From 36907db929e4e3a2f624620572ea693990cb6083 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Thu, 8 Jul 2021 01:24:52 -0400
Subject: [PATCH] PodSecurity: Drop field path from container visitor
---
 .../policy/check_allowPrivilegeEscalation.go | 3 +--
 .../policy/check_capabilities_baseline.go | 3 +--
 .../policy/check_capabilities_restricted.go | 3 +--
 .../policy/check_hostPorts.go | 3 +--
 .../policy/check_privileged.go | 3 +--
 .../policy/check_procMount.go | 3 +--
 .../policy/check_runAsNonRoot.go | 3 +--
 .../policy/check_seLinuxOptions.go | 3 +--
 .../policy/check_seccompProfile_baseline.go | 5 ++---
 .../policy/check_seccompProfile_restricted.go | 3 +--
 .../policy/check_windowsHostProcess.go | 3 +--
 .../pod-security-admission/policy/visitor.go | 19 +++++++------------
 12 files changed, 19 insertions(+), 35 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
index a3c952f7f34..496b746d0a5 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
@@ -21,7 +21,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -59,7 +58,7 @@ func CheckAllowPrivilegeEscalation() Check {
 func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 var badContainers []string
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil || *container.SecurityContext.AllowPrivilegeEscalation {
 badContainers = append(badContainers, container.Name)
 }
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go
index ac6f1ba121b..1fa62953ee6 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go
@@ -22,7 +22,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -78,7 +77,7 @@ var (
 func capabilitiesBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 var badContainers []string
 nonDefaultCapabilities := sets.NewString()
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 if container.SecurityContext != nil && container.SecurityContext.Capabilities != nil {
 valid := true
 for _, c := range container.SecurityContext.Capabilities.Add {
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
index 4042108477d..fd2e09729a6 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
@@ -23,7 +23,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -77,7 +76,7 @@ func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1
 forbiddenCapabilities = sets.NewString()
 )
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 if container.SecurityContext == nil || container.SecurityContext.Capabilities == nil {
 containersMissingDropAll = append(containersMissingDropAll, container.Name)
 return
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_hostPorts.go b/staging/src/k8s.io/pod-security-admission/policy/check_hostPorts.go
index 5ae5150e501..9e598cde8fd 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_hostPorts.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostPorts.go
@@ -24,7 +24,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -61,7 +60,7 @@ func CheckHostPorts() Check {
 func hostPorts_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 var badContainers []string
 forbiddenHostPorts := sets.NewString()
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 valid := true
 for _, c := range container.Ports {
 if c.HostPort != 0 {
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_privileged.go b/staging/src/k8s.io/pod-security-admission/policy/check_privileged.go
index 6824cf8d8bc..899642e4cda 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_privileged.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_privileged.go
@@ -21,7 +21,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -56,7 +55,7 @@ func CheckPrivileged() Check {
 func privileged_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 var badContainers []string
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged {
 badContainers = append(badContainers, container.Name)
 }
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go
index 9fa277b5996..a3ed8246162 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go
@@ -23,7 +23,6 @@ import (
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -62,7 +61,7 @@ func CheckProcMount() Check {
 func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 var badContainers []string
 forbiddenProcMountTypes := sets.NewString()
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 // allow if the security context is nil.
 if container.SecurityContext == nil {
 return
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
index 5b9cb77771a..c8dfcfdde3d 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
@@ -22,7 +22,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -77,7 +76,7 @@ func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) C
 // containers that didn't set runAsNonRoot and aren't caught by a pod-level runAsNonRoot=true
 var implicitlyBadContainers []string
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 if container.SecurityContext != nil && container.SecurityContext.RunAsNonRoot != nil {
 // container explicitly set runAsNonRoot
 if !*container.SecurityContext.RunAsNonRoot {
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go b/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
index 90ae37942b4..0a654352252 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
@@ -23,7 +23,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -112,7 +111,7 @@ func seLinuxOptions_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec)
 }
 var badContainers []string
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 if container.SecurityContext != nil && container.SecurityContext.SELinuxOptions != nil {
 if !validSELinuxOptions(container.SecurityContext.SELinuxOptions) {
 badContainers = append(badContainers, container.Name)
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go
index ca1dd098ab4..0409f93e70d 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go
@@ -23,7 +23,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -94,7 +93,7 @@ func seccompProfileBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.
 }
 }
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(c *corev1.Container) {
 annotation := annotationKeyContainerPrefix + c.Name
 if val, ok := podMetadata.Annotations[annotation]; ok {
 if !validSeccompAnnotationValue(val) {
@@ -134,7 +133,7 @@ func seccompProfileBaseline_1_19(podMetadata *metav1.ObjectMeta, podSpec *corev1
 // containers that explicitly set seccompProfile.type to a bad value
 var explicitlyBadContainers []string
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(c *corev1.Container) {
 if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
 // container explicitly set seccompProfile
 if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go
index 031ffb11633..66bec6e05d9 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go
@@ -23,7 +23,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -81,7 +80,7 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core
 // containers that didn't set seccompProfile and aren't caught by a pod-level seccompProfile
 var implicitlyBadContainers []string
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(c *corev1.Container) {
 if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
 // container explicitly set seccompProfile
 if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_windowsHostProcess.go b/staging/src/k8s.io/pod-security-admission/policy/check_windowsHostProcess.go
index d8d189cb35d..9e6dbe2e351 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_windowsHostProcess.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_windowsHostProcess.go
@@ -22,7 +22,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/pod-security-admission/api"
 )
@@ -59,7 +58,7 @@ func CheckWindowsHostProcess() Check {
 func windowsHostProcess_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 var badContainers []string
- visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ visitContainers(podSpec, func(container *corev1.Container) {
 if container.SecurityContext != nil &&
 container.SecurityContext.WindowsOptions != nil &&
 container.SecurityContext.WindowsOptions.HostProcess != nil &&
diff --git a/staging/src/k8s.io/pod-security-admission/policy/visitor.go b/staging/src/k8s.io/pod-security-admission/policy/visitor.go
index d8e3cbe0e9e..5778651c9b0 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/visitor.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/visitor.go
@@ -18,25 +18,20 @@ package policy
 import (
 corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/util/validation/field"
 )
-// ContainerVisitorWithPath is called with each container and the field.Path to that container
-type ContainerVisitorWithPath func(container *corev1.Container, path *field.Path)
+// ContainerVisitor is called with each container and the field.Path to that container
+type ContainerVisitor func(container *corev1.Container)
-// visitContainersWithPath invokes the visitor function with a pointer to the spec
-// of every container in the given pod spec and the field.Path to that container.
-func visitContainersWithPath(podSpec *corev1.PodSpec, specPath *field.Path, visitor ContainerVisitorWithPath) {
- fldPath := specPath.Child("initContainers")
+// visitContainers invokes the visitor function for every container in the given pod spec
+func visitContainers(podSpec *corev1.PodSpec, visitor ContainerVisitor) {
 for i := range podSpec.InitContainers {
- visitor(&podSpec.InitContainers[i], fldPath.Index(i))
+ visitor(&podSpec.InitContainers[i])
 }
- fldPath = specPath.Child("containers")
 for i := range podSpec.Containers {
- visitor(&podSpec.Containers[i], fldPath.Index(i))
+ visitor(&podSpec.Containers[i])
 }
- fldPath = specPath.Child("ephemeralContainers")
 for i := range podSpec.EphemeralContainers {
- visitor((*corev1.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon), fldPath.Index(i))
+ visitor((*corev1.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon))
 }
 }
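Review bot: The new doc comment on ContainerVisitor still says the visitor is called "with each container and the field.Path to that container", but the field.Path parameter is exactly what this commit removes, so the comment now describes the old signature rather than the new one. Suggest `// ContainerVisitor is called with a pointer to each container in the pod spec.` and, for the function, `// visitContainers invokes the visitor for every init, regular and ephemeral container in the given pod spec, in that order.` (the replaced comment ended with a period; the new one drops it). Because each call passes `&podSpec.InitContainers[i]` and the equivalent for the other two lists, the callback aliases the spec being evaluated; stating in the comment that visitors must treat the container as read-only would make the contract explicit, since the checks in this package presumably only inspect the pod. The ephemeral-container conversion is unchanged by this commit and is not re-raised here.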