Merge pull request #19885 from rhatdan/kube

Add support for kube securityContext.procMount
containers · Sep 8, 2023 · 6ee8f73 · 6ee8f73
2 parents 5d6ec27 + b834850
commit 6ee8f73
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 1 deletion.
diff --git a/docs/kubernetes_support.md b/docs/kubernetes_support.md
@@ -121,7 +121,7 @@ Note: **N/A** means that the option cannot be supported in a single-node Podman
 | securityContext\.runAsNonRoot                       | no      |
 | securityContext\.runAsGroup                         | ✅      |
 | securityContext\.readOnlyRootFilesystem             | ✅      |
-| securityContext\.procMount                          | no      |
+| securityContext\.procMount                          | ✅      |
 | securityContext\.privileged                         | ✅      |
 | securityContext\.allowPrivilegeEscalation           | ✅      |
 | securityContext\.capabilities\.add                  | ✅      |

diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
@@ -313,6 +313,10 @@ func (c *Container) GetSecurityOptions() []string {
 	if apparmor, ok := ctrSpec.Annotations[define.InspectAnnotationApparmor]; ok {
 		SecurityOpt = append(SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor))
 	}
+	if c.config.Spec.Linux.MaskedPaths == nil {
+		SecurityOpt = append(SecurityOpt, "unmask=all")
+	}
+
 	return SecurityOpt
 }
 

diff --git a/libpod/kube.go b/libpod/kube.go
@@ -1220,6 +1220,12 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, bool, error
 		scHasData = true
 		sc.ReadOnlyRootFilesystem = &ro
 	}
+	if c.config.Spec.Linux.MaskedPaths == nil {
+		scHasData = true
+		unmask := v1.UnmaskedProcMount
+		sc.ProcMount = &unmask
+	}
+
 	if c.User() != "" {
 		if !c.batched {
 			c.lock.Lock()

diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
@@ -807,6 +807,10 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security
 		s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation
 	}
 
+	if securityContext.ProcMount != nil && *securityContext.ProcMount == v1.UnmaskedProcMount {
+		s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, []string{"ALL"}...)
+	}
+
 	seopt := securityContext.SELinuxOptions
 	if seopt == nil {
 		seopt = podSecurityContext.SELinuxOptions

diff --git a/test/system/710-kube.bats b/test/system/710-kube.bats
@@ -74,6 +74,21 @@ status                           | =  | null
     run_podman rm $cname
 }
 
+@test "podman kube generate unmasked" {
+      KUBE=$PODMAN_TMPDIR/kube.yaml
+      run_podman create --name test --security-opt unmask=all $IMAGE
+      run_podman inspect --format '{{ .HostConfig.SecurityOpt }}' test
+      is "$output" "[unmask=all]" "Inspect should see unmask all"
+      run_podman kube generate test -f $KUBE
+      assert "$(< $KUBE)" =~ "procMount: Unmasked" "Generated kube yaml should have procMount unmasked"
+      run_podman kube play $KUBE
+      run_podman inspect --format '{{ .HostConfig.SecurityOpt }}' test-pod-test
+      is "$output" "[unmask=all]" "Inspect kube play container should see unmask all"
+      run_podman kube down $KUBE
+      run_podman pod rm -a
+      run_podman rm -a
+}
+
 @test "podman kube generate - pod" {
     local pname=p$(random_string 15)
     local cname1=c1$(random_string 15)