AllowPrivilegeEscalation: add validations for caps and privileged

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
2025-10-07 11:04:44 +00:00 · 2017-09-21 18:35:06 -04:00
parent d699a6f30c
commit 0ad51ed763
4 changed files with 52 additions and 61 deletions
--- a/pkg/api/validation/validation_test.go
+++ b/pkg/api/validation/validation_test.go
@@ -4704,6 +4704,38 @@ func TestValidatePodSpec(t *testing.T) {
 			DNSPolicy:         api.DNSClusterFirst,
 			PriorityClassName: "InvalidName",
 		},
+		"with privileged and allowPrivilegeEscalation false": {
+			Containers: []api.Container{
+				{
+					Name:            "ctr",
+					Image:           "image",
+					ImagePullPolicy: "IfNotPresent",
+					Ports: []api.ContainerPort{
+						{HostPort: 8080, ContainerPort: 2600, Protocol: "TCP"}},
+					SecurityContext: &api.SecurityContext{
+						Privileged:               boolPtr(true),
+						AllowPrivilegeEscalation: boolPtr(false),
+					},
+				},
+			},
+		},
+		"with CAP_SYS_ADMIN and allowPrivilegeEscalation false": {
+			Containers: []api.Container{
+				{
+					Name:            "ctr",
+					Image:           "image",
+					ImagePullPolicy: "IfNotPresent",
+					Ports: []api.ContainerPort{
+						{HostPort: 8080, ContainerPort: 2600, Protocol: "TCP"}},
+					SecurityContext: &api.SecurityContext{
+						Capabilities: &api.Capabilities{
+							Add: []api.Capability{"CAP_SYS_ADMIN"},
+						},
+						AllowPrivilegeEscalation: boolPtr(false),
+					},
+				},
+			},
+		},
 	}
 	for k, v := range failureCases {
 		if errs := ValidatePodSpec(&v, field.NewPath("field")); len(errs) == 0 {
@@ -11082,3 +11114,7 @@ func TestValidateOrSetClientIPAffinityConfig(t *testing.T) {
 		}
 	}
 }
+
+func boolPtr(b bool) *bool {
+	return &b
+}