PodSecurityPolicy: limit validation to provided groups

This commit is contained in:
Jordan Liggitt 2017-10-06 16:29:57 -04:00
parent 9e34f2b968
commit 5dc4da7c6a
No known key found for this signature in database
GPG Key ID: 39928704103C7229
3 changed files with 7 additions and 27 deletions


@ -46,13 +46,13 @@ func NewMustRunAs(ranges []extensions.GroupIDRange, field string) (GroupStrategy
// Generate creates the group based on policy rules. By default this returns the first group of the // Generate creates the group based on policy rules. By default this returns the first group of the
// first range (min val). // first range (min val).
func (s *mustRunAs) Generate(pod *api.Pod) ([]int64, error) { func (s *mustRunAs) Generate(_ *api.Pod) ([]int64, error) {
return []int64{s.ranges[0].Min}, nil return []int64{s.ranges[0].Min}, nil
} }
// Generate a single value to be applied. This is used for FSGroup. This strategy will return // Generate a single value to be applied. This is used for FSGroup. This strategy will return
// the first group of the first range (min val). // the first group of the first range (min val).
func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) { func (s *mustRunAs) GenerateSingle(_ *api.Pod) (*int64, error) {
single := new(int64) single := new(int64)
*single = s.ranges[0].Min *single = s.ranges[0].Min
return single, nil return single, nil
@ -61,14 +61,9 @@ func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
// Validate ensures that the specified values fall within the range of the strategy. // Validate ensures that the specified values fall within the range of the strategy.
// Groups are passed in here to allow this strategy to support multiple group fields (fsgroup and // Groups are passed in here to allow this strategy to support multiple group fields (fsgroup and
// supplemental groups). // supplemental groups).
func (s *mustRunAs) Validate(pod *api.Pod, groups []int64) field.ErrorList { func (s *mustRunAs) Validate(_ *api.Pod, groups []int64) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}
if pod.Spec.SecurityContext == nil {
allErrs = append(allErrs, field.Invalid(field.NewPath("securityContext"), pod.Spec.SecurityContext, "unable to validate nil security context"))
return allErrs
}
if len(groups) == 0 && len(s.ranges) > 0 { if len(groups) == 0 && len(s.ranges) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath(s.field), groups, "unable to validate empty groups against required ranges")) allErrs = append(allErrs, field.Invalid(field.NewPath(s.field), groups, "unable to validate empty groups against required ranges"))
} }
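Review bot: Validate's doc comment above the signature still reads as though the strategy inspects the pod, but the parameter is now blank and the nil-security-context error path is gone; the only thing that now catches a pod without a security context is, presumably, the caller passing an empty groups slice so that the `len(groups) == 0 && len(s.ranges) > 0` branch fires, and the comment should say so. I would extend the comment with `// The pod is not inspected; callers resolve the group field (fsgroup or supplemental groups) and pass its values in groups, so a missing security context surfaces here as empty groups.` The same documentation gap applies to the blanked pod parameters of Generate and GenerateSingle in this file and to all three methods of runAsAny in the last file, where a short `// The pod is not inspected.` would suffice. Validate's body continues past the end of the hunk.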


@ -109,14 +109,6 @@ func TestGenerate(t *testing.T) {
} }
func TestValidate(t *testing.T) { func TestValidate(t *testing.T) {
validPod := func() *api.Pod {
return &api.Pod{
Spec: api.PodSpec{
SecurityContext: &api.PodSecurityContext{},
},
}
}
tests := map[string]struct { tests := map[string]struct {
ranges []extensions.GroupIDRange ranges []extensions.GroupIDRange
pod *api.Pod pod *api.Pod
@ -124,19 +116,16 @@ func TestValidate(t *testing.T) {
pass bool pass bool
}{ }{
"nil security context": { "nil security context": {
pod: &api.Pod{},
ranges: []extensions.GroupIDRange{ ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
}, },
}, },
"empty groups": { "empty groups": {
pod: validPod(),
ranges: []extensions.GroupIDRange{ ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
}, },
}, },
"not in range": { "not in range": {
pod: validPod(),
groups: []int64{5}, groups: []int64{5},
ranges: []extensions.GroupIDRange{ ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
@ -144,7 +133,6 @@ func TestValidate(t *testing.T) {
}, },
}, },
"in range 1": { "in range 1": {
pod: validPod(),
groups: []int64{2}, groups: []int64{2},
ranges: []extensions.GroupIDRange{ ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
@ -152,7 +140,6 @@ func TestValidate(t *testing.T) {
pass: true, pass: true,
}, },
"in range boundry min": { "in range boundry min": {
pod: validPod(),
groups: []int64{1}, groups: []int64{1},
ranges: []extensions.GroupIDRange{ ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
@ -160,7 +147,6 @@ func TestValidate(t *testing.T) {
pass: true, pass: true,
}, },
"in range boundry max": { "in range boundry max": {
pod: validPod(),
groups: []int64{3}, groups: []int64{3},
ranges: []extensions.GroupIDRange{ ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
@ -168,7 +154,6 @@ func TestValidate(t *testing.T) {
pass: true, pass: true,
}, },
"singular range": { "singular range": {
pod: validPod(),
groups: []int64{4}, groups: []int64{4},
ranges: []extensions.GroupIDRange{ ranges: []extensions.GroupIDRange{
{Min: 4, Max: 4}, {Min: 4, Max: 4},
@ -182,7 +167,7 @@ func TestValidate(t *testing.T) {
if err != nil { if err != nil {
t.Errorf("error creating strategy for %s: %v", k, err) t.Errorf("error creating strategy for %s: %v", k, err)
} }
errs := s.Validate(v.pod, v.groups) errs := s.Validate(nil, v.groups)
if v.pass && len(errs) > 0 { if v.pass && len(errs) > 0 {
t.Errorf("unexpected errors for %s: %v", k, errs) t.Errorf("unexpected errors for %s: %v", k, errs)
} }
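Review bot: The "nil security context" case no longer sets a pod, so its inputs are now identical to the "empty groups" case directly below it (no groups, range 1-3, expected to fail) and its name no longer describes what is exercised. Either drop it or rename it, e.g. `"no groups against required range":`, so the table does not carry two cases for one behavior. Since the loop now calls `s.Validate(nil, v.groups)`, a pod with a nil security context can only be covered by a test at the caller that maps the pod's security context to the groups slice, which this commit does not add. TestValidate's body continues outside the hunk.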


@ -33,17 +33,17 @@ func NewRunAsAny() (GroupStrategy, error) {
} }
// Generate creates the group based on policy rules. This strategy returns an empty slice. // Generate creates the group based on policy rules. This strategy returns an empty slice.
func (s *runAsAny) Generate(pod *api.Pod) ([]int64, error) { func (s *runAsAny) Generate(_ *api.Pod) ([]int64, error) {
return nil, nil return nil, nil
} }
// Generate a single value to be applied. This is used for FSGroup. This strategy returns nil. // Generate a single value to be applied. This is used for FSGroup. This strategy returns nil.
func (s *runAsAny) GenerateSingle(pod *api.Pod) (*int64, error) { func (s *runAsAny) GenerateSingle(_ *api.Pod) (*int64, error) {
return nil, nil return nil, nil
} }
// Validate ensures that the specified values fall within the range of the strategy. // Validate ensures that the specified values fall within the range of the strategy.
func (s *runAsAny) Validate(pod *api.Pod, groups []int64) field.ErrorList { func (s *runAsAny) Validate(_ *api.Pod, groups []int64) field.ErrorList {
return field.ErrorList{} return field.ErrorList{}
} }