github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 19:01:49 +00:00
Code Issues Projects Releases Wiki Activity

refuse serviceaccount projection volume request when pod has no serviceaccount bounded

Browse Source
This commit is contained in:
WanLinghao 2018-07-27 10:52:36 +08:00
parent 6764a79586
commit 5a27ee9282
2 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/apis/core/validation/validation.go
View File

@ -2913,6 +2913,20 @@ func ValidatePod(pod *core.Pod) field.ErrorList {
// this was done to preserve backwards compatibility // this was done to preserve backwards compatibility
specPath := field.NewPath("spec") specPath := field.NewPath("spec")
if pod.Spec.ServiceAccountName == "" {
for vi, volume := range pod.Spec.Volumes {
path := specPath.Child("volumes").Index(vi).Child("projected")
if volume.Projected != nil {
for si, source := range volume.Projected.Sources {
saPath := path.Child("sources").Index(si).Child("serviceAccountToken")
if source.ServiceAccountToken != nil {
allErrs = append(allErrs, field.Forbidden(saPath, "must not be specified when serviceAccountName is not set"))
}
}
}
}
}
allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.Containers, specPath.Child("containers"))...) allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.Containers, specPath.Child("containers"))...)
allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.InitContainers, specPath.Child("initContainers"))...) allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.InitContainers, specPath.Child("initContainers"))...)

29
pkg/apis/core/validation/validation_test.go
View File

@ -7670,6 +7670,35 @@ func TestValidatePod(t *testing.T) {
}, },
}, },
}, },
"serviceaccount token projected volume with no serviceaccount name specified": {
expectedError: "must not be specified when serviceAccountName is not set",
spec: core.Pod{
ObjectMeta: metav1.ObjectMeta{Name: "123", Namespace: "ns"},
Spec: core.PodSpec{
Containers: []core.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
RestartPolicy: core.RestartPolicyAlways,
DNSPolicy: core.DNSClusterFirst,
Volumes: []core.Volume{
{
Name: "projected-volume",
VolumeSource: core.VolumeSource{
Projected: &core.ProjectedVolumeSource{
Sources: []core.VolumeProjection{
{
ServiceAccountToken: &core.ServiceAccountTokenProjection{
Audience: "foo-audience",
ExpirationSeconds: 6000,
Path: "foo-path",
},
},
},
},
},
},
},
},
},
},
} }
for k, v := range errorCases { for k, v := range errorCases {
if errs := ValidatePod(&v.spec); len(errs) == 0 { if errs := ValidatePod(&v.spec); len(errs) == 0 {