Merge pull request #233 from microsoft/danmihai1/uid-for-more-resourc…
…e-types

genpolicy: get UID from PodSecurityContext
danmihai1 authored Sep 17, 2024
2 parents d2b13a8 + 2c07620 commit 3a0ca4e
Showing 14 changed files with 58 additions and 16 deletions.


4 changes: 3 additions & 1 deletion src/agent/samples/policy/yaml/job/test-job.yaml


4 changes: 3 additions & 1 deletion src/agent/samples/policy/yaml/replica-set/replica-busy.yaml


4 changes: 3 additions & 1 deletion src/agent/samples/policy/yaml/stateful-set/web.yaml


4 changes: 4 additions & 0 deletions src/tools/genpolicy/src/daemon_set.rs
Expand Up @@ -143,4 +143,8 @@ impl yaml::K8sResource for DaemonSet {
}
false
}

fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}
4 changes: 4 additions & 0 deletions src/tools/genpolicy/src/deployment.rs
Expand Up @@ -141,4 +141,8 @@ impl yaml::K8sResource for Deployment {
}
false
}

fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}
4 changes: 4 additions & 0 deletions src/tools/genpolicy/src/job.rs
Expand Up @@ -115,4 +115,8 @@ impl yaml::K8sResource for Job {
}
false
}

fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}
12 changes: 4 additions & 8 deletions src/tools/genpolicy/src/pod.rs
Expand Up @@ -95,7 +95,7 @@ pub struct PodSpec {
topologySpreadConstraints: Option<Vec<TopologySpreadConstraint>>,

#[serde(skip_serializing_if = "Option::is_none")]
securityContext: Option<PodSecurityContext>,
pub securityContext: Option<PodSecurityContext>,

#[serde(skip_serializing_if = "Option::is_none")]
priorityClassName: Option<String>,
Expand Down Expand Up @@ -310,9 +310,9 @@ struct SeccompProfile {

/// See Reference / Kubernetes API / Workload Resources / Pod.
#[derive(Clone, Debug, Serialize, Deserialize)]
struct PodSecurityContext {
pub struct PodSecurityContext {
#[serde(skip_serializing_if = "Option::is_none")]
runAsUser: Option<i64>,
pub runAsUser: Option<i64>,
// TODO: additional fields.
}

Expand Down Expand Up @@ -880,11 +880,7 @@ impl yaml::K8sResource for Pod {
}

fn get_process_fields(&self, process: &mut policy::KataProcess) {
if let Some(context) = &self.spec.securityContext {
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
}
yaml::get_process_fields(process, &self.spec.securityContext);
}
}
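Review bot: `PodSecurityContext` and its `runAsUser` field are made `pub` in the second hunk so that the shared `yaml::get_process_fields` can read them from every workload type, but neither the struct nor the field says that the value ends up as the process UID in the generated policy; a reader of pod.rs alone sees only `// TODO: additional fields.`. A field comment such as `/// Pod-level UID; consumed by yaml::get_process_fields when the policy's process fields are built.` would make that dependency visible at the definition. Whether a container-level `securityContext.runAsUser` override is applied anywhere is not visible in this section, so the comment should not claim either way until that is confirmed. The `impl yaml::K8sResource for Pod` block in the third hunk starts outside the hunk.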

4 changes: 4 additions & 0 deletions src/tools/genpolicy/src/replica_set.rs
Expand Up @@ -113,4 +113,8 @@ impl yaml::K8sResource for ReplicaSet {
}
false
}

fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}
4 changes: 4 additions & 0 deletions src/tools/genpolicy/src/replication_controller.rs
Expand Up @@ -115,4 +115,8 @@ impl yaml::K8sResource for ReplicationController {
}
false
}

fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}
3 changes: 3 additions & 0 deletions src/tools/genpolicy/src/stateful_set.rs
Expand Up @@ -194,6 +194,9 @@ impl yaml::K8sResource for StatefulSet {
}
false
}
fn get_process_fields(&self, process: &mut policy::KataProcess) {
yaml::get_process_fields(process, &self.spec.template.spec.securityContext);
}
}

impl StatefulSet {
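Review bot: The new `get_process_fields` override is placed directly after the closing brace of the preceding method with no separating blank line, unlike the otherwise identical overrides added to daemon_set.rs, deployment.rs, job.rs, replica_set.rs and replication_controller.rs; `rustfmt` does not insert one, so add a blank line before `fn get_process_fields(&self, process: &mut policy::KataProcess) {`. The body itself matches its siblings and needs no change. The enclosing `impl yaml::K8sResource for StatefulSet` block starts outside the hunk.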
15 changes: 13 additions & 2 deletions src/tools/genpolicy/src/yaml.rs
Expand Up @@ -73,8 +73,8 @@ pub trait K8sResource {
fn use_host_network(&self) -> bool;
fn use_sandbox_pidns(&self) -> bool;
fn get_process_fields(&self, _process: &mut policy::KataProcess) {
// Just Pods can have a PodSecurityContext field, so the other
// resources can use this default get_process_fields implementation.
// No need to implement support for securityContext or similar fields
// for some of the K8s resource types.
}
}

Expand Down Expand Up @@ -339,3 +339,14 @@ fn handle_unused_field(path: &str, silent_unsupported_fields: bool) {
panic!("Unsupported field: {}", path);
}
}

pub fn get_process_fields(
process: &mut policy::KataProcess,
security_context: &Option<pod::PodSecurityContext>,
) {
if let Some(context) = security_context {
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
}
}
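Review bot: The `uid.try_into().unwrap()` on the last assignment of the new helper turns any `runAsUser` that does not fit the policy's UID type (a negative number, or one above the target range) into a bare panic that names neither the field nor the value; the YAML that genpolicy reads has not been through API-server validation at this point, so that input should be treated as untrusted. `handle_unused_field` in this file already panics with the offending path, so the consistent fix is `process.User.UID = uid.try_into().expect("securityContext.runAsUser is out of range for the policy UID type");`. The helper is also a new `pub fn` with no doc comment; a `///` line such as "Copies the pod-level `runAsUser` into the process UID; other `PodSecurityContext` fields are not applied yet." would state its scope. Whether a container-level `securityContext.runAsUser` override is applied elsewhere is not visible here; if it is, callers must apply it after this helper, because this assignment is unconditional whenever the pod-level value is present. The rewritten comment on the trait's default implementation in the first hunk no longer says which resource types are expected to rely on the no-op, so naming them (or stating that any type with a pod template should override) would keep the next resource type from silently generating a policy with the default UID.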
