4 changes: 3 additions & 1 deletion src/agent/samples/policy/yaml/configmap/pod-cm1.yaml


19 changes: 18 additions & 1 deletion src/agent/samples/policy/yaml/configmap/pod-cm2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/job/test-job.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/job/test-job2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-exec.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-lifecycle.yaml


6 changes: 4 additions & 2 deletions src/agent/samples/policy/yaml/pod/pod-one-container.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-spark.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/pod/pod-ubuntu.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/replica-set/replica2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/stateful-set/web.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/stateful-set/web2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod1.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod2.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod3.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod4.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod5.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod6.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook/webhook-pod7.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook2/webhook-pod8.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook2/webhook-pod9.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook3/dns-test.yaml


2 changes: 1 addition & 1 deletion src/agent/samples/policy/yaml/webhook3/many-layers.yaml


7 changes: 2 additions & 5 deletions src/tools/genpolicy/rules.rego
Expand Up @@ -468,11 +468,8 @@ allow_user(p_process, i_process) {
p_user := p_process.User
i_user := i_process.User

# TODO: track down the reason for mcr.microsoft.com/oss/bitnami/redis:6.0.8 being
# executed with uid = 0 despite having "User": "1001" in its container image
# config.
#print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
#p_user.UID == i_user.UID
print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
p_user.UID == i_user.UID

# TODO: track down the reason for registry.k8s.io/pause:3.9 being
# executed with gid = 0 despite having "65535:65535" in its container image
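Review bot: The `print` of the input and policy UIDs on the newly enabled line runs on every allow_user evaluation and sits directly in front of the enforcement line, where it reads like leftover debugging rather than part of the rule. Either drop it or label it so nobody mistakes it for a check, e.g. `# Debug aid: log both UIDs before they are compared.` The equality that follows covers only the UID; the GID stays unchecked per the TODO the hunk leaves in place below. allow_user continues past the end of the hunk.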
2 changes: 1 addition & 1 deletion src/tools/genpolicy/src/containerd.rs
Expand Up @@ -32,7 +32,7 @@ pub fn get_process(privileged_container: bool, common: &policy::CommonData) -> p
Env: Vec::new(),
Cwd: "/".to_string(),
Capabilities: capabilities,
NoNewPrivileges: true,
NoNewPrivileges: false,
}
}
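Review bot: `NoNewPrivileges: false` on the changed line is now the value every container keeps unless its securityContext sets allowPrivilegeEscalation, and nothing on the line says that the permissive default is deliberate. A short comment would stop a later reader from "hardening" it back to `true` and silently breaking containers that rely on the Kubernetes default, e.g. `// Kubernetes treats an unset allowPrivilegeEscalation as true, so no_new_privs stays off unless Container::get_process_fields overrides it from the securityContext.` The body of get_process starts outside the hunk.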

45 changes: 33 additions & 12 deletions src/tools/genpolicy/src/pod.rs
Expand Up @@ -88,6 +88,9 @@ pub struct PodSpec {

#[serde(skip_serializing_if = "Option::is_none")]
topologySpreadConstraints: Option<Vec<TopologySpreadConstraint>>,

#[serde(skip_serializing_if = "Option::is_none")]
securityContext: Option<PodSecurityContext>,
}

/// See Reference / Kubernetes API / Workload Resources / Pod.
Expand Down Expand Up @@ -224,7 +227,7 @@ struct Probe {

#[serde(skip_serializing_if = "Option::is_none")]
tcpSocket: Option<TCPSocketAction>,
// TODO: additional fiels.
// TODO: additional fields.
}

/// See Reference / Kubernetes API / Workload Resources / Pod.
Expand Down Expand Up @@ -252,7 +255,7 @@ struct HTTPGetAction {

#[serde(skip_serializing_if = "Option::is_none")]
httpHeaders: Option<Vec<HTTPHeader>>,
// TODO: additional fiels.
// TODO: additional fields.
}

/// See Reference / Kubernetes API / Workload Resources / Pod.
Expand Down Expand Up @@ -281,6 +284,14 @@ struct SecurityContext {
runAsUser: Option<i64>,
}

/// See Reference / Kubernetes API / Workload Resources / Pod.
#[derive(Clone, Debug, Serialize, Deserialize)]
struct PodSecurityContext {
#[serde(skip_serializing_if = "Option::is_none")]
runAsUser: Option<i64>,
// TODO: additional fields.
}

/// See Reference / Kubernetes API / Workload Resources / Pod.
#[derive(Clone, Debug, Serialize, Deserialize)]
struct Lifecycle {
Expand All @@ -296,7 +307,7 @@ struct Lifecycle {
struct LifecycleHandler {
#[serde(skip_serializing_if = "Option::is_none")]
exec: Option<ExecAction>,
// TODO: additional fiels.
// TODO: additional fields.
}

/// See Reference / Kubernetes API / Workload Resources / Pod.
Expand Down Expand Up @@ -585,15 +596,6 @@ impl Container {
false
}

pub fn allow_privilege_escalation(&self) -> bool {
if let Some(context) = &self.securityContext {
if let Some(allow) = context.allowPrivilegeEscalation {
return allow;
}
}
true
}

pub fn read_only_root_filesystem(&self) -> bool {
if let Some(context) = &self.securityContext {
if let Some(read_only) = context.readOnlyRootFilesystem {
Expand Down Expand Up @@ -849,6 +851,14 @@ impl yaml::K8sResource for Pod {
}
false
}

fn get_process_fields(&self, process: &mut policy::KataProcess) {
if let Some(context) = &self.spec.securityContext {
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
}
}
}

impl Container {
Expand Down Expand Up @@ -896,6 +906,17 @@ impl Container {
}
compress_default_capabilities(capabilities, defaults);
}

pub fn get_process_fields(&self, process: &mut policy::KataProcess) {
if let Some(context) = &self.securityContext {
if let Some(uid) = context.runAsUser {
process.User.UID = uid.try_into().unwrap();
}
if let Some(allow) = context.allowPrivilegeEscalation {
process.NoNewPrivileges = !allow

Does this compile with the missing semicolon? I'm guessing Rust considers this as a void expression?

Author


It does - even the make check below passed.

I would rather change this in a future PR, to avoid re-testing. I agree it looks odd, and it wasn't intentional. I forgot it in there because this code used to look a bit differently:

        process.NoNewPrivileges = if let Some(allow) = context.allowPrivilegeEscalation {
            !allow
        } else {
            // something else that we don't need here
        };

}
}
}
}

fn compress_default_capabilities(
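Review bot: `uid.try_into().unwrap()` in Container::get_process_fields, and the identical line in Pod::get_process_fields in the earlier hunk of this file, panic genpolicy on any runAsUser that does not fit the UID field's type: runAsUser is declared `Option<i64>` while the target is presumably unsigned, so a negative or oversized value in the input manifest aborts the tool with a bare unwrap message instead of a diagnosis naming the field. Neither method returns a Result, so at minimum state the invariant at both sites, `process.User.UID = uid.try_into().expect("securityContext.runAsUser must be a non-negative value that fits the UID type");`, or hoist the conversion into a helper that returns an error the caller can report. Both impl blocks begin outside their hunks.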
4 changes: 3 additions & 1 deletion src/tools/genpolicy/src/policy.rs
Expand Up @@ -606,8 +606,10 @@ impl AgentPolicy {

substitute_env_variables(&mut process.Env);
substitute_args_env_variables(&mut process.Args, &process.Env);

c_settings.get_process_fields(&mut process);
process.NoNewPrivileges = !yaml_container.allow_privilege_escalation();
resource.get_process_fields(&mut process);
yaml_container.get_process_fields(&mut process);

process
}
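Review bot: The order of the two get_process_fields calls is what makes a container-level runAsUser win over the pod-level one, but nothing in the hunk states that intent, so a later reordering would silently change which UID the policy expects. A one-line comment above the pair would pin it: `// Pod-level securityContext first, then the container's, which overrides it (Kubernetes precedence).` Since the unconditional NoNewPrivileges assignment was removed, the value now falls back to whatever get_process initialised when the container has no securityContext; that is worth a second line here so the dependency on the earlier default is visible. The enclosing method starts before the hunk.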
4 changes: 4 additions & 0 deletions src/tools/genpolicy/src/yaml.rs
Expand Up @@ -66,6 +66,10 @@ pub trait K8sResource {
fn get_annotations(&self) -> &Option<BTreeMap<String, String>>;
fn use_host_network(&self) -> bool;
fn use_sandbox_pidns(&self) -> bool;
fn get_process_fields(&self, _process: &mut policy::KataProcess) {
// Just Pods can have a PodSecurityContext field, so the other
// resources can use this default get_process_fields implementation.
}
}

/// See Reference / Kubernetes API / Common Definitions / LabelSelector.
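Review bot: The default get_process_fields body claims only Pods carry a PodSecurityContext, but every Kubernetes workload that embeds a pod template (Deployment, StatefulSet, ReplicaSet, Job, and so on) carries `spec.template.spec.securityContext`; if those K8sResource impls, which are not visible here, keep this no-op default, a pod-level runAsUser in such a manifest is silently ignored and the generated policy's expected UID will not match the process the runtime starts, so the now-enabled UID check in rules.rego would reject it. Either those impls need their own override that reads the template's securityContext, or the comment should say plainly that pod-level securityContext is unsupported for non-Pod resources. The K8sResource trait begins before the hunk.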