
privileged := c.Privileged()
ro := c.IsReadOnly()
allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges

newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
if err != nil {
return nil, err
var capabilities *v1.Capabilities
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be initialized? (I'm not a Gohead; I may be missing something obvious)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's no required here. Setting the container to privileged implies that all caps get set later on:

$ podman (fix-8897) $ podman top 5e5eb6e0fb43 capeff
EFFECTIVE CAPS
full

if !privileged {
// Running privileged adds all caps.
newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
if err != nil {
return nil, err
}
capabilities = newCaps
}

var selinuxOpts v1.SELinuxOptions
Expand All @@ -651,8 +657,8 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
}

sc := v1.SecurityContext{
Capabilities: newCaps,
Privileged: &priv,
Capabilities: capabilities,
Privileged: &privileged,
SELinuxOptions: &selinuxOpts,
// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
// I'm leaving this as a bread-crumb for later
Expand Down
35 changes: 35 additions & 0 deletions test/e2e/generate_kube_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -699,4 +699,39 @@ ENTRYPOINT /bin/sleep`
Expect(containers[0].Command).To(Equal([]string{"/bin/sh", "-c", "/bin/sleep"}))
Expect(containers[0].Args).To(Equal([]string{"10s"}))
})

It("podman generate kube - --privileged container", func() {
session := podmanTest.Podman([]string{"create", "--pod", "new:testpod", "--privileged", ALPINE, "ls"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))

kube := podmanTest.Podman([]string{"generate", "kube", "testpod"})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

// Now make sure that the capabilities aren't set.
pod := new(v1.Pod)
err := yaml.Unmarshal(kube.Out.Contents(), pod)
Expect(err).To(BeNil())

containers := pod.Spec.Containers
Expect(len(containers)).To(Equal(1))
Expect(containers[0].SecurityContext.Capabilities).To(BeNil())

// Now make sure we can also `play` it.
kubeFile := filepath.Join(podmanTest.TempDir, "kube.yaml")

kube = podmanTest.Podman([]string{"generate", "kube", "testpod", "-f", kubeFile})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

// Remove the pod so play can recreate it.
kube = podmanTest.Podman([]string{"pod", "rm", "-f", "testpod"})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

kube = podmanTest.Podman([]string{"play", "kube", kubeFile})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))
})
})