diff --git a/pkg/api/testing/fuzzer.go b/pkg/api/testing/fuzzer.go
index 1807dd5c004..7dabebf903a 100644
--- a/pkg/api/testing/fuzzer.go
+++ b/pkg/api/testing/fuzzer.go
@@ -408,10 +408,10 @@ func FuzzerFor(t *testing.T, version unversioned.GroupVersion, src rand.Source)
 },
 func(psp *extensions.PodSecurityPolicySpec, c fuzz.Continue) {
 c.FuzzNoCustom(psp) // fuzz self without calling this function again
- userTypes := []extensions.RunAsUserStrategy{extensions.RunAsUserStrategyMustRunAsNonRoot, extensions.RunAsUserStrategyMustRunAs, extensions.RunAsUserStrategyRunAsAny}
- psp.RunAsUser.Type = userTypes[c.Rand.Intn(len(userTypes))]
- seLinuxTypes := []extensions.SELinuxContextStrategy{extensions.SELinuxStrategyRunAsAny, extensions.SELinuxStrategyMustRunAs}
- psp.SELinuxContext.Type = seLinuxTypes[c.Rand.Intn(len(seLinuxTypes))]
+ runAsUserRules := []extensions.RunAsUserStrategy{extensions.RunAsUserStrategyMustRunAsNonRoot, extensions.RunAsUserStrategyMustRunAs, extensions.RunAsUserStrategyRunAsAny}
+ psp.RunAsUser.Rule = runAsUserRules[c.Rand.Intn(len(runAsUserRules))]
+ seLinuxRules := []extensions.SELinuxStrategy{extensions.SELinuxStrategyRunAsAny, extensions.SELinuxStrategyMustRunAs}
+ psp.SELinux.Rule = seLinuxRules[c.Rand.Intn(len(seLinuxRules))]
 },
 )
 return f
diff --git a/pkg/apis/extensions/types.go b/pkg/apis/extensions/types.go
index 176349c366d..fa6b3572381 100644
--- a/pkg/apis/extensions/types.go
+++ b/pkg/apis/extensions/types.go
@@ -845,8 +845,8 @@ type PodSecurityPolicySpec struct {
 HostPID bool `json:"hostPID,omitempty"`
 // HostIPC determines if the policy allows the use of HostIPC in the pod spec.
 HostIPC bool `json:"hostIPC,omitempty"`
- // SELinuxContext is the strategy that will dictate the allowable labels that may be set.
- SELinuxContext SELinuxContextStrategyOptions `json:"seLinuxContext,omitempty"`
+ // SELinux is the strategy that will dictate the allowable labels that may be set.
+ SELinux SELinuxStrategyOptions `json:"seLinux,omitempty"`
 // RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
 RunAsUser RunAsUserStrategyOptions `json:"runAsUser,omitempty"`
 }
@@ -881,30 +881,30 @@ var (
 FC FSType = "fc"
 )
-// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
-type SELinuxContextStrategyOptions struct {
- // Type is the strategy that will dictate the allowable labels that may be set.
- Type SELinuxContextStrategy `json:"type"`
+// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
+type SELinuxStrategyOptions struct {
+ // Rule is the strategy that will dictate the allowable labels that may be set.
+ Rule SELinuxStrategy `json:"rule"`
 // seLinuxOptions required to run as; required for MustRunAs
 // More info: http://releases.k8s.io/HEAD/docs/design/security_context.md#security-context
 SELinuxOptions *api.SELinuxOptions `json:"seLinuxOptions,omitempty"`
 }
-// SELinuxContextStrategyType denotes strategy types for generating SELinux options for a
-// SecurityContext.
-type SELinuxContextStrategy string
+// SELinuxStrategy denotes strategy types for generating SELinux options for a
+// Security.
+type SELinuxStrategy string
 const (
 // container must have SELinux labels of X applied.
- SELinuxStrategyMustRunAs SELinuxContextStrategy = "MustRunAs"
+ SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
 // container may make requests for any SELinux context labels.
- SELinuxStrategyRunAsAny SELinuxContextStrategy = "RunAsAny"
+ SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
 )
 // RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
 type RunAsUserStrategyOptions struct {
- // Type is the strategy that will dictate the allowable RunAsUser values that may be set.
- Type RunAsUserStrategy `json:"type"`
+ // Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+ Rule RunAsUserStrategy `json:"rule"`
 // Ranges are the allowed ranges of uids that may be used.
 Ranges []IDRange `json:"ranges,omitempty"`
 }
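Review bot: The doc comment on the new `SELinuxStrategy` type now ends with the line `// Security.` — the mechanical replacement of "SELinuxContext" turned "SecurityContext." into "Security.", so the sentence no longer says what the strategy generates options for. The v1beta1 copy of the same type later in this commit keeps "Security Context." and the internal `RunAsUserStrategy` comment in the next hunk keeps "SecurityContext.", so this one is the odd one out. Restore it as `// SecurityContext.`.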
@@ -917,7 +917,7 @@ type IDRange struct {
 Max int64 `json:"max"`
 }
-// RunAsUserStrategyType denotes strategy types for generating RunAsUser values for a
+// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
 // SecurityContext.
 type RunAsUserStrategy string
diff --git a/pkg/apis/extensions/v1beta1/types.go b/pkg/apis/extensions/v1beta1/types.go
index 1d7a483ac66..3b9462aae98 100644
--- a/pkg/apis/extensions/v1beta1/types.go
+++ b/pkg/apis/extensions/v1beta1/types.go
@@ -932,8 +932,8 @@ type PodSecurityPolicySpec struct {
 HostPID bool `json:"hostPID,omitempty"`
 // hostIPC determines if the policy allows the use of HostIPC in the pod spec.
 HostIPC bool `json:"hostIPC,omitempty"`
- // seLinuxContext is the strategy that will dictate the allowable labels that may be set.
- SELinuxContext SELinuxContextStrategyOptions `json:"seLinuxContext,omitempty"`
+ // seLinux is the strategy that will dictate the allowable labels that may be set.
+ SELinux SELinuxStrategyOptions `json:"seLinux,omitempty"`
 // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
 RunAsUser RunAsUserStrategyOptions `json:"runAsUser,omitempty"`
 }
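Review bot: The wire name of the v1beta1 `PodSecurityPolicySpec` field changes from `seLinuxContext` to `seLinux` here, and the strategy key from `type` to `rule` in the next hunk, with no conversion or defaulting for the old names anywhere in this commit. If any PodSecurityPolicy objects have already been persisted or published under v1beta1, they will decode with an empty `Rule`, which the validation changed later in this commit rejects as an unsupported value on the next write; if the resource has not shipped yet, that is acceptable but worth stating in the commit description. A short note on the v1beta1 field would save the next reader the same question, e.g. `// seLinux is the strategy that will dictate the allowable labels that may be set. Renamed from seLinuxContext before the resource was released; no compatibility shim exists for the old name.`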
@@ -968,30 +968,30 @@ type HostPortRange struct {
 Max int32 `json:"max"`
 }
-// SELinux Context Strategy Options defines the strategy type and any options used to create the strategy.
-type SELinuxContextStrategyOptions struct {
+// SELinux Strategy Options defines the strategy type and any options used to create the strategy.
+type SELinuxStrategyOptions struct {
 // type is the strategy that will dictate the allowable labels that may be set.
- Type SELinuxContextStrategy `json:"type"`
+ Rule SELinuxStrategy `json:"rule"`
 // seLinuxOptions required to run as; required for MustRunAs
 // More info: http://releases.k8s.io/HEAD/docs/design/security_context.md#security-context
 SELinuxOptions *v1.SELinuxOptions `json:"seLinuxOptions,omitempty"`
 }
-// SELinux Context Strategy Type denotes strategy types for generating SELinux options for a
+// SELinuxStrategy denotes strategy types for generating SELinux options for a
 // Security Context.
-type SELinuxContextStrategy string
+type SELinuxStrategy string
 const (
 // container must have SELinux labels of X applied.
- SELinuxStrategyMustRunAs SELinuxContextStrategy = "MustRunAs"
+ SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
 // container may make requests for any SELinux context labels.
- SELinuxStrategyRunAsAny SELinuxContextStrategy = "RunAsAny"
+ SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
 )
 // Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.
 type RunAsUserStrategyOptions struct {
- // type is the strategy that will dictate the allowable RunAsUser values that may be set.
- Type RunAsUserStrategy `json:"type"`
+ // Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+ Rule RunAsUserStrategy `json:"rule"`
 // Ranges are the allowed ranges of uids that may be used.
 Ranges []IDRange `json:"ranges,omitempty"`
 }
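Review bot: In the v1beta1 `SELinuxStrategyOptions` the field becomes `Rule` but its doc comment, left untouched as a context line, still reads `// type is the strategy that will dictate the allowable labels that may be set.`; the `RunAsUserStrategyOptions` comment in the same hunk was updated, so this one was missed. Change it to `// rule is the strategy that will dictate the allowable labels that may be set.` — this file documents fields by their lower-case JSON name (`// seLinux is …`, `// runAsUser is …` in the previous hunk), so the new `// Rule is …` on `RunAsUserStrategyOptions` should follow the same convention. The pre-existing `// Run A sUser Strategy Options` typo in the context lines could be fixed in the same pass.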
@@ -1004,7 +1004,7 @@ type IDRange struct {
 Max int64 `json:"max"`
 }
-// Run As User Strategy Type denotes strategy types for generating RunAsUser values for a
+// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
 // Security Context.
 type RunAsUserStrategy string
diff --git a/pkg/apis/extensions/validation/validation.go b/pkg/apis/extensions/validation/validation.go
index 70c40a53f26..e249ab965ba 100644
--- a/pkg/apis/extensions/validation/validation.go
+++ b/pkg/apis/extensions/validation/validation.go
@@ -759,21 +759,21 @@ func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPa
 allErrs := field.ErrorList{}
 allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...)
- allErrs = append(allErrs, validatePSPSELinuxContext(fldPath.Child("seLinuxContext"), &spec.SELinuxContext)...)
+ allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...)
 allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
 return allErrs
 }
-// validatePSPSELinuxContext validates the SELinuxContext fields of PodSecurityPolicy.
-func validatePSPSELinuxContext(fldPath *field.Path, seLinuxContext *extensions.SELinuxContextStrategyOptions) field.ErrorList {
+// validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
+func validatePSPSELinux(fldPath *field.Path, seLinux *extensions.SELinuxStrategyOptions) field.ErrorList {
 allErrs := field.ErrorList{}
- // ensure the selinux strategy has a valid type
- supportedSELinuxContextTypes := sets.NewString(string(extensions.SELinuxStrategyMustRunAs),
+ // ensure the selinux strategy has a valid rule
+ supportedSELinuxRules := sets.NewString(string(extensions.SELinuxStrategyMustRunAs),
 string(extensions.SELinuxStrategyRunAsAny))
- if !supportedSELinuxContextTypes.Has(string(seLinuxContext.Type)) {
- allErrs = append(allErrs, field.NotSupported(fldPath.Child("type"), seLinuxContext.Type, supportedSELinuxContextTypes.List()))
+ if !supportedSELinuxRules.Has(string(seLinux.Rule)) {
+ allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), seLinux.Rule, supportedSELinuxRules.List()))
 }
 return allErrs
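Review bot: `validatePSPSELinux` only checks that `seLinux.Rule` is one of the supported values; the type's own comment in this commit says `SELinuxOptions` is "required for MustRunAs", yet a spec with `Rule: MustRunAs` and a nil `SELinuxOptions` passes here and is only caught, if at all, wherever the strategy is later instantiated (not visible in this diff). Rejecting it at admission is cheaper and gives the user a field path instead of a runtime failure: after the supported-values check, add `if seLinux.Rule == extensions.SELinuxStrategyMustRunAs && seLinux.SELinuxOptions == nil { allErrs = append(allErrs, field.Required(fldPath.Child("seLinuxOptions"), "required when rule is MustRunAs")) }`. The function's closing brace lies outside this hunk.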
@@ -783,12 +783,12 @@ func validatePSPSELinuxContext(fldPath *field.Path, seLinuxContext *extensions.S
 func validatePSPRunAsUser(fldPath *field.Path, runAsUser *extensions.RunAsUserStrategyOptions) field.ErrorList {
 allErrs := field.ErrorList{}
- // ensure the user strategy has a valid type
- supportedRunAsUserTypes := sets.NewString(string(extensions.RunAsUserStrategyMustRunAs),
+ // ensure the user strategy has a valid rule
+ supportedRunAsUserRules := sets.NewString(string(extensions.RunAsUserStrategyMustRunAs),
 string(extensions.RunAsUserStrategyMustRunAsNonRoot),
 string(extensions.RunAsUserStrategyRunAsAny))
- if !supportedRunAsUserTypes.Has(string(runAsUser.Type)) {
- allErrs = append(allErrs, field.NotSupported(fldPath.Child("type"), runAsUser.Type, supportedRunAsUserTypes.List()))
+ if !supportedRunAsUserRules.Has(string(runAsUser.Rule)) {
+ allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsUser.Rule, supportedRunAsUserRules.List()))
 }
 // validate range settings
diff --git a/pkg/apis/extensions/validation/validation_test.go b/pkg/apis/extensions/validation/validation_test.go
index ce6f8aecc4f..e93f8f3f2ab 100644
--- a/pkg/apis/extensions/validation/validation_test.go
+++ b/pkg/apis/extensions/validation/validation_test.go
@@ -1898,27 +1898,27 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 return &extensions.PodSecurityPolicy{
 ObjectMeta: api.ObjectMeta{Name: "foo"},
 Spec: extensions.PodSecurityPolicySpec{
- SELinuxContext: extensions.SELinuxContextStrategyOptions{
- Type: extensions.SELinuxStrategyRunAsAny,
+ SELinux: extensions.SELinuxStrategyOptions{
+ Rule: extensions.SELinuxStrategyRunAsAny,
 },
 RunAsUser: extensions.RunAsUserStrategyOptions{
- Type: extensions.RunAsUserStrategyRunAsAny,
+ Rule: extensions.RunAsUserStrategyRunAsAny,
 },
 },
 }
 }
 noUserOptions := validSCC()
- noUserOptions.Spec.RunAsUser.Type = ""
+ noUserOptions.Spec.RunAsUser.Rule = ""
 noSELinuxOptions := validSCC()
- noSELinuxOptions.Spec.SELinuxContext.Type = ""
+ noSELinuxOptions.Spec.SELinux.Rule = ""
- invalidUserStratType := validSCC()
- invalidUserStratType.Spec.RunAsUser.Type = "invalid"
+ invalidUserStratRule := validSCC()
+ invalidUserStratRule.Spec.RunAsUser.Rule = "invalid"
- invalidSELinuxStratType := validSCC()
- invalidSELinuxStratType.Spec.SELinuxContext.Type = "invalid"
+ invalidSELinuxStratRule := validSCC()
+ invalidSELinuxStratRule.Spec.SELinux.Rule = "invalid"
 missingObjectMetaName := validSCC()
 missingObjectMetaName.ObjectMeta.Name = ""
@@ -1950,12 +1950,12 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 scc: noSELinuxOptions,
 errorDetail: "supported values: MustRunAs, RunAsAny",
 },
- "invalid user strategy type": {
- scc: invalidUserStratType,
+ "invalid user strategy rule": {
+ scc: invalidUserStratRule,
 errorDetail: "supported values: MustRunAs, MustRunAsNonRoot, RunAsAny",
 },
- "invalid selinux strategy type": {
- scc: invalidSELinuxStratType,
+ "invalid selinux strategy rule": {
+ scc: invalidSELinuxStratRule,
 errorDetail: "supported values: MustRunAs, RunAsAny",
 },
 "missing object meta name": {
@@ -1983,17 +1983,17 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 }
 mustRunAs := validSCC()
- mustRunAs.Spec.RunAsUser.Type = extensions.RunAsUserStrategyMustRunAs
+ mustRunAs.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
 mustRunAs.Spec.RunAsUser.Ranges = []extensions.IDRange{
 {
 Min: 1,
 Max: 1,
 },
 }
- mustRunAs.Spec.SELinuxContext.Type = extensions.SELinuxStrategyMustRunAs
+ mustRunAs.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs
 runAsNonRoot := validSCC()
- runAsNonRoot.Spec.RunAsUser.Type = extensions.RunAsUserStrategyMustRunAsNonRoot
+ runAsNonRoot.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAsNonRoot
 successCases := map[string]struct {
 scc *extensions.PodSecurityPolicy
diff --git a/pkg/kubectl/resource_printer.go b/pkg/kubectl/resource_printer.go
index 5d58ebb6eb4..bd3c8f2053c 100644
--- a/pkg/kubectl/resource_printer.go
+++ b/pkg/kubectl/resource_printer.go
@@ -1669,8 +1669,8 @@ func printConfigMapList(list *api.ConfigMapList, w io.Writer, options PrintOptio
 func printPodSecurityPolicy(item *extensions.PodSecurityPolicy, w io.Writer, options PrintOptions) error {
 _, err := fmt.Fprintf(w, "%s\t%t\t%v\t%t\t%s\t%s\n", item.Name, item.Spec.Privileged,
- item.Spec.Capabilities, item.Spec.Volumes, item.Spec.SELinuxContext.Type,
- item.Spec.RunAsUser.Type)
+ item.Spec.Capabilities, item.Spec.Volumes, item.Spec.SELinux.Rule,
+ item.Spec.RunAsUser.Rule)
 return err
 }
diff --git a/pkg/registry/podsecuritypolicy/etcd/etcd_test.go b/pkg/registry/podsecuritypolicy/etcd/etcd_test.go
index e2f0b373a81..6c47bb0fda3 100644
--- a/pkg/registry/podsecuritypolicy/etcd/etcd_test.go
+++ b/pkg/registry/podsecuritypolicy/etcd/etcd_test.go
@@ -43,11 +43,11 @@ func validNewPodSecurityPolicy() *extensions.PodSecurityPolicy {
 Name: "foo",
 },
 Spec: extensions.PodSecurityPolicySpec{
- SELinuxContext: extensions.SELinuxContextStrategyOptions{
- Type: extensions.SELinuxStrategyRunAsAny,
+ SELinux: extensions.SELinuxStrategyOptions{
+ Rule: extensions.SELinuxStrategyRunAsAny,
 },
 RunAsUser: extensions.RunAsUserStrategyOptions{
- Type: extensions.RunAsUserStrategyRunAsAny,
+ Rule: extensions.RunAsUserStrategyRunAsAny,
 },
 },
 }
diff --git a/pkg/securitycontext/util.go b/pkg/securitycontext/util.go
index 893a4d825fa..32b97af2388 100644
--- a/pkg/securitycontext/util.go
+++ b/pkg/securitycontext/util.go
@@ -47,16 +47,16 @@ func HasCapabilitiesRequest(container *api.Container) bool {
 return len(container.SecurityContext.Capabilities.Add) > 0 || len(container.SecurityContext.Capabilities.Drop) > 0
 }
-const expectedSELinuxContextFields = 4
+const expectedSELinuxFields = 4
 // ParseSELinuxOptions parses a string containing a full SELinux context
 // (user, role, type, and level) into an SELinuxOptions object. If the
 // context is malformed, an error is returned.
 func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error) {
- fields := strings.SplitN(context, ":", expectedSELinuxContextFields)
+ fields := strings.SplitN(context, ":", expectedSELinuxFields)
- if len(fields) != expectedSELinuxContextFields {
- return nil, fmt.Errorf("expected %v fields in selinuxcontext; got %v (context: %v)", expectedSELinuxContextFields, len(fields), context)
+ if len(fields) != expectedSELinuxFields {
+ return nil, fmt.Errorf("expected %v fields in selinux; got %v (context: %v)", expectedSELinuxFields, len(fields), context)
 }
 return &api.SELinuxOptions{
diff --git a/pkg/volume/empty_dir/empty_dir.go b/pkg/volume/empty_dir/empty_dir.go
index 4d862930408..bec81a340d7 100644
--- a/pkg/volume/empty_dir/empty_dir.go
+++ b/pkg/volume/empty_dir/empty_dir.go
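Review bot: The rename overshoots in `ParseSELinuxOptions`: `expectedSELinuxContextFields` and the message `expected %v fields in selinuxcontext` described the SELinux context string being parsed (`user:role:type:level`, as the function's own doc comment says), not the PodSecurityPolicy field this commit renames, so `expectedSELinuxFields` and `expected %v fields in selinux` are less precise than what they replace, and the error text is what operators will search for. The same mechanical substitution hits `setupTmpfs` in `pkg/volume/empty_dir/empty_dir.go`, whose parameter is now `selinux` while its doc comment still says "specified SELinux context" and the value is emitted as a `rootcontext=` mount option, and `expectedSELinuxContext` in `pkg/volume/empty_dir/empty_dir_test.go`. In these three files keep the original identifiers and message, or pick names that still say what the value is (`selinuxContext`, `expectedSELinuxContextFields`); the function's return statement continues past this hunk.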
@@ -200,7 +200,7 @@ func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error {
 // setupTmpfs creates a tmpfs mount at the specified directory with the
 // specified SELinux context.
-func (ed *emptyDir) setupTmpfs(dir string, selinuxContext string) error {
+func (ed *emptyDir) setupTmpfs(dir string, selinux string) error {
 if ed.mounter == nil {
 return fmt.Errorf("memory storage requested, but mounter is nil")
 }
@@ -221,8 +221,8 @@ func (ed *emptyDir) setupTmpfs(dir string, selinuxContext string) error {
 // By default a tmpfs mount will receive a different SELinux context
 // which is not readable from the SELinux context of a docker container.
 var opts []string
- if selinuxContext != "" {
- opts = []string{fmt.Sprintf("rootcontext=\"%v\"", selinuxContext)}
+ if selinux != "" {
+ opts = []string{fmt.Sprintf("rootcontext=\"%v\"", selinux)}
 } else {
 opts = []string{}
 }
diff --git a/pkg/volume/empty_dir/empty_dir_test.go b/pkg/volume/empty_dir/empty_dir_test.go
index 9ba7c7f9d2b..df7c411257d 100644
--- a/pkg/volume/empty_dir/empty_dir_test.go
+++ b/pkg/volume/empty_dir/empty_dir_test.go
@@ -88,7 +88,7 @@ func TestPluginRootContextSet(t *testing.T) {
 doTestPlugin(t, pluginTestConfig{
 medium: api.StorageMediumDefault,
 rootContext: "user:role:type:range",
- expectedSELinuxContext: "user:role:type:range",
+ expectedSELinux: "user:role:type:range",
 expectedSetupMounts: 0,
 expectedTeardownMounts: 0})
 }
@@ -101,7 +101,7 @@ func TestPluginTmpfs(t *testing.T) {
 doTestPlugin(t, pluginTestConfig{
 medium: api.StorageMediumMemory,
 rootContext: "user:role:type:range",
- expectedSELinuxContext: "user:role:type:range",
+ expectedSELinux: "user:role:type:range",
 expectedSetupMounts: 1,
 shouldBeMountedBeforeTeardown: true,
 expectedTeardownMounts: 1})
@@ -112,7 +112,7 @@ type pluginTestConfig struct {
 rootContext string
 SELinuxOptions *api.SELinuxOptions
 idempotent bool
- expectedSELinuxContext string
+ expectedSELinux string
 expectedSetupMounts int
 shouldBeMountedBeforeTeardown bool
 expectedTeardownMounts int