Merge pull request #126011 from haircommander/sc-userns

securitycontext: add support for HostUsers
2025-07-25 12:43:23 +00:00 · 2024-07-11 12:16:16 -07:00 · 2024-07-11 12:16:16 -07:00 · 5b3040d12a
commit 5b3040d12a
parent ccbbbc0f1f de3f5be0f2
2 changed files with 35 additions and 0 deletions
--- a/pkg/securitycontext/accessors.go
+++ b/pkg/securitycontext/accessors.go
@ -27,6 +27,7 @@ type PodSecurityContextAccessor interface {
 	HostNetwork() bool
 	HostPID() bool
 	HostIPC() bool
+	HostUsers() *bool
 	SELinuxOptions() *api.SELinuxOptions
 	RunAsUser() *int64
 	RunAsGroup() *int64
@ -43,6 +44,7 @@ type PodSecurityContextMutator interface {
 	SetHostNetwork(bool)
 	SetHostPID(bool)
 	SetHostIPC(bool)
+	SetHostUsers(*bool)
 	SetSELinuxOptions(*api.SELinuxOptions)
 	SetRunAsUser(*int64)
 	SetRunAsGroup(*int64)
@ -120,6 +122,19 @@ func (w *podSecurityContextWrapper) SetHostIPC(v bool) {
 	w.ensurePodSC()
 	w.podSC.HostIPC = v
 }
+func (w *podSecurityContextWrapper) HostUsers() *bool {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.HostUsers
+}
+func (w *podSecurityContextWrapper) SetHostUsers(v *bool) {
+	if w.podSC == nil && v == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.HostUsers = v
+}
 func (w *podSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
 	if w.podSC == nil {
 		return nil
--- a/pkg/securitycontext/accessors_test.go
+++ b/pkg/securitycontext/accessors_test.go
@ -30,6 +30,7 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 	runAsUser := int64(1)
 	runAsGroup := int64(1)
 	runAsNonRoot := true
+	hostUsers := false

 	testcases := []*api.PodSecurityContext{
 		nil,
@ -38,6 +39,7 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 		{HostIPC: true},
 		{HostNetwork: true},
 		{HostPID: true},
+		{HostUsers: &hostUsers},
 		{RunAsNonRoot: &runAsNonRoot},
 		{RunAsUser: &runAsUser},
 		{RunAsGroup: &runAsGroup},
@ -66,6 +68,9 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 		if v := a.HostPID(); !reflect.DeepEqual(expected.HostPID, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.HostPID, v)
 		}
+		if v := a.HostUsers(); !reflect.DeepEqual(expected.HostUsers, v) {
+			t.Errorf("%d: expected %#v, got %#v", i, expected.HostUsers, v)
+		}
 		if v := a.RunAsNonRoot(); !reflect.DeepEqual(expected.RunAsNonRoot, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsNonRoot, v)
 		}
@ -103,6 +108,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
 					HostNetwork:        true,
 					HostIPC:            true,
 					HostPID:            true,
+					HostUsers:          nil,
 					SELinuxOptions:     &api.SELinuxOptions{},
 					RunAsUser:          nil,
 					RunAsGroup:         nil,
@ -133,6 +139,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
 			m.SetHostNetwork(m.HostNetwork())
 			m.SetHostIPC(m.HostIPC())
 			m.SetHostPID(m.HostPID())
+			m.SetHostUsers(m.HostUsers())
 			m.SetRunAsNonRoot(m.RunAsNonRoot())
 			m.SetRunAsUser(m.RunAsUser())
 			m.SetRunAsGroup(m.RunAsGroup())
@ -196,6 +203,19 @@ func TestPodSecurityContextMutator(t *testing.T) {
 			}
 		}

+		// HostUsers
+		{
+			modifiedSC := nonNilSC(tc.newSC())
+			m := NewPodSecurityContextMutator(tc.newSC())
+			b := false
+			modifiedSC.HostUsers = &b
+			m.SetHostUsers(&b)
+			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
+				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
+				continue
+			}
+		}
+
 		// RunAsNonRoot
 		{
 			modifiedSC := nonNilSC(tc.newSC())