Use dedicated Unix User and Group ID types

2026-01-05 07:27:21 +00:00 · 2017-04-20 12:57:07 +02:00
parent ee39d359dd
commit 9440a68744
120 changed files with 4881 additions and 4396 deletions
--- a/pkg/security/podsecuritypolicy/user/BUILD
+++ b/pkg/security/podsecuritypolicy/user/BUILD
@@ -22,6 +22,7 @@ go_library(
        "//pkg/api:go_default_library",
        "//pkg/apis/extensions:go_default_library",
        "//pkg/security/podsecuritypolicy/util:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
    ],
 )
@@ -38,6 +39,7 @@ go_test(
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/apis/extensions:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )

--- a/pkg/security/podsecuritypolicy/user/mustrunas.go
+++ b/pkg/security/podsecuritypolicy/user/mustrunas.go
@@ -19,6 +19,7 @@ package user
 import (
 	"fmt"

+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@@ -44,7 +45,7 @@ func NewMustRunAs(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrate
 }

 // Generate creates the uid based on policy rules.  MustRunAs returns the first range's Min.
-func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
+func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
 	return &s.opts.Ranges[0].Min, nil
 }

@@ -74,9 +75,9 @@ func (s *mustRunAs) Validate(pod *api.Pod, container *api.Container) field.Error
 	return allErrs
 }

-func (s *mustRunAs) isValidUID(id int64) bool {
+func (s *mustRunAs) isValidUID(id types.UnixUserID) bool {
 	for _, rng := range s.opts.Ranges {
-		if psputil.FallsInRange(id, rng) {
+		if psputil.UserFallsInRange(id, rng) {
 			return true
 		}
 	}
--- a/pkg/security/podsecuritypolicy/user/mustrunas_test.go
+++ b/pkg/security/podsecuritypolicy/user/mustrunas_test.go
@@ -20,6 +20,7 @@ import (
 	"strings"
 	"testing"

+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 )
@@ -39,7 +40,7 @@ func TestNewMustRunAs(t *testing.T) {
 		},
 		"valid opts": {
 			opts: &extensions.RunAsUserStrategyOptions{
-				Ranges: []extensions.IDRange{
+				Ranges: []extensions.UserIDRange{
 					{Min: 1, Max: 1},
 				},
 			},
@@ -59,7 +60,7 @@ func TestNewMustRunAs(t *testing.T) {

 func TestGenerate(t *testing.T) {
 	opts := &extensions.RunAsUserStrategyOptions{
-		Ranges: []extensions.IDRange{
+		Ranges: []extensions.UserIDRange{
 			{Min: 1, Max: 1},
 		},
 	}
@@ -78,12 +79,15 @@ func TestGenerate(t *testing.T) {

 func TestValidate(t *testing.T) {
 	opts := &extensions.RunAsUserStrategyOptions{
-		Ranges: []extensions.IDRange{
+		Ranges: []extensions.UserIDRange{
 			{Min: 1, Max: 1},
 			{Min: 10, Max: 20},
 		},
 	}

+	validID := types.UnixUserID(15)
+	invalidID := types.UnixUserID(21)
+
 	tests := map[string]struct {
 		container   *api.Container
 		expectedMsg string
@@ -91,7 +95,7 @@ func TestValidate(t *testing.T) {
 		"good container": {
 			container: &api.Container{
 				SecurityContext: &api.SecurityContext{
-					RunAsUser: int64Ptr(15),
+					RunAsUser: &validID,
 				},
 			},
 		},
@@ -112,7 +116,7 @@ func TestValidate(t *testing.T) {
 		"invalid id": {
 			container: &api.Container{
 				SecurityContext: &api.SecurityContext{
-					RunAsUser: int64Ptr(21),
+					RunAsUser: &invalidID,
 				},
 			},
 			expectedMsg: "does not match required range",
@@ -146,7 +150,3 @@ func TestValidate(t *testing.T) {
 		}
 	}
 }
-
-func int64Ptr(i int64) *int64 {
-	return &i
-}
--- a/pkg/security/podsecuritypolicy/user/nonroot.go
+++ b/pkg/security/podsecuritypolicy/user/nonroot.go
@@ -19,6 +19,7 @@ package user
 import (
 	"fmt"

+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@@ -34,7 +35,7 @@ func NewRunAsNonRoot(options *extensions.RunAsUserStrategyOptions) (RunAsUserStr

 // Generate creates the uid based on policy rules.  This strategy does return a UID.  It assumes
 // that the user will specify a UID or the container image specifies a UID.
-func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
+func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
 	return nil, nil
 }

--- a/pkg/security/podsecuritypolicy/user/nonroot_test.go
+++ b/pkg/security/podsecuritypolicy/user/nonroot_test.go
@@ -19,6 +19,7 @@ package user
 import (
 	"testing"

+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 )
@@ -49,8 +50,8 @@ func TestNonRootGenerate(t *testing.T) {
 }

 func TestNonRootValidate(t *testing.T) {
-	var uid int64 = 1
-	var badUID int64 = 0
+	goodUID := types.UnixUserID(1)
+	badUID := types.UnixUserID(0)
 	s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})
 	if err != nil {
 		t.Fatalf("unexpected error initializing NewMustRunAs %v", err)
@@ -66,7 +67,7 @@ func TestNonRootValidate(t *testing.T) {
 		t.Errorf("expected errors from root uid but got none")
 	}

-	container.SecurityContext.RunAsUser = &uid
+	container.SecurityContext.RunAsUser = &goodUID
 	errs = s.Validate(nil, container)
 	if len(errs) != 0 {
 		t.Errorf("expected no errors from non-root uid but got %v", errs)
--- a/pkg/security/podsecuritypolicy/user/runasany.go
+++ b/pkg/security/podsecuritypolicy/user/runasany.go
@@ -17,6 +17,7 @@ limitations under the License.
 package user

 import (
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@@ -33,7 +34,7 @@ func NewRunAsAny(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrateg
 }

 // Generate creates the uid based on policy rules.
-func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
+func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
 	return nil, nil
 }

--- a/pkg/security/podsecuritypolicy/user/types.go
+++ b/pkg/security/podsecuritypolicy/user/types.go
@@ -17,6 +17,7 @@ limitations under the License.
 package user

 import (
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 )
@@ -24,7 +25,7 @@ import (
 // RunAsUserStrategy defines the interface for all uid constraint strategies.
 type RunAsUserStrategy interface {
 	// Generate creates the uid based on policy rules.
-	Generate(pod *api.Pod, container *api.Container) (*int64, error)
+	Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error)
 	// Validate ensures that the specified values fall within the range of the strategy.
 	Validate(pod *api.Pod, container *api.Container) field.ErrorList
 }