PodSecurity: register/test v1beta1 config
This commit is contained in:
parent
d997607eb9
commit
1f8f996dc9
@ -24,7 +24,7 @@ import (
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/pod-security-admission/admission/api"
|
||||
"k8s.io/pod-security-admission/admission/api/scheme"
|
||||
apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
|
||||
apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
|
||||
)
|
||||
|
||||
func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
|
||||
@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
|
||||
func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
|
||||
if len(data) == 0 {
|
||||
// no config provided, return default
|
||||
externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
|
||||
externalConfig := &apiv1beta1.PodSecurityConfiguration{}
|
||||
scheme.Scheme.Default(externalConfig)
|
||||
internalConfig := &api.PodSecurityConfiguration{}
|
||||
if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {
|
||||
|
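Review bot: The empty-input path now hard-codes `apiv1beta1.PodSecurityConfiguration` as the type whose defaulting produces the returned config, but the comment above it still reads as a generic "return default" and gives a maintainer no hint that this choice is tied to the version preference set in scheme.AddToScheme. Replace `// no config provided, return default` with `// no config provided: build the default through the preferred external version (v1beta1) and convert to internal; keep in sync with the version priority in scheme.AddToScheme`. If an empty-input test exists outside these hunks, it should assert the full internal defaults (enforce/warn/audit and their versions), so that a later change to v1beta1 defaulting cannot silently alter what an absent admission config means. LoadFromData's body continues outside the hunk.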
@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// valid file
|
||||
{
|
||||
input := `{
|
||||
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
|
||||
"kind":"PodSecurityConfiguration",
|
||||
"defaults":{"enforce":"baseline"}}`
|
||||
expect := &api.PodSecurityConfiguration{
|
||||
Defaults: api.PodSecurityDefaults{
|
||||
Enforce: "baseline", EnforceVersion: "latest",
|
||||
Warn: "privileged", WarnVersion: "latest",
|
||||
Audit: "privileged", AuditVersion: "latest",
|
||||
},
|
||||
}
|
||||
|
||||
config, err := LoadFromFile(writeTempFile(t, input))
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected err: %v", err)
|
||||
}
|
||||
if !reflect.DeepEqual(config, expect) {
|
||||
t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
|
||||
}
|
||||
}
|
||||
|
||||
// missing file
|
||||
{
|
||||
_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
|
||||
@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// valid reader
|
||||
{
|
||||
input := `{
|
||||
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
|
||||
"kind":"PodSecurityConfiguration",
|
||||
"defaults":{"enforce":"baseline"}}`
|
||||
expect := &api.PodSecurityConfiguration{
|
||||
Defaults: api.PodSecurityDefaults{
|
||||
Enforce: "baseline", EnforceVersion: "latest",
|
||||
Warn: "privileged", WarnVersion: "latest",
|
||||
Audit: "privileged", AuditVersion: "latest",
|
||||
},
|
||||
}
|
||||
|
||||
config, err := LoadFromReader(bytes.NewBufferString(input))
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected err: %v", err)
|
||||
}
|
||||
if !reflect.DeepEqual(config, expect) {
|
||||
t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
|
||||
}
|
||||
}
|
||||
|
||||
// invalid reader
|
||||
{
|
||||
input := `{
|
||||
@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
|
||||
data: []byte(`
|
||||
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
|
||||
kind: PodSecurityConfiguration
|
||||
defaults:
|
||||
enforce: baseline
|
||||
enforce-version: v1.7
|
||||
exemptions:
|
||||
usernames: ["alice","bob"]
|
||||
namespaces: ["kube-system"]
|
||||
runtimeClasses: ["special"]
|
||||
`),
|
||||
expectConfig: &api.PodSecurityConfiguration{
|
||||
Defaults: api.PodSecurityDefaults{
|
||||
Enforce: "baseline", EnforceVersion: "v1.7",
|
||||
Warn: "privileged", WarnVersion: "latest",
|
||||
Audit: "privileged", AuditVersion: "latest",
|
||||
},
|
||||
Exemptions: api.PodSecurityExemptions{
|
||||
Usernames: []string{"alice", "bob"},
|
||||
Namespaces: []string{"kube-system"},
|
||||
RuntimeClasses: []string{"special"},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "v1beta1 - json",
|
||||
data: []byte(`{
|
||||
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
|
||||
"kind":"PodSecurityConfiguration",
|
||||
"defaults":{"enforce":"baseline"}}`),
|
||||
expectConfig: &api.PodSecurityConfiguration{
|
||||
Defaults: api.PodSecurityDefaults{
|
||||
Enforce: "baseline", EnforceVersion: "latest",
|
||||
Warn: "privileged", WarnVersion: "latest",
|
||||
Audit: "privileged", AuditVersion: "latest",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "v1beta1 - yaml",
|
||||
data: []byte(`
|
||||
apiVersion: pod-security.admission.config.k8s.io/v1beta1
|
||||
kind: PodSecurityConfiguration
|
||||
defaults:
|
||||
enforce: baseline
|
||||
enforce-version: v1.7
|
||||
|
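Review bot: The added v1beta1 cases are positive-only and, apart from the apiVersion string, identical to the v1alpha1 cases, so nothing in this hunk shows that a config naming a version of this group that the scheme does not register is rejected rather than accepted. Because the empty-input path in LoadFromData falls back to defaults, a fail-closed check for an unrecognized apiVersion is worth pinning explicitly. If TestLoadFromData has no such case outside this hunk, add a table entry with `"apiVersion":"pod-security.admission.config.k8s.io/v1"` (not registered by this commit, as far as the scheme changes show) that expects a decode error, using whatever error-expectation field the table already has. The `v1beta1 - yaml` case continues past the end of the hunk.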
@ -22,6 +22,7 @@ import (
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
podsecurityapi "k8s.io/pod-security-admission/admission/api"
|
||||
podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
|
||||
podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -40,5 +41,6 @@ func init() {
|
||||
func AddToScheme(scheme *runtime.Scheme) {
|
||||
utilruntime.Must(podsecurityapi.AddToScheme(scheme))
|
||||
utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
|
||||
utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
|
||||
utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
|
||||
utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
|
||||
}
|
||||
|
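Review bot: `SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion)` makes v1beta1 the preferred version, while load.go separately hard-codes the v1beta1 external type for defaulting empty input, so the preference is now encoded in two places with no cross-reference. Add `// v1beta1 is the preferred version; load.LoadFromData defaults an empty config through this same version` above the SetVersionPriority line so the two stay in step. v1alpha1 remains registered, so existing alpha configs keep loading; if that is intended as a compatibility window, a short comment on its AddToScheme line stating that would make the removal decision later an explicit one.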
1
vendor/modules.txt
vendored
1
vendor/modules.txt
vendored
@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
|
||||
k8s.io/pod-security-admission/admission/api/load
|
||||
k8s.io/pod-security-admission/admission/api/scheme
|
||||
k8s.io/pod-security-admission/admission/api/v1alpha1
|
||||
k8s.io/pod-security-admission/admission/api/v1beta1
|
||||
k8s.io/pod-security-admission/admission/api/validation
|
||||
k8s.io/pod-security-admission/api
|
||||
k8s.io/pod-security-admission/cmd/webhook/server
|
||||
|