UPSTREAM: <carry>: SCC seccomp support

:100644 100644 91fc2f2... b7714d3... M	api/swagger-spec/v1.json
:100644 100644 21100a6... da0acb3... M	pkg/api/deep_copy_generated.go
:100644 100644 9db4614... 6939e04... M	pkg/api/types.go
:100644 100644 67eff6d... 421cc88... M	pkg/api/v1/conversion_generated.go
:100644 100644 ea1f301... beaae9e... M	pkg/api/v1/deep_copy_generated.go
:100644 100644 841f0f9... 6284a88... M	pkg/api/v1/generated.pb.go
:100644 100644 c2c5f52... 1ff0493... M	pkg/api/v1/generated.proto
:100644 100644 7a52060... 90e90c0... M	pkg/api/v1/types.go
:100644 100644 5adbb1e... dc5a8bb... M	pkg/api/v1/types_swagger_doc_generated.go
:100644 100644 face966... 14a6a4c... M	pkg/securitycontextconstraints/provider.go
:100644 100644 caf017f... c9f7526... M	pkg/securitycontextconstraints/provider_test.go
:000000 100644 0000000... ce8d2c6... A	pkg/securitycontextconstraints/seccomp/types.go
:000000 100644 0000000... 029dc7a... A	pkg/securitycontextconstraints/seccomp/withseccomp.go
:000000 100644 0000000... f75e33d... A	pkg/securitycontextconstraints/seccomp/withseccomp_test.go
:100644 100644 4fe4ee2... 2fd9310... M	pkg/securitycontextconstraints/types.go

Author: pweil-

api/swagger-spec/v1.json

@@ -20351,6 +20351,13 @@
        "type": "string"
       },
       "description": "The groups that have permission to use this security context constraints"
+     },
+     "seccompProfiles": {
+      "type": "array",
+      "items": {
+       "type": "string"
+      },
+      "description": "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations.  An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles.  When used to generate a value for a pod the first non-wildcard profile will be used as the default."
      }
     }
    },

pkg/api/deep_copy_generated.go

@@ -3032,6 +3032,13 @@ func DeepCopy_api_SecurityContextConstraints(in SecurityContextConstraints, out
 		return err
 	}
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
+	if in.SeccompProfiles != nil {
+		in, out := in.SeccompProfiles, &out.SeccompProfiles
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.SeccompProfiles = nil
+	}
 	if in.Users != nil {
 		in, out := in.Users, &out.Users
 		*out = make([]string, len(in))

pkg/api/types.go

@@ -2936,6 +2936,12 @@ type SecurityContextConstraints struct {
 	// If set to false the container may run with a read only root file system if it wishes but it
 	// will not be forced to.
 	ReadOnlyRootFilesystem bool
+	// SeccompProfiles lists the allowed profiles that may be set for the pod or
+	// container's seccomp annotations.  An unset (nil) or empty value means that no profiles may
+	// be specifid by the pod or container.	The wildcard '*' may be used to allow all profiles.  When
+	// used to generate a value for a pod the first non-wildcard profile will be used as
+	// the default.
+	SeccompProfiles []string
 
 	// The users who have permissions to use this security context constraints
 	Users []string

pkg/api/v1/conversion_generated.go

@@ -6040,6 +6040,7 @@ func autoConvert_v1_SecurityContextConstraints_To_api_SecurityContextConstraints
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 	out.Users = in.Users
 	out.Groups = in.Groups
+	out.SeccompProfiles = in.SeccompProfiles
 	return nil
 }
 
@@ -6105,6 +6106,7 @@ func autoConvert_api_SecurityContextConstraints_To_v1_SecurityContextConstraints
 		return err
 	}
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
+	out.SeccompProfiles = in.SeccompProfiles
 	out.Users = in.Users
 	out.Groups = in.Groups
 	return nil

pkg/api/v1/deep_copy_generated.go

@@ -3042,6 +3042,13 @@ func DeepCopy_v1_SecurityContextConstraints(in SecurityContextConstraints, out *
 	} else {
 		out.Groups = nil
 	}
+	if in.SeccompProfiles != nil {
+		in, out := in.SeccompProfiles, &out.SeccompProfiles
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.SeccompProfiles = nil
+	}
 	return nil
 }
 

pkg/api/v1/generated.pb.go

@@ -3405,6 +3405,13 @@ type SecurityContextConstraints struct {
 	Users []string `json:"users,omitempty" description:"users allowed to use this SecurityContextConstraints" protobuf:"bytes,18,rep,name=users"`
 	// The groups that have permission to use this security context constraints
 	Groups []string `json:"groups,omitempty" description:"groups allowed to use this SecurityContextConstraints" protobuf:"bytes,19,rep,name=groups"`
+
+	// SeccompProfiles lists the allowed profiles that may be set for the pod or
+	// container's seccomp annotations.  An unset (nil) or empty value means that no profiles may
+	// be specifid by the pod or container.	The wildcard '*' may be used to allow all profiles.  When
+	// used to generate a value for a pod the first non-wildcard profile will be used as
+	// the default.
+	SeccompProfiles []string `json:"seccompProfiles,omitempty" description:"seccomp profiles allowed to be used by pods and containers" protobuf:"bytes,20,opt,name=seccompProfiles"`
 }
 
 // FS Type gives strong typing to different file systems that are used by volumes.

pkg/api/v1/generated.proto

@@ -1621,6 +1621,7 @@ var map_SecurityContextConstraints = map[string]string{
 	"readOnlyRootFilesystem":   "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
 	"users":                    "The users who have permissions to use this security context constraints",
 	"groups":                   "The groups that have permission to use this security context constraints",
+	"seccompProfiles":          "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations.  An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles.  When used to generate a value for a pod the first non-wildcard profile will be used as the default.",
 }
 
 func (SecurityContextConstraints) SwaggerDoc() map[string]string {

pkg/api/v1/types.go

@@ -22,6 +22,7 @@ import (
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/securitycontextconstraints/capabilities"
 	"k8s.io/kubernetes/pkg/securitycontextconstraints/group"
+	"k8s.io/kubernetes/pkg/securitycontextconstraints/seccomp"
 	"k8s.io/kubernetes/pkg/securitycontextconstraints/selinux"
 	"k8s.io/kubernetes/pkg/securitycontextconstraints/user"
 	sccutil "k8s.io/kubernetes/pkg/securitycontextconstraints/util"
@@ -43,6 +44,7 @@ type simpleProvider struct {
 	fsGroupStrategy           group.GroupSecurityContextConstraintsStrategy
 	supplementalGroupStrategy group.GroupSecurityContextConstraintsStrategy
 	capabilitiesStrategy      capabilities.CapabilitiesSecurityContextConstraintsStrategy
+	seccompStrategy           seccomp.SeccompStrategy
 }
 
 // ensure we implement the interface correctly.
@@ -79,13 +81,19 @@ func NewSimpleProvider(scc *api.SecurityContextConstraints) (SecurityContextCons
 		return nil, err
 	}
 
+	seccompStrat, err := createSeccompStrategy(scc.SeccompProfiles)
+	if err != nil {
+		return nil, err
+	}
+
 	return &simpleProvider{
 		scc:                       scc,
 		runAsUserStrategy:         userStrat,
 		seLinuxStrategy:           seLinuxStrat,
 		fsGroupStrategy:           fsGroupStrat,
 		supplementalGroupStrategy: supGroupStrat,
 		capabilitiesStrategy:      capStrat,
+		seccompStrategy:           seccompStrat,
 	}, nil
 }
 
@@ -95,7 +103,7 @@ func NewSimpleProvider(scc *api.SecurityContextConstraints) (SecurityContextCons
 //
 // NOTE: this method works on a copy of the PodSecurityContext.  It is up to the caller to
 // apply the PSC if validation passes.
-func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, error) {
+func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error) {
 	var sc *api.PodSecurityContext = nil
 	if pod.Spec.SecurityContext != nil {
 		// work with a copy
@@ -105,31 +113,57 @@ func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurit
 		sc = &api.PodSecurityContext{}
 	}
 
+	var annotationsCopy map[string]string = nil
+	if pod.Annotations != nil {
+		annotationsCopy = make(map[string]string, len(pod.Annotations))
+		for k, v := range pod.Annotations {
+			annotationsCopy[k] = v
+		}
+	}
+
 	if len(sc.SupplementalGroups) == 0 {
 		supGroups, err := s.supplementalGroupStrategy.Generate(pod)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		sc.SupplementalGroups = supGroups
 	}
 
 	if sc.FSGroup == nil {
 		fsGroup, err := s.fsGroupStrategy.GenerateSingle(pod)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		sc.FSGroup = fsGroup
 	}
 
 	if sc.SELinuxOptions == nil {
 		seLinux, err := s.seLinuxStrategy.Generate(pod, nil)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		sc.SELinuxOptions = seLinux
 	}
 
-	return sc, nil
+	// we only generate a seccomp annotation for the entire pod.  Validation
+	// will catch any container annotations that are invalid and containers
+	// will inherit the pod annotation.
+	_, hasPodProfile := pod.Annotations[api.SeccompPodAnnotationKey]
+	if !hasPodProfile {
+		profile, err := s.seccompStrategy.Generate(pod)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		if profile != "" {
+			if annotationsCopy == nil {
+				annotationsCopy = map[string]string{}
+			}
+			annotationsCopy[api.SeccompPodAnnotationKey] = profile
+		}
+	}
+
+	return sc, annotationsCopy, nil
 }
 
 // Create a SecurityContext based on the given constraints.  If a setting is already set on the
@@ -207,6 +241,7 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 	}
 	allErrs = append(allErrs, s.fsGroupStrategy.Validate(pod, fsGroups)...)
 	allErrs = append(allErrs, s.supplementalGroupStrategy.Validate(pod, pod.Spec.SecurityContext.SupplementalGroups)...)
+	allErrs = append(allErrs, s.seccompStrategy.ValidatePod(pod)...)
 
 	// make a dummy container context to reuse the selinux strategies
 	container := &api.Container{
@@ -244,6 +279,7 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
 	sc := container.SecurityContext
 	allErrs = append(allErrs, s.runAsUserStrategy.Validate(pod, container)...)
 	allErrs = append(allErrs, s.seLinuxStrategy.Validate(pod, container)...)
+	allErrs = append(allErrs, s.seccompStrategy.ValidateContainer(pod, container)...)
 
 	if !s.scc.AllowPrivilegedContainer && *sc.Privileged {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("privileged"), *sc.Privileged, "Privileged containers are not allowed"))
@@ -377,3 +413,8 @@ func createSupplementalGroupStrategy(opts *api.SupplementalGroupsStrategyOptions
 func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []api.Capability) (capabilities.CapabilitiesSecurityContextConstraintsStrategy, error) {
 	return capabilities.NewDefaultCapabilities(defaultAddCaps, requiredDropCaps, allowedCaps)
 }
+
+// createSeccompStrategy creates a new seccomp strategy
+func createSeccompStrategy(allowedProfiles []string) (seccomp.SeccompStrategy, error) {
+	return seccomp.NewWithSeccompProfile(allowedProfiles)
+}