Fix incorrect procMount defaulting

2026-01-05 07:27:21 +00:00 · 2019-06-10 21:47:00 -04:00
parent 3a50c00692
commit 899d00a529
17 changed files with 47 additions and 155 deletions
--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -447,12 +447,22 @@ func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {
 		defaultProcMount := api.DefaultProcMount
 		for i := range podSpec.Containers {
 			if podSpec.Containers[i].SecurityContext != nil {
-				podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount
+				if podSpec.Containers[i].SecurityContext.ProcMount != nil {
+					// The ProcMount field was improperly forced to non-nil in 1.12.
+					// If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.
+					// Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.
+					podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount
+				}
 			}
 		}
 		for i := range podSpec.InitContainers {
 			if podSpec.InitContainers[i].SecurityContext != nil {
-				podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount
+				if podSpec.InitContainers[i].SecurityContext.ProcMount != nil {
+					// The ProcMount field was improperly forced to non-nil in 1.12.
+					// If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.
+					// Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.
+					podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount
+				}
 			}
 		}
 	}
@@ -514,7 +524,7 @@ func runtimeClassInUse(podSpec *api.PodSpec) bool {
 	return false
 }

-// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set
+// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set to a non-default value
 func procMountInUse(podSpec *api.PodSpec) bool {
 	if podSpec == nil {
 		return false
--- a/pkg/api/pod/util_test.go
+++ b/pkg/api/pod/util_test.go
@@ -616,7 +616,7 @@ func TestDropProcMount(t *testing.T) {
 			},
 		}
 	}
-	podWithoutProcMount := func() *api.Pod {
+	podWithDefaultProcMount := func() *api.Pod {
 		return &api.Pod{
 			Spec: api.PodSpec{
 				RestartPolicy:  api.RestartPolicyNever,
@@ -625,6 +625,15 @@ func TestDropProcMount(t *testing.T) {
 			},
 		}
 	}
+	podWithoutProcMount := func() *api.Pod {
+		return &api.Pod{
+			Spec: api.PodSpec{
+				RestartPolicy:  api.RestartPolicyNever,
+				Containers:     []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
+				InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
+			},
+		}
+	}

 	podInfo := []struct {
 		description  string
@@ -636,6 +645,11 @@ func TestDropProcMount(t *testing.T) {
 			hasProcMount: true,
 			pod:          podWithProcMount,
 		},
+		{
+			description:  "has default ProcMount",
+			hasProcMount: false,
+			pod:          podWithDefaultProcMount,
+		},
 		{
 			description:  "does not have ProcMount",
 			hasProcMount: false,
@@ -683,8 +697,8 @@ func TestDropProcMount(t *testing.T) {
 							t.Errorf("new pod was not changed")
 						}
 						// new pod should not have ProcMount
-						if !reflect.DeepEqual(newPod, podWithoutProcMount()) {
-							t.Errorf("new pod had ProcMount: %v", diff.ObjectReflectDiff(newPod, podWithoutProcMount()))
+						if procMountInUse(&newPod.Spec) {
+							t.Errorf("new pod had ProcMount: %#v", &newPod.Spec)
 						}
 					default:
 						// new pod should not need to be changed