github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
60,153 Commits
32 Branches
881 Tags
633 MiB
Commit Graph

24 Commits (3b4070258619a6743d6dcb36181132d5ed228107)

Author SHA1 Message Date
Kubernetes Submit Queue 72c6251508 Merge pull request #47019 from jessfraz/allowPrivilegeEscalation 
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

Add support for `no_new_privs` via AllowPrivilegeEscalation

**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes #38417

Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.

Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.

Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.

**Release note**:

```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process
```
 2017-07-31 16:56:58 -07:00
Jess Frazelle 0f349cc61f
allowPrivilegeEscalation: modify api types & add functionality 
Signed-off-by: Jess Frazelle <acidburn@google.com>
 2017-07-24 12:52:41 -04:00
Casey Davenport 78709456ab Fix TODO: rename podInfraContainerID to podSandboxID 2017-07-20 17:45:55 -07:00
Yang Guo bf2ced837c Updates Docker Engine API 2017-07-13 12:55:07 -07:00
Yu-Ju Hong e6ad8f8e48 dockershim: clean up unused security context code 
Also remove references to kubernetes api objects
 2017-07-10 17:48:26 -07:00
Chao Xu f4989a45a5 run root-rewrite-v1-..., compile 2017-06-22 10:25:57 -07:00
Pengfei Ni 22e99504d7 Update CRI references 2017-06-09 10:16:40 +08:00
Michael Taufen cbad320205 Reorganize kubelet tree so apis can be independently versioned 2017-05-12 10:02:33 -07:00
Yu-Ju Hong 951b2d922b move securitycontext from dockertools to dockershim 2017-05-01 17:32:38 -07:00
Pengfei Ni ac76766a92 CRI: move apparmor annotations to container security context 2017-05-01 20:55:16 +08:00
Lee Verberne d22dd0fa35 Implement shared PID namespace in the dockershim 2017-04-27 23:43:53 +00:00
Pengfei Ni 023fe48c98 Do not clear hostPid for host-networked container 2017-04-05 22:34:30 +08:00
Xianglin Gao e5b3e0879d make func modifySandboxNamespaceOptions() more robust 
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
 2017-03-31 14:14:10 +08:00
Dan Williams aafd5c9ef6 dockershim: use network PluginManager to synchronize pod network operations 2017-02-16 13:51:19 -06:00
Yu-Ju Hong d8e29e782f dockershim: set security option separators based on the docker version 
Also add a version cache to avoid hitting the docker daemon frequently.
 2017-02-07 11:06:40 -08:00
Yu-Ju Hong 05c3b8c1cf Set docker opt separator correctly for SELinux options 2017-02-06 14:47:30 -08:00
Yu-Ju Hong 4506f4c2d0 securitycontext: move docker-specific logic into kubelet/dockertools 
This change moves the code specific to docker to kubelet/dockertools,
while leaving the common utility functions at its current package
(pkg/securitycontext).

When we deprecate dockertools in the future, the code will be moved to
pkg/kubelet/dockershim instead.
 2017-01-27 12:25:46 -08:00
Pengfei Ni d4bfcd1fda kubelet/dockershim: update cri to protobuf v3 2017-01-20 09:55:37 +08:00
Minhan Xia 04c3757a06 apply sandbox network mode based on network plugin 2016-12-13 16:00:23 -08:00
Chao Xu 5e1adf91df cmd/kubelet 2016-11-23 15:53:09 -08:00
Random-Liu 2ce5deb6fd Add separate username field in CRI and use it. 2016-11-15 16:50:02 -08:00
Random-Liu 99ee3f4b76 Add non-numeric user name support. 2016-11-08 16:07:29 -08:00
Pengfei Ni f8e5f81fed cleanup TODOs in dockershim 2016-11-07 11:41:06 +08:00
Pengfei Ni 3aee57d4ae Add security context support in dockershim 2016-11-07 11:07:56 +08:00