From 059dee36f8493261cf29c2d94abfbd0587e2e6fd Mon Sep 17 00:00:00 2001
From: bmordeha
Date: Mon, 24 Feb 2025 15:09:22 +0200
Subject: [PATCH] Allow ImageVolume for Restricted PSA profiles

Stop referring to ImageVolume as an unknown type during pod security admission validation. Avoid restricting ImageVolume for the Restricted profile, as users who can create a pod with a certain image should also be able to use ImageVolume with an image.

Signed-off-by: bmordeha
---
 .../pod-security-admission/policy/check_restrictedVolumes.go | 2 ++
 .../policy/check_restrictedVolumes_test.go | 1 +
 2 files changed, 3 insertions(+)

diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go b/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go
index e171cdd60f1..06ae4890c92 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go
@@ -36,6 +36,7 @@ limits usage of inline pod volume sources to:
 * csi
 * persistentVolumeClaim
 * ephemeral
+* image
 
 **Restricted Fields:**
 
@@ -95,6 +96,7 @@ func restrictedVolumes_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSp
 			volume.DownwardAPI != nil,
 			volume.EmptyDir != nil,
 			volume.Ephemeral != nil,
+			volume.Image != nil,
 			volume.PersistentVolumeClaim != nil,
 			volume.Projected != nil,
 			volume.Secret != nil:
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes_test.go
index 45b08235bdb..611ef3c0550 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes_test.go
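Review bot: Adding `volume.Image != nil` to the allowed case list inside `restrictedVolumes_1_0` relaxes the Restricted policy retroactively: this package versions its checks, and the `_1_0` function appears to be the implementation that every existing Restricted version resolves to, so clusters pinned to an older `restricted` version will start admitting image volumes on upgrade rather than only those opting into a newer policy version. If that is the intended outcome (the description argues that an image volume grants no access beyond images the pod may already run), a short comment above the case list would make the decision visible to future readers, e.g. `// Image volumes only expose content from a container image the pod could already pull, so they are permitted at every Restricted version.`; if it is not, the relaxation belongs in a newly versioned check with the 1.0 behaviour left intact. The same consideration applies to the first hunk's doc comment, which now lists `image` for all versions. `restrictedVolumes_1_0` starts before and ends after this hunk, so the fallthrough that classifies remaining types as unknown is not visible here.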
@@ -42,6 +42,7 @@ func TestRestrictedVolumes(t *testing.T) {
 					{Name: "a6", VolumeSource: corev1.VolumeSource{Projected: &corev1.ProjectedVolumeSource{}}},
 					{Name: "a7", VolumeSource: corev1.VolumeSource{CSI: &corev1.CSIVolumeSource{}}},
 					{Name: "a8", VolumeSource: corev1.VolumeSource{Ephemeral: &corev1.EphemeralVolumeSource{}}},
+					{Name: "a9", VolumeSource: corev1.VolumeSource{Image: &corev1.ImageVolumeSource{}}},
 					// known restricted types
 					{Name: "b1", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{}}},