Merge pull request #115968 from stlaz/sc_accessors
add SeccompProfile to Pod and Container accessors/mutators
commit
388ad23561
@ -31,6 +31,7 @@ type PodSecurityContextAccessor interface {
|
||||
RunAsUser() *int64
|
||||
RunAsGroup() *int64
|
||||
RunAsNonRoot() *bool
|
||||
SeccompProfile() *api.SeccompProfile
|
||||
SupplementalGroups() []int64
|
||||
FSGroup() *int64
|
||||
}
|
||||
@ -46,6 +47,7 @@ type PodSecurityContextMutator interface {
|
||||
SetRunAsUser(*int64)
|
||||
SetRunAsGroup(*int64)
|
||||
SetRunAsNonRoot(*bool)
|
||||
SetSeccompProfile(*api.SeccompProfile)
|
||||
SetSupplementalGroups([]int64)
|
||||
SetFSGroup(*int64)
|
||||
|
||||
@ -171,6 +173,19 @@ func (w *podSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
|
||||
w.ensurePodSC()
|
||||
w.podSC.RunAsNonRoot = v
|
||||
}
|
||||
func (w *podSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
|
||||
if w.podSC == nil {
|
||||
return nil
|
||||
}
|
||||
return w.podSC.SeccompProfile
|
||||
}
|
||||
func (w *podSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
|
||||
if w.podSC == nil && p == nil {
|
||||
return
|
||||
}
|
||||
w.ensurePodSC()
|
||||
w.podSC.SeccompProfile = p
|
||||
}
|
||||
func (w *podSecurityContextWrapper) SupplementalGroups() []int64 {
|
||||
if w.podSC == nil {
|
||||
return nil
|
||||
@ -211,6 +226,7 @@ type ContainerSecurityContextAccessor interface {
|
||||
RunAsGroup() *int64
|
||||
RunAsNonRoot() *bool
|
||||
ReadOnlyRootFilesystem() *bool
|
||||
SeccompProfile() *api.SeccompProfile
|
||||
AllowPrivilegeEscalation() *bool
|
||||
}
|
||||
|
||||
@ -227,6 +243,7 @@ type ContainerSecurityContextMutator interface {
|
||||
SetRunAsGroup(*int64)
|
||||
SetRunAsNonRoot(*bool)
|
||||
SetReadOnlyRootFilesystem(*bool)
|
||||
SetSeccompProfile(*api.SeccompProfile)
|
||||
SetAllowPrivilegeEscalation(*bool)
|
||||
}
|
||||
|
||||
@ -357,6 +374,20 @@ func (w *containerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
|
||||
w.ensureContainerSC()
|
||||
w.containerSC.ReadOnlyRootFilesystem = v
|
||||
}
|
||||
func (w *containerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
|
||||
if w.containerSC == nil {
|
||||
return nil
|
||||
}
|
||||
return w.containerSC.SeccompProfile
|
||||
}
|
||||
func (w *containerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
|
||||
if w.containerSC == nil && p == nil {
|
||||
return
|
||||
}
|
||||
w.ensureContainerSC()
|
||||
w.containerSC.SeccompProfile = p
|
||||
}
|
||||
|
||||
func (w *containerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
|
||||
if w.containerSC == nil {
|
||||
return nil
|
||||
@ -464,6 +495,14 @@ func (w *effectiveContainerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *
|
||||
w.containerSC.SetReadOnlyRootFilesystem(v)
|
||||
}
|
||||
}
|
||||
func (w *effectiveContainerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
|
||||
return w.containerSC.SeccompProfile()
|
||||
}
|
||||
func (w *effectiveContainerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
|
||||
if !reflect.DeepEqual(w.SeccompProfile(), p) {
|
||||
w.containerSC.SetSeccompProfile(p)
|
||||
}
|
||||
}
|
||||
func (w *effectiveContainerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
|
||||
return w.containerSC.AllowPrivilegeEscalation()
|
||||
}
|
||||
|
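Review bot: effectiveContainerSecurityContextWrapper.SeccompProfile(), the three-line method added in the `@ -464,6 +495,14 @@` hunk, returns only `w.containerSC.SeccompProfile()` with no fallback to the pod-level profile, while the fixtures added in the `@ -493,12 +529,14 @@` and `@ -506,12 +544,14 @@` hunks of the test file declare an effective SeccompProfile of Unconfined when only the pod sets it and the container SC is nil or empty. No hunk in this commit adds an `a.SeccompProfile()` check to TestEffectiveContainerSecurityContextAccessor (the per-field checks added at `@ -73,6 +75,9 @@` and `@ -304,6 +324,9 @@` are in the pod and container accessor tests), so unless the assertion loop outside those hunks compares whole structs, the fixture and the accessor disagree without any test noticing. A caller that uses the effective accessor to decide which seccomp profile governs a container would then see nil and treat it as unrestricted even though the pod sets a profile. Assuming the effective wrapper holds the pod accessor (its fields are outside these hunks) and the intended precedence is container-over-pod as the fixtures imply, the body should be `if v := w.containerSC.SeccompProfile(); v != nil { return v }; return w.podSC.SeccompProfile()`, with a matching per-field check added to that test.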
@ -22,6 +22,7 @@ import (
|
||||
|
||||
"k8s.io/apimachinery/pkg/util/diff"
|
||||
api "k8s.io/kubernetes/pkg/apis/core"
|
||||
"k8s.io/utils/pointer"
|
||||
)
|
||||
|
||||
func TestPodSecurityContextAccessor(t *testing.T) {
|
||||
@ -41,6 +42,7 @@ func TestPodSecurityContextAccessor(t *testing.T) {
|
||||
{RunAsUser: &runAsUser},
|
||||
{RunAsGroup: &runAsGroup},
|
||||
{SELinuxOptions: &api.SELinuxOptions{User: "bob"}},
|
||||
{SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}},
|
||||
{SupplementalGroups: []int64{1, 2, 3}},
|
||||
}
|
||||
|
||||
@ -73,6 +75,9 @@ func TestPodSecurityContextAccessor(t *testing.T) {
|
||||
if v := a.RunAsGroup(); !reflect.DeepEqual(expected.RunAsGroup, v) {
|
||||
t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsGroup, v)
|
||||
}
|
||||
if v := a.SeccompProfile(); !reflect.DeepEqual(expected.SeccompProfile, v) {
|
||||
t.Errorf("%d: expected %#v, got %#v", i, expected.SeccompProfile, v)
|
||||
}
|
||||
if v := a.SELinuxOptions(); !reflect.DeepEqual(expected.SELinuxOptions, v) {
|
||||
t.Errorf("%d: expected %#v, got %#v", i, expected.SELinuxOptions, v)
|
||||
}
|
||||
@ -102,6 +107,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
|
||||
RunAsUser: nil,
|
||||
RunAsGroup: nil,
|
||||
RunAsNonRoot: nil,
|
||||
SeccompProfile: nil,
|
||||
SupplementalGroups: nil,
|
||||
FSGroup: nil,
|
||||
}
|
||||
@ -130,6 +136,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
|
||||
m.SetRunAsNonRoot(m.RunAsNonRoot())
|
||||
m.SetRunAsUser(m.RunAsUser())
|
||||
m.SetRunAsGroup(m.RunAsGroup())
|
||||
m.SetSeccompProfile(m.SeccompProfile())
|
||||
m.SetSELinuxOptions(m.SELinuxOptions())
|
||||
m.SetSupplementalGroups(m.SupplementalGroups())
|
||||
if !reflect.DeepEqual(sc, originalSC) {
|
||||
@ -240,6 +247,18 @@ func TestPodSecurityContextMutator(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// SeccompProfile
|
||||
{
|
||||
modifiedSC := nonNilSC(tc.newSC())
|
||||
m := NewPodSecurityContextMutator(tc.newSC())
|
||||
modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeLocalhost, LocalhostProfile: pointer.String("verylocalhostey")}
|
||||
m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeLocalhost, LocalhostProfile: pointer.String("verylocalhostey")})
|
||||
if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
|
||||
t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
// SupplementalGroups
|
||||
{
|
||||
modifiedSC := nonNilSC(tc.newSC())
|
||||
@ -272,6 +291,7 @@ func TestContainerSecurityContextAccessor(t *testing.T) {
|
||||
{RunAsGroup: &runAsGroup},
|
||||
{RunAsNonRoot: &runAsNonRoot},
|
||||
{ReadOnlyRootFilesystem: &readOnlyRootFilesystem},
|
||||
{SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}},
|
||||
{AllowPrivilegeEscalation: &allowPrivilegeEscalation},
|
||||
}
|
||||
|
||||
@ -304,6 +324,9 @@ func TestContainerSecurityContextAccessor(t *testing.T) {
|
||||
if v := a.ReadOnlyRootFilesystem(); !reflect.DeepEqual(expected.ReadOnlyRootFilesystem, v) {
|
||||
t.Errorf("%d: expected %#v, got %#v", i, expected.ReadOnlyRootFilesystem, v)
|
||||
}
|
||||
if v := a.SeccompProfile(); !reflect.DeepEqual(expected.SeccompProfile, v) {
|
||||
t.Errorf("%d: expected %#v, got %#v", i, expected.SeccompProfile, v)
|
||||
}
|
||||
if v := a.AllowPrivilegeEscalation(); !reflect.DeepEqual(expected.AllowPrivilegeEscalation, v) {
|
||||
t.Errorf("%d: expected %#v, got %#v", i, expected.AllowPrivilegeEscalation, v)
|
||||
}
|
||||
@ -325,6 +348,7 @@ func TestContainerSecurityContextMutator(t *testing.T) {
|
||||
return &api.SecurityContext{
|
||||
Capabilities: &api.Capabilities{Drop: []api.Capability{"test"}},
|
||||
SELinuxOptions: &api.SELinuxOptions{},
|
||||
SeccompProfile: &api.SeccompProfile{},
|
||||
}
|
||||
},
|
||||
},
|
||||
@ -450,6 +474,18 @@ func TestContainerSecurityContextMutator(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// SeccompProfile
|
||||
{
|
||||
modifiedSC := nonNilSC(tc.newSC())
|
||||
m := NewContainerSecurityContextMutator(tc.newSC())
|
||||
modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
|
||||
m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined})
|
||||
if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
|
||||
t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
// SELinuxOptions
|
||||
{
|
||||
modifiedSC := nonNilSC(tc.newSC())
|
||||
@ -493,12 +529,14 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
|
||||
{
|
||||
PodSC: &api.PodSecurityContext{
|
||||
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
|
||||
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
|
||||
RunAsUser: &runAsUser,
|
||||
RunAsNonRoot: &runAsNonRoot,
|
||||
},
|
||||
SC: nil,
|
||||
Effective: &api.SecurityContext{
|
||||
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
|
||||
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
|
||||
RunAsUser: &runAsUser,
|
||||
RunAsNonRoot: &runAsNonRoot,
|
||||
},
|
||||
@ -506,12 +544,14 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
|
||||
{
|
||||
PodSC: &api.PodSecurityContext{
|
||||
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
|
||||
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
|
||||
RunAsUser: &runAsUserPod,
|
||||
RunAsNonRoot: &runAsNonRootPod,
|
||||
},
|
||||
SC: &api.SecurityContext{},
|
||||
Effective: &api.SecurityContext{
|
||||
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
|
||||
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
|
||||
RunAsUser: &runAsUserPod,
|
||||
RunAsNonRoot: &runAsNonRootPod,
|
||||
},
|
||||
@ -519,6 +559,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
|
||||
{
|
||||
PodSC: &api.PodSecurityContext{
|
||||
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
|
||||
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
|
||||
RunAsUser: &runAsUserPod,
|
||||
RunAsNonRoot: &runAsNonRootPod,
|
||||
},
|
||||
@ -530,6 +571,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
|
||||
RunAsUser: &runAsUser,
|
||||
RunAsNonRoot: &runAsNonRoot,
|
||||
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
|
||||
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault},
|
||||
},
|
||||
Effective: &api.SecurityContext{
|
||||
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
|
||||
@ -539,6 +581,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
|
||||
RunAsUser: &runAsUser,
|
||||
RunAsNonRoot: &runAsNonRoot,
|
||||
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
|
||||
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault},
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -621,6 +664,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
|
||||
newPodSC: func() *api.PodSecurityContext {
|
||||
return &api.PodSecurityContext{
|
||||
SELinuxOptions: &api.SELinuxOptions{User: "poduser"},
|
||||
SeccompProfile: &api.SeccompProfile{},
|
||||
RunAsNonRoot: &runAsNonRootPod,
|
||||
RunAsUser: &runAsUserPod,
|
||||
}
|
||||
@ -635,6 +679,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
|
||||
return &api.SecurityContext{
|
||||
Capabilities: &api.Capabilities{Drop: []api.Capability{"test"}},
|
||||
SELinuxOptions: &api.SELinuxOptions{},
|
||||
SeccompProfile: &api.SeccompProfile{},
|
||||
}
|
||||
},
|
||||
},
|
||||
@ -667,6 +712,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
|
||||
m.SetRunAsUser(m.RunAsUser())
|
||||
m.SetRunAsGroup(m.RunAsGroup())
|
||||
m.SetSELinuxOptions(m.SELinuxOptions())
|
||||
m.SetSeccompProfile(m.SeccompProfile())
|
||||
if !reflect.DeepEqual(podSC, originalPodSC) {
|
||||
t.Errorf("%s: unexpected mutation: %#v, %#v", k, podSC, originalPodSC)
|
||||
}
|
||||
@ -789,6 +835,18 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// SeccompProfile
|
||||
{
|
||||
modifiedSC := nonNilSC(tc.newSC())
|
||||
m := NewContainerSecurityContextMutator(tc.newSC())
|
||||
modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
|
||||
m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined})
|
||||
if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
|
||||
t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
// SELinuxOptions
|
||||
{
|
||||
modifiedSC := nonNilSC(tc.newSC())
|
||||
|