Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
e2afc975
Unverified
Commit
e2afc975
authored
May 18, 2016
by
Clayton Coleman
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add init containers to PSP admission
Treat them just like regular containers.
parent
01cf9869
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
58 additions
and
0 deletions
+58
-0
admission.go
plugin/pkg/admission/security/podsecuritypolicy/admission.go
+24
-0
admission_test.go
...kg/admission/security/podsecuritypolicy/admission_test.go
+34
-0
No files found.
plugin/pkg/admission/security/podsecuritypolicy/admission.go
View file @
e2afc975
...
@@ -186,6 +186,7 @@ func (c *podSecurityPolicyPlugin) Admit(a admission.Attributes) error {
...
@@ -186,6 +186,7 @@ func (c *podSecurityPolicyPlugin) Admit(a admission.Attributes) error {
// the same psp or is not considered valid.
// the same psp or is not considered valid.
func
assignSecurityContext
(
provider
psp
.
Provider
,
pod
*
api
.
Pod
,
fldPath
*
field
.
Path
)
field
.
ErrorList
{
func
assignSecurityContext
(
provider
psp
.
Provider
,
pod
*
api
.
Pod
,
fldPath
*
field
.
Path
)
field
.
ErrorList
{
generatedSCs
:=
make
([]
*
api
.
SecurityContext
,
len
(
pod
.
Spec
.
Containers
))
generatedSCs
:=
make
([]
*
api
.
SecurityContext
,
len
(
pod
.
Spec
.
Containers
))
var
generatedInitSCs
[]
*
api
.
SecurityContext
errs
:=
field
.
ErrorList
{}
errs
:=
field
.
ErrorList
{}
...
@@ -203,6 +204,26 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
...
@@ -203,6 +204,26 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
// Note: this is not changing the original container, we will set container SCs later so long
// Note: this is not changing the original container, we will set container SCs later so long
// as all containers validated under the same PSP.
// as all containers validated under the same PSP.
for
i
,
containerCopy
:=
range
pod
.
Spec
.
InitContainers
{
// We will determine the effective security context for the container and validate against that
// since that is how the sc provider will eventually apply settings in the runtime.
// This results in an SC that is based on the Pod's PSC with the set fields from the container
// overriding pod level settings.
containerCopy
.
SecurityContext
=
sc
.
DetermineEffectiveSecurityContext
(
pod
,
&
containerCopy
)
sc
,
err
:=
provider
.
CreateContainerSecurityContext
(
pod
,
&
containerCopy
)
if
err
!=
nil
{
errs
=
append
(
errs
,
field
.
Invalid
(
field
.
NewPath
(
"spec"
,
"initContainers"
)
.
Index
(
i
)
.
Child
(
"securityContext"
),
""
,
err
.
Error
()))
continue
}
generatedInitSCs
=
append
(
generatedInitSCs
,
sc
)
containerCopy
.
SecurityContext
=
sc
errs
=
append
(
errs
,
provider
.
ValidateContainerSecurityContext
(
pod
,
&
containerCopy
,
field
.
NewPath
(
"spec"
,
"initContainers"
)
.
Index
(
i
)
.
Child
(
"securityContext"
))
...
)
}
// Note: this is not changing the original container, we will set container SCs later so long
// as all containers validated under the same PSP.
for
i
,
containerCopy
:=
range
pod
.
Spec
.
Containers
{
for
i
,
containerCopy
:=
range
pod
.
Spec
.
Containers
{
// We will determine the effective security context for the container and validate against that
// We will determine the effective security context for the container and validate against that
// since that is how the sc provider will eventually apply settings in the runtime.
// since that is how the sc provider will eventually apply settings in the runtime.
...
@@ -229,6 +250,9 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
...
@@ -229,6 +250,9 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
// if we've reached this code then we've generated and validated an SC for every container in the
// if we've reached this code then we've generated and validated an SC for every container in the
// pod so let's apply what we generated. Note: the psc is already applied.
// pod so let's apply what we generated. Note: the psc is already applied.
for
i
,
sc
:=
range
generatedInitSCs
{
pod
.
Spec
.
InitContainers
[
i
]
.
SecurityContext
=
sc
}
for
i
,
sc
:=
range
generatedSCs
{
for
i
,
sc
:=
range
generatedSCs
{
pod
.
Spec
.
Containers
[
i
]
.
SecurityContext
=
sc
pod
.
Spec
.
Containers
[
i
]
.
SecurityContext
=
sc
}
}
...
...
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View file @
e2afc975
...
@@ -44,6 +44,12 @@ func NewTestAdmission(store cache.Store, kclient clientset.Interface) kadmission
...
@@ -44,6 +44,12 @@ func NewTestAdmission(store cache.Store, kclient clientset.Interface) kadmission
}
}
}
}
func
useInitContainers
(
pod
*
kapi
.
Pod
)
*
kapi
.
Pod
{
pod
.
Spec
.
InitContainers
=
pod
.
Spec
.
Containers
pod
.
Spec
.
Containers
=
[]
kapi
.
Container
{}
return
pod
}
func
TestAdmitPrivileged
(
t
*
testing
.
T
)
{
func
TestAdmitPrivileged
(
t
*
testing
.
T
)
{
createPodWithPriv
:=
func
(
priv
bool
)
*
kapi
.
Pod
{
createPodWithPriv
:=
func
(
priv
bool
)
*
kapi
.
Pod
{
pod
:=
goodPod
()
pod
:=
goodPod
()
...
@@ -203,6 +209,18 @@ func TestAdmitCaps(t *testing.T) {
...
@@ -203,6 +209,18 @@ func TestAdmitCaps(t *testing.T) {
}
}
}
}
}
}
for
k
,
v
:=
range
tc
{
useInitContainers
(
v
.
pod
)
testPSPAdmit
(
k
,
v
.
psps
,
v
.
pod
,
v
.
shouldPass
,
v
.
expectedPSP
,
t
)
if
v
.
expectedCapabilities
!=
nil
{
if
!
reflect
.
DeepEqual
(
v
.
expectedCapabilities
,
v
.
pod
.
Spec
.
InitContainers
[
0
]
.
SecurityContext
.
Capabilities
)
{
t
.
Errorf
(
"%s resulted in caps that were not expected - expected: %v, received: %v"
,
k
,
v
.
expectedCapabilities
,
v
.
pod
.
Spec
.
InitContainers
[
0
]
.
SecurityContext
.
Capabilities
)
}
}
}
}
}
func
TestAdmitVolumes
(
t
*
testing
.
T
)
{
func
TestAdmitVolumes
(
t
*
testing
.
T
)
{
...
@@ -235,6 +253,10 @@ func TestAdmitVolumes(t *testing.T) {
...
@@ -235,6 +253,10 @@ func TestAdmitVolumes(t *testing.T) {
// expect a denial for this PSP
// expect a denial for this PSP
testPSPAdmit
(
fmt
.
Sprintf
(
"%s denial"
,
string
(
fsType
)),
[]
*
extensions
.
PodSecurityPolicy
{
psp
},
pod
,
false
,
""
,
t
)
testPSPAdmit
(
fmt
.
Sprintf
(
"%s denial"
,
string
(
fsType
)),
[]
*
extensions
.
PodSecurityPolicy
{
psp
},
pod
,
false
,
""
,
t
)
// also expect a denial for this PSP if it's an init container
useInitContainers
(
pod
)
testPSPAdmit
(
fmt
.
Sprintf
(
"%s denial"
,
string
(
fsType
)),
[]
*
extensions
.
PodSecurityPolicy
{
psp
},
pod
,
false
,
""
,
t
)
// now add the fstype directly to the psp and it should validate
// now add the fstype directly to the psp and it should validate
psp
.
Spec
.
Volumes
=
[]
extensions
.
FSType
{
fsType
}
psp
.
Spec
.
Volumes
=
[]
extensions
.
FSType
{
fsType
}
testPSPAdmit
(
fmt
.
Sprintf
(
"%s direct accept"
,
string
(
fsType
)),
[]
*
extensions
.
PodSecurityPolicy
{
psp
},
pod
,
true
,
psp
.
Name
,
t
)
testPSPAdmit
(
fmt
.
Sprintf
(
"%s direct accept"
,
string
(
fsType
)),
[]
*
extensions
.
PodSecurityPolicy
{
psp
},
pod
,
true
,
psp
.
Name
,
t
)
...
@@ -304,6 +326,18 @@ func TestAdmitHostNetwork(t *testing.T) {
...
@@ -304,6 +326,18 @@ func TestAdmitHostNetwork(t *testing.T) {
}
}
}
}
}
}
// test again with init containers
for
k
,
v
:=
range
tests
{
useInitContainers
(
v
.
pod
)
testPSPAdmit
(
k
,
v
.
psps
,
v
.
pod
,
v
.
shouldPass
,
v
.
expectedPSP
,
t
)
if
v
.
shouldPass
{
if
v
.
pod
.
Spec
.
SecurityContext
.
HostNetwork
!=
v
.
expectedHostNetwork
{
t
.
Errorf
(
"%s expected hostNetwork to be %t"
,
k
,
v
.
expectedHostNetwork
)
}
}
}
}
}
func
TestAdmitHostPorts
(
t
*
testing
.
T
)
{
func
TestAdmitHostPorts
(
t
*
testing
.
T
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment