also check pod securityContextt hostNetwork in exec admission controller

2017-12-05 15:15:46 +08:00 · 2017-12-05 15:15:46 +08:00 · e31ed07a9c
parent 0d22ddc802
commit e31ed07a9c
1 changed files with 28 additions and 18 deletions
--- a/plugin/pkg/admission/exec/admission.go
+++ b/plugin/pkg/admission/exec/admission.go
@ -49,9 +49,10 @@ type DenyExec struct {
 	client internalclientset.Interface

 	// these flags control which items will be checked to deny exec/attach
-	hostIPC    bool
-	hostPID    bool
-	privileged bool
+	hostNetwork bool
+	hostIPC     bool
+	hostPID     bool
+	privileged  bool
 }

 var _ admission.ValidationInterface = &DenyExec{}
@ -62,22 +63,24 @@ var _ = kubeapiserveradmission.WantsInternalKubeClientSet(&DenyExec{})
 // using host based configurations.
 func NewDenyEscalatingExec() *DenyExec {
 	return &DenyExec{
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    true,
-		hostPID:    true,
-		privileged: true,
+		Handler:     admission.NewHandler(admission.Connect),
+		hostNetwork: true,
+		hostIPC:     true,
+		hostPID:     true,
+		privileged:  true,
 	}
 }

 // NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged
-// option.  This is for legacy support of the DenyExecOnPrivileged admission controller.  Most
-// of the time NewDenyEscalatingExec should be preferred.
+// option. This is for legacy support of the DenyExecOnPrivileged admission controller.
+// Most of the time NewDenyEscalatingExec should be preferred.
 func NewDenyExecOnPrivileged() *DenyExec {
 	return &DenyExec{
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    false,
-		hostPID:    false,
-		privileged: true,
+		Handler:     admission.NewHandler(admission.Connect),
+		hostNetwork: false,
+		hostIPC:     false,
+		hostPID:     false,
+		privileged:  true,
 	}
 }

@ -96,12 +99,19 @@ func (d *DenyExec) Validate(a admission.Attributes) (err error) {
 		return admission.NewForbidden(a, err)
 	}

-	if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
-		return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
-	}
+	if pod.Spec.SecurityContext != nil {
+		securityContext := pod.Spec.SecurityContext
+		if d.hostNetwork && securityContext.HostNetwork {
+			return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host network"))
+		}

-	if d.hostIPC && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
-		return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc"))
+		if d.hostPID && securityContext.HostPID {
+			return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
+		}
+
+		if d.hostIPC && securityContext.HostIPC {
+			return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc"))
+		}
 	}

 	if d.privileged && isPrivileged(pod) {