mirror of https://github.com/k3s-io/k3s
72c6251508
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747) Add support for `no_new_privs` via AllowPrivilegeEscalation **What this PR does / why we need it**: Implements kubernetes/community#639 Fixes #38417 Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`. Adds `AllowPrivilegeEscalation` to container `SecurityContext`. Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set. Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity. **Release note**: ```release-note Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than it's parent process ``` |
||
|---|---|---|
| .. | ||
| cm | ||
| errors | ||
| fixtures/seccomp | ||
| libdocker | ||
| remote | ||
| testing | ||
| BUILD | ||
| checkpoint_store.go | ||
| checkpoint_store_test.go | ||
| convert.go | ||
| convert_test.go | ||
| doc.go | ||
| docker_checkpoint.go | ||
| docker_checkpoint_test.go | ||
| docker_container.go | ||
| docker_container_test.go | ||
| docker_image.go | ||
| docker_image_test.go | ||
| docker_legacy.go | ||
| docker_legacy_test.go | ||
| docker_sandbox.go | ||
| docker_sandbox_test.go | ||
| docker_service.go | ||
| docker_service_test.go | ||
| docker_stats.go | ||
| docker_streaming.go | ||
| exec.go | ||
| helpers.go | ||
| helpers_linux.go | ||
| helpers_linux_test.go | ||
| helpers_test.go | ||
| helpers_unsupported.go | ||
| helpers_windows.go | ||
| naming.go | ||
| naming_test.go | ||
| security_context.go | ||
| security_context_test.go | ||
| selinux_util.go | ||
| selinux_util_test.go | ||