github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-20 10:20:51 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #72213 from sbezverk/containers_procmount

Browse Source 
ProcMount - Update DropDisabled[Alpha]Fields behaviour
This commit is contained in:
Kubernetes Prow Robot 2018-12-21 11:28:57 -08:00 committed by GitHub
commit 91b81544d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 281 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
pkg/api/pod/util.go
View File

@ -322,31 +322,18 @@ func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
} }
// dropDisabledProcMountField removes disabled fields from PodSpec related // dropDisabledProcMountField removes disabled fields from PodSpec related
// to ProcMount // to ProcMount only if it is not already used by the old spec
func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) { func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {
if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) { if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) && !procMountInUse(oldPodSpec) {
defProcMount := api.DefaultProcMount defaultProcMount := api.DefaultProcMount
for i := range podSpec.Containers { for i := range podSpec.Containers {
if podSpec.Containers[i].SecurityContext != nil { if podSpec.Containers[i].SecurityContext != nil {
podSpec.Containers[i].SecurityContext.ProcMount = &defProcMount podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount
} }
} }
for i := range podSpec.InitContainers { for i := range podSpec.InitContainers {
if podSpec.InitContainers[i].SecurityContext != nil { if podSpec.InitContainers[i].SecurityContext != nil {
podSpec.InitContainers[i].SecurityContext.ProcMount = &defProcMount podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount
}
}
if oldPodSpec != nil {
for i := range oldPodSpec.Containers {
if oldPodSpec.Containers[i].SecurityContext != nil {
oldPodSpec.Containers[i].SecurityContext.ProcMount = &defProcMount
}
}
for i := range oldPodSpec.InitContainers {
if oldPodSpec.InitContainers[i].SecurityContext != nil {
oldPodSpec.InitContainers[i].SecurityContext.ProcMount = &defProcMount
}
} }
} }
} }
@ -406,3 +393,29 @@ func runtimeClassInUse(podSpec *api.PodSpec) bool {
} }
return false return false
} }
// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set
func procMountInUse(podSpec *api.PodSpec) bool {
if podSpec == nil {
return false
}
for i := range podSpec.Containers {
if podSpec.Containers[i].SecurityContext != nil {
if podSpec.Containers[i].SecurityContext.ProcMount != nil {
if *podSpec.Containers[i].SecurityContext.ProcMount != api.DefaultProcMount {
return true
}
}
}
}
for i := range podSpec.InitContainers {
if podSpec.InitContainers[i].SecurityContext != nil {
if podSpec.InitContainers[i].SecurityContext.ProcMount != nil {
if *podSpec.InitContainers[i].SecurityContext.ProcMount != api.DefaultProcMount {
return true
}
}
}
}
return false
}

94
pkg/api/pod/util_test.go
View File

@ -518,3 +518,97 @@ func TestDropRuntimeClass(t *testing.T) {
} }
} }
} }
func TestDropProcMount(t *testing.T) {
procMount := api.UnmaskedProcMount
defaultProcMount := api.DefaultProcMount
podWithProcMount := func() *api.Pod {
return &api.Pod{
Spec: api.PodSpec{
RestartPolicy: api.RestartPolicyNever,
Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &procMount}}},
InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &procMount}}},
},
}
}
podWithoutProcMount := func() *api.Pod {
return &api.Pod{
Spec: api.PodSpec{
RestartPolicy: api.RestartPolicyNever,
Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &defaultProcMount}}},
InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &defaultProcMount}}},
},
}
}
podInfo := []struct {
description string
hasProcMount bool
pod func() *api.Pod
}{
{
description: "has ProcMount",
hasProcMount: true,
pod: podWithProcMount,
},
{
description: "does not have ProcMount",
hasProcMount: false,
pod: podWithoutProcMount,
},
{
description: "is nil",
hasProcMount: false,
pod: func() *api.Pod { return nil },
},
}
for _, enabled := range []bool{true, false} {
for _, oldPodInfo := range podInfo {
for _, newPodInfo := range podInfo {
oldPodHasProcMount, oldPod := oldPodInfo.hasProcMount, oldPodInfo.pod()
newPodHasProcMount, newPod := newPodInfo.hasProcMount, newPodInfo.pod()
if newPod == nil {
continue
}
t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, enabled)()
var oldPodSpec *api.PodSpec
if oldPod != nil {
oldPodSpec = &oldPod.Spec
}
DropDisabledFields(&newPod.Spec, oldPodSpec)
// old pod should never be changed
if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
}
switch {
case enabled || oldPodHasProcMount:
// new pod should not be changed if the feature is enabled, or if the old pod had ProcMount
if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
}
case newPodHasProcMount:
// new pod should be changed
if reflect.DeepEqual(newPod, newPodInfo.pod()) {
t.Errorf("new pod was not changed")
}
// new pod should not have ProcMount
if !reflect.DeepEqual(newPod, podWithoutProcMount()) {
t.Errorf("new pod had ProcMount: %v", diff.ObjectReflectDiff(newPod, podWithoutProcMount()))
}
default:
// new pod should not need to be changed
if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
}
}
})
}
}
}
}

24
pkg/apis/apps/v1/zz_generated.defaults.go generated
View File

@ -136,6 +136,9 @@ func SetObjectDefaults_DaemonSet(in *v1.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -178,6 +181,9 @@ func SetObjectDefaults_DaemonSet(in *v1.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -283,6 +289,9 @@ func SetObjectDefaults_Deployment(in *v1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -325,6 +334,9 @@ func SetObjectDefaults_Deployment(in *v1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -430,6 +442,9 @@ func SetObjectDefaults_ReplicaSet(in *v1.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -472,6 +487,9 @@ func SetObjectDefaults_ReplicaSet(in *v1.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -577,6 +595,9 @@ func SetObjectDefaults_StatefulSet(in *v1.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -619,6 +640,9 @@ func SetObjectDefaults_StatefulSet(in *v1.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.VolumeClaimTemplates { for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i] a := &in.Spec.VolumeClaimTemplates[i]

12
pkg/apis/apps/v1beta1/zz_generated.defaults.go generated
View File

@ -132,6 +132,9 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -174,6 +177,9 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -279,6 +285,9 @@ func SetObjectDefaults_StatefulSet(in *v1beta1.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -321,6 +330,9 @@ func SetObjectDefaults_StatefulSet(in *v1beta1.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.VolumeClaimTemplates { for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i] a := &in.Spec.VolumeClaimTemplates[i]

24
pkg/apis/apps/v1beta2/zz_generated.defaults.go generated
View File

@ -136,6 +136,9 @@ func SetObjectDefaults_DaemonSet(in *v1beta2.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -178,6 +181,9 @@ func SetObjectDefaults_DaemonSet(in *v1beta2.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -283,6 +289,9 @@ func SetObjectDefaults_Deployment(in *v1beta2.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -325,6 +334,9 @@ func SetObjectDefaults_Deployment(in *v1beta2.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -430,6 +442,9 @@ func SetObjectDefaults_ReplicaSet(in *v1beta2.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -472,6 +487,9 @@ func SetObjectDefaults_ReplicaSet(in *v1beta2.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -577,6 +595,9 @@ func SetObjectDefaults_StatefulSet(in *v1beta2.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -619,6 +640,9 @@ func SetObjectDefaults_StatefulSet(in *v1beta2.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.VolumeClaimTemplates { for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i] a := &in.Spec.VolumeClaimTemplates[i]

6
pkg/apis/batch/v1/zz_generated.defaults.go generated
View File

@ -130,6 +130,9 @@ func SetObjectDefaults_Job(in *v1.Job) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -172,6 +175,9 @@ func SetObjectDefaults_Job(in *v1.Job) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }

12
pkg/apis/batch/v1beta1/zz_generated.defaults.go generated
View File

@ -131,6 +131,9 @@ func SetObjectDefaults_CronJob(in *v1beta1.CronJob) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers { for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers {
a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i] a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i]
@ -173,6 +176,9 @@ func SetObjectDefaults_CronJob(in *v1beta1.CronJob) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -277,6 +283,9 @@ func SetObjectDefaults_JobTemplate(in *v1beta1.JobTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Template.Spec.Template.Spec.Containers { for i := range in.Template.Spec.Template.Spec.Containers {
a := &in.Template.Spec.Template.Spec.Containers[i] a := &in.Template.Spec.Template.Spec.Containers[i]
@ -319,5 +328,8 @@ func SetObjectDefaults_JobTemplate(in *v1beta1.JobTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }

12
pkg/apis/batch/v2alpha1/zz_generated.defaults.go generated
View File

@ -131,6 +131,9 @@ func SetObjectDefaults_CronJob(in *v2alpha1.CronJob) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers { for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers {
a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i] a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i]
@ -173,6 +176,9 @@ func SetObjectDefaults_CronJob(in *v2alpha1.CronJob) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -277,6 +283,9 @@ func SetObjectDefaults_JobTemplate(in *v2alpha1.JobTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Template.Spec.Template.Spec.Containers { for i := range in.Template.Spec.Template.Spec.Containers {
a := &in.Template.Spec.Template.Spec.Containers[i] a := &in.Template.Spec.Template.Spec.Containers[i]
@ -319,5 +328,8 @@ func SetObjectDefaults_JobTemplate(in *v2alpha1.JobTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }

4
pkg/apis/core/fuzzer/fuzzer.go
View File

@ -354,6 +354,10 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
c.Fuzz(&sc.Capabilities.Add) c.Fuzz(&sc.Capabilities.Add)
c.Fuzz(&sc.Capabilities.Drop) c.Fuzz(&sc.Capabilities.Drop)
} }
if sc.ProcMount == nil {
defProcMount := core.DefaultProcMount
sc.ProcMount = &defProcMount
}
}, },
func(s *core.Secret, c fuzz.Continue) { func(s *core.Secret, c fuzz.Continue) {
c.FuzzNoCustom(s) // fuzz self without calling this function again c.FuzzNoCustom(s) // fuzz self without calling this function again

7
pkg/apis/core/v1/defaults.go
View File

@ -423,3 +423,10 @@ func SetDefaults_HostPathVolumeSource(obj *v1.HostPathVolumeSource) {
obj.Type = &typeVol obj.Type = &typeVol
} }
} }
func SetDefaults_SecurityContext(obj *v1.SecurityContext) {
if obj.ProcMount == nil {
defProcMount := v1.DefaultProcMount
obj.ProcMount = &defProcMount
}
}

18
pkg/apis/core/v1/zz_generated.defaults.go generated
View File

@ -263,6 +263,9 @@ func SetObjectDefaults_Pod(in *v1.Pod) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Containers { for i := range in.Spec.Containers {
a := &in.Spec.Containers[i] a := &in.Spec.Containers[i]
@ -305,6 +308,9 @@ func SetObjectDefaults_Pod(in *v1.Pod) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -409,6 +415,9 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Template.Spec.Containers { for i := range in.Template.Spec.Containers {
a := &in.Template.Spec.Containers[i] a := &in.Template.Spec.Containers[i]
@ -451,6 +460,9 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -557,6 +569,9 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -599,6 +614,9 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
} }

18
pkg/apis/core/validation/validation.go
View File

@ -3468,7 +3468,6 @@ func ValidatePodSecurityContext(securityContext *core.PodSecurityContext, spec *
allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *(securityContext.RunAsGroup), msg)) allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *(securityContext.RunAsGroup), msg))
} }
} }
for g, gid := range securityContext.SupplementalGroups { for g, gid := range securityContext.SupplementalGroups {
for _, msg := range validation.IsValidGroupID(gid) { for _, msg := range validation.IsValidGroupID(gid) {
allErrs = append(allErrs, field.Invalid(fldPath.Child("supplementalGroups").Index(g), gid, msg)) allErrs = append(allErrs, field.Invalid(fldPath.Child("supplementalGroups").Index(g), gid, msg))
@ -5272,6 +5271,12 @@ func ValidateSecurityContext(sc *core.SecurityContext, fldPath *field.Path) fiel
} }
} }
if sc.ProcMount != nil {
if err := IsValidProcMount(*sc.ProcMount); err != nil {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("procMount"), *sc.ProcMount, []string{string(core.DefaultProcMount), string(core.UnmaskedProcMount)}))
}
}
if sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation { if sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation {
if sc.Privileged != nil && *sc.Privileged { if sc.Privileged != nil && *sc.Privileged {
allErrs = append(allErrs, field.Invalid(fldPath, sc, "cannot set `allowPrivilegeEscalation` to false and `privileged` to true")) allErrs = append(allErrs, field.Invalid(fldPath, sc, "cannot set `allowPrivilegeEscalation` to false and `privileged` to true"))
@ -5372,3 +5377,14 @@ func IsDecremented(update, old *int32) bool {
} }
return *update < *old return *update < *old
} }
// IsValidProcMount tests that the argument is a valid ProcMountType.
func IsValidProcMount(procMountType core.ProcMountType) error {
switch procMountType {
case core.DefaultProcMount:
case core.UnmaskedProcMount:
default:
return fmt.Errorf("unsupported ProcMount type %s", procMountType)
}
return nil
}

18
pkg/apis/extensions/v1beta1/zz_generated.defaults.go generated
View File

@ -138,6 +138,9 @@ func SetObjectDefaults_DaemonSet(in *v1beta1.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -180,6 +183,9 @@ func SetObjectDefaults_DaemonSet(in *v1beta1.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -285,6 +291,9 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -327,6 +336,9 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -454,6 +466,9 @@ func SetObjectDefaults_ReplicaSet(in *v1beta1.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -496,6 +511,9 @@ func SetObjectDefaults_ReplicaSet(in *v1beta1.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }

2
pkg/securitycontext/fake.go
View File

@ -25,9 +25,11 @@ import (
// empty container defaults. Used for testing. // empty container defaults. Used for testing.
func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext { func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext {
priv := false priv := false
defProcMount := v1.DefaultProcMount
return &v1.SecurityContext{ return &v1.SecurityContext{
Capabilities: &v1.Capabilities{}, Capabilities: &v1.Capabilities{},
Privileged: &priv, Privileged: &priv,
ProcMount: &defProcMount,
} }
} }