mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-21 01:50:55 +00:00
Promote RunAsGroup to GA
This commit is contained in:
Mayank Kumar
@@ -484,8 +484,6 @@ func dropDisabledFields(
|
||||
})
|
||||
}
|
||||
|
||||
dropDisabledRunAsGroupField(podSpec, oldPodSpec)
|
||||
|
||||
dropDisabledFSGroupFields(podSpec, oldPodSpec)
|
||||
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.PodOverhead) && !overheadInUse(oldPodSpec) {
|
||||
@@ -512,22 +510,6 @@ func dropDisabledFields(
|
||||
|
||||
}
|
||||
|
||||
// dropDisabledRunAsGroupField removes disabled fields from PodSpec related
|
||||
// to RunAsGroup
|
||||
func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && !runAsGroupInUse(oldPodSpec) {
|
||||
if podSpec.SecurityContext != nil {
|
||||
podSpec.SecurityContext.RunAsGroup = nil
|
||||
}
|
||||
VisitContainers(podSpec, AllContainers, func(c *api.Container, containerType ContainerType) bool {
|
||||
if c.SecurityContext != nil {
|
||||
c.SecurityContext.RunAsGroup = nil
|
||||
}
|
||||
return true
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// dropDisabledProcMountField removes disabled fields from PodSpec related
|
||||
// to ProcMount only if it is not already used by the old spec
|
||||
func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {
|
||||
@@ -691,28 +673,6 @@ func emptyDirSizeLimitInUse(podSpec *api.PodSpec) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// runAsGroupInUse returns true if the pod spec is non-nil and has a SecurityContext's RunAsGroup field set
|
||||
func runAsGroupInUse(podSpec *api.PodSpec) bool {
|
||||
if podSpec == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
if podSpec.SecurityContext != nil && podSpec.SecurityContext.RunAsGroup != nil {
|
||||
return true
|
||||
}
|
||||
|
||||
var inUse bool
|
||||
VisitContainers(podSpec, AllContainers, func(c *api.Container, containerType ContainerType) bool {
|
||||
if c.SecurityContext != nil && c.SecurityContext.RunAsGroup != nil {
|
||||
inUse = true
|
||||
return false
|
||||
}
|
||||
return true
|
||||
})
|
||||
|
||||
return inUse
|
||||
}
|
||||
|
||||
// subpathExprInUse returns true if the pod spec is non-nil and has a volume mount that makes use of the subPathExpr feature
|
||||
func subpathExprInUse(podSpec *api.PodSpec) bool {
|
||||
if podSpec == nil {
|
||||
|
||||
@@ -1017,143 +1017,6 @@ func TestDropAppArmor(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestDropRunAsGroup(t *testing.T) {
|
||||
group := func() *int64 {
|
||||
testGroup := int64(1000)
|
||||
return &testGroup
|
||||
}
|
||||
defaultProcMount := api.DefaultProcMount
|
||||
defaultSecurityContext := func() *api.SecurityContext {
|
||||
return &api.SecurityContext{ProcMount: &defaultProcMount}
|
||||
}
|
||||
securityContextWithRunAsGroup := func() *api.SecurityContext {
|
||||
return &api.SecurityContext{ProcMount: &defaultProcMount, RunAsGroup: group()}
|
||||
}
|
||||
podWithoutRunAsGroup := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
RestartPolicy: api.RestartPolicyNever,
|
||||
SecurityContext: &api.PodSecurityContext{},
|
||||
Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
|
||||
InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
|
||||
},
|
||||
}
|
||||
}
|
||||
podWithRunAsGroupInPod := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
RestartPolicy: api.RestartPolicyNever,
|
||||
SecurityContext: &api.PodSecurityContext{RunAsGroup: group()},
|
||||
Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
|
||||
InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
|
||||
},
|
||||
}
|
||||
}
|
||||
podWithRunAsGroupInContainers := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
RestartPolicy: api.RestartPolicyNever,
|
||||
SecurityContext: &api.PodSecurityContext{},
|
||||
Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: securityContextWithRunAsGroup()}},
|
||||
InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
|
||||
},
|
||||
}
|
||||
}
|
||||
podWithRunAsGroupInInitContainers := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
RestartPolicy: api.RestartPolicyNever,
|
||||
SecurityContext: &api.PodSecurityContext{},
|
||||
Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
|
||||
InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: securityContextWithRunAsGroup()}},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
podInfo := []struct {
|
||||
description string
|
||||
hasRunAsGroup bool
|
||||
pod func() *api.Pod
|
||||
}{
|
||||
{
|
||||
description: "have RunAsGroup in Pod",
|
||||
hasRunAsGroup: true,
|
||||
pod: podWithRunAsGroupInPod,
|
||||
},
|
||||
{
|
||||
description: "have RunAsGroup in Container",
|
||||
hasRunAsGroup: true,
|
||||
pod: podWithRunAsGroupInContainers,
|
||||
},
|
||||
{
|
||||
description: "have RunAsGroup in InitContainer",
|
||||
hasRunAsGroup: true,
|
||||
pod: podWithRunAsGroupInInitContainers,
|
||||
},
|
||||
{
|
||||
description: "does not have RunAsGroup",
|
||||
hasRunAsGroup: false,
|
||||
pod: podWithoutRunAsGroup,
|
||||
},
|
||||
{
|
||||
description: "is nil",
|
||||
hasRunAsGroup: false,
|
||||
pod: func() *api.Pod { return nil },
|
||||
},
|
||||
}
|
||||
|
||||
for _, enabled := range []bool{true, false} {
|
||||
for _, oldPodInfo := range podInfo {
|
||||
for _, newPodInfo := range podInfo {
|
||||
oldPodHasRunAsGroup, oldPod := oldPodInfo.hasRunAsGroup, oldPodInfo.pod()
|
||||
newPodHasRunAsGroup, newPod := newPodInfo.hasRunAsGroup, newPodInfo.pod()
|
||||
if newPod == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RunAsGroup, enabled)()
|
||||
|
||||
var oldPodSpec *api.PodSpec
|
||||
if oldPod != nil {
|
||||
oldPodSpec = &oldPod.Spec
|
||||
}
|
||||
dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
|
||||
|
||||
// old pod should never be changed
|
||||
if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
|
||||
t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
|
||||
}
|
||||
|
||||
switch {
|
||||
case enabled || oldPodHasRunAsGroup:
|
||||
// new pod should not be changed if the feature is enabled, or if the old pod had RunAsGroup
|
||||
if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
|
||||
}
|
||||
case newPodHasRunAsGroup:
|
||||
// new pod should be changed
|
||||
if reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("%v", oldPod)
|
||||
t.Errorf("%v", newPod)
|
||||
t.Errorf("new pod was not changed")
|
||||
}
|
||||
// new pod should not have RunAsGroup
|
||||
if !reflect.DeepEqual(newPod, podWithoutRunAsGroup()) {
|
||||
t.Errorf("new pod had RunAsGroup: %v", diff.ObjectReflectDiff(newPod, podWithoutRunAsGroup()))
|
||||
}
|
||||
default:
|
||||
// new pod should not need to be changed
|
||||
if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestDropPodSysctls(t *testing.T) {
|
||||
podWithSysctls := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
|
||||
Reference in New Issue
Block a user