Merge pull request #113111 from liggitt/selinux-msg

Fix SELinux PodSecurity message when only user or role are set
2025-07-20 18:31:15 +00:00 · 2022-10-18 14:01:12 -07:00 · 2022-10-18 14:01:12 -07:00 · 48dbfffaf6
commit 48dbfffaf6
parent fe9c94ec02 5f75c39cb0
2 changed files with 42 additions and 6 deletions
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
@ -137,12 +137,12 @@ func seLinuxOptions_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec)
 				pluralize("type", "types", len(badTypes)),
 				joinQuote(badTypes.List()),
 			))
-			if setUser {
-				badData = append(badData, "user may not be set")
-			}
-			if setRole {
-				badData = append(badData, "role may not be set")
-			}
+		}
+		if setUser {
+			badData = append(badData, "user may not be set")
+		}
+		if setRole {
+			badData = append(badData, "role may not be set")
 		}

 		return CheckResult{
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions_test.go
@ -118,6 +118,42 @@ func TestSELinuxOptions(t *testing.T) {
 			expectReason: `seLinuxOptions`,
 			expectDetail: `containers "d", "e", "f" set forbidden securityContext.seLinuxOptions: type "bar"; user may not be set; role may not be set`,
 		},
+		{
+			name: "bad type",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						Type: "bad",
+					},
+				},
+			}},
+			expectReason: `seLinuxOptions`,
+			expectDetail: `pod set forbidden securityContext.seLinuxOptions: type "bad"`,
+		},
+		{
+			name: "bad user",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						User: "bad",
+					},
+				},
+			}},
+			expectReason: `seLinuxOptions`,
+			expectDetail: `pod set forbidden securityContext.seLinuxOptions: user may not be set`,
+		},
+		{
+			name: "bad role",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						Role: "bad",
+					},
+				},
+			}},
+			expectReason: `seLinuxOptions`,
+			expectDetail: `pod set forbidden securityContext.seLinuxOptions: role may not be set`,
+		},
 	}

 	for _, tc := range tests {