Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
fb6716e8
Unverified
Commit
fb6716e8
authored
Oct 29, 2018
by
k8s-ci-robot
Committed by
GitHub
Oct 29, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #67495 from islinwb/policy_psp
use PodSecurityPolicySpec of policy/v1beta1 instead of extensions/v1beta1
parents
eb1aa875
e81776b1
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
32 additions
and
170 deletions
+32
-170
BUILD
pkg/printers/internalversion/BUILD
+1
-0
printers.go
pkg/printers/internalversion/printers.go
+9
-8
BUILD
test/e2e/auth/BUILD
+0
-1
pod_security_policy.go
test/e2e/auth/pod_security_policy.go
+7
-146
psp_util.go
test/e2e/framework/psp_util.go
+15
-15
No files found.
pkg/printers/internalversion/BUILD
View file @
fb6716e8
...
@@ -96,6 +96,7 @@ go_library(
...
@@ -96,6 +96,7 @@ go_library(
"//staging/src/k8s.io/api/coordination/v1beta1:go_default_library",
"//staging/src/k8s.io/api/coordination/v1beta1:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/extensions/v1beta1:go_default_library",
"//staging/src/k8s.io/api/extensions/v1beta1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1beta1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1beta1:go_default_library",
"//staging/src/k8s.io/api/scheduling/v1beta1:go_default_library",
"//staging/src/k8s.io/api/scheduling/v1beta1:go_default_library",
...
...
pkg/printers/internalversion/printers.go
View file @
fb6716e8
...
@@ -34,6 +34,7 @@ import (
...
@@ -34,6 +34,7 @@ import (
coordinationv1beta1
"k8s.io/api/coordination/v1beta1"
coordinationv1beta1
"k8s.io/api/coordination/v1beta1"
apiv1
"k8s.io/api/core/v1"
apiv1
"k8s.io/api/core/v1"
extensionsv1beta1
"k8s.io/api/extensions/v1beta1"
extensionsv1beta1
"k8s.io/api/extensions/v1beta1"
policyv1beta1
"k8s.io/api/policy/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
schedulingv1beta1
"k8s.io/api/scheduling/v1beta1"
schedulingv1beta1
"k8s.io/api/scheduling/v1beta1"
storagev1
"k8s.io/api/storage/v1"
storagev1
"k8s.io/api/storage/v1"
...
@@ -346,14 +347,14 @@ func AddHandlers(h printers.PrintHandler) {
...
@@ -346,14 +347,14 @@ func AddHandlers(h printers.PrintHandler) {
podSecurityPolicyColumnDefinitions
:=
[]
metav1beta1
.
TableColumnDefinition
{
podSecurityPolicyColumnDefinitions
:=
[]
metav1beta1
.
TableColumnDefinition
{
{
Name
:
"Name"
,
Type
:
"string"
,
Format
:
"name"
,
Description
:
metav1
.
ObjectMeta
{}
.
SwaggerDoc
()[
"name"
]},
{
Name
:
"Name"
,
Type
:
"string"
,
Format
:
"name"
,
Description
:
metav1
.
ObjectMeta
{}
.
SwaggerDoc
()[
"name"
]},
{
Name
:
"Priv"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"privileged"
]},
{
Name
:
"Priv"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"privileged"
]},
{
Name
:
"Caps"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"allowedCapabilities"
]},
{
Name
:
"Caps"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"allowedCapabilities"
]},
{
Name
:
"SELinux"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"seLinux"
]},
{
Name
:
"SELinux"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"seLinux"
]},
{
Name
:
"RunAsUser"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"runAsUser"
]},
{
Name
:
"RunAsUser"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"runAsUser"
]},
{
Name
:
"FsGroup"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"fsGroup"
]},
{
Name
:
"FsGroup"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"fsGroup"
]},
{
Name
:
"SupGroup"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"supplementalGroups"
]},
{
Name
:
"SupGroup"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"supplementalGroups"
]},
{
Name
:
"ReadOnlyRootFs"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"readOnlyRootFilesystem"
]},
{
Name
:
"ReadOnlyRootFs"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"readOnlyRootFilesystem"
]},
{
Name
:
"Volumes"
,
Type
:
"string"
,
Description
:
extensions
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"volumes"
]},
{
Name
:
"Volumes"
,
Type
:
"string"
,
Description
:
policy
v1beta1
.
PodSecurityPolicySpec
{}
.
SwaggerDoc
()[
"volumes"
]},
}
}
h
.
TableHandler
(
podSecurityPolicyColumnDefinitions
,
printPodSecurityPolicy
)
h
.
TableHandler
(
podSecurityPolicyColumnDefinitions
,
printPodSecurityPolicy
)
h
.
TableHandler
(
podSecurityPolicyColumnDefinitions
,
printPodSecurityPolicyList
)
h
.
TableHandler
(
podSecurityPolicyColumnDefinitions
,
printPodSecurityPolicyList
)
...
...
test/e2e/auth/BUILD
View file @
fb6716e8
...
@@ -28,7 +28,6 @@ go_library(
...
@@ -28,7 +28,6 @@ go_library(
"//staging/src/k8s.io/api/batch/v1:go_default_library",
"//staging/src/k8s.io/api/batch/v1:go_default_library",
"//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/extensions/v1beta1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1beta1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1beta1:go_default_library",
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
...
...
test/e2e/auth/pod_security_policy.go
View file @
fb6716e8
...
@@ -20,7 +20,6 @@ import (
...
@@ -20,7 +20,6 @@ import (
"fmt"
"fmt"
"k8s.io/api/core/v1"
"k8s.io/api/core/v1"
extensionsv1beta1
"k8s.io/api/extensions/v1beta1"
policy
"k8s.io/api/policy/v1beta1"
policy
"k8s.io/api/policy/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
apierrs
"k8s.io/apimachinery/pkg/api/errors"
apierrs
"k8s.io/apimachinery/pkg/api/errors"
...
@@ -79,27 +78,9 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
...
@@ -79,27 +78,9 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
expectForbidden
(
err
)
expectForbidden
(
err
)
})
})
// TODO: merge tests for extensions/policy API groups when PSP will be completely moved out of the extensions
It
(
"should enforce the restricted extensions.PodSecurityPolicy"
,
func
()
{
By
(
"Creating & Binding a restricted policy for the test service account"
)
_
,
cleanup
:=
createAndBindPSP
(
f
,
restrictedPSP
(
"restrictive"
))
defer
cleanup
()
By
(
"Running a restricted pod"
)
pod
,
err
:=
c
.
CoreV1
()
.
Pods
(
ns
)
.
Create
(
restrictedPod
(
"allowed"
))
framework
.
ExpectNoError
(
err
)
framework
.
ExpectNoError
(
framework
.
WaitForPodNameRunningInNamespace
(
c
,
pod
.
Name
,
pod
.
Namespace
))
testPrivilegedPods
(
func
(
pod
*
v1
.
Pod
)
{
_
,
err
:=
c
.
CoreV1
()
.
Pods
(
ns
)
.
Create
(
pod
)
expectForbidden
(
err
)
})
})
It
(
"should enforce the restricted policy.PodSecurityPolicy"
,
func
()
{
It
(
"should enforce the restricted policy.PodSecurityPolicy"
,
func
()
{
By
(
"Creating & Binding a restricted policy for the test service account"
)
By
(
"Creating & Binding a restricted policy for the test service account"
)
_
,
cleanup
:=
createAndBindPSP
InPolicy
(
f
,
restrictedPSPInPolicy
(
"restrictive"
))
_
,
cleanup
:=
createAndBindPSP
(
f
,
restrictedPSP
(
"restrictive"
))
defer
cleanup
()
defer
cleanup
()
By
(
"Running a restricted pod"
)
By
(
"Running a restricted pod"
)
...
@@ -113,34 +94,12 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
...
@@ -113,34 +94,12 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
})
})
})
})
It
(
"should allow pods under the privileged extensions.PodSecurityPolicy"
,
func
()
{
By
(
"Creating & Binding a privileged policy for the test service account"
)
// Ensure that the permissive policy is used even in the presence of the restricted policy.
_
,
cleanup
:=
createAndBindPSP
(
f
,
restrictedPSP
(
"restrictive"
))
defer
cleanup
()
expectedPSP
,
cleanup
:=
createAndBindPSP
(
f
,
framework
.
PrivilegedPSP
(
"permissive"
))
defer
cleanup
()
testPrivilegedPods
(
func
(
pod
*
v1
.
Pod
)
{
p
,
err
:=
c
.
CoreV1
()
.
Pods
(
ns
)
.
Create
(
pod
)
framework
.
ExpectNoError
(
err
)
framework
.
ExpectNoError
(
framework
.
WaitForPodNameRunningInNamespace
(
c
,
p
.
Name
,
p
.
Namespace
))
// Verify expected PSP was used.
p
,
err
=
c
.
CoreV1
()
.
Pods
(
ns
)
.
Get
(
p
.
Name
,
metav1
.
GetOptions
{})
framework
.
ExpectNoError
(
err
)
validated
,
found
:=
p
.
Annotations
[
psputil
.
ValidatedPSPAnnotation
]
Expect
(
found
)
.
To
(
BeTrue
(),
"PSP annotation not found"
)
Expect
(
validated
)
.
To
(
Equal
(
expectedPSP
.
Name
),
"Unexpected validated PSP"
)
})
})
It
(
"should allow pods under the privileged policy.PodSecurityPolicy"
,
func
()
{
It
(
"should allow pods under the privileged policy.PodSecurityPolicy"
,
func
()
{
By
(
"Creating & Binding a privileged policy for the test service account"
)
By
(
"Creating & Binding a privileged policy for the test service account"
)
// Ensure that the permissive policy is used even in the presence of the restricted policy.
// Ensure that the permissive policy is used even in the presence of the restricted policy.
_
,
cleanup
:=
createAndBindPSP
InPolicy
(
f
,
restrictedPSPInPolicy
(
"restrictive"
))
_
,
cleanup
:=
createAndBindPSP
(
f
,
restrictedPSP
(
"restrictive"
))
defer
cleanup
()
defer
cleanup
()
expectedPSP
,
cleanup
:=
createAndBindPSP
InPolicy
(
f
,
privilegedPSPInPolicy
(
"permissive"
))
expectedPSP
,
cleanup
:=
createAndBindPSP
(
f
,
privilegedPSP
(
"permissive"
))
defer
cleanup
()
defer
cleanup
()
testPrivilegedPods
(
func
(
pod
*
v1
.
Pod
)
{
testPrivilegedPods
(
func
(
pod
*
v1
.
Pod
)
{
...
@@ -229,49 +188,8 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
...
@@ -229,49 +188,8 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
})
})
}
}
func
createAndBindPSP
(
f
*
framework
.
Framework
,
pspTemplate
*
extensionsv1beta1
.
PodSecurityPolicy
)
(
psp
*
extensionsv1beta1
.
PodSecurityPolicy
,
cleanup
func
())
{
// createAndBindPSP creates a PSP in the policy API group.
// Create the PodSecurityPolicy object.
func
createAndBindPSP
(
f
*
framework
.
Framework
,
pspTemplate
*
policy
.
PodSecurityPolicy
)
(
psp
*
policy
.
PodSecurityPolicy
,
cleanup
func
())
{
psp
=
pspTemplate
.
DeepCopy
()
// Add the namespace to the name to ensure uniqueness and tie it to the namespace.
ns
:=
f
.
Namespace
.
Name
name
:=
fmt
.
Sprintf
(
"%s-%s"
,
ns
,
psp
.
Name
)
psp
.
Name
=
name
psp
,
err
:=
f
.
ClientSet
.
ExtensionsV1beta1
()
.
PodSecurityPolicies
()
.
Create
(
psp
)
framework
.
ExpectNoError
(
err
,
"Failed to create PSP"
)
// Create the Role to bind it to the namespace.
_
,
err
=
f
.
ClientSet
.
RbacV1beta1
()
.
Roles
(
ns
)
.
Create
(
&
rbacv1beta1
.
Role
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
},
Rules
:
[]
rbacv1beta1
.
PolicyRule
{{
APIGroups
:
[]
string
{
"extensions"
},
Resources
:
[]
string
{
"podsecuritypolicies"
},
ResourceNames
:
[]
string
{
name
},
Verbs
:
[]
string
{
"use"
},
}},
})
framework
.
ExpectNoError
(
err
,
"Failed to create PSP role"
)
// Bind the role to the namespace.
framework
.
BindRoleInNamespace
(
f
.
ClientSet
.
RbacV1beta1
(),
name
,
ns
,
rbacv1beta1
.
Subject
{
Kind
:
rbacv1beta1
.
ServiceAccountKind
,
Namespace
:
ns
,
Name
:
"default"
,
})
framework
.
ExpectNoError
(
framework
.
WaitForNamedAuthorizationUpdate
(
f
.
ClientSet
.
AuthorizationV1beta1
(),
serviceaccount
.
MakeUsername
(
ns
,
"default"
),
ns
,
"use"
,
name
,
schema
.
GroupResource
{
Group
:
"extensions"
,
Resource
:
"podsecuritypolicies"
},
true
))
return
psp
,
func
()
{
// Cleanup non-namespaced PSP object.
f
.
ClientSet
.
ExtensionsV1beta1
()
.
PodSecurityPolicies
()
.
Delete
(
name
,
&
metav1
.
DeleteOptions
{})
}
}
// createAndBindPSPInPolicy creates a PSP in the policy API group (unlike createAndBindPSP()).
// TODO: merge these functions when PSP will be completely moved out of the extensions
func
createAndBindPSPInPolicy
(
f
*
framework
.
Framework
,
pspTemplate
*
policy
.
PodSecurityPolicy
)
(
psp
*
policy
.
PodSecurityPolicy
,
cleanup
func
())
{
// Create the PodSecurityPolicy object.
// Create the PodSecurityPolicy object.
psp
=
pspTemplate
.
DeepCopy
()
psp
=
pspTemplate
.
DeepCopy
()
// Add the namespace to the name to ensure uniqueness and tie it to the namespace.
// Add the namespace to the name to ensure uniqueness and tie it to the namespace.
...
@@ -334,8 +252,7 @@ func restrictedPod(name string) *v1.Pod {
...
@@ -334,8 +252,7 @@ func restrictedPod(name string) *v1.Pod {
}
}
// privilegedPSPInPolicy creates a PodSecurityPolicy (in the "policy" API Group) that allows everything.
// privilegedPSPInPolicy creates a PodSecurityPolicy (in the "policy" API Group) that allows everything.
// TODO: replace by PrivilegedPSP when PSP will be completely moved out of the extensions
func
privilegedPSP
(
name
string
)
*
policy
.
PodSecurityPolicy
{
func
privilegedPSPInPolicy
(
name
string
)
*
policy
.
PodSecurityPolicy
{
return
&
policy
.
PodSecurityPolicy
{
return
&
policy
.
PodSecurityPolicy
{
ObjectMeta
:
metav1
.
ObjectMeta
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Name
:
name
,
...
@@ -368,8 +285,7 @@ func privilegedPSPInPolicy(name string) *policy.PodSecurityPolicy {
...
@@ -368,8 +285,7 @@ func privilegedPSPInPolicy(name string) *policy.PodSecurityPolicy {
}
}
// restrictedPSPInPolicy creates a PodSecurityPolicy (in the "policy" API Group) that is most strict.
// restrictedPSPInPolicy creates a PodSecurityPolicy (in the "policy" API Group) that is most strict.
// TODO: replace by restrictedPSP when PSP will be completely moved out of the extensions
func
restrictedPSP
(
name
string
)
*
policy
.
PodSecurityPolicy
{
func
restrictedPSPInPolicy
(
name
string
)
*
policy
.
PodSecurityPolicy
{
return
&
policy
.
PodSecurityPolicy
{
return
&
policy
.
PodSecurityPolicy
{
ObjectMeta
:
metav1
.
ObjectMeta
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Name
:
name
,
...
@@ -423,61 +339,6 @@ func restrictedPSPInPolicy(name string) *policy.PodSecurityPolicy {
...
@@ -423,61 +339,6 @@ func restrictedPSPInPolicy(name string) *policy.PodSecurityPolicy {
}
}
}
}
// restrictedPSP creates a PodSecurityPolicy that is most strict.
func
restrictedPSP
(
name
string
)
*
extensionsv1beta1
.
PodSecurityPolicy
{
return
&
extensionsv1beta1
.
PodSecurityPolicy
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Annotations
:
map
[
string
]
string
{
seccomp
.
AllowedProfilesAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
seccomp
.
DefaultProfileAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
apparmor
.
AllowedProfilesAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
DefaultProfileAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
},
},
Spec
:
extensionsv1beta1
.
PodSecurityPolicySpec
{
Privileged
:
false
,
AllowPrivilegeEscalation
:
utilpointer
.
BoolPtr
(
false
),
RequiredDropCapabilities
:
[]
v1
.
Capability
{
"AUDIT_WRITE"
,
"CHOWN"
,
"DAC_OVERRIDE"
,
"FOWNER"
,
"FSETID"
,
"KILL"
,
"MKNOD"
,
"NET_RAW"
,
"SETGID"
,
"SETUID"
,
"SYS_CHROOT"
,
},
Volumes
:
[]
extensionsv1beta1
.
FSType
{
extensionsv1beta1
.
ConfigMap
,
extensionsv1beta1
.
EmptyDir
,
extensionsv1beta1
.
PersistentVolumeClaim
,
"projected"
,
extensionsv1beta1
.
Secret
,
},
HostNetwork
:
false
,
HostIPC
:
false
,
HostPID
:
false
,
RunAsUser
:
extensionsv1beta1
.
RunAsUserStrategyOptions
{
Rule
:
extensionsv1beta1
.
RunAsUserStrategyMustRunAsNonRoot
,
},
SELinux
:
extensionsv1beta1
.
SELinuxStrategyOptions
{
Rule
:
extensionsv1beta1
.
SELinuxStrategyRunAsAny
,
},
SupplementalGroups
:
extensionsv1beta1
.
SupplementalGroupsStrategyOptions
{
Rule
:
extensionsv1beta1
.
SupplementalGroupsStrategyRunAsAny
,
},
FSGroup
:
extensionsv1beta1
.
FSGroupStrategyOptions
{
Rule
:
extensionsv1beta1
.
FSGroupStrategyRunAsAny
,
},
ReadOnlyRootFilesystem
:
false
,
},
}
}
func
boolPtr
(
b
bool
)
*
bool
{
func
boolPtr
(
b
bool
)
*
bool
{
return
&
b
return
&
b
}
}
test/e2e/framework/psp_util.go
View file @
fb6716e8
...
@@ -21,7 +21,7 @@ import (
...
@@ -21,7 +21,7 @@ import (
"sync"
"sync"
corev1
"k8s.io/api/core/v1"
corev1
"k8s.io/api/core/v1"
extensionsv1beta1
"k8s.io/api/extensions
/v1beta1"
policy
"k8s.io/api/policy
/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
rbacv1beta1
"k8s.io/api/rbac/v1beta1"
apierrs
"k8s.io/apimachinery/pkg/api/errors"
apierrs
"k8s.io/apimachinery/pkg/api/errors"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
...
@@ -42,33 +42,33 @@ var (
...
@@ -42,33 +42,33 @@ var (
)
)
// Creates a PodSecurityPolicy that allows everything.
// Creates a PodSecurityPolicy that allows everything.
func
PrivilegedPSP
(
name
string
)
*
extensionsv1beta1
.
PodSecurityPolicy
{
func
PrivilegedPSP
(
name
string
)
*
policy
.
PodSecurityPolicy
{
allowPrivilegeEscalation
:=
true
allowPrivilegeEscalation
:=
true
return
&
extensionsv1beta1
.
PodSecurityPolicy
{
return
&
policy
.
PodSecurityPolicy
{
ObjectMeta
:
metav1
.
ObjectMeta
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Name
:
name
,
Annotations
:
map
[
string
]
string
{
seccomp
.
AllowedProfilesAnnotationKey
:
seccomp
.
AllowAny
},
Annotations
:
map
[
string
]
string
{
seccomp
.
AllowedProfilesAnnotationKey
:
seccomp
.
AllowAny
},
},
},
Spec
:
extensionsv1beta1
.
PodSecurityPolicySpec
{
Spec
:
policy
.
PodSecurityPolicySpec
{
Privileged
:
true
,
Privileged
:
true
,
AllowPrivilegeEscalation
:
&
allowPrivilegeEscalation
,
AllowPrivilegeEscalation
:
&
allowPrivilegeEscalation
,
AllowedCapabilities
:
[]
corev1
.
Capability
{
"*"
},
AllowedCapabilities
:
[]
corev1
.
Capability
{
"*"
},
Volumes
:
[]
extensionsv1beta1
.
FSType
{
extensionsv1beta1
.
All
},
Volumes
:
[]
policy
.
FSType
{
policy
.
All
},
HostNetwork
:
true
,
HostNetwork
:
true
,
HostPorts
:
[]
extensionsv1beta1
.
HostPortRange
{{
Min
:
0
,
Max
:
65535
}},
HostPorts
:
[]
policy
.
HostPortRange
{{
Min
:
0
,
Max
:
65535
}},
HostIPC
:
true
,
HostIPC
:
true
,
HostPID
:
true
,
HostPID
:
true
,
RunAsUser
:
extensionsv1beta1
.
RunAsUserStrategyOptions
{
RunAsUser
:
policy
.
RunAsUserStrategyOptions
{
Rule
:
extensionsv1beta1
.
RunAsUserStrategyRunAsAny
,
Rule
:
policy
.
RunAsUserStrategyRunAsAny
,
},
},
SELinux
:
extensionsv1beta1
.
SELinuxStrategyOptions
{
SELinux
:
policy
.
SELinuxStrategyOptions
{
Rule
:
extensionsv1beta1
.
SELinuxStrategyRunAsAny
,
Rule
:
policy
.
SELinuxStrategyRunAsAny
,
},
},
SupplementalGroups
:
extensionsv1beta1
.
SupplementalGroupsStrategyOptions
{
SupplementalGroups
:
policy
.
SupplementalGroupsStrategyOptions
{
Rule
:
extensionsv1beta1
.
SupplementalGroupsStrategyRunAsAny
,
Rule
:
policy
.
SupplementalGroupsStrategyRunAsAny
,
},
},
FSGroup
:
extensionsv1beta1
.
FSGroupStrategyOptions
{
FSGroup
:
policy
.
FSGroupStrategyOptions
{
Rule
:
extensionsv1beta1
.
FSGroupStrategyRunAsAny
,
Rule
:
policy
.
FSGroupStrategyRunAsAny
,
},
},
ReadOnlyRootFilesystem
:
false
,
ReadOnlyRootFilesystem
:
false
,
AllowedUnsafeSysctls
:
[]
string
{
"*"
},
AllowedUnsafeSysctls
:
[]
string
{
"*"
},
...
@@ -112,7 +112,7 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
...
@@ -112,7 +112,7 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
}
}
psp
:=
PrivilegedPSP
(
podSecurityPolicyPrivileged
)
psp
:=
PrivilegedPSP
(
podSecurityPolicyPrivileged
)
psp
,
err
=
f
.
ClientSet
.
Extensions
V1beta1
()
.
PodSecurityPolicies
()
.
Create
(
psp
)
psp
,
err
=
f
.
ClientSet
.
Policy
V1beta1
()
.
PodSecurityPolicies
()
.
Create
(
psp
)
if
!
apierrs
.
IsAlreadyExists
(
err
)
{
if
!
apierrs
.
IsAlreadyExists
(
err
)
{
ExpectNoError
(
err
,
"Failed to create PSP %s"
,
podSecurityPolicyPrivileged
)
ExpectNoError
(
err
,
"Failed to create PSP %s"
,
podSecurityPolicyPrivileged
)
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment