Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add validation for NoNewPrivs #141

Merged
merged 1 commit into from
Sep 23, 2017
Merged

Add validation for NoNewPrivs #141

merged 1 commit into from
Sep 23, 2017

Conversation

feiskyer
Copy link
Member

Part of #131.

@feiskyer feiskyer requested a review from mikebrow September 20, 2017 06:17
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 20, 2017
@feiskyer feiskyer requested a review from Random-Liu September 20, 2017 06:17
@Random-Liu Random-Liu mentioned this pull request Sep 20, 2017
Closed
2 tasks
@Random-Liu Random-Liu self-assigned this Sep 20, 2017
@Random-Liu
Copy link
Contributor

LGTM

@Random-Liu Random-Liu added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 21, 2017
mikebrow
mikebrow reviewed Sep 21, 2017
View reviewed changes
Copy link
Contributor

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment

pkg/validate/security_context.go Outdated
},
LogPath: fmt.Sprintf("%s.log", name),
}
if noNewPrivs != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand the nil test. The spec doesn't use *bool.. so nil isn't an option. Will be false or true.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is for testing the default behavior. Do you think we should remove this case?

pkg/validate/security_context.go Outdated
verifyLogContents(podConfig, fmt.Sprintf("%s.log", name), expectedLog)
}

It("should allow privilege escalation when not explicitly set and uid != 0", func() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same test as below below since unset isn't an option. If the CRI guys want unset let's see if it's not to late to change it to *bool.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mikebrow yep, default is equal to false.

Copy link
Contributor

@mikebrow mikebrow Sep 21, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So yeah, since it's not a *bool, nil isn't an option. Go is one of those languages where a bool starts out life as a false, an int starts with the value 0, a float 0.0 etc.. I'd just change the internal api parameter to a bool instead of *bool.. and remove the nil test..

Cheers!

@feiskyer feiskyer force-pushed the no-new-privs-validation branch from bc740dc to d59dc4c Compare September 21, 2017 06:31
@feiskyer
Copy link
Member Author

@mikebrow Addressed comments. PTAL.

mikebrow
mikebrow approved these changes Sep 21, 2017
View reviewed changes
Copy link
Contributor

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/LGTM just a simple build break to fix.

pkg/validate/security_context.go
By(fmt.Sprintf("create container %s", name))
containerConfig := &runtimeapi.ContainerConfig{
Metadata: framework.BuildContainerMetadata(name, framework.DefaultAttempt),
Image: &runtimeapi.ImageSpec{Image: noNewPrivsImage},
Copy link
Contributor

@mikebrow mikebrow Sep 21, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you either lost your noNewPrivsImage in a rebase or maybe while cut and pasting the constant to move it to this context?

But this looks good to me.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, lost in the rebase. Fixed.

@feiskyer feiskyer force-pushed the no-new-privs-validation branch from d59dc4c to b091a22 Compare September 21, 2017 07:52
@feiskyer feiskyer mentioned this pull request Sep 22, 2017
Closed
3 tasks
@feiskyer feiskyer added this to the v0.2 milestone Sep 22, 2017
@Random-Liu
Copy link
Contributor

Seems good to go? @feiskyer Feel free to merge it.

@feiskyer feiskyer merged commit 055ff3b into kubernetes-sigs:master Sep 23, 2017
@feiskyer feiskyer deleted the no-new-privs-validation branch September 23, 2017 11:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikebrow mikebrow mikebrow approved these changes

@Random-Liu Random-Liu Awaiting requested review from Random-Liu

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v0.2
Development

Successfully merging this pull request may close these issues.
4 participants
@feiskyer @Random-Liu @mikebrow @k8s-ci-robot