Merge pull request #43489 from liggitt/20170302-psp-authz

Automatic merge from submit-queue (batch tested with PRs 43492, 43489) Authorize PSP usage for pods without service accounts Fixes #43459 ```release-note PodSecurityPolicy authorization is correctly enforced by the PodSecurityPolicy admission plugin. ```
2025-07-30 23:15:14 +00:00 · 2017-03-21 22:53:18 -07:00 · 2017-03-21 22:53:18 -07:00 · 6f9074f069
commit 6f9074f069
parent 4862989d61 dd7561801a
2 changed files with 6 additions and 8 deletions
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
@ -288,7 +288,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user
 	}

 	for _, constraint := range list {
-		if authorizedForPolicy(user, constraint, authz) || authorizedForPolicy(sa, constraint, authz) {
+		// if no user info exists then the API is being hit via the unsecured port. In this case authorize the request.
+		if user == nil || authorizedForPolicy(user, constraint, authz) || authorizedForPolicy(sa, constraint, authz) {
 			matchedPolicies = append(matchedPolicies, constraint)
 		}
 	}
@ -298,10 +299,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user

 // authorizedForPolicy returns true if info is authorized to perform a "get" on policy.
 func authorizedForPolicy(info user.Info, policy *extensions.PodSecurityPolicy, authz authorizer.Authorizer) bool {
-	// if no info exists then the API is being hit via the unsecured port.  In this case
-	// authorize the request.
 	if info == nil {
-		return true
+		return false
 	}
 	attr := buildAttributes(info, policy)
 	allowed, reason, err := authz.Authorize(attr)
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
@ -1610,7 +1610,7 @@ func TestGetMatchingPolicies(t *testing.T) {
 			// (ie. a request hitting the unsecure port)
 			expectedPolicies: sets.NewString("policy1", "policy2", "policy3"),
 		},
-		"policies are allowed for nil sa info": {
+		"policies are not allowed for nil sa info": {
 			user: &user.DefaultInfo{Name: "user"},
 			sa:   nil,
 			disallowedPolicies: map[string][]string{
@ -1622,9 +1622,8 @@ func TestGetMatchingPolicies(t *testing.T) {
 				policyWithName("policy2"),
 				policyWithName("policy3"),
 			},
-			// all policies are allowed regardless of the permissions when sa info is nil
-			// (ie. a request hitting the unsecure port)
-			expectedPolicies: sets.NewString("policy1", "policy2", "policy3"),
+			// only the policies for the user are allowed when sa info is nil
+			expectedPolicies: sets.NewString("policy2"),
 		},
 	}
 	for k, v := range tests {