recover: fix security contexts for bootstrap pods. (#577)

diegs · web-flow · commit 55014c786e04 · 2017-06-09T12:06:20.000-07:00
Bootstrapping relies on the bootstrap pods running as root so they can
access files on the host machine. Bootkube now runs self-hosted pods as
non-root, so recover needs to strip the security context when outputting
bootstrap manifests.
diff --git a/pkg/recovery/recover.go b/pkg/recovery/recover.go
@@ -192,14 +192,21 @@ func setBootstrapPodMetadata(pod *v1.Pod, parent metav1.ObjectMeta) error {
 }
 
 // fixUpBootstrapPods modifies extracted bootstrap pod specs to have correct metadata and point to
-// filesystem-mount-based secrets. It returns mappings from configMap and secret names to output
+// filesystem-mount-based secrets, and removes any security contexts that might prevent the pods
+// from accessing those secrets. It returns mappings from configMap and secret names to output
 // paths that must also be rendered in order for the bootstrap pods to be functional.
 // If selfHostedEtcd is true, it also fixes up the etcd servers flag for the API server.
 func fixUpBootstrapPods(pods []v1.Pod, selfHostedEtcd bool) (requiredConfigMaps, requiredSecrets map[string]string) {
 	requiredConfigMaps, requiredSecrets = make(map[string]string), make(map[string]string)
 	for i := range pods {
 		pod := &pods[i]
 
+		// Fix SecurityContext to ensure the pod runs as root.
+		if pod.Spec.SecurityContext != nil {
+			pod.Spec.SecurityContext.RunAsNonRoot = nil
+			pod.Spec.SecurityContext.RunAsUser = nil
+		}
+
 		// Change secret volumes to point to file mounts.
 		for i := range pod.Spec.Volumes {
 			vol := &pod.Spec.Volumes[i]
@@ -219,6 +226,13 @@ func fixUpBootstrapPods(pods []v1.Pod, selfHostedEtcd bool) (requiredConfigMaps,
 		// Make sure the kubeconfig is in the commandline.
 		for i := range pod.Spec.Containers {
 			cn := &pod.Spec.Containers[i]
+
+			// Fix SecurityContext to ensure the container runs as root.
+			if cn.SecurityContext != nil {
+				cn.SecurityContext.RunAsNonRoot = nil
+				cn.SecurityContext.RunAsUser = nil
+			}
+
 			// Assumes the bootkube naming convention is used. Could also just make sure the image uses hyperkube.
 			if _, ok := kubeConfigK8sContainers[cn.Name]; ok {
 				cn.Command = append(cn.Command, "--kubeconfig=/kubeconfig/kubeconfig")
diff --git a/pkg/recovery/recover_test.go b/pkg/recovery/recover_test.go
@@ -207,6 +207,7 @@ func TestFixUpBootstrapPods(t *testing.T) {
 			Namespace: "kube-system",
 		},
 		Spec: v1.PodSpec{
+			SecurityContext: &v1.PodSecurityContext{RunAsNonRoot: boolPtr(true), RunAsUser: int64Ptr(65543)},
 			Containers: []v1.Container{{
 				Name:    "kube-scheduler",
 				Image:   "quay.io/coreos/hyperkube:v1.6.4_coreos.0",
@@ -266,6 +267,7 @@ func TestFixUpBootstrapPods(t *testing.T) {
 			Namespace: "kube-system",
 		},
 		Spec: v1.PodSpec{
+			SecurityContext: &v1.PodSecurityContext{},
 			Containers: []v1.Container{{
 				Name:    "kube-scheduler",
 				Image:   "quay.io/coreos/hyperkube:v1.6.4_coreos.0",
@@ -378,3 +380,7 @@ func TestSetTypeMeta(t *testing.T) {
 		}
 	}
 }
+
+func boolPtr(b bool) *bool { return &b }
+
+func int64Ptr(i int64) *int64 { return &i }
