kubernetes · pweil- · Apr 14, 2015 · Apr 15, 2015 · Apr 15, 2015 · Apr 22, 2015
diff --git a/cmd/kube-apiserver/app/plugins.go b/cmd/kube-apiserver/app/plugins.go
@@ -36,4 +36,5 @@ import (
 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/namespace/exists"
 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/namespace/lifecycle"
 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/resourcequota"
+	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/securitycontext"
 )
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
@@ -33,10 +33,10 @@ import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/admission"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver"
-	"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/cloudprovider"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/master"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/securitycontext"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/tools"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
 
@@ -203,7 +203,7 @@ func (s *APIServer) Run(_ []string) error {
 		glog.Fatalf("specify either --etcd_servers or --etcd_config")
 	}
 
-	capabilities.Initialize(capabilities.Capabilities{
+	securitycontext.Initialize(api.SecurityConstraints{
 		AllowPrivileged: s.AllowPrivileged,
 		// TODO(vmarmol): Implement support for HostNetworkSources.
 		HostNetworkSources: []string{},

diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
@@ -30,7 +30,6 @@ import (
 	"time"
 
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
-	"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/chaosclient"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/record"
@@ -47,6 +46,7 @@ import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/volume"
 
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/cloudprovider"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/securitycontext"
 	"github.com/golang/glog"
 	"github.com/spf13/pflag"
 )
@@ -98,6 +98,7 @@ type KubeletServer struct {
 	CertDirectory                  string
 	NodeStatusUpdateFrequency      time.Duration
 	ResourceContainer              string
+	SecurityContextProvider        string
 
 	// Flags intended for testing
 
@@ -201,6 +202,7 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.CloudProvider, "cloud_provider", s.CloudProvider, "The provider for cloud services.  Empty string for no provider.")
 	fs.StringVar(&s.CloudConfigFile, "cloud_config", s.CloudConfigFile, "The path to the cloud provider configuration file.  Empty string for no configuration file.")
 	fs.StringVar(&s.ResourceContainer, "resource_container", s.ResourceContainer, "Absolute name of the resource-only container to create and run the Kubelet in (Default: /kubelet).")
+	fs.StringVar(&s.SecurityContextProvider, "security_context", s.SecurityContextProvider, "Name of the security context provider to use. Allowable values are <empty>|permit|restrict")
 
 	// Flags intended for testing, not recommended used in production environments.
 	fs.BoolVar(&s.ReallyCrashForTesting, "really_crash_for_testing", s.ReallyCrashForTesting, "If true, when panics occur crash. Intended for testing.")
@@ -302,6 +304,8 @@ func (s *KubeletServer) Run(_ []string) error {
 		ResourceContainer:         s.ResourceContainer,
 	}
 
+	InitializeSecurityContextProvider(&kcfg, s.SecurityContextProvider)
+
 	RunKubelet(&kcfg, nil)
 
 	if s.HealthzPort > 0 {
@@ -406,6 +410,7 @@ func SimpleKubelet(client *client.Client,
 		Cloud:                   cloud,
 		NodeStatusUpdateFrequency: 10 * time.Second,
 		ResourceContainer:         "/kubelet",
+		SecurityContextProvider:   securitycontext.NewPermitSecurityContextProvider(securitycontext.Get()),
 	}
 	return &kcfg
 }
@@ -415,6 +420,7 @@ func SimpleKubelet(client *client.Client,
 //   2 Kubelet binary
 //   3 Standalone 'kubernetes' binary
 // Eventually, #2 will be replaced with instances of #3
+// NOTE:  please see the comments on InitializeSecurityContextProvider for important information about the SecurityContextProvider!!
 func RunKubelet(kcfg *KubeletConfig, builder KubeletBuilder) {
 	kcfg.Hostname = util.GetHostname(kcfg.HostnameOverride)
 	eventBroadcaster := record.NewBroadcaster()
@@ -426,7 +432,10 @@ func RunKubelet(kcfg *KubeletConfig, builder KubeletBuilder) {
 	} else {
 		glog.Infof("No api server defined - no events will be sent to API server.")
 	}
-	capabilities.Setup(kcfg.AllowPrivileged, kcfg.HostNetworkSources)
+
+	//initialize the security context provider if it hasn't already happened
+	//NOTE:  please see the comments on InitializeSecurityContextProvider!
+	InitializeSecurityContextProvider(kcfg, "")
 
 	credentialprovider.SetPreferredDockercfgPath(kcfg.RootDirectory)
 
@@ -449,6 +458,43 @@ func RunKubelet(kcfg *KubeletConfig, builder KubeletBuilder) {
 	glog.Infof("Started kubelet")
 }
 
+// InitializeSecurityContextProvider initializes a global security context and sets the security context provider.
+// This should eventually be pulled as a resource but this is replacing the existing capabilities functionality for now.
+// This method is called twice: once by Run and once by RunKubelet.
+//
+// Issue: the old global capabilities code has migrated into a security constraint.  This is initialized only once
+// for the system.  We also want to pass that global context into the global provider until the security constraints
+// are fetched at runtime based on the namespace.  In order to have both items you MUST initialize the context and
+// provider yourself before you use RunKubelet or SimpleKubelet since they set up a default security context provider
+// to catch anything that is not set. (this is where the old capabilities code was originally called) unless you are ok
+// with using the default permit provider which ignores the cap add/drop settings and priv container requests and
+// allows them to be run.
+//
+// SimpleKubelet example:
+//				myKcfg := KubeletConfig{}
+//				InitializeSecurityContextProvider(myKcfg, type)
+// 				simpleKubeletCfg := SimpleKubelet()
+//				simpleKubeletCfg.SecurityContextProvider = myKcfg.SecurityContextProvider
+// RunKubelet example:
+//				myKcfg := KubeletConfig{}
+//				InitializeSecurityContextProvider(myKcfg, type)
+//				RunKubelet(myKcfg, ...)
+//
+//
+// Using the Run method pre-initializes the provider base on the command line settings
+func InitializeSecurityContextProvider(kcfg *KubeletConfig, providerType string) {
+	securitycontext.Setup(kcfg.AllowPrivileged, kcfg.HostNetworkSources)
+
+	if kcfg.SecurityContextProvider == nil {
+		switch providerType {
+		case "restrict":
+			kcfg.SecurityContextProvider = securitycontext.NewRestrictSecurityContextProvider(securitycontext.Get())
+		default:
+			kcfg.SecurityContextProvider = securitycontext.NewPermitSecurityContextProvider(securitycontext.Get())
+		}
+	}
+}
+
 func startKubelet(k KubeletBootstrap, podCfg *config.PodConfig, kc *KubeletConfig) {
 	// start the kubelet
 	go util.Forever(func() { k.Run(podCfg.Updates()) }, 0)
@@ -529,6 +575,7 @@ type KubeletConfig struct {
 	Cloud                          cloudprovider.Interface
 	NodeStatusUpdateFrequency      time.Duration
 	ResourceContainer              string
+	SecurityContextProvider        securitycontext.SecurityContextProvider
 }
 
 func createAndInitKubelet(kc *KubeletConfig) (k KubeletBootstrap, pc *config.PodConfig, err error) {
@@ -572,7 +619,8 @@ func createAndInitKubelet(kc *KubeletConfig) (k KubeletBootstrap, pc *config.Pod
 		kc.ImageGCPolicy,
 		kc.Cloud,
 		kc.NodeStatusUpdateFrequency,
-		kc.ResourceContainer)
+		kc.ResourceContainer,
+		kc.SecurityContextProvider)
 
 	if err != nil {
 		return nil, nil, err

diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
@@ -116,7 +116,7 @@ echo "Starting etcd"
 kube::etcd::start
 
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ResourceQuota,SecurityContext
 
 APISERVER_LOG=/tmp/kube-apiserver.log
 sudo -E "${GO_OUT}/kube-apiserver" \
@@ -149,6 +149,7 @@ sudo -E "${GO_OUT}/kubelet" \
   --address="127.0.0.1" \
   --api_servers="${API_HOST}:${API_PORT}" \
   --auth_path="${KUBE_ROOT}/hack/.test-cmd-auth" \
+  --security_context="restrict" \
   --port="$KUBELET_PORT" >"${KUBELET_LOG}" 2>&1 &
 KUBELET_PID=$!
 

diff --git a/pkg/api/types.go b/pkg/api/types.go
@@ -599,12 +599,10 @@ type Container struct {
 	Lifecycle      *Lifecycle           `json:"lifecycle,omitempty"`
 	// Required.
 	TerminationMessagePath string `json:"terminationMessagePath,omitempty"`
-	// Optional: Default to false.
-	Privileged bool `json:"privileged,omitempty"`
 	// Required: Policy for pulling images for this container
 	ImagePullPolicy PullPolicy `json:"imagePullPolicy"`
-	// Optional: Capabilities for container.
-	Capabilities Capabilities `json:"capabilities,omitempty"`
+	// SecurityContext defines the security context the pod should run with
+	SecurityContext `json:",inline"`
 }
 
 // Handler defines a specific action that should be taken
@@ -1776,6 +1774,110 @@ type SecretList struct {
 	Items []Secret `json:"items"`
 }
 
+// SecurityContext holds security configuration that will be applied to a container.  If a security context
+// is set on the container spec then it must comply with any constraints defined in the SecurityConstraints context
+// it is running in.  If a security context is not supplied and the pod is running under a SecurityConstraints context
+// then a default SecurityContext may be applied.
+type SecurityContext struct {
+	// Capabilities are the capabilities to add/drop when running the container
+	Capabilities *Capabilities `json:"capabilities,omitempty"`
+
+	// Run the container in privileged mode
+	Privileged bool `json:"privileged,omitempty"`
+
+	// SELinuxOptions are the labels to be applied to the container
+	// and volumes
+	SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty"`
+
+	// RunAsUser is the UID to run the entrypoint of the container process.  Corresponding option is --user or -u
+	RunAsUser int64 `json:"runAsUser,omitempty"`
+}
+
+// SELinuxOptions are the labels to be applied to the container
+type SELinuxOptions struct {
+	// User --security-opt="label:user:USER"
+	User string `json:"user,omitempty"`
+
+	// Role --security-opt="label:role:ROLE"
+	Role string `json:"role,omitempty"`
+
+	// Type --security-opt="label:type:TYPE"
+	Type string `json:"type,omitempty"`
+
+	// Level --security-opt="label:level:LEVEL"
+	Level string `json:"level,omitempty"`
+
+	// Disabled --security-opt="label:disable"
+	Disabled bool `json:"disabled,omitempty"`
+}
+
+// SecurityConstraints provides the constraints that at security context provider will
+// ensure that applied SecurityContext requests follow.  When a setting is provided in the SecurityConstraints
+// that conflicts with an actual request it will be implementation specific whether that request is
+// ignored and the container is still run (without the requested constraint) or if the container will be failed
+type SecurityConstraints struct {
+	// EnforcementPolicy will drive behavior for how the constraints are enforce
+	EnforcementPolicy SecurityConstraintPolicy `json:"enforcementPolicy,omitempty"`
+
+	// AllowPrivileged indicates whether this context allows privileged mode containers
+	AllowPrivileged bool `json:"allowPrivileged,omitempty"`
+
+	// SELinux provides the security constraint options for selinux
+	SELinux *SELinuxSecurityConstraints `json:"seLinux,omitempty"`
+
+	// AllowCapabilities dictates if a container can request to add or drop capabilites
+	AllowCapabilities bool `json:"allowCapabilities,omitempty"`
+
+	// AllowCapabilities dictates if a container can request to run the entry point process as a specific user
+	AllowRunAsUser bool `json:"allowRunAsUser,omitempty"`
+
+	// Capabilities represents, if AllowCapabilities is true, the caps that requests
+	// are allowed to add or drop.
+	Capabilities *Capabilities `json:"capabilities,omitempty"`
+
+	// DefaultSecurityContext is applied to any container that does not have a security context set.  It must
+	// also conform to the constraints defined in SecurityConstraints object
+	DefaultSecurityContext *SecurityContext `json:"defaultSecurityContext,omitempty"`
+
+	// List of pod sources for which using host network is allowed.
+	HostNetworkSources []string
+}
+
+// SELinuxSecurityConstraints defines what is allowed in SecurityContext requests with regards to SELinux label options
+// that are currently supported by docker
+type SELinuxSecurityConstraints struct {
+	// AllowUserLabel --security-opt="label:user:USER"
+	AllowUserLabel bool `json:"allowUserLabel,omitempty"`
+
+	// AllowRoleLabel --security-opt="label:role:ROLE"
+	AllowRoleLabel bool `json:"allowRoleLabel,omitempty"`
+
+	// AllowTypeLabel --security-opt="label:type:TYPE"
+	AllowTypeLabel bool `json:"allowTypeLabel,omitempty"`
+
+	// AllowLevelLabel --security-opt="label:level:LEVEL"
+	AllowLevelLabel bool `json:"allowLevelLabel,omitempty"`
+
+	// AllowDisable --security-opt="label:disable"
+	AllowDisable bool `json:"allowDisable,omitempty"`
+}
+
+// SecurityConstraintPolicy dictates how the security context provider should behave with regards to contexts that
+// do not meet the requirements of the policy.
+type SecurityConstraintPolicy string
+
+const (
+	// SecurityConstraintPolicyDisabled means that any containers that do not meet policy constraints are still
+	// allowed to run and will be given their requested permissions.  This could be used if an admin needs to allow
+	// a pod to run for testing without deleting and recreating the policy.  Implementation may log warnings for
+	// permission requests that do not comply with the policy that would be enforced
+	SecurityConstraintPolicyDisable = "Disable"
+
+	// SecurityConstraintPolicyReject means that any containers that do not meet policy constraints will be rejected
+	// (in the case of the api server) or not run (in the case of the kubelet)
+	SecurityConstraintPolicyReject = "Reject"
+)
+
 // These constants are for remote command execution and port forwarding and are
 // used by both the client side and server side components.
 //

diff --git a/pkg/api/v1beta1/conversion.go b/pkg/api/v1beta1/conversion.go
@@ -579,6 +579,9 @@ func init() {
 			if err := s.Convert(&in.Capabilities, &out.Capabilities, 0); err != nil {
 				return err
 			}
+			if err := s.Convert(&in.SecurityContext, &out.SecurityContext, 0); err != nil {
+				return err
+			}
 			return nil
 		},
 		// Internal API does not support CPU to be specified via an explicit field.
@@ -665,6 +668,9 @@ func init() {
 			if err := s.Convert(&in.Capabilities, &out.Capabilities, 0); err != nil {
 				return err
 			}
+			if err := s.Convert(&in.SecurityContext, &out.SecurityContext, 0); err != nil {
+				return err
+			}
 			return nil
 		},
 		func(in *newer.PodSpec, out *ContainerManifest, s conversion.Scope) error {

diff --git a/pkg/api/v1beta1/register.go b/pkg/api/v1beta1/register.go
@@ -70,6 +70,8 @@ func init() {
 		&PodProxyOptions{},
 		&ComponentStatus{},
 		&ComponentStatusList{},
+		&SecurityContext{},
+		&SecurityConstraints{},
 	)
 	// Future names are supported
 	api.Scheme.AddKnownTypeWithName("v1beta1", "Node", &Minion{})
@@ -114,3 +116,5 @@ func (*PodExecOptions) IsAnAPIObject()            {}
 func (*PodProxyOptions) IsAnAPIObject()           {}
 func (*ComponentStatus) IsAnAPIObject()           {}
 func (*ComponentStatusList) IsAnAPIObject()       {}
+func (*SecurityContext) IsAnAPIObject()           {}
+func (*SecurityConstraints) IsAnAPIObject()       {}