Kh add readonly for hostpath (#13)

* add test service account * minor change * fix read-only attribute for allowedHostPath
sysdiglabs · Mar 5, 2019 · b364ebd · b364ebd
1 parent 331256c
commit b364ebd
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 19 deletions.
diff --git a/advisor/processor/generate.go b/advisor/processor/generate.go
@@ -8,7 +8,7 @@ import (
 	"github.com/sysdiglabs/kube-psp-advisor/advisor/types"
 	"github.com/sysdiglabs/kube-psp-advisor/utils"
 
-	v1 "k8s.io/api/core/v1"
+	"k8s.io/api/core/v1"
 	"k8s.io/api/policy/v1beta1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
@@ -22,6 +22,7 @@ type Processor struct {
 	serverGitVersion   string
 }
 
+// NewProcessor returns a new processor
 func NewProcessor(kubeconfig string) (*Processor, error) {
 	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
 	if err != nil {
@@ -89,8 +90,12 @@ func (p *Processor) GeneratePSP(cssList []types.ContainerSecuritySpec, pssList [
 			volumeTypes[t] = true
 		}
 
-		for _, path := range sc.MountHostPaths {
-			hostPaths[path] = true
+		for path, readOnly := range sc.MountHostPaths {
+			if _, exists := hostPaths[path]; !exists {
+				hostPaths[path] = readOnly
+			} else {
+				hostPaths[path] = readOnly && hostPaths[path]
+			}
 		}
 	}
 
@@ -155,14 +160,12 @@ func (p *Processor) GeneratePSP(cssList []types.ContainerSecuritySpec, pssList [
 	}
 
 	// set allowed host path
-	hostPathList := utils.MapToArray(hostPaths)
-
-	readOnly, _ := utils.CompareVersion(p.serverGitVersion, types.Version1_11)
+	enforceReadOnly, _ := utils.CompareVersion(p.serverGitVersion, types.Version1_11)
 
-	for _, path := range hostPathList {
+	for path, readOnly := range hostPaths {
 		psp.Spec.AllowedHostPaths = append(psp.Spec.AllowedHostPaths, v1beta1.AllowedHostPath{
 			PathPrefix: path,
-			ReadOnly:   readOnly,
+			ReadOnly:   readOnly || enforceReadOnly,
 		})
 	}
 
@@ -224,6 +227,7 @@ func (p *Processor) GeneratePSP(cssList []types.ContainerSecuritySpec, pssList [
 	return psp
 }
 
+// GenerateReport generate a JSON report
 func (p *Processor) GenerateReport(cssList []types.ContainerSecuritySpec, pssList []types.PodSecuritySpec) *report.Report {
 	r := report.NewReport()
 

diff --git a/advisor/processor/get.go b/advisor/processor/get.go
@@ -42,6 +42,7 @@ func getSecuritySpec(metadata types.Metadata, namespace string, spec v1.PodSpec,
 			Metadata:                 metadata,
 			ContainerName:            container.Name,
 			ImageName:                container.Image,
+			PodName:                  metadata.Name,
 			Namespace:                namespace,
 			HostName:                 spec.NodeName,
 			Capabilities:             getEffectiveCapablities(addCapList, dropCapList),
@@ -321,17 +322,30 @@ func getVolumeTypes(spec v1.PodSpec, sa v1.ServiceAccount) (volumeTypes []string
 	return
 }
 
-func getVolumeHostPaths(spec v1.PodSpec) (hostPaths []string) {
+func getVolumeHostPaths(spec v1.PodSpec) map[string]bool {
 	hostPathMap := map[string]bool{}
 
+	containerMountMap := map[string]bool{}
+
+	for _, c := range spec.Containers {
+		for _, vm := range c.VolumeMounts {
+			if _, exists := containerMountMap[vm.Name]; !exists {
+				containerMountMap[vm.Name] = vm.ReadOnly
+			} else {
+				containerMountMap[vm.Name] = containerMountMap[vm.Name] && vm.ReadOnly
+			}
+		}
+	}
+
 	for _, v := range spec.Volumes {
 		if v.HostPath != nil {
-			hostPathMap[v.HostPath.Path] = true
+			if _, exists := containerMountMap[v.Name]; exists {
+				hostPathMap[v.HostPath.Path] = containerMountMap[v.Name]
+			}
 		}
 	}
 
-	hostPaths = utils.MapToArray(hostPathMap)
-	return
+	return hostPathMap
 }
 
 func getVolumeType(v v1.Volume) string {

diff --git a/advisor/types/securityspec.go b/advisor/types/securityspec.go
@@ -60,13 +60,13 @@ type ContainerSecuritySpec struct {
 }
 
 type PodSecuritySpec struct {
-	Metadata       Metadata `json:"metadata"`
-	Namespace      string   `json:"namespace"`
-	HostPID        bool     `json:"hostPID,omitempty"`
-	HostNetwork    bool     `json:"hostMetwork,omitempty"`
-	HostIPC        bool     `json:"hostIPC,omitempty"`
-	VolumeTypes    []string `json:"volumeTypes,omitempty"`
-	MountHostPaths []string `json:"mountedHostPath,omitempty"`
+	Metadata       Metadata        `json:"metadata"`
+	Namespace      string          `json:"namespace"`
+	HostPID        bool            `json:"hostPID,omitempty"`
+	HostNetwork    bool            `json:"hostMetwork,omitempty"`
+	HostIPC        bool            `json:"hostIPC,omitempty"`
+	VolumeTypes    []string        `json:"volumeTypes,omitempty"`
+	MountHostPaths map[string]bool `json:"mountedHostPath,omitempty"`
 }
 
 type Metadata struct {

diff --git a/test-yaml/base-busybox.yaml b/test-yaml/base-busybox.yaml
@@ -15,6 +15,7 @@ spec:
     volumeMounts:
     - mountPath: /test-hostpath
       name: test-volume
+      readOnly: true
     command:
     - sleep
     - "3600"
@@ -49,6 +50,7 @@ spec:
         volumeMounts:
         - mountPath: /test-hostpath
           name: test-volume
+          readOnly: true
         command:
         - sleep
         - "3600"
@@ -140,6 +142,7 @@ spec:
         volumeMounts:
         - mountPath: /test-hostpath
           name: test-volume
+          readOnly: true
         command:
         - sleep
         - "3600"