mirror of https://github.com/k3s-io/k3s
72c6251508
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747) Add support for `no_new_privs` via AllowPrivilegeEscalation **What this PR does / why we need it**: Implements kubernetes/community#639 Fixes #38417 Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`. Adds `AllowPrivilegeEscalation` to container `SecurityContext`. Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set. Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity. **Release note**: ```release-note Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process ``` |
||
|---|---|---|
| .. | ||
| clusterapi-tester | ||
| cuda-vector-add | ||
| dnsutils | ||
| entrypoint-tester | ||
| fakegitserver | ||
| goproxy | ||
| hostexec | ||
| iperf | ||
| jessie-dnsutils | ||
| kitten | ||
| liveness | ||
| logs-generator | ||
| mounttest | ||
| mounttest-user | ||
| n-way-http | ||
| nautilus | ||
| net | ||
| netexec | ||
| nettest | ||
| no-snat-test | ||
| no-snat-test-proxy | ||
| nonewprivs | ||
| pets | ||
| port-forward-tester | ||
| porter | ||
| redis | ||
| resource-consumer | ||
| serve-hostname | ||
| test-webserver | ||
| volumes-tester | ||
| BUILD | ||
| Makefile | ||
| image-util.sh | ||