diff --git a/pkg/security/podsecuritypolicy/provider.go b/pkg/security/podsecuritypolicy/provider.go
index cc5132654b..8567ecf437 100644
--- a/pkg/security/podsecuritypolicy/provider.go
+++ b/pkg/security/podsecuritypolicy/provider.go
@@ -179,8 +179,8 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container
 return nil
 }
-// Ensure a pod's SecurityContext is in compliance with the given constraints.
-func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList {
+// ValidatePod ensure a pod is in compliance with the given constraints.
+func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
 sc := securitycontext.NewPodSecurityContextAccessor(pod.Spec.SecurityContext)
@@ -209,8 +209,6 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 allErrs = append(allErrs, s.strategies.SysctlsStrategy.Validate(pod)...)
- // TODO(tallclair): ValidatePodSecurityContext should be renamed to ValidatePod since its scope
- // is not limited to the PodSecurityContext.
 if len(pod.Spec.Volumes) > 0 {
 allowsAllVolumeTypes := psputil.PSPAllowsAllVolumes(s.psp)
 allowedVolumes := psputil.FSTypeToStringSet(s.psp.Spec.Volumes)
diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go
index 0f90663c33..aabaf9ffb9 100644
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
@@ -369,7 +369,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 if err != nil {
 t.Fatalf("unable to create provider %v", err)
 }
- errs := provider.ValidatePodSecurityContext(v.pod, field.NewPath(""))
+ errs := provider.ValidatePod(v.pod, field.NewPath(""))
 if len(errs) == 0 {
 t.Errorf("%s expected validation failure but did not receive errors", k)
 continue
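Review bot: The new doc comment on the renamed method, `// ValidatePod ensure a pod is in compliance with the given constraints.`, has a grammar slip and still does not say what the removed TODO was pointing at, namely that the check is not limited to the PodSecurityContext. The second hunk shows the method also running `s.strategies.SysctlsStrategy.Validate(pod)` and the `pod.Spec.Volumes` allow-list check, so the widened scope is worth stating for callers deciding which errors to expect from this call. I would write `// ValidatePod ensures that a pod complies with the given constraints. Its scope is the whole pod: the pod-level security context as well as sysctls and volume types, not the PodSecurityContext alone.` The body of ValidatePod starts in the first hunk and continues past the end of the second one, so I cannot see how fldPath is threaded into the volume and sysctl errors.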
@@ -732,7 +732,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 if err != nil {
 t.Fatalf("unable to create provider %v", err)
 }
- errs := provider.ValidatePodSecurityContext(v.pod, field.NewPath(""))
+ errs := provider.ValidatePod(v.pod, field.NewPath(""))
 if len(errs) != 0 {
 t.Errorf("%s expected validation pass but received errors %v", k, errs)
 continue
@@ -1094,7 +1094,7 @@ func TestValidateAllowedVolumes(t *testing.T) {
 }
 // expect a denial for this PSP and test the error message to ensure it's related to the volumesource
- errs := provider.ValidatePodSecurityContext(pod, field.NewPath(""))
+ errs := provider.ValidatePod(pod, field.NewPath(""))
 if len(errs) != 1 {
 t.Errorf("expected exactly 1 error for %s but got %v", fieldVal.Name, errs)
 } else {
@@ -1105,14 +1105,14 @@ func TestValidateAllowedVolumes(t *testing.T) {
 // now add the fstype directly to the psp and it should validate
 psp.Spec.Volumes = []extensions.FSType{fsType}
- errs = provider.ValidatePodSecurityContext(pod, field.NewPath(""))
+ errs = provider.ValidatePod(pod, field.NewPath(""))
 if len(errs) != 0 {
 t.Errorf("directly allowing volume expected no errors for %s but got %v", fieldVal.Name, errs)
 }
 // now change the psp to allow any volumes and the pod should still validate
 psp.Spec.Volumes = []extensions.FSType{extensions.All}
- errs = provider.ValidatePodSecurityContext(pod, field.NewPath(""))
+ errs = provider.ValidatePod(pod, field.NewPath(""))
 if len(errs) != 0 {
 t.Errorf("wildcard volume expected no errors for %s but got %v", fieldVal.Name, errs)
 }
diff --git a/pkg/security/podsecuritypolicy/types.go b/pkg/security/podsecuritypolicy/types.go
index 1cb7b025b4..c839c680e3 100644
--- a/pkg/security/podsecuritypolicy/types.go
+++ b/pkg/security/podsecuritypolicy/types.go
@@ -38,8 +38,8 @@ type Provider interface {
 // DefaultContainerSecurityContext sets the default values of the required but not filled fields.
 // It modifies the SecurityContext of the container and annotations of the pod.
 DefaultContainerSecurityContext(pod *api.Pod, container *api.Container) error
- // Ensure a pod's SecurityContext is in compliance with the given constraints.
- ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList
+ // Ensure a pod is in compliance with the given constraints.
+ ValidatePod(pod *api.Pod, fldPath *field.Path) field.ErrorList
 // Ensure a container's SecurityContext is in compliance with the given constraints
 ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList
 // Get the name of the PSP that this provider was initialized with.
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission.go b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
index 380cf2b63a..17a2a6c052 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
@@ -301,7 +301,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
 errs = append(errs, field.Invalid(field.NewPath("spec", "securityContext"), pod.Spec.SecurityContext, err.Error()))
 }
- errs = append(errs, provider.ValidatePodSecurityContext(pod, field.NewPath("spec", "securityContext"))...)
+ errs = append(errs, provider.ValidatePod(pod, field.NewPath("spec", "securityContext"))...)
 for i := range pod.Spec.InitContainers {
 err := provider.DefaultContainerSecurityContext(pod, &pod.Spec.InitContainers[i])
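Review bot: The call site still passes `field.NewPath("spec", "securityContext")` to the renamed `provider.ValidatePod`, even though the commit's own provider.go hunks show the method also validating sysctls and the `pod.Spec.Volumes` allow-list. If the provider derives its error paths from that fldPath, a rejected volume type or sysctl would be reported to the user under `spec.securityContext`, which points admins at the wrong field when they debug a PSP denial; I cannot see the path construction inside ValidatePod from this hunk, so this needs confirming. The cleaner shape is to pass the pod root, `provider.ValidatePod(pod, field.NewPath("spec"))`, and have the provider append `securityContext`, `volumes` or `sysctls` per check, which is a companion change in provider.go rather than something this line can fix alone. The `assignSecurityContext` signature in the hunk header also carries its own `fldPath` parameter that this line ignores in favor of a hard-coded path; if that is intentional a one-line comment saying why would help. The function begins before and continues after this hunk.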