Add overrides for hostpath, seccomp, and capabilities checks

2025-07-30 15:05:27 +00:00 · 2022-01-21 17:20:03 -08:00 · 2022-01-21 17:20:03 -08:00 · 928448dd36
commit 928448dd36
parent 305e0b1210
10 changed files with 22 additions and 13 deletions
--- a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go
@ -41,11 +41,13 @@ func init() {
 	addCheck(CheckCapabilitiesBaseline)
 }
 const checkCapabilitiesBaselineID CheckID = "capabilities_baseline"
 // CheckCapabilitiesBaseline returns a baseline level check
 // that limits the capabilities that can be added in 1.0+
 func CheckCapabilitiesBaseline() Check {
 	return Check{
-		ID:    "capabilities_baseline",
+		ID:    checkCapabilitiesBaselineID,
 		Level: api.LevelBaseline,
 		Versions: []VersionedCheck{
 			{
--- a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
@ -64,6 +64,7 @@ func CheckCapabilitiesRestricted() Check {
 			{
 				MinimumVersion:   api.MajorMinorVersion(1, 22),
 				CheckPod:         capabilitiesRestricted_1_22,
 				OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
 			},
 		},
 	}
--- a/staging/src/k8s.io/pod-security-admission/policy/check_hostPathVolumes.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostPathVolumes.go
@ -38,11 +38,13 @@ func init() {
 	addCheck(CheckHostPathVolumes)
 }
 const checkHostPathVolumesID CheckID = "hostPathVolumes"
 // CheckHostPathVolumes returns a baseline level check
 // that requires hostPath=undefined/null in 1.0+
 func CheckHostPathVolumes() Check {
 	return Check{
-		ID:    "hostPathVolumes",
+		ID:    checkHostPathVolumesID,
 		Level: api.LevelBaseline,
 		Versions: []VersionedCheck{
 			{
--- a/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go
@ -78,6 +78,7 @@ func CheckRestrictedVolumes() Check {
 			{
 				MinimumVersion:   api.MajorMinorVersion(1, 0),
 				CheckPod:         restrictedVolumes_1_0,
 				OverrideCheckIDs: []CheckID{checkHostPathVolumesID},
 			},
 		},
 	}
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go
@ -49,6 +49,8 @@ spec.initContainers[*].securityContext.seccompProfile.type
 const (
 	annotationKeyPod             = "seccomp.security.alpha.kubernetes.io/pod"
 	annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
 	checkSeccompBaselineID CheckID = "seccompProfile_baseline"
 )
 func init() {
@ -57,7 +59,7 @@ func init() {
 func CheckSeccompBaseline() Check {
 	return Check{
-		ID:    "seccompProfile_baseline",
+		ID:    checkSeccompBaselineID,
 		Level: api.LevelBaseline,
 		Versions: []VersionedCheck{
 			{
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go
@ -53,6 +53,7 @@ func CheckSeccompProfileRestricted() Check {
 			{
 				MinimumVersion:   api.MajorMinorVersion(1, 19),
 				CheckPod:         seccompProfileRestricted_1_19,
 				OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
 			},
 		},
 	}
--- a/staging/src/k8s.io/pod-security-admission/policy/checks_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/checks_test.go
@ -36,7 +36,7 @@ func TestValidChecks(t *testing.T) {
 	for _, check := range allChecks {
 		for _, c := range check.Versions {
 			for _, override := range c.OverrideCheckIDs {
-				assert.Contains(t, allIDs, override, "check %s overrides non-existant check %s", check.ID, override)
+				assert.Contains(t, allIDs, override, "check %s overrides non-existent check %s", check.ID, override)
 			}
 		}
 	}
--- a/staging/src/k8s.io/pod-security-admission/policy/registry.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/registry.go
@ -33,7 +33,7 @@ type Evaluator interface {
 // checkRegistry provides a default implementation of an Evaluator.
 type checkRegistry struct {
-	// The checks are a map policy verison to a slice of checks registered for that version.
+	// The checks are a map policy version to a slice of checks registered for that version.
 	baselineChecks, restrictedChecks map[api.Version][]CheckPodFn
 	// maxVersion is the maximum version that is cached, guaranteed to be at least
 	// the max MinimumVersion of all registered checks.
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_baseline.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_baseline.go
@ -47,7 +47,7 @@ func ensureCapabilities(p *corev1.Pod) *corev1.Pod {
 func init() {
 	fixtureData_1_0 := fixtureGenerator{
-		expectErrorSubstring: "non-default capabilities",
+		expectErrorSubstring: "capabilities",
 		generatePass: func(p *corev1.Pod) []*corev1.Pod {
 			// don't generate fixtures if minimal valid pod drops ALL
 			if p.Spec.Containers[0].SecurityContext != nil && p.Spec.Containers[0].SecurityContext.Capabilities != nil {
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPathVolumes.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPathVolumes.go
@ -28,7 +28,7 @@ TODO: include field paths in reflect-based unit test
 func init() {
 	fixtureData_1_0 := fixtureGenerator{
-		expectErrorSubstring: "hostPath volumes",
+		expectErrorSubstring: "hostPath",
 		generatePass: func(p *corev1.Pod) []*corev1.Pod {
 			// minimal valid pod already captures all valid combinations
 			return nil