play kube: make seccomp handling better conform to k8s

Add flag --seccomp-profile-root in play kube to allow users to specify where to look for seccomp profiles update tests Signed-off-by: Peter Hunt <pehunt@redhat.com>
containers · Jan 3, 2020 · 20b6408 · 20b6408
1 parent 50b4446
commit 20b6408
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 26 deletions.
diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go
@@ -308,12 +308,13 @@ type HealthCheckValues struct {
 
 type KubePlayValues struct {
 	PodmanCommand
-	Authfile        string
-	CertDir         string
-	Creds           string
-	Quiet           bool
-	SignaturePolicy string
-	TlsVerify       bool
+	Authfile           string
+	CertDir            string
+	Creds              string
+	Quiet              bool
+	SignaturePolicy    string
+	TlsVerify          bool
+	SeccompProfileRoot string
 }
 
 type PodCreateValues struct {

diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go
@@ -28,6 +28,8 @@ var (
 		},
 		Example: `podman play kube demo.yml`,
 	}
+	// https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
+	defaultSeccompRoot = "/var/lib/kubelet/seccomp"
 )
 
 func init() {
@@ -46,6 +48,7 @@ func init() {
 		flags.StringVar(&playKubeCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
 		flags.StringVar(&playKubeCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
 		flags.BoolVar(&playKubeCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
+		flags.StringVar(&playKubeCommand.SeccompProfileRoot, "seccomp-profile-root", defaultSeccompRoot, "Directory path for seccomp profiles")
 		markFlagHidden(flags, "signature-policy")
 	}
 }

diff --git a/completions/bash/podman b/completions/bash/podman
@@ -2672,6 +2672,7 @@ _podman_play_kube() {
     --quiet
     -q
     --tls-verify
+    --seccomp-profile-root
     "
 
     case "$cur" in

diff --git a/docs/source/markdown/podman-play-kube.1.md b/docs/source/markdown/podman-play-kube.1.md
@@ -40,6 +40,10 @@ value can be entered.  The password is entered without echo.
 
 Suppress output information when pulling images
 
+**--seccomp-profile-root**=*path*
+
+Directory path for seccomp profiles. (Not available for remote commands)
+
 **--tls-verify**=*true|false*
 
 Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,

diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/containers/buildah/pkg/parse"
@@ -597,7 +598,7 @@ func (r *LocalRuntime) PlayKubeYAML(ctx context.Context, c *cliconfig.KubePlayVa
 		volumes[volume.Name] = hostPath.Path
 	}
 
-	seccompPaths, err := initializeSeccompPaths(podYAML.ObjectMeta.Annotations)
+	seccompPaths, err := initializeSeccompPaths(podYAML.ObjectMeta.Annotations, c.SeccompProfileRoot)
 	if err != nil {
 		return nil, err
 	}
@@ -847,7 +848,8 @@ func (k *kubeSeccompPaths) findForContainer(ctrName string) string {
 
 // initializeSeccompPaths takes annotations from the pod object metadata and finds annotations pertaining to seccomp
 // it parses both pod and container level
-func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, error) {
+// if the annotation is of the form "localhost/%s", the seccomp profile will be set to profileRoot/%s
+func initializeSeccompPaths(annotations map[string]string, profileRoot string) (*kubeSeccompPaths, error) {
 	seccompPaths := &kubeSeccompPaths{containerPaths: make(map[string]string)}
 	var err error
 	if annotations != nil {
@@ -863,7 +865,7 @@ func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, e
 				return nil, errors.Errorf("Invalid seccomp path: %s", prefixAndCtr[0])
 			}
 
-			path, err := verifySeccompPath(seccomp)
+			path, err := verifySeccompPath(seccomp, profileRoot)
 			if err != nil {
 				return nil, err
 			}
@@ -872,7 +874,7 @@ func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, e
 
 		podSeccomp, ok := annotations[v1.SeccompPodAnnotationKey]
 		if ok {
-			seccompPaths.podPath, err = verifySeccompPath(podSeccomp)
+			seccompPaths.podPath, err = verifySeccompPath(podSeccomp, profileRoot)
 		} else {
 			seccompPaths.podPath, err = libpod.DefaultSeccompPath()
 		}
@@ -885,7 +887,7 @@ func initializeSeccompPaths(annotations map[string]string) (*kubeSeccompPaths, e
 
 // verifySeccompPath takes a path and checks whether it is a default, unconfined, or a path
 // the available options are parsed as defined in https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
-func verifySeccompPath(path string) (string, error) {
+func verifySeccompPath(path string, profileRoot string) (string, error) {
 	switch path {
 	case v1.DeprecatedSeccompProfileDockerDefault:
 		fallthrough
@@ -894,13 +896,9 @@ func verifySeccompPath(path string) (string, error) {
 	case "unconfined":
 		return path, nil
 	default:
-		// TODO we have an inconsistency here
-		// k8s parses `localhost/<path>` which is found at `<seccomp_root>`
-		// we currently parse `localhost:<seccomp_root>/<path>
-		// to fully conform, we need to find a good location for the seccomp root
-		parts := strings.Split(path, ":")
+		parts := strings.Split(path, "/")
 		if parts[0] == "localhost" {
-			return parts[1], nil
+			return filepath.Join(profileRoot, parts[1]), nil
 		}
 		return "", errors.Errorf("invalid seccomp path: %s", path)
 	}

diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
@@ -76,11 +76,12 @@ status: {}
 `
 
 var (
-	defaultCtrName  = "testCtr"
-	defaultCtrCmd   = []string{"top"}
-	defaultCtrImage = ALPINE
-	defaultPodName  = "testPod"
-	seccompPwdEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+	defaultCtrName     = "testCtr"
+	defaultCtrCmd      = []string{"top"}
+	defaultCtrImage    = ALPINE
+	defaultPodName     = "testPod"
+	defaultSeccompRoot = "/var/lib/kubelet/seccomp"
+	seccompPwdEPERM    = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
 )
 
 func generateKubeYaml(pod *Pod, fileName string) error {
@@ -358,10 +359,10 @@ var _ = Describe("Podman generate kube", func() {
 		ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName
 		ctr := getCtr(withCmd([]string{"pwd"}))
 
-		err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost:"+jsonFile)), kubeYaml)
+		err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost/"+filepath.Base(jsonFile))), kubeYaml)
 		Expect(err).To(BeNil())
 
-		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube := podmanTest.Podman([]string{"play", "kube", "--seccomp-profile-root", podmanTest.TempDir, kubeYaml})
 		kube.WaitWithDefaultTimeout()
 		Expect(kube.ExitCode()).To(Equal(0))
 
@@ -378,13 +379,14 @@ var _ = Describe("Podman generate kube", func() {
 			fmt.Println(err)
 			Skip("Failed to prepare seccomp.json for test.")
 		}
+		defer os.Remove(jsonFile)
 
 		ctr := getCtr(withCmd([]string{"pwd"}))
 
-		err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost:"+jsonFile)), kubeYaml)
+		err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost/"+filepath.Base(jsonFile))), kubeYaml)
 		Expect(err).To(BeNil())
 
-		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube := podmanTest.Podman([]string{"play", "kube", "--seccomp-profile-root", podmanTest.TempDir, kubeYaml})
 		kube.WaitWithDefaultTimeout()
 		Expect(kube.ExitCode()).To(Equal(0))