PodSecurity: register/test v1beta1 config

This commit is contained in:
Jordan Liggitt 2021-11-02 11:42:51 -04:00
parent d997607eb9
commit 1f8f996dc9
4 changed files with 92 additions and 3 deletions


@ -24,7 +24,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/pod-security-admission/admission/api"
"k8s.io/pod-security-admission/admission/api/scheme"
apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
)
func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
if len(data) == 0 {
// no config provided, return default
externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
externalConfig := &apiv1beta1.PodSecurityConfiguration{}
scheme.Scheme.Default(externalConfig)
internalConfig := &api.PodSecurityConfiguration{}
if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {
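Review bot: The empty-data branch now builds the implicit configuration from `apiv1beta1.PodSecurityConfiguration{}`, which means the built-in defaults applied when no file is given are whatever v1beta1's defaulting produces, and nothing on the line records that this choice has to move with each new external version. The comment above it, `// no config provided, return default`, could say so: `// No config provided: build the defaults from the newest external version so scheme defaulting matches a user-supplied file of that version.`. Since this path decides the effective admission levels when the operator supplies nothing, it is worth having a test that pins the zero-input result explicitly rather than only through the v1beta1 file cases. LoadFromData continues beyond the hunk.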


@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
}
}
// valid file
{
input := `{
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
"kind":"PodSecurityConfiguration",
"defaults":{"enforce":"baseline"}}`
expect := &api.PodSecurityConfiguration{
Defaults: api.PodSecurityDefaults{
Enforce: "baseline", EnforceVersion: "latest",
Warn: "privileged", WarnVersion: "latest",
Audit: "privileged", AuditVersion: "latest",
},
}
config, err := LoadFromFile(writeTempFile(t, input))
if err != nil {
t.Fatalf("unexpected err: %v", err)
}
if !reflect.DeepEqual(config, expect) {
t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
}
}
// missing file
{
_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
}
}
// valid reader
{
input := `{
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
"kind":"PodSecurityConfiguration",
"defaults":{"enforce":"baseline"}}`
expect := &api.PodSecurityConfiguration{
Defaults: api.PodSecurityDefaults{
Enforce: "baseline", EnforceVersion: "latest",
Warn: "privileged", WarnVersion: "latest",
Audit: "privileged", AuditVersion: "latest",
},
}
config, err := LoadFromReader(bytes.NewBufferString(input))
if err != nil {
t.Fatalf("unexpected err: %v", err)
}
if !reflect.DeepEqual(config, expect) {
t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
}
}
// invalid reader
{
input := `{
@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
data: []byte(`
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
kind: PodSecurityConfiguration
defaults:
enforce: baseline
enforce-version: v1.7
exemptions:
usernames: ["alice","bob"]
namespaces: ["kube-system"]
runtimeClasses: ["special"]
`),
expectConfig: &api.PodSecurityConfiguration{
Defaults: api.PodSecurityDefaults{
Enforce: "baseline", EnforceVersion: "v1.7",
Warn: "privileged", WarnVersion: "latest",
Audit: "privileged", AuditVersion: "latest",
},
Exemptions: api.PodSecurityExemptions{
Usernames: []string{"alice", "bob"},
Namespaces: []string{"kube-system"},
RuntimeClasses: []string{"special"},
},
},
},
{
name: "v1beta1 - json",
data: []byte(`{
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
"kind":"PodSecurityConfiguration",
"defaults":{"enforce":"baseline"}}`),
expectConfig: &api.PodSecurityConfiguration{
Defaults: api.PodSecurityDefaults{
Enforce: "baseline", EnforceVersion: "latest",
Warn: "privileged", WarnVersion: "latest",
Audit: "privileged", AuditVersion: "latest",
},
},
},
{
name: "v1beta1 - yaml",
data: []byte(`
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
enforce: baseline
enforce-version: v1.7
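Review bot: The v1beta1 fixtures added to TestLoadFromFile, TestLoadFromReader and TestLoadFromData are the same JSON document and the same expected `api.PodSecurityConfiguration` literal typed out three times; hoisting them into package-level test vars (for example `v1beta1JSON` and `v1beta1Expect`) would keep the three tests in step when the defaults change. The File and Reader cases set only `defaults.enforce` and leave every other field to defaulting, so they would not notice a v1beta1 regression in exemptions or explicit `*-version` handling; only the yaml table case in TestLoadFromData, whose body appears to continue beyond the hunk, exercises an explicit version. The three test functions each start outside their hunk.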


@ -22,6 +22,7 @@ import (
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
podsecurityapi "k8s.io/pod-security-admission/admission/api"
podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
)
var (
@ -40,5 +41,6 @@ func init() {
func AddToScheme(scheme *runtime.Scheme) {
utilruntime.Must(podsecurityapi.AddToScheme(scheme))
utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
}
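Review bot: AddToScheme carries no doc comment for the ordering constraint that the new `SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion)` line encodes; as I read apimachinery, that order is what the scheme uses to pick the preferred version for the group, so a future version appended after these two would be registered but never preferred. Suggest `// AddToScheme registers every external pod-security config version. Keep the newest version first in SetVersionPriority; the scheme treats that order as its version preference.` above the function. The `var (` block and `init` at the top of the hunk are outside it.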

vendor/modules.txt vendored

@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
k8s.io/pod-security-admission/admission/api/load
k8s.io/pod-security-admission/admission/api/scheme
k8s.io/pod-security-admission/admission/api/v1alpha1
k8s.io/pod-security-admission/admission/api/v1beta1
k8s.io/pod-security-admission/admission/api/validation
k8s.io/pod-security-admission/api
k8s.io/pod-security-admission/cmd/webhook/server