PodSecurity: plumb kind in attributes
This commit is contained in:
parent
091724a6d8
commit
7cd905e897
@ -460,7 +460,9 @@ func TestValidateNamespace(t *testing.T) {
|
||||
attrs := &AttributesRecord{
|
||||
Object: newObject,
|
||||
OldObject: oldObject,
|
||||
Name: newObject.Name,
|
||||
Namespace: newObject.Name,
|
||||
Kind: schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"},
|
||||
Resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "namespaces"},
|
||||
Subresource: tc.subresource,
|
||||
Operation: operation,
|
||||
@ -592,6 +594,7 @@ func TestValidatePodController(t *testing.T) {
|
||||
newObject runtime.Object
|
||||
// for update
|
||||
oldObject runtime.Object
|
||||
gvk schema.GroupVersionKind
|
||||
gvr schema.GroupVersionResource
|
||||
|
||||
expectWarnings []string
|
||||
@ -602,40 +605,47 @@ func TestValidatePodController(t *testing.T) {
|
||||
subresource: "status",
|
||||
newObject: &badDeploy,
|
||||
oldObject: &goodDeploy,
|
||||
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
|
||||
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
|
||||
},
|
||||
{
|
||||
desc: "namespace in exemptNamespaces will be exempted",
|
||||
newObject: &badDeploy,
|
||||
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
|
||||
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
|
||||
exemptNamespaces: []string{testNamespace},
|
||||
},
|
||||
{
|
||||
desc: "runtimeClass in exemptRuntimeClasses will be exempted",
|
||||
newObject: &badDeploy,
|
||||
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
|
||||
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
|
||||
exemptRuntimeClasses: []string{"containerd"},
|
||||
},
|
||||
{
|
||||
desc: "user in exemptUsers will be exempted",
|
||||
newObject: &badDeploy,
|
||||
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
|
||||
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
|
||||
exemptUsers: []string{"testuser"},
|
||||
},
|
||||
{
|
||||
desc: "podMetadata == nil && podSpec == nil will skip verification",
|
||||
newObject: &corev1.ReplicationController{ObjectMeta: metav1.ObjectMeta{Name: "foo-rc"}},
|
||||
gvk: schema.GroupVersionKind{Group: "", Version: "v1", Kind: "ReplicationController"},
|
||||
gvr: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "replicationcontrollers"},
|
||||
},
|
||||
{
|
||||
desc: "good deploy creates and produce nothing",
|
||||
newObject: &goodDeploy,
|
||||
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
|
||||
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
|
||||
expectAuditAnnotations: map[string]string{},
|
||||
},
|
||||
{
|
||||
desc: "bad deploy creates produce correct user-visible warnings and correct auditAnnotations",
|
||||
newObject: &badDeploy,
|
||||
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
|
||||
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
|
||||
expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
|
||||
expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
|
||||
@ -644,6 +654,7 @@ func TestValidatePodController(t *testing.T) {
|
||||
desc: "bad spec updates don't block on enforce failures and returns correct information",
|
||||
newObject: &badDeploy,
|
||||
oldObject: &goodDeploy,
|
||||
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
|
||||
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
|
||||
expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
|
||||
expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
|
||||
@ -660,6 +671,7 @@ func TestValidatePodController(t *testing.T) {
|
||||
attrs := &AttributesRecord{
|
||||
testName,
|
||||
testNamespace,
|
||||
tc.gvk,
|
||||
tc.gvr,
|
||||
tc.subresource,
|
||||
operation,
|
||||
|
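Review bot: The AttributesRecord literal at the end of this section is unkeyed, so inserting `tc.gvk` had to land in exactly the slot matching the new Kind field's position in the struct, and any future field added to AttributesRecord out of order would shift every later value silently rather than fail to compile (go vet's composites check does not cover literals of same-package types). The TestValidateNamespace hunk earlier in this section already uses keyed fields, so writing this literal the same way brings the two tests in line and makes them robust to field order. The literal continues past the end of the hunk, so the remaining fields are not shown here.
```go
attrs := &AttributesRecord{
	Name:        testName,
	Namespace:   testNamespace,
	Kind:        tc.gvk,
	Resource:    tc.gvr,
	Subresource: tc.subresource,
	Operation:   operation,
	// … unchanged: remaining fields of the literal, outside this hunk …
```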
@ -27,6 +27,7 @@ import (
|
||||
type AttributesRecord struct {
|
||||
Name string
|
||||
Namespace string
|
||||
Kind schema.GroupVersionKind
|
||||
Resource schema.GroupVersionResource
|
||||
Subresource string
|
||||
Operation admissionv1.Operation
|
||||
@ -41,6 +42,9 @@ func (a *AttributesRecord) GetName() string {
|
||||
func (a *AttributesRecord) GetNamespace() string {
|
||||
return a.Namespace
|
||||
}
|
||||
func (a *AttributesRecord) GetKind() schema.GroupVersionKind {
|
||||
return a.Kind
|
||||
}
|
||||
func (a *AttributesRecord) GetResource() schema.GroupVersionResource {
|
||||
return a.Resource
|
||||
}
|
||||
@ -81,6 +85,9 @@ func (a *attributes) GetName() string {
|
||||
func (a *attributes) GetNamespace() string {
|
||||
return a.r.Namespace
|
||||
}
|
||||
func (a *attributes) GetKind() schema.GroupVersionKind {
|
||||
return schema.GroupVersionKind(a.r.Kind)
|
||||
}
|
||||
func (a *attributes) GetResource() schema.GroupVersionResource {
|
||||
return schema.GroupVersionResource(a.r.Resource)
|
||||
}
|
||||
|
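Review bot: The new GetKind methods on *AttributesRecord and on *attributes carry no doc comment, which matches the neighbouring getters but leaves the one detail a reader of the wrapper needs undocumented: its value is `a.r.Kind`, presumably the kind field of the admission request as populated by the API server rather than anything read from the object payload — confirm against the type of a.r. A one-line comment on the wrapper such as `// GetKind returns the kind recorded on the admission request (a.r.Kind), converted to its schema form.` would make clear that callers dispatching on kind rely on server-supplied request metadata, not on fields inside the submitted object. The struct conversion `schema.GroupVersionKind(a.r.Kind)` follows the existing GetResource pattern and will fail to compile rather than mis-map if the two types ever diverge in fields, so no runtime check is needed there.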
@ -30,6 +30,8 @@ type Attributes interface {
|
||||
GetNamespace() string
|
||||
// GetResource is the name of the resource being requested. This is not the kind. For example: pods
|
||||
GetResource() schema.GroupVersionResource
|
||||
// GetKind is the name of the kind being requested. For example: Pod
|
||||
GetKind() schema.GroupVersionKind
|
||||
// GetSubresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.
|
||||
// For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
|
||||
// (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
|
||||
|
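Review bot: The new GetKind doc comment says only "For example: Pod", while the GetSubresource comment just below already explains that a subresource request can carry a different kind (/pods/foo/binding has kind "Binding"); a reader will look at GetKind for that caveat and not find it. Suggest `// GetKind is the kind being requested. For example: Pod. For a subresource request this may differ from the parent resource's kind; see GetSubresource.` Separately, Kind is declared before Resource in AttributesRecord but GetKind is placed after GetResource in this interface; ordering the two the same way in both places is a small consistency win.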