diff --git a/pkg/security/podsecuritypolicy/provider.go b/pkg/security/podsecuritypolicy/provider.go
index 9ad19ab73dc..6587267d93c 100644
--- a/pkg/security/podsecuritypolicy/provider.go
+++ b/pkg/security/podsecuritypolicy/provider.go
@@ -18,6 +18,7 @@ package podsecuritypolicy
 
 import (
 	"fmt"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
@@ -308,7 +309,7 @@ func (s *simpleProvider) hasInvalidHostPort(container *api.Container, fldPath *f
 	allErrs := field.ErrorList{}
 	for _, cp := range container.Ports {
 		if cp.HostPort > 0 && !s.isValidHostPort(int(cp.HostPort)) {
-			detail := fmt.Sprintf("Host port %d is not allowed to be used. Allowed ports: %v", cp.HostPort, s.psp.Spec.HostPorts)
+			detail := fmt.Sprintf("Host port %d is not allowed to be used. Allowed ports: [%s]", cp.HostPort, hostPortRangesToString(s.psp.Spec.HostPorts))
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPort"), cp.HostPort, detail))
 		}
 	}
@@ -329,3 +330,19 @@ func (s *simpleProvider) isValidHostPort(port int) bool {
 func (s *simpleProvider) GetPSPName() string {
 	return s.psp.Name
 }
+
+func hostPortRangesToString(ranges []extensions.HostPortRange) string {
+	formattedString := ""
+	if ranges != nil {
+		strRanges := []string{}
+		for _, r := range ranges {
+			if r.Min == r.Max {
+				strRanges = append(strRanges, fmt.Sprintf("%d", r.Min))
+			} else {
+				strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
+			}
+		}
+		formattedString = strings.Join(strRanges, ",")
+	}
+	return formattedString
+}
diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go
index 94e33340aee..767172ed512 100644
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
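Review bot: The `if ranges != nil` guard in hostPortRangesToString is unnecessary — ranging over a nil slice does nothing and `strings.Join` of an empty slice already returns "", so nil and empty ranges render identically with or without the guard, and dropping it flattens the function. The result slice can be pre-sized with `make([]string, 0, len(ranges))` since the count is known up front. Because this helper renders policy content into the user-facing validation message built in the previous hunk, it also deserves a doc comment stating the output format, e.g. `// hostPortRangesToString renders allowed host port ranges as "80,1000-2000" for validation messages.` An inverted range (Min > Max) would be printed as-is here, which is acceptable for a message as long as PSP validation rejects such ranges on admission (not visible in this diff).
```go
// hostPortRangesToString renders the PSP's allowed host port ranges as a
// comma-separated list ("80,1000-2000") for use in validation messages.
// Single-port ranges (Min == Max) are printed as one number.
func hostPortRangesToString(ranges []extensions.HostPortRange) string {
	strRanges := make([]string, 0, len(ranges))
	for _, r := range ranges {
		if r.Min == r.Max {
			strRanges = append(strRanges, fmt.Sprintf("%d", r.Min))
		} else {
			strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
		}
	}
	return strings.Join(strRanges, ",")
}
```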
@@ -463,7 +463,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
 		"failHostPortPSP": {
 			pod:           failHostPortPod,
 			psp:           defaultPSP(),
-			expectedError: "Host port 1 is not allowed to be used. Allowed ports: []",
+			expectedError: "Host port 1 is not allowed to be used. Allowed ports: []",
 		},
 		"failReadOnlyRootFS - nil": {
 			pod: defaultPod(),
@@ -498,7 +498,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
 			continue
 		}
 		if !strings.Contains(errs[0].Error(), v.expectedError) {
-			t.Errorf("%s received unexpected error %v", k, errs)
+			t.Errorf("%s received unexpected error %v\nexpected: %s", k, errs, v.expectedError)
 		}
 	}
 }
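Review bot: The new `expected: %s` in the t.Errorf call prints the expected substring unquoted, yet the check above it is a `strings.Contains`, so a mismatch caused by a trailing space, a bracket or an empty expected string is invisible in the failure output because the two strings look the same. Using `%q` makes such differences explicit: `t.Errorf("%s received unexpected error %v\nexpected: %q", k, errs, v.expectedError)`. The loop and TestValidateContainerSecurityContextFailures begin before this hunk.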