Add overrides for hostpath, seccomp, and capabilities checks
This commit is contained in:
parent
305e0b1210
commit
928448dd36
@ -41,11 +41,13 @@ func init() {
|
||||
addCheck(CheckCapabilitiesBaseline)
|
||||
}
|
||||
|
||||
const checkCapabilitiesBaselineID CheckID = "capabilities_baseline"
|
||||
|
||||
// CheckCapabilitiesBaseline returns a baseline level check
|
||||
// that limits the capabilities that can be added in 1.0+
|
||||
func CheckCapabilitiesBaseline() Check {
|
||||
return Check{
|
||||
ID: "capabilities_baseline",
|
||||
ID: checkCapabilitiesBaselineID,
|
||||
Level: api.LevelBaseline,
|
||||
Versions: []VersionedCheck{
|
||||
{
|
||||
|
@ -62,8 +62,9 @@ func CheckCapabilitiesRestricted() Check {
|
||||
Level: api.LevelRestricted,
|
||||
Versions: []VersionedCheck{
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 22),
|
||||
CheckPod: capabilitiesRestricted_1_22,
|
||||
MinimumVersion: api.MajorMinorVersion(1, 22),
|
||||
CheckPod: capabilitiesRestricted_1_22,
|
||||
OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
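Review bot: The override `OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID}` is attached to the versioned check gated at `MinimumVersion: api.MajorMinorVersion(1, 22)`, while the baseline capabilities check it suppresses is documented in this commit as applying from 1.0; if the registry honors overrides from any version of a check rather than only the version selected for the policy, a restricted policy pinned below 1.22 would lose the baseline capabilities check entirely. The registry code is not in this hunk, so that should be confirmed there and pinned by a test. Overriding is also only safe while `capabilitiesRestricted_1_22` rejects every pod the baseline check rejects; a later relaxation of the restricted check would silently weaken restricted evaluation. Suggest a comment on the override line: `// Suppresses the baseline capabilities check; this check must remain a strict superset of it.` CheckCapabilitiesRestricted's signature is above the hunk.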
@ -38,11 +38,13 @@ func init() {
|
||||
addCheck(CheckHostPathVolumes)
|
||||
}
|
||||
|
||||
const checkHostPathVolumesID CheckID = "hostPathVolumes"
|
||||
|
||||
// CheckHostPathVolumes returns a baseline level check
|
||||
// that requires hostPath=undefined/null in 1.0+
|
||||
func CheckHostPathVolumes() Check {
|
||||
return Check{
|
||||
ID: "hostPathVolumes",
|
||||
ID: checkHostPathVolumesID,
|
||||
Level: api.LevelBaseline,
|
||||
Versions: []VersionedCheck{
|
||||
{
|
||||
|
@ -76,8 +76,9 @@ func CheckRestrictedVolumes() Check {
|
||||
Level: api.LevelRestricted,
|
||||
Versions: []VersionedCheck{
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 0),
|
||||
CheckPod: restrictedVolumes_1_0,
|
||||
MinimumVersion: api.MajorMinorVersion(1, 0),
|
||||
CheckPod: restrictedVolumes_1_0,
|
||||
OverrideCheckIDs: []CheckID{checkHostPathVolumesID},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
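Review bot: `OverrideCheckIDs: []CheckID{checkHostPathVolumesID}` makes `restrictedVolumes_1_0` the only volume check that runs at the restricted level, so hostPath volumes are now rejected there only if that function's allow-list excludes them; its body is outside this hunk. A regression test that evaluates a pod with a hostPath volume at the restricted level and expects a failure would pin the invariant the override relies on. A comment at the override would also help the next maintainer: `// The baseline hostPath check is suppressed here; restrictedVolumes_1_0 must keep rejecting hostPath volumes.` CheckRestrictedVolumes's signature is above the hunk.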
@ -49,6 +49,8 @@ spec.initContainers[*].securityContext.seccompProfile.type
|
||||
const (
|
||||
annotationKeyPod = "seccomp.security.alpha.kubernetes.io/pod"
|
||||
annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
|
||||
|
||||
checkSeccompBaselineID CheckID = "seccompProfile_baseline"
|
||||
)
|
||||
|
||||
func init() {
|
||||
@ -57,7 +59,7 @@ func init() {
|
||||
|
||||
func CheckSeccompBaseline() Check {
|
||||
return Check{
|
||||
ID: "seccompProfile_baseline",
|
||||
ID: checkSeccompBaselineID,
|
||||
Level: api.LevelBaseline,
|
||||
Versions: []VersionedCheck{
|
||||
{
|
||||
|
@ -51,8 +51,9 @@ func CheckSeccompProfileRestricted() Check {
|
||||
Level: api.LevelRestricted,
|
||||
Versions: []VersionedCheck{
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 19),
|
||||
CheckPod: seccompProfileRestricted_1_19,
|
||||
MinimumVersion: api.MajorMinorVersion(1, 19),
|
||||
CheckPod: seccompProfileRestricted_1_19,
|
||||
OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
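Review bot: The override `OverrideCheckIDs: []CheckID{checkSeccompBaselineID}` suppresses a baseline check whose ID constant sits next to the `seccomp.security.alpha.kubernetes.io/pod` and container annotation keys in this commit, suggesting the baseline path also inspects those annotations, while the overriding check is gated at `MinimumVersion: api.MajorMinorVersion(1, 19)`. If `seccompProfileRestricted_1_19` only examines `securityContext.seccompProfile` fields, a pod carrying an unconfined annotation would no longer be flagged via the annotation path at the restricted level; whether that is acceptable depends on the field taking precedence over the annotation in 1.19+, which is worth stating explicitly. Suggest documenting it: `// Overrides the baseline seccomp check (annotation-aware); the field-based restricted check is authoritative from 1.19.` The body of seccompProfileRestricted_1_19 and the start of CheckSeccompProfileRestricted are outside this hunk.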
@ -36,7 +36,7 @@ func TestValidChecks(t *testing.T) {
|
||||
for _, check := range allChecks {
|
||||
for _, c := range check.Versions {
|
||||
for _, override := range c.OverrideCheckIDs {
|
||||
assert.Contains(t, allIDs, override, "check %s overrides non-existant check %s", check.ID, override)
|
||||
assert.Contains(t, allIDs, override, "check %s overrides non-existent check %s", check.ID, override)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -33,7 +33,7 @@ type Evaluator interface {
|
||||
|
||||
// checkRegistry provides a default implementation of an Evaluator.
|
||||
type checkRegistry struct {
|
||||
// The checks are a map policy verison to a slice of checks registered for that version.
|
||||
// The checks are a map policy version to a slice of checks registered for that version.
|
||||
baselineChecks, restrictedChecks map[api.Version][]CheckPodFn
|
||||
// maxVersion is the maximum version that is cached, guaranteed to be at least
|
||||
// the max MinimumVersion of all registered checks.
|
||||
|
@ -47,7 +47,7 @@ func ensureCapabilities(p *corev1.Pod) *corev1.Pod {
|
||||
|
||||
func init() {
|
||||
fixtureData_1_0 := fixtureGenerator{
|
||||
expectErrorSubstring: "non-default capabilities",
|
||||
expectErrorSubstring: "capabilities",
|
||||
generatePass: func(p *corev1.Pod) []*corev1.Pod {
|
||||
// don't generate fixtures if minimal valid pod drops ALL
|
||||
if p.Spec.Containers[0].SecurityContext != nil && p.Spec.Containers[0].SecurityContext.Capabilities != nil {
|
||||
|
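Review bot: Loosening `expectErrorSubstring` from `"non-default capabilities"` to `"capabilities"` weakens the fixture assertion: any failure message mentioning capabilities, including one produced by the overriding restricted check, now satisfies it, so a fixture that fails for a different reason than intended would still pass. Presumably this was needed because the restricted check's message differs once the baseline check is overridden; if so, a per-level expected substring would let the baseline fixtures keep asserting the baseline wording. The enclosing init() and the generatePass closure continue past the hunk.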
@ -28,7 +28,7 @@ TODO: include field paths in reflect-based unit test
|
||||
func init() {
|
||||
|
||||
fixtureData_1_0 := fixtureGenerator{
|
||||
expectErrorSubstring: "hostPath volumes",
|
||||
expectErrorSubstring: "hostPath",
|
||||
generatePass: func(p *corev1.Pod) []*corev1.Pod {
|
||||
// minimal valid pod already captures all valid combinations
|
||||
return nil
|
||||
|
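Review bot: `expectErrorSubstring: "hostPath"` replaces the more specific `"hostPath volumes"`, so the fixtures now accept any error mentioning hostPath, which presumably accommodates the restricted volumes check's wording once it overrides the baseline check. That trades precision for convenience; keeping `"hostPath volumes"` for the baseline fixtures and a separate substring for the restricted level would keep each fixture asserting the message of the check actually expected to fire. The enclosing init() continues past the hunk.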