Add overrides for hostpath, seccomp, and capabilities checks

staging/src/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go

@@ -41,11 +41,13 @@ func init() {
 	addCheck(CheckCapabilitiesBaseline)
 }
 
+const checkCapabilitiesBaselineID CheckID = "capabilities_baseline"
+
 // CheckCapabilitiesBaseline returns a baseline level check
 // that limits the capabilities that can be added in 1.0+
 func CheckCapabilitiesBaseline() Check {
 	return Check{
-		ID:    "capabilities_baseline",
+		ID:    checkCapabilitiesBaselineID,
 		Level: api.LevelBaseline,
 		Versions: []VersionedCheck{
 			{

staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go

@@ -62,8 +62,9 @@ func CheckCapabilitiesRestricted() Check {
 		Level: api.LevelRestricted,
 		Versions: []VersionedCheck{
 			{
-				MinimumVersion: api.MajorMinorVersion(1, 22),
-				CheckPod:       capabilitiesRestricted_1_22,
+				MinimumVersion:   api.MajorMinorVersion(1, 22),
+				CheckPod:         capabilitiesRestricted_1_22,
+				OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
 			},
 		},
 	}

staging/src/k8s.io/pod-security-admission/policy/check_hostPathVolumes.go

@@ -38,11 +38,13 @@ func init() {
 	addCheck(CheckHostPathVolumes)
 }
 
+const checkHostPathVolumesID CheckID = "hostPathVolumes"
+
 // CheckHostPathVolumes returns a baseline level check
 // that requires hostPath=undefined/null in 1.0+
 func CheckHostPathVolumes() Check {
 	return Check{
-		ID:    "hostPathVolumes",
+		ID:    checkHostPathVolumesID,
 		Level: api.LevelBaseline,
 		Versions: []VersionedCheck{
 			{

staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go

@@ -76,8 +76,9 @@ func CheckRestrictedVolumes() Check {
 		Level: api.LevelRestricted,
 		Versions: []VersionedCheck{
 			{
-				MinimumVersion: api.MajorMinorVersion(1, 0),
-				CheckPod:       restrictedVolumes_1_0,
+				MinimumVersion:   api.MajorMinorVersion(1, 0),
+				CheckPod:         restrictedVolumes_1_0,
+				OverrideCheckIDs: []CheckID{checkHostPathVolumesID},
 			},
 		},
 	}

staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go

@@ -49,6 +49,8 @@ spec.initContainers[*].securityContext.seccompProfile.type
 const (
 	annotationKeyPod             = "seccomp.security.alpha.kubernetes.io/pod"
 	annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
+
+	checkSeccompBaselineID CheckID = "seccompProfile_baseline"
 )
 
 func init() {
@@ -57,7 +59,7 @@ func init() {
 
 func CheckSeccompBaseline() Check {
 	return Check{
-		ID:    "seccompProfile_baseline",
+		ID:    checkSeccompBaselineID,
 		Level: api.LevelBaseline,
 		Versions: []VersionedCheck{
 			{

staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go

@@ -51,8 +51,9 @@ func CheckSeccompProfileRestricted() Check {
 		Level: api.LevelRestricted,
 		Versions: []VersionedCheck{
 			{
-				MinimumVersion: api.MajorMinorVersion(1, 19),
-				CheckPod:       seccompProfileRestricted_1_19,
+				MinimumVersion:   api.MajorMinorVersion(1, 19),
+				CheckPod:         seccompProfileRestricted_1_19,
+				OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
 			},
 		},
 	}

staging/src/k8s.io/pod-security-admission/policy/checks_test.go

@@ -36,7 +36,7 @@ func TestValidChecks(t *testing.T) {
 	for _, check := range allChecks {
 		for _, c := range check.Versions {
 			for _, override := range c.OverrideCheckIDs {
-				assert.Contains(t, allIDs, override, "check %s overrides non-existant check %s", check.ID, override)
+				assert.Contains(t, allIDs, override, "check %s overrides non-existent check %s", check.ID, override)
 			}
 		}
 	}

staging/src/k8s.io/pod-security-admission/policy/registry.go

@@ -33,7 +33,7 @@ type Evaluator interface {
 
 // checkRegistry provides a default implementation of an Evaluator.
 type checkRegistry struct {
-	// The checks are a map policy verison to a slice of checks registered for that version.
+	// The checks are a map policy version to a slice of checks registered for that version.
 	baselineChecks, restrictedChecks map[api.Version][]CheckPodFn
 	// maxVersion is the maximum version that is cached, guaranteed to be at least
 	// the max MinimumVersion of all registered checks.

staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_baseline.go

@@ -47,7 +47,7 @@ func ensureCapabilities(p *corev1.Pod) *corev1.Pod {
 
 func init() {
 	fixtureData_1_0 := fixtureGenerator{
-		expectErrorSubstring: "non-default capabilities",
+		expectErrorSubstring: "capabilities",
 		generatePass: func(p *corev1.Pod) []*corev1.Pod {
 			// don't generate fixtures if minimal valid pod drops ALL
 			if p.Spec.Containers[0].SecurityContext != nil && p.Spec.Containers[0].SecurityContext.Capabilities != nil {

staging/src/k8s.io/pod-security-admission/test/fixtures_hostPathVolumes.go

@@ -28,7 +28,7 @@ TODO: include field paths in reflect-based unit test
 func init() {
 
 	fixtureData_1_0 := fixtureGenerator{
-		expectErrorSubstring: "hostPath volumes",
+		expectErrorSubstring: "hostPath",
 		generatePass: func(p *corev1.Pod) []*corev1.Pod {
 			// minimal valid pod already captures all valid combinations
 			return nil