Add seccomp enforcement and validation based on new GA fields

Adds seccomp validation. This ensures that field and annotation values must match when present. Co-authored-by: Sascha Grunert <sgrunert@suse.com>
2026-01-05 15:37:24 +00:00 · 2020-06-24 21:37:49 +01:00
parent 865cbf0bdf
commit 8976e3620f
93 changed files with 17247 additions and 15078 deletions
--- a/pkg/apis/core/pods/helpers_test.go
+++ b/pkg/apis/core/pods/helpers_test.go
@@ -32,16 +32,19 @@ func TestVisitContainersWithPath(t *testing.T) {

 	testCases := []struct {
 		description string
+		path        *field.Path
 		haveSpec    *api.PodSpec
 		wantNames   []string
 	}{
 		{
 			"empty podspec",
+			field.NewPath("spec"),
 			&api.PodSpec{},
 			[]string{},
 		},
 		{
 			"regular containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -52,6 +55,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"init containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				InitContainers: []api.Container{
 					{Name: "i1"},
@@ -62,6 +66,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"regular and init containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -76,6 +81,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"ephemeral containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -89,6 +95,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"all container types",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -105,11 +112,30 @@ func TestVisitContainersWithPath(t *testing.T) {
 			},
 			[]string{"spec.initContainers[0]", "spec.initContainers[1]", "spec.containers[0]", "spec.containers[1]", "spec.ephemeralContainers[0]", "spec.ephemeralContainers[1]"},
 		},
+		{
+			"all container types with template pod path",
+			field.NewPath("template", "spec"),
+			&api.PodSpec{
+				Containers: []api.Container{
+					{Name: "c1"},
+					{Name: "c2"},
+				},
+				InitContainers: []api.Container{
+					{Name: "i1"},
+					{Name: "i2"},
+				},
+				EphemeralContainers: []api.EphemeralContainer{
+					{EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e1"}},
+					{EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e2"}},
+				},
+			},
+			[]string{"template.spec.initContainers[0]", "template.spec.initContainers[1]", "template.spec.containers[0]", "template.spec.containers[1]", "template.spec.ephemeralContainers[0]", "template.spec.ephemeralContainers[1]"},
+		},
 	}

 	for _, tc := range testCases {
 		gotNames := []string{}
-		VisitContainersWithPath(tc.haveSpec, func(c *api.Container, p *field.Path) bool {
+		VisitContainersWithPath(tc.haveSpec, tc.path, func(c *api.Container, p *field.Path) bool {
 			gotNames = append(gotNames, p.String())
 			return true
 		})