Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
99ee3f4b
Commit
99ee3f4b
authored
Nov 07, 2016
by
Random-Liu
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add non-numeric user name support.
parent
d8fa6a99
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
12 changed files
with
69 additions
and
43 deletions
+69
-43
api.pb.go
pkg/kubelet/api/v1alpha1/runtime/api.pb.go
+0
-0
api.proto
pkg/kubelet/api/v1alpha1/runtime/api.proto
+8
-6
convert.go
pkg/kubelet/dockershim/convert.go
+2
-13
security_context.go
pkg/kubelet/dockershim/security_context.go
+1
-3
security_context_test.go
pkg/kubelet/dockershim/security_context_test.go
+2
-3
docker_manager.go
pkg/kubelet/dockertools/docker_manager.go
+5
-5
docker_manager_test.go
pkg/kubelet/dockertools/docker_manager_test.go
+10
-2
BUILD
pkg/kubelet/kuberuntime/BUILD
+1
-0
helpers.go
pkg/kubelet/kuberuntime/helpers.go
+8
-3
kuberuntime_container.go
pkg/kubelet/kuberuntime/kuberuntime_container.go
+1
-1
kuberuntime_sandbox.go
pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+1
-1
security_context.go
pkg/kubelet/kuberuntime/security_context.go
+30
-6
No files found.
pkg/kubelet/api/v1alpha1/runtime/api.pb.go
View file @
99ee3f4b
This diff is collapsed.
Click to expand it.
pkg/kubelet/api/v1alpha1/runtime/api.proto
View file @
99ee3f4b
...
...
@@ -159,8 +159,9 @@ message LinuxSandboxSecurityContext {
optional
NamespaceOption
namespace_options
=
1
;
// Optional SELinux context to be applied.
optional
SELinuxOption
selinux_options
=
2
;
// The UID to run the entrypoint of the sandbox process.
optional
int64
run_as_user
=
3
;
// The user to run the entrypoint of the sandbox process, it could be uid or
// user name.
optional
string
run_as_user
=
3
;
// If set, the root filesystem of the sandbox is read-only.
optional
bool
readonly_rootfs
=
4
;
// A list of groups applied to the first process run in the sandbox, in addition
...
...
@@ -439,9 +440,10 @@ message LinuxContainerSecurityContext {
optional
NamespaceOption
namespace_options
=
3
;
// Optional SELinux context to be applied.
optional
SELinuxOption
selinux_options
=
4
;
// The UID to run the the container process as.
// The user to run the the container process as, it could be uid or user
// name.
// Defaults to user specified in image metadata if unspecified.
optional
int64
run_as_user
=
5
;
optional
string
run_as_user
=
5
;
// If set, the root filesystem of the container is read-only.
optional
bool
readonly_rootfs
=
6
;
// A list of groups applied to the first process run in the container, in addition
...
...
@@ -758,8 +760,8 @@ message Image {
repeated
string
repo_digests
=
3
;
// The size of the image in bytes.
optional
uint64
size
=
4
;
// The u
id
that will run the command(s).
optional
int64
uid
=
5
;
// The u
ser
that will run the command(s).
optional
string
user
=
5
;
}
message
ListImagesResponse
{
...
...
pkg/kubelet/dockershim/convert.go
View file @
99ee3f4b
...
...
@@ -18,7 +18,6 @@ package dockershim
import
(
"fmt"
"strconv"
"strings"
"time"
...
...
@@ -57,24 +56,14 @@ func imageInspectToRuntimeAPIImage(image *dockertypes.ImageInspect) (*runtimeApi
return
nil
,
fmt
.
Errorf
(
"unable to convert a nil pointer to a runtime API image"
)
}
var
err
error
var
uid
int64
size
:=
uint64
(
image
.
VirtualSize
)
imageUid
:=
dockertools
.
GetUidFromUser
(
image
.
Config
.
User
)
// Convert image UID to int64 format. Not that it assumes the process in
// the image is running as root if image.Config.User is not set.
if
imageUid
!=
""
{
uid
,
err
=
strconv
.
ParseInt
(
imageUid
,
10
,
64
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"non-numeric user (%q)"
,
imageUid
)
}
}
user
:=
dockertools
.
GetUserFromImageUser
(
image
.
Config
.
User
)
return
&
runtimeApi
.
Image
{
Id
:
&
image
.
ID
,
RepoTags
:
image
.
RepoTags
,
RepoDigests
:
image
.
RepoDigests
,
Size_
:
&
size
,
U
id
:
&
uid
,
U
ser
:
&
user
,
},
nil
}
...
...
pkg/kubelet/dockershim/security_context.go
View file @
99ee3f4b
...
...
@@ -61,9 +61,7 @@ func applyContainerSecurityContext(lc *runtimeapi.LinuxContainerConfig, sandboxI
// modifyContainerConfig applies container security context config to dockercontainer.Config.
func
modifyContainerConfig
(
sc
*
runtimeapi
.
LinuxContainerSecurityContext
,
config
*
dockercontainer
.
Config
)
{
if
sc
!=
nil
&&
sc
.
RunAsUser
!=
nil
{
config
.
User
=
strconv
.
FormatInt
(
sc
.
GetRunAsUser
(),
10
)
}
config
.
User
=
sc
.
GetRunAsUser
()
}
// modifyHostConfig applies security context config to dockercontainer.HostConfig.
...
...
pkg/kubelet/dockershim/security_context_test.go
View file @
99ee3f4b
...
...
@@ -18,7 +18,6 @@ package dockershim
import
(
"fmt"
"strconv"
"testing"
dockercontainer
"github.com/docker/engine-api/types/container"
...
...
@@ -29,7 +28,7 @@ import (
)
func
TestModifyContainerConfig
(
t
*
testing
.
T
)
{
var
uid
int64
=
123
var
uid
string
=
"123"
cases
:=
[]
struct
{
name
string
...
...
@@ -42,7 +41,7 @@ func TestModifyContainerConfig(t *testing.T) {
RunAsUser
:
&
uid
,
},
expected
:
&
dockercontainer
.
Config
{
User
:
strconv
.
FormatInt
(
uid
,
10
)
,
User
:
uid
,
},
},
{
...
...
pkg/kubelet/dockertools/docker_manager.go
View file @
99ee3f4b
...
...
@@ -2474,7 +2474,7 @@ func (dm *DockerManager) isImageRoot(image string) (bool, error) {
return
false
,
fmt
.
Errorf
(
"unable to inspect image %s, nil Config"
,
image
)
}
user
:=
GetU
idFrom
User
(
img
.
Config
.
User
)
user
:=
GetU
serFromImage
User
(
img
.
Config
.
User
)
// if no user is defined container will run as root
if
user
==
""
{
return
true
,
nil
...
...
@@ -2488,16 +2488,16 @@ func (dm *DockerManager) isImageRoot(image string) (bool, error) {
return
uid
==
0
,
nil
}
// GetU
idFromUser splits the uid out of an uid:gid
string.
func
GetU
idFrom
User
(
id
string
)
string
{
// GetU
serFromImageUser splits the user out of an user:group
string.
func
GetU
serFromImage
User
(
id
string
)
string
{
if
id
==
""
{
return
id
}
// split instances where the id may contain u
id:gid
// split instances where the id may contain u
ser:group
if
strings
.
Contains
(
id
,
":"
)
{
return
strings
.
Split
(
id
,
":"
)[
0
]
}
// no g
id
, just return the id
// no g
roup
, just return the id
return
id
}
...
...
pkg/kubelet/dockertools/docker_manager_test.go
View file @
99ee3f4b
...
...
@@ -1431,7 +1431,7 @@ func TestVerifyNonRoot(t *testing.T) {
}
}
func
TestGetU
idFrom
User
(
t
*
testing
.
T
)
{
func
TestGetU
serFromImage
User
(
t
*
testing
.
T
)
{
tests
:=
map
[
string
]
struct
{
input
string
expect
string
...
...
@@ -1452,9 +1452,17 @@ func TestGetUidFromUser(t *testing.T) {
input
:
"1:2:3"
,
expect
:
"1"
,
},
"root username"
:
{
input
:
"root:root"
,
expect
:
"root"
,
},
"username"
:
{
input
:
"test:test"
,
expect
:
"test"
,
},
}
for
k
,
v
:=
range
tests
{
actual
:=
GetU
idFrom
User
(
v
.
input
)
actual
:=
GetU
serFromImage
User
(
v
.
input
)
if
actual
!=
v
.
expect
{
t
.
Errorf
(
"%s failed. Expected %s but got %s"
,
k
,
v
.
expect
,
actual
)
}
...
...
pkg/kubelet/kuberuntime/BUILD
View file @
99ee3f4b
...
...
@@ -60,6 +60,7 @@ go_library(
"//vendor:github.com/coreos/go-semver/semver",
"//vendor:github.com/docker/docker/pkg/jsonlog",
"//vendor:github.com/fsnotify/fsnotify",
"//vendor:github.com/gogo/protobuf/proto",
"//vendor:github.com/golang/glog",
"//vendor:github.com/google/cadvisor/info/v1",
],
...
...
pkg/kubelet/kuberuntime/helpers.go
View file @
99ee3f4b
...
...
@@ -147,13 +147,18 @@ func getContainerSpec(pod *api.Pod, containerName string) *api.Container {
}
// getImageUID gets uid that will run the command(s) from image.
func
(
m
*
kubeGenericRuntimeManager
)
getImageUser
(
image
string
)
(
int64
,
error
)
{
func
(
m
*
kubeGenericRuntimeManager
)
getImageUser
(
image
string
)
(
string
,
error
)
{
imageStatus
,
err
:=
m
.
imageService
.
ImageStatus
(
&
runtimeApi
.
ImageSpec
{
Image
:
&
image
})
if
err
!=
nil
{
return
0
,
err
return
""
,
err
}
return
imageStatus
.
GetUid
(),
nil
user
:=
imageStatus
.
GetUser
()
// kuberuntime treats empty user as root.
if
user
==
""
{
return
"0"
,
nil
}
return
user
,
nil
}
// isContainerFailed returns true if container has exited and exitcode is not zero.
...
...
pkg/kubelet/kuberuntime/kuberuntime_container.go
View file @
99ee3f4b
...
...
@@ -184,7 +184,7 @@ func (m *kubeGenericRuntimeManager) generateContainerConfig(container *api.Conta
}
// generateLinuxContainerConfig generates linux container config for kubelet runtime api.
func
(
m
*
kubeGenericRuntimeManager
)
generateLinuxContainerConfig
(
container
*
api
.
Container
,
pod
*
api
.
Pod
,
imageUser
int64
)
*
runtimeApi
.
LinuxContainerConfig
{
func
(
m
*
kubeGenericRuntimeManager
)
generateLinuxContainerConfig
(
container
*
api
.
Container
,
pod
*
api
.
Pod
,
imageUser
string
)
*
runtimeApi
.
LinuxContainerConfig
{
lc
:=
&
runtimeApi
.
LinuxContainerConfig
{
Resources
:
&
runtimeApi
.
LinuxContainerResources
{},
SecurityContext
:
m
.
determineEffectiveSecurityContext
(
pod
,
container
,
imageUser
),
...
...
pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
View file @
99ee3f4b
...
...
@@ -146,7 +146,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *api.Pod,
HostIpc
:
&
sc
.
HostIPC
,
HostPid
:
&
sc
.
HostPID
,
},
RunAsUser
:
sc
.
RunAsUser
,
RunAsUser
:
convertToRuntimeRunAsUser
(
sc
.
RunAsUser
)
,
}
if
sc
.
FSGroup
!=
nil
{
...
...
pkg/kubelet/kuberuntime/security_context.go
View file @
99ee3f4b
...
...
@@ -18,6 +18,10 @@ package kuberuntime
import
(
"fmt"
"strconv"
"github.com/gogo/protobuf/proto"
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/api"
runtimeapi
"k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
...
...
@@ -25,7 +29,7 @@ import (
)
// determineEffectiveSecurityContext gets container's security context from api.Pod and api.Container.
func
(
m
*
kubeGenericRuntimeManager
)
determineEffectiveSecurityContext
(
pod
*
api
.
Pod
,
container
*
api
.
Container
,
imageUser
int64
)
*
runtimeapi
.
LinuxContainerSecurityContext
{
func
(
m
*
kubeGenericRuntimeManager
)
determineEffectiveSecurityContext
(
pod
*
api
.
Pod
,
container
*
api
.
Container
,
imageUser
string
)
*
runtimeapi
.
LinuxContainerSecurityContext
{
effectiveSc
:=
securitycontext
.
DetermineEffectiveSecurityContext
(
pod
,
container
)
synthesized
:=
convertToRuntimeSecurityContext
(
effectiveSc
)
if
synthesized
==
nil
{
...
...
@@ -61,17 +65,29 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *api.P
}
// verifyRunAsNonRoot verifies RunAsNonRoot.
func
verifyRunAsNonRoot
(
pod
*
api
.
Pod
,
container
*
api
.
Container
,
imageUser
int64
)
error
{
func
verifyRunAsNonRoot
(
pod
*
api
.
Pod
,
container
*
api
.
Container
,
imageUser
string
)
error
{
effectiveSc
:=
securitycontext
.
DetermineEffectiveSecurityContext
(
pod
,
container
)
if
effectiveSc
==
nil
||
effectiveSc
.
RunAsNonRoot
==
nil
{
return
nil
}
if
effectiveSc
.
RunAsUser
!=
nil
&&
*
effectiveSc
.
RunAsUser
==
0
{
return
fmt
.
Errorf
(
"container's runAsUser breaks non-root policy"
)
if
effectiveSc
.
RunAsUser
!=
nil
{
if
*
effectiveSc
.
RunAsUser
==
0
{
return
fmt
.
Errorf
(
"container's runAsUser breaks non-root policy"
)
}
return
nil
}
// Non-root verification only supports numeric user now. For non-numeric user,
// just return nil to by-pass the verfication.
// TODO: Support non-numeric user.
uid
,
err
:=
strconv
.
ParseInt
(
imageUser
,
10
,
64
)
if
err
!=
nil
{
glog
.
Warningf
(
"Non-root verification doesn't support non-numeric user (%s)"
,
imageUser
)
return
nil
}
if
imageUser
==
0
{
if
uid
==
0
{
return
fmt
.
Errorf
(
"container has runAsNonRoot and image will run as root"
)
}
...
...
@@ -85,7 +101,7 @@ func convertToRuntimeSecurityContext(securityContext *api.SecurityContext) *runt
}
return
&
runtimeapi
.
LinuxContainerSecurityContext
{
RunAsUser
:
securityContext
.
RunAsUser
,
RunAsUser
:
convertToRuntimeRunAsUser
(
securityContext
.
RunAsUser
)
,
Privileged
:
securityContext
.
Privileged
,
ReadonlyRootfs
:
securityContext
.
ReadOnlyRootFilesystem
,
Capabilities
:
convertToRuntimeCapabilities
(
securityContext
.
Capabilities
),
...
...
@@ -93,6 +109,14 @@ func convertToRuntimeSecurityContext(securityContext *api.SecurityContext) *runt
}
}
// convertToRuntimeRunAsUser converts RunAsUser from *int64 to *string.
func
convertToRuntimeRunAsUser
(
runAsUser
*
int64
)
*
string
{
if
runAsUser
==
nil
{
return
nil
}
return
proto
.
String
(
strconv
.
FormatInt
(
*
runAsUser
,
10
))
}
// convertToRuntimeSELinuxOption converts api.SELinuxOptions to runtimeapi.SELinuxOption.
func
convertToRuntimeSELinuxOption
(
opts
*
api
.
SELinuxOptions
)
*
runtimeapi
.
SELinuxOption
{
if
opts
==
nil
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment