Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
d02e3bd7
Commit
d02e3bd7
authored
Aug 16, 2018
by
Weibin Lin
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
use PodSecurityPolicySpec of policy/v1beta1 instead of extensions/v1beta1
parent
6f4b768c
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
31 additions
and
169 deletions
+31
-169
printers.go
pkg/printers/internalversion/printers.go
+9
-8
pod_security_policy.go
test/e2e/auth/pod_security_policy.go
+7
-146
psp_util.go
test/e2e/framework/psp_util.go
+15
-15
No files found.
pkg/printers/internalversion/printers.go
View file @
d02e3bd7
...
...
@@ -34,6 +34,7 @@ import (
coordinationv1beta1
"k8s.io/api/coordination/v1beta1"
apiv1
"k8s.io/api/core/v1"
extensionsv1beta1
"k8s.io/api/extensions/v1beta1"
policyv1beta1
"k8s.io/api/policy/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
schedulingv1beta1
"k8s.io/api/scheduling/v1beta1"
storagev1
"k8s.io/api/storage/v1"
...
...
@@ -346,14 +347,14 @@ func AddHandlers(h printers.PrintHandler) {
podSecurityPolicyColumnDefinitions
:=
[]
metav1beta1
.
TableColumnDefinition
{
{
Name
:
"Name"
,
Type
:
"string"
,
Format
:
"name"
,
Description
:
metav1
.
ObjectMeta
{}
.
SwaggerDoc
()[
"name"
]},
{
Name
:
"Priv"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"privileged"
]},
{
Name
:
"Caps"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"allowedCapabilities"
]},
{
Name
:
"SELinux"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"seLinux"
]},
{
Name
:
"RunAsUser"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"runAsUser"
]},
{
Name
:
"FsGroup"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"fsGroup"
]},
{
Name
:
"SupGroup"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"supplementalGroups"
]},
{
Name
:
"ReadOnlyRootFs"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"readOnlyRootFilesystem"
]},
{
Name
:
"Volumes"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"volumes"
]},
{
Name
:
"Priv"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"privileged"
]},
{
Name
:
"Caps"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"allowedCapabilities"
]},
{
Name
:
"SELinux"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"seLinux"
]},
{
Name
:
"RunAsUser"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"runAsUser"
]},
{
Name
:
"FsGroup"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"fsGroup"
]},
{
Name
:
"SupGroup"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"supplementalGroups"
]},
{
Name
:
"ReadOnlyRootFs"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"readOnlyRootFilesystem"
]},
{
Name
:
"Volumes"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"volumes"
]},
}
h
.
TableHandler
(
podSecurityPolicyColumnDefinitions
,
printPodSecurityPolicy
)
h
.
TableHandler
(
podSecurityPolicyColumnDefinitions
,
printPodSecurityPolicyList
)
...
...
test/e2e/auth/pod_security_policy.go
View file @
d02e3bd7
...
...
@@ -20,7 +20,6 @@ import (
"fmt"
"k8s.io/api/core/v1"
extensionsv1beta1
"k8s.io/api/extensions/v1beta1"
policy
"k8s.io/api/policy/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
apierrs
"k8s.io/apimachinery/pkg/api/errors"
...
...
@@ -79,27 +78,9 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
expectForbidden
(
err
)
})
// TODO: merge tests for extensions/policy API groups when PSP will be completely moved out of the extensions
It
(
"should enforce the restricted extensions.PodSecurityPolicy"
,
func
()
{
By
(
"Creating & Binding a restricted policy for the test service account"
)
_
,
cleanup
:=
createAndBindPSP
(
f
,
restrictedPSP
(
"restrictive"
))
defer
cleanup
()
By
(
"Running a restricted pod"
)
pod
,
err
:=
c
.
CoreV1
()
.
Pods
(
ns
)
.
Create
(
restrictedPod
(
"allowed"
))
framework
.
ExpectNoError
(
err
)
framework
.
ExpectNoError
(
framework
.
WaitForPodNameRunningInNamespace
(
c
,
pod
.
Name
,
pod
.
Namespace
))
testPrivilegedPods
(
func
(
pod
*
v1
.
Pod
)
{
_
,
err
:=
c
.
CoreV1
()
.
Pods
(
ns
)
.
Create
(
pod
)
expectForbidden
(
err
)
})
})
It
(
"should enforce the restricted policy.PodSecurityPolicy"
,
func
()
{
By
(
"Creating & Binding a restricted policy for the test service account"
)
_
,
cleanup
:=
createAndBindPSP
InPolicy
(
f
,
restrictedPSPInPolicy
(
"restrictive"
))
_
,
cleanup
:=
createAndBindPSP
(
f
,
restrictedPSP
(
"restrictive"
))
defer
cleanup
()
By
(
"Running a restricted pod"
)
...
...
@@ -113,34 +94,12 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
})
})
It
(
"should allow pods under the privileged extensions.PodSecurityPolicy"
,
func
()
{
By
(
"Creating & Binding a privileged policy for the test service account"
)
// Ensure that the permissive policy is used even in the presence of the restricted policy.
_
,
cleanup
:=
createAndBindPSP
(
f
,
restrictedPSP
(
"restrictive"
))
defer
cleanup
()
expectedPSP
,
cleanup
:=
createAndBindPSP
(
f
,
framework
.
PrivilegedPSP
(
"permissive"
))
defer
cleanup
()
testPrivilegedPods
(
func
(
pod
*
v1
.
Pod
)
{
p
,
err
:=
c
.
CoreV1
()
.
Pods
(
ns
)
.
Create
(
pod
)
framework
.
ExpectNoError
(
err
)
framework
.
ExpectNoError
(
framework
.
WaitForPodNameRunningInNamespace
(
c
,
p
.
Name
,
p
.
Namespace
))
// Verify expected PSP was used.
p
,
err
=
c
.
CoreV1
()
.
Pods
(
ns
)
.
Get
(
p
.
Name
,
metav1
.
GetOptions
{})
framework
.
ExpectNoError
(
err
)
validated
,
found
:=
p
.
Annotations
[
psputil
.
ValidatedPSPAnnotation
]
Expect
(
found
)
.
To
(
BeTrue
(),
"PSP annotation not found"
)
Expect
(
validated
)
.
To
(
Equal
(
expectedPSP
.
Name
),
"Unexpected validated PSP"
)
})
})
It
(
"should allow pods under the privileged policy.PodSecurityPolicy"
,
func
()
{
By
(
"Creating & Binding a privileged policy for the test service account"
)
// Ensure that the permissive policy is used even in the presence of the restricted policy.
_
,
cleanup
:=
createAndBindPSP
InPolicy
(
f
,
restrictedPSPInPolicy
(
"restrictive"
))
_
,
cleanup
:=
createAndBindPSP
(
f
,
restrictedPSP
(
"restrictive"
))
defer
cleanup
()
expectedPSP
,
cleanup
:=
createAndBindPSP
InPolicy
(
f
,
privilegedPSPInPolicy
(
"permissive"
))
expectedPSP
,
cleanup
:=
createAndBindPSP
(
f
,
privilegedPSP
(
"permissive"
))
defer
cleanup
()
testPrivilegedPods
(
func
(
pod
*
v1
.
Pod
)
{
...
...
@@ -229,49 +188,8 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
})
}
func
createAndBindPSP
(
f
*
framework
.
Framework
,
pspTemplate
*
extensionsv1beta1
.
PodSecurityPolicy
)
(
psp
*
extensionsv1beta1
.
PodSecurityPolicy
,
cleanup
func
())
{
// Create the PodSecurityPolicy object.
psp
=
pspTemplate
.
DeepCopy
()
// Add the namespace to the name to ensure uniqueness and tie it to the namespace.
ns
:=
f
.
Namespace
.
Name
name
:=
fmt
.
Sprintf
(
"%s-%s"
,
ns
,
psp
.
Name
)
psp
.
Name
=
name
psp
,
err
:=
f
.
ClientSet
.
ExtensionsV1beta1
()
.
PodSecurityPolicies
()
.
Create
(
psp
)
framework
.
ExpectNoError
(
err
,
"Failed to create PSP"
)
// Create the Role to bind it to the namespace.
_
,
err
=
f
.
ClientSet
.
RbacV1beta1
()
.
Roles
(
ns
)
.
Create
(
&
rbacv1beta1
.
Role
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
},
Rules
:
[]
rbacv1beta1
.
PolicyRule
{{
APIGroups
:
[]
string
{
"extensions"
},
Resources
:
[]
string
{
"podsecuritypolicies"
},
ResourceNames
:
[]
string
{
name
},
Verbs
:
[]
string
{
"use"
},
}},
})
framework
.
ExpectNoError
(
err
,
"Failed to create PSP role"
)
// Bind the role to the namespace.
framework
.
BindRoleInNamespace
(
f
.
ClientSet
.
RbacV1beta1
(),
name
,
ns
,
rbacv1beta1
.
Subject
{
Kind
:
rbacv1beta1
.
ServiceAccountKind
,
Namespace
:
ns
,
Name
:
"default"
,
})
framework
.
ExpectNoError
(
framework
.
WaitForNamedAuthorizationUpdate
(
f
.
ClientSet
.
AuthorizationV1beta1
(),
serviceaccount
.
MakeUsername
(
ns
,
"default"
),
ns
,
"use"
,
name
,
schema
.
GroupResource
{
Group
:
"extensions"
,
Resource
:
"podsecuritypolicies"
},
true
))
return
psp
,
func
()
{
// Cleanup non-namespaced PSP object.
f
.
ClientSet
.
ExtensionsV1beta1
()
.
PodSecurityPolicies
()
.
Delete
(
name
,
&
metav1
.
DeleteOptions
{})
}
}
// createAndBindPSPInPolicy creates a PSP in the policy API group (unlike createAndBindPSP()).
// TODO: merge these functions when PSP will be completely moved out of the extensions
func
createAndBindPSPInPolicy
(
f
*
framework
.
Framework
,
pspTemplate
*
policy
.
PodSecurityPolicy
)
(
psp
*
policy
.
PodSecurityPolicy
,
cleanup
func
())
{
// createAndBindPSP creates a PSP in the policy API group.
func
createAndBindPSP
(
f
*
framework
.
Framework
,
pspTemplate
*
policy
.
PodSecurityPolicy
)
(
psp
*
policy
.
PodSecurityPolicy
,
cleanup
func
())
{
// Create the PodSecurityPolicy object.
psp
=
pspTemplate
.
DeepCopy
()
// Add the namespace to the name to ensure uniqueness and tie it to the namespace.
...
...
@@ -334,8 +252,7 @@ func restrictedPod(name string) *v1.Pod {
}
// privilegedPSPInPolicy creates a PodSecurityPolicy (in the "policy" API Group) that allows everything.
// TODO: replace by PrivilegedPSP when PSP will be completely moved out of the extensions
func
privilegedPSPInPolicy
(
name
string
)
*
policy
.
PodSecurityPolicy
{
func
privilegedPSP
(
name
string
)
*
policy
.
PodSecurityPolicy
{
return
&
policy
.
PodSecurityPolicy
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
...
...
@@ -368,8 +285,7 @@ func privilegedPSPInPolicy(name string) *policy.PodSecurityPolicy {
}
// restrictedPSPInPolicy creates a PodSecurityPolicy (in the "policy" API Group) that is most strict.
// TODO: replace by restrictedPSP when PSP will be completely moved out of the extensions
func
restrictedPSPInPolicy
(
name
string
)
*
policy
.
PodSecurityPolicy
{
func
restrictedPSP
(
name
string
)
*
policy
.
PodSecurityPolicy
{
return
&
policy
.
PodSecurityPolicy
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
...
...
@@ -423,61 +339,6 @@ func restrictedPSPInPolicy(name string) *policy.PodSecurityPolicy {
}
}
// restrictedPSP creates a PodSecurityPolicy that is most strict.
func
restrictedPSP
(
name
string
)
*
extensionsv1beta1
.
PodSecurityPolicy
{
return
&
extensionsv1beta1
.
PodSecurityPolicy
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Annotations
:
map
[
string
]
string
{
seccomp
.
AllowedProfilesAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
seccomp
.
DefaultProfileAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
apparmor
.
AllowedProfilesAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
DefaultProfileAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
},
},
Spec
:
extensionsv1beta1
.
PodSecurityPolicySpec
{
Privileged
:
false
,
AllowPrivilegeEscalation
:
utilpointer
.
BoolPtr
(
false
),
RequiredDropCapabilities
:
[]
v1
.
Capability
{
"AUDIT_WRITE"
,
"CHOWN"
,
"DAC_OVERRIDE"
,
"FOWNER"
,
"FSETID"
,
"KILL"
,
"MKNOD"
,
"NET_RAW"
,
"SETGID"
,
"SETUID"
,
"SYS_CHROOT"
,
},
Volumes
:
[]
extensionsv1beta1
.
FSType
{
extensionsv1beta1
.
ConfigMap
,
extensionsv1beta1
.
EmptyDir
,
extensionsv1beta1
.
PersistentVolumeClaim
,
"projected"
,
extensionsv1beta1
.
Secret
,
},
HostNetwork
:
false
,
HostIPC
:
false
,
HostPID
:
false
,
RunAsUser
:
extensionsv1beta1
.
RunAsUserStrategyOptions
{
Rule
:
extensionsv1beta1
.
RunAsUserStrategyMustRunAsNonRoot
,
},
SELinux
:
extensionsv1beta1
.
SELinuxStrategyOptions
{
Rule
:
extensionsv1beta1
.
SELinuxStrategyRunAsAny
,
},
SupplementalGroups
:
extensionsv1beta1
.
SupplementalGroupsStrategyOptions
{
Rule
:
extensionsv1beta1
.
SupplementalGroupsStrategyRunAsAny
,
},
FSGroup
:
extensionsv1beta1
.
FSGroupStrategyOptions
{
Rule
:
extensionsv1beta1
.
FSGroupStrategyRunAsAny
,
},
ReadOnlyRootFilesystem
:
false
,
},
}
}
func
boolPtr
(
b
bool
)
*
bool
{
return
&
b
}
test/e2e/framework/psp_util.go
View file @
d02e3bd7
...
...
@@ -21,7 +21,7 @@ import (
"sync"
corev1
"k8s.io/api/core/v1"
extensionsv1beta1
"k8s.io/api/extensions
/v1beta1"
policy
"k8s.io/api/policy
/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
apierrs
"k8s.io/apimachinery/pkg/api/errors"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
...
...
@@ -42,33 +42,33 @@ var (
)
// Creates a PodSecurityPolicy that allows everything.
func
PrivilegedPSP
(
name
string
)
*
extensionsv1beta1
.
PodSecurityPolicy
{
func
PrivilegedPSP
(
name
string
)
*
policy
.
PodSecurityPolicy
{
allowPrivilegeEscalation
:=
true
return
&
extensionsv1beta1
.
PodSecurityPolicy
{
return
&
policy
.
PodSecurityPolicy
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Annotations
:
map
[
string
]
string
{
seccomp
.
AllowedProfilesAnnotationKey
:
seccomp
.
AllowAny
},
},
Spec
:
extensionsv1beta1
.
PodSecurityPolicySpec
{
Spec
:
policy
.
PodSecurityPolicySpec
{
Privileged
:
true
,
AllowPrivilegeEscalation
:
&
allowPrivilegeEscalation
,
AllowedCapabilities
:
[]
corev1
.
Capability
{
"*"
},
Volumes
:
[]
extensionsv1beta1
.
FSType
{
extensionsv1beta1
.
All
},
Volumes
:
[]
policy
.
FSType
{
policy
.
All
},
HostNetwork
:
true
,
HostPorts
:
[]
extensionsv1beta1
.
HostPortRange
{{
Min
:
0
,
Max
:
65535
}},
HostPorts
:
[]
policy
.
HostPortRange
{{
Min
:
0
,
Max
:
65535
}},
HostIPC
:
true
,
HostPID
:
true
,
RunAsUser
:
extensionsv1beta1
.
RunAsUserStrategyOptions
{
Rule
:
extensionsv1beta1
.
RunAsUserStrategyRunAsAny
,
RunAsUser
:
policy
.
RunAsUserStrategyOptions
{
Rule
:
policy
.
RunAsUserStrategyRunAsAny
,
},
SELinux
:
extensionsv1beta1
.
SELinuxStrategyOptions
{
Rule
:
extensionsv1beta1
.
SELinuxStrategyRunAsAny
,
SELinux
:
policy
.
SELinuxStrategyOptions
{
Rule
:
policy
.
SELinuxStrategyRunAsAny
,
},
SupplementalGroups
:
extensionsv1beta1
.
SupplementalGroupsStrategyOptions
{
Rule
:
extensionsv1beta1
.
SupplementalGroupsStrategyRunAsAny
,
SupplementalGroups
:
policy
.
SupplementalGroupsStrategyOptions
{
Rule
:
policy
.
SupplementalGroupsStrategyRunAsAny
,
},
FSGroup
:
extensionsv1beta1
.
FSGroupStrategyOptions
{
Rule
:
extensionsv1beta1
.
FSGroupStrategyRunAsAny
,
FSGroup
:
policy
.
FSGroupStrategyOptions
{
Rule
:
policy
.
FSGroupStrategyRunAsAny
,
},
ReadOnlyRootFilesystem
:
false
,
AllowedUnsafeSysctls
:
[]
string
{
"*"
},
...
...
@@ -112,7 +112,7 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
}
psp
:=
PrivilegedPSP
(
podSecurityPolicyPrivileged
)
psp
,
err
=
f
.
ClientSet
.
Extensions
V1beta1
()
.
PodSecurityPolicies
()
.
Create
(
psp
)
psp
,
err
=
f
.
ClientSet
.
Policy
V1beta1
()
.
PodSecurityPolicies
()
.
Create
(
psp
)
if
!
apierrs
.
IsAlreadyExists
(
err
)
{
ExpectNoError
(
err
,
"Failed to create PSP %s"
,
podSecurityPolicyPrivileged
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment