k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/pkg/kubelet/kuberuntime/security_context.go (about) 1 /* 2 Copyright 2016 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package kuberuntime 18 19 import ( 20 v1 "k8s.io/api/core/v1" 21 runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" 22 runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util" 23 "k8s.io/kubernetes/pkg/securitycontext" 24 ) 25 26 // determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container. 27 func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) { 28 effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container) 29 synthesized := convertToRuntimeSecurityContext(effectiveSc) 30 if synthesized == nil { 31 synthesized = &runtimeapi.LinuxContainerSecurityContext{ 32 MaskedPaths: securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount), 33 ReadonlyPaths: securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount), 34 } 35 } 36 var err error 37 38 synthesized.Seccomp, err = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault) 39 if err != nil { 40 return nil, err 41 } 42 43 // set ApparmorProfile. 44 synthesized.Apparmor, synthesized.ApparmorProfile, err = getAppArmorProfile(pod, container) 45 if err != nil { 46 return nil, err 47 } 48 49 // set RunAsUser. 50 if synthesized.RunAsUser == nil { 51 if uid != nil { 52 synthesized.RunAsUser = &runtimeapi.Int64Value{Value: *uid} 53 } 54 synthesized.RunAsUsername = username 55 } 56 57 // set namespace options and supplemental groups. 58 namespaceOptions, err := runtimeutil.NamespacesForPod(pod, m.runtimeHelper, m.runtimeClassManager) 59 if err != nil { 60 return nil, err 61 } 62 synthesized.NamespaceOptions = namespaceOptions 63 podSc := pod.Spec.SecurityContext 64 if podSc != nil { 65 if podSc.FSGroup != nil { 66 synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(*podSc.FSGroup)) 67 } 68 69 if podSc.SupplementalGroups != nil { 70 for _, sg := range podSc.SupplementalGroups { 71 synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(sg)) 72 } 73 } 74 } 75 if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 { 76 synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, groups...) 77 } 78 79 synthesized.NoNewPrivs = securitycontext.AddNoNewPrivileges(effectiveSc) 80 81 synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount) 82 synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount) 83 84 return synthesized, nil 85 } 86 87 // convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext. 88 func convertToRuntimeSecurityContext(securityContext *v1.SecurityContext) *runtimeapi.LinuxContainerSecurityContext { 89 if securityContext == nil { 90 return nil 91 } 92 93 sc := &runtimeapi.LinuxContainerSecurityContext{ 94 Capabilities: convertToRuntimeCapabilities(securityContext.Capabilities), 95 SelinuxOptions: convertToRuntimeSELinuxOption(securityContext.SELinuxOptions), 96 } 97 if securityContext.RunAsUser != nil { 98 sc.RunAsUser = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsUser)} 99 } 100 if securityContext.RunAsGroup != nil { 101 sc.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsGroup)} 102 } 103 if securityContext.Privileged != nil { 104 sc.Privileged = *securityContext.Privileged 105 } 106 if securityContext.ReadOnlyRootFilesystem != nil { 107 sc.ReadonlyRootfs = *securityContext.ReadOnlyRootFilesystem 108 } 109 110 return sc 111 } 112 113 // convertToRuntimeSELinuxOption converts v1.SELinuxOptions to runtimeapi.SELinuxOption. 114 func convertToRuntimeSELinuxOption(opts *v1.SELinuxOptions) *runtimeapi.SELinuxOption { 115 if opts == nil { 116 return nil 117 } 118 119 return &runtimeapi.SELinuxOption{ 120 User: opts.User, 121 Role: opts.Role, 122 Type: opts.Type, 123 Level: opts.Level, 124 } 125 } 126 127 // convertToRuntimeCapabilities converts v1.Capabilities to runtimeapi.Capability. 128 func convertToRuntimeCapabilities(opts *v1.Capabilities) *runtimeapi.Capability { 129 if opts == nil { 130 return nil 131 } 132 133 capabilities := &runtimeapi.Capability{ 134 AddCapabilities: make([]string, len(opts.Add)), 135 DropCapabilities: make([]string, len(opts.Drop)), 136 } 137 for index, value := range opts.Add { 138 capabilities.AddCapabilities[index] = string(value) 139 } 140 for index, value := range opts.Drop { 141 capabilities.DropCapabilities[index] = string(value) 142 } 143 144 return capabilities 145 }