From 1a833931351240d302380e9e66b210f77c553e12 Mon Sep 17 00:00:00 2001
From: Paco Xu
Date: Wed, 1 Feb 2023 10:37:49 +0800
Subject: [PATCH] add sysctls_allowed_1_27 and will add min version for it
Signed-off-by: Paco Xu
---
 .../policy/check_sysctls.go | 21 ++++-
 .../policy/check_sysctls_test.go | 87 +++++++++++++++++--
 2 files changed, 99 insertions(+), 9 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
index dcb59077b61..95c5eff286a 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
@@ -61,6 +61,10 @@ func CheckSysctls() Check {
 MinimumVersion: api.MajorMinorVersion(1, 0),
 CheckPod: sysctls_1_0,
 },
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 27),
+ CheckPod: sysctls_1_27,
+ },
 },
 }
 }
@@ -72,16 +76,31 @@ var (
 "net.ipv4.tcp_syncookies",
 "net.ipv4.ping_group_range",
 "net.ipv4.ip_unprivileged_port_start",
+ )
+ sysctls_allowed_1_27 = sets.NewString(
+ "kernel.shm_rmid_forced",
+ "net.ipv4.ip_local_port_range",
+ "net.ipv4.tcp_syncookies",
+ "net.ipv4.ping_group_range",
+ "net.ipv4.ip_unprivileged_port_start",
 "net.ipv4.ip_local_reserved_ports",
 )
 )
 func sysctls_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ return sysctls(podMetadata, podSpec, sysctls_allowed_1_0)
+}
+
+func sysctls_1_27(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ return sysctls(podMetadata, podSpec, sysctls_allowed_1_27)
+}
+
+func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, sysctls_allowed_set sets.String) CheckResult {
 var forbiddenSysctls []string
 if podSpec.SecurityContext != nil {
 for _, sysctl := range podSpec.SecurityContext.Sysctls {
- if !sysctls_allowed_1_0.Has(sysctl.Name) {
+ if !sysctls_allowed_set.Has(sysctl.Name) {
 forbiddenSysctls = append(forbiddenSysctls, sysctl.Name)
 }
 }
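Review bot: The new `sysctls_allowed_1_27` list at the top of the second hunk restates every entry of `sysctls_allowed_1_0` and adds one, and because these allowlists are the enforcement boundary of the check, two hand-maintained copies will drift once later releases add entries. Deriving the newer set from the older one keeps the delta explicit and reviewable: `sysctls_allowed_1_27 = sysctls_allowed_1_0.Union(sets.NewString("net.ipv4.ip_local_reserved_ports"))`. The shared helper `sysctls` and its parameter `sysctls_allowed_set` have no doc comment; one sentence such as `// sysctls reports every podSpec.SecurityContext.Sysctls name that is not in the given allowed set as forbidden; each versioned allowlist tracks the sysctls the kubelet of that release treats as safe.` would record why a per-version list exists, and a parameter name like `allowedSysctls` would read as idiomatic Go rather than as another versioned variable. The helper's body continues past the end of the hunk, so the construction of the CheckResult is not visible here.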
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
index 450b383146e..011563d7b99 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
@@ -26,6 +26,7 @@ func TestSysctls(t *testing.T) {
 tests := []struct {
 name string
 pod *corev1.Pod
+ allowed bool
 expectReason string
 expectDetail string
 }{
@@ -36,22 +37,92 @@ func TestSysctls(t *testing.T) {
 Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
 },
 }},
+ allowed: false,
 expectReason: `forbidden sysctls`,
 expectDetail: `a, b`,
 },
+ {
+ name: "new supported sysctls not supported",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},},
+ },
+ }},
+ allowed: false,
+ expectReason: `forbidden sysctls`,
+ expectDetail: `net.ipv4.ip_local_reserved_ports`,
+ },
 }
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
 result := sysctls_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
- if result.Allowed {
- t.Fatal("expected disallowed")
- }
- if e, a := tc.expectReason, result.ForbiddenReason; e != a {
- t.Errorf("expected\n%s\ngot\n%s", e, a)
- }
- if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
- t.Errorf("expected\n%s\ngot\n%s", e, a)
+ if !tc.allowed {
+ if result.Allowed {
+ t.Fatal("expected disallowed")
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ } else {
+ if !result.Allowed {
+ t.Fatal("expected allowed")
+ }
+ }
+ })
+ }
+}
+
+func TestSysctls_1_27(t *testing.T) {
+ tests := []struct {
+ name string
+ pod *corev1.Pod
+ allowed bool
+ expectReason string
+ expectDetail string
+ }{
+ {
+ name: "forbidden sysctls",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
+ },
+ }},
+ allowed: false,
+ expectReason: `forbidden sysctls`,
+ expectDetail: `a, b`,
+ },
+ {
+ name: "new supported sysctls",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},},
+ },
+ }},
+ allowed: true,
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ result := sysctls_1_27(&tc.pod.ObjectMeta, &tc.pod.Spec)
+ if !tc.allowed {
+ if result.Allowed {
+ t.Fatal("expected disallowed")
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ } else {
+ if !result.Allowed {
+ t.Fatal("expected allowed")
+ }
 }
 })
 }
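Review bot: `TestSysctls_1_27` copies the whole of `TestSysctls` — the case struct, the first case and the allowed/disallowed assertion block — so every future versioned allowlist will mean another full copy, and a fix to the assertion logic would have to be applied in each. A small helper that takes the check function under test and the case table, called once per version with the version's expected outcomes, would keep one assertion body; as a lighter alternative, each case could carry the check function as a field and both tables could live in the one loop. The two `Sysctls:` literals written as `{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},}` end with a trailing comma before the closing brace on the same line, which gofmt rewrites to `{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"}}`, so the file is not gofmt-clean as submitted. Nothing here exercises `CheckSysctls()` itself, so the version selection (that an evaluation below 1.27 still forbids this sysctl) is only covered if a test elsewhere does it; if not, one case through the Check's version lookup would pin that boundary. The closing brace of `TestSysctls_1_27` is outside the hunk.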