Merge pull request #283 from nds-org/finer-grained-security-capabilities

Support finer grained security capabilities
nds-org · Aug 2, 2019 · 2df8abd · 2df8abd
2 parents f5e2ab5 + cea373f
commit 2df8abd
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 24 deletions.
diff --git a/apiserver/cmd/server/server.go b/apiserver/cmd/server/server.go
@@ -1146,7 +1146,7 @@ func (s *Server) PostService(w rest.ResponseWriter, r *rest.Request) {
 		glog.V(1).Infof("Added system service %s\n", service.Key)
 	} else {
 		// Don't allow privileged services in user catalogs
-		service.Privileged = false
+		service.SecurityContext = v1.SecurityContext{}
 
 		// Always require auth on user catalog services
 		service.AuthRequired = true
@@ -1223,7 +1223,7 @@ func (s *Server) PutService(w rest.ResponseWriter, r *rest.Request) {
 			return
 		}
 		// Don't allow privileged services in user catalogs
-		service.Privileged = false
+		service.SecurityContext = v1.SecurityContext{}
 
 		// Always require auth on user catalog services
 		service.AuthRequired = true
@@ -1810,11 +1810,6 @@ func (s *Server) startStackService(serviceKey string, userId string, stack *api.
 }
 
 func (s *Server) startController(userId string, serviceKey string, stack *api.Stack, addrPortMap *map[string]kube.ServiceAddrPort) (bool, error) {
-	_, err := s.kube.CreateNetworkPolicy(userId, stack.Id, stack.Id)
-	if err != nil {
-		glog.Errorf("Failed to start controller %s: Failed to create NetworkPolicy: %s\n", serviceKey, err)
-		return false, err
-	}
 
 	var stackService *api.StackService
 	found := false
@@ -1983,7 +1978,7 @@ func (s *Server) startController(userId string, serviceKey string, stack *api.St
 	template.Spec.Template.Spec.Volumes = k8vols
 
 	glog.V(4).Infof("Starting controller %s with volumes %s\n", name, template.Spec.Template.Spec.Volumes)
-	_, err = s.kube.StartController(userId, template)
+	_, err := s.kube.StartController(userId, template)
 	if err != nil {
 		stackService.Status = "error"
 		stackService.StatusMessages = append(stackService.StatusMessages,
@@ -2145,22 +2140,33 @@ func (s *Server) startStack(userId string, stack *api.Stack) (*api.Stack, error)
 	// Get the service/port mappinggs
 	addrPortMap := make(map[string]kube.ServiceAddrPort)
 	for _, stackService := range stackServices {
-		spec, _ := s.etcd.GetServiceSpec(userId, stackService.Service)
-		name := fmt.Sprintf("%s-%s", stack.Id, spec.Key)
-		svc, err := s.kube.GetService(userId, name)
-		if err == nil {
-			addrPort := kube.ServiceAddrPort{
-				Name:     stackService.Service,
-				Host:     svc.Spec.ClusterIP,
-				Port:     svc.Spec.Ports[0].Port,
-				NodePort: svc.Spec.Ports[0].NodePort,
-			}
-			addrPortMap[stackService.Service] = addrPort
+		spec, specErr := s.etcd.GetServiceSpec(userId, stackService.Service)
+		if specErr != nil {
+			glog.Error(specErr)	
 		} else {
-			glog.V(4).Infof("Error getting service %s: %s\n", name, err)
+			name := fmt.Sprintf("%s-%s", stack.Id, spec.Key)
+			svc, svcErr := s.kube.GetService(userId, name)
+			if svcErr == nil {
+				addrPort := kube.ServiceAddrPort{
+					Name:     stackService.Service,
+					Host:     svc.Spec.ClusterIP,
+					Port:     svc.Spec.Ports[0].Port,
+					NodePort: svc.Spec.Ports[0].NodePort,
+				}
+				addrPortMap[stackService.Service] = addrPort
+			} else {
+				glog.Error(svcErr)
+			}
 		}
 	}
 
+	glog.V(4).Infof("Creating network policy for %s %s\n", userId, sid)
+	_, err := s.kube.CreateNetworkPolicy(userId, sid, sid)
+	if err != nil {
+		glog.Errorf("Failed to start controller %s: Failed to create NetworkPolicy: %s\n", sid, err)
+		return stack, err
+	}
+
 	// For each stack service, if no dependencies or dependency == started,
 	// start service. Otherwise wait
 	started := map[string]int{}

diff --git a/apiserver/pkg/kube/kube.go b/apiserver/pkg/kube/kube.go
@@ -618,6 +618,7 @@ func (k *KubeHelper) CreateControllerTemplate(ns string, name string, stack stri
 	} else {
 		tag = "latest"
 	}
+
 	k8template := v1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
 			Labels: map[string]string{
@@ -638,9 +639,7 @@ func (k *KubeHelper) CreateControllerTemplate(ns string, name string, stack stri
 					Command:         spec.Command,
 					Resources:       k8rq,
 					ImagePullPolicy: v1.PullAlways,
-					SecurityContext: &v1.SecurityContext{
-						Privileged: &spec.Privileged,
-					},
+					SecurityContext: &spec.SecurityContext,
 				},
 			},
 			NodeSelector: map[string]string{

diff --git a/apiserver/pkg/types/types.go b/apiserver/pkg/types/types.go
@@ -1,6 +1,10 @@
 // Copyright ÃÂÃÂ© 2016 National Data Service
 package types
 
+import (
+        "k8s.io/api/core/v1"
+)
+
 type ServiceSpec struct {
 	Id                   string              `json:"id"`
 	Key                  string              `json:"key"`
@@ -26,7 +30,7 @@ type ServiceSpec struct {
 	DeveloperEnvironment string              `json:"developerEnvironment"`
 	Tags                 []string            `json:"tags"`
 	Info                 string              `json:"info"`
-	Privileged           bool                `json:"privileged"`
+	SecurityContext      v1.SecurityContext  `json:"securityContext"`
 	AuthRequired         bool                `json:"authRequired"`
 }
 

diff --git a/apiserver/test/services/test/full.json b/apiserver/test/services/test/full.json
@@ -8,6 +8,22 @@
 		"name": "ndslabs/cowsay",
 		"tags": ["latest", "v1", "v2", "v3"]
 	},
+        "securityContext": {
+		"allowPrivilegeEscalation": true,
+		"capabilities": {
+			"add": ["NET_ADMIN", "SYS_TIME"],
+			"drop": ["NET_ADMIN"]
+		},
+		"privileged": true,
+		"procMount": "UnmaskedProcMount",
+		"readOnlyRootFilesystem": true,
+		"runAsGroup": 1000,
+		"runAsNonRoot": true,
+		"runAsUser": 1000,
+		"seLinuxOptions": {
+			"level": "s0:c123,c456"
+		}
+	},
 	"display": "stack",
 	"access": "external",
 	"depends": [{