Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
0ad51ed7
Unverified
Commit
0ad51ed7
authored
Sep 21, 2017
by
Jess Frazelle
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
AllowPrivilegeEscalation: add validations for caps and privileged
Signed-off-by:
Jess Frazelle
<
acidburn@microsoft.com
>
parent
d699a6f3
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
52 additions
and
61 deletions
+52
-61
validation.go
pkg/api/validation/validation.go
+15
-0
validation_test.go
pkg/api/validation/validation_test.go
+36
-0
util.go
pkg/securitycontext/util.go
+1
-21
util_test.go
pkg/securitycontext/util_test.go
+0
-40
No files found.
pkg/api/validation/validation.go
View file @
0ad51ed7
...
...
@@ -4388,6 +4388,21 @@ func ValidateSecurityContext(sc *api.SecurityContext, fldPath *field.Path) field
allErrs
=
append
(
allErrs
,
field
.
Invalid
(
fldPath
.
Child
(
"runAsUser"
),
*
sc
.
RunAsUser
,
isNegativeErrorMsg
))
}
}
if
sc
.
AllowPrivilegeEscalation
!=
nil
&&
!*
sc
.
AllowPrivilegeEscalation
{
if
sc
.
Privileged
!=
nil
&&
*
sc
.
Privileged
{
allErrs
=
append
(
allErrs
,
field
.
Invalid
(
fldPath
,
sc
,
"cannot set `allowPrivilegeEscalation` to false and `privileged` to true"
))
}
if
sc
.
Capabilities
!=
nil
{
for
_
,
cap
:=
range
sc
.
Capabilities
.
Add
{
if
string
(
cap
)
==
"CAP_SYS_ADMIN"
{
allErrs
=
append
(
allErrs
,
field
.
Invalid
(
fldPath
,
sc
,
"cannot set `allowPrivilegeEscalation` to false and `capabilities.Add` CAP_SYS_ADMIN"
))
}
}
}
}
return
allErrs
}
...
...
pkg/api/validation/validation_test.go
View file @
0ad51ed7
...
...
@@ -4704,6 +4704,38 @@ func TestValidatePodSpec(t *testing.T) {
DNSPolicy
:
api
.
DNSClusterFirst
,
PriorityClassName
:
"InvalidName"
,
},
"with privileged and allowPrivilegeEscalation false"
:
{
Containers
:
[]
api
.
Container
{
{
Name
:
"ctr"
,
Image
:
"image"
,
ImagePullPolicy
:
"IfNotPresent"
,
Ports
:
[]
api
.
ContainerPort
{
{
HostPort
:
8080
,
ContainerPort
:
2600
,
Protocol
:
"TCP"
}},
SecurityContext
:
&
api
.
SecurityContext
{
Privileged
:
boolPtr
(
true
),
AllowPrivilegeEscalation
:
boolPtr
(
false
),
},
},
},
},
"with CAP_SYS_ADMIN and allowPrivilegeEscalation false"
:
{
Containers
:
[]
api
.
Container
{
{
Name
:
"ctr"
,
Image
:
"image"
,
ImagePullPolicy
:
"IfNotPresent"
,
Ports
:
[]
api
.
ContainerPort
{
{
HostPort
:
8080
,
ContainerPort
:
2600
,
Protocol
:
"TCP"
}},
SecurityContext
:
&
api
.
SecurityContext
{
Capabilities
:
&
api
.
Capabilities
{
Add
:
[]
api
.
Capability
{
"CAP_SYS_ADMIN"
},
},
AllowPrivilegeEscalation
:
boolPtr
(
false
),
},
},
},
},
}
for
k
,
v
:=
range
failureCases
{
if
errs
:=
ValidatePodSpec
(
&
v
,
field
.
NewPath
(
"field"
));
len
(
errs
)
==
0
{
...
...
@@ -11082,3 +11114,7 @@ func TestValidateOrSetClientIPAffinityConfig(t *testing.T) {
}
}
}
func
boolPtr
(
b
bool
)
*
bool
{
return
&
b
}
pkg/securitycontext/util.go
View file @
0ad51ed7
...
...
@@ -242,32 +242,12 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
return
synthesized
}
// AddNoNewPrivileges returns if we should add the no_new_privs option. This will return true if:
// 1) the container is not privileged
// 2) CAP_SYS_ADMIN is not being added
// 3) if podSecurityPolicy.DefaultAllowPrivilegeEscalation is:
// - nil, then return false
// - true, then return false
// - false, then return true
// AddNoNewPrivileges returns if we should add the no_new_privs option.
func
AddNoNewPrivileges
(
sc
*
v1
.
SecurityContext
)
bool
{
if
sc
==
nil
{
return
false
}
// handle the case where the container is privileged
if
sc
.
Privileged
!=
nil
&&
*
sc
.
Privileged
{
return
false
}
// handle the case where we are adding CAP_SYS_ADMIN
if
sc
.
Capabilities
!=
nil
{
for
_
,
cap
:=
range
sc
.
Capabilities
.
Add
{
if
string
(
cap
)
==
"CAP_SYS_ADMIN"
{
return
false
}
}
}
// handle the case where the user did not set the default and did not explicitly set allowPrivilegeEscalation
if
sc
.
AllowPrivilegeEscalation
==
nil
{
return
false
...
...
pkg/securitycontext/util_test.go
View file @
0ad51ed7
...
...
@@ -188,18 +188,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
expect
bool
}{
"allowPrivilegeEscalation nil security context nil"
:
{},
"allowPrivilegeEscalation nil capAddSysadmin"
:
{
sc
:
v1
.
SecurityContext
{
Capabilities
:
&
v1
.
Capabilities
{
Add
:
[]
v1
.
Capability
{
"CAP_SYS_ADMIN"
},
},
},
},
"allowPrivilegeEscalation nil privileged"
:
{
sc
:
v1
.
SecurityContext
{
Privileged
:
&
ptrue
,
},
},
"allowPrivilegeEscalation nil nonRoot"
:
{
sc
:
v1
.
SecurityContext
{
RunAsUser
:
&
nonRoot
,
...
...
@@ -210,20 +198,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
RunAsUser
:
&
root
,
},
},
"allowPrivilegeEscalation false capAddSysadmin"
:
{
sc
:
v1
.
SecurityContext
{
Capabilities
:
&
v1
.
Capabilities
{
Add
:
[]
v1
.
Capability
{
"CAP_SYS_ADMIN"
},
},
AllowPrivilegeEscalation
:
&
pfalse
,
},
},
"allowPrivilegeEscalation false privileged"
:
{
sc
:
v1
.
SecurityContext
{
Privileged
:
&
ptrue
,
AllowPrivilegeEscalation
:
&
pfalse
,
},
},
"allowPrivilegeEscalation false nonRoot"
:
{
sc
:
v1
.
SecurityContext
{
RunAsUser
:
&
nonRoot
,
...
...
@@ -238,20 +212,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
},
expect
:
true
,
},
"allowPrivilegeEscalation true capAddSysadmin"
:
{
sc
:
v1
.
SecurityContext
{
Capabilities
:
&
v1
.
Capabilities
{
Add
:
[]
v1
.
Capability
{
"CAP_SYS_ADMIN"
},
},
AllowPrivilegeEscalation
:
&
ptrue
,
},
},
"allowPrivilegeEscalation true privileged"
:
{
sc
:
v1
.
SecurityContext
{
Privileged
:
&
ptrue
,
AllowPrivilegeEscalation
:
&
ptrue
,
},
},
"allowPrivilegeEscalation true nonRoot"
:
{
sc
:
v1
.
SecurityContext
{
RunAsUser
:
&
nonRoot
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment