From e31ed07a9cf60fbf9cecfbd5938e09d85d53d086 Mon Sep 17 00:00:00 2001 From: hzxuzhonghu Date: Tue, 5 Dec 2017 15:15:46 +0800 Subject: [PATCH] also check pod securityContextt hostNetwork in exec admission controller --- plugin/pkg/admission/exec/admission.go | 46 ++++++++++++++++---------- 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/plugin/pkg/admission/exec/admission.go b/plugin/pkg/admission/exec/admission.go index 456d47e07e..0188b2ac76 100644 --- a/plugin/pkg/admission/exec/admission.go +++ b/plugin/pkg/admission/exec/admission.go @@ -49,9 +49,10 @@ type DenyExec struct { client internalclientset.Interface // these flags control which items will be checked to deny exec/attach - hostIPC bool - hostPID bool - privileged bool + hostNetwork bool + hostIPC bool + hostPID bool + privileged bool } var _ admission.ValidationInterface = &DenyExec{} @@ -62,22 +63,24 @@ var _ = kubeapiserveradmission.WantsInternalKubeClientSet(&DenyExec{}) // using host based configurations. func NewDenyEscalatingExec() *DenyExec { return &DenyExec{ - Handler: admission.NewHandler(admission.Connect), - hostIPC: true, - hostPID: true, - privileged: true, + Handler: admission.NewHandler(admission.Connect), + hostNetwork: true, + hostIPC: true, + hostPID: true, + privileged: true, } } // NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged -// option. This is for legacy support of the DenyExecOnPrivileged admission controller. Most -// of the time NewDenyEscalatingExec should be preferred. +// option. This is for legacy support of the DenyExecOnPrivileged admission controller. +// Most of the time NewDenyEscalatingExec should be preferred. func NewDenyExecOnPrivileged() *DenyExec { return &DenyExec{ - Handler: admission.NewHandler(admission.Connect), - hostIPC: false, - hostPID: false, - privileged: true, + Handler: admission.NewHandler(admission.Connect), + hostNetwork: false, + hostIPC: false, + hostPID: false, + privileged: true, } } @@ -96,12 +99,19 @@ func (d *DenyExec) Validate(a admission.Attributes) (err error) { return admission.NewForbidden(a, err) } - if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID { - return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid")) - } + if pod.Spec.SecurityContext != nil { + securityContext := pod.Spec.SecurityContext + if d.hostNetwork && securityContext.HostNetwork { + return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host network")) + } - if d.hostIPC && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC { - return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc")) + if d.hostPID && securityContext.HostPID { + return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid")) + } + + if d.hostIPC && securityContext.HostIPC { + return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc")) + } } if d.privileged && isPrivileged(pod) {