Add support for kube securityContext\.procMount

Fixes: https://github.com/containers/podman/issues/19881 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-06-19 16:33:24 +08:00 · 2023-09-06 16:49:38 -04:00
parent c17c190f89
commit b83485022d
5 changed files with 30 additions and 1 deletions
--- a/docs/kubernetes_support.md
+++ b/docs/kubernetes_support.md
@ -121,7 +121,7 @@ Note: **N/A** means that the option cannot be supported in a single-node Podman
 | securityContext\.runAsNonRoot                       | no      |
 | securityContext\.runAsGroup                         | ✅      |
 | securityContext\.readOnlyRootFilesystem             | ✅      |
-| securityContext\.procMount                          | no      |
+| securityContext\.procMount                          | ✅      |
 | securityContext\.privileged                         | ✅      |
 | securityContext\.allowPrivilegeEscalation           | ✅      |
 | securityContext\.capabilities\.add                  | ✅      |
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@ -312,6 +312,10 @@ func (c *Container) GetSecurityOptions() []string {
 	if apparmor, ok := ctrSpec.Annotations[define.InspectAnnotationApparmor]; ok {
 		SecurityOpt = append(SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor))
 	}
+	if c.config.Spec.Linux.MaskedPaths == nil {
+		SecurityOpt = append(SecurityOpt, "unmask=all")
+	}
+
 	return SecurityOpt
 }

--- a/libpod/kube.go
+++ b/libpod/kube.go
@ -1220,6 +1220,12 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, bool, error
 		scHasData = true
 		sc.ReadOnlyRootFilesystem = &ro
 	}
+	if c.config.Spec.Linux.MaskedPaths == nil {
+		scHasData = true
+		unmask := v1.UnmaskedProcMount
+		sc.ProcMount = &unmask
+	}
+
 	if c.User() != "" {
 		if !c.batched {
 			c.lock.Lock()
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@ -807,6 +807,10 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security
 		s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation
 	}

+	if securityContext.ProcMount != nil && *securityContext.ProcMount == v1.UnmaskedProcMount {
+		s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, []string{"ALL"}...)
+	}
+
 	seopt := securityContext.SELinuxOptions
 	if seopt == nil {
 		seopt = podSecurityContext.SELinuxOptions
--- a/test/system/710-kube.bats
+++ b/test/system/710-kube.bats
@ -74,6 +74,21 @@ status                           | =  | null
    run_podman rm $cname
 }

+@test "podman kube generate unmasked" {
+      KUBE=$PODMAN_TMPDIR/kube.yaml
+      run_podman create --name test --security-opt unmask=all $IMAGE
+      run_podman inspect --format '{{ .HostConfig.SecurityOpt }}' test
+      is "$output" "[unmask=all]" "Inspect should see unmask all"
+      run_podman kube generate test -f $KUBE
+      assert "$(< $KUBE)" =~ "procMount: Unmasked" "Generated kube yaml should have procMount unmasked"
+      run_podman kube play $KUBE
+      run_podman inspect --format '{{ .HostConfig.SecurityOpt }}' test-pod-test
+      is "$output" "[unmask=all]" "Inspect kube play container should see unmask all"
+      run_podman kube down $KUBE
+      run_podman pod rm -a
+      run_podman rm -a
+}
+
@test "podman kube generate - pod" {
    local pname=p$(random_string 15)
    local cname1=c1$(random_string 15)