github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 10:51:29 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #113111 from liggitt/selinux-msg

Browse Source 
Fix SELinux PodSecurity message when only user or role are set
This commit is contained in:
Kubernetes Prow Robot 2022-10-18 14:01:12 -07:00 committed by GitHub
commit 48dbfffaf6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 42 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
View File

@ -137,12 +137,12 @@ func seLinuxOptions_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec)
pluralize("type", "types", len(badTypes)), pluralize("type", "types", len(badTypes)),
joinQuote(badTypes.List()), joinQuote(badTypes.List()),
)) ))
if setUser { }
badData = append(badData, "user may not be set") if setUser {
} badData = append(badData, "user may not be set")
if setRole { }
badData = append(badData, "role may not be set") if setRole {
} badData = append(badData, "role may not be set")
} }
return CheckResult{ return CheckResult{

36
staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions_test.go
View File

@ -118,6 +118,42 @@ func TestSELinuxOptions(t *testing.T) {
expectReason: `seLinuxOptions`, expectReason: `seLinuxOptions`,
expectDetail: `containers "d", "e", "f" set forbidden securityContext.seLinuxOptions: type "bar"; user may not be set; role may not be set`, expectDetail: `containers "d", "e", "f" set forbidden securityContext.seLinuxOptions: type "bar"; user may not be set; role may not be set`,
}, },
{
name: "bad type",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
SELinuxOptions: &corev1.SELinuxOptions{
Type: "bad",
},
},
}},
expectReason: `seLinuxOptions`,
expectDetail: `pod set forbidden securityContext.seLinuxOptions: type "bad"`,
},
{
name: "bad user",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
SELinuxOptions: &corev1.SELinuxOptions{
User: "bad",
},
},
}},
expectReason: `seLinuxOptions`,
expectDetail: `pod set forbidden securityContext.seLinuxOptions: user may not be set`,
},
{
name: "bad role",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
SELinuxOptions: &corev1.SELinuxOptions{
Role: "bad",
},
},
}},
expectReason: `seLinuxOptions`,
expectDetail: `pod set forbidden securityContext.seLinuxOptions: role may not be set`,
},
} }
for _, tc := range tests { for _, tc := range tests {