Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
0ad51ed7
Unverified
Commit
0ad51ed7
authored
Sep 21, 2017
by
Jess Frazelle
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
AllowPrivilegeEscalation: add validations for caps and privileged
Signed-off-by:
Jess Frazelle
<
acidburn@microsoft.com
>
parent
d699a6f3
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
52 additions
and
61 deletions
+52
-61
validation.go
pkg/api/validation/validation.go
+15
-0
validation_test.go
pkg/api/validation/validation_test.go
+36
-0
util.go
pkg/securitycontext/util.go
+1
-21
util_test.go
pkg/securitycontext/util_test.go
+0
-40
No files found.
pkg/api/validation/validation.go
View file @
0ad51ed7
...
@@ -4388,6 +4388,21 @@ func ValidateSecurityContext(sc *api.SecurityContext, fldPath *field.Path) field
...
@@ -4388,6 +4388,21 @@ func ValidateSecurityContext(sc *api.SecurityContext, fldPath *field.Path) field
allErrs
=
append
(
allErrs
,
field
.
Invalid
(
fldPath
.
Child
(
"runAsUser"
),
*
sc
.
RunAsUser
,
isNegativeErrorMsg
))
allErrs
=
append
(
allErrs
,
field
.
Invalid
(
fldPath
.
Child
(
"runAsUser"
),
*
sc
.
RunAsUser
,
isNegativeErrorMsg
))
}
}
}
}
if
sc
.
AllowPrivilegeEscalation
!=
nil
&&
!*
sc
.
AllowPrivilegeEscalation
{
if
sc
.
Privileged
!=
nil
&&
*
sc
.
Privileged
{
allErrs
=
append
(
allErrs
,
field
.
Invalid
(
fldPath
,
sc
,
"cannot set `allowPrivilegeEscalation` to false and `privileged` to true"
))
}
if
sc
.
Capabilities
!=
nil
{
for
_
,
cap
:=
range
sc
.
Capabilities
.
Add
{
if
string
(
cap
)
==
"CAP_SYS_ADMIN"
{
allErrs
=
append
(
allErrs
,
field
.
Invalid
(
fldPath
,
sc
,
"cannot set `allowPrivilegeEscalation` to false and `capabilities.Add` CAP_SYS_ADMIN"
))
}
}
}
}
return
allErrs
return
allErrs
}
}
...
...
pkg/api/validation/validation_test.go
View file @
0ad51ed7
...
@@ -4704,6 +4704,38 @@ func TestValidatePodSpec(t *testing.T) {
...
@@ -4704,6 +4704,38 @@ func TestValidatePodSpec(t *testing.T) {
DNSPolicy
:
api
.
DNSClusterFirst
,
DNSPolicy
:
api
.
DNSClusterFirst
,
PriorityClassName
:
"InvalidName"
,
PriorityClassName
:
"InvalidName"
,
},
},
"with privileged and allowPrivilegeEscalation false"
:
{
Containers
:
[]
api
.
Container
{
{
Name
:
"ctr"
,
Image
:
"image"
,
ImagePullPolicy
:
"IfNotPresent"
,
Ports
:
[]
api
.
ContainerPort
{
{
HostPort
:
8080
,
ContainerPort
:
2600
,
Protocol
:
"TCP"
}},
SecurityContext
:
&
api
.
SecurityContext
{
Privileged
:
boolPtr
(
true
),
AllowPrivilegeEscalation
:
boolPtr
(
false
),
},
},
},
},
"with CAP_SYS_ADMIN and allowPrivilegeEscalation false"
:
{
Containers
:
[]
api
.
Container
{
{
Name
:
"ctr"
,
Image
:
"image"
,
ImagePullPolicy
:
"IfNotPresent"
,
Ports
:
[]
api
.
ContainerPort
{
{
HostPort
:
8080
,
ContainerPort
:
2600
,
Protocol
:
"TCP"
}},
SecurityContext
:
&
api
.
SecurityContext
{
Capabilities
:
&
api
.
Capabilities
{
Add
:
[]
api
.
Capability
{
"CAP_SYS_ADMIN"
},
},
AllowPrivilegeEscalation
:
boolPtr
(
false
),
},
},
},
},
}
}
for
k
,
v
:=
range
failureCases
{
for
k
,
v
:=
range
failureCases
{
if
errs
:=
ValidatePodSpec
(
&
v
,
field
.
NewPath
(
"field"
));
len
(
errs
)
==
0
{
if
errs
:=
ValidatePodSpec
(
&
v
,
field
.
NewPath
(
"field"
));
len
(
errs
)
==
0
{
...
@@ -11082,3 +11114,7 @@ func TestValidateOrSetClientIPAffinityConfig(t *testing.T) {
...
@@ -11082,3 +11114,7 @@ func TestValidateOrSetClientIPAffinityConfig(t *testing.T) {
}
}
}
}
}
}
func
boolPtr
(
b
bool
)
*
bool
{
return
&
b
}
pkg/securitycontext/util.go
View file @
0ad51ed7
...
@@ -242,32 +242,12 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
...
@@ -242,32 +242,12 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
return
synthesized
return
synthesized
}
}
// AddNoNewPrivileges returns if we should add the no_new_privs option. This will return true if:
// AddNoNewPrivileges returns if we should add the no_new_privs option.
// 1) the container is not privileged
// 2) CAP_SYS_ADMIN is not being added
// 3) if podSecurityPolicy.DefaultAllowPrivilegeEscalation is:
// - nil, then return false
// - true, then return false
// - false, then return true
func
AddNoNewPrivileges
(
sc
*
v1
.
SecurityContext
)
bool
{
func
AddNoNewPrivileges
(
sc
*
v1
.
SecurityContext
)
bool
{
if
sc
==
nil
{
if
sc
==
nil
{
return
false
return
false
}
}
// handle the case where the container is privileged
if
sc
.
Privileged
!=
nil
&&
*
sc
.
Privileged
{
return
false
}
// handle the case where we are adding CAP_SYS_ADMIN
if
sc
.
Capabilities
!=
nil
{
for
_
,
cap
:=
range
sc
.
Capabilities
.
Add
{
if
string
(
cap
)
==
"CAP_SYS_ADMIN"
{
return
false
}
}
}
// handle the case where the user did not set the default and did not explicitly set allowPrivilegeEscalation
// handle the case where the user did not set the default and did not explicitly set allowPrivilegeEscalation
if
sc
.
AllowPrivilegeEscalation
==
nil
{
if
sc
.
AllowPrivilegeEscalation
==
nil
{
return
false
return
false
...
...
pkg/securitycontext/util_test.go
View file @
0ad51ed7
...
@@ -188,18 +188,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
...
@@ -188,18 +188,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
expect
bool
expect
bool
}{
}{
"allowPrivilegeEscalation nil security context nil"
:
{},
"allowPrivilegeEscalation nil security context nil"
:
{},
"allowPrivilegeEscalation nil capAddSysadmin"
:
{
sc
:
v1
.
SecurityContext
{
Capabilities
:
&
v1
.
Capabilities
{
Add
:
[]
v1
.
Capability
{
"CAP_SYS_ADMIN"
},
},
},
},
"allowPrivilegeEscalation nil privileged"
:
{
sc
:
v1
.
SecurityContext
{
Privileged
:
&
ptrue
,
},
},
"allowPrivilegeEscalation nil nonRoot"
:
{
"allowPrivilegeEscalation nil nonRoot"
:
{
sc
:
v1
.
SecurityContext
{
sc
:
v1
.
SecurityContext
{
RunAsUser
:
&
nonRoot
,
RunAsUser
:
&
nonRoot
,
...
@@ -210,20 +198,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
...
@@ -210,20 +198,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
RunAsUser
:
&
root
,
RunAsUser
:
&
root
,
},
},
},
},
"allowPrivilegeEscalation false capAddSysadmin"
:
{
sc
:
v1
.
SecurityContext
{
Capabilities
:
&
v1
.
Capabilities
{
Add
:
[]
v1
.
Capability
{
"CAP_SYS_ADMIN"
},
},
AllowPrivilegeEscalation
:
&
pfalse
,
},
},
"allowPrivilegeEscalation false privileged"
:
{
sc
:
v1
.
SecurityContext
{
Privileged
:
&
ptrue
,
AllowPrivilegeEscalation
:
&
pfalse
,
},
},
"allowPrivilegeEscalation false nonRoot"
:
{
"allowPrivilegeEscalation false nonRoot"
:
{
sc
:
v1
.
SecurityContext
{
sc
:
v1
.
SecurityContext
{
RunAsUser
:
&
nonRoot
,
RunAsUser
:
&
nonRoot
,
...
@@ -238,20 +212,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
...
@@ -238,20 +212,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
},
},
expect
:
true
,
expect
:
true
,
},
},
"allowPrivilegeEscalation true capAddSysadmin"
:
{
sc
:
v1
.
SecurityContext
{
Capabilities
:
&
v1
.
Capabilities
{
Add
:
[]
v1
.
Capability
{
"CAP_SYS_ADMIN"
},
},
AllowPrivilegeEscalation
:
&
ptrue
,
},
},
"allowPrivilegeEscalation true privileged"
:
{
sc
:
v1
.
SecurityContext
{
Privileged
:
&
ptrue
,
AllowPrivilegeEscalation
:
&
ptrue
,
},
},
"allowPrivilegeEscalation true nonRoot"
:
{
"allowPrivilegeEscalation true nonRoot"
:
{
sc
:
v1
.
SecurityContext
{
sc
:
v1
.
SecurityContext
{
RunAsUser
:
&
nonRoot
,
RunAsUser
:
&
nonRoot
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment