Merge pull request #115968 from stlaz/sc_accessors

add SeccompProfile to Pod and Container accessors/mutators
2025-07-30 23:15:14 +00:00 · 2023-03-06 08:18:41 -08:00 · 2023-03-06 08:18:41 -08:00 · 388ad23561
commit 388ad23561
parent d6e9cff212 c4a2bb82db
2 changed files with 97 additions and 0 deletions
--- a/pkg/securitycontext/accessors.go
+++ b/pkg/securitycontext/accessors.go
@ -31,6 +31,7 @@ type PodSecurityContextAccessor interface {
 	RunAsUser() *int64
 	RunAsGroup() *int64
 	RunAsNonRoot() *bool
+	SeccompProfile() *api.SeccompProfile
 	SupplementalGroups() []int64
 	FSGroup() *int64
 }
@ -46,6 +47,7 @@ type PodSecurityContextMutator interface {
 	SetRunAsUser(*int64)
 	SetRunAsGroup(*int64)
 	SetRunAsNonRoot(*bool)
+	SetSeccompProfile(*api.SeccompProfile)
 	SetSupplementalGroups([]int64)
 	SetFSGroup(*int64)

@ -171,6 +173,19 @@ func (w *podSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
 	w.ensurePodSC()
 	w.podSC.RunAsNonRoot = v
 }
+func (w *podSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.SeccompProfile
+}
+func (w *podSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
+	if w.podSC == nil && p == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.SeccompProfile = p
+}
 func (w *podSecurityContextWrapper) SupplementalGroups() []int64 {
 	if w.podSC == nil {
 		return nil
@ -211,6 +226,7 @@ type ContainerSecurityContextAccessor interface {
 	RunAsGroup() *int64
 	RunAsNonRoot() *bool
 	ReadOnlyRootFilesystem() *bool
+	SeccompProfile() *api.SeccompProfile
 	AllowPrivilegeEscalation() *bool
 }

@ -227,6 +243,7 @@ type ContainerSecurityContextMutator interface {
 	SetRunAsGroup(*int64)
 	SetRunAsNonRoot(*bool)
 	SetReadOnlyRootFilesystem(*bool)
+	SetSeccompProfile(*api.SeccompProfile)
 	SetAllowPrivilegeEscalation(*bool)
 }

@ -357,6 +374,20 @@ func (w *containerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
 	w.ensureContainerSC()
 	w.containerSC.ReadOnlyRootFilesystem = v
 }
+func (w *containerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.SeccompProfile
+}
+func (w *containerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
+	if w.containerSC == nil && p == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.SeccompProfile = p
+}
+
 func (w *containerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
 	if w.containerSC == nil {
 		return nil
@ -464,6 +495,14 @@ func (w *effectiveContainerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *
 		w.containerSC.SetReadOnlyRootFilesystem(v)
 	}
 }
+func (w *effectiveContainerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
+	return w.containerSC.SeccompProfile()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
+	if !reflect.DeepEqual(w.SeccompProfile(), p) {
+		w.containerSC.SetSeccompProfile(p)
+	}
+}
 func (w *effectiveContainerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
 	return w.containerSC.AllowPrivilegeEscalation()
 }
--- a/pkg/securitycontext/accessors_test.go
+++ b/pkg/securitycontext/accessors_test.go
@ -22,6 +22,7 @@ import (

 	"k8s.io/apimachinery/pkg/util/diff"
 	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/utils/pointer"
 )

 func TestPodSecurityContextAccessor(t *testing.T) {
@ -41,6 +42,7 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 		{RunAsUser: &runAsUser},
 		{RunAsGroup: &runAsGroup},
 		{SELinuxOptions: &api.SELinuxOptions{User: "bob"}},
+		{SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}},
 		{SupplementalGroups: []int64{1, 2, 3}},
 	}

@ -73,6 +75,9 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 		if v := a.RunAsGroup(); !reflect.DeepEqual(expected.RunAsGroup, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsGroup, v)
 		}
+		if v := a.SeccompProfile(); !reflect.DeepEqual(expected.SeccompProfile, v) {
+			t.Errorf("%d: expected %#v, got %#v", i, expected.SeccompProfile, v)
+		}
 		if v := a.SELinuxOptions(); !reflect.DeepEqual(expected.SELinuxOptions, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.SELinuxOptions, v)
 		}
@ -102,6 +107,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
 					RunAsUser:          nil,
 					RunAsGroup:         nil,
 					RunAsNonRoot:       nil,
+					SeccompProfile:     nil,
 					SupplementalGroups: nil,
 					FSGroup:            nil,
 				}
@ -130,6 +136,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
 			m.SetRunAsNonRoot(m.RunAsNonRoot())
 			m.SetRunAsUser(m.RunAsUser())
 			m.SetRunAsGroup(m.RunAsGroup())
+			m.SetSeccompProfile(m.SeccompProfile())
 			m.SetSELinuxOptions(m.SELinuxOptions())
 			m.SetSupplementalGroups(m.SupplementalGroups())
 			if !reflect.DeepEqual(sc, originalSC) {
@ -240,6 +247,18 @@ func TestPodSecurityContextMutator(t *testing.T) {
 			}
 		}

+		// SeccompProfile
+		{
+			modifiedSC := nonNilSC(tc.newSC())
+			m := NewPodSecurityContextMutator(tc.newSC())
+			modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeLocalhost, LocalhostProfile: pointer.String("verylocalhostey")}
+			m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeLocalhost, LocalhostProfile: pointer.String("verylocalhostey")})
+			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
+				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
+				continue
+			}
+		}
+
 		// SupplementalGroups
 		{
 			modifiedSC := nonNilSC(tc.newSC())
@ -272,6 +291,7 @@ func TestContainerSecurityContextAccessor(t *testing.T) {
 		{RunAsGroup: &runAsGroup},
 		{RunAsNonRoot: &runAsNonRoot},
 		{ReadOnlyRootFilesystem: &readOnlyRootFilesystem},
+		{SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}},
 		{AllowPrivilegeEscalation: &allowPrivilegeEscalation},
 	}

@ -304,6 +324,9 @@ func TestContainerSecurityContextAccessor(t *testing.T) {
 		if v := a.ReadOnlyRootFilesystem(); !reflect.DeepEqual(expected.ReadOnlyRootFilesystem, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.ReadOnlyRootFilesystem, v)
 		}
+		if v := a.SeccompProfile(); !reflect.DeepEqual(expected.SeccompProfile, v) {
+			t.Errorf("%d: expected %#v, got %#v", i, expected.SeccompProfile, v)
+		}
 		if v := a.AllowPrivilegeEscalation(); !reflect.DeepEqual(expected.AllowPrivilegeEscalation, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.AllowPrivilegeEscalation, v)
 		}
@ -325,6 +348,7 @@ func TestContainerSecurityContextMutator(t *testing.T) {
 				return &api.SecurityContext{
 					Capabilities:   &api.Capabilities{Drop: []api.Capability{"test"}},
 					SELinuxOptions: &api.SELinuxOptions{},
+					SeccompProfile: &api.SeccompProfile{},
 				}
 			},
 		},
@ -450,6 +474,18 @@ func TestContainerSecurityContextMutator(t *testing.T) {
 			}
 		}

+		// SeccompProfile
+		{
+			modifiedSC := nonNilSC(tc.newSC())
+			m := NewContainerSecurityContextMutator(tc.newSC())
+			modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
+			m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined})
+			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
+				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
+				continue
+			}
+		}
+
 		// SELinuxOptions
 		{
 			modifiedSC := nonNilSC(tc.newSC())
@ -493,12 +529,14 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 		{
 			PodSC: &api.PodSecurityContext{
 				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
+				SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
 				RunAsUser:      &runAsUser,
 				RunAsNonRoot:   &runAsNonRoot,
 			},
 			SC: nil,
 			Effective: &api.SecurityContext{
 				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
+				SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
 				RunAsUser:      &runAsUser,
 				RunAsNonRoot:   &runAsNonRoot,
 			},
@ -506,12 +544,14 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 		{
 			PodSC: &api.PodSecurityContext{
 				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
+				SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
 				RunAsUser:      &runAsUserPod,
 				RunAsNonRoot:   &runAsNonRootPod,
 			},
 			SC: &api.SecurityContext{},
 			Effective: &api.SecurityContext{
 				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
+				SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
 				RunAsUser:      &runAsUserPod,
 				RunAsNonRoot:   &runAsNonRootPod,
 			},
@ -519,6 +559,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 		{
 			PodSC: &api.PodSecurityContext{
 				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
+				SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
 				RunAsUser:      &runAsUserPod,
 				RunAsNonRoot:   &runAsNonRootPod,
 			},
@ -530,6 +571,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 				RunAsUser:                &runAsUser,
 				RunAsNonRoot:             &runAsNonRoot,
 				SELinuxOptions:           &api.SELinuxOptions{User: "bob"},
+				SeccompProfile:           &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault},
 			},
 			Effective: &api.SecurityContext{
 				AllowPrivilegeEscalation: &allowPrivilegeEscalation,
@ -539,6 +581,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 				RunAsUser:                &runAsUser,
 				RunAsNonRoot:             &runAsNonRoot,
 				SELinuxOptions:           &api.SELinuxOptions{User: "bob"},
+				SeccompProfile:           &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault},
 			},
 		},
 		{
@ -621,6 +664,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
 			newPodSC: func() *api.PodSecurityContext {
 				return &api.PodSecurityContext{
 					SELinuxOptions: &api.SELinuxOptions{User: "poduser"},
+					SeccompProfile: &api.SeccompProfile{},
 					RunAsNonRoot:   &runAsNonRootPod,
 					RunAsUser:      &runAsUserPod,
 				}
@ -635,6 +679,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
 				return &api.SecurityContext{
 					Capabilities:   &api.Capabilities{Drop: []api.Capability{"test"}},
 					SELinuxOptions: &api.SELinuxOptions{},
+					SeccompProfile: &api.SeccompProfile{},
 				}
 			},
 		},
@ -667,6 +712,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
 			m.SetRunAsUser(m.RunAsUser())
 			m.SetRunAsGroup(m.RunAsGroup())
 			m.SetSELinuxOptions(m.SELinuxOptions())
+			m.SetSeccompProfile(m.SeccompProfile())
 			if !reflect.DeepEqual(podSC, originalPodSC) {
 				t.Errorf("%s: unexpected mutation: %#v, %#v", k, podSC, originalPodSC)
 			}
@ -789,6 +835,18 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
 			}
 		}

+		// SeccompProfile
+		{
+			modifiedSC := nonNilSC(tc.newSC())
+			m := NewContainerSecurityContextMutator(tc.newSC())
+			modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
+			m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined})
+			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
+				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
+				continue
+			}
+		}
+
 		// SELinuxOptions
 		{
 			modifiedSC := nonNilSC(tc.newSC())