github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 13:07:07 +00:00
Code Issues Projects Releases Wiki Activity

[PSA] default warn to enforce level

Browse Source
This commit is contained in:
Tim Allclair 2022-10-05 17:17:47 -07:00
parent 748daeb862
commit 0574a8181d
3 changed files with 165 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
staging/src/k8s.io/pod-security-admission/admission/admission_test.go
View File

@ -278,7 +278,7 @@ func TestValidateNamespace(t *testing.T) {
expectAllowed: true, expectAllowed: true,
expectListPods: false, expectListPods: false,
expectWarnings: []string{ expectWarnings: []string{
`namespace "test" is exempt from Pod Security, and the policy (enforce=restricted:latest) will be ignored`, `namespace "test" is exempt from Pod Security, and the policy (enforce=restricted:latest, warn=restricted:latest) will be ignored`,
}, },
}, },
{ {
@ -1180,7 +1180,7 @@ func TestExemptNamespaceWarning(t *testing.T) {
api.EnforceLevelLabel: string(api.LevelBaseline), api.EnforceLevelLabel: string(api.LevelBaseline),
}, },
expectWarning: true, expectWarning: true,
expectWarningContains: "(enforce=baseline:latest)", expectWarningContains: "(enforce=baseline:latest, warn=baseline:latest)",
}, { }, {
name: "warn-on-warn", name: "warn-on-warn",
labels: map[string]string{ labels: map[string]string{

15
staging/src/k8s.io/pod-security-admission/api/helpers.go
View File

@ -213,12 +213,16 @@ func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.
errs field.ErrorList errs field.ErrorList
p = defaults p = defaults
hasEnforceLevel bool
hasWarnLevel, hasWarnVersion bool
) )
if len(labels) == 0 { if len(labels) == 0 {
return p, nil return p, nil
} }
if level, ok := labels[EnforceLevelLabel]; ok { if level, ok := labels[EnforceLevelLabel]; ok {
p.Enforce.Level, err = ParseLevel(level) p.Enforce.Level, err = ParseLevel(level)
hasEnforceLevel = (err == nil) // Don't default warn in case of error
errs = appendErr(errs, err, EnforceLevelLabel, level) errs = appendErr(errs, err, EnforceLevelLabel, level)
} }
if version, ok := labels[EnforceVersionLabel]; ok { if version, ok := labels[EnforceVersionLabel]; ok {
@ -237,6 +241,7 @@ func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.
errs = appendErr(errs, err, AuditVersionLabel, version) errs = appendErr(errs, err, AuditVersionLabel, version)
} }
if level, ok := labels[WarnLevelLabel]; ok { if level, ok := labels[WarnLevelLabel]; ok {
hasWarnLevel = true
p.Warn.Level, err = ParseLevel(level) p.Warn.Level, err = ParseLevel(level)
errs = appendErr(errs, err, WarnLevelLabel, level) errs = appendErr(errs, err, WarnLevelLabel, level)
if err != nil { if err != nil {
@ -244,9 +249,19 @@ func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.
} }
} }
if version, ok := labels[WarnVersionLabel]; ok { if version, ok := labels[WarnVersionLabel]; ok {
hasWarnVersion = true
p.Warn.Version, err = ParseVersion(version) p.Warn.Version, err = ParseVersion(version)
errs = appendErr(errs, err, WarnVersionLabel, version) errs = appendErr(errs, err, WarnVersionLabel, version)
} }
// Default warn to the enforce level when explicitly set to a more restrictive level.
if !hasWarnLevel && hasEnforceLevel && CompareLevels(p.Enforce.Level, p.Warn.Level) > 0 {
p.Warn.Level = p.Enforce.Level
if !hasWarnVersion {
p.Warn.Version = p.Enforce.Version
}
}
return p, errs return p, errs
} }

148
staging/src/k8s.io/pod-security-admission/api/helpers_test.go
View File

@ -117,3 +117,151 @@ func TestPolicyEquals(t *testing.T) {
assert.True(t, baseline.Equivalent(&baseline), "baseline policy equals itself") assert.True(t, baseline.Equivalent(&baseline), "baseline policy equals itself")
assert.False(t, privileged.Equivalent(&baseline), "privileged != baseline") assert.False(t, privileged.Equivalent(&baseline), "privileged != baseline")
} }
func TestPolicyToEvaluate(t *testing.T) {
privilegedLV := LevelVersion{
Level: LevelPrivileged,
Version: LatestVersion(),
}
privilegedPolicy := Policy{
Enforce: privilegedLV,
Warn: privilegedLV,
Audit: privilegedLV,
}
type testcase struct {
desc string
labels map[string]string
defaults Policy
expect Policy
expectErr bool
}
tests := []testcase{{
desc: "simple enforce",
labels: makeLabels("enforce", "baseline"),
expect: Policy{
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
Warn: LevelVersion{LevelBaseline, LatestVersion()},
Audit: privilegedLV,
},
}, {
desc: "simple warn",
labels: makeLabels("warn", "restricted"),
expect: Policy{
Enforce: privilegedLV,
Warn: LevelVersion{LevelRestricted, LatestVersion()},
Audit: privilegedLV,
},
}, {
desc: "simple audit",
labels: makeLabels("audit", "baseline"),
expect: Policy{
Enforce: privilegedLV,
Warn: privilegedLV,
Audit: LevelVersion{LevelBaseline, LatestVersion()},
},
}, {
desc: "enforce & warn",
labels: makeLabels("enforce", "baseline", "warn", "restricted"),
expect: Policy{
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
Warn: LevelVersion{LevelRestricted, LatestVersion()},
Audit: privilegedLV,
},
}, {
desc: "enforce version",
labels: makeLabels("enforce", "baseline", "enforce-version", "v1.22"),
expect: Policy{
Enforce: LevelVersion{LevelBaseline, MajorMinorVersion(1, 22)},
Warn: LevelVersion{LevelBaseline, MajorMinorVersion(1, 22)},
Audit: privilegedLV,
},
}, {
desc: "enforce version & warn-version",
labels: makeLabels("enforce", "baseline", "enforce-version", "v1.22", "warn-version", "latest"),
expect: Policy{
Enforce: LevelVersion{LevelBaseline, MajorMinorVersion(1, 22)},
Warn: LevelVersion{LevelBaseline, LatestVersion()},
Audit: privilegedLV,
},
}, {
desc: "enforce & warn-version",
labels: makeLabels("enforce", "baseline", "warn-version", "v1.23"),
expect: Policy{
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
Warn: LevelVersion{LevelBaseline, MajorMinorVersion(1, 23)},
Audit: privilegedLV,
},
}, {
desc: "fully specd",
labels: makeLabels(
"enforce", "baseline", "enforce-version", "v1.20",
"warn", "restricted", "warn-version", "v1.21",
"audit", "restricted", "audit-version", "v1.22"),
expect: Policy{
Enforce: LevelVersion{LevelBaseline, MajorMinorVersion(1, 20)},
Warn: LevelVersion{LevelRestricted, MajorMinorVersion(1, 21)},
Audit: LevelVersion{LevelRestricted, MajorMinorVersion(1, 22)},
},
}, {
desc: "enforce no warn",
labels: makeLabels("enforce", "baseline", "warn", "privileged"),
expect: Policy{
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
Warn: privilegedLV,
Audit: privilegedLV,
},
}, {
desc: "enforce warn error",
labels: makeLabels("enforce", "baseline", "warn", "foo"),
expect: Policy{
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
Warn: privilegedLV,
Audit: privilegedLV,
},
expectErr: true,
}, {
desc: "enforce error",
labels: makeLabels("enforce", "foo"),
expect: Policy{
Enforce: LevelVersion{LevelRestricted, LatestVersion()},
Warn: privilegedLV,
Audit: privilegedLV,
},
expectErr: true,
}}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
if test.defaults == (Policy{}) {
test.defaults = privilegedPolicy
}
actual, errs := PolicyToEvaluate(test.labels, test.defaults)
if test.expectErr {
assert.Error(t, errs.ToAggregate())
} else {
assert.NoError(t, errs.ToAggregate())
}
assert.Equal(t, test.expect, actual)
})
}
}
// makeLabels turns the kev-value pairs into a labels map[string]string.
func makeLabels(kvs ...string) map[string]string {
if len(kvs)%2 != 0 {
panic("makeLabels called with mismatched key-values")
}
labels := map[string]string{
"other-label": "foo-bar",
}
for i := 0; i < len(kvs); i += 2 {
key, value := kvs[i], kvs[i+1]
key = labelPrefix + key
labels[key] = value
}
return labels
}