diff --git a/pkg/cmd/debug/debug_test.go b/pkg/cmd/debug/debug_test.go
index 8d92dc772..3febf5210 100644
--- a/pkg/cmd/debug/debug_test.go
+++ b/pkg/cmd/debug/debug_test.go
@@ -289,6 +289,8 @@ func TestGenerateDebugContainer(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -1274,10 +1276,12 @@ func TestGeneratePodCopyWithDebugContainer(t *testing.T) {
 Image: "busybox",
 ImagePullPolicy: corev1.PullIfNotPresent,
 SecurityContext: &corev1.SecurityContext{
+ RunAsNonRoot: pointer.Bool(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
- RunAsNonRoot: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -1646,6 +1650,8 @@ func TestGenerateNodeDebugPod(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
diff --git a/pkg/cmd/debug/profiles.go b/pkg/cmd/debug/profiles.go
index 3684478d5..656f92bf8 100644
--- a/pkg/cmd/debug/profiles.go
+++ b/pkg/cmd/debug/profiles.go
@@ -176,6 +176,8 @@ func (p *restrictedProfile) Apply(pod *corev1.Pod, containerName string, target
 clearSecurityContext(pod, containerName)
 disallowRoot(pod, containerName)
 dropCapabilities(pod, containerName)
+ disallowPrivilegeEscalation(pod, containerName)
+ setSeccompProfile(pod, containerName)
 switch style {
 case podCopy:
@@ -343,3 +345,31 @@ func addCapability(c *corev1.Container, capability corev1.Capability) {
 }
 c.SecurityContext.Capabilities.Add = append(c.SecurityContext.Capabilities.Add, capability)
 }
+
+// disallowPrivilegeEscalation configures the containers not allowed PrivilegeEscalation
+func disallowPrivilegeEscalation(p *corev1.Pod, containerName string) {
+ podutils.VisitContainers(&p.Spec, podutils.AllContainers, func(c *corev1.Container, _ podutils.ContainerType) bool {
+ if c.Name != containerName {
+ return true
+ }
+ if c.SecurityContext == nil {
+ c.SecurityContext = &corev1.SecurityContext{}
+ }
+ c.SecurityContext.AllowPrivilegeEscalation = pointer.Bool(false)
+ return false
+ })
+}
+
+// setSeccompProfile apply SeccompProfile to the containers
+func setSeccompProfile(p *corev1.Pod, containerName string) {
+ podutils.VisitContainers(&p.Spec, podutils.AllContainers, func(c *corev1.Container, _ podutils.ContainerType) bool {
+ if c.Name != containerName {
+ return true
+ }
+ if c.SecurityContext == nil {
+ c.SecurityContext = &corev1.SecurityContext{}
+ }
+ c.SecurityContext.SeccompProfile = &corev1.SeccompProfile{Type: "RuntimeDefault"}
+ return false
+ })
+}
diff --git a/pkg/cmd/debug/profiles_test.go b/pkg/cmd/debug/profiles_test.go
index a397fa272..fa45f5105 100644
--- a/pkg/cmd/debug/profiles_test.go
+++ b/pkg/cmd/debug/profiles_test.go
@@ -347,6 +347,8 @@ func TestRestrictedProfile(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -386,6 +388,8 @@ func TestRestrictedProfile(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
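Review bot: The two new helpers in profiles.go, disallowPrivilegeEscalation and setSeccompProfile, are line-for-line copies of each other apart from the one field they assign (visit every container, match on name, lazily allocate SecurityContext, set a field, stop), and setSeccompProfile writes the profile type as the untyped literal `"RuntimeDefault"` where the API already provides `corev1.SeccompProfileTypeRuntimeDefault`. Folding the shared visitor into one private setter keeps the two functions and their signatures as the hunk defines them, gives any later restricted-profile field a single place to go, and lets the compiler check the seccomp type; the rewrite is sketched below. The doc comments also read awkwardly; I would write them as `// disallowPrivilegeEscalation sets AllowPrivilegeEscalation=false on the named container, allocating its SecurityContext if needed.` and `// setSeccompProfile sets the named container's seccomp profile to RuntimeDefault, allocating its SecurityContext if needed.`. Both helpers unconditionally overwrite whatever the container already carried in these fields, which matches the restricted profile's intent since Apply calls clearSecurityContext first, but that assumption is worth stating in the comment before another profile reuses them.
```go
// setSecurityContextField applies fn to the named container's SecurityContext,
// allocating an empty one first when the container has none.
func setSecurityContextField(p *corev1.Pod, containerName string, fn func(sc *corev1.SecurityContext)) {
	podutils.VisitContainers(&p.Spec, podutils.AllContainers, func(c *corev1.Container, _ podutils.ContainerType) bool {
		if c.Name != containerName {
			return true
		}
		if c.SecurityContext == nil {
			c.SecurityContext = &corev1.SecurityContext{}
		}
		fn(c.SecurityContext)
		return false
	})
}

// disallowPrivilegeEscalation sets AllowPrivilegeEscalation=false on the named container,
// allocating its SecurityContext if needed. Any existing value is overwritten.
func disallowPrivilegeEscalation(p *corev1.Pod, containerName string) {
	setSecurityContextField(p, containerName, func(sc *corev1.SecurityContext) {
		sc.AllowPrivilegeEscalation = pointer.Bool(false)
	})
}

// setSeccompProfile sets the named container's seccomp profile to RuntimeDefault,
// allocating its SecurityContext if needed. Any existing profile is overwritten.
func setSeccompProfile(p *corev1.Pod, containerName string) {
	setSecurityContextField(p, containerName, func(sc *corev1.SecurityContext) {
		sc.SeccompProfile = &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}
	})
}
```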
@@ -404,6 +408,8 @@ func TestRestrictedProfile(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -423,6 +429,8 @@ func TestRestrictedProfile(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },