mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-06-14 18:53:35 +00:00
.github
actions
api
assets
charts
cmd
deploy
docs
e2e
examples
internal
scripts
tools
troubleshooting
vendor
github.com
go.etcd.io
go.opentelemetry.io
go.uber.org
golang.org
gomodules.xyz
google.golang.org
gopkg.in
k8s.io
api
apiextensions-apiserver
apimachinery
apiserver
client-go
cloud-provider
component-base
component-helpers
controller-manager
klog
kms
kube-openapi
kubectl
kubelet
kubernetes
mount-utils
pod-security-admission
api
policy
check_allowPrivilegeEscalation.go
check_appArmorProfile.go
check_capabilities_baseline.go
check_capabilities_restricted.go
check_hostNamespaces.go
check_hostPathVolumes.go
check_hostPorts.go
check_privileged.go
check_procMount.go
check_restrictedVolumes.go
check_runAsNonRoot.go
check_runAsUser.go
check_seLinuxOptions.go
check_seccompProfile_baseline.go
check_seccompProfile_restricted.go
check_sysctls.go
check_windowsHostProcess.go
checks.go
doc.go
helpers.go
registry.go
visitor.go
LICENSE
utils
sigs.k8s.io
modules.txt
.commitlintrc.yml
.gitignore
.mergify.yml
.pre-commit-config.yaml
LICENSE
Makefile
README.md
build.env
deploy.sh
go.mod
go.sum
76 lines
2.0 KiB
Go
76 lines
2.0 KiB
Go
|
/*
|
||
|
|
Copyright 2021 The Kubernetes Authors.
|
||
|
|
|
||
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
|
you may not use this file except in compliance with the License.
|
||
|
|
You may obtain a copy of the License at
|
||
|
|
|
||
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
||
|
|
|
||
|
|
Unless required by applicable law or agreed to in writing, software
|
||
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
|
See the License for the specific language governing permissions and
|
||
|
|
limitations under the License.
|
||
|
|
*/
|
||
|
|
|
||
|
|
package policy
|
||
|
|
|
||
|
|
import (
|
||
|
|
"fmt"
|
||
|
|
|
||
|
|
corev1 "k8s.io/api/core/v1"
|
||
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||
|
|
"k8s.io/pod-security-admission/api"
|
||
|
|
)
|
||
|
|
|
||
|
|
/*
|
||
|
|
Privileged Pods disable most security mechanisms and must be disallowed.
|
||
|
|
|
||
|
|
Restricted Fields:
|
||
|
|
spec.containers[*].securityContext.privileged
|
||
|
|
spec.initContainers[*].securityContext.privileged
|
||
|
|
|
||
|
|
Allowed Values: false, undefined/null
|
||
|
|
*/
|
||
|
|
|
||
|
|
func init() {
|
||
|
|
addCheck(CheckPrivileged)
|
||
|
|
}
|
||
|
|
|
||
|
|
// CheckPrivileged returns a baseline level check
|
||
|
|
// that forbids privileged=true in 1.0+
|
||
|
|
func CheckPrivileged() Check {
|
||
|
|
return Check{
|
||
|
|
ID: "privileged",
|
||
|
|
Level: api.LevelBaseline,
|
||
|
|
Versions: []VersionedCheck{
|
||
|
|
{
|
||
|
|
MinimumVersion: api.MajorMinorVersion(1, 0),
|
||
|
|
CheckPod: privileged_1_0,
|
||
|
|
},
|
||
|
|
},
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
func privileged_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||
|
|
var badContainers []string
|
||
|
|
visitContainers(podSpec, func(container *corev1.Container) {
|
||
|
|
if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged {
|
||
|
|
badContainers = append(badContainers, container.Name)
|
||
|
|
}
|
||
|
|
})
|
||
|
|
if len(badContainers) > 0 {
|
||
|
|
return CheckResult{
|
||
|
|
Allowed: false,
|
||
|
|
ForbiddenReason: "privileged",
|
||
|
|
ForbiddenDetail: fmt.Sprintf(
|
||
|
|
`%s %s must not set securityContext.privileged=true`,
|
||
|
|
pluralize("container", "containers", len(badContainers)),
|
||
|
|
joinQuote(badContainers),
|
||
|
|
),
|
||
|
|
}
|
||
|
|
}
|
||
|
|
return CheckResult{Allowed: true}
|
||
|
|
}
|