containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3892 from cevich/google_vpc 

Cirrus: Block CNI use of google VPCs
This commit is contained in:
OpenShift Merge Robot 2019-08-28 13:03:51 -07:00 committed by GitHub
parent bdf9e56813 e06f17f580
commit 9926a299f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 33 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
contrib/cirrus/99-do-not-use-google-subnets.conflist Normal file
View File

@ -0,0 +1,21 @@
{
"cniVersion": "0.4.0",
"name": "do-not-use-google-subnets",
"plugins": [
{
"type": "bridge",
"name": "do-not-use-google-subnets",
"bridge": "do-not-use-google-subnets",
"ipam": {
"type": "host-local",
"ranges": [
[
{
"subnet": "10.128.0.0/9"
}
]
]
}
}
]
}

16
contrib/cirrus/lib.sh
View File

@ -321,13 +321,15 @@ EOF
install_test_configs(){ install_test_configs(){
echo "Installing cni config, policy and registry config" echo "Installing cni config, policy and registry config"
req_env_var GOSRC req_env_var GOSRC SCRIPT_BASE
sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \ cd $GOSRC
/etc/cni/net.d/87-podman-bridge.conflist install -v -D -m 644 ./cni/87-podman-bridge.conflist /etc/cni/net.d/
sudo install -D -m 755 $GOSRC/test/policy.json \ # This config must always sort last in the list of networks (podman picks first one
/etc/containers/policy.json # as the default). This config prevents allocation of network address space used
sudo install -D -m 755 $GOSRC/test/registries.conf \ # by default in google cloud. https://cloud.google.com/vpc/docs/vpc#ip-ranges
/etc/containers/registries.conf install -v -D -m 644 $SCRIPT_BASE/99-do-not-use-google-subnets.conflist /etc/cni/net.d/
install -v -D -m 644 ./test/policy.json /etc/containers/
install -v -D -m 644 ./test/registries.conf /etc/containers/
} }
# Remove all files (except conmon, for now) provided by the distro version of podman. # Remove all files (except conmon, for now) provided by the distro version of podman.

5
contrib/cirrus/setup_environment.sh
View File

@ -61,8 +61,7 @@ esac
# Reload to incorporate any changes from above # Reload to incorporate any changes from above
source "$SCRIPT_BASE/lib.sh" source "$SCRIPT_BASE/lib.sh"
install_test_configs # Must execute before possible setup_rootless()
make install.tools make install.tools
case "$SPECIALMODE" in case "$SPECIALMODE" in
@ -97,3 +96,5 @@ case "$SPECIALMODE" in
*) *)
die 111 "Unsupported \$SPECIALMODE: $SPECIALMODE" die 111 "Unsupported \$SPECIALMODE: $SPECIALMODE"
esac esac
install_test_configs