
Commit feb1b53

authored
add subpath usage to the report (#48)
Signed-off-by: Kaizhe Huang <[email protected]>
1 parent 2c5da5e commit feb1b53


3 files changed

+46
-0
lines changed


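--- a/advisor/report/report.go
+++ b/advisor/report/report.go
@@ -16,6 +16,7 @@ const (
 	hostPID = "hostPID"
 	hostIPC = "hostIPC"
 	hostNetwork = "hostNetwork"
+	subPath = "subPath"
 )
 
 type Report struct {
@@ -40,6 +41,7 @@ func NewReport() *Report {
 	r.Containers[runAsGroup] = []types.ContainerSecuritySpec{}
 	r.Containers[privileged] = []types.ContainerSecuritySpec{}
 	r.Containers[readOnlyRootFileSystem] = []types.ContainerSecuritySpec{}
+	r.Containers[subPath] = []types.ContainerSecuritySpec{}
 
 	// pod related security posture report
 	r.PodSecuritySpecs[hostPID] = []types.PodSecuritySpec{}
@@ -103,4 +105,10 @@ func (r *Report) AddContainer(c types.ContainerSecuritySpec) {
 	if c.ReadOnlyRootFS {
 		r.Containers[readOnlyRootFileSystem] = append(r.Containers[readOnlyRootFileSystem], c)
 	}
+
+	for _, vm := range c.VolumeMounts {
+		if vm.UsesSubPath() {
+			r.Containers[subPath] = append(r.Containers[subPath], c)
+		}
+	}
 }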
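Review bot: The new loop at the end of AddContainer appends `c` once per volume mount that uses a sub-path, so a container with two or more such mounts is listed repeatedly under r.Containers[subPath] and inflates that bucket's count in the report; the visible ReadOnlyRootFS branch above it records a container only once. Add a `break` directly after the append so the container is recorded at most once, and consider a short comment such as `// record the container once if any of its mounts uses subPath or subPathExpr`. AddContainer's body begins outside the hunk.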

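--- a/advisor/types/securityspec.go
+++ b/advisor/types/securityspec.go
@@ -47,6 +47,18 @@ type VolumeMount struct {
 	SubPathExpr string `json:"subPathExpr,omitempty"`
 }
 
+func (vm VolumeMount) IsReadOnlyMount() bool {
+	return vm.ReadOnly == true
+}
+
+func (vm VolumeMount) UsesSubPath() bool {
+	if vm.SubPath != "" || vm.SubPathExpr != "" {
+		return true
+	}
+
+	return false
+}
+
 type ContainerSecuritySpec struct {
 	Metadata Metadata `json:"parentMetadata"`
 	ContainerID string `json:"containerID"`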
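Review bot: Both new methods are exported without doc comments, and their bodies can be written more directly: `return vm.ReadOnly == true` becomes `return vm.ReadOnly`, and the if/return pair in UsesSubPath becomes `return vm.SubPath != "" || vm.SubPathExpr != ""`. Suggested comments: `// UsesSubPath reports whether the mount exposes only a sub-path of the volume, via subPath or subPathExpr.` and `// IsReadOnlyMount reports whether the volume is mounted read-only.`. IsReadOnlyMount is not referenced anywhere in this commit; if no other caller exists it may be worth noting in the description why it is added here.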

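--- /dev/null
+++ b/test-yaml/subpath.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: my-lamp-site
+spec:
+  containers:
+  - name: mysql
+    image: mysql
+    env:
+    # this is a bad example for testing purpose
+    - name: MYSQL_ROOT_PASSWORD
+      value: "rootpasswd"
+    volumeMounts:
+    - mountPath: /var/lib/mysql
+      name: site-data
+      subPath: mysql
+  - name: php
+    image: php:7.0-apache
+    volumeMounts:
+    - mountPath: /var/www/html
+      name: site-data
+      subPath: html
+  volumes:
+  - name: site-data
+    persistentVolumeClaim:
+      claimName: my-lamp-site-data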
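Review bot: This fixture only exercises the `subPath` half of UsesSubPath; neither mount sets `subPathExpr`, so the second condition the same commit introduces has no test input. Consider switching one of the two mounts to `subPathExpr` (with the environment variable it expands from, as the field requires) or adding a third mount that uses it, so both detection paths are covered by the sample. The plaintext MYSQL_ROOT_PASSWORD is already flagged by the inline comment as a deliberately bad example, which is acceptable for a test input.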
