authorSoumya Sambu <soumya.sambu@windriver.com>2023-11-13 04:16:09 +0000
committerBruce Ashfield <bruce.ashfield@gmail.com>2023-11-21 04:07:47 +0000
commit86126c9b348ffbe4156fbe489c74829efdb7fb43 (patch)
tree3f67a9d82f51ea5226a76e96dd7ac06a98d5229a
parent72ef3ba3b2044ca979a7db833d3b60847a84efea (diff)
kubernetes: Fix CVE-2023-2431
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use the localhost type for the seccomp profile but specify an empty profile field are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet. CVE: CVE-2023-2431 Affected Versions: v1.27.0 - v1.27.1, v1.26.0 - v1.26.4, v1.25.0 - v1.25.9, <= v1.24.13. master branch (kubernetes v1.28.2) is not impacted; mickledore branch (kubernetes v1.27.5) is not impacted. References: https://nvd.nist.gov/vuln/detail/CVE-2023-2431 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
-rw-r--r--recipes-containers/kubernetes/kubernetes/CVE-2023-2431.patch863
-rw-r--r--recipes-containers/kubernetes/kubernetes_git.bb1
2 files changed, 864 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2023-2431.patch b/recipes-containers/kubernetes/kubernetes/CVE-2023-2431.patch
new file mode 100644
index 00000000..56c3a6e1
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2023-2431.patch
@@ -0,0 +1,863 @@
1From 73174f870735251e7d4240cdc36983d1bef7db5f Mon Sep 17 00:00:00 2001
2From: Craig Ingram <cjingram@google.com>
3Date: Fri, 24 Feb 2023 15:24:49 -0500
4Subject: [PATCH] Return error for localhost seccomp type with no localhost
5 profile defined
6
7CVE: CVE-2023-2431
8
9Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/73174f870735251e7d4240cdc36983d1bef7db5f]
10
11Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
12---
13 pkg/kubelet/kuberuntime/helpers.go | 66 ++--
14 pkg/kubelet/kuberuntime/helpers_test.go | 350 ++++--------------
15 .../kuberuntime_container_linux.go | 16 +-
16 .../kuberuntime_container_linux_test.go | 22 +-
17 pkg/kubelet/kuberuntime/security_context.go | 15 +-
18 5 files changed, 153 insertions(+), 316 deletions(-)
19
20diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
21index fa580335cf8..b36e01166f8 100644
22--- a/pkg/kubelet/kuberuntime/helpers.go
23+++ b/pkg/kubelet/kuberuntime/helpers.go
24@@ -209,28 +209,32 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim
25 return &kubecontainer.RuntimeStatus{Conditions: conditions}
26 }
27
28-func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) string {
29+func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (string, error) {
30 if scmp == nil {
31 if fallbackToRuntimeDefault {
32- return v1.SeccompProfileRuntimeDefault
33+ return v1.SeccompProfileRuntimeDefault, nil
34 }
35- return ""
36+ return "", nil
37 }
38 if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
39- return v1.SeccompProfileRuntimeDefault
40- }
41- if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
42- fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
43- return v1.SeccompLocalhostProfileNamePrefix + fname
44+ return v1.SeccompProfileRuntimeDefault, nil
45+ }
46+ if scmp.Type == v1.SeccompProfileTypeLocalhost {
47+ if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
48+ fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
49+ return v1.SeccompLocalhostProfileNamePrefix + fname, nil
50+ } else {
51+ return "", fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
52+ }
53 }
54 if scmp.Type == v1.SeccompProfileTypeUnconfined {
55- return v1.SeccompProfileNameUnconfined
56+ return v1.SeccompProfileNameUnconfined, nil
57 }
58
59 if fallbackToRuntimeDefault {
60- return v1.SeccompProfileRuntimeDefault
61+ return v1.SeccompProfileRuntimeDefault, nil
62 }
63- return ""
64+ return "", nil
65 }
66
67 func annotationProfile(profile, profileRootPath string) string {
68@@ -243,7 +247,7 @@ func annotationProfile(profile, profileRootPath string) string {
69 }
70
71 func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string]string, containerName string,
72- podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) string {
73+ podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (string, error) {
74 // container fields are applied first
75 if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
76 return fieldProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
77@@ -252,7 +256,7 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string
78 // if container field does not exist, try container annotation (deprecated)
79 if containerName != "" {
80 if profile, ok := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]; ok {
81- return annotationProfile(profile, m.seccompProfileRoot)
82+ return annotationProfile(profile, m.seccompProfileRoot), nil
83 }
84 }
85
86@@ -263,46 +267,50 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string
87
88 // as last resort, try to apply pod annotation (deprecated)
89 if profile, ok := annotations[v1.SeccompPodAnnotationKey]; ok {
90- return annotationProfile(profile, m.seccompProfileRoot)
91+ return annotationProfile(profile, m.seccompProfileRoot), nil
92 }
93
94 if fallbackToRuntimeDefault {
95- return v1.SeccompProfileRuntimeDefault
96+ return v1.SeccompProfileRuntimeDefault, nil
97 }
98
99- return ""
100+ return "", nil
101 }
102
103-func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile {
104+func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
105 if scmp == nil {
106 if fallbackToRuntimeDefault {
107 return &runtimeapi.SecurityProfile{
108 ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
109- }
110+ }, nil
111 }
112 return &runtimeapi.SecurityProfile{
113 ProfileType: runtimeapi.SecurityProfile_Unconfined,
114- }
115+ }, nil
116 }
117 if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
118 return &runtimeapi.SecurityProfile{
119 ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
120- }
121+ }, nil
122 }
123- if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
124- fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
125- return &runtimeapi.SecurityProfile{
126- ProfileType: runtimeapi.SecurityProfile_Localhost,
127- LocalhostRef: fname,
128+ if scmp.Type == v1.SeccompProfileTypeLocalhost {
129+ if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
130+ fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
131+ return &runtimeapi.SecurityProfile{
132+ ProfileType: runtimeapi.SecurityProfile_Localhost,
133+ LocalhostRef: fname,
134+ }, nil
135+ } else {
136+ return nil, fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
137 }
138 }
139 return &runtimeapi.SecurityProfile{
140 ProfileType: runtimeapi.SecurityProfile_Unconfined,
141- }
142+ }, nil
143 }
144
145 func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]string, containerName string,
146- podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile {
147+ podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
148 // container fields are applied first
149 if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
150 return fieldSeccompProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
151@@ -316,12 +324,12 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str
152 if fallbackToRuntimeDefault {
153 return &runtimeapi.SecurityProfile{
154 ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
155- }
156+ }, nil
157 }
158
159 return &runtimeapi.SecurityProfile{
160 ProfileType: runtimeapi.SecurityProfile_Unconfined,
161- }
162+ }, nil
163 }
164
165 func ipcNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
166diff --git a/pkg/kubelet/kuberuntime/helpers_test.go b/pkg/kubelet/kuberuntime/helpers_test.go
167index 25065f30411..70ad7250ce2 100644
168--- a/pkg/kubelet/kuberuntime/helpers_test.go
169+++ b/pkg/kubelet/kuberuntime/helpers_test.go
170@@ -242,17 +242,18 @@ func TestFieldProfile(t *testing.T) {
171 scmpProfile *v1.SeccompProfile
172 rootPath string
173 expectedProfile string
174+ expectedError string
175 }{
176 {
177 description: "no seccompProfile should return empty",
178 expectedProfile: "",
179 },
180 {
181- description: "type localhost without profile should return empty",
182+ description: "type localhost without profile should return error",
183 scmpProfile: &v1.SeccompProfile{
184 Type: v1.SeccompProfileTypeLocalhost,
185 },
186- expectedProfile: "",
187+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
188 },
189 {
190 description: "unknown type should return empty",
191@@ -279,7 +280,7 @@ func TestFieldProfile(t *testing.T) {
192 description: "SeccompProfileTypeLocalhost should return localhost",
193 scmpProfile: &v1.SeccompProfile{
194 Type: v1.SeccompProfileTypeLocalhost,
195- LocalhostProfile: utilpointer.StringPtr("profile.json"),
196+ LocalhostProfile: utilpointer.String("profile.json"),
197 },
198 rootPath: "/test/",
199 expectedProfile: "localhost//test/profile.json",
200@@ -287,8 +288,13 @@ func TestFieldProfile(t *testing.T) {
201 }
202
203 for i, test := range tests {
204- seccompProfile := fieldProfile(test.scmpProfile, test.rootPath, false)
205- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
206+ seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, false)
207+ if test.expectedError != "" {
208+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
209+ } else {
210+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
211+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
212+ }
213 }
214 }
215
216@@ -298,17 +304,18 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
217 scmpProfile *v1.SeccompProfile
218 rootPath string
219 expectedProfile string
220+ expectedError string
221 }{
222 {
223 description: "no seccompProfile should return runtime/default",
224 expectedProfile: v1.SeccompProfileRuntimeDefault,
225 },
226 {
227- description: "type localhost without profile should return runtime/default",
228+ description: "type localhost without profile should return error",
229 scmpProfile: &v1.SeccompProfile{
230 Type: v1.SeccompProfileTypeLocalhost,
231 },
232- expectedProfile: v1.SeccompProfileRuntimeDefault,
233+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
234 },
235 {
236 description: "unknown type should return runtime/default",
237@@ -335,7 +342,7 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
238 description: "SeccompProfileTypeLocalhost should return localhost",
239 scmpProfile: &v1.SeccompProfile{
240 Type: v1.SeccompProfileTypeLocalhost,
241- LocalhostProfile: utilpointer.StringPtr("profile.json"),
242+ LocalhostProfile: utilpointer.String("profile.json"),
243 },
244 rootPath: "/test/",
245 expectedProfile: "localhost//test/profile.json",
246@@ -343,8 +350,13 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
247 }
248
249 for i, test := range tests {
250- seccompProfile := fieldProfile(test.scmpProfile, test.rootPath, true)
251- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
252+ seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, true)
253+ if test.expectedError != "" {
254+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
255+ } else {
256+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
257+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
258+ }
259 }
260 }
261
262@@ -359,6 +371,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
263 containerSc *v1.SecurityContext
264 containerName string
265 expectedProfile string
266+ expectedError string
267 }{
268 {
269 description: "no seccomp should return empty",
270@@ -369,91 +382,6 @@ func TestGetSeccompProfilePath(t *testing.T) {
271 containerName: "container1",
272 expectedProfile: "",
273 },
274- {
275- description: "annotations: pod runtime/default seccomp profile should return runtime/default",
276- annotation: map[string]string{
277- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
278- },
279- expectedProfile: "runtime/default",
280- },
281- {
282- description: "annotations: pod docker/default seccomp profile should return docker/default",
283- annotation: map[string]string{
284- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
285- },
286- expectedProfile: "docker/default",
287- },
288- {
289- description: "annotations: pod runtime/default seccomp profile with containerName should return runtime/default",
290- annotation: map[string]string{
291- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
292- },
293- containerName: "container1",
294- expectedProfile: "runtime/default",
295- },
296- {
297- description: "annotations: pod docker/default seccomp profile with containerName should return docker/default",
298- annotation: map[string]string{
299- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
300- },
301- containerName: "container1",
302- expectedProfile: "docker/default",
303- },
304- {
305- description: "annotations: pod unconfined seccomp profile should return unconfined",
306- annotation: map[string]string{
307- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
308- },
309- expectedProfile: "unconfined",
310- },
311- {
312- description: "annotations: pod unconfined seccomp profile with containerName should return unconfined",
313- annotation: map[string]string{
314- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
315- },
316- containerName: "container1",
317- expectedProfile: "unconfined",
318- },
319- {
320- description: "annotations: pod localhost seccomp profile should return local profile path",
321- annotation: map[string]string{
322- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
323- },
324- expectedProfile: seccompLocalhostPath("chmod.json"),
325- },
326- {
327- description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
328- annotation: map[string]string{
329- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
330- },
331- containerName: "container1",
332- expectedProfile: seccompLocalhostPath("chmod.json"),
333- },
334- {
335- description: "annotations: container localhost seccomp profile with containerName should return local profile path",
336- annotation: map[string]string{
337- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
338- },
339- containerName: "container1",
340- expectedProfile: seccompLocalhostPath("chmod.json"),
341- },
342- {
343- description: "annotations: container localhost seccomp profile should override pod profile",
344- annotation: map[string]string{
345- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
346- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
347- },
348- containerName: "container1",
349- expectedProfile: seccompLocalhostPath("chmod.json"),
350- },
351- {
352- description: "annotations: container localhost seccomp profile with unmatched containerName should return empty",
353- annotation: map[string]string{
354- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
355- },
356- containerName: "container2",
357- expectedProfile: "",
358- },
359 {
360 description: "pod seccomp profile set to unconfined returns unconfined",
361 podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
362@@ -480,14 +408,14 @@ func TestGetSeccompProfilePath(t *testing.T) {
363 expectedProfile: seccompLocalhostPath("filename"),
364 },
365 {
366- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
367- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
368- expectedProfile: "",
369+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
370+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
371+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
372 },
373 {
374- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
375- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
376- expectedProfile: "",
377+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
378+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
379+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
380 },
381 {
382 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
383@@ -500,41 +428,16 @@ func TestGetSeccompProfilePath(t *testing.T) {
384 containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
385 expectedProfile: "runtime/default",
386 },
387- {
388- description: "prioritise container field over container annotation, pod field and pod annotation",
389- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
390- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-cont-profile.json")}},
391- annotation: map[string]string{
392- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
393- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
394- },
395- containerName: "container1",
396- expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
397- },
398- {
399- description: "prioritise container annotation over pod field",
400- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
401- annotation: map[string]string{
402- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
403- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
404- },
405- containerName: "container1",
406- expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
407- },
408- {
409- description: "prioritise pod field over pod annotation",
410- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
411- annotation: map[string]string{
412- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
413- },
414- containerName: "container1",
415- expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
416- },
417 }
418
419 for i, test := range tests {
420- seccompProfile := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
421- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
422+ seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
423+ if test.expectedError != "" {
424+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
425+ } else {
426+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
427+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
428+ }
429 }
430 }
431
432@@ -549,6 +452,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
433 containerSc *v1.SecurityContext
434 containerName string
435 expectedProfile string
436+ expectedError string
437 }{
438 {
439 description: "no seccomp should return runtime/default",
440@@ -559,91 +463,6 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
441 containerName: "container1",
442 expectedProfile: v1.SeccompProfileRuntimeDefault,
443 },
444- {
445- description: "annotations: pod runtime/default seccomp profile should return runtime/default",
446- annotation: map[string]string{
447- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
448- },
449- expectedProfile: v1.SeccompProfileRuntimeDefault,
450- },
451- {
452- description: "annotations: pod docker/default seccomp profile should return docker/default",
453- annotation: map[string]string{
454- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
455- },
456- expectedProfile: "docker/default",
457- },
458- {
459- description: "annotations: pod runtime/default seccomp profile with containerName should return runtime/default",
460- annotation: map[string]string{
461- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
462- },
463- containerName: "container1",
464- expectedProfile: v1.SeccompProfileRuntimeDefault,
465- },
466- {
467- description: "annotations: pod docker/default seccomp profile with containerName should return docker/default",
468- annotation: map[string]string{
469- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
470- },
471- containerName: "container1",
472- expectedProfile: "docker/default",
473- },
474- {
475- description: "annotations: pod unconfined seccomp profile should return unconfined",
476- annotation: map[string]string{
477- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
478- },
479- expectedProfile: "unconfined",
480- },
481- {
482- description: "annotations: pod unconfined seccomp profile with containerName should return unconfined",
483- annotation: map[string]string{
484- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
485- },
486- containerName: "container1",
487- expectedProfile: "unconfined",
488- },
489- {
490- description: "annotations: pod localhost seccomp profile should return local profile path",
491- annotation: map[string]string{
492- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
493- },
494- expectedProfile: seccompLocalhostPath("chmod.json"),
495- },
496- {
497- description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
498- annotation: map[string]string{
499- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
500- },
501- containerName: "container1",
502- expectedProfile: seccompLocalhostPath("chmod.json"),
503- },
504- {
505- description: "annotations: container localhost seccomp profile with containerName should return local profile path",
506- annotation: map[string]string{
507- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
508- },
509- containerName: "container1",
510- expectedProfile: seccompLocalhostPath("chmod.json"),
511- },
512- {
513- description: "annotations: container localhost seccomp profile should override pod profile",
514- annotation: map[string]string{
515- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
516- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
517- },
518- containerName: "container1",
519- expectedProfile: seccompLocalhostPath("chmod.json"),
520- },
521- {
522- description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default",
523- annotation: map[string]string{
524- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
525- },
526- containerName: "container2",
527- expectedProfile: v1.SeccompProfileRuntimeDefault,
528- },
529 {
530 description: "pod seccomp profile set to unconfined returns unconfined",
531 podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
532@@ -670,14 +489,14 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
533 expectedProfile: seccompLocalhostPath("filename"),
534 },
535 {
536- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
537- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
538- expectedProfile: v1.SeccompProfileRuntimeDefault,
539+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
540+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
541+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
542 },
543 {
544- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
545- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
546- expectedProfile: v1.SeccompProfileRuntimeDefault,
547+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
548+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
549+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
550 },
551 {
552 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
553@@ -690,41 +509,16 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
554 containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
555 expectedProfile: "runtime/default",
556 },
557- {
558- description: "prioritise container field over container annotation, pod field and pod annotation",
559- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
560- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-cont-profile.json")}},
561- annotation: map[string]string{
562- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
563- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
564- },
565- containerName: "container1",
566- expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
567- },
568- {
569- description: "prioritise container annotation over pod field",
570- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
571- annotation: map[string]string{
572- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
573- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
574- },
575- containerName: "container1",
576- expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
577- },
578- {
579- description: "prioritise pod field over pod annotation",
580- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
581- annotation: map[string]string{
582- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
583- },
584- containerName: "container1",
585- expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
586- },
587 }
588
589 for i, test := range tests {
590- seccompProfile := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
591- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
592+ seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
593+ if test.expectedError != "" {
594+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
595+ } else {
596+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
597+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
598+ }
599 }
600 }
601
602@@ -747,6 +541,7 @@ func TestGetSeccompProfile(t *testing.T) {
603 containerSc *v1.SecurityContext
604 containerName string
605 expectedProfile *runtimeapi.SecurityProfile
606+ expectedError string
607 }{
608 {
609 description: "no seccomp should return unconfined",
610@@ -781,14 +576,14 @@ func TestGetSeccompProfile(t *testing.T) {
611 },
612 },
613 {
614- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
615- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
616- expectedProfile: unconfinedProfile,
617+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
618+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
619+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
620 },
621 {
622- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
623- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
624- expectedProfile: unconfinedProfile,
625+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
626+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
627+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
628 },
629 {
630 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
631@@ -817,8 +612,13 @@ func TestGetSeccompProfile(t *testing.T) {
632 }
633
634 for i, test := range tests {
635- seccompProfile := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, false)
636- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
637+ seccompProfile, err := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, false)
638+ if test.expectedError != "" {
639+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
640+ } else {
641+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
642+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
643+ }
644 }
645 }
646
647@@ -841,6 +641,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
648 containerSc *v1.SecurityContext
649 containerName string
650 expectedProfile *runtimeapi.SecurityProfile
651+ expectedError string
652 }{
653 {
654 description: "no seccomp should return RuntimeDefault",
655@@ -875,14 +676,14 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
656 },
657 },
658 {
659- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
660- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
661- expectedProfile: unconfinedProfile,
662+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
663+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
664+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
665 },
666 {
667- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
668- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
669- expectedProfile: unconfinedProfile,
670+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
671+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
672+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
673 },
674 {
675 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
676@@ -911,8 +712,13 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
677 }
678
679 for i, test := range tests {
680- seccompProfile := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, true)
681- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
682+ seccompProfile, err := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, true)
683+ if test.expectedError != "" {
684+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
685+ } else {
686+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
687+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
688+ }
689 }
690 }
691
692diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go b/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
693index 6cb9e54729e..54670673bcd 100644
694--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
695+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
696@@ -46,15 +46,23 @@ func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config
697 libcontainercgroups.IsCgroup2UnifiedMode() {
698 enforceMemoryQoS = true
699 }
700- config.Linux = m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
701+ cl, err := m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
702+ if err != nil {
703+ return err
704+ }
705+ config.Linux = cl
706 return nil
707 }
708
709 // generateLinuxContainerConfig generates linux container config for kubelet runtime v1.
710-func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) *runtimeapi.LinuxContainerConfig {
711+func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) (*runtimeapi.LinuxContainerConfig, error) {
712+ sc, err := m.determineEffectiveSecurityContext(pod, container, uid, username)
713+ if err != nil {
714+ return nil, err
715+ }
716 lc := &runtimeapi.LinuxContainerConfig{
717 Resources: &runtimeapi.LinuxContainerResources{},
718- SecurityContext: m.determineEffectiveSecurityContext(pod, container, uid, username),
719+ SecurityContext: sc,
720 }
721
722 if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER {
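Review bot: The doc comment `// generateLinuxContainerConfig generates linux container config for kubelet runtime v1.` is left unchanged although the function now returns `(*runtimeapi.LinuxContainerConfig, error)`, so the new failure contract is undocumented. Suggest extending it to `// generateLinuxContainerConfig generates linux container config for kubelet runtime v1. It returns an error when the effective security context cannot be determined (for example a seccomp profile of type Localhost with no localhostProfile), in which case no config is produced.` The same applies to applyPlatformSpecificContainerConfig, whose signature lies outside the hunk. Both new `return nil, err` / `return err` sites pass the error through unwrapped; wrapping it with the container name via `fmt.Errorf(... %w ...)` would make the failure easier to attribute, provided fmt is already imported in this file (not visible here).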
723@@ -125,7 +133,7 @@ func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.C
724 }
725 }
726
727- return lc
728+ return lc, nil
729 }
730
731 // calculateLinuxResources will create the linuxContainerResources type based on the provided CPU and memory resource requests, limits
732diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
733index 46817e00fb0..98f635cc932 100644
734--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
735+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
736@@ -47,6 +47,8 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
737 restartCountUint32 := uint32(restartCount)
738 envs := make([]*runtimeapi.KeyValue, len(opts.Envs))
739
740+ l, _ := m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS)
741+
742 expectedConfig := &runtimeapi.ContainerConfig{
743 Metadata: &runtimeapi.ContainerMetadata{
744 Name: container.Name,
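Review bot: The error from generateLinuxContainerConfig is discarded at `l, _ := m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS)` in makeExpectedConfig, so a fixture that now hits the new Localhost-without-profile error would silently yield a nil `Linux` field in the expected config instead of failing the test. The same pattern appears in the TestGenerateContainerConfigWithMemoryQoSEnforced hunk (`l1, _ :=` and `l2, _ :=`), whereas the remaining call sites in this file add `assert.NoError(t, err)`. If makeExpectedConfig has a testing.T in scope (its signature is cut off at the hunk header) the error should be checked with `assert.NoError(t, err)`; otherwise a comment such as `// error deliberately ignored: fixtures never use a Localhost seccomp type without a profile` would at least record the assumption. makeExpectedConfig starts before the hunk.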
745@@ -64,7 +66,7 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
746 Stdin: container.Stdin,
747 StdinOnce: container.StdinOnce,
748 Tty: container.TTY,
749- Linux: m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS),
750+ Linux: l,
751 Envs: envs,
752 }
753 return expectedConfig
754@@ -215,7 +217,8 @@ func TestGenerateLinuxContainerConfigResources(t *testing.T) {
755 },
756 }
757
758- linuxConfig := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
759+ linuxConfig, err := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
760+ assert.NoError(t, err)
761 assert.Equal(t, test.expected.CpuPeriod, linuxConfig.GetResources().CpuPeriod, test.name)
762 assert.Equal(t, test.expected.CpuQuota, linuxConfig.GetResources().CpuQuota, test.name)
763 assert.Equal(t, test.expected.CpuShares, linuxConfig.GetResources().CpuShares, test.name)
764@@ -329,6 +332,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
765 memoryLow int64
766 memoryHigh int64
767 }
768+ l1, _ := m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true)
769+ l2, _ := m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true)
770 tests := []struct {
771 name string
772 pod *v1.Pod
773@@ -338,7 +343,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
774 name: "Request128MBLimit256MB",
775 pod: pod1,
776 expected: &expectedResult{
777- m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true),
778+ l1,
779 128 * 1024 * 1024,
780 int64(float64(256*1024*1024) * m.memoryThrottlingFactor),
781 },
782@@ -347,7 +352,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
783 name: "Request128MBWithoutLimit",
784 pod: pod2,
785 expected: &expectedResult{
786- m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true),
787+ l2,
788 128 * 1024 * 1024,
789 int64(pod2MemoryHigh),
790 },
791@@ -355,7 +360,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
792 }
793
794 for _, test := range tests {
795- linuxConfig := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
796+ linuxConfig, err := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
797+ assert.NoError(t, err)
798 assert.Equal(t, test.expected.containerConfig, linuxConfig, test.name)
799 assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.min"], strconv.FormatInt(test.expected.memoryLow, 10), test.name)
800 assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.high"], strconv.FormatInt(test.expected.memoryHigh, 10), test.name)
801@@ -578,7 +584,8 @@ func TestGenerateLinuxContainerConfigNamespaces(t *testing.T) {
802 },
803 } {
804 t.Run(tc.name, func(t *testing.T) {
805- got := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
806+ got, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
807+ assert.NoError(t, err)
808 if diff := cmp.Diff(tc.want, got.SecurityContext.NamespaceOptions); diff != "" {
809 t.Errorf("%v: diff (-want +got):\n%v", t.Name(), diff)
810 }
811@@ -669,7 +676,8 @@ func TestGenerateLinuxContainerConfigSwap(t *testing.T) {
812 } {
813 t.Run(tc.name, func(t *testing.T) {
814 m.memorySwapBehavior = tc.swapSetting
815- actual := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
816+ actual, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
817+ assert.NoError(t, err)
818 assert.Equal(t, tc.expected, actual.Resources.MemorySwapLimitInBytes, "memory swap config for %s", tc.name)
819 })
820 }
821diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
822index c9d33e44305..3b575c8e974 100644
823--- a/pkg/kubelet/kuberuntime/security_context.go
824+++ b/pkg/kubelet/kuberuntime/security_context.go
825@@ -24,7 +24,7 @@ import (
826 )
827
828 // determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container.
829-func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) *runtimeapi.LinuxContainerSecurityContext {
830+func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) {
831 effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
832 synthesized := convertToRuntimeSecurityContext(effectiveSc)
833 if synthesized == nil {
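Review bot: The doc comment `// determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container.` does not mention the new error return, which is the whole point of the change for callers. Suggest `// determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container. It returns an error instead of a synthesized context when the seccomp profile cannot be resolved (for example a Localhost type with no localhostProfile); callers must treat that as a fatal configuration error rather than fall back to an unconfined profile.` The function body continues past this hunk, where both getSeccompProfilePath and getSeccompProfile errors are returned unwrapped.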
834@@ -36,9 +36,16 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
835
836 // TODO: Deprecated, remove after we switch to Seccomp field
837 // set SeccompProfilePath.
838- synthesized.SeccompProfilePath = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
839+ var err error
840+ synthesized.SeccompProfilePath, err = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
841+ if err != nil {
842+ return nil, err
843+ }
844
845- synthesized.Seccomp = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
846+ synthesized.Seccomp, err = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
847+ if err != nil {
848+ return nil, err
849+ }
850
851 // set ApparmorProfile.
852 synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name)
853@@ -74,7 +81,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
854 synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount)
855 synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount)
856
857- return synthesized
858+ return synthesized, nil
859 }
860
861 // convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext.
862--
8632.40.0
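--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -30,6 +30,7 @@ SRC_URI:append = " \
 file://0001-cross-don-t-build-tests-by-default.patch;patchdir=src/import \
 file://0001-build-golang.sh-convert-remaining-go-calls-to-use.patch;patchdir=src/import \
 file://0001-Makefile.generated_files-Fix-race-issue-for-installi.patch;patchdir=src/import \
+file://CVE-2023-2431.patch;patchdir=src/import \
 file://cni-containerd-net.conflist \
 file://k8s-init \
 file://99-kubernetes.conf \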