Use pointer for PSP allow escalation

parent 7b61fb37
......@@ -70224,7 +70224,7 @@
],
"properties": {
"allowPrivilegeEscalation": {
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.",
"type": "boolean"
},
"allowedCapabilities": {
......@@ -10197,7 +10197,7 @@
},
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation."
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true."
},
"allowedHostPaths": {
"type": "array",
......
......@@ -7809,7 +7809,7 @@ Both these may change in the future. Incoming requests are matched against the h
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
......
......@@ -105,6 +105,8 @@ func TestDefaulting(t *testing.T) {
{Group: "apps", Version: "v1beta1", Kind: "DeploymentList"}: {},
{Group: "apps", Version: "v1beta2", Kind: "Deployment"}: {},
{Group: "apps", Version: "v1beta2", Kind: "DeploymentList"}: {},
{Group: "extensions", Version: "v1beta1", Kind: "PodSecurityPolicy"}: {},
{Group: "extensions", Version: "v1beta1", Kind: "PodSecurityPolicyList"}: {},
{Group: "apps", Version: "v1beta2", Kind: "ReplicaSet"}: {},
{Group: "apps", Version: "v1beta2", Kind: "ReplicaSetList"}: {},
{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSet"}: {},
......
......@@ -937,7 +937,7 @@ type PodSecurityPolicySpec struct {
// +optional
DefaultAllowPrivilegeEscalation *bool
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation.
// privilege escalation. If unspecified, defaults to true.
// +optional
AllowPrivilegeEscalation bool
// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
......
......@@ -63,6 +63,15 @@ func SetDefaults_DaemonSet(obj *extensionsv1beta1.DaemonSet) {
}
}
func SetDefaults_PodSecurityPolicySpec(obj *extensionsv1beta1.PodSecurityPolicySpec) {
// This field was added after PodSecurityPolicy was released.
// Policies that do not include this field must remain as permissive as they were prior to the introduction of this field.
if obj.AllowPrivilegeEscalation == nil {
t := true
obj.AllowPrivilegeEscalation = &t
}
}
func SetDefaults_Deployment(obj *extensionsv1beta1.Deployment) {
// Default labels and selector to labels from pod template spec.
labels := obj.Spec.Template.Labels
......
......@@ -509,6 +509,15 @@ func TestDefaultRequestIsNotSetForReplicaSet(t *testing.T) {
}
}
func TestDefaultAllowPrivilegeEscalationForPodSecurityPolicy(t *testing.T) {
psp := &extensionsv1beta1.PodSecurityPolicy{}
output := roundTrip(t, runtime.Object(psp))
psp2 := output.(*extensionsv1beta1.PodSecurityPolicy)
if psp2.Spec.AllowPrivilegeEscalation == nil || *psp2.Spec.AllowPrivilegeEscalation != true {
t.Errorf("Expected default to true, got: %#v", psp2.Spec.AllowPrivilegeEscalation)
}
}
func TestSetDefaultNetworkPolicy(t *testing.T) {
tests := []struct {
original *extensionsv1beta1.NetworkPolicy
......
......@@ -1075,7 +1075,9 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
return err
}
out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
return nil
}
......@@ -1119,7 +1121,9 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
if err := v1.Convert_bool_To_Pointer_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
return err
}
out.AllowedHostPaths = *(*[]v1beta1.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
return nil
}
......
......@@ -36,6 +36,8 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
scheme.AddTypeDefaultingFunc(&v1beta1.DeploymentList{}, func(obj interface{}) { SetObjectDefaults_DeploymentList(obj.(*v1beta1.DeploymentList)) })
scheme.AddTypeDefaultingFunc(&v1beta1.NetworkPolicy{}, func(obj interface{}) { SetObjectDefaults_NetworkPolicy(obj.(*v1beta1.NetworkPolicy)) })
scheme.AddTypeDefaultingFunc(&v1beta1.NetworkPolicyList{}, func(obj interface{}) { SetObjectDefaults_NetworkPolicyList(obj.(*v1beta1.NetworkPolicyList)) })
scheme.AddTypeDefaultingFunc(&v1beta1.PodSecurityPolicy{}, func(obj interface{}) { SetObjectDefaults_PodSecurityPolicy(obj.(*v1beta1.PodSecurityPolicy)) })
scheme.AddTypeDefaultingFunc(&v1beta1.PodSecurityPolicyList{}, func(obj interface{}) { SetObjectDefaults_PodSecurityPolicyList(obj.(*v1beta1.PodSecurityPolicyList)) })
scheme.AddTypeDefaultingFunc(&v1beta1.ReplicaSet{}, func(obj interface{}) { SetObjectDefaults_ReplicaSet(obj.(*v1beta1.ReplicaSet)) })
scheme.AddTypeDefaultingFunc(&v1beta1.ReplicaSetList{}, func(obj interface{}) { SetObjectDefaults_ReplicaSetList(obj.(*v1beta1.ReplicaSetList)) })
return nil
......@@ -340,6 +342,17 @@ func SetObjectDefaults_NetworkPolicyList(in *v1beta1.NetworkPolicyList) {
}
}
func SetObjectDefaults_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy) {
SetDefaults_PodSecurityPolicySpec(&in.Spec)
}
func SetObjectDefaults_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList) {
for i := range in.Items {
a := &in.Items[i]
SetObjectDefaults_PodSecurityPolicy(a)
}
}
func SetObjectDefaults_ReplicaSet(in *v1beta1.ReplicaSet) {
SetDefaults_ReplicaSet(in)
v1.SetDefaults_PodSpec(&in.Spec.Template.Spec)
......
......@@ -815,7 +815,7 @@ message PodSecurityPolicySpec {
optional bool defaultAllowPrivilegeEscalation = 15;
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation.
// privilege escalation. If unspecified, defaults to true.
// +optional
optional bool allowPrivilegeEscalation = 16;
......
......@@ -975,9 +975,9 @@ type PodSecurityPolicySpec struct {
// +optional
DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"`
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation.
// privilege escalation. If unspecified, defaults to true.
// +optional
AllowPrivilegeEscalation bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
// is a white list of allowed host paths. Empty indicates that all host paths may be used.
// +optional
AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
......
......@@ -458,7 +458,7 @@ var map_PodSecurityPolicySpec = map[string]string{
"fsGroup": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.",
"allowPrivilegeEscalation": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
"allowPrivilegeEscalation": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.",
"allowedHostPaths": "is a white list of allowed host paths. Empty indicates that all host paths may be used.",
}
......
......@@ -1431,6 +1431,15 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
**out = **in
}
}
if in.AllowPrivilegeEscalation != nil {
in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
if in.AllowedHostPaths != nil {
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
*out = make([]AllowedHostPath, len(*in))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment