CRI: Add security context for sandbox/container #34811
453391e
766b570
476cd96
3df60eb
3aee57d
f8e5f81
@@ -148,16 +148,35 @@ message NamespaceOption { | |
optional bool host_ipc = 3; | ||
} | ||
|
||
// LinuxSandboxSecurityContext holds linux security configuration that will be | ||
// applied to a sandbox. Note that: | ||
// 1) It does not apply to containers in the pods. | ||
// 2) It may not be applicable to a PodSandbox which does not contain any running | ||
// process. | ||
message LinuxSandboxSecurityContext { | ||
// The configurations for the sandbox's namespaces. | ||
// This will be used only if the PodSandbox uses namespace for isolation. | ||
optional NamespaceOption namespace_options = 1; | ||
// Optional SELinux context to be applied. | ||
optional SELinuxOption selinux_options = 2; | ||
// The UID to run the entrypoint of the sandbox process. | ||
optional int64 run_as_user = 3; | ||
// If set, the root filesystem of the sandbox is read-only. | ||
optional bool readonly_rootfs = 4; | ||
// A list of groups applied to the first process run in the sandbox, in addition | ||
// to the sandbox's primary GID. | ||
repeated int64 supplemental_groups = 5; | ||
} | ||
|
||
// LinuxPodSandboxConfig holds platform-specific configurations for Linux | ||
// host platforms and Linux-based containers. | ||
message LinuxPodSandboxConfig { | ||
// The parent cgroup of the pod sandbox. | ||
// The cgroupfs style syntax will be used, but the container runtime can | ||
// convert it to systemd semantics if needed. | ||
optional string cgroup_parent = 1; | ||
// The configurations for the sandbox's namespaces. | ||
// This will be used only if the PodSandbox uses namespace for isolation. | ||
optional NamespaceOption namespace_options = 2; | ||
// LinuxSandboxSecurityContext holds sandbox security attributes. | ||
optional LinuxSandboxSecurityContext security_context = 2; | ||
} | ||
|
||
// PodSandboxMetadata holds all necessary information for building the sandbox name. | ||
|
@@ -409,26 +428,34 @@ message Capability { | |
repeated string drop_capabilities = 2; | ||
} | ||
|
||
// LinuxContainerSecurityContext holds linux security configuration that will be applied to a container. | ||
message LinuxContainerSecurityContext { | ||
// Capabilities to add or drop. | ||
optional Capability capabilities = 1; | ||
// If set, run container in privileged mode. | ||
optional bool privileged = 2; | ||
// The configurations for the container's namespaces. | ||
// This will be used only if the container uses namespace for isolation. | ||
optional NamespaceOption namespace_options = 3; | ||
// Optional SELinux context to be applied. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Add a sentence about precedence here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ack |
||
optional SELinuxOption selinux_options = 4; | ||
// The UID to run the the container process as. | ||
// Defaults to user specified in image metadata if unspecified. | ||
optional int64 run_as_user = 5; | ||
// If set, the root filesystem of the container is read-only. | ||
optional bool readonly_rootfs = 6; | ||
// A list of groups applied to the first process run in the container, in addition | ||
// to the container's primary GID. | ||
repeated int64 supplemental_groups = 7; | ||
} | ||
|
||
// LinuxContainerConfig contains platform-specific configuration for | ||
// Linux-based containers. | ||
message LinuxContainerConfig { | ||
// Resources specification for the container. | ||
optional LinuxContainerResources resources = 1; | ||
// Capabilities to add or drop. | ||
optional Capability capabilities = 2; | ||
// Optional SELinux context to be applied. | ||
optional SELinuxOption selinux_options = 3; | ||
// User contains the user for the container process. | ||
optional LinuxUser user = 4; | ||
} | ||
|
||
message LinuxUser { | ||
// uid specifies the user ID the container process has. | ||
optional int64 uid = 1; | ||
// gid specifies the group ID the container process has. | ||
optional int64 gid = 2; | ||
// additional_gids specifies additional GIDs the container process has. | ||
repeated int64 additional_gids = 3; | ||
// LinuxContainerSecurityContext configuration for the container. | ||
optional LinuxContainerSecurityContext security_context = 2; | ||
} | ||
|
||
// ContainerMetadata holds all necessary information for building the container | ||
|
@@ -488,11 +515,6 @@ message ContainerConfig { | |
// Annotations is an unstructured key value map that may be set by external | ||
// tools to store and retrieve arbitrary metadata. | ||
map<string, string> annotations = 10; | ||
// If set, run container in privileged mode. | ||
// Processes in privileged containers are essentially equivalent to root on the host. | ||
optional bool privileged = 11; | ||
// If set, the root filesystem of the container is read-only. | ||
optional bool readonly_rootfs = 12; | ||
// Path relative to PodSandboxConfig.LogDirectory for container to store | ||
// the log (STDOUT and STDERR) on the host. | ||
// E.g., | ||
|
@@ -503,19 +525,18 @@ message ContainerConfig { | |
// container logs are under active discussion in | ||
// https://issues.k8s.io/24677. There *may* be future change of direction | ||
// for logging as the discussion carries on. | ||
optional string log_path = 13; | ||
// The hash of container config | ||
optional string log_path = 11; | ||
|
||
// Variables for interactive containers, these have very specialized | ||
// use-cases (e.g. debugging). | ||
// TODO: Determine if we need to continue supporting these fields that are | ||
// part of Kubernetes's Container Spec. | ||
optional bool stdin = 14; | ||
optional bool stdin_once = 15; | ||
optional bool tty = 16; | ||
optional bool stdin = 12; | ||
optional bool stdin_once = 13; | ||
optional bool tty = 14; | ||
|
||
// Linux contains configuration specific to Linux containers. | ||
optional LinuxContainerConfig linux = 17; | ||
optional LinuxContainerConfig linux = 15; | ||
} | ||
|
||
message CreateContainerRequest { | ||
|
@@ -737,6 +758,8 @@ message Image { | |
repeated string repo_digests = 3; | ||
// The size of the image in bytes. | ||
optional uint64 size = 4; | ||
// The uid that will run the command(s). | ||
optional int64 uid = 5; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @euank @yifan-gu are you ok with this or do you prefer runtime itself checks the Background: In the initial version, kubelet set the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, we have that image info handy as well. I'm 👍 for kubelet doing that check. My nit for this field is that There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Actually, reading more it looks like this is strictly only UID and k8s just doesn't support looks like my concern isn't valid. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
IIRC the reason it doesn't support non-numeric users is that it is not trivial to get at an image's /etc/passwd without actually creating a container. @yujuhong I support Kubelet implementing the |
||
} | ||
|
||
message ListImagesResponse { | ||
|
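Review bot: The new `privileged` field in LinuxContainerSecurityContext (second hunk, `@@ -409,26 +428,34 @@`) keeps only `// If set, run container in privileged mode.` and drops the warning that the removed ContainerConfig.privileged carried in the third hunk; suggest restoring `// Processes in privileged containers are essentially equivalent to root on the host.` directly under it, since this is the field a runtime implementer most needs to read as a host trust-boundary decision rather than a plain toggle. Separately, `optional LinuxSandboxSecurityContext security_context = 2;` in LinuxPodSandboxConfig (first hunk) takes over the number of the removed `namespace_options = 2` with a different message type, `security_context = 2` in LinuxContainerConfig does the same to `capabilities = 2`, and `log_path`, `stdin`, `stdin_once`, `tty` and `linux` in ContainerConfig are renumbered, so a payload from a writer built against the old schema would decode into the wrong field instead of failing. If this API is still pre-release that may be acceptable, but a `reserved` entry for the retired numbers, or a file-level comment stating the API is not yet wire-stable, would make that intent explicit for anyone consuming the proto.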
@@ -123,13 +123,16 @@ func extractLabels(input map[string]string) (map[string]string, map[string]strin | |
// '<HostPath>:<ContainerPath>:Z', if the volume requires SELinux | ||
// relabeling and the pod provides an SELinux label | ||
func generateMountBindings(mounts []*runtimeApi.Mount) (result []string) { | ||
// TODO: resolve podHasSELinuxLabel | ||
for _, m := range mounts { | ||
bind := fmt.Sprintf("%s:%s", m.GetHostPath(), m.GetContainerPath()) | ||
readOnly := m.GetReadonly() | ||
if readOnly { | ||
bind += ":ro" | ||
} | ||
// Only request relabeling if the pod provides an SELinux context. If the pod | ||
// does not provide an SELinux context relabeling will label the volume with | ||
// the container's randomly allocated MCS label. This would restrict access | ||
// to the volume to the container which mounts it first. | ||
if m.GetSelinuxRelabel() { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Might as well handle this TODO now that #33663 has merged, IMO. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
if readOnly { | ||
bind += ",Z" | ||
|
Should add a sentence about precedence here as well.
ack. thanks.