Fix incorrect procMount defaulting

k3s-v1.14.4
Jordan Liggitt 2019-06-10 21:47:00 -04:00
parent 0020140bf3
commit 702f00c2af
17 changed files with 45 additions and 153 deletions


@ -406,16 +406,26 @@ func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {
defaultProcMount := api.DefaultProcMount
for i := range podSpec.Containers {
if podSpec.Containers[i].SecurityContext != nil {
if podSpec.Containers[i].SecurityContext.ProcMount != nil {
// The ProcMount field was improperly forced to non-nil in 1.12.
// If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.
// Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.
podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount
}
}
}
for i := range podSpec.InitContainers {
if podSpec.InitContainers[i].SecurityContext != nil {
if podSpec.InitContainers[i].SecurityContext.ProcMount != nil {
// The ProcMount field was improperly forced to non-nil in 1.12.
// If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.
// Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.
podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount
}
}
}
}
}
// dropDisabledVolumeDevicesFields removes disabled fields from []VolumeDevice if it has not been already populated.
// This should be called from PrepareForCreate/PrepareForUpdate for all resources containing a VolumeDevice
@ -473,7 +483,7 @@ func runtimeClassInUse(podSpec *api.PodSpec) bool {
return false
}
// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set
// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set to a non-default value
func procMountInUse(podSpec *api.PodSpec) bool {
if podSpec == nil {
return false
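Review bot: The two loops over Containers and InitContainers in this hunk are the same body twice, including a duplicated three-line comment, so the fail-closed rule (an explicitly requested non-default ProcMount, e.g. Unmasked, is coerced back to Default while the gate is off) lives in two places; a local closure applied to both slices would keep it in one. Every container is also left pointing at the single `defaultProcMount` variable, which is harmless only as long as nothing later mutates `*ProcMount` in place; a per-container copy removes the aliasing. The guard that decides when this runs (gate disabled and the old object not using a non-default value, per the comment) is before the hunk, so dropDisabledProcMountField starts outside it, and procMountInUse's body in the second hunk runs past it. Security-wise the coercion is the right direction since it can only narrow what the container sees in /proc, and the comment could say so: `// Coercing to Default (never nil, never a less restrictive value) is fail-closed: a disabled gate can only narrow /proc masking.`
```go
defaultProcMount := api.DefaultProcMount
// forceDefault rewrites any present ProcMount to the default value and leaves
// a nil field nil; the reasoning is in the comment on the persisted-data diff.
forceDefault := func(containers []api.Container) {
	for i := range containers {
		sc := containers[i].SecurityContext
		if sc == nil || sc.ProcMount == nil {
			continue
		}
		// … unchanged: the three-line explanatory comment on 1.12 defaulting …
		v := defaultProcMount
		sc.ProcMount = &v
	}
}
forceDefault(podSpec.Containers)
forceDefault(podSpec.InitContainers)
```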


@ -616,7 +616,7 @@ func TestDropProcMount(t *testing.T) {
},
}
}
podWithoutProcMount := func() *api.Pod {
podWithDefaultProcMount := func() *api.Pod {
return &api.Pod{
Spec: api.PodSpec{
RestartPolicy: api.RestartPolicyNever,
@ -625,6 +625,15 @@ func TestDropProcMount(t *testing.T) {
},
}
}
podWithoutProcMount := func() *api.Pod {
return &api.Pod{
Spec: api.PodSpec{
RestartPolicy: api.RestartPolicyNever,
Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
},
}
}
podInfo := []struct {
description string
@ -636,6 +645,11 @@ func TestDropProcMount(t *testing.T) {
hasProcMount: true,
pod: podWithProcMount,
},
{
description: "has default ProcMount",
hasProcMount: false,
pod: podWithDefaultProcMount,
},
{
description: "does not have ProcMount",
hasProcMount: false,
@ -683,8 +697,8 @@ func TestDropProcMount(t *testing.T) {
t.Errorf("new pod was not changed")
}
// new pod should not have ProcMount
if !reflect.DeepEqual(newPod, podWithoutProcMount()) {
t.Errorf("new pod had ProcMount: %v", diff.ObjectReflectDiff(newPod, podWithoutProcMount()))
if procMountInUse(&newPod.Spec) {
t.Errorf("new pod had ProcMount: %#v", &newPod.Spec)
}
default:
// new pod should not need to be changed
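Review bot: The replacement assertion `procMountInUse(&newPod.Spec)` only proves that no non-default value survived; it no longer checks that the field was forced to Default rather than dropped to nil, which is exactly the invariant the production comment says must hold ("we cannot force the field to nil"). Since the hunk above adds a `podWithDefaultProcMount` fixture, the stronger check is available: `if !reflect.DeepEqual(newPod, podWithDefaultProcMount()) { t.Errorf("new pod was not forced to default ProcMount: %v", diff.ObjectReflectDiff(newPod, podWithDefaultProcMount())) }`, assuming that fixture sets `ProcMount: &defaultProcMount` on both container lists (its body is cut at the hunk edge, so confirm). The comment `// new pod should not have ProcMount` is now stale and should read `// new pod should have ProcMount forced to the default value, not removed`. TestDropProcMount starts before the first hunk and ends after the last.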


@ -136,9 +136,6 @@ func SetObjectDefaults_DaemonSet(in *v1.DaemonSet) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -181,9 +178,6 @@ func SetObjectDefaults_DaemonSet(in *v1.DaemonSet) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -289,9 +283,6 @@ func SetObjectDefaults_Deployment(in *v1.Deployment) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -334,9 +325,6 @@ func SetObjectDefaults_Deployment(in *v1.Deployment) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -442,9 +430,6 @@ func SetObjectDefaults_ReplicaSet(in *v1.ReplicaSet) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -487,9 +472,6 @@ func SetObjectDefaults_ReplicaSet(in *v1.ReplicaSet) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -595,9 +577,6 @@ func SetObjectDefaults_StatefulSet(in *v1.StatefulSet) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -640,9 +619,6 @@ func SetObjectDefaults_StatefulSet(in *v1.StatefulSet) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i]


@ -132,9 +132,6 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -177,9 +174,6 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -285,9 +279,6 @@ func SetObjectDefaults_StatefulSet(in *v1beta1.StatefulSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -330,9 +321,6 @@ func SetObjectDefaults_StatefulSet(in *v1beta1.StatefulSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i]


@ -136,9 +136,6 @@ func SetObjectDefaults_DaemonSet(in *v1beta2.DaemonSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -181,9 +178,6 @@ func SetObjectDefaults_DaemonSet(in *v1beta2.DaemonSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -289,9 +283,6 @@ func SetObjectDefaults_Deployment(in *v1beta2.Deployment) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -334,9 +325,6 @@ func SetObjectDefaults_Deployment(in *v1beta2.Deployment) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -442,9 +430,6 @@ func SetObjectDefaults_ReplicaSet(in *v1beta2.ReplicaSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -487,9 +472,6 @@ func SetObjectDefaults_ReplicaSet(in *v1beta2.ReplicaSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -595,9 +577,6 @@ func SetObjectDefaults_StatefulSet(in *v1beta2.StatefulSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -640,9 +619,6 @@ func SetObjectDefaults_StatefulSet(in *v1beta2.StatefulSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i]


@ -130,9 +130,6 @@ func SetObjectDefaults_Job(in *v1.Job) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -175,9 +172,6 @@ func SetObjectDefaults_Job(in *v1.Job) {
}
}
}
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}


@ -131,9 +131,6 @@ func SetObjectDefaults_CronJob(in *v1beta1.CronJob) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers {
a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i]
@ -176,9 +173,6 @@ func SetObjectDefaults_CronJob(in *v1beta1.CronJob) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -283,9 +277,6 @@ func SetObjectDefaults_JobTemplate(in *v1beta1.JobTemplate) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Template.Spec.Template.Spec.Containers {
a := &in.Template.Spec.Template.Spec.Containers[i]
@ -328,8 +319,5 @@ func SetObjectDefaults_JobTemplate(in *v1beta1.JobTemplate) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}


@ -131,9 +131,6 @@ func SetObjectDefaults_CronJob(in *v2alpha1.CronJob) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers {
a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i]
@ -176,9 +173,6 @@ func SetObjectDefaults_CronJob(in *v2alpha1.CronJob) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -283,9 +277,6 @@ func SetObjectDefaults_JobTemplate(in *v2alpha1.JobTemplate) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Template.Spec.Template.Spec.Containers {
a := &in.Template.Spec.Template.Spec.Containers[i]
@ -328,8 +319,5 @@ func SetObjectDefaults_JobTemplate(in *v2alpha1.JobTemplate) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}


@ -354,10 +354,6 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
c.Fuzz(&sc.Capabilities.Add)
c.Fuzz(&sc.Capabilities.Drop)
}
if sc.ProcMount == nil {
defProcMount := core.DefaultProcMount
sc.ProcMount = &defProcMount
}
},
func(s *core.Secret, c fuzz.Continue) {
c.FuzzNoCustom(s) // fuzz self without calling this function again


@ -421,10 +421,3 @@ func SetDefaults_HostPathVolumeSource(obj *v1.HostPathVolumeSource) {
obj.Type = &typeVol
}
}
func SetDefaults_SecurityContext(obj *v1.SecurityContext) {
if obj.ProcMount == nil {
defProcMount := v1.DefaultProcMount
obj.ProcMount = &defProcMount
}
}


@ -263,9 +263,6 @@ func SetObjectDefaults_Pod(in *v1.Pod) {
}
}
}
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Containers {
a := &in.Spec.Containers[i]
@ -308,9 +305,6 @@ func SetObjectDefaults_Pod(in *v1.Pod) {
}
}
}
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -415,9 +409,6 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) {
}
}
}
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Template.Spec.Containers {
a := &in.Template.Spec.Containers[i]
@ -460,9 +451,6 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) {
}
}
}
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -569,9 +557,6 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) {
}
}
}
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -614,9 +599,6 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) {
}
}
}
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
}


@ -138,9 +138,6 @@ func SetObjectDefaults_DaemonSet(in *v1beta1.DaemonSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -183,9 +180,6 @@ func SetObjectDefaults_DaemonSet(in *v1beta1.DaemonSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -291,9 +285,6 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -336,9 +327,6 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}
@ -466,9 +454,6 @@ func SetObjectDefaults_ReplicaSet(in *v1beta1.ReplicaSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i]
@ -511,9 +496,6 @@ func SetObjectDefaults_ReplicaSet(in *v1beta1.ReplicaSet) {
}
}
}
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
}
}


@ -109,6 +109,7 @@ func NewDeployment(deploymentName string, replicas int32, podLabels map[string]s
{
Name: imageName,
Image: image,
SecurityContext: &v1.SecurityContext{},
},
},
},
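Review bot: The new `SecurityContext: &v1.SecurityContext{}` line in the NewDeployment fixture has no comment, so a reader cannot tell why an e2e fixture now carries an empty security context; it is not obviously related to the rest of the fixture. Presumably it exists so the test exercises a container whose SecurityContext is present but no longer gains a defaulted ProcMount (the defaulter removed elsewhere in this commit), but that is inferred, not stated. A one-line why-comment would fix it, e.g. `// Empty SecurityContext on purpose: verifies it survives create/update without a defaulted ProcMount.` NewDeployment's body runs past the hunk on both sides.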


@ -83,6 +83,7 @@ func NewTestJob(behavior, name string, rPol v1.RestartPolicy, parallelism, compl
Name: "data",
},
},
SecurityContext: &v1.SecurityContext{},
},
},
},


@ -150,6 +150,7 @@ func NewReplicaSet(name, namespace string, replicas int32, podLabels map[string]
{
Name: imageName,
Image: image,
SecurityContext: &v1.SecurityContext{},
},
},
},


@ -810,6 +810,7 @@ func NewStatefulSet(name, ns, governingSvcName string, replicas int32, statefulP
Name: "nginx",
Image: imageutils.GetE2EImage(imageutils.Nginx),
VolumeMounts: mounts,
SecurityContext: &v1.SecurityContext{},
},
},
Volumes: vols,


@ -68,6 +68,7 @@ func (t *DaemonSetUpgradeTest) Setup(f *framework.Framework) {
Name: daemonSetName,
Image: image,
Ports: []v1.ContainerPort{{ContainerPort: 9376}},
SecurityContext: &v1.SecurityContext{},
},
},
},
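Review bot: The added `SecurityContext: &v1.SecurityContext{}` in the DaemonSet upgrade test's container is undocumented, and in an upgrade test the intent matters more than elsewhere: an empty SecurityContext is defaulted to a non-nil ProcMount by the pre-upgrade apiserver and left empty by the post-upgrade one, so this fixture appears chosen to hit that exact transition, though that is inferred from the rest of the commit rather than stated here. A short comment would make the expectation explicit for whoever next touches the test, e.g. `// Empty SecurityContext is intentional: the pre-upgrade apiserver defaults ProcMount into it, the post-upgrade one must tolerate both shapes.` The Setup method continues outside the hunk.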