
Commit 67c0b3e

authored
Merge pull request #894 from Random-Liu/support-masked-readonly-paths
Support masked and readonly paths
2 parents 1e471b1 + 3e4cec8 commit 67c0b3e

76 files changed

Lines changed: 4123 additions & 3601 deletions



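--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -357,6 +357,24 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 		return nil, errors.Wrapf(err, "failed to set OCI bind mounts %+v", mounts)
 	}
 
+	// Apply masked paths if specified.
+	// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
+	// When `MaskedPaths` is specified, but length is zero, clear masked path list.
+	if securityContext.GetMaskedPaths() != nil {
+		g.Config.Linux.MaskedPaths = nil
+		for _, path := range securityContext.GetMaskedPaths() {
+			g.AddLinuxMaskedPaths(path)
+		}
+	}
+
+	// Apply readonly paths if specified.
+	if securityContext.GetReadonlyPaths() != nil {
+		g.Config.Linux.ReadonlyPaths = nil
+		for _, path := range securityContext.GetReadonlyPaths() {
+			g.AddLinuxReadonlyPaths(path)
+		}
+	}
+
 	if securityContext.GetPrivileged() {
 		if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 			return nil, errors.New("no privileged container allowed in sandbox")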
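Review bot: The "specified but empty clears the list" contract written in the comment at new lines 361–362 depends on `GetMaskedPaths()` returning a non-nil empty slice, which an in-process caller can provide but which, if the security context arrives over the CRI gRPC transport as a proto3 repeated field, would most likely decode as nil and fall through to the runtime defaults instead. Worth confirming against how the kubelet sends the unmasked case and recording the result next to the comment, e.g. `// NOTE: proto3 carries no presence for repeated fields; an empty list on the wire may be indistinguishable from unset — confirm kubelet behavior.` Since an empty list silently strips every runtime-default mask and readonly path from a non-privileged container, a debug-level log of the resulting MaskedPaths/ReadonlyPaths just after the two blocks would help when triaging a container that ended up less isolated than expected. generateContainerSpec starts and ends outside this hunk.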

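--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -248,7 +248,6 @@ func TestContainerCapabilities(t *testing.T) {
 		spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
 		require.NoError(t, err)
 		specCheck(t, testID, testSandboxID, testPid, spec)
-		t.Log(spec.Process.Capabilities.Bounding)
 		for _, include := range test.includes {
 			assert.Contains(t, spec.Process.Capabilities.Bounding, include)
 			assert.Contains(t, spec.Process.Capabilities.Effective, include)
@@ -913,3 +912,45 @@ func TestGenerateApparmorSpecOpts(t *testing.T) {
 		}
 	}
 }
+
+func TestMaskedAndReadonlyPaths(t *testing.T) {
+	testID := "test-id"
+	testSandboxID := "sandbox-id"
+	testPid := uint32(1234)
+	config, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+	c := newTestCRIService()
+	defaultSpec, err := defaultRuntimeSpec(testID)
+	require.NoError(t, err)
+	for desc, test := range map[string]struct {
+		masked []string
+		readonly []string
+		expectedMasked []string
+		expectedReadonly []string
+	}{
+		"should apply default if not specified": {
+			expectedMasked: defaultSpec.Linux.MaskedPaths,
+			expectedReadonly: defaultSpec.Linux.ReadonlyPaths,
+		},
+		"should be able to specify empty paths": {
+			masked: []string{},
+			readonly: []string{},
+			expectedMasked: nil,
+			expectedReadonly: nil,
+		},
+		"should apply CRI specified paths": {
+			masked: []string{"/proc"},
+			readonly: []string{"/sys"},
+			expectedMasked: []string{"/proc"},
+			expectedReadonly: []string{"/sys"},
+		},
+	} {
+		t.Logf("TestCase %q", desc)
+		config.Linux.SecurityContext.MaskedPaths = test.masked
+		config.Linux.SecurityContext.ReadonlyPaths = test.readonly
+		spec, err := c.generateContainerSpec(testID, testSandboxID, testPid, config, sandboxConfig, imageConfig, nil)
+		require.NoError(t, err)
+		specCheck(t, testID, testSandboxID, testPid, spec)
+		assert.Equal(t, test.expectedMasked, spec.Linux.MaskedPaths)
+		assert.Equal(t, test.expectedReadonly, spec.Linux.ReadonlyPaths)
+	}
+}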
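Review bot: The "should be able to specify empty paths" case at new lines 934–939 only proves the nil-versus-empty distinction for an in-process `[]string{}`; if a real request reaches generateContainerSpec after proto unmarshalling, that distinction may not survive, so this test would keep passing while the feature silently applied runtime defaults. Consider a case that first round-trips `config` through the CRI proto marshal/unmarshal and then asserts the same expectedMasked/expectedReadonly, or at least a comment on that case such as `// NOTE: in-process only; an empty repeated field may decode as nil over gRPC.` As a style point, wrapping the body in `t.Run(desc, func(t *testing.T) { ... })` would name the failing case in the test output instead of relying on the preceding t.Logf line.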

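--- a/vendor.conf
+++ b/vendor.conf
@@ -69,9 +69,9 @@ google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 google.golang.org/grpc v1.12.0
 gopkg.in/inf.v0 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4
 gopkg.in/yaml.v2 53feefa2559fb8dfa8d81baad31be332c97d6c77
-k8s.io/api 9e5ffd1f1320950b238cfce291b926411f0af722
-k8s.io/apimachinery ed135c5b96450fd24e5e981c708114fbbd950697
-k8s.io/apiserver a90e3a95c2e91b944bfca8225c4e0d12e42a9eb5
-k8s.io/client-go 03bfb9bdcfe5482795b999f39ca3ed9ad42ce5bb
-k8s.io/kubernetes v1.11.0
-k8s.io/utils 733eca437aa39379e4bcc25e726439dfca40fcff
+k8s.io/api 12ee108019c2efdc50febb4937fe054aede5d660
+k8s.io/apimachinery c6b66c9c507abbefa93ad83f7fe8c9b52ca1ae30
+k8s.io/apiserver ecbc9eada272b5735d74d2dd0f944dfdefdbb2a5
+k8s.io/client-go 22e1ddcc4852ed93b2c34ef13fbb287f794200ae
+k8s.io/kubernetes 6b7c39a4f8d4c38e8724550cc3e6e41b7ac7a276
+k8s.io/utils 982821ea41da7e7c15f3d3738921eb2e7e241ccd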
