From b83485022da756c73f753f209fec9931d4bef5f9 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 6 Sep 2023 16:49:38 -0400
Subject: [PATCH] Add support for kube securityContext\.procMount
Fixes: https://github.com/containers/podman/issues/19881
Signed-off-by: Daniel J Walsh
---
 docs/kubernetes_support.md | 2 +-
 libpod/container_inspect.go | 4 ++++
 libpod/kube.go | 6 ++++++
 pkg/specgen/generate/kube/kube.go | 4 ++++
 test/system/710-kube.bats | 15 +++++++++++++++
 5 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/docs/kubernetes_support.md b/docs/kubernetes_support.md
index f19a4a8358..fa427621ec 100644
--- a/docs/kubernetes_support.md
+++ b/docs/kubernetes_support.md
@@ -121,7 +121,7 @@ Note: **N/A** means that the option cannot be supported in a single-node Podman
 | securityContext\.runAsNonRoot | no |
 | securityContext\.runAsGroup | ✅ |
 | securityContext\.readOnlyRootFilesystem | ✅ |
-| securityContext\.procMount | no |
+| securityContext\.procMount | ✅ |
 | securityContext\.privileged | ✅ |
 | securityContext\.allowPrivilegeEscalation | ✅ |
 | securityContext\.capabilities\.add | ✅ |
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 19242632fc..cf895103c6 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -312,6 +312,10 @@ func (c *Container) GetSecurityOptions() []string {
 if apparmor, ok := ctrSpec.Annotations[define.InspectAnnotationApparmor]; ok {
 SecurityOpt = append(SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor))
 }
+ if c.config.Spec.Linux.MaskedPaths == nil {
+ SecurityOpt = append(SecurityOpt, "unmask=all")
+ }
+
 return SecurityOpt
 }
diff --git a/libpod/kube.go b/libpod/kube.go
index 072b98f421..15def203b7 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
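Review bot: `c.config.Spec.Linux.MaskedPaths == nil` dereferences `Spec.Linux` without a nil check; in the OCI runtime spec `Linux` is a pointer, so inspect would panic on a spec that has no Linux section, and the same pattern is added in the libpod/kube.go hunk. A guard such as `if c.config.Spec.Linux != nil && c.config.Spec.Linux.MaskedPaths == nil {` keeps inspect from crashing; if `ctrSpec` (declared above the hunk) is `c.config.Spec`, reading `ctrSpec.Linux` would also match the apparmor lookup two lines up. A nil MaskedPaths is presumably also what a privileged container ends up with, so the reported `unmask=all` may reflect `--privileged` rather than an explicit `--security-opt unmask=all`; a comment such as `// No masked paths at all is how --security-opt unmask=all is recorded.` would make the inference explicit. GetSecurityOptions starts above the hunk.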
@@ -1220,6 +1220,12 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, bool, error
 scHasData = true
 sc.ReadOnlyRootFilesystem = &ro
 }
+ if c.config.Spec.Linux.MaskedPaths == nil {
+ scHasData = true
+ unmask := v1.UnmaskedProcMount
+ sc.ProcMount = &unmask
+ }
+
 if c.User() != "" {
 if !c.batched {
 c.lock.Lock()
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 0f97b551eb..9eb97d9897 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -807,6 +807,10 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security
 s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation
 }
+ if securityContext.ProcMount != nil && *securityContext.ProcMount == v1.UnmaskedProcMount {
+ s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, []string{"ALL"}...)
+ }
+
 seopt := securityContext.SELinuxOptions
 if seopt == nil {
 seopt = podSecurityContext.SELinuxOptions
diff --git a/test/system/710-kube.bats b/test/system/710-kube.bats
index 6e367432f5..f5e7d31ca1 100644
--- a/test/system/710-kube.bats
+++ b/test/system/710-kube.bats
@@ -74,6 +74,21 @@ status | = | null
 run_podman rm $cname
 }
+@test "podman kube generate unmasked" {
+ KUBE=$PODMAN_TMPDIR/kube.yaml
+ run_podman create --name test --security-opt unmask=all $IMAGE
+ run_podman inspect --format '{{ .HostConfig.SecurityOpt }}' test
+ is "$output" "[unmask=all]" "Inspect should see unmask all"
+ run_podman kube generate test -f $KUBE
+ assert "$(< $KUBE)" =~ "procMount: Unmasked" "Generated kube yaml should have procMount unmasked"
+ run_podman kube play $KUBE
+ run_podman inspect --format '{{ .HostConfig.SecurityOpt }}' test-pod-test
+ is "$output" "[unmask=all]" "Inspect kube play container should see unmask all"
+ run_podman kube down $KUBE
+ run_podman pod rm -a
+ run_podman rm -a
+}
+
 @test "podman kube generate - pod" {
 local pname=p$(random_string 15)
 local cname1=c1$(random_string 15)
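Review bot: The `procMount: Unmasked` emitted here goes into the generated YAML with no comment on when Kubernetes honors it; as far as I know the field sits behind the ProcMountType feature gate and is disallowed under the baseline Pod Security Standard, so a manifest generated from an `unmask=all` container may not be accepted as-is by a cluster. A short comment above the new block, `// A nil MaskedPaths is how --security-opt unmask=all is recorded; Kubernetes expresses the same thing as procMount: Unmasked.`, would document the mapping the generator relies on. The nil guard on `Spec.Linux` raised for the container_inspect.go hunk applies to this block as well. generateKubeSecurityContext starts and ends outside the hunk.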
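Review bot: `append(s.ContainerSecurityConfig.Unmask, []string{"ALL"}...)` builds a one-element slice only to spread it; `s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, "ALL")` is the plain form. Unlike the SELinux fallback just below, there is no `podSecurityContext` lookup for this field, which is correct because the Kubernetes PodSecurityContext has no procMount; a one-line comment saying so, `// procMount is container-level only in Kubernetes, so there is no pod-level fallback.`, would stop a future reader from adding one. Note also that `kube play` honors Unmasked with no further gating, so a manifest from an untrusted source clears every masked path in the container; that is consistent with `--security-opt unmask=all` being available on the command line, but worth a sentence in the user documentation. setupSecurityContext starts and ends outside the hunk.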
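Review bot: The new test only checks the positive direction; nothing asserts that a container created without `unmask=all` yields a YAML with no `procMount` line, which is the case that would catch the nil-MaskedPaths test firing too broadly. A second plain container plus `assert "$(< $KUBE)" !~ "procMount" "plain container should not get procMount"` covers it. The test also hard-codes the names `test` and `test-pod-test` and cleans up with `pod rm -a` / `rm -a`, whereas the neighbouring test uses `random_string` names and removes only what it created; following that pattern avoids clobbering other containers when the suite runs alongside other work.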