Set runAsNonRoot=true in gen kube
If the image being used has its user set to a positive integer (a numeric UID greater than 0), then set securityContext.runAsNonRoot to true for the container in the generated kube yaml. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
@ -686,6 +686,13 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []
|
|||||||
if imgData.User == c.User() && hasSecData {
|
if imgData.User == c.User() && hasSecData {
|
||||||
kubeSec.RunAsGroup, kubeSec.RunAsUser = nil, nil
|
kubeSec.RunAsGroup, kubeSec.RunAsUser = nil, nil
|
||||||
}
|
}
|
||||||
|
// If the image has user set as a positive integer value, then set runAsNonRoot to true
|
||||||
|
// in the kube yaml
|
||||||
|
imgUserID, err := strconv.Atoi(imgData.User)
|
||||||
|
if err == nil && imgUserID > 0 {
|
||||||
|
trueBool := true
|
||||||
|
kubeSec.RunAsNonRoot = &trueBool
|
||||||
|
}
|
||||||
|
|
||||||
envVariables, err := libpodEnvVarsToKubeEnvVars(c.config.Spec.Process.Env, imgData.Config.Env)
|
envVariables, err := libpodEnvVarsToKubeEnvVars(c.config.Spec.Process.Env, imgData.Config.Env)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
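Review bot: The new runAsNonRoot decision at `if err == nil && imgUserID > 0 {` looks only at the image's USER and ignores the container's own user, even though the comparison just above it (`imgData.User == c.User()`) indicates the two can differ; a container created with an explicit root user over an image whose USER is 1000 would presumably end up with both `runAsUser: 0` and `runAsNonRoot: true` in the manifest, which Kubernetes rejects when the container starts. Gating the new branch the same way as the existing one, `if err == nil && imgUserID > 0 && imgData.User == c.User() {`, keeps the flag consistent with the user the pod actually runs as (assuming `c.User()` reflects the effective user, as the earlier check suggests). Separately, `strconv.Atoi(imgData.User)` fails on the common `USER 1000:1000` form, so such images silently get no runAsNonRoot; parsing only the uid part, `uidStr, _, _ := strings.Cut(imgData.User, ":")` followed by `strconv.Atoi(uidStr)` (or `strings.SplitN` on older Go, and only if `strings` is imported in this file), covers it. Named users cannot be resolved here, so leaving the field unset for them is the right conservative default and deserves a comment such as `// named users (e.g. "nobody") can't be resolved to a UID here, so runAsNonRoot is left unset`. containerToV1Container begins and ends outside this hunk.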
|
@ -1085,6 +1085,41 @@ ENTRYPOINT ["sleep"]`
|
|||||||
Expect(containers[0]).To(HaveField("Args", []string{"hello"}))
|
Expect(containers[0]).To(HaveField("Args", []string{"hello"}))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
It("podman generate kube - image has positive integer user set", func() {
|
||||||
|
// Build an image with user=1000.
|
||||||
|
containerfile := `FROM quay.io/libpod/alpine:latest
|
||||||
|
USER 1000`
|
||||||
|
|
||||||
|
targetPath, err := CreateTempDirInTempDir()
|
||||||
|
Expect(err).ToNot(HaveOccurred())
|
||||||
|
containerfilePath := filepath.Join(targetPath, "Containerfile")
|
||||||
|
err = os.WriteFile(containerfilePath, []byte(containerfile), 0644)
|
||||||
|
Expect(err).ToNot(HaveOccurred())
|
||||||
|
|
||||||
|
image := "generatekube:test"
|
||||||
|
session := podmanTest.Podman([]string{"build", "--pull-never", "-f", containerfilePath, "-t", image})
|
||||||
|
session.WaitWithDefaultTimeout()
|
||||||
|
Expect(session).Should(Exit(0))
|
||||||
|
|
||||||
|
session = podmanTest.Podman([]string{"create", "--pod", "new:testpod", image, "top"})
|
||||||
|
session.WaitWithDefaultTimeout()
|
||||||
|
Expect(session).Should(Exit(0))
|
||||||
|
|
||||||
|
kube := podmanTest.Podman([]string{"generate", "kube", "testpod"})
|
||||||
|
kube.WaitWithDefaultTimeout()
|
||||||
|
Expect(kube).Should(Exit(0))
|
||||||
|
|
||||||
|
// Now make sure that the container's securityContext has runAsNonRoot=true
|
||||||
|
pod := new(v1.Pod)
|
||||||
|
err = yaml.Unmarshal(kube.Out.Contents(), pod)
|
||||||
|
Expect(err).ToNot(HaveOccurred())
|
||||||
|
|
||||||
|
containers := pod.Spec.Containers
|
||||||
|
Expect(containers).To(HaveLen(1))
|
||||||
|
trueBool := true
|
||||||
|
Expect(containers[0]).To(HaveField("SecurityContext.RunAsNonRoot", &trueBool))
|
||||||
|
})
|
||||||
|
|
||||||
It("podman generate kube - --privileged container", func() {
|
It("podman generate kube - --privileged container", func() {
|
||||||
session := podmanTest.Podman([]string{"create", "--pod", "new:testpod", "--privileged", ALPINE, "ls"})
|
session := podmanTest.Podman([]string{"create", "--pod", "new:testpod", "--privileged", ALPINE, "ls"})
|
||||||
session.WaitWithDefaultTimeout()
|
session.WaitWithDefaultTimeout()
|
||||||
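Review bot: The new case pins only the positive path (`USER 1000` yields `RunAsNonRoot` true) and leaves the other side of the branch unverified; an image with no USER or a named user should produce a nil `SecurityContext.RunAsNonRoot`, and the `USER 1000:1000` form is the one most likely to surprise, since the implementation parses the whole string with strconv.Atoi. A second `It` (or a small table over `USER 1000:1000`, `USER nobody` and no USER) asserting `Expect(containers[0].SecurityContext.RunAsNonRoot).To(BeNil())` for the non-numeric cases, and stating whatever result is intended for `1000:1000`, would pin the check both ways. The image `generatekube:test` is built here but not removed in this case; if the surrounding suite does not prune images between tests, a deferred `podman rmi` keeps it from leaking into later cases. The enclosing Describe block starts and ends outside this hunk.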
|