10
"github.com/containers/podman/v5/libpod"
11
v1 "github.com/containers/podman/v5/pkg/k8s.io/api/core/v1"
14
// KubeSeccompPaths holds information about a pod YAML's seccomp configuration
15
// it holds both container and pod seccomp paths
18
type KubeSeccompPaths struct {
19
containerPaths map[string]string
23
// FindForContainer checks whether a container has a seccomp path configured for it
24
// if not, it returns the podPath, which should always have a value
25
func (k *KubeSeccompPaths) FindForContainer(ctrName string) string {
26
if path, ok := k.containerPaths[ctrName]; ok {
32
// InitializeSeccompPaths takes annotations from the pod object metadata and finds annotations pertaining to seccomp
33
// it parses both pod and container level
34
// if the annotation is of the form "localhost/%s", the seccomp profile will be set to profileRoot/%s
35
func InitializeSeccompPaths(annotations map[string]string, profileRoot string) (*KubeSeccompPaths, error) {
36
seccompPaths := &KubeSeccompPaths{containerPaths: make(map[string]string)}
38
if annotations != nil {
39
for annKeyValue, seccomp := range annotations {
40
// check if it is prefaced with container.seccomp.security.alpha.kubernetes.io/
41
prefixAndCtr := strings.Split(annKeyValue, "/")
42
if prefixAndCtr[0]+"/" != v1.SeccompContainerAnnotationKeyPrefix {
44
} else if len(prefixAndCtr) != 2 {
45
// this could be caused by a user inputting either of
46
// container.seccomp.security.alpha.kubernetes.io{,/}
47
// both of which are invalid
48
return nil, fmt.Errorf("invalid seccomp path: %s", prefixAndCtr[0])
51
path, err := verifySeccompPath(seccomp, profileRoot)
55
seccompPaths.containerPaths[prefixAndCtr[1]] = path
58
podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey]
60
seccompPaths.podPath, err = verifySeccompPath(podSeccomp, profileRoot)
62
seccompPaths.podPath, err = libpod.DefaultSeccompPath()
68
return seccompPaths, nil
71
// verifySeccompPath takes a path and checks whether it is a default, unconfined, or a path
72
// the available options are parsed as defined in https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
73
func verifySeccompPath(path string, profileRoot string) (string, error) {
75
case v1.DeprecatedSeccompProfileDockerDefault:
77
case v1.SeccompProfileRuntimeDefault:
78
return libpod.DefaultSeccompPath()
82
parts := strings.Split(path, "/")
83
if parts[0] == "localhost" {
84
return filepath.Join(profileRoot, parts[1]), nil
86
return "", fmt.Errorf("invalid seccomp path: %s", path)