17 package kuberuntime
18
19 import (
20 v1 "k8s.io/api/core/v1"
21 runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
22 runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util"
23 "k8s.io/kubernetes/pkg/securitycontext"
24 )
25
26
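// determineEffectiveSecurityContext builds the CRI LinuxContainerSecurityContext
// that the runtime is asked to apply to container in pod.
//
// The context is assembled in this order:
//  1. the effective v1.SecurityContext (pod and container merged by
//     securitycontext.DetermineEffectiveSecurityContext) converted to CRI
//     fields via convertToRuntimeSecurityContext: capabilities, SELinux
//     options, RunAsUser/RunAsGroup, Privileged and ReadonlyRootfs;
//  2. the seccomp profile resolved from pod annotations, the pod and container
//     security contexts and the kubelet's seccompDefault setting;
//  3. the AppArmor profile for the container;
//  4. uid/username, applied ONLY when the effective security context did not
//     set RunAsUser (the caller supplies these; presumably they come from the
//     image config — confirm against the caller);
//  5. namespace options from runtimeutil.NamespacesForPod;
//  6. supplemental groups, in order: FSGroup, the pod's SupplementalGroups,
//     then any extra groups the runtime helper reports for the pod. Nothing is
//     de-duplicated;
//  7. NoNewPrivs, derived from the effective security context by
//     securitycontext.AddNoNewPrivileges;
//  8. MaskedPaths/ReadonlyPaths for /proc, derived from ProcMount.
//
// Parameters:
//
//	pod, container: the pod and the container the context is built for.
//	uid, username:  fallback identity used only when RunAsUser is unset;
//	                uid may be nil, in which case only RunAsUsername is set.
//
// Returns the synthesized context, or the error from seccomp, AppArmor or
// namespace resolution; nothing built so far is returned on error.
//
// NOTE(review): RunAsNonRoot is not evaluated in this function; it is
// presumably enforced elsewhere by the kubelet — verify before relying on it.
func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) {
	effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
	synthesized := convertToRuntimeSecurityContext(effectiveSc)
	if synthesized == nil {
		// MaskedPaths and ReadonlyPaths are assigned unconditionally at the
		// end of this function, so an empty context is sufficient here
		// (the previous version pre-populated them redundantly).
		synthesized = &runtimeapi.LinuxContainerSecurityContext{}
	}
	var err error

	// Seccomp: annotations and explicit securityContext fields take part in the
	// resolution together with the kubelet-wide default.
	synthesized.Seccomp, err = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
	if err != nil {
		return nil, err
	}

	// AppArmor: both the structured field and the string profile name are set
	// from the same resolution.
	synthesized.Apparmor, synthesized.ApparmorProfile, err = getAppArmorProfile(pod, container)
	if err != nil {
		return nil, err
	}

	// Identity fallback: an explicit RunAsUser in the effective security
	// context always wins over the uid/username supplied by the caller.
	if synthesized.RunAsUser == nil {
		if uid != nil {
			synthesized.RunAsUser = &runtimeapi.Int64Value{Value: *uid}
		}
		synthesized.RunAsUsername = username
	}

	// Namespace sharing (host/pod/container) is decided per pod.
	namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, m.runtimeClassManager)
	if err != nil {
		return nil, err
	}
	synthesized.NamespaceOptions = namespaceOptions

	// Supplemental groups: FSGroup is granted as a group membership in addition
	// to whatever the pod lists explicitly.
	podSc := pod.Spec.SecurityContext
	if podSc != nil {
		if podSc.FSGroup != nil {
			synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(*podSc.FSGroup))
		}

		if podSc.SupplementalGroups != nil {
			for _, sg := range podSc.SupplementalGroups {
				synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(sg))
			}
		}
	}
	// Extra groups provided by the runtime helper (e.g. for volumes) are
	// appended last.
	if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
		synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, groups...)
	}

	synthesized.NoNewPrivs = securitycontext.AddNoNewPrivileges(effectiveSc)

	// /proc hardening: which paths are masked or read-only depends on the
	// requested ProcMount type.
	synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount)
	synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount)

	return synthesized, nil
}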
86
87
// convertToRuntimeSecurityContext maps the container-level fields of a
// v1.SecurityContext onto a CRI LinuxContainerSecurityContext.
//
// Only Capabilities, SELinuxOptions, RunAsUser, RunAsGroup, Privileged and
// ReadOnlyRootFilesystem are read. Other fields of the input (for example
// RunAsNonRoot or AllowPrivilegeEscalation) are not consulted here; seccomp,
// AppArmor, namespaces, supplemental groups, NoNewPrivs and the /proc path
// lists are likewise left for the caller to fill in. A nil Privileged or
// ReadOnlyRootFilesystem pointer leaves the corresponding CRI boolean false.
//
// Returns nil when securityContext is nil.
func convertToRuntimeSecurityContext(securityContext *v1.SecurityContext) *runtimeapi.LinuxContainerSecurityContext {
	if securityContext == nil {
		return nil
	}

	out := &runtimeapi.LinuxContainerSecurityContext{
		Capabilities:   convertToRuntimeCapabilities(securityContext.Capabilities),
		SelinuxOptions: convertToRuntimeSELinuxOption(securityContext.SELinuxOptions),
	}

	if u := securityContext.RunAsUser; u != nil {
		out.RunAsUser = &runtimeapi.Int64Value{Value: int64(*u)}
	}
	if g := securityContext.RunAsGroup; g != nil {
		out.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*g)}
	}
	if priv := securityContext.Privileged; priv != nil {
		out.Privileged = *priv
	}
	if ro := securityContext.ReadOnlyRootFilesystem; ro != nil {
		out.ReadonlyRootfs = *ro
	}

	return out
}
112
113
// convertToRuntimeSELinuxOption copies the SELinux user/role/type/level from
// the API representation into the CRI representation, field by field and
// without validation. Returns nil when opts is nil.
func convertToRuntimeSELinuxOption(opts *v1.SELinuxOptions) *runtimeapi.SELinuxOption {
	if opts == nil {
		return nil
	}

	out := &runtimeapi.SELinuxOption{}
	out.User = opts.User
	out.Role = opts.Role
	out.Type = opts.Type
	out.Level = opts.Level
	return out
}
126
127
// convertToRuntimeCapabilities converts the add/drop capability lists of a
// v1.Capabilities into the CRI Capability message.
//
// Capability names are passed through verbatim (no validation, normalization
// or special-casing is performed here); both output lists are always non-nil
// slices, empty when the corresponding input list is nil or empty.
//
// Returns nil when opts is nil.
func convertToRuntimeCapabilities(opts *v1.Capabilities) *runtimeapi.Capability {
	if opts == nil {
		return nil
	}

	// Convert one capability list; the result has exactly len(caps) entries.
	toStrings := func(caps []v1.Capability) []string {
		names := make([]string, 0, len(caps))
		for _, c := range caps {
			names = append(names, string(c))
		}
		return names
	}

	return &runtimeapi.Capability{
		AddCapabilities:  toStrings(opts.Add),
		DropCapabilities: toStrings(opts.Drop),
	}
}
146