@@ -65,8 +65,8 @@ be addressed with security contexts:
...
@@ -65,8 +65,8 @@ be addressed with security contexts:
### Overview
### Overview
A *security context* consists of a set of constraints that determine how a container
A *security context* consists of a set of constraints that determine how a container
is secured before getting created and run. It has a 1:1 correspondence to a
is secured before getting created and run. A security context resides on the container and represents the runtime parameters that will
[service account](https://github.com/GoogleCloudPlatform/kubernetes/pull/2297). A *security context provider* is passed to the Kubelet so it can have a chance
be used to create and run the container via container APIs. A *security context provider* is passed to the Kubelet so it can have a chance
to mutate Docker API calls in order to apply the security context.
to mutate Docker API calls in order to apply the security context.
It is recommended that this design be implemented in two phases:
It is recommended that this design be implemented in two phases:
...
@@ -88,7 +88,7 @@ type SecurityContextProvider interface {
...
@@ -88,7 +88,7 @@ type SecurityContextProvider interface {
// the container is created.
// the container is created.
// An error is returned if it's not possible to secure the container as
// An error is returned if it's not possible to secure the container as
// IDMapping specifies the requested user and group mappings for containers
// associated with a specific security context
typeIDMappingstruct{
// SharedUsers is the set of user ranges that must be unique to the entire cluster
SharedUsers[]IDMappingRange
// SharedGroups is the set of group ranges that must be unique to the entire cluster
SharedGroups[]IDMappingRange
// PrivateUsers are mapped to users on the host node, but are not necessarily
// SELinuxOptions are the labels to be applied to the container.
// unique to the entire cluster
typeSELinuxOptionsstruct{
PrivateUsers[]IDMappingRange
// SELinux user label
Userstring
// PrivateGroups are mapped to groups on the host node, but are not necessarily
// SELinux role label
// unique to the entire cluster
Rolestring
PrivateGroups[]IDMappingRange
}
// IDMappingRange specifies a mapping between container IDs and node IDs
// SELinux type label
typeIDMappingRangestruct{
Typestring
// ContainerID is the starting container UID or GID
ContainerIDint
// HostID is the starting host UID or GID
// SELinux level label.
HostIDint
Levelstring
// Length is the length of the UID/GID range
Lengthint
}
}
```
```
### Admission
It is up to an admission plugin to determine if the security context is acceptable or not. At the
time of writing, the admission control plugin for security contexts will only allow a context that
has defined capabilities or privileged. Contexts that attempt to define a UID or SELinux options
will be denied by default. In the future the admission plugin will base this decision upon
configurable policies that reside within the [service account](https://github.com/GoogleCloudPlatform/kubernetes/pull/2297).
#### Security Context Lifecycle
The lifecycle of a security context will be tied to that of a service account. It is expected that a service account with a default security context will be created for every Kubernetes namespace (without administrator intervention). If resources need to be allocated when creating a security context (for example, assign a range of host uids/gids), a pattern such as [finalizers](https://github.com/GoogleCloudPlatform/kubernetes/issues/3585) can be used before declaring the security context / service account / namespace ready for use.