Specify intent for container isolation and add details for id mapping

duda · Feb 9, 2015 · 2b01746 · 2b01746
1 parent 8b72dd9
commit 2b01746
Showing 1 changed file with 59 additions and 27 deletions.
diff --git a/docs/design/security_context.md b/docs/design/security_context.md
@@ -98,6 +98,7 @@ type SecurityContextProvider interface {
 	ModifyHostConfig(pod *api.BoundPod, container *api.Container, hostConfig *docker.HostConfig)
 }
 ```
+
 If the value of the SecurityContextProvider field on the Kubelet is nil, the kubelet will create and run the container as it does today.   
 
 ### Security Context
@@ -106,53 +107,84 @@ A security context has a 1:1 correspondence to a service account and it can be i
 part of the service account resource. Following is an example of an initial implementation:
 
 ```go
+
+// SecurityContext specifies the security constraints associated with a service account
 type SecurityContext struct {
     // user is the uid to use when running the container
 	User int
 
-	// allowPrivileged indicates whether this context allows privileged mode containers
+	// AllowPrivileged indicates whether this context allows privileged mode containers
 	AllowPrivileged bool
 
-	// allowedVolumeTypes lists the types of volumes that a container can bind
+	// AllowedVolumeTypes lists the types of volumes that a container can bind
 	AllowedVolumeTypes []string
 
-	// addCapabilities is the list of Linux kernel capabilities to add
+	// AddCapabilities is the list of Linux kernel capabilities to add
 	AddCapabilities []string
 
-	// removeCapabilities is the list of Linux kernel capabilities to remove
+	// RemoveCapabilities is the list of Linux kernel capabilities to remove
 	RemoveCapabilities []string
 
-	// SELinux specific settings (optional)
-	SELinux *SELinuxContext
-
-	// AppArmor specific settings (optional)
-	AppArmor *AppArmorContext
+	// Isolation specifies the type of isolation required for containers 
+	// in this security context 
+	Isolation ContainerIsolationSpec
+}
+
+// ContainerIsolationSpec indicates intent for container isolation
+type ContainerIsolationSpec struct {
+	// Type is the container isolation type (None, Private)
+	Type ContainerIsolationType
 
-	// FUTURE:
-	// With Linux user namespace support, it should be possible to map
-	// a range of container uids/gids to arbitrary host uids/gids
-	// UserMappings []IDMapping
-	// GroupMappings []IDMapping
+	// FUTURE: IDMapping specifies how users and groups from the host will be mapped
+	IDMapping *IDMapping
 }
 
-type SELinuxContext struct {
-    // MCS label/SELinux level to run the container under
-    Level string
-
-    // SELinux type label for container processes
-    Type  string    
-
-    // FUTURE:
-    // LabelVolumeMountsExclusive []Volume
-    // LabelVolumeMountsShared    []Volume
+// ContainerIsolationType is the type of container isolation for a security context
+type ContainerIsolationType string
+
+const (
+    // ContainerIsolationNone means that no additional consraints are added to
+    // containers to isolate them from their host
+	ContainerIsolationNone ContainerIsolationType = "None"
+
+	// ContainerIsolationPrivate means that containers are isolated in process
+	// and storage from their host and other containers.
+	ContainerIsolationPrivate ContainerIsolationType = "Private"
+)
+
+// IDMapping specifies the requested user and group mappings for containers 
+// associated with a specific security context
+type IDMapping struct {
+	// SharedUsers is the set of user ranges that must be unique to the entire cluster
+	SharedUsers []IDMappingRange
+
+	// SharedGroups is the set of group ranges that must be unique to the entire cluster
+	SharedGroups []IDMappingRange
+
+	// PrivateUsers are mapped to users on the host node, but are not necessarily
+	// unique to the entire cluster
+	PrivateUsers []IDMappingRange
+
+	// PrivateGroups are mapped to groups on the host node, but are not necessarily
+	// unique to the entire cluster
+	PrivateGroups []IDMappingRange
 }
 
-type AppArmorContext struct {
-	// AppArmor profile
-	Profile string
+// IDMappingRange specifies a mapping between container IDs and node IDs
+type IDMappingRange struct {
+	// ContainerID is the starting container ID
+	ContainerID int
+
+	// HostID is the starting host ID
+	HostID int
+
+	// Length is the length of the ID range
+	Length int
 }
+
 ```
 
+
 #### Security Context Lifecycle
 
 The lifecycle of a security context will be tied to that of a service account. It is expected that a service account with a default security context will be created for every Kubernetes namespace (without administrator intervention). If resources need to be allocated when creating a security context (for example, assign a range of host uids/gids), a pattern such as [finalizers](https://github.com/GoogleCloudPlatform/kubernetes/issues/3585) can be used before declaring the security context / service account / namespace ready for use.