k8s.io/kubernetes@v1.29.3/pkg/kubelet/kuberuntime/security_context.go (about) 1 /* 2 Copyright 2016 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package kuberuntime 18 19 import ( 20 v1 "k8s.io/api/core/v1" 21 runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" 22 runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util" 23 "k8s.io/kubernetes/pkg/security/apparmor" 24 "k8s.io/kubernetes/pkg/securitycontext" 25 ) 26 27 // determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container. 28 func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) { 29 effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container) 30 synthesized := convertToRuntimeSecurityContext(effectiveSc) 31 if synthesized == nil { 32 synthesized = &runtimeapi.LinuxContainerSecurityContext{ 33 MaskedPaths: securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount), 34 ReadonlyPaths: securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount), 35 } 36 } 37 var err error 38 39 synthesized.Seccomp, err = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault) 40 if err != nil { 41 return nil, err 42 } 43 44 // set ApparmorProfile. 45 synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name) 46 47 // set RunAsUser. 48 if synthesized.RunAsUser == nil { 49 if uid != nil { 50 synthesized.RunAsUser = &runtimeapi.Int64Value{Value: *uid} 51 } 52 synthesized.RunAsUsername = username 53 } 54 55 // set namespace options and supplemental groups. 56 namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper) 57 if err != nil { 58 return nil, err 59 } 60 synthesized.NamespaceOptions = namespaceOptions 61 podSc := pod.Spec.SecurityContext 62 if podSc != nil { 63 if podSc.FSGroup != nil { 64 synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(*podSc.FSGroup)) 65 } 66 67 if podSc.SupplementalGroups != nil { 68 for _, sg := range podSc.SupplementalGroups { 69 synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(sg)) 70 } 71 } 72 } 73 if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 { 74 synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, groups...) 75 } 76 77 synthesized.NoNewPrivs = securitycontext.AddNoNewPrivileges(effectiveSc) 78 79 synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount) 80 synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount) 81 82 return synthesized, nil 83 } 84 85 // convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext. 86 func convertToRuntimeSecurityContext(securityContext *v1.SecurityContext) *runtimeapi.LinuxContainerSecurityContext { 87 if securityContext == nil { 88 return nil 89 } 90 91 sc := &runtimeapi.LinuxContainerSecurityContext{ 92 Capabilities: convertToRuntimeCapabilities(securityContext.Capabilities), 93 SelinuxOptions: convertToRuntimeSELinuxOption(securityContext.SELinuxOptions), 94 } 95 if securityContext.RunAsUser != nil { 96 sc.RunAsUser = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsUser)} 97 } 98 if securityContext.RunAsGroup != nil { 99 sc.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsGroup)} 100 } 101 if securityContext.Privileged != nil { 102 sc.Privileged = *securityContext.Privileged 103 } 104 if securityContext.ReadOnlyRootFilesystem != nil { 105 sc.ReadonlyRootfs = *securityContext.ReadOnlyRootFilesystem 106 } 107 108 return sc 109 } 110 111 // convertToRuntimeSELinuxOption converts v1.SELinuxOptions to runtimeapi.SELinuxOption. 112 func convertToRuntimeSELinuxOption(opts *v1.SELinuxOptions) *runtimeapi.SELinuxOption { 113 if opts == nil { 114 return nil 115 } 116 117 return &runtimeapi.SELinuxOption{ 118 User: opts.User, 119 Role: opts.Role, 120 Type: opts.Type, 121 Level: opts.Level, 122 } 123 } 124 125 // convertToRuntimeCapabilities converts v1.Capabilities to runtimeapi.Capability. 126 func convertToRuntimeCapabilities(opts *v1.Capabilities) *runtimeapi.Capability { 127 if opts == nil { 128 return nil 129 } 130 131 capabilities := &runtimeapi.Capability{ 132 AddCapabilities: make([]string, len(opts.Add)), 133 DropCapabilities: make([]string, len(opts.Drop)), 134 } 135 for index, value := range opts.Add { 136 capabilities.AddCapabilities[index] = string(value) 137 } 138 for index, value := range opts.Drop { 139 capabilities.DropCapabilities[index] = string(value) 140 } 141 142 return capabilities 143 }