PodSecurityPolicy should respect and validate user-supplied RunAsNonRoot fields.

pkg/security/podsecuritypolicy/provider.go

@@ -165,7 +165,7 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
 	// if we're using the non-root strategy set the marker that this container should not be
 	// run as root which will signal to the kubelet to do a final check either on the runAsUser
 	// or, if runAsUser is not set, the image UID will be checked.
-	if s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot {
+	if sc.RunAsNonRoot == nil && s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot {
 		nonRoot := true
 		sc.RunAsNonRoot = &nonRoot
 	}

pkg/security/podsecuritypolicy/provider_test.go

@@ -112,12 +112,21 @@ func TestCreatePodSecurityContextNonmutating(t *testing.T) {
 }
 
 func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
+	untrue := false
+	tests := []struct {
+		security *api.SecurityContext
+	}{
+		{nil},
+		{&api.SecurityContext{RunAsNonRoot: &untrue}},
+	}
+
+	for _, tc := range tests {
 		// Create a pod with a security context that needs filling in
 		createPod := func() *api.Pod {
 			return &api.Pod{
 				Spec: api.PodSpec{
 					Containers: []api.Container{{
-					SecurityContext: &api.SecurityContext{},
+						SecurityContext: tc.security,
 					}},
 				},
 			}
@@ -184,6 +193,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
 			t.Error("psp was mutated by CreateContainerSecurityContext")
 		}
 	}
+}
 
 func TestValidatePodSecurityContextFailures(t *testing.T) {
 	failHostNetworkPod := defaultPod()

pkg/security/podsecuritypolicy/user/nonroot.go

@@ -41,8 +41,9 @@ func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*types.UnixU
 
 // Validate ensures that the specified values fall within the range of the strategy.  Validation
 // of this will pass if either the UID is not set, assuming that the image will provided the UID
-// or if the UID is set it is not root.  In order to work properly this assumes that the kubelet
+// or if the UID is set it is not root.  Validation will fail if RunAsNonRoot is set to false.
-// performs a final check on runAsUser or the image UID when runAsUser is nil.
+// In order to work properly this assumes that the kubelet performs a final check on runAsUser
+// or the image UID when runAsUser is nil.
 func (s *nonRoot) Validate(pod *api.Pod, container *api.Container) field.ErrorList {
 	allErrs := field.ErrorList{}
 	securityContextPath := field.NewPath("securityContext")
@@ -51,8 +52,13 @@ func (s *nonRoot) Validate(pod *api.Pod, container *api.Container) field.ErrorLi
 		allErrs = append(allErrs, field.Invalid(securityContextPath, container.SecurityContext, detail))
 		return allErrs
 	}
+	if container.SecurityContext.RunAsNonRoot != nil && *container.SecurityContext.RunAsNonRoot == false {
+		detail := fmt.Sprintf("RunAsNonRoot must be true for container %s", container.Name)
+		allErrs = append(allErrs, field.Invalid(securityContextPath.Child("runAsNonRoot"), *container.SecurityContext.RunAsNonRoot, detail))
+		return allErrs
+	}
 	if container.SecurityContext.RunAsUser != nil && *container.SecurityContext.RunAsUser == 0 {
-		detail := fmt.Sprintf("running with the root UID is forbidden by the pod security policy %s", container.Name)
+		detail := fmt.Sprintf("running with the root UID is forbidden by the pod security policy for container %s", container.Name)
 		allErrs = append(allErrs, field.Invalid(securityContextPath.Child("runAsUser"), *container.SecurityContext.RunAsUser, detail))
 		return allErrs
 	}

pkg/security/podsecuritypolicy/user/nonroot_test.go

@@ -52,30 +52,70 @@ func TestNonRootGenerate(t *testing.T) {
 func TestNonRootValidate(t *testing.T) {
 	goodUID := types.UnixUserID(1)
 	badUID := types.UnixUserID(0)
+	untrue := false
+	unfalse := true
 	s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})
 	if err != nil {
 		t.Fatalf("unexpected error initializing NewMustRunAs %v", err)
 	}
-	container := &api.Container{
+	tests := []struct {
+		container   *api.Container
+		expectedErr bool
+		msg         string
+	}{
+		{
+			container: &api.Container{
 				SecurityContext: &api.SecurityContext{
 					RunAsUser: &badUID,
 				},
+			},
+			expectedErr: true,
+			msg:         "in test case %d, expected errors from root uid but got none: %v",
+		},
+		{
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: &goodUID,
+				},
+			},
+			expectedErr: false,
+			msg:         "in test case %d, expected no errors from non-root uid but got %v",
+		},
+		{
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsNonRoot: &untrue,
+				},
+			},
+			expectedErr: true,
+			msg:         "in test case %d, expected errors from RunAsNonRoot but got none: %v",
+		},
+		{
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsNonRoot: &unfalse,
+					RunAsUser:    &goodUID,
+				},
+			},
+			expectedErr: false,
+			msg:         "in test case %d, expected no errors from non-root uid but got %v",
+		},
+		{
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsNonRoot: &unfalse,
+					RunAsUser:    &badUID,
+				},
+			},
+			expectedErr: true,
+			msg:         "in test case %d, expected errors from root uid but got %v",
+		},
 	}
 
-	errs := s.Validate(nil, container)
+	for i, tc := range tests {
-	if len(errs) == 0 {
+		errs := s.Validate(nil, tc.container)
-		t.Errorf("expected errors from root uid but got none")
+		if (len(errs) == 0) == tc.expectedErr {
-	}
+			t.Errorf(tc.msg, i, errs)
-
+		}
-	container.SecurityContext.RunAsUser = &goodUID
-	errs = s.Validate(nil, container)
-	if len(errs) != 0 {
-		t.Errorf("expected no errors from non-root uid but got %v", errs)
-	}
-
-	container.SecurityContext.RunAsUser = nil
-	errs = s.Validate(nil, container)
-	if len(errs) != 0 {
-		t.Errorf("expected no errors from nil uid but got %v", errs)
 	}
 }