Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions crates/openshell-core/src/sandbox_env.rs
Original file line number Diff line number Diff line change
Expand Up @@ -71,3 +71,18 @@ pub const K8S_SA_TOKEN_FILE: &str = "OPENSHELL_K8S_SA_TOKEN_FILE";
/// exchanges without using SPIFFE for gateway authentication.
pub const PROVIDER_SPIFFE_WORKLOAD_API_SOCKET: &str =
"OPENSHELL_PROVIDER_SPIFFE_WORKLOAD_API_SOCKET";

/// Resolved sandbox UID used to override `run_as_user` when the policy
/// specifies a numeric value instead of the hardcoded "sandbox" user name.
///
/// Set by compute drivers (Kubernetes, Docker, VM) from resolved config or
/// cluster autodetection. The supervisor reads this at startup and uses it
/// directly with `setuid()` / `chown()` without requiring an `/etc/passwd`
/// entry in the sandbox image.
pub const SANDBOX_UID: &str = "OPENSHELL_SANDBOX_UID";

/// Resolved sandbox GID paired with [`SANDBOX_UID`].
///
/// Used alongside UID for PVC init container `chown` operations and when the
/// supervisor drops privileges to a group other than the UID's primary group.
pub const SANDBOX_GID: &str = "OPENSHELL_SANDBOX_GID";
1 change: 1 addition & 0 deletions crates/openshell-driver-kubernetes/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ path = "src/main.rs"

[dependencies]
openshell-core = { path = "../openshell-core", default-features = false }
openshell-policy = { path = "../openshell-policy" }

tokio = { workspace = true }
tonic = { workspace = true, features = ["transport"] }
Expand Down
275 changes: 275 additions & 0 deletions crates/openshell-driver-kubernetes/src/config.rs
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,19 @@ pub struct KubernetesComputeConfig {
deserialize_with = "deserialize_provider_spiffe_workload_api_socket_path"
)]
pub provider_spiffe_workload_api_socket_path: String,
/// UID used for privilege-drop operations and workspace init container
/// ownership. The supervisor container always runs as UID 0 (root) to
/// create network namespaces and configure Landlock/seccomp; the
/// `sandbox_uid` is injected as the `SANDBOX_UID` environment variable so
/// the supervisor knows which UID to drop to for child processes.
/// When empty, the driver auto-detects from `OpenShift` SCC annotations on
/// the target namespace; if those are also absent, falls back to `1000`.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub sandbox_uid: Option<u32>,
/// GID used alongside `sandbox_uid` for PVC init container operations.
/// When empty and `sandbox_uid` is set, defaults to the resolved UID.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub sandbox_gid: Option<u32>,
}

/// Lower bound enforced by kubelet for projected SA tokens.
Expand All @@ -251,6 +264,18 @@ pub const MIN_SA_TOKEN_TTL_SECS: i64 = 600;
/// pod start).
pub const MAX_SA_TOKEN_TTL_SECS: i64 = 86_400;

/// Default sandbox UID used when neither config nor `OpenShift` SCC annotations
/// provide a resolved value.
pub(crate) const DEFAULT_SANDBOX_UID: u32 = 1000;

/// The annotation key for the `OpenShift` `ServiceAccount` UID range.
/// Format: `<start>/<size>` (e.g. `1000000000/10000`).
pub const ANNOTATION_SCC_UID_RANGE: &str = "openshift.io/sa.scc.uid-range";

@elezar elezar Jun 23, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: Do we want to leak openshift-specifics into the general k8s driver? What is the alternative? Does it make sense to make the annotation(s) configurable?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really don't. Ideally, a restricted pod in OpenShift will have runAsUser set to some high UID automatically. However, because the supervisor currently needs to run as root and then setuid to the unprivileged user, we can't allow the platform to assign runAsUser.


/// The annotation key for the `OpenShift` `ServiceAccount` supplemental groups.
/// Format: `<start>/<size>` (e.g. `1000000000/10000`).
pub const ANNOTATION_SCC_SUPPLEMENTAL_GROUPS: &str = "openshift.io/sa.scc.supplemental-groups";

impl Default for KubernetesComputeConfig {
fn default() -> Self {
Self {
Expand All @@ -277,6 +302,8 @@ impl Default for KubernetesComputeConfig {
default_runtime_class_name: String::new(),
sa_token_ttl_secs: 3600,
provider_spiffe_workload_api_socket_path: String::new(),
sandbox_uid: None,
sandbox_gid: None,
}
}
}
Expand Down Expand Up @@ -308,6 +335,84 @@ impl KubernetesComputeConfig {
&self.provider_spiffe_workload_api_socket_path,
)
}

/// Resolve the sandbox UID/GID pair.
///
/// Resolution order:
/// 1. Configured `sandbox_uid` / `sandbox_gid` (explicit override)
/// 2. `OpenShift` SCC namespace annotations (`sa.scc.uid-range`,
/// `sa.scc.supplemental-groups`) — passed in as the optional
/// `namespace_annotations` map
/// 3. Fallback defaults: UID=`1000`, GID=UID
pub fn resolve_sandbox_uid(
&self,
namespace_annotations: Option<&std::collections::BTreeMap<String, String>>,
) -> u32 {
if let Some(uid) = self.sandbox_uid {
return uid;
}
if let Some(anns) = namespace_annotations
&& let Some(range) = anns.get(ANNOTATION_SCC_UID_RANGE)
&& let Some(uid) = Self::from_open_shift_uid_range(range)
{
return uid;
}
DEFAULT_SANDBOX_UID
}

pub fn resolve_sandbox_gid(
&self,
resolved_uid: u32,
_namespace_annotations: Option<&std::collections::BTreeMap<String, String>>,
) -> u32 {
self.sandbox_gid
.or(self.sandbox_uid)
.unwrap_or(resolved_uid)
}

/// Parse `OpenShift` SCC `sa.scc.uid-range` annotation.
///
/// Format: `<start>/<size>` (e.g. `1000000000/10000`).
pub fn from_open_shift_uid_range(annotation: &str) -> Option<u32> {
let (start, _) = annotation.split_once('/')?;
start.trim().parse::<u32>().ok().filter(|&uid| {
(openshell_policy::MIN_SANDBOX_UID..=openshell_policy::MAX_SANDBOX_UID).contains(&uid)
})
}

/// Parse `OpenShift` SCC `sa.scc.supplemental-groups` annotation.
pub fn from_open_shift_supplemental_groups(annotation: &str) -> Option<u32> {
let (start, _) = annotation.split_once('/')?;
start.trim().parse::<u32>().ok().filter(|&gid| {
(openshell_policy::MIN_SANDBOX_UID..=openshell_policy::MAX_SANDBOX_UID).contains(&gid)
})
}

/// Validate that configured `sandbox_uid` and `sandbox_gid` fall within
/// the policy-enforced UID/GID range. Called during driver initialization
/// before any pod parameters are rendered.
pub fn validate_sandbox_identity_config(&self) -> Result<(), String> {
let range = openshell_policy::MIN_SANDBOX_UID..=openshell_policy::MAX_SANDBOX_UID;
if let Some(uid) = self.sandbox_uid
&& !range.contains(&uid)
{
return Err(format!(
"sandbox_uid {uid} is outside the allowed range [{}, {}]",
openshell_policy::MIN_SANDBOX_UID,
openshell_policy::MAX_SANDBOX_UID,
));
}
if let Some(gid) = self.sandbox_gid
&& !range.contains(&gid)
{
return Err(format!(
"sandbox_gid {gid} is outside the allowed range [{}, {}]",
openshell_policy::MIN_SANDBOX_UID,
openshell_policy::MAX_SANDBOX_UID,
));
}
Ok(())
}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any reason that this is a separate implementation if the two annotations have exactly the same format?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, they can use the same parsing function

}

fn validate_provider_spiffe_workload_api_socket_path_value(
Expand Down Expand Up @@ -345,6 +450,7 @@ fn validate_provider_spiffe_workload_api_socket_path_value(
#[cfg(test)]
mod tests {
use super::*;
use std::collections::BTreeMap as HashMap;

#[test]
fn default_workspace_storage_size_is_2gi() {
Expand Down Expand Up @@ -515,4 +621,173 @@ mod tests {
let cfg: KubernetesComputeConfig = serde_json::from_value(json).unwrap();
assert_eq!(cfg.image_pull_secrets, ["regcred", "backup-regcred"]);
}

#[test]
fn default_sandbox_uid_and_gid_are_none() {
let cfg = KubernetesComputeConfig::default();
assert_eq!(cfg.sandbox_uid, None);
assert_eq!(cfg.sandbox_gid, None);
}

#[test]
fn serde_override_sandbox_uid() {
let json = serde_json::json!({
"sandbox_uid": 1500
});
let cfg: KubernetesComputeConfig = serde_json::from_value(json).unwrap();
assert_eq!(cfg.sandbox_uid, Some(1500));
}

#[test]
fn serde_override_sandbox_gid() {
let json = serde_json::json!({
"sandbox_gid": 2000
});
let cfg: KubernetesComputeConfig = serde_json::from_value(json).unwrap();
assert_eq!(cfg.sandbox_gid, Some(2000));
}

#[test]
fn parse_openshift_uid_range() {
assert_eq!(
KubernetesComputeConfig::from_open_shift_uid_range("1000000000/10000"),
Some(1_000_000_000)
);
assert_eq!(
KubernetesComputeConfig::from_open_shift_uid_range("1000/50000"),
Some(1000)
);
}

#[test]
fn parse_openshift_uid_range_rejects_below_min() {
// 999 is below MIN_SANDBOX_UID (1000) — should be rejected.
assert_eq!(
KubernetesComputeConfig::from_open_shift_uid_range("999/50000"),
None
);
}

#[test]
fn parse_openshift_uid_range_rejects_above_max() {
// u32::MAX is well above MAX_SANDBOX_UID — should be rejected.
assert_eq!(
KubernetesComputeConfig::from_open_shift_uid_range("4294967295/10000"),
None
);
}

#[test]
fn validate_sandbox_identity_config_accepts_valid_range() {
let cfg = KubernetesComputeConfig {
sandbox_uid: Some(1000),
sandbox_gid: Some(1000),
..KubernetesComputeConfig::default()
};
assert!(cfg.validate_sandbox_identity_config().is_ok());
}

#[test]
fn validate_sandbox_identity_config_rejects_uid_zero() {
let cfg = KubernetesComputeConfig {
sandbox_uid: Some(0),
..KubernetesComputeConfig::default()
};
let err = cfg.validate_sandbox_identity_config().unwrap_err();
assert!(err.contains("sandbox_uid"));
}

#[test]
fn validate_sandbox_identity_config_rejects_gid_above_max() {
let cfg = KubernetesComputeConfig {
sandbox_gid: Some(openshell_policy::MAX_SANDBOX_UID + 1),
..KubernetesComputeConfig::default()
};
let err = cfg.validate_sandbox_identity_config().unwrap_err();
assert!(err.contains("sandbox_gid"));
}

#[test]
fn validate_sandbox_identity_config_accepts_none_fields() {
let cfg = KubernetesComputeConfig::default();
assert!(cfg.validate_sandbox_identity_config().is_ok());
}

#[test]
fn parse_openshift_supplemental_groups() {
assert_eq!(
KubernetesComputeConfig::from_open_shift_supplemental_groups("1000/50000"),
Some(1000)
);
}

#[test]
fn resolve_sandbox_uid_prefers_config() {
let cfg = KubernetesComputeConfig {
sandbox_uid: Some(5000),
..KubernetesComputeConfig::default()
};
// Config value should win even when annotations are present.
let mut anns: HashMap<String, String> = HashMap::new();
anns.insert(
ANNOTATION_SCC_UID_RANGE.to_string(),
"1000000000/10000".to_string(),
);
assert_eq!(cfg.resolve_sandbox_uid(Some(&anns)), 5000);
}

#[test]
fn resolve_sandbox_uid_falls_back_to_openshift_annotation() {
let cfg = KubernetesComputeConfig::default();
let mut anns: HashMap<String, String> = HashMap::new();
anns.insert(
ANNOTATION_SCC_UID_RANGE.to_string(),
"1000000000/10000".to_string(),
);
assert_eq!(cfg.resolve_sandbox_uid(Some(&anns)), 1_000_000_000);
}

#[test]
fn resolve_sandbox_uid_falls_back_to_default() {
let cfg = KubernetesComputeConfig::default();
// No config, no annotations.
assert_eq!(cfg.resolve_sandbox_uid(None), DEFAULT_SANDBOX_UID);
// Empty annotations map.
let anns: HashMap<String, String> = HashMap::new();
assert_eq!(cfg.resolve_sandbox_uid(Some(&anns)), DEFAULT_SANDBOX_UID);
}

#[test]
fn resolve_sandbox_gid_prefers_config() {
let cfg = KubernetesComputeConfig {
sandbox_uid: Some(5000),
sandbox_gid: Some(6000),
..KubernetesComputeConfig::default()
};
assert_eq!(
cfg.resolve_sandbox_gid(cfg.resolve_sandbox_uid(None), None),
6000
);
}

#[test]
fn resolve_sandbox_gid_falls_back_to_uid() {
let cfg = KubernetesComputeConfig {
sandbox_uid: Some(5000),
..KubernetesComputeConfig::default()
};
// sandbox_gid is None, should fall back to sandbox_uid.
assert_eq!(
cfg.resolve_sandbox_gid(cfg.resolve_sandbox_uid(None), None),
5000
);
}

#[test]
fn resolve_sandbox_gid_falls_back_to_resolved_uid() {
let cfg = KubernetesComputeConfig::default();
// Both are None, should use the resolved UID.
let uid = cfg.resolve_sandbox_uid(None);
assert_eq!(cfg.resolve_sandbox_gid(uid, None), uid);
}
}
Loading
Loading