//go:build !remote

package kube

import (
	"fmt"
	"path/filepath"
	"strings"

	"github.com/containers/podman/v5/libpod"
	v1 "github.com/containers/podman/v5/pkg/k8s.io/api/core/v1"
)

// KubeSeccompPaths holds the seccomp configuration derived from a pod YAML:
// the per-container seccomp profile paths and the pod-wide fallback path.
//
//nolint:revive
type KubeSeccompPaths struct {
	// containerPaths maps a container name to its resolved seccomp profile path.
	containerPaths map[string]string
	// podPath is the pod-level seccomp profile path, used for every container
	// that has no entry in containerPaths.
	podPath string
}

// FindForContainer returns the seccomp profile path configured for ctrName.
// A container without a dedicated entry falls back to the pod-level path.
func (k *KubeSeccompPaths) FindForContainer(ctrName string) string {
	ctrPath, found := k.containerPaths[ctrName]
	if !found {
		return k.podPath
	}
	return ctrPath
}

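// InitializeSeccompPaths extracts the seccomp annotations from a pod's object
// metadata and resolves them into profile paths.
//
// Container-level annotations use the key
// v1.SeccompContainerAnnotationKeyPrefix + "<container name>"; the pod-level
// annotation uses v1.SeccompPodAnnotationKey. Every value goes through
// verifySeccompPath, so "localhost/<name>" resolves to profileRoot/<name>.
//
// When annotations is non-nil but has no pod-level annotation, the pod path
// falls back to libpod.DefaultSeccompPath(). A nil annotations map leaves the
// pod path empty, as before.
//
// It returns an error for a container annotation key that does not name a
// container (the bare prefix, with or without its trailing "/", or a key with
// extra "/" segments) and for any value verifySeccompPath rejects.
func InitializeSeccompPaths(annotations map[string]string, profileRoot string) (*KubeSeccompPaths, error) {
	seccompPaths := &KubeSeccompPaths{containerPaths: make(map[string]string)}
	if annotations == nil {
		return seccompPaths, nil
	}

	for annKey, seccomp := range annotations {
		// Only keys prefixed with container.seccomp.security.alpha.kubernetes.io/ matter.
		prefix, ctrName, found := strings.Cut(annKey, "/")
		if prefix+"/" != v1.SeccompContainerAnnotationKeyPrefix {
			continue
		}
		// The bare prefix (with or without "/") carries no container name, and a
		// key with further "/" segments is ambiguous; both are rejected rather
		// than silently recorded under an empty or partial name.
		if !found || ctrName == "" || strings.Contains(ctrName, "/") {
			return nil, fmt.Errorf("invalid seccomp path: %s", prefix)
		}

		path, err := verifySeccompPath(seccomp, profileRoot)
		if err != nil {
			return nil, err
		}
		seccompPaths.containerPaths[ctrName] = path
	}

	var err error
	if podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey]; ok {
		seccompPaths.podPath, err = verifySeccompPath(podSeccomp, profileRoot)
	} else {
		seccompPaths.podPath, err = libpod.DefaultSeccompPath()
	}
	if err != nil {
		return nil, err
	}
	return seccompPaths, nil
}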

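// verifySeccompPath resolves a seccomp profile reference taken from a pod
// YAML annotation into the path libpod should use.
//
// The accepted forms follow
// https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp:
// the runtime default and the deprecated docker default map to
// libpod.DefaultSeccompPath(), "unconfined" is returned unchanged, and
// "localhost/<name>" maps to profileRoot/<name> (a name with subdirectories
// is kept intact). Any other value is rejected with an error.
//
// Because the annotation is user-supplied, a "localhost/" reference must stay
// inside profileRoot: an empty name, an absolute name, or one that climbs out
// via ".." is rejected instead of being joined onto profileRoot.
func verifySeccompPath(path string, profileRoot string) (string, error) {
	switch path {
	case v1.DeprecatedSeccompProfileDockerDefault, v1.SeccompProfileRuntimeDefault:
		return libpod.DefaultSeccompPath()
	case "unconfined":
		return path, nil
	}

	// strings.Cut also handles a bare "localhost" with no "/", which would
	// otherwise index past the end of a Split result.
	prefix, profile, found := strings.Cut(path, "/")
	if !found || prefix != "localhost" {
		return "", fmt.Errorf("invalid seccomp path: %s", path)
	}

	// Normalise the name and make sure it still resolves below profileRoot.
	name := filepath.Clean(profile)
	if profile == "" || filepath.IsAbs(name) || name == "." || name == ".." ||
		strings.HasPrefix(name, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("invalid seccomp path: %s", path)
	}
	return filepath.Join(profileRoot, name), nil
}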