github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #69685 from yue9944882/externalize-psp-admission-controller 

Externalize PSP admission controller
pull/58/head
k8s-ci-robot 2018-10-23 12:29:38 -07:00 committed by GitHub
parent eef8154833 e2c61169b1
commit 753dfbe8fd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 196 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/security/podsecuritypolicy/BUILD
View File

@ -17,7 +17,6 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/features:go_default_library",
"//pkg/security/podsecuritypolicy/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/capabilities:go_default_library",
@ -28,6 +27,8 @@ go_library(
"//pkg/security/podsecuritypolicy/user:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//pkg/securitycontext:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
@ -41,11 +42,11 @@ go_test(
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/core/v1:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",

6
pkg/security/podsecuritypolicy/capabilities/BUILD
View File

@ -16,7 +16,8 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
@ -28,7 +29,8 @@ go_test(
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)

23
pkg/security/podsecuritypolicy/capabilities/capabilities.go
View File

@ -19,10 +19,11 @@ package capabilities
import (
"fmt"
corev1 "k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
// defaultCapabilities implements the Strategy interface
@ -36,11 +37,23 @@ var _ Strategy = &defaultCapabilities{}
// NewDefaultCapabilities creates a new defaultCapabilities strategy that will provide defaults and validation
// based on the configured initial caps and allowed caps.
func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []api.Capability) (Strategy, error) {
func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []corev1.Capability) (Strategy, error) {
internalDefaultAddCaps := make([]api.Capability, len(defaultAddCapabilities))
for i, capability := range defaultAddCapabilities {
internalDefaultAddCaps[i] = api.Capability(capability)
}
internalRequiredDropCaps := make([]api.Capability, len(requiredDropCapabilities))
for i, capability := range requiredDropCapabilities {
internalRequiredDropCaps[i] = api.Capability(capability)
}
internalAllowedCaps := make([]api.Capability, len(allowedCaps))
for i, capability := range allowedCaps {
internalAllowedCaps[i] = api.Capability(capability)
}
return &defaultCapabilities{
defaultAddCapabilities: defaultAddCapabilities,
requiredDropCapabilities: requiredDropCapabilities,
allowedCaps: allowedCaps,
defaultAddCapabilities: internalDefaultAddCaps,
requiredDropCapabilities: internalRequiredDropCaps,
allowedCaps: internalAllowedCaps,
}, nil
}

83
pkg/security/podsecuritypolicy/capabilities/capabilities_test.go
View File

@ -20,14 +20,15 @@ import (
"reflect"
"testing"
corev1 "k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
func TestGenerateAdds(t *testing.T) {
tests := map[string]struct {
defaultAddCaps []api.Capability
defaultAddCaps []corev1.Capability
containerCaps *api.Capabilities
expectedCaps *api.Capabilities
}{
@ -37,13 +38,13 @@ func TestGenerateAdds(t *testing.T) {
expectedCaps: &api.Capabilities{},
},
"required, no container requests": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
expectedCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
},
"required, container requests add required": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
@ -52,7 +53,7 @@ func TestGenerateAdds(t *testing.T) {
},
},
"multiple required, container requests add required": {
defaultAddCaps: []api.Capability{"foo", "bar", "baz"},
defaultAddCaps: []corev1.Capability{"foo", "bar", "baz"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
@ -61,7 +62,7 @@ func TestGenerateAdds(t *testing.T) {
},
},
"required, container requests add non-required": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"bar"},
},
@ -70,7 +71,7 @@ func TestGenerateAdds(t *testing.T) {
},
},
"generation does not mutate unnecessarily": {
defaultAddCaps: []api.Capability{"foo", "bar"},
defaultAddCaps: []corev1.Capability{"foo", "bar"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo", "foo", "bar", "baz"},
},
@ -79,7 +80,7 @@ func TestGenerateAdds(t *testing.T) {
},
},
"generation dedupes": {
defaultAddCaps: []api.Capability{"foo", "bar"},
defaultAddCaps: []corev1.Capability{"foo", "bar"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo", "baz"},
},
@ -88,7 +89,7 @@ func TestGenerateAdds(t *testing.T) {
},
},
"generation is case sensitive - will not dedupe": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"FOO"},
},
@ -127,8 +128,8 @@ func TestGenerateAdds(t *testing.T) {
func TestGenerateDrops(t *testing.T) {
tests := map[string]struct {
defaultAddCaps []api.Capability
requiredDropCaps []api.Capability
defaultAddCaps []corev1.Capability
requiredDropCaps []corev1.Capability
containerCaps *api.Capabilities
expectedCaps *api.Capabilities
}{
@ -140,13 +141,13 @@ func TestGenerateDrops(t *testing.T) {
expectedCaps: &api.Capabilities{},
},
"required drops are defaulted": {
requiredDropCaps: []api.Capability{"foo"},
requiredDropCaps: []corev1.Capability{"foo"},
expectedCaps: &api.Capabilities{
Drop: []api.Capability{"foo"},
},
},
"required drops are defaulted when making container requests": {
requiredDropCaps: []api.Capability{"baz"},
requiredDropCaps: []corev1.Capability{"baz"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"foo", "bar"},
},
@ -155,7 +156,7 @@ func TestGenerateDrops(t *testing.T) {
},
},
"required drops do not mutate unnecessarily": {
requiredDropCaps: []api.Capability{"baz"},
requiredDropCaps: []corev1.Capability{"baz"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"foo", "bar", "baz"},
},
@ -164,7 +165,7 @@ func TestGenerateDrops(t *testing.T) {
},
},
"can drop a required add": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"foo"},
},
@ -173,7 +174,7 @@ func TestGenerateDrops(t *testing.T) {
},
},
"can drop non-required add": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"bar"},
},
@ -183,8 +184,8 @@ func TestGenerateDrops(t *testing.T) {
},
},
"defaulting adds and drops, dropping a required add": {
defaultAddCaps: []api.Capability{"foo", "bar", "baz"},
requiredDropCaps: []api.Capability{"abc"},
defaultAddCaps: []corev1.Capability{"foo", "bar", "baz"},
requiredDropCaps: []corev1.Capability{"abc"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"foo"},
},
@ -194,7 +195,7 @@ func TestGenerateDrops(t *testing.T) {
},
},
"generation dedupes": {
requiredDropCaps: []api.Capability{"baz", "foo"},
requiredDropCaps: []corev1.Capability{"baz", "foo"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"bar", "foo"},
},
@ -203,7 +204,7 @@ func TestGenerateDrops(t *testing.T) {
},
},
"generation is case sensitive - will not dedupe": {
requiredDropCaps: []api.Capability{"bar"},
requiredDropCaps: []corev1.Capability{"bar"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"BAR"},
},
@ -241,30 +242,30 @@ func TestGenerateDrops(t *testing.T) {
func TestValidateAdds(t *testing.T) {
tests := map[string]struct {
defaultAddCaps []api.Capability
allowedCaps []api.Capability
defaultAddCaps []corev1.Capability
allowedCaps []corev1.Capability
containerCaps *api.Capabilities
expectedError string
}{
// no container requests
"no required, no allowed, no container requests": {},
"no required, allowed, no container requests": {
allowedCaps: []api.Capability{"foo"},
allowedCaps: []corev1.Capability{"foo"},
},
"required, no allowed, no container requests": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
expectedError: `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`,
},
// container requests match required
"required, no allowed, container requests valid": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
},
"required, no allowed, container requests invalid": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"bar"},
},
@ -273,19 +274,19 @@ func TestValidateAdds(t *testing.T) {
// container requests match allowed
"no required, allowed, container requests valid": {
allowedCaps: []api.Capability{"foo"},
allowedCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
},
"no required, all allowed, container requests valid": {
allowedCaps: []api.Capability{policy.AllowAllCapabilities},
allowedCaps: []corev1.Capability{policy.AllowAllCapabilities},
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
},
"no required, allowed, container requests invalid": {
allowedCaps: []api.Capability{"foo"},
allowedCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"bar"},
},
@ -294,29 +295,29 @@ func TestValidateAdds(t *testing.T) {
// required and allowed
"required, allowed, container requests valid required": {
defaultAddCaps: []api.Capability{"foo"},
allowedCaps: []api.Capability{"bar"},
defaultAddCaps: []corev1.Capability{"foo"},
allowedCaps: []corev1.Capability{"bar"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
},
"required, allowed, container requests valid allowed": {
defaultAddCaps: []api.Capability{"foo"},
allowedCaps: []api.Capability{"bar"},
defaultAddCaps: []corev1.Capability{"foo"},
allowedCaps: []corev1.Capability{"bar"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"bar"},
},
},
"required, allowed, container requests invalid": {
defaultAddCaps: []api.Capability{"foo"},
allowedCaps: []api.Capability{"bar"},
defaultAddCaps: []corev1.Capability{"foo"},
allowedCaps: []corev1.Capability{"bar"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"baz"},
},
expectedError: `capabilities.add: Invalid value: "baz": capability may not be added`,
},
"validation is case sensitive": {
defaultAddCaps: []api.Capability{"foo"},
defaultAddCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"FOO"},
},
@ -351,33 +352,33 @@ func TestValidateAdds(t *testing.T) {
func TestValidateDrops(t *testing.T) {
tests := map[string]struct {
requiredDropCaps []api.Capability
requiredDropCaps []corev1.Capability
containerCaps *api.Capabilities
expectedError string
}{
// no container requests
"no required, no container requests": {},
"required, no container requests": {
requiredDropCaps: []api.Capability{"foo"},
requiredDropCaps: []corev1.Capability{"foo"},
expectedError: `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`,
},
// container requests match required
"required, container requests valid": {
requiredDropCaps: []api.Capability{"foo"},
requiredDropCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"foo"},
},
},
"required, container requests invalid": {
requiredDropCaps: []api.Capability{"foo"},
requiredDropCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"bar"},
},
expectedError: `capabilities.drop: Invalid value: []core.Capability{"bar"}: foo is required to be dropped but was not found`,
},
"validation is case sensitive": {
requiredDropCaps: []api.Capability{"foo"},
requiredDropCaps: []corev1.Capability{"foo"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"FOO"},
},

6
pkg/security/podsecuritypolicy/factory.go
View File

@ -22,9 +22,9 @@ import (
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features"
corev1 "k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/errors"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
@ -191,7 +191,7 @@ func createSupplementalGroupStrategy(opts *policy.SupplementalGroupsStrategyOpti
}
// createCapabilitiesStrategy creates a new capabilities strategy.
func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []api.Capability) (capabilities.Strategy, error) {
func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []corev1.Capability) (capabilities.Strategy, error) {
return capabilities.NewDefaultCapabilities(defaultAddCaps, requiredDropCaps, allowedCaps)
}

4
pkg/security/podsecuritypolicy/group/BUILD
View File

@ -19,8 +19,8 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@ -34,7 +34,7 @@ go_test(
],
embed = [":go_default_library"],
deps = [
"//pkg/apis/policy:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)

2
pkg/security/podsecuritypolicy/group/helpers.go
View File

@ -19,8 +19,8 @@ package group
import (
"fmt"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/apis/policy"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
)

2
pkg/security/podsecuritypolicy/group/mayrunas.go
View File

@ -19,9 +19,9 @@ package group
import (
"fmt"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
// mayRunAs implements the GroupStrategy interface.

2
pkg/security/podsecuritypolicy/group/mayrunas_test.go
View File

@ -21,8 +21,8 @@ import (
"strings"
"testing"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/apis/policy"
)
func TestMayRunAsOptions(t *testing.T) {

2
pkg/security/podsecuritypolicy/group/mustrunas.go
View File

@ -19,9 +19,9 @@ package group
import (
"fmt"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
// mustRunAs implements the GroupStrategy interface

2
pkg/security/podsecuritypolicy/group/mustrunas_test.go
View File

@ -20,8 +20,8 @@ import (
"strings"
"testing"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/apis/policy"
)
func TestMustRunAsOptions(t *testing.T) {

20
pkg/security/podsecuritypolicy/provider.go
View File

@ -20,10 +20,11 @@ import (
"fmt"
"strings"
corev1 "k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
utilfeature "k8s.io/apiserver/pkg/util/feature"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/features"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
"k8s.io/kubernetes/pkg/securitycontext"
@ -174,9 +175,9 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container
sc.SetAllowPrivilegeEscalation(s.psp.Spec.DefaultAllowPrivilegeEscalation)
}
// if the PSP sets psp.AllowPrivilegeEscalation to false set that as the default
if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation() == nil {
sc.SetAllowPrivilegeEscalation(&s.psp.Spec.AllowPrivilegeEscalation)
// if the PSP sets psp.AllowPrivilegeEscalation to false, set that as the default
if !*s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation() == nil {
sc.SetAllowPrivilegeEscalation(s.psp.Spec.AllowPrivilegeEscalation)
}
pod.Annotations = annotations
@ -313,14 +314,15 @@ func (s *simpleProvider) ValidateContainer(pod *api.Pod, container *api.Containe
procMount := sc.ProcMount()
allowedProcMounts := s.psp.Spec.AllowedProcMountTypes
if len(allowedProcMounts) == 0 {
allowedProcMounts = []api.ProcMountType{api.DefaultProcMount}
allowedProcMounts = []corev1.ProcMountType{corev1.DefaultProcMount}
}
foundProcMountType := false
for _, pm := range allowedProcMounts {
if pm == procMount {
if string(pm) == string(procMount) {
foundProcMountType = true
}
}
if !foundProcMountType {
allErrs = append(allErrs, field.Invalid(scPath.Child("procMount"), procMount, "ProcMountType is not allowed"))
}
@ -339,14 +341,10 @@ func (s *simpleProvider) ValidateContainer(pod *api.Pod, container *api.Containe
}
allowEscalation := sc.AllowPrivilegeEscalation()
if !s.psp.Spec.AllowPrivilegeEscalation && allowEscalation == nil {
if !*s.psp.Spec.AllowPrivilegeEscalation && (allowEscalation == nil || *allowEscalation) {
allErrs = append(allErrs, field.Invalid(scPath.Child("allowPrivilegeEscalation"), allowEscalation, "Allowing privilege escalation for containers is not allowed"))
}
if !s.psp.Spec.AllowPrivilegeEscalation && allowEscalation != nil && *allowEscalation {
allErrs = append(allErrs, field.Invalid(scPath.Child("allowPrivilegeEscalation"), *allowEscalation, "Allowing privilege escalation for containers is not allowed"))
}
return allErrs
}

25
pkg/security/podsecuritypolicy/provider_test.go
View File

@ -28,12 +28,12 @@ import (
"github.com/stretchr/testify/require"
"k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
@ -52,6 +52,7 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
}
// Create a PSP with strategies that will populate a blank psc
allowPrivilegeEscalation := true
createPSP := func() *policy.PodSecurityPolicy {
return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
@ -61,7 +62,7 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
},
},
Spec: policy.PodSecurityPolicySpec{
AllowPrivilegeEscalation: true,
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyRunAsAny,
},
@ -126,6 +127,7 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
}
// Create a PSP with strategies that will populate a blank security context
allowPrivilegeEscalation := true
createPSP := func() *policy.PodSecurityPolicy {
return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
@ -136,7 +138,7 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
},
},
Spec: policy.PodSecurityPolicySpec{
AllowPrivilegeEscalation: true,
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyRunAsAny,
},
@ -231,7 +233,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
failNilSELinuxPod := defaultPod()
failSELinuxPSP := defaultPSP()
failSELinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
failSELinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
failSELinuxPSP.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{
Level: "foo",
}
@ -497,7 +499,7 @@ func TestValidateContainerFailures(t *testing.T) {
failSELinuxPSP := defaultPSP()
failSELinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{
Rule: policy.SELinuxStrategyMustRunAs,
SELinuxOptions: &api.SELinuxOptions{
SELinuxOptions: &v1.SELinuxOptions{
Level: "foo",
},
}
@ -693,7 +695,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
}
seLinuxPSP := defaultPSP()
seLinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
seLinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
seLinuxPSP.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{
User: "user",
Role: "role",
Type: "type",
@ -934,7 +936,7 @@ func TestValidateContainerSuccess(t *testing.T) {
seLinuxPSP := defaultPSP()
seLinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{
Rule: policy.SELinuxStrategyMustRunAs,
SELinuxOptions: &api.SELinuxOptions{
SELinuxOptions: &v1.SELinuxOptions{
Level: "foo",
},
}
@ -959,7 +961,7 @@ func TestValidateContainerSuccess(t *testing.T) {
privPod.Spec.Containers[0].SecurityContext.Privileged = &priv
capsPSP := defaultPSP()
capsPSP.Spec.AllowedCapabilities = []api.Capability{"foo"}
capsPSP.Spec.AllowedCapabilities = []v1.Capability{"foo"}
capsPod := defaultPod()
capsPod.Spec.Containers[0].SecurityContext.Capabilities = &api.Capabilities{
Add: []api.Capability{"foo"},
@ -967,7 +969,7 @@ func TestValidateContainerSuccess(t *testing.T) {
// pod should be able to request caps that are in the required set even if not specified in the allowed set
requiredCapsPSP := defaultPSP()
requiredCapsPSP.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
requiredCapsPSP.Spec.DefaultAddCapabilities = []v1.Capability{"foo"}
requiredCapsPod := defaultPod()
requiredCapsPod.Spec.Containers[0].SecurityContext.Capabilities = &api.Capabilities{
Add: []api.Capability{"foo"},
@ -1165,6 +1167,7 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) {
}
func defaultPSP() *policy.PodSecurityPolicy {
allowPrivilegeEscalation := true
return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "psp-sa",
@ -1186,7 +1189,7 @@ func defaultPSP() *policy.PodSecurityPolicy {
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: policy.SupplementalGroupsStrategyRunAsAny,
},
AllowPrivilegeEscalation: true,
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
},
}
}
@ -1342,7 +1345,7 @@ func TestAllowPrivilegeEscalation(t *testing.T) {
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = test.podAPE
psp := defaultPSP()
psp.Spec.AllowPrivilegeEscalation = test.pspAPE
psp.Spec.AllowPrivilegeEscalation = &test.pspAPE
psp.Spec.DefaultAllowPrivilegeEscalation = test.pspDAPE
provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())

7
pkg/security/podsecuritypolicy/selinux/BUILD
View File

@ -17,8 +17,9 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/apis/core/v1:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@ -32,7 +33,9 @@ go_test(
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/apis/core/v1:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
],
)

30
pkg/security/podsecuritypolicy/selinux/mustrunas.go
View File

@ -21,14 +21,15 @@ import (
"sort"
"strings"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/apis/core/v1"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
)
type mustRunAs struct {
opts *policy.SELinuxStrategyOptions
opts *api.SELinuxOptions
}
var _ SELinuxStrategy = &mustRunAs{}
@ -40,14 +41,19 @@ func NewMustRunAs(options *policy.SELinuxStrategyOptions) (SELinuxStrategy, erro
if options.SELinuxOptions == nil {
return nil, fmt.Errorf("MustRunAs requires SELinuxOptions")
}
internalSELinuxOptions := &api.SELinuxOptions{}
if err := v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(options.SELinuxOptions, internalSELinuxOptions, nil); err != nil {
return nil, err
}
return &mustRunAs{
opts: options,
opts: internalSELinuxOptions,
}, nil
}
// Generate creates the SELinuxOptions based on constraint rules.
func (s *mustRunAs) Generate(_ *api.Pod, _ *api.Container) (*api.SELinuxOptions, error) {
return s.opts.SELinuxOptions, nil
return s.opts, nil
}
// Validate ensures that the specified values fall within the range of the strategy.
@ -58,20 +64,20 @@ func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container,
allErrs = append(allErrs, field.Required(fldPath, ""))
return allErrs
}
if !equalLevels(s.opts.SELinuxOptions.Level, seLinux.Level) {
detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Level)
if !equalLevels(s.opts.Level, seLinux.Level) {
detail := fmt.Sprintf("must be %s", s.opts.Level)
allErrs = append(allErrs, field.Invalid(fldPath.Child("level"), seLinux.Level, detail))
}
if seLinux.Role != s.opts.SELinuxOptions.Role {
detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Role)
if seLinux.Role != s.opts.Role {
detail := fmt.Sprintf("must be %s", s.opts.Role)
allErrs = append(allErrs, field.Invalid(fldPath.Child("role"), seLinux.Role, detail))
}
if seLinux.Type != s.opts.SELinuxOptions.Type {
detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Type)
if seLinux.Type != s.opts.Type {
detail := fmt.Sprintf("must be %s", s.opts.Type)
allErrs = append(allErrs, field.Invalid(fldPath.Child("type"), seLinux.Type, detail))
}
if seLinux.User != s.opts.SELinuxOptions.User {
detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.User)
if seLinux.User != s.opts.User {
detail := fmt.Sprintf("must be %s", s.opts.User)
allErrs = append(allErrs, field.Invalid(fldPath.Child("user"), seLinux.User, detail))
}

26
pkg/security/podsecuritypolicy/selinux/mustrunas_test.go
View File

@ -17,8 +17,10 @@ limitations under the License.
package selinux
import (
corev1 "k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/apis/core/v1"
"reflect"
"strings"
"testing"
@ -38,7 +40,7 @@ func TestMustRunAsOptions(t *testing.T) {
pass: false,
},
"valid opts": {
opts: &policy.SELinuxStrategyOptions{SELinuxOptions: &api.SELinuxOptions{}},
opts: &policy.SELinuxStrategyOptions{SELinuxOptions: &corev1.SELinuxOptions{}},
pass: true,
},
}
@ -55,7 +57,7 @@ func TestMustRunAsOptions(t *testing.T) {
func TestMustRunAsGenerate(t *testing.T) {
opts := &policy.SELinuxStrategyOptions{
SELinuxOptions: &api.SELinuxOptions{
SELinuxOptions: &corev1.SELinuxOptions{
User: "user",
Role: "role",
Type: "type",
@ -70,14 +72,16 @@ func TestMustRunAsGenerate(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error generating selinux %v", err)
}
if !reflect.DeepEqual(generated, opts.SELinuxOptions) {
internalSELinuxOptions := &api.SELinuxOptions{}
v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(opts.SELinuxOptions, internalSELinuxOptions, nil)
if !reflect.DeepEqual(generated, internalSELinuxOptions) {
t.Errorf("generated selinux does not equal configured selinux")
}
}
func TestMustRunAsValidate(t *testing.T) {
newValidOpts := func() *api.SELinuxOptions {
return &api.SELinuxOptions{
newValidOpts := func() *corev1.SELinuxOptions {
return &corev1.SELinuxOptions{
User: "user",
Role: "role",
Level: "s0:c0,c6",
@ -85,7 +89,7 @@ func TestMustRunAsValidate(t *testing.T) {
}
}
newValidOptsWithLevel := func(level string) *api.SELinuxOptions {
newValidOptsWithLevel := func(level string) *corev1.SELinuxOptions {
opts := newValidOpts()
opts.Level = level
return opts
@ -103,8 +107,8 @@ func TestMustRunAsValidate(t *testing.T) {
validOpts := newValidOpts()
tests := map[string]struct {
podSeLinux *api.SELinuxOptions
pspSeLinux *api.SELinuxOptions
podSeLinux *corev1.SELinuxOptions
pspSeLinux *corev1.SELinuxOptions
expectedMsg string
}{
"invalid role": {
@ -154,7 +158,9 @@ func TestMustRunAsValidate(t *testing.T) {
continue
}
errs := mustRunAs.Validate(nil, nil, nil, tc.podSeLinux)
internalSELinuxOptions := api.SELinuxOptions{}
v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(tc.podSeLinux, &internalSELinuxOptions, nil)
errs := mustRunAs.Validate(nil, nil, nil, &internalSELinuxOptions)
//should've passed but didn't
if len(tc.expectedMsg) == 0 && len(errs) > 0 {
t.Errorf("%s expected no errors but received %v", name, errs)

2
pkg/security/podsecuritypolicy/selinux/runasany.go
View File

@ -17,9 +17,9 @@ limitations under the License.
package selinux
import (
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
// runAsAny implements the SELinuxStrategy interface.

6
pkg/security/podsecuritypolicy/selinux/runasany_test.go
View File

@ -17,8 +17,8 @@ limitations under the License.
package selinux
import (
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
corev1 "k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
"testing"
)
@ -49,7 +49,7 @@ func TestRunAsAnyGenerate(t *testing.T) {
func TestRunAsAnyValidate(t *testing.T) {
s, err := NewRunAsAny(&policy.SELinuxStrategyOptions{
SELinuxOptions: &api.SELinuxOptions{
SELinuxOptions: &corev1.SELinuxOptions{
Level: "foo",
},
},

2
pkg/security/podsecuritypolicy/types.go
View File

@ -17,9 +17,9 @@ limitations under the License.
package podsecuritypolicy
import (
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"

5
pkg/security/podsecuritypolicy/user/BUILD
View File

@ -18,8 +18,8 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/user",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@ -34,7 +34,8 @@ go_test(
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
],
)

2
pkg/security/podsecuritypolicy/user/mustrunas.go
View File

@ -19,9 +19,9 @@ package user
import (
"fmt"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
)

2
pkg/security/podsecuritypolicy/user/mustrunas_test.go
View File

@ -17,8 +17,8 @@ limitations under the License.
package user
import (
policy "k8s.io/api/policy/v1beta1"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
"strings"
"testing"
)

2
pkg/security/podsecuritypolicy/user/nonroot.go
View File

@ -17,9 +17,9 @@ limitations under the License.
package user
import (
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
type nonRoot struct{}

4
pkg/security/podsecuritypolicy/user/nonroot_test.go
View File

@ -17,8 +17,8 @@ limitations under the License.
package user
import (
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
api "k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
"testing"
)

2
pkg/security/podsecuritypolicy/user/runasany.go
View File

@ -17,9 +17,9 @@ limitations under the License.
package user
import (
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
// runAsAny implements the interface RunAsUserStrategy.

2
pkg/security/podsecuritypolicy/user/runasany_test.go
View File

@ -19,7 +19,7 @@ package user
import (
"testing"
"k8s.io/kubernetes/pkg/apis/policy"
policy "k8s.io/api/policy/v1beta1"
)
func TestRunAsAnyOptions(t *testing.T) {

4
pkg/security/podsecuritypolicy/util/BUILD
View File

@ -15,7 +15,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
],
)
@ -26,7 +26,7 @@ go_test(
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
],
)

2
pkg/security/podsecuritypolicy/util/util.go
View File

@ -20,9 +20,9 @@ import (
"fmt"
"strings"
policy "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/util/sets"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
const (

2
pkg/security/podsecuritypolicy/util/util_test.go
View File

@ -20,8 +20,8 @@ import (
"reflect"
"testing"
policy "k8s.io/api/policy/v1beta1"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
// TestVolumeSourceFSTypeDrift ensures that for every known type of volume source (by the fields on

11
plugin/pkg/admission/security/podsecuritypolicy/BUILD
View File

@ -14,13 +14,11 @@ go_library(
"//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/client/listers/policy/internalversion:go_default_library",
"//pkg/kubeapiserver/admission:go_default_library",
"//pkg/registry/rbac:go_default_library",
"//pkg/security/podsecuritypolicy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//pkg/serviceaccount:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
@ -28,6 +26,8 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/client-go/informers:go_default_library",
"//staging/src/k8s.io/client-go/listers/policy/v1beta1:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
],
)
@ -39,14 +39,14 @@ go_test(
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/apis/core/v1:go_default_library",
"//pkg/controller:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
@ -55,6 +55,7 @@ go_test(
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
"//staging/src/k8s.io/client-go/informers:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/k8s.io/utils/pointer:go_default_library",
],

14
plugin/pkg/admission/security/podsecuritypolicy/admission.go
View File

@ -24,6 +24,7 @@ import (
"github.com/golang/glog"
policyv1beta1 "k8s.io/api/policy/v1beta1"
apiequality "k8s.io/apimachinery/pkg/api/equality"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/util/validation/field"
@ -31,12 +32,11 @@ import (
genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/client-go/informers"
policylisters "k8s.io/client-go/listers/policy/v1beta1"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/policy"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
policylisters "k8s.io/kubernetes/pkg/client/listers/policy/internalversion"
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
psp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
@ -83,7 +83,7 @@ func (plugin *PodSecurityPolicyPlugin) ValidateInitialization() error {
var _ admission.MutationInterface = &PodSecurityPolicyPlugin{}
var _ admission.ValidationInterface = &PodSecurityPolicyPlugin{}
var _ genericadmissioninit.WantsAuthorizer = &PodSecurityPolicyPlugin{}
var _ kubeapiserveradmission.WantsInternalKubeInformerFactory = &PodSecurityPolicyPlugin{}
var _ genericadmissioninit.WantsExternalKubeInformerFactory = &PodSecurityPolicyPlugin{}
var auditKeyPrefix = strings.ToLower(PluginName) + "." + policy.GroupName + ".k8s.io"
// newPlugin creates a new PSP admission plugin.
@ -95,8 +95,8 @@ func newPlugin(strategyFactory psp.StrategyFactory, failOnNoPolicies bool) *PodS
}
}
func (a *PodSecurityPolicyPlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) {
podSecurityPolicyInformer := f.Policy().InternalVersion().PodSecurityPolicies()
func (a *PodSecurityPolicyPlugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
podSecurityPolicyInformer := f.Policy().V1beta1().PodSecurityPolicies()
a.lister = podSecurityPolicyInformer.Lister()
a.SetReadyFunc(podSecurityPolicyInformer.Informer().HasSynced)
}
@ -338,7 +338,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod) field.ErrorList
}
// createProvidersFromPolicies creates providers from the constraints supplied.
func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*policy.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*policyv1beta1.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
var (
// collected providers
providers []psp.Provider

40
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@ -25,6 +25,7 @@ import (
"github.com/stretchr/testify/assert"
"k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
apiequality "k8s.io/apimachinery/pkg/api/equality"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff"
@ -33,10 +34,10 @@ import (
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/client-go/informers"
"k8s.io/kubernetes/pkg/api/legacyscheme"
kapi "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
"k8s.io/kubernetes/pkg/controller"
"k8s.io/kubernetes/pkg/security/apparmor"
kpsp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
@ -50,11 +51,11 @@ const defaultContainerName = "test-c"
// NewTestAdmission provides an admission plugin with test implementations of internal structs.
func NewTestAdmission(psps []*policy.PodSecurityPolicy, authz authorizer.Authorizer) *PodSecurityPolicyPlugin {
informerFactory := informers.NewSharedInformerFactory(nil, controller.NoResyncPeriodFunc())
store := informerFactory.Policy().InternalVersion().PodSecurityPolicies().Informer().GetStore()
store := informerFactory.Policy().V1beta1().PodSecurityPolicies().Informer().GetStore()
for _, psp := range psps {
store.Add(psp)
}
lister := informerFactory.Policy().InternalVersion().PodSecurityPolicies().Lister()
lister := informerFactory.Policy().V1beta1().PodSecurityPolicies().Lister()
if authz == nil {
authz = &TestAuthorizer{}
}
@ -502,19 +503,19 @@ func TestAdmitCaps(t *testing.T) {
allowsFooInAllowed := restrictivePSP()
allowsFooInAllowed.Name = "allowCapInAllowed"
allowsFooInAllowed.Spec.AllowedCapabilities = []kapi.Capability{"foo"}
allowsFooInAllowed.Spec.AllowedCapabilities = []v1.Capability{"foo"}
allowsFooInRequired := restrictivePSP()
allowsFooInRequired.Name = "allowCapInRequired"
allowsFooInRequired.Spec.DefaultAddCapabilities = []kapi.Capability{"foo"}
allowsFooInRequired.Spec.DefaultAddCapabilities = []v1.Capability{"foo"}
requiresFooToBeDropped := restrictivePSP()
requiresFooToBeDropped.Name = "requireDrop"
requiresFooToBeDropped.Spec.RequiredDropCapabilities = []kapi.Capability{"foo"}
requiresFooToBeDropped.Spec.RequiredDropCapabilities = []v1.Capability{"foo"}
allowAllInAllowed := restrictivePSP()
allowAllInAllowed.Name = "allowAllCapsInAllowed"
allowAllInAllowed.Spec.AllowedCapabilities = []kapi.Capability{policy.AllowAllCapabilities}
allowAllInAllowed.Spec.AllowedCapabilities = []v1.Capability{policy.AllowAllCapabilities}
tc := map[string]struct {
pod *kapi.Pod
@ -959,12 +960,18 @@ func TestAdmitSELinux(t *testing.T) {
mustRunAs := permissivePSP()
mustRunAs.Name = "mustRunAs"
mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
mustRunAs.Spec.SELinux.SELinuxOptions = &kapi.SELinuxOptions{}
mustRunAs.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{}
mustRunAs.Spec.SELinux.SELinuxOptions.Level = "level"
mustRunAs.Spec.SELinux.SELinuxOptions.Role = "role"
mustRunAs.Spec.SELinux.SELinuxOptions.Type = "type"
mustRunAs.Spec.SELinux.SELinuxOptions.User = "user"
getInternalSEOptions := func(policy *policy.PodSecurityPolicy) *kapi.SELinuxOptions {
opt := kapi.SELinuxOptions{}
k8s_api_v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(policy.Spec.SELinux.SELinuxOptions, &opt, nil)
return &opt
}
tests := map[string]struct {
pod *kapi.Pod
psps []*policy.PodSecurityPolicy
@ -1047,7 +1054,7 @@ func TestAdmitSELinux(t *testing.T) {
psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
expectedContainerSC: nil,
expectedPSP: mustRunAs.Name,
},
@ -1059,7 +1066,7 @@ func TestAdmitSELinux(t *testing.T) {
psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
expectedContainerSC: nil,
expectedPSP: mustRunAs.Name,
},
@ -1071,7 +1078,7 @@ func TestAdmitSELinux(t *testing.T) {
psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
expectedContainerSC: nil,
expectedPSP: mustRunAs.Name,
},
@ -2337,12 +2344,14 @@ func TestPreferValidatedPSP(t *testing.T) {
}
func restrictivePSP() *policy.PodSecurityPolicy {
allowPrivilegeEscalation := false
return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "restrictive",
Annotations: map[string]string{},
},
Spec: policy.PodSecurityPolicySpec{
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyMustRunAs,
Ranges: []policy.IDRange{
@ -2357,7 +2366,7 @@ func restrictivePSP() *policy.PodSecurityPolicy {
},
SELinux: policy.SELinuxStrategyOptions{
Rule: policy.SELinuxStrategyMustRunAs,
SELinuxOptions: &kapi.SELinuxOptions{
SELinuxOptions: &v1.SELinuxOptions{
Level: "s9:z0,z1",
},
},
@ -2378,19 +2387,20 @@ func restrictivePSP() *policy.PodSecurityPolicy {
}
func permissivePSP() *policy.PodSecurityPolicy {
allowPrivilegeEscalation := true
return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "privileged",
Annotations: map[string]string{},
},
Spec: policy.PodSecurityPolicySpec{
AllowPrivilegeEscalation: true,
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
HostIPC: true,
HostNetwork: true,
HostPID: true,
HostPorts: []policy.HostPortRange{{Min: 0, Max: 65536}},
Volumes: []policy.FSType{policy.All},
AllowedCapabilities: []kapi.Capability{policy.AllowAllCapabilities},
AllowedCapabilities: []v1.Capability{policy.AllowAllCapabilities},
RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyRunAsAny,
},