Merge pull request #176 from georgibaltiev/forbid-container-privilege…

…-escalation

Forbid container escalation privileges

charts/gardener-extension-runtime-gvisor/templates/deployment.yaml

@@ -41,6 +41,8 @@ spec:
         - --max-concurrent-reconciles={{ .Values.controllers.concurrentSyncs }}
         - --ignore-operation-annotation={{ .Values.controllers.ignoreOperationAnnotation }}
         - --gardener-version={{ .Values.gardener.version }}
+        securityContext:
+          allowPrivilegeEscalation: false
         env:
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:

example/controller-registration.yaml

@@ -4,7 +4,7 @@ kind: ControllerDeployment
 metadata:
   name: runtime-gvisor
 helm:
-  rawChart: H4sIAAAAAAAAA+0c/W/bNrY/66/gqRu6DZP8ETvpGdhhWZJ1wdrESHK5OwxDQEu0zUUSNVJy6nW9v/0eSVEf/ojtpEvXGx8Kl6LIx0fyfZPKBPOQJIR75G1GEkFZ4vE8yWhMvMmMCsZbzx4NbYCDfl/9D7D4vyp39nqdbr+7vy/rO/t7vd4z1H/80JshFxnmCD3jjGX3tdv0/hOFycb996ckiukkYZw8cAy5wfuwoev2H7a9uf/ddr/deYbaH3Sma+Avvv/P0RBnGeGJQBlDepvR3ZQkaJTTKKTJBKU4uMUTInznObqaUoFEnqaMZ1AA1ojQJGIjFOMsmELrrxEnEc7ojEC/bFqrx0kICBIygbcsQV+knIzpWxKiOwrt/valj86TaI5YonpKklBKOIpoQnzHP768ucyANkBxxOIYEFwfXaKQcuH4E5q11K8m3/FHv/GW+jUV00lL/phHMUtaFaIRzC9P0ZhGRDhf+eIuhd8RvoXfLIbyf6HpNeaU5QKdHp/AgClnv5Agc3waEtzS7aDK8WciYCFpOR97V7eHzfJ/NMU88+c4jh46xib573Z7i/Lf3T+w8v8UgFN6Tbjc9wGadRycpuWj2/HbrhMSEXCaZqrqEP0AxgAFkiXQmHGUTQl6VbAQmlxLhkElJzkJjskAbWQxZ2aGbPsw5ickPZ8+bJb/kAX+hD1mjE3yv7+/t+D/HfR6fSv/TwGtFrocHv/b+x6s3xFL52Ayp9kVMMMAgRbuocvDIbo8QSDWOFEPeAyGkuKMoIDFKU7m0rBXOiBgScbpKAdbLZxWyzH4X9MA2It4p9Aso2NKOGgT8CymxOuCyEO7CRtMJAqJWkyRFyB3hKHw2avDi+OTs5OLmx8Oj368OT69aJl2nhqNRRHwLycTKjKunAsfujW5GPnosy8CnCHfb8G/65OLy9Pzsy+LR/IWx2lEWuvQSeMH3kKSYXBG+IXGPNCYXUk7OFHKRyo0I0nwCJwJ1JiSdpqU1iwqpXMlFWjAOAd3AlXDo8bwTlrH/mHV42b5zwisDcxAPDgS3Dn+67b3el0b/z0F7LL/N+Dug0su/CzdyRfcoP873aX4D/63+v9J4N07D6EQIjEIu1wag5Zxkff+vYOQfEPHaIrFUEVqyBVT3O3vD1zkX+Moh4BQtfczPEFlj5TTJBsj93Px7edisSUnKRMUTMP8PhQkEmQVwsGDEYKBgodaUZXNrEOSRmweg10q/FC9AuAKixa4xKabt9hPere66WYPt4GkgSXCI5iwD6P5t2ReDu3f5iMIgUkmp8RacqwGkjUoZnIR3KIFokkQ5WFJql9fhaXpaCzLfRcJlFgGaE2LYnw10vIsaALClgREdfcvSESwIP4ZELdA2ceWir8O7KL/wT8Z00mMU08J2Qx8FsY9BlJzx2lG1uYINvn/vYODBf1/0N9rW/3/FFBo+ab2VL/XanvPze5qiW4kC25pEg6kXwxc8QanTkwyHOIMD0Dv6tB/tQ5azT5FJwHO7goFoaq1StfqZrBCSUn0v0OljDFQT7Y25KgRxU2TVwfod4lki7k3kdYMycfevkfDLvJfGcrd0oEb5L/fXsr/7fXaNv/3JFAXaePxaLk+Lnd7a8H+Q0QYAUzpZOrhGabQiEY0m3vaFoEDKFjOA5Bew8h+ELE8bGXzFEioImpHpCSQ9HMCbA3T/QHia/AbX9OYylyHepNGNMBCU14ohaLyiIFQaGoETElqh4GiTJ1vvN5uOvsagRGoAkFtbSXgJGGZivuFqSp98e20tOkUTElwK/K4Zre1SK/Wv41N/UK53egz/6og1v8OtnEoT3TcrfwA90s1cx0yABF1wmr6c80EYVE4DYSvEymXAQc2TSb1Diln0GhK8tI9HiB3hVfprukhJE7ZJ+PgsK5pJBM2BdoFwlQqp459aU6GxU0DcILvGAfRmiyxKitVLkxTED6TyTEcReyOhNv1D4FZyh4buPClodFIhJ43ZbB386MIC3HWTNuLuQCW9f7ebheNJYk0IIdBIKXibMskf8GUJotWLo2Htj0mMEuhuK6pg4rI1a+ziKob5lE0ZCDC84ZYawlKy5cNuWFxjEEDlhUeam1PnIc8b0owz0YEZ16pDr9Zpw3Rmp4chrvzQAhhsXHkCQIrF4pvanOolJvwy36+6ndadLvUvZaGifFbqUGDnENzOZZ8kOef6/BXjS/nSSDqyyXx6YNVj6VEpyy9Soutw6i7nJseh2WHRdzl0hfReR1hKQnFu3pfkszqW6iZ7PXJ4fHJxc3J65Ojq9Pzs5uzwzcnl8PDo5OyJUIqhv0eFMGgVonQmJIovCDjZm1RLzXjoNTlfrntj9PghurTN4evTq6B5POLm/Prk4t/XZxeLVE8QC2VH655ua2Vbu8qnbVAXmlW69SUlcrQZew/Miu+3ON3lBSaptNe8JYftRgzFuUxeSNVjlje2HUhhYFY9tO7tLxMtXac4FDeQxggaRjWq/cHTEFPYEnv3U95YKKrOts9KLgyEJIxzqPsDQsBR6/brk3o/yWosbA17BL/pSwMqeC5ugwwysMJ2S4Q3Hj+217M//f3uvs2/nsKqMd/qXKFqghwyMLjcr+/U/v9cUNB47GC+/LPpAgHI0DfeXxYVuhzQWJQmUfyZJtD6398gzp+d99rQ4cjnOrgk4K+/zEfkWLd/Fc0u667H3kC3liUTeewfifgKMvVMy7oYXSH5+JQeup/jjTSLvLPRzh4yEWwDfK/d7DfXzz/6/Rt/vdJwPO8RlpX7THOsymEg7/p6we3L1UwXCV8I1gzwi9YRHZRB7sIOs8j6Sh5CEh7xVmeFl6TV10uW8z4OA0HVTcONKUCHkGqR2W9VGS6FFFhindSZSwOucOAXhXbFhIkVte2gOOyvEGUIakkyJAjS2lZylNYa7JMo+suEwMBIyeZqJdbY5rgiP62sCL3Dg4dsXIfy9ErkpboCBjjIYxRY5tlwpQVWCCgNoqkAVVEoMeOYuqV2dHvmgrOg6ahVIDSfshbi2pFltViGWKj1Yu3aXnUyGvSlauYN8YJOPJhWb8VE5cLKR9CmFL5YLa0zlHrearkKlmQeeGiOKr1XKsqTLcwpkIuXeMyU7NJSmvytXovTaSkfAZDBwQ4SWYeKlYv5E1nJ8u2SZgyWjWvjjEqBCqhtfCIdX6rxKuVCWcRWVE1AvVFk4l5U2+14vUvbGSK4FTXi62ITQwD5Jm6I3ZHRlPGbvW8cr2MJQVAAIvNeqmjfGreN7jF/cp1Hqfrv9NTWKHyt0mO1dOhq683bJsBlJ+j+GKqo/htO+16F0HuWZHrMXJxz3pBq2XTuP3qiHwkPydQBk/juWxkWHda6G287pr938X/K+RiZxdwg//X7XQXz/+7+wfW/3sS2PrgZeXZf8GnHz4qXDoFqx1/rD3zG3MWeziSyXISevqEx4PdBUspvOJ0xFNfLg3Qi5/eubLoDtaf7nztppxlLGCRO3Cvjobu+59fbE1MOU/PRKbFqLXQFAZ3m1qpkUGGUTVS9/0uI4MZ8ZS6LUeujiFgGag84aysrkL7HF2dH58P9Oddqq/UmJxhcMCgBiwmJwHogFBd9k4YilgyIRzIAZsTwk6re8zjPMs58dEFidmMyKoYYYEEg8gY/jdklocp3846/kFf3jBEI0IS+eWY5IXQ323HddrCW562OhJbxQwPwv/hGOghKQ99nl3Yl9Mh1ASmPEBnLJH2RlPmVKnlghw1XX2WuZ5W3aggFzjhaNhIqmxD658ioWFhJ3iA/S/84u3dgE353732Yv6n1+3Z73+fBO4z68b9/Kg5X/C3mTq8axJ1xW4JkDzGkSBW2zwcdpH/WYof9B3wpu8/QPYX/f92Z8/K/1PAYk7AlfImAnATwS8qswFuoRigWUbh5ZCFh0U7wre/9wsMtKWOMG7PQngiOdA4a/WLO806HTGUeVdVSWtZYfNC31x68dWL4gg8psmhdvKqw/YYfFmu7w5x8mtOObi77npy/AqHr7tK/9n0dO+ZyIqeix+wgBeo/NfyEsqqy5uyfukCp/J3t04h6JRgfS11jb4yUHMh5Szqjf2qnXUCPw3YrP9neq8f8QcgNun/fnvp7z/0u/b+95OAvkupVKj5lG6ASM4ZRMshC24hFE5vJ35IZtUdyOLPn7TSfARSX9a3qqRCa0mnZHgyQMqNkNoord3KPB2fsWwIylAqqudo1R0q+aHGc4SGylCgMWg3BLTlUrXpK4M0QROaTfORH7C4tZRokH/DoP75gr4Xd6MvSfmx/Ls08mN2iKKT7HTF+OIPJ8CpjjzQu/cOKFa5JzoLF5Z30VaZuWWjZUxWv/2GbtTmrrTjrgOzEySTpw1CfaFeJAe+RsSf+EiYPOBojlQ6pbom7RQtK3JN0rCk+rm5cmawlicyctnq39xrpnFMsuJl+2XbcWqXRuUgCzdRYZpQufYyqYkQ5LFBcXw30FdhV92THaC9NnKckAo5kaPawOinn53yM8+BPlwpHCbX2jkLFixYsGDBggULFixYsGDBggULFixYsGDBggULFixYsGDBggULFixYsGDBggULTwb/AxxjIlwAeAAA
+  rawChart: H4sIAAAAAAAAA+0c/W/bNnY/66/gqRu6DZPsOHHSM7DDZYnXBWsTI8nl7jAMAS3RMhdJ1JGUU6/r/e33SIr68EdtJ1263vQQOBJFPj6S75uUIsxDkhLukTeSpIKy1ON5KmlCvGhGBeOdzx4NXYCjfl//B1j8r6/39g/2ev3e4aEq3zvcPzj4DPUf3/VmyIXEHKHPOGPyffU2Pf9EIdq4/v6UxAmNUsbJA/tQC3wIC7pu/WHZm+vf6/a7e5+h7gcd6Rr4k6//MzTCUhKeCiQZMsuM7qckReOcxiFNI5Th4A5HRPjOM3Q9pQKJPMsYl3ABrBGjKGZjlGAZTKH2N4iTGEs6I9BOTmvlOA0BQUoieMpS9GXGyYS+ISG6p1DvL1/56CKN54iluqUiCWWEo5imxHf806vbKwm0AYoTliSA4ObkCoWUC8ePqOzoX0O+449/5R39awumUUf92FsxSzsVojGML8/QhMZEOF/74j6D3zG+g1+ZwPV/oeoN5pTlAp2dDqHDjLNfSCAdn4YEd0w9KHL8mQhYSDrOx17V7WGz/J9MMZf+HCfxQ/vYJP+93sGi/PcOj1r5fwrAGb0hXK37AM32HJxl5a2753ddJyQi4DSTuugY/QDGAAWKJdCEcSSnBL0sWAhFN4phUMlJTooTMkAbWcyZ2S67PvT5CUnPpw+b5T9kgR+xx/SxSf4PD/cX/L+jg4N+K/9PAZ0Ouhqd/sv7HqzfCcvmYDKn8hqYYYBACx+gq+MRuhoiEGuc6hs8AUNJsSQoYEmG07ky7JUOCFgqOR3nYKuF0+k4Fv8rGgB7Ee8Mqkk6oYSDNgHPYkq8Hog81IvYIFIoFGoxRV6A3DGGi89fHl+eDs+Hl7c/HJ/8eHt6dtmx9TzdG4tj4F9OIiok186FD82aXIx89PmXAZbI9zvwdzO8vDq7OP+quCVvcJLFpLMOnTJ+4C2kEoMzwi8N5oHB7CrawYnSPlKhGUmKx+BMoMaQjNOktWZRqJwrpUADxjm4E6jqHjW6d7I69g+rHjfLvyQwNzAC8eBIcOf4r9fdP+i18d9TwC7rfwvuPrjkwpfZTr7gBv2/11uK/+B/q/+fBN6+9RAKIRKDsMulCWgZF3nv3jkIqSd0gqZYjHSkhlwxxb3+4cBF/g2OcwgIdX1f4giVLTJOUzlB7hfi71+IxZqcZExQMA3z96EgsSCrEA4ejBAMFNzULvW1HXVIspjNE7BLhR9qZgBcYdEBl9g28xbbKe/WVN3s4TaQNLDEeAwD9qE3/47My679u3wMITCRakiso/pqIFmDYqYmwS1qIJoGcR6WpPr1WVgajsGy3HaRQIVlgNbUKPrXPS2PgqYgbGlAdHP/ksQEC+KfA3ELlH1sqfjzwC76H/yTCY0SnHlayGbgszDuMZCae04lWZsj2OT/HxwdLej/o/5+t9X/TwGFlm9qT/17o5f3wq6ukehGsuCOpuFA+cXAFa9x5iRE4hBLPAC9a0L/1TpoNfsUjQQ4uysUhC42Kt2om8EKJaXQ/waFKsZAB6q2JUf3KG6bvDpAvykkW4y9ibRmSD728j0adpH/ylDulg7cIP/9vd6i/MPNfiv/TwF1kbYej5Hr03K1txbs30WEEcCURlMPzzCFSjSmcu4ZWwQOoGA5D0B6LSP7QczysCPnGZBQRdSOyEig6OcE2BqG+wPE1+A3vqIJVbkO/SSLaYCFobxQCkXhCQOhMNQIGJLSDgNNmd7feLXdcA4NAitQBYLa3CrAacqkjvuFLSp98e20tG0UTElwJ/KkZreNSK/Wv41F/VK73ehz/7og1v8OlnGkdnTcrfwA9ys9chMyABF1wmr6c80AYVI4DYRvEilXAQc2TaN6g4wzqDQleekeD5C7wqt017QQCqdqIzk4rGsqqYRNgXaBMJ3KqWNfGpNlcVsBnOB7xkG0oiVWZaXKhWEKwmcqOYbjmN2TcLv2ITBL2WIDF76wNFqJMOOmDNZufhJjIc6baXsxF8Cy3l+73aKyIpEG5DgIlFScb5nkL5jSZtHKqfHQttsEdio01zV1UBG5+nUW0WWjPI5HDER43hBrI0FZ+bAhNyxJMGjAssBDne2J85DnTQnmckyw9Ep1+O06bYjWtOTQ3b0HQgiTjWNPEJi5UHxbG0Ol3IRftvN1u7Oi2ZVptdRNgt8oDRrkHKqrvtSN2v9ch7+qfDVPA1GfLoXPbKx6LCMmZelVWmwdRtPkwrY4Lhss4i6nvojO6whLSSie1dvCjOWapaFTlc8uHyAjKSNOZzDkiAxFgGNsNrgmOBakrEnSWZ0LDJ++Gh6fDi9vh6+GJ9dnF+e358evh1ej45NhrQMdBn8PuqTeK0ITSuLwkkyapUW5Uq6D0hz4Jec8zghYqs9eH78c3gDJF5e3FzfDy39enl0vUTxAHZ1irjnKnZWe8yq1t0BeaZnr1JSF2lZK9m+VWF9u8RtKC2W1111wuB81GTMW5wl5rbSWWF7YdVGJhUS1M6u0PE21epzgUB1lGCBlW9ZbiAcMwQxgSXW+n/LABmh1tntQfGYhJBOcx/I1CwHHQa9bG9D/S1z0Z4Fd4r+MhSEVPNeHAcZ5GJHtAsGN+7/dxfx/f7932MZ/TwH1+C/TrlAVAY5YeFqu93d6vT9uKGg9VnBf/pEW4WAM6PceH5YVyliQBPTdidrZ5lD7b9+iPb936HWhwQnOTPBJQVn/mI9JMW/+Sypv6u5HnoI3FsvpHOZvCI6ymj3rgh7H93gujpX/8cdII+0i/3yMg4ccBNsg//tHh/3F/b+9fpv/fRLwPK+R1tVrjHM5hXDwV3P84O6FDoarhG8Mc0b4JYvJLupgF0Hneay8HA8BaS85y7PC5fGqw2WLGR+n4V2ayoGhVMAtSPW4LFeKzFzFVNjLe6UyFrvcoUOvim0LCRKrSzvAcTJvEGVJKgmy5KirrLzKM5hrskyj6y4TA+EPJ1LUrzsTmuKY/rowI+/tHBpi7fuVvVckLdERMMZD6KPGNsuEaSuwQECtF0UDqohAj+3FlmuzY541FZwHVUOlAJX9UKcW9Ywsq8UyxEarJ2/T9Oie16QrVzFvglPwwsOyfCsmLidS3YQwpPLGLmmdo9bzVMlV6kLlhYvLca3lWlVhm4UJFWrqGoeZmlUyWpOv1WtpwxztM1g6IDpJpb2pWL2QN5OdLOumYcZoVb3axqgQ6ITWwi02+a0Sr1EmnMVkRdEY1BdNI/ukXmvF41/Y2F6CU12/7MQssgyQS31G7J6Mp4zdmXHlZhpLCoAAltj50lv51D5vcIv7tes8Ttd/Z4awQuVvkxyrp0NXH2/YNgOoXkfxxdSE4Ns22vUsglqzIlFj5eI98wW1lk3j9rMj8rF6nUAbPIPnqpFh3Wmit/G6a/Z/F/+vkIudXcAN/l9vef+vd3jU+n9PAltvvKzc+y/49MNHhUu7YLXtj7V7fhPOEg/HKllOQs/s8HiwumAphVfsjnj6zaUBev7TW1dduoP1uzvfuBlnkgUsdgfu9cnIfffz862JKcfp2ci06LUWmkLnblMrNdK/0KtB6r7bpWcwI55Wt2XP1TYETANVO5yV1dVon6Hri9OLgXm9S7dVGpMzDA4YlIDF5CQAHRDqw94pQzFLI8KBHLA5Iay0Psc8yWXOiY8uScJmRBUlCAskGETG8N+SWW6m/H225x/11QlDNCYkVW+OKV4I/d1W3KQtvOVh6y2xVczwIPwfjoEekvIw+9mFfTkbQUlgrwfonKXK3hjKnCovXJCjh2v2MtfTaioV5AInnIwaSZVtaP1DJDRa2AkeYP8Lv3h7N2BT/ne/u5j/OegdtO//Pgm8z6xb9/Oj5nzB32Z6561J1DW7I+V+7ceexE8YdpH/WYYf9B7wpvc/QPYX/f9ue/7vaWAxJ+AqeVMHIpRfVGYD3EIxQDVJ4eGIhcdFPcK3P/cLDLSljrBuz0J4ojjQOmv1gzvNMhMxlHlXXUhrWWH7wJxcev7182L/OqHpsXHyqp3yBHxZbs4OcfKfnHJwd9315PgVDt80Vf6zbem+ZyArWi6+wAJeoPZfyxMkqw5vqvKlA5za3906hWBSgvW5NCVmv7/mQqpR1Cv7Vb3WCfw0YLP+n5m1fsQHIDbp/3536fsP/V77/YcnAXOWUqtQ+yrdAJGcM4iWQxbcQSic3UV+SGbVGcji8yedLB+D1JflnSqp0FnSKRJHA6TdCKWNstqpzLPJOZMjUIZKUT1Dqw5AqRc1niE00oYCTUC7IaAtV6rNHBmkKYqonOZjP2BJZynRoL5hUH99wRxquzUnnPxEfZdGvcwOUXQqz1b0L353ApxqywO9feeAYlVrYrJwYXmQbJWZWzZa1mT1u6/pRm3uKjvuOjA6QaTabRD6DfUiOfANIn7kI2HzgOM50umU6pi0U9SsyLVJw5LqZ/a8mMVa7sioaau/c2+YxrHJihfdF13HqR0aVZ0snESFYULh2sOk1YnOcvtuYI7CrjonO0D7XeQ4IRVqICe1jtFPPzvla54Ds7lSOExua+daaKGFFlpooYUWWmihhRZaaKGFFlpooYUWWmihhRZaaKGFFlpooYUWWmihhRZaaKGFFlp4Mvgf3ZbVPQB4AAA=
   values:
     image:
       tag: v0.18.0-dev

test/integration/container-runtime/container_runtime.go

@@ -20,6 +20,7 @@ import (
 	g "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -234,6 +235,9 @@ func deployGVisorPod(ctx context.Context, c client.Client) (*corev1.Pod, error)
 						"sleep",
 						"10000000",
 					},
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: ptr.To(false),
+					},
 				},
 			},
 		},