PodSecurity: avoid double parsing policy from namespace labels
benchmark old ns/op new ns/op delta BenchmarkVerifyPod/enforce-implicit_pod-12 224 225 +0.40% BenchmarkVerifyPod/enforce-implicit_deployment-12 237 234 -1.31% BenchmarkVerifyPod/enforce-privileged_pod-12 259 245 -5.26% BenchmarkVerifyPod/enforce-privileged_deployment-12 261 254 -2.72% BenchmarkVerifyPod/enforce-baseline_pod-12 2967 2850 -3.94% BenchmarkVerifyPod/enforce-baseline_deployment-12 252 255 +0.87% BenchmarkVerifyPod/enforce-restricted_pod-12 3244 3125 -3.67% BenchmarkVerifyPod/enforce-restricted_deployment-12 258 261 +0.97% BenchmarkVerifyPod/warn-baseline_pod-12 2956 2841 -3.89% BenchmarkVerifyPod/warn-baseline_deployment-12 3034 2913 -3.99% BenchmarkVerifyPod/warn-restricted_pod-12 3276 3176 -3.05% BenchmarkVerifyPod/warn-restricted_deployment-12 3302 3157 -4.39% BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 5159 5132 -0.52% BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 4208 4069 -3.30% BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 4336 4252 -1.94% BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 4436 4316 -2.71%
This commit is contained in:
parent
636c769fb8
commit
32a5f41ec4
@ -319,8 +319,8 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
|
||||
klog.ErrorS(err, "failed to fetch pod namespace", "namespace", attrs.GetNamespace())
|
||||
return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", attrs.GetNamespace()))
|
||||
}
|
||||
nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
|
||||
if nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
|
||||
nsPolicy, nsPolicyErr := a.PolicyToEvaluate(namespace.Labels)
|
||||
if nsPolicyErr == nil && nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
|
||||
return sharedAllowedResponse()
|
||||
}
|
||||
|
||||
@ -350,7 +350,7 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
|
||||
return sharedAllowedResponse()
|
||||
}
|
||||
}
|
||||
return a.EvaluatePod(ctx, attrs.GetNamespace(), &pod.ObjectMeta, &pod.Spec, true)
|
||||
return a.EvaluatePod(ctx, nsPolicy, nsPolicyErr, &pod.ObjectMeta, &pod.Spec, true)
|
||||
}
|
||||
|
||||
// ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace.
|
||||
@ -371,8 +371,8 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
|
||||
klog.ErrorS(err, "failed to fetch pod namespace", "namespace", attrs.GetNamespace())
|
||||
return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", attrs.GetNamespace()))
|
||||
}
|
||||
nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
|
||||
if nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
|
||||
nsPolicy, nsPolicyErr := a.PolicyToEvaluate(namespace.Labels)
|
||||
if nsPolicyErr == nil && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
|
||||
return sharedAllowedResponse()
|
||||
}
|
||||
|
||||
@ -390,29 +390,22 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
|
||||
// if a controller with an optional pod spec does not contain a pod spec, skip validation
|
||||
return sharedAllowedResponse()
|
||||
}
|
||||
return a.EvaluatePod(ctx, attrs.GetNamespace(), podMetadata, podSpec, false)
|
||||
return a.EvaluatePod(ctx, nsPolicy, nsPolicyErr, podMetadata, podSpec, false)
|
||||
}
|
||||
|
||||
// EvaluatePod looks up the policy for the pods namespace, and checks it against the given pod(-like) object.
|
||||
// EvaluatePod evaluates the given policy against the given pod(-like) object.
|
||||
// The enforce policy is only checked if enforce=true.
|
||||
// The returned response may be shared between evaluations and must not be mutated.
|
||||
func (a *Admission) EvaluatePod(ctx context.Context, namespaceName string, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, enforce bool) *admissionv1.AdmissionResponse {
|
||||
func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, enforce bool) *admissionv1.AdmissionResponse {
|
||||
// short-circuit on exempt runtimeclass
|
||||
if a.exemptRuntimeClass(podSpec.RuntimeClassName) {
|
||||
return sharedAllowedResponse()
|
||||
}
|
||||
|
||||
namespace, err := a.NamespaceGetter.GetNamespace(ctx, namespaceName)
|
||||
if err != nil {
|
||||
klog.ErrorS(err, "failed to fetch pod namespace", "namespace", namespaceName)
|
||||
return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", namespaceName))
|
||||
}
|
||||
|
||||
auditAnnotations := map[string]string{}
|
||||
nsPolicy, err := a.PolicyToEvaluate(namespace.Labels)
|
||||
if err != nil {
|
||||
klog.V(2).InfoS("failed to parse PodSecurity namespace labels", "err", err)
|
||||
auditAnnotations["error"] = fmt.Sprintf("Failed to parse policy: %v", err)
|
||||
if nsPolicyErr != nil {
|
||||
klog.V(2).InfoS("failed to parse PodSecurity namespace labels", "err", nsPolicyErr)
|
||||
auditAnnotations["error"] = fmt.Sprintf("Failed to parse policy: %v", nsPolicyErr)
|
||||
}
|
||||
// TODO: log nsPolicy evaluation with context (op, resource, namespace, name) for the request.
|
||||
|
||||
|
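Review bot: The rewritten doc comment on EvaluatePod (`// EvaluatePod evaluates the given policy against the given pod(-like) object.`) does not describe the contract of the new `nsPolicyErr` parameter, even though the body treats it specially: a non-nil value is logged at V(2) and written to `auditAnnotations["error"]`, and evaluation is not aborted. Since the function now relies on the caller to pair `nsPolicy` with the error from the same PolicyToEvaluate call, the comment should also say what `nsPolicy` is expected to hold when `nsPolicyErr` is non-nil — presumably the defaulted policy PolicyToEvaluate returns alongside its error, which I cannot confirm from the hunk. I would add after the first comment line `// nsPolicyErr is the error from parsing the namespace labels into nsPolicy; when non-nil it is recorded as an audit annotation and evaluation continues against nsPolicy.` EvaluatePod's body continues past the end of the hunk, so how nsPolicy is consumed after the error branch is not visible here.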