Commit dc02dfe5 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #52301 from tallclair/psp-seccomp

Automatic merge from submit-queue (batch tested with PRs 52339, 52343, 52125, 52360, 52301) '*' is valid for allowed seccomp profiles **What this PR does / why we need it**: This should be valid on a PodSecurityPolicy, but is currently rejected: ``` seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' ``` **Which issue this PR fixes**: fixes #52300 ```release-note NONE ```
parents 83c2f358 49a38728
...@@ -698,6 +698,9 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, ...@@ -698,6 +698,9 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string,
} }
if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" { if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
for _, p := range strings.Split(allowed, ",") { for _, p := range strings.Split(allowed, ",") {
if p == seccomp.AllowAny {
continue
}
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...) allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
} }
} }
......
...@@ -2496,6 +2496,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) { ...@@ -2496,6 +2496,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
invalidSeccompDefault.Annotations = map[string]string{ invalidSeccompDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "not-good", seccomp.DefaultProfileAnnotationKey: "not-good",
} }
invalidSeccompAllowAnyDefault := validPSP()
invalidSeccompAllowAnyDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "*",
}
invalidSeccompAllowed := validPSP() invalidSeccompAllowed := validPSP()
invalidSeccompAllowed.Annotations = map[string]string{ invalidSeccompAllowed.Annotations = map[string]string{
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good", seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
...@@ -2616,6 +2620,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) { ...@@ -2616,6 +2620,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
errorType: field.ErrorTypeInvalid, errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile", errorDetail: "must be a valid seccomp profile",
}, },
"invalid seccomp allow any default profile": {
psp: invalidSeccompAllowAnyDefault,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid seccomp allowed profile": { "invalid seccomp allowed profile": {
psp: invalidSeccompAllowed, psp: invalidSeccompAllowed,
errorType: field.ErrorTypeInvalid, errorType: field.ErrorTypeInvalid,
...@@ -2707,7 +2716,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) { ...@@ -2707,7 +2716,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
validSeccomp := validPSP() validSeccomp := validPSP()
validSeccomp.Annotations = map[string]string{ validSeccomp.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "docker/default", seccomp.DefaultProfileAnnotationKey: "docker/default",
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo", seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*",
} }
validDefaultAllowPrivilegeEscalation := validPSP() validDefaultAllowPrivilegeEscalation := validPSP()
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment