forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
scc_exec.go
74 lines (62 loc) · 2.65 KB
/
scc_exec.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
package admission
import (
"io"
oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
"github.com/openshift/origin/pkg/controller/shared"
kadmission "k8s.io/kubernetes/pkg/admission"
kapi "k8s.io/kubernetes/pkg/api"
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
)
func init() {
kadmission.RegisterPlugin("SCCExecRestrictions", func(client clientset.Interface, config io.Reader) (kadmission.Interface, error) {
execAdmitter := NewSCCExecRestrictions(client)
return execAdmitter, nil
})
}
var _ kadmission.Interface = &sccExecRestrictions{}
var _ = oadmission.WantsInformers(&sccExecRestrictions{})
// sccExecRestrictions is an implementation of admission.Interface which says no to a pod/exec on
// a pod that the user would not be allowed to create
type sccExecRestrictions struct {
*kadmission.Handler
constraintAdmission *constraint
client clientset.Interface
}
func (d *sccExecRestrictions) Admit(a kadmission.Attributes) (err error) {
if a.GetOperation() != kadmission.Connect {
return nil
}
if a.GetResource().GroupResource() != kapi.Resource("pods") {
return nil
}
if a.GetSubresource() != "attach" && a.GetSubresource() != "exec" {
return nil
}
pod, err := d.client.Core().Pods(a.GetNamespace()).Get(a.GetName())
if err != nil {
return kadmission.NewForbidden(a, err)
}
// TODO, if we want to actually limit who can use which service account, then we'll need to add logic here to make sure that
// we're allowed to use the SA the pod is using. Otherwise, user-A creates pod and user-B (who can't use the SA) can exec into it.
createAttributes := kadmission.NewAttributesRecord(pod, pod, kapi.Kind("Pod").WithVersion(""), a.GetNamespace(), a.GetName(), a.GetResource(), "", kadmission.Create, a.GetUserInfo())
if err := d.constraintAdmission.Admit(createAttributes); err != nil {
return kadmission.NewForbidden(a, err)
}
return nil
}
// NewSCCExecRestrictions creates a new admission controller that denies an exec operation on a privileged pod
func NewSCCExecRestrictions(client clientset.Interface) *sccExecRestrictions {
return &sccExecRestrictions{
Handler: kadmission.NewHandler(kadmission.Connect),
constraintAdmission: NewConstraint(client),
client: client,
}
}
// SetInformers implements WantsInformers interface for sccExecRestrictions.
func (d *sccExecRestrictions) SetInformers(informers shared.InformerFactory) {
d.constraintAdmission.sccLister = informers.SecurityContextConstraints().Lister()
}
// Validate defines actions to validate sccExecRestrictions
func (d *sccExecRestrictions) Validate() error {
return d.constraintAdmission.Validate()
}