Merge pull request #56839 from hzxuzhonghu/exec-admission

Automatic merge from submit-queue (batch tested with PRs 57746, 57621, 56839, 57464). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. check pod securityContext hostNetwork in exec admission controller **What this PR does / why we need it**: currently only hostIPC hostPID are checked in DenyEscalatingExec admission controller, hostNetwork should also be checked to deny exec /attach **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #56838 **Special notes for your reviewer**: **Release note**: ```release-note check psp HostNetwork in DenyEscalatingExec admission controller. ```
2018-01-02 15:26:44 -08:00 · 2018-01-02 15:26:44 -08:00 · 45a069a241
parent 900177d033 e31ed07a9c
commit 45a069a241
1 changed files with 28 additions and 18 deletions
--- a/plugin/pkg/admission/exec/admission.go
+++ b/plugin/pkg/admission/exec/admission.go
@ -49,9 +49,10 @@ type DenyExec struct {
 	client internalclientset.Interface

 	// these flags control which items will be checked to deny exec/attach
-	hostIPC    bool
-	hostPID    bool
-	privileged bool
+	hostNetwork bool
+	hostIPC     bool
+	hostPID     bool
+	privileged  bool
 }

 var _ admission.ValidationInterface = &DenyExec{}
@ -62,22 +63,24 @@ var _ = kubeapiserveradmission.WantsInternalKubeClientSet(&DenyExec{})
 // using host based configurations.
 func NewDenyEscalatingExec() *DenyExec {
 	return &DenyExec{
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    true,
-		hostPID:    true,
-		privileged: true,
+		Handler:     admission.NewHandler(admission.Connect),
+		hostNetwork: true,
+		hostIPC:     true,
+		hostPID:     true,
+		privileged:  true,
 	}
 }

 // NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged
-// option.  This is for legacy support of the DenyExecOnPrivileged admission controller.  Most
-// of the time NewDenyEscalatingExec should be preferred.
+// option. This is for legacy support of the DenyExecOnPrivileged admission controller.
+// Most of the time NewDenyEscalatingExec should be preferred.
 func NewDenyExecOnPrivileged() *DenyExec {
 	return &DenyExec{
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    false,
-		hostPID:    false,
-		privileged: true,
+		Handler:     admission.NewHandler(admission.Connect),
+		hostNetwork: false,
+		hostIPC:     false,
+		hostPID:     false,
+		privileged:  true,
 	}
 }

@ -96,12 +99,19 @@ func (d *DenyExec) Validate(a admission.Attributes) (err error) {
 		return admission.NewForbidden(a, err)
 	}

-	if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
-		return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
-	}
+	if pod.Spec.SecurityContext != nil {
+		securityContext := pod.Spec.SecurityContext
+		if d.hostNetwork && securityContext.HostNetwork {
+			return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host network"))
+		}

-	if d.hostIPC && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
-		return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc"))
+		if d.hostPID && securityContext.HostPID {
+			return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
+		}
+
+		if d.hostIPC && securityContext.HostIPC {
+			return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc"))
+		}
 	}

 	if d.privileged && isPrivileged(pod) {