PodSecurity: plumb kind in attributes

This commit is contained in:
Jordan Liggitt 2021-10-28 00:16:45 -04:00
parent 091724a6d8
commit 7cd905e897
3 changed files with 21 additions and 0 deletions


@ -460,7 +460,9 @@ func TestValidateNamespace(t *testing.T) {
attrs := &AttributesRecord{
Object: newObject,
OldObject: oldObject,
Name: newObject.Name,
Namespace: newObject.Name,
Kind: schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"},
Resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "namespaces"},
Subresource: tc.subresource,
Operation: operation,
@ -592,6 +594,7 @@ func TestValidatePodController(t *testing.T) {
newObject runtime.Object
// for update
oldObject runtime.Object
gvk schema.GroupVersionKind
gvr schema.GroupVersionResource
expectWarnings []string
@ -602,40 +605,47 @@ func TestValidatePodController(t *testing.T) {
subresource: "status",
newObject: &badDeploy,
oldObject: &goodDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
},
{
desc: "namespace in exemptNamespaces will be exempted",
newObject: &badDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
exemptNamespaces: []string{testNamespace},
},
{
desc: "runtimeClass in exemptRuntimeClasses will be exempted",
newObject: &badDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
exemptRuntimeClasses: []string{"containerd"},
},
{
desc: "user in exemptUsers will be exempted",
newObject: &badDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
exemptUsers: []string{"testuser"},
},
{
desc: "podMetadata == nil && podSpec == nil will skip verification",
newObject: &corev1.ReplicationController{ObjectMeta: metav1.ObjectMeta{Name: "foo-rc"}},
gvk: schema.GroupVersionKind{Group: "", Version: "v1", Kind: "ReplicationController"},
gvr: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "replicationcontrollers"},
},
{
desc: "good deploy creates and produce nothing",
newObject: &goodDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
expectAuditAnnotations: map[string]string{},
},
{
desc: "bad deploy creates produce correct user-visible warnings and correct auditAnnotations",
newObject: &badDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
@ -644,6 +654,7 @@ func TestValidatePodController(t *testing.T) {
desc: "bad spec updates don't block on enforce failures and returns correct information",
newObject: &badDeploy,
oldObject: &goodDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
@ -660,6 +671,7 @@ func TestValidatePodController(t *testing.T) {
attrs := &AttributesRecord{
testName,
testNamespace,
tc.gvk,
tc.gvr,
tc.subresource,
operation,
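Review bot: The AttributesRecord literal at the end of the last hunk is positional (`&AttributesRecord{testName, testNamespace, tc.gvk, tc.gvr, ...}`), which is exactly why this commit had to touch it when Kind was inserted ahead of Resource; the equivalent literal in the TestValidateNamespace hunk uses keyed fields. With keyed fields the next struct change cannot silently shift a value into the neighbouring field, which in a table test would only show up as a confusing failure. In TestValidatePodController every case now spells gvk and gvr by hand as a pair, so a mismatched pair (a Deployment kind next to a replicationcontrollers resource) compiles and runs; a fixed pair per object type, or a tiny helper returning both, would make that harder to get wrong. The enclosing test functions start and end outside the hunks, so the literal shown here is incomplete.
```go
attrs := &AttributesRecord{
	Name:        testName,
	Namespace:   testNamespace,
	Kind:        tc.gvk,
	Resource:    tc.gvr,
	Subresource: tc.subresource,
	Operation:   operation,
	// … unchanged: remaining fields of the literal …
```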


@ -27,6 +27,7 @@ import (
type AttributesRecord struct {
Name string
Namespace string
Kind schema.GroupVersionKind
Resource schema.GroupVersionResource
Subresource string
Operation admissionv1.Operation
@ -41,6 +42,9 @@ func (a *AttributesRecord) GetName() string {
func (a *AttributesRecord) GetNamespace() string {
return a.Namespace
}
func (a *AttributesRecord) GetKind() schema.GroupVersionKind {
return a.Kind
}
func (a *AttributesRecord) GetResource() schema.GroupVersionResource {
return a.Resource
}
@ -81,6 +85,9 @@ func (a *attributes) GetName() string {
func (a *attributes) GetNamespace() string {
return a.r.Namespace
}
func (a *attributes) GetKind() schema.GroupVersionKind {
return schema.GroupVersionKind(a.r.Kind)
}
func (a *attributes) GetResource() schema.GroupVersionResource {
return schema.GroupVersionResource(a.r.Resource)
}
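Review bot: The two new exported methods `GetKind` (on *AttributesRecord in the second hunk and on *attributes in the third) carry no doc comment, although Go convention and the neighbouring interface documentation call for one; add `// GetKind returns the group, version and kind of the object under admission.` above each. The conversion `schema.GroupVersionKind(a.r.Kind)` mirrors the existing GetResource conversion and is checked at compile time, so there is no runtime concern, but a short comment saying the value is copied verbatim from the request (presumably an AdmissionRequest; a.r is not shown here) would tell a reader that nothing has validated it at this layer. Callers that start dispatching on GetKind should keep in mind that the kind is what the API server recorded in the request, not something derived from the object body.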


@ -30,6 +30,8 @@ type Attributes interface {
GetNamespace() string
// GetResource is the name of the resource being requested. This is not the kind. For example: pods
GetResource() schema.GroupVersionResource
// GetKind is the name of the kind being requested. For example: Pod
GetKind() schema.GroupVersionKind
// GetSubresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.
// For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
// (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
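Review bot: The new doc comment on `GetKind` says it is "the name of the kind", but the method returns a schema.GroupVersionKind rather than a name; the same imprecision already exists on GetResource just above, so either adjust both or phrase the new one as `// GetKind is the group/version/kind of the object being requested. This is not the resource. For example: Pod`. Adding a method to the exported Attributes interface breaks any implementation outside this package (the two in-tree implementations are updated in this commit), so if the interface is consumed by other modules that is worth stating in the commit message. The Attributes interface declaration continues past the hunk.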