PodSecurity: plumb kind in attributes

Jordan Liggitt 2021-10-28 00:16:45 -04:00
parent 091724a6d8
commit 7cd905e897
3 changed files with 21 additions and 0 deletions


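--- a/[test file path not shown on page]
+++ b/[test file path not shown on page]
@@ -460,7 +460,9 @@ func TestValidateNamespace(t *testing.T) {
 attrs := &AttributesRecord{
 Object: newObject,
 OldObject: oldObject,
+Name: newObject.Name,
 Namespace: newObject.Name,
+Kind: schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"},
 Resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "namespaces"},
 Subresource: tc.subresource,
 Operation: operation,
@@ -592,6 +594,7 @@ func TestValidatePodController(t *testing.T) {
 newObject runtime.Object
 // for update
 oldObject runtime.Object
+gvk schema.GroupVersionKind
 gvr schema.GroupVersionResource
 expectWarnings []string
@@ -602,40 +605,47 @@ func TestValidatePodController(t *testing.T) {
 subresource: "status",
 newObject: &badDeploy,
 oldObject: &goodDeploy,
+gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 },
 {
 desc: "namespace in exemptNamespaces will be exempted",
 newObject: &badDeploy,
+gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 exemptNamespaces: []string{testNamespace},
 },
 {
 desc: "runtimeClass in exemptRuntimeClasses will be exempted",
 newObject: &badDeploy,
+gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 exemptRuntimeClasses: []string{"containerd"},
 },
 {
 desc: "user in exemptUsers will be exempted",
 newObject: &badDeploy,
+gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 exemptUsers: []string{"testuser"},
 },
 {
 desc: "podMetadata == nil && podSpec == nil will skip verification",
 newObject: &corev1.ReplicationController{ObjectMeta: metav1.ObjectMeta{Name: "foo-rc"}},
+gvk: schema.GroupVersionKind{Group: "", Version: "v1", Kind: "ReplicationController"},
 gvr: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "replicationcontrollers"},
 },
 {
 desc: "good deploy creates and produce nothing",
 newObject: &goodDeploy,
+gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 expectAuditAnnotations: map[string]string{},
 },
 {
 desc: "bad deploy creates produce correct user-visible warnings and correct auditAnnotations",
 newObject: &badDeploy,
+gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
 expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
@@ -644,6 +654,7 @@ func TestValidatePodController(t *testing.T) {
 desc: "bad spec updates don't block on enforce failures and returns correct information",
 newObject: &badDeploy,
 oldObject: &goodDeploy,
+gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
 expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
@@ -660,6 +671,7 @@ func TestValidatePodController(t *testing.T) {
 attrs := &AttributesRecord{
 testName,
 testNamespace,
+tc.gvk,
 tc.gvr,
 tc.subresource,
 operation,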
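Review bot: The last hunk builds `attrs := &AttributesRecord{testName, testNamespace, tc.gvk, tc.gvr, tc.subresource, operation, …}` as an unkeyed literal, so its correctness depends on the struct's field order; inserting `Kind` into the struct is exactly what forced this edit, and the compiler only flags a misplaced argument when adjacent field types differ. `Name` and `Namespace` are both strings, so a future reorder or insertion near them could compile and silently evaluate the wrong value against the exemption lists this test exercises. The TestValidateNamespace hunk already uses keyed fields (`Name: newObject.Name, Namespace: newObject.Name, Kind: schema.GroupVersionKind{…}`); the same form here would make the literal robust to further field additions. The literal continues past the end of the hunk, so the remaining positional arguments are not visible here.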


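--- a/[attributes implementation path not shown on page]
+++ b/[attributes implementation path not shown on page]
@@ -27,6 +27,7 @@ import (
 type AttributesRecord struct {
 Name string
 Namespace string
+Kind schema.GroupVersionKind
 Resource schema.GroupVersionResource
 Subresource string
 Operation admissionv1.Operation
@@ -41,6 +42,9 @@ func (a *AttributesRecord) GetName() string {
 func (a *AttributesRecord) GetNamespace() string {
 return a.Namespace
 }
+func (a *AttributesRecord) GetKind() schema.GroupVersionKind {
+return a.Kind
+}
 func (a *AttributesRecord) GetResource() schema.GroupVersionResource {
 return a.Resource
 }
@@ -81,6 +85,9 @@ func (a *attributes) GetName() string {
 func (a *attributes) GetNamespace() string {
 return a.r.Namespace
 }
+func (a *attributes) GetKind() schema.GroupVersionKind {
+return schema.GroupVersionKind(a.r.Kind)
+}
 func (a *attributes) GetResource() schema.GroupVersionResource {
 return schema.GroupVersionResource(a.r.Resource)
 }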
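Review bot: Both new exported `GetKind` methods land without a doc comment, and the one on `attributes` does a bare struct conversion `schema.GroupVersionKind(a.r.Kind)` whose source is not explained; the neighbouring accessors are equally bare, so this matches file style, but a one-liner would still help a reader. I'd add `// GetKind returns the GroupVersionKind recorded for the object under review.` on AttributesRecord, and on attributes a comment such as `// GetKind mirrors GetResource: it reports the request's Kind (the submitted object's kind), converted field-for-field from the request type.` The conversion compiles only because the two types are structurally identical, so a field added to either side would surface here at build time, which is worth a mention. Presumably a.r is an admission request that also carries a separate request-kind field for the case where the API server converted the object before admission; since GetResource likewise reads a.r.Resource, using Kind is consistent, but it is worth confirming that the submitted-object kind is the one policy evaluation should see.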


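--- a/[attributes interface path not shown on page]
+++ b/[attributes interface path not shown on page]
@@ -30,6 +30,8 @@ type Attributes interface {
 GetNamespace() string
 // GetResource is the name of the resource being requested. This is not the kind. For example: pods
 GetResource() schema.GroupVersionResource
+// GetKind is the name of the kind being requested. For example: Pod
+GetKind() schema.GroupVersionKind
 // GetSubresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.
 // For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
 // (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".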
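Review bot: The new doc comment `// GetKind is the name of the kind being requested. For example: Pod` describes a bare name, but the method returns a full `schema.GroupVersionKind` (group and version included), and it does not connect to the subresource caveat spelled out two lines below, where /pods/foo/binding has resource "pods" but kind "Binding". I'd reword it to `// GetKind is the GroupVersionKind of the object being submitted. For example: v1 Pod. For subresources this may differ from the kind implied by GetResource (see the /pods/foo/binding example below).` That keeps the GetResource comment's "This is not the kind" and the GetKind comment pointing at each other, which matters for any caller that decides policy scope by kind rather than by resource.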