update to 1.25.3

Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
zhangxiaoyu 2023-07-21 10:41:06 +08:00
parent fdfbac74e0
commit 7f504c0be2
12 changed files with 690 additions and 1740 deletions


@ -1,7 +1,7 @@
From 6f69a95a25dc6fb1b3d0e024cb28f5c83022dc58 Mon Sep 17 00:00:00 2001
From d49390e67b2d3027c8c0ad799bf294a89d4d149f Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 3 Jan 2023 14:19:44 +0800
Subject: fix compile options
Date: Thu, 20 Jul 2023 17:27:05 +0800
Subject: [PATCH] fix compile options
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
@ -9,10 +9,10 @@ Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
index 2865da28..ed64483e 100755
index 232c17b3..c6cbce44 100755
--- a/hack/lib/golang.sh
+++ b/hack/lib/golang.sh
@@ -709,6 +709,7 @@ kube::golang::build_binaries_for_platform() {
@@ -744,6 +744,7 @@ kube::golang::build_binaries_for_platform() {
-installsuffix=static
${goflags:+"${goflags[@]}"}
-gcflags="${gogcflags}"
@ -20,7 +20,7 @@ index 2865da28..ed64483e 100755
-asmflags="${goasmflags}"
-ldflags="${goldflags}"
-tags="${gotags:-}"
@@ -720,6 +721,7 @@ kube::golang::build_binaries_for_platform() {
@@ -755,6 +756,7 @@ kube::golang::build_binaries_for_platform() {
build_args=(
${goflags:+"${goflags[@]}"}
-gcflags="${gogcflags}"
@ -28,8 +28,8 @@ index 2865da28..ed64483e 100755
-asmflags="${goasmflags}"
-ldflags="${goldflags}"
-tags="${gotags:-}"
@@ -808,7 +810,7 @@ kube::golang::build_binaries() {
gogcflags="${gogcflags} -N -l"
@@ -844,7 +846,7 @@ kube::golang::build_binaries() {
goasmflags=""
fi
- goldflags="all=$(kube::version::ldflags) ${GOLDFLAGS:-}"


@ -1,21 +1,21 @@
From 2bdde6764d529d9f0633178b171aa193280d6ecb Mon Sep 17 00:00:00 2001
From cb4f12375beffd61f3b2d666ca3f92d574ceb597 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 3 Jan 2023 14:20:10 +0800
Subject: kubelet support exec and attach websocket protocol
Subject: [PATCH] kubelet support exec and attach websocket protocol
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
.../cri/streaming/remotecommand/proxy.go | 206 ++++++++++++++++++
.../cri/streaming/remotecommand/proxy.go | 212 ++++++++++++++++++
pkg/kubelet/server/server.go | 43 +++-
2 files changed, 241 insertions(+), 8 deletions(-)
2 files changed, 247 insertions(+), 8 deletions(-)
create mode 100644 pkg/kubelet/cri/streaming/remotecommand/proxy.go
diff --git a/pkg/kubelet/cri/streaming/remotecommand/proxy.go b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
new file mode 100644
index 00000000..f21629af
index 00000000..179d8183
--- /dev/null
+++ b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
@@ -0,0 +1,206 @@
@@ -0,0 +1,212 @@
+package remotecommand
+
+import (
@ -33,8 +33,8 @@ index 00000000..f21629af
+ "k8s.io/apimachinery/pkg/apis/meta/v1"
+ remotecommandconsts "k8s.io/apimachinery/pkg/util/remotecommand"
+ "k8s.io/apimachinery/pkg/util/runtime"
+ "k8s.io/client-go/util/exec"
+ "k8s.io/klog/v2"
+ "k8s.io/kubernetes/staging/src/k8s.io/client-go/util/exec"
+)
+
+var (
@ -147,6 +147,12 @@ index 00000000..f21629af
+ case <-frontendResizeToBackendComplete:
+ }
+
+ select {
+ case <-backendToFrontendComplete:
+ case <-time.Tick(30 * time.Second):
+ klog.Errorf("Wait backend to frontend complete timeout")
+ }
+
+ if errConnection != nil {
+ klog.Errorf("SpdyProxy: the connection disconnected: %v", errConnection)
+ if exitErr, ok := errConnection.(exec.ExitError); ok && exitErr.Exited() {
@ -223,10 +229,10 @@ index 00000000..f21629af
+ return len(p), nil
+}
diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
index 127192e0..cd11f807 100644
index 84dbd545..73627d5b 100644
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
@@ -769,51 +769,78 @@ func proxyStream(w http.ResponseWriter, r *http.Request, url *url.URL) {
@@ -797,51 +797,78 @@ func proxyStream(w http.ResponseWriter, r *http.Request, url *url.URL) {
// getAttach handles requests to attach to a container.
func (s *Server) getAttach(request *restful.Request, response *restful.Response) {
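Review bot: The wait folded into proxy.go, `case <-time.Tick(30 * time.Second):`, leaks a ticker on every exec/attach session, because `time.Tick` allocates a `*time.Ticker` that is never stopped (and, before Go 1.23, never garbage-collected) while this select runs only once; use `case <-time.After(30 * time.Second):` instead. Waiting up to 30 seconds for backendToFrontendComplete after the frontend side has already finished also keeps the kubelet handler goroutine alive for a stalled backend, so a one-line comment above the select saying why the backend copy is awaited rather than cancelled would help the next maintainer. The import hunk also swaps between `k8s.io/client-go/util/exec` and `k8s.io/kubernetes/staging/src/k8s.io/client-go/util/exec`; if the staging path is the new side, it imports the same package under a second path rather than the canonical one used by the rest of the tree, which is worth confirming before this is rebased again. The enclosing ProxyToWebSocket function starts and ends outside this hunk.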


@ -1,7 +1,7 @@
From ffa3e2336c5f4078c84f8c719c48673c7e5f7290 Mon Sep 17 00:00:00 2001
From 98128bcf1bd9c9ea86c1c8d48c0b1acda4ec7e73 Mon Sep 17 00:00:00 2001
From: David Leadbeater <dgl@dgl.cx>
Date: Mon, 31 Oct 2022 01:08:43 +1000
Subject: Escape terminal special characters in kubectl (#112553)
Subject: [PATCH] Escape terminal special characters in kubectl (#112553)
* Escape terminal special characters in kubectl
@ -116,10 +116,10 @@ index 00000000..5a59491e
+ return terminalEscaper.Replace(in)
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go b/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
index f9f48176..64d6d6f1 100644
index 2b205667..38024cfa 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/get/customcolumn.go
@@ -250,7 +250,7 @@ func (s *CustomColumnsPrinter) printOneObject(obj runtime.Object, parsers []*jso
@@ -252,7 +252,7 @@ func (s *CustomColumnsPrinter) printOneObject(obj runtime.Object, parsers []*jso
}
for arrIx := range values {
for valIx := range values[arrIx] {
@ -156,7 +156,7 @@ index e4fb17a8..de403142 100644
},
}
diff --git a/staging/src/k8s.io/kubectl/pkg/describe/describe.go b/staging/src/k8s.io/kubectl/pkg/describe/describe.go
index 2a8bf9cc..ef8070f1 100644
index 484ed09f..d3b65132 100644
--- a/staging/src/k8s.io/kubectl/pkg/describe/describe.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/describe.go
@@ -65,6 +65,7 @@ import (
@ -184,10 +184,10 @@ index 2a8bf9cc..ef8070f1 100644
func (pw *prefixWriter) Flush() {
diff --git a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
index 7314feb2..5d8f1a0b 100644
index 5225ec2d..a3e2feba 100644
--- a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
@@ -5322,3 +5322,22 @@ func TestControllerRef(t *testing.T) {
@@ -5520,3 +5520,22 @@ func TestControllerRef(t *testing.T) {
t.Errorf("unexpected out: %s", out)
}
}


@ -1,30 +0,0 @@
From 61834dbb52cc71a7e511f5b9af11b9799391ef1a Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 1 Nov 2022 15:34:16 +0800
Subject: timeout wait backend to frontend complete
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
pkg/kubelet/cri/streaming/remotecommand/proxy.go | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pkg/kubelet/cri/streaming/remotecommand/proxy.go b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
index f21629af..296c6122 100644
--- a/pkg/kubelet/cri/streaming/remotecommand/proxy.go
+++ b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
@@ -129,6 +129,12 @@ func ProxyToWebSocket(w http.ResponseWriter, r *http.Request, url *url.URL, opts
case <-frontendResizeToBackendComplete:
}
+ select {
+ case <-backendToFrontendComplete:
+ case <-time.Tick(30 * time.Second):
+ klog.Errorf("Wait backend to frontend complete timeout")
+ }
+
if errConnection != nil {
klog.Errorf("SpdyProxy: the connection disconnected: %v", errConnection)
if exitErr, ok := errConnection.(exec.ExitError); ok && exitErr.Exited() {
--
2.25.1


@ -1,284 +0,0 @@
From 978dcb825f2808bd298bfbc6e9c91b1fd7859ba3 Mon Sep 17 00:00:00 2001
From: Di Jin <dxmhu@google.com>
Date: Thu, 1 Sep 2022 15:25:26 -0700
Subject: Add an option for aggregator
---
cmd/kube-apiserver/app/aggregator.go | 9 ++-
cmd/kube-apiserver/app/options/options.go | 9 ++-
.../app/options/options_test.go | 5 +-
.../pkg/util/proxy/upgradeaware.go | 27 +++++++
.../pkg/util/proxy/upgradeaware_test.go | 77 +++++++++++++++++++
.../pkg/apiserver/apiserver.go | 7 ++
.../pkg/apiserver/handler_proxy.go | 6 ++
7 files changed, 132 insertions(+), 8 deletions(-)
diff --git a/cmd/kube-apiserver/app/aggregator.go b/cmd/kube-apiserver/app/aggregator.go
index 2466dcc2..9cf23362 100644
--- a/cmd/kube-apiserver/app/aggregator.go
+++ b/cmd/kube-apiserver/app/aggregator.go
@@ -111,10 +111,11 @@ func createAggregatorConfig(
SharedInformerFactory: externalInformers,
},
ExtraConfig: aggregatorapiserver.ExtraConfig{
- ProxyClientCertFile: commandOptions.ProxyClientCertFile,
- ProxyClientKeyFile: commandOptions.ProxyClientKeyFile,
- ServiceResolver: serviceResolver,
- ProxyTransport: proxyTransport,
+ ProxyClientCertFile: commandOptions.ProxyClientCertFile,
+ ProxyClientKeyFile: commandOptions.ProxyClientKeyFile,
+ ServiceResolver: serviceResolver,
+ ProxyTransport: proxyTransport,
+ RejectForwardingRedirects: commandOptions.AggregatorRejectForwardingRedirects,
},
}
diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go
index 9672b187..794d0d9f 100644
--- a/cmd/kube-apiserver/app/options/options.go
+++ b/cmd/kube-apiserver/app/options/options.go
@@ -75,7 +75,8 @@ type ServerRunOptions struct {
ProxyClientCertFile string
ProxyClientKeyFile string
- EnableAggregatorRouting bool
+ EnableAggregatorRouting bool
+ AggregatorRejectForwardingRedirects bool
MasterCount int
EndpointReconcilerType string
@@ -131,7 +132,8 @@ func NewServerRunOptions() *ServerRunOptions {
},
HTTPTimeout: time.Duration(5) * time.Second,
},
- ServiceNodePortRange: kubeoptions.DefaultServiceNodePortRange,
+ ServiceNodePortRange: kubeoptions.DefaultServiceNodePortRange,
+ AggregatorRejectForwardingRedirects: true,
}
// Overwrite the default for storage data format.
@@ -243,6 +245,9 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
fs.BoolVar(&s.EnableAggregatorRouting, "enable-aggregator-routing", s.EnableAggregatorRouting,
"Turns on aggregator routing requests to endpoints IP rather than cluster IP.")
+ fs.BoolVar(&s.AggregatorRejectForwardingRedirects, "aggregator-reject-forwarding-redirect", s.AggregatorRejectForwardingRedirects,
+ "Aggregator reject forwarding redirect response back to client.")
+
fs.StringVar(&s.ServiceAccountSigningKeyFile, "service-account-signing-key-file", s.ServiceAccountSigningKeyFile, ""+
"Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.")
diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go
index 26eb6a95..90e1f045 100644
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -315,8 +315,9 @@ func TestAddFlags(t *testing.T) {
Traces: &apiserveroptions.TracingOptions{
ConfigFile: "/var/run/kubernetes/tracing_config.yaml",
},
- IdentityLeaseDurationSeconds: 3600,
- IdentityLeaseRenewIntervalSeconds: 10,
+ IdentityLeaseDurationSeconds: 3600,
+ IdentityLeaseRenewIntervalSeconds: 10,
+ AggregatorRejectForwardingRedirects: true,
}
if !reflect.DeepEqual(expected, s) {
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
index f56c17ca..a3a14241 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
@@ -83,6 +83,8 @@ type UpgradeAwareHandler struct {
MaxBytesPerSec int64
// Responder is passed errors that occur while setting up proxying.
Responder ErrorResponder
+ // Reject to forward redirect response
+ RejectForwardingRedirects bool
}
const defaultFlushInterval = 200 * time.Millisecond
@@ -257,6 +259,31 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
proxy.Transport = h.Transport
proxy.FlushInterval = h.FlushInterval
proxy.ErrorLog = log.New(noSuppressPanicError{}, "", log.LstdFlags)
+ if h.RejectForwardingRedirects {
+ oldModifyResponse := proxy.ModifyResponse
+ proxy.ModifyResponse = func(response *http.Response) error {
+ code := response.StatusCode
+ if code >= 300 && code <= 399 {
+ // close the original response
+ response.Body.Close()
+ msg := "the backend attempted to redirect this request, which is not permitted"
+ // replace the response
+ *response = http.Response{
+ StatusCode: http.StatusBadGateway,
+ Status: fmt.Sprintf("%d %s", response.StatusCode, http.StatusText(response.StatusCode)),
+ Body: io.NopCloser(strings.NewReader(msg)),
+ ContentLength: int64(len(msg)),
+ }
+ } else {
+ if oldModifyResponse != nil {
+ if err := oldModifyResponse(response); err != nil {
+ return err
+ }
+ }
+ }
+ return nil
+ }
+ }
if h.Responder != nil {
// if an optional error interceptor/responder was provided wire it
// the custom responder might be used for providing a unified error reporting
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
index f57b69a0..0d77fb11 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
@@ -704,6 +704,83 @@ func TestProxyUpgradeErrorResponse(t *testing.T) {
}
}
+func TestRejectForwardingRedirectsOption(t *testing.T) {
+ originalBody := []byte(`some data`)
+ testCases := []struct {
+ name string
+ rejectForwardingRedirects bool
+ serverStatusCode int
+ expectStatusCode int
+ expectBody []byte
+ }{
+ {
+ name: "reject redirection enabled in proxy, backend server sending 200 response",
+ rejectForwardingRedirects: true,
+ serverStatusCode: 200,
+ expectStatusCode: 200,
+ expectBody: originalBody,
+ },
+ {
+ name: "reject redirection enabled in proxy, backend server sending 301 response",
+ rejectForwardingRedirects: true,
+ serverStatusCode: 301,
+ expectStatusCode: 502,
+ expectBody: []byte(`the backend attempted to redirect this request, which is not permitted`),
+ },
+ {
+ name: "reject redirection disabled in proxy, backend server sending 200 response",
+ rejectForwardingRedirects: false,
+ serverStatusCode: 200,
+ expectStatusCode: 200,
+ expectBody: originalBody,
+ },
+ {
+ name: "reject redirection disabled in proxy, backend server sending 301 response",
+ rejectForwardingRedirects: false,
+ serverStatusCode: 301,
+ expectStatusCode: 301,
+ expectBody: originalBody,
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ // Set up a backend server
+ backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.WriteHeader(tc.serverStatusCode)
+ w.Write(originalBody)
+ }))
+ defer backendServer.Close()
+ backendServerURL, _ := url.Parse(backendServer.URL)
+
+ // Set up a proxy pointing to the backend
+ proxyHandler := NewUpgradeAwareHandler(backendServerURL, nil, false, false, &fakeResponder{t: t})
+ proxyHandler.RejectForwardingRedirects = tc.rejectForwardingRedirects
+ proxy := httptest.NewServer(proxyHandler)
+ defer proxy.Close()
+ proxyURL, _ := url.Parse(proxy.URL)
+
+ conn, err := net.Dial("tcp", proxyURL.Host)
+ require.NoError(t, err)
+ bufferedReader := bufio.NewReader(conn)
+
+ req, _ := http.NewRequest("GET", proxyURL.String(), nil)
+ require.NoError(t, req.Write(conn))
+ // Verify we get the correct response and message body content
+ resp, err := http.ReadResponse(bufferedReader, nil)
+ require.NoError(t, err)
+ assert.Equal(t, tc.expectStatusCode, resp.StatusCode)
+ data, err := ioutil.ReadAll(resp.Body)
+ require.NoError(t, err)
+ assert.Equal(t, tc.expectBody, data)
+ assert.Equal(t, int64(len(tc.expectBody)), resp.ContentLength)
+ resp.Body.Close()
+
+ // clean up
+ conn.Close()
+ })
+ }
+}
+
func TestDefaultProxyTransport(t *testing.T) {
tests := []struct {
name,
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
index e945fb48..133887e1 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
@@ -87,6 +87,8 @@ type ExtraConfig struct {
// Mechanism by which the Aggregator will resolve services. Required.
ServiceResolver ServiceResolver
+
+ RejectForwardingRedirects bool
}
// Config represents the configuration needed to create an APIAggregator.
@@ -156,6 +158,9 @@ type APIAggregator struct {
// egressSelector selects the proper egress dialer to communicate with the custom apiserver
// overwrites proxyTransport dialer if not nil
egressSelector *egressselector.EgressSelector
+
+ // rejectForwardingRedirects is whether to allow to forward redirect response
+ rejectForwardingRedirects bool
}
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
@@ -213,6 +218,7 @@ func (c completedConfig) NewWithDelegate(delegationTarget genericapiserver.Deleg
openAPIV3Config: c.GenericConfig.OpenAPIV3Config,
egressSelector: c.GenericConfig.EgressSelector,
proxyCurrentCertKeyContent: func() (bytes []byte, bytes2 []byte) { return nil, nil },
+ rejectForwardingRedirects: c.ExtraConfig.RejectForwardingRedirects,
}
// used later to filter the served resource by those that have expired.
@@ -443,6 +449,7 @@ func (s *APIAggregator) AddAPIService(apiService *v1.APIService) error {
proxyTransport: s.proxyTransport,
serviceResolver: s.serviceResolver,
egressSelector: s.egressSelector,
+ rejectForwardingRedirects: s.rejectForwardingRedirects,
}
proxyHandler.updateAPIService(apiService)
if s.openAPIAggregationController != nil {
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go
index 3a880b6b..e1282f2a 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go
@@ -68,6 +68,9 @@ type proxyHandler struct {
// egressSelector selects the proper egress dialer to communicate with the custom apiserver
// overwrites proxyTransport dialer if not nil
egressSelector *egressselector.EgressSelector
+
+ // reject to forward redirect response
+ rejectForwardingRedirects bool
}
type proxyHandlingInfo struct {
@@ -172,6 +175,9 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
}
handler := proxy.NewUpgradeAwareHandler(location, proxyRoundTripper, true, upgrade, &responder{w: w})
+ if r.rejectForwardingRedirects {
+ handler.RejectForwardingRedirects = true
+ }
utilflowcontrol.RequestDelegated(req.Context())
handler.ServeHTTP(w, newReq)
}
--
2.25.1


@ -0,0 +1,439 @@
From 604ad21799c43d87456cc76d3e591487de0a5152 Mon Sep 17 00:00:00 2001
From: Craig Ingram <cjingram@google.com>
Date: Fri, 24 Feb 2023 15:24:49 -0500
Subject: [PATCH] Return error for localhost seccomp type with no localhost
profile defined
---
pkg/kubelet/kuberuntime/helpers.go | 60 +++++-----
pkg/kubelet/kuberuntime/helpers_test.go | 120 +++++++++++++-------
pkg/kubelet/kuberuntime/security_context.go | 11 +-
3 files changed, 121 insertions(+), 70 deletions(-)
diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
index 9343b78335a..14ed0dd3bfb 100644
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@@ -210,32 +210,36 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim
return &kubecontainer.RuntimeStatus{Conditions: conditions}
}
-func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) string {
+func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (string, error) {
if scmp == nil {
if fallbackToRuntimeDefault {
- return v1.SeccompProfileRuntimeDefault
+ return v1.SeccompProfileRuntimeDefault, nil
}
- return ""
+ return "", nil
}
if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
- return v1.SeccompProfileRuntimeDefault
+ return v1.SeccompProfileRuntimeDefault, nil
}
- if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
- fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
- return v1.SeccompLocalhostProfileNamePrefix + fname
+ if scmp.Type == v1.SeccompProfileTypeLocalhost {
+ if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
+ fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
+ return v1.SeccompLocalhostProfileNamePrefix + fname, nil
+ } else {
+ return "", fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
+ }
}
if scmp.Type == v1.SeccompProfileTypeUnconfined {
- return v1.SeccompProfileNameUnconfined
+ return v1.SeccompProfileNameUnconfined, nil
}
if fallbackToRuntimeDefault {
- return v1.SeccompProfileRuntimeDefault
+ return v1.SeccompProfileRuntimeDefault, nil
}
- return ""
+ return "", nil
}
func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string]string, containerName string,
- podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) string {
+ podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (string, error) {
// container fields are applied first
if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
return fieldProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
@@ -247,42 +251,46 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string
}
if fallbackToRuntimeDefault {
- return v1.SeccompProfileRuntimeDefault
+ return v1.SeccompProfileRuntimeDefault, nil
}
- return ""
+ return "", nil
}
-func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile {
+func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
if scmp == nil {
if fallbackToRuntimeDefault {
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
- }
+ }, nil
}
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Unconfined,
- }
+ }, nil
}
if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
- }
+ }, nil
}
- if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
- fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
- return &runtimeapi.SecurityProfile{
- ProfileType: runtimeapi.SecurityProfile_Localhost,
- LocalhostRef: fname,
+ if scmp.Type == v1.SeccompProfileTypeLocalhost {
+ if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
+ fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
+ return &runtimeapi.SecurityProfile{
+ ProfileType: runtimeapi.SecurityProfile_Localhost,
+ LocalhostRef: fname,
+ }, nil
+ } else {
+ return nil, fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
}
}
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Unconfined,
- }
+ }, nil
}
func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]string, containerName string,
- podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile {
+ podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
// container fields are applied first
if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
return fieldSeccompProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
@@ -296,10 +304,10 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str
if fallbackToRuntimeDefault {
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
- }
+ }, nil
}
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Unconfined,
- }
+ }, nil
}
diff --git a/pkg/kubelet/kuberuntime/helpers_test.go b/pkg/kubelet/kuberuntime/helpers_test.go
index 83a8da8793a..5fbe640b44a 100644
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
@@ -242,17 +242,18 @@ func TestFieldProfile(t *testing.T) {
scmpProfile *v1.SeccompProfile
rootPath string
expectedProfile string
+ expectedError string
}{
{
description: "no seccompProfile should return empty",
expectedProfile: "",
},
{
- description: "type localhost without profile should return empty",
+ description: "type localhost without profile should return error",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
},
- expectedProfile: "",
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "unknown type should return empty",
@@ -279,7 +280,7 @@ func TestFieldProfile(t *testing.T) {
description: "SeccompProfileTypeLocalhost should return localhost",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
- LocalhostProfile: utilpointer.StringPtr("profile.json"),
+ LocalhostProfile: utilpointer.String("profile.json"),
},
rootPath: "/test/",
expectedProfile: "localhost//test/profile.json",
@@ -287,8 +288,13 @@ func TestFieldProfile(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := fieldProfile(test.scmpProfile, test.rootPath, false)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, false)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -298,17 +304,18 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
scmpProfile *v1.SeccompProfile
rootPath string
expectedProfile string
+ expectedError string
}{
{
description: "no seccompProfile should return runtime/default",
expectedProfile: v1.SeccompProfileRuntimeDefault,
},
{
- description: "type localhost without profile should return runtime/default",
+ description: "type localhost without profile should return error",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
},
- expectedProfile: v1.SeccompProfileRuntimeDefault,
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "unknown type should return runtime/default",
@@ -335,7 +342,7 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
description: "SeccompProfileTypeLocalhost should return localhost",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
- LocalhostProfile: utilpointer.StringPtr("profile.json"),
+ LocalhostProfile: utilpointer.String("profile.json"),
},
rootPath: "/test/",
expectedProfile: "localhost//test/profile.json",
@@ -343,8 +350,13 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := fieldProfile(test.scmpProfile, test.rootPath, true)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, true)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -359,6 +371,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
containerSc *v1.SecurityContext
containerName string
expectedProfile string
+ expectedError string
}{
{
description: "no seccomp should return empty",
@@ -395,14 +408,14 @@ func TestGetSeccompProfilePath(t *testing.T) {
expectedProfile: seccompLocalhostPath("filename"),
},
{
- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: "",
+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: "",
+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
@@ -418,8 +431,13 @@ func TestGetSeccompProfilePath(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -434,6 +452,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
containerSc *v1.SecurityContext
containerName string
expectedProfile string
+ expectedError string
}{
{
description: "no seccomp should return runtime/default",
@@ -470,14 +489,14 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
expectedProfile: seccompLocalhostPath("filename"),
},
{
- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: v1.SeccompProfileRuntimeDefault,
+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: v1.SeccompProfileRuntimeDefault,
+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
@@ -493,8 +512,13 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -517,6 +541,7 @@ func TestGetSeccompProfile(t *testing.T) {
containerSc *v1.SecurityContext
containerName string
expectedProfile *runtimeapi.SecurityProfile
+ expectedError string
}{
{
description: "no seccomp should return unconfined",
@@ -551,14 +576,14 @@ func TestGetSeccompProfile(t *testing.T) {
},
},
{
- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: unconfinedProfile,
+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: unconfinedProfile,
+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
@@ -587,8 +612,13 @@ func TestGetSeccompProfile(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, false)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, false)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -611,6 +641,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
containerSc *v1.SecurityContext
containerName string
expectedProfile *runtimeapi.SecurityProfile
+ expectedError string
}{
{
description: "no seccomp should return RuntimeDefault",
@@ -645,14 +676,14 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
},
},
{
- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: unconfinedProfile,
+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: unconfinedProfile,
+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
@@ -681,8 +712,13 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, true)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, true)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
index 5e6f05b4e18..d933a710424 100644
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@@ -37,9 +37,16 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
// TODO: Deprecated, remove after we switch to Seccomp field
// set SeccompProfilePath.
- synthesized.SeccompProfilePath = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
+ var err error
+ synthesized.SeccompProfilePath, err = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
+ if err != nil {
+ return nil, err
+ }
- synthesized.Seccomp = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
+ synthesized.Seccomp, err = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
+ if err != nil {
+ return nil, err
+ }
// set ApparmorProfile.
synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name)
--
2.25.1


@ -1,859 +0,0 @@
From 73174f870735251e7d4240cdc36983d1bef7db5f Mon Sep 17 00:00:00 2001
From: Craig Ingram <cjingram@google.com>
Date: Fri, 24 Feb 2023 15:24:49 -0500
Subject: [PATCH] Return error for localhost seccomp type with no localhost
profile defined
---
pkg/kubelet/kuberuntime/helpers.go | 66 ++--
pkg/kubelet/kuberuntime/helpers_test.go | 350 ++++--------------
.../kuberuntime_container_linux.go | 16 +-
.../kuberuntime_container_linux_test.go | 22 +-
pkg/kubelet/kuberuntime/security_context.go | 15 +-
5 files changed, 153 insertions(+), 316 deletions(-)
diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
index de289836a8b..6138fc958d7 100644
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@@ -210,28 +210,32 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim
return &kubecontainer.RuntimeStatus{Conditions: conditions}
}
-func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) string {
+func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (string, error) {
if scmp == nil {
if fallbackToRuntimeDefault {
- return v1.SeccompProfileRuntimeDefault
+ return v1.SeccompProfileRuntimeDefault, nil
}
- return ""
+ return "", nil
}
if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
- return v1.SeccompProfileRuntimeDefault
- }
- if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
- fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
- return v1.SeccompLocalhostProfileNamePrefix + fname
+ return v1.SeccompProfileRuntimeDefault, nil
+ }
+ if scmp.Type == v1.SeccompProfileTypeLocalhost {
+ if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
+ fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
+ return v1.SeccompLocalhostProfileNamePrefix + fname, nil
+ } else {
+ return "", fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
+ }
}
if scmp.Type == v1.SeccompProfileTypeUnconfined {
- return v1.SeccompProfileNameUnconfined
+ return v1.SeccompProfileNameUnconfined, nil
}
if fallbackToRuntimeDefault {
- return v1.SeccompProfileRuntimeDefault
+ return v1.SeccompProfileRuntimeDefault, nil
}
- return ""
+ return "", nil
}
func annotationProfile(profile, profileRootPath string) string {
@@ -244,7 +248,7 @@ func annotationProfile(profile, profileRootPath string) string {
}
func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string]string, containerName string,
- podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) string {
+ podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (string, error) {
// container fields are applied first
if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
return fieldProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
@@ -253,7 +257,7 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string
// if container field does not exist, try container annotation (deprecated)
if containerName != "" {
if profile, ok := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]; ok {
- return annotationProfile(profile, m.seccompProfileRoot)
+ return annotationProfile(profile, m.seccompProfileRoot), nil
}
}
@@ -264,46 +268,50 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string
// as last resort, try to apply pod annotation (deprecated)
if profile, ok := annotations[v1.SeccompPodAnnotationKey]; ok {
- return annotationProfile(profile, m.seccompProfileRoot)
+ return annotationProfile(profile, m.seccompProfileRoot), nil
}
if fallbackToRuntimeDefault {
- return v1.SeccompProfileRuntimeDefault
+ return v1.SeccompProfileRuntimeDefault, nil
}
- return ""
+ return "", nil
}
-func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile {
+func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
if scmp == nil {
if fallbackToRuntimeDefault {
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
- }
+ }, nil
}
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Unconfined,
- }
+ }, nil
}
if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
- }
+ }, nil
}
- if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
- fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
- return &runtimeapi.SecurityProfile{
- ProfileType: runtimeapi.SecurityProfile_Localhost,
- LocalhostRef: fname,
+ if scmp.Type == v1.SeccompProfileTypeLocalhost {
+ if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
+ fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
+ return &runtimeapi.SecurityProfile{
+ ProfileType: runtimeapi.SecurityProfile_Localhost,
+ LocalhostRef: fname,
+ }, nil
+ } else {
+ return nil, fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
}
}
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Unconfined,
- }
+ }, nil
}
func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]string, containerName string,
- podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile {
+ podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
// container fields are applied first
if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
return fieldSeccompProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
@@ -317,12 +325,12 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str
if fallbackToRuntimeDefault {
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
- }
+ }, nil
}
return &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Unconfined,
- }
+ }, nil
}
func ipcNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
diff --git a/pkg/kubelet/kuberuntime/helpers_test.go b/pkg/kubelet/kuberuntime/helpers_test.go
index 25065f30411..70ad7250ce2 100644
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
@@ -242,17 +242,18 @@ func TestFieldProfile(t *testing.T) {
scmpProfile *v1.SeccompProfile
rootPath string
expectedProfile string
+ expectedError string
}{
{
description: "no seccompProfile should return empty",
expectedProfile: "",
},
{
- description: "type localhost without profile should return empty",
+ description: "type localhost without profile should return error",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
},
- expectedProfile: "",
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "unknown type should return empty",
@@ -279,7 +280,7 @@ func TestFieldProfile(t *testing.T) {
description: "SeccompProfileTypeLocalhost should return localhost",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
- LocalhostProfile: utilpointer.StringPtr("profile.json"),
+ LocalhostProfile: utilpointer.String("profile.json"),
},
rootPath: "/test/",
expectedProfile: "localhost//test/profile.json",
@@ -287,8 +288,13 @@ func TestFieldProfile(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := fieldProfile(test.scmpProfile, test.rootPath, false)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, false)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -298,17 +304,18 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
scmpProfile *v1.SeccompProfile
rootPath string
expectedProfile string
+ expectedError string
}{
{
description: "no seccompProfile should return runtime/default",
expectedProfile: v1.SeccompProfileRuntimeDefault,
},
{
- description: "type localhost without profile should return runtime/default",
+ description: "type localhost without profile should return error",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
},
- expectedProfile: v1.SeccompProfileRuntimeDefault,
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "unknown type should return runtime/default",
@@ -335,7 +342,7 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
description: "SeccompProfileTypeLocalhost should return localhost",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
- LocalhostProfile: utilpointer.StringPtr("profile.json"),
+ LocalhostProfile: utilpointer.String("profile.json"),
},
rootPath: "/test/",
expectedProfile: "localhost//test/profile.json",
@@ -343,8 +350,13 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := fieldProfile(test.scmpProfile, test.rootPath, true)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, true)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -359,6 +371,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
containerSc *v1.SecurityContext
containerName string
expectedProfile string
+ expectedError string
}{
{
description: "no seccomp should return empty",
@@ -369,91 +382,6 @@ func TestGetSeccompProfilePath(t *testing.T) {
containerName: "container1",
expectedProfile: "",
},
- {
- description: "annotations: pod runtime/default seccomp profile should return runtime/default",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
- },
- expectedProfile: "runtime/default",
- },
- {
- description: "annotations: pod docker/default seccomp profile should return docker/default",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
- },
- expectedProfile: "docker/default",
- },
- {
- description: "annotations: pod runtime/default seccomp profile with containerName should return runtime/default",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
- },
- containerName: "container1",
- expectedProfile: "runtime/default",
- },
- {
- description: "annotations: pod docker/default seccomp profile with containerName should return docker/default",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
- },
- containerName: "container1",
- expectedProfile: "docker/default",
- },
- {
- description: "annotations: pod unconfined seccomp profile should return unconfined",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
- },
- expectedProfile: "unconfined",
- },
- {
- description: "annotations: pod unconfined seccomp profile with containerName should return unconfined",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
- },
- containerName: "container1",
- expectedProfile: "unconfined",
- },
- {
- description: "annotations: pod localhost seccomp profile should return local profile path",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
- },
- expectedProfile: seccompLocalhostPath("chmod.json"),
- },
- {
- description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("chmod.json"),
- },
- {
- description: "annotations: container localhost seccomp profile with containerName should return local profile path",
- annotation: map[string]string{
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("chmod.json"),
- },
- {
- description: "annotations: container localhost seccomp profile should override pod profile",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("chmod.json"),
- },
- {
- description: "annotations: container localhost seccomp profile with unmatched containerName should return empty",
- annotation: map[string]string{
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
- },
- containerName: "container2",
- expectedProfile: "",
- },
{
description: "pod seccomp profile set to unconfined returns unconfined",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
@@ -480,14 +408,14 @@ func TestGetSeccompProfilePath(t *testing.T) {
expectedProfile: seccompLocalhostPath("filename"),
},
{
- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: "",
+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: "",
+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
@@ -500,41 +428,16 @@ func TestGetSeccompProfilePath(t *testing.T) {
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
expectedProfile: "runtime/default",
},
- {
- description: "prioritise container field over container annotation, pod field and pod annotation",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-cont-profile.json")}},
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
- },
- {
- description: "prioritise container annotation over pod field",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
- },
- {
- description: "prioritise pod field over pod annotation",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
- },
}
for i, test := range tests {
- seccompProfile := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -549,6 +452,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
containerSc *v1.SecurityContext
containerName string
expectedProfile string
+ expectedError string
}{
{
description: "no seccomp should return runtime/default",
@@ -559,91 +463,6 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
containerName: "container1",
expectedProfile: v1.SeccompProfileRuntimeDefault,
},
- {
- description: "annotations: pod runtime/default seccomp profile should return runtime/default",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
- },
- expectedProfile: v1.SeccompProfileRuntimeDefault,
- },
- {
- description: "annotations: pod docker/default seccomp profile should return docker/default",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
- },
- expectedProfile: "docker/default",
- },
- {
- description: "annotations: pod runtime/default seccomp profile with containerName should return runtime/default",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
- },
- containerName: "container1",
- expectedProfile: v1.SeccompProfileRuntimeDefault,
- },
- {
- description: "annotations: pod docker/default seccomp profile with containerName should return docker/default",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
- },
- containerName: "container1",
- expectedProfile: "docker/default",
- },
- {
- description: "annotations: pod unconfined seccomp profile should return unconfined",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
- },
- expectedProfile: "unconfined",
- },
- {
- description: "annotations: pod unconfined seccomp profile with containerName should return unconfined",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
- },
- containerName: "container1",
- expectedProfile: "unconfined",
- },
- {
- description: "annotations: pod localhost seccomp profile should return local profile path",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
- },
- expectedProfile: seccompLocalhostPath("chmod.json"),
- },
- {
- description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("chmod.json"),
- },
- {
- description: "annotations: container localhost seccomp profile with containerName should return local profile path",
- annotation: map[string]string{
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("chmod.json"),
- },
- {
- description: "annotations: container localhost seccomp profile should override pod profile",
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("chmod.json"),
- },
- {
- description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default",
- annotation: map[string]string{
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
- },
- containerName: "container2",
- expectedProfile: v1.SeccompProfileRuntimeDefault,
- },
{
description: "pod seccomp profile set to unconfined returns unconfined",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
@@ -670,14 +489,14 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
expectedProfile: seccompLocalhostPath("filename"),
},
{
- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: v1.SeccompProfileRuntimeDefault,
+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: v1.SeccompProfileRuntimeDefault,
+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
@@ -690,41 +509,16 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
expectedProfile: "runtime/default",
},
- {
- description: "prioritise container field over container annotation, pod field and pod annotation",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-cont-profile.json")}},
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
- },
- {
- description: "prioritise container annotation over pod field",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
- },
- {
- description: "prioritise pod field over pod annotation",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
- annotation: map[string]string{
- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
- },
- containerName: "container1",
- expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
- },
}
for i, test := range tests {
- seccompProfile := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
@@ -747,6 +541,7 @@ func TestGetSeccompProfile(t *testing.T) {
containerSc *v1.SecurityContext
containerName string
expectedProfile *runtimeapi.SecurityProfile
+ expectedError string
}{
{
description: "no seccomp should return unconfined",
@@ -781,14 +576,14 @@ func TestGetSeccompProfile(t *testing.T) {
},
},
{
- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: unconfinedProfile,
+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: unconfinedProfile,
+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
@@ -817,8 +612,13 @@ func TestGetSeccompProfile(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, false)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, false)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
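Review bot: In the error branch the loop only checks the message and never asserts that `seccompProfile` is nil, so a regression that returned both an error and a usable profile would still pass, even though the point of this fix is to fail closed. I would add `assert.Nil(t, seccompProfile, "TestCase[%d]: %s", i, test.description)` right after the `assert.EqualError` call. The same gap exists in the identical loop of TestGetSeccompProfileDefaultSeccomp further down in this patch. The enclosing TestGetSeccompProfile starts outside the hunk.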
@@ -841,6 +641,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
containerSc *v1.SecurityContext
containerName string
expectedProfile *runtimeapi.SecurityProfile
+ expectedError string
}{
{
description: "no seccomp should return RuntimeDefault",
@@ -875,14 +676,14 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
},
},
{
- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: unconfinedProfile,
+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
- expectedProfile: unconfinedProfile,
+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
@@ -911,8 +712,13 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
}
for i, test := range tests {
- seccompProfile := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, true)
- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ seccompProfile, err := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, true)
+ if test.expectedError != "" {
+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
+ } else {
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
+ }
}
}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go b/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
index 25917803b1c..1e9a2377b51 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
@@ -45,15 +45,23 @@ func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config
libcontainercgroups.IsCgroup2UnifiedMode() {
enforceMemoryQoS = true
}
- config.Linux = m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
+ cl, err := m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
+ if err != nil {
+ return err
+ }
+ config.Linux = cl
return nil
}
// generateLinuxContainerConfig generates linux container config for kubelet runtime v1.
-func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) *runtimeapi.LinuxContainerConfig {
+func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) (*runtimeapi.LinuxContainerConfig, error) {
+ sc, err := m.determineEffectiveSecurityContext(pod, container, uid, username)
+ if err != nil {
+ return nil, err
+ }
lc := &runtimeapi.LinuxContainerConfig{
Resources: &runtimeapi.LinuxContainerResources{},
- SecurityContext: m.determineEffectiveSecurityContext(pod, container, uid, username),
+ SecurityContext: sc,
}
if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER {
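Review bot: The doc comment on generateLinuxContainerConfig was not updated for the new error return, so a reader of the signature does not learn when the call can fail or that no config is produced in that case. I would extend it to `// generateLinuxContainerConfig generates linux container config for kubelet runtime v1. It returns an error, and no config, when the effective security context cannot be determined (per the test changes in this patch, a Localhost seccomp type without a localhostProfile).` Both applyPlatformSpecificContainerConfig and generateLinuxContainerConfig continue outside the hunk.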
@@ -124,7 +132,7 @@ func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.C
}
}
- return lc
+ return lc, nil
}
// calculateLinuxResources will create the linuxContainerResources type based on the provided CPU and memory resource requests, limits
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
index 29d0bbfc9b4..838ecf8c6f5 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
@@ -47,6 +47,8 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
restartCountUint32 := uint32(restartCount)
envs := make([]*runtimeapi.KeyValue, len(opts.Envs))
+ l, _ := m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS)
+
expectedConfig := &runtimeapi.ContainerConfig{
Metadata: &runtimeapi.ContainerMetadata{
Name: container.Name,
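Review bot: `l, _ := m.generateLinuxContainerConfig(...)` discards the error the function now returns, so a failure inside the helper silently yields an expected config with `Linux: nil` and the comparison in the calling test then fails with an opaque diff instead of the real cause. The helper's signature is cut off in the hunk header, so I cannot see whether a `*testing.T` is available; if it is, use `l, err := m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS)` followed by `assert.NoError(t, err)`, otherwise at least mark the discard with `// error ignored: the comparing test checks the same call for errors — TODO confirm`. makeExpectedConfig continues outside the hunk.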
@@ -64,7 +66,7 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
Stdin: container.Stdin,
StdinOnce: container.StdinOnce,
Tty: container.TTY,
- Linux: m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS),
+ Linux: l,
Envs: envs,
}
return expectedConfig
@@ -215,7 +217,8 @@ func TestGenerateLinuxContainerConfigResources(t *testing.T) {
},
}
- linuxConfig := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
+ linuxConfig, err := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
+ assert.NoError(t, err)
assert.Equal(t, test.expected.CpuPeriod, linuxConfig.GetResources().CpuPeriod, test.name)
assert.Equal(t, test.expected.CpuQuota, linuxConfig.GetResources().CpuQuota, test.name)
assert.Equal(t, test.expected.CpuShares, linuxConfig.GetResources().CpuShares, test.name)
@@ -329,6 +332,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
memoryLow int64
memoryHigh int64
}
+ l1, _ := m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true)
+ l2, _ := m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true)
tests := []struct {
name string
pod *v1.Pod
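Review bot: `l1, _ :=` and `l2, _ :=` drop the error that generateLinuxContainerConfig now returns although `t` is in scope in this test, so a failure here produces a nil expected config and the later `assert.Equal` reports a confusing diff rather than the error. Change the first to `l1, err := m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true)` followed by `assert.NoError(t, err)`, and do the same for `l2` (with `=` if `err` is already declared earlier in the function). The rest of TestGenerateContainerConfigWithMemoryQoSEnforced lies outside the hunk.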
@@ -338,7 +343,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
name: "Request128MBLimit256MB",
pod: pod1,
expected: &expectedResult{
- m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true),
+ l1,
128 * 1024 * 1024,
int64(float64(256*1024*1024) * m.memoryThrottlingFactor),
},
@@ -347,7 +352,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
name: "Request128MBWithoutLimit",
pod: pod2,
expected: &expectedResult{
- m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true),
+ l2,
128 * 1024 * 1024,
int64(pod2MemoryHigh),
},
@@ -355,7 +360,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
}
for _, test := range tests {
- linuxConfig := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
+ linuxConfig, err := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
+ assert.NoError(t, err)
assert.Equal(t, test.expected.containerConfig, linuxConfig, test.name)
assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.min"], strconv.FormatInt(test.expected.memoryLow, 10), test.name)
assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.high"], strconv.FormatInt(test.expected.memoryHigh, 10), test.name)
@@ -578,7 +584,8 @@ func TestGenerateLinuxContainerConfigNamespaces(t *testing.T) {
},
} {
t.Run(tc.name, func(t *testing.T) {
- got := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
+ got, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
+ assert.NoError(t, err)
if diff := cmp.Diff(tc.want, got.SecurityContext.NamespaceOptions); diff != "" {
t.Errorf("%v: diff (-want +got):\n%v", t.Name(), diff)
}
@@ -669,7 +676,8 @@ func TestGenerateLinuxContainerConfigSwap(t *testing.T) {
} {
t.Run(tc.name, func(t *testing.T) {
m.memorySwapBehavior = tc.swapSetting
- actual := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
+ actual, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
+ assert.NoError(t, err)
assert.Equal(t, tc.expected, actual.Resources.MemorySwapLimitInBytes, "memory swap config for %s", tc.name)
})
}
diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
index c9d33e44305..3b575c8e974 100644
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@@ -24,7 +24,7 @@ import (
)
// determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container.
-func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) *runtimeapi.LinuxContainerSecurityContext {
+func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) {
effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
synthesized := convertToRuntimeSecurityContext(effectiveSc)
if synthesized == nil {
@@ -36,9 +36,16 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
// TODO: Deprecated, remove after we switch to Seccomp field
// set SeccompProfilePath.
- synthesized.SeccompProfilePath = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
+ var err error
+ synthesized.SeccompProfilePath, err = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
+ if err != nil {
+ return nil, err
+ }
- synthesized.Seccomp = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
+ synthesized.Seccomp, err = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
+ if err != nil {
+ return nil, err
+ }
// set ApparmorProfile.
synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name)
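Review bot: The two new early returns turn a seccomp profile that cannot be resolved into a hard failure of container creation instead of the silent fall-through to an unconfined profile that the replaced test expectations show, and nothing in the hunk records that this is deliberate, which invites someone to "soften" it later. I would add above `var err error`: `// Fail closed: if the seccomp profile cannot be resolved (e.g. Localhost type without a localhostProfile) abort container creation rather than degrade to unconfined.` The `if synthesized == nil` early return just above this hunk also has to become `return nil, nil` for the new signature; it sits outside the visible lines, so confirm it was updated. determineEffectiveSecurityContext continues outside the hunk.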
@@ -74,7 +81,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount)
synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount)
- return synthesized
+ return synthesized, nil
}
// convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext.
--
2.25.1


@ -1,4 +1,4 @@
From 78d552efe620879599509ff0f9b04b8764e1878f Mon Sep 17 00:00:00 2001
From f85027fcc12d02f79a0649115bdbaf7c9d8aab17 Mon Sep 17 00:00:00 2001
From: Andrew Sy Kim <andrewsy@google.com>
Date: Mon, 7 Nov 2022 10:22:44 -0500
Subject: [PATCH] fix node address validation


@ -1,4 +1,4 @@
From f754a4dee31455a0d7fc0f51cb85348af9ea5e1f Mon Sep 17 00:00:00 2001
From 8781d503a08ff8a1a29179c80252470ac77b3bd5 Mon Sep 17 00:00:00 2001
From: Rita Zhang <rita.z.zhang@gmail.com>
Date: Tue, 30 May 2023 20:35:33 +0000
Subject: [PATCH] Add ephemeralcontainer to imagepolicy securityaccount
@ -334,10 +334,10 @@ index d1f81d51950..a9188462fb9 100644
err = wh.Validate(context.TODO(), attr, nil)
if tt.wantAllowed {
diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go
index 035d54ea8ea..f6e25f3c19d 100644
index 769a115aef5..c844a051c24 100644
--- a/plugin/pkg/admission/serviceaccount/admission.go
+++ b/plugin/pkg/admission/serviceaccount/admission.go
@@ -100,7 +100,7 @@ var _ = genericadmissioninitializer.WantsExternalKubeInformerFactory(&Plugin{})
@@ -99,7 +99,7 @@ var _ = genericadmissioninitializer.WantsExternalKubeInformerFactory(&Plugin{})
// 5. If MountServiceAccountToken is true, it adds a VolumeMount with the pod's ServiceAccount's api token secret to containers
func NewServiceAccount() *Plugin {
return &Plugin{
@ -346,7 +346,7 @@ index 035d54ea8ea..f6e25f3c19d 100644
// TODO: enable this once we've swept secret usage to account for adding secret references to service accounts
LimitSecretReferences: false,
// Auto mount service account API token secrets
@@ -140,7 +140,10 @@ func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
@@ -139,7 +139,10 @@ func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
if shouldIgnore(a) {
return nil
}
@ -358,7 +358,7 @@ index 035d54ea8ea..f6e25f3c19d 100644
pod := a.GetObject().(*api.Pod)
// Don't modify the spec of mirror pods.
@@ -157,7 +160,7 @@ func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
@@ -156,7 +159,7 @@ func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
serviceAccount, err := s.getServiceAccount(a.GetNamespace(), pod.Spec.ServiceAccountName)
if err != nil {
@ -367,7 +367,7 @@ index 035d54ea8ea..f6e25f3c19d 100644
}
if s.MountServiceAccountToken && shouldAutomount(serviceAccount, pod) {
s.mountServiceAccountToken(serviceAccount, pod)
@@ -180,6 +183,15 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
@@ -179,6 +182,15 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
pod := a.GetObject().(*api.Pod)
@ -383,7 +383,7 @@ index 035d54ea8ea..f6e25f3c19d 100644
// Mirror pods have restrictions on what they can reference
if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; isMirrorPod {
if len(pod.Spec.ServiceAccountName) != 0 {
@@ -205,6 +217,10 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
@@ -204,6 +216,10 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
return nil
}
@ -394,7 +394,7 @@ index 035d54ea8ea..f6e25f3c19d 100644
// Ensure the referenced service account exists
serviceAccount, err := s.getServiceAccount(a.GetNamespace(), pod.Spec.ServiceAccountName)
if err != nil {
@@ -221,10 +237,7 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
@@ -220,10 +236,7 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
}
func shouldIgnore(a admission.Attributes) bool {
@ -406,7 +406,7 @@ index 035d54ea8ea..f6e25f3c19d 100644
return true
}
obj := a.GetObject()
@@ -350,6 +363,36 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
@@ -349,6 +362,36 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
return nil
}
@ -444,10 +444,10 @@ index 035d54ea8ea..f6e25f3c19d 100644
// Find the volume and volume name for the ServiceAccountTokenSecret if it already exists
tokenVolumeName := ""
diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go
index ca43abf9c3f..f5359253985 100644
index d50f321a8be..bf15f870d75 100644
--- a/plugin/pkg/admission/serviceaccount/admission_test.go
+++ b/plugin/pkg/admission/serviceaccount/admission_test.go
@@ -545,6 +545,34 @@ func TestAllowsReferencedSecret(t *testing.T) {
@@ -544,6 +544,34 @@ func TestAllowsReferencedSecret(t *testing.T) {
if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
t.Errorf("Unexpected error: %v", err)
}
@ -482,7 +482,7 @@ index ca43abf9c3f..f5359253985 100644
}
func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
@@ -622,6 +650,66 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
@@ -621,6 +649,66 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
t.Errorf("Unexpected error: %v", err)
}


@ -2,12 +2,12 @@
%global _buildshell /bin/bash
Name: kubernetes
Version: 1.24.0
Release: 5
Version: 1.25.3
Release: 1
Summary: Container cluster management
License: ASL 2.0
URL: https://k8s.io/kubernetes
Source0: https://github.com/kubernetes/kubernetes/archive/v1.24.0.tar.gz
Source0: https://github.com/kubernetes/kubernetes/archive/v1.25.3.tar.gz
Source1: kube-proxy.service
Source2: kube-apiserver.service
Source3: kube-scheduler.service
@ -26,13 +26,11 @@ Source15: kubernetes.conf
Patch0001: 0001-fix-compile-options.patch
Patch0002: 0002-kubelet-support-exec-and-attach-websocket-protocol.patch
Patch0003: 0003-timeout-wait-backend-to-frontend-complete.patch
Patch0004: 0004-Add-an-option-for-aggregator.patch
Patch0005: 0005-Escape-terminal-special-characters-in-kubectl-112553.patch
Patch0006: 0006-Return-error-for-localhost-seccomp-type-with-no-loca.patch
Patch0007: 0007-Validate-etcd-paths.patch
Patch0008: 0008-fix-node-address-validation.patch
Patch0009: 0009-Add-ephemeralcontainer-to-imagepolicy-securityaccoun.patch
Patch0003: 0003-Escape-terminal-special-characters-in-kubectl-112553.patch
Patch0004: 0004-Return-error-for-localhost-seccomp-type-with-no-loca.patch
Patch0005: 0005-Validate-etcd-paths.patch
Patch0006: 0006-fix-node-address-validation.patch
Patch0007: 0007-Add-ephemeralcontainer-to-imagepolicy-securityaccoun.patch
%description
Container cluster management.
@ -264,6 +262,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
%systemd_postun kubelet kube-proxy
%changelog
* Fri Jul 21 2023 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.25.3-1
- Type:update
- CVE:NA
- SUG:NA
- DESC:update to 1.25.3
* Tue Jul 04 2023 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.24.0-5
- Type:bugfix
- CVE:NA
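Review bot: The new Patch list drops `0003-timeout-wait-backend-to-frontend-complete.patch` and `0004-Add-an-option-for-aggregator.patch` while the changelog entry only says `update to 1.25.3`; if they were dropped because the fixes landed upstream, record that in the DESC line, otherwise the behaviour they carried is silently lost on this rebase. The five retained patches look, by their names, like security backports (kubectl escape, seccomp localhost profile, etcd path validation, node address validation, ephemeral-container admission), so `CVE:NA` on the entry is worth double-checking against the advisories those backports address — the diff itself does not show the IDs. 1.25.3 is presumably not the newest 1.25.x release as of this commit date, so later upstream fixes may still be missing; a note on why this exact version was chosen would help.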
