diff --git a/pkg/security/podsecuritypolicy/provider.go b/pkg/security/podsecuritypolicy/provider.go
index b374b265f56..ccf897ec751 100644
--- a/pkg/security/podsecuritypolicy/provider.go
+++ b/pkg/security/podsecuritypolicy/provider.go
@@ -64,17 +64,16 @@ func NewSimpleProvider(psp *extensions.PodSecurityPolicy, namespace string, stra
 }, nil
 }
-// Create a PodSecurityContext based on the given constraints. If a setting is already set
-// on the PodSecurityContext it will not be changed. Validate should be used after the context
-// is created to ensure it complies with the required restrictions.
-func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error) {
+// DefaultPodSecurityContext sets the default values of the required but not filled fields.
+// It modifies the SecurityContext and annotations of the provided pod. Validation should be
+// used after the context is defaulted to ensure it complies with the required restrictions.
+func (s *simpleProvider) DefaultPodSecurityContext(pod *api.Pod) error {
 sc := securitycontext.NewPodSecurityContextMutator(pod.Spec.SecurityContext)
- annotations := maps.CopySS(pod.Annotations)
 if sc.SupplementalGroups() == nil {
 supGroups, err := s.strategies.SupplementalGroupStrategy.Generate(pod)
 if err != nil {
- return nil, nil, err
+ return err
 }
 sc.SetSupplementalGroups(supGroups)
 }
@@ -82,7 +81,7 @@ func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurit
 if sc.FSGroup() == nil {
 fsGroup, err := s.strategies.FSGroupStrategy.GenerateSingle(pod)
 if err != nil {
- return nil, nil, err
+ return err
 }
 sc.SetFSGroup(fsGroup)
 }
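Review bot: Removing `annotations := maps.CopySS(pod.Annotations)` turns this function from a read-only computation into an in-place write through the caller's pod, so any caller that relied on the pod being untouched (for instance an admission path that tries several candidate policies against the same pod object) now has to copy the pod before each attempt; that caller is not in this diff, so it is worth confirming. The new doc comment should also say what the pod holds when an error is returned: the `return err` branches here fire after `sc` may already have been modified, and whether those changes are visible on the pod depends on whether the mutator aliases `pod.Spec.SecurityContext`, which is not visible in this hunk. Suggest adding `// On error the pod may already be partially defaulted and must not be treated as unmodified.` If `maps.CopySS` was the only use of the `maps` package in provider.go, the import must be dropped as well; no import hunk is shown. The function body continues into the following hunks.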
@@ -90,24 +89,27 @@ func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurit
 if sc.SELinuxOptions() == nil {
 seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, nil)
 if err != nil {
- return nil, nil, err
+ return err
 }
 sc.SetSELinuxOptions(seLinux)
 }
 // This is only generated on the pod level. Containers inherit the pod's profile. If the
 // container has a specific profile set then it will be caught in the validation step.
- seccompProfile, err := s.strategies.SeccompStrategy.Generate(annotations, pod)
+ seccompProfile, err := s.strategies.SeccompStrategy.Generate(pod.Annotations, pod)
 if err != nil {
- return nil, nil, err
+ return err
 }
 if seccompProfile != "" {
- if annotations == nil {
- annotations = map[string]string{}
+ if pod.Annotations == nil {
+ pod.Annotations = map[string]string{}
 }
- annotations[api.SeccompPodAnnotationKey] = seccompProfile
+ pod.Annotations[api.SeccompPodAnnotationKey] = seccompProfile
 }
- return sc.PodSecurityContext(), annotations, nil
+
+ pod.Spec.SecurityContext = sc.PodSecurityContext()
+
+ return nil
 }
 // Create a SecurityContext based on the given constraints. If a setting is already set on the
diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go
index b0389e33aac..1c740842d8d 100644
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
@@ -38,7 +38,7 @@ import (
 const defaultContainerName = "test-c"
-func TestCreatePodSecurityContextNonmutating(t *testing.T) {
+func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
 // Create a pod with a security context that needs filling in
 createPod := func() *api.Pod {
 return &api.Pod{
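Review bot: The early `return err` after `SeccompStrategy.Generate` fails skips the final `pod.Spec.SecurityContext = sc.PodSecurityContext()`, so whether the supplemental-group, fsGroup and SELinux defaults generated earlier in this function reach the pod depends on whether the mutator writes through to the pointer it was built from — that is not visible in this diff, and the admission caller goes on to validate the pod either way. Worth pinning down with a test that a failing strategy leaves the pod untouched, or, if write-through is intended, with a comment above the assignment such as `// Commit the defaulted context only once every strategy succeeded; earlier error returns leave it as the mutator left it.` The function's signature and doc comment are in the previous hunk, which is where the resulting contract should be stated.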
@@ -82,7 +82,7 @@ func TestCreatePodSecurityContextNonmutating(t *testing.T) {
 if err != nil {
 t.Fatalf("unable to create provider %v", err)
 }
- _, _, err = provider.CreatePodSecurityContext(pod)
+ err = provider.DefaultPodSecurityContext(pod)
 if err != nil {
 t.Fatalf("unable to create psc %v", err)
 }
@@ -91,10 +91,10 @@ func TestCreatePodSecurityContextNonmutating(t *testing.T) {
 // since all the strategies were permissive
 if !reflect.DeepEqual(createPod(), pod) {
 diffs := diff.ObjectDiff(createPod(), pod)
- t.Errorf("pod was mutated by CreatePodSecurityContext. diff:\n%s", diffs)
+ t.Errorf("pod was mutated by DefaultPodSecurityContext. diff:\n%s", diffs)
 }
 if !reflect.DeepEqual(createPSP(), psp) {
- t.Error("psp was mutated by CreatePodSecurityContext")
+ t.Error("psp was mutated by DefaultPodSecurityContext")
 }
 }
diff --git a/pkg/security/podsecuritypolicy/types.go b/pkg/security/podsecuritypolicy/types.go
index 31fcc5484d8..405ac65df74 100644
--- a/pkg/security/podsecuritypolicy/types.go
+++ b/pkg/security/podsecuritypolicy/types.go
@@ -32,9 +32,9 @@ import (
 // Provider provides the implementation to generate a new security
 // context based on constraints or validate an existing security context against constraints.
 type Provider interface {
- // Create a PodSecurityContext based on the given constraints. Also returns an updated set
- // of Pod annotations for alpha feature support.
- CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error)
+ // DefaultPodSecurityContext sets the default values of the required but not filled fields.
+ // It modifies the SecurityContext and annotations of the provided pod.
+ DefaultPodSecurityContext(pod *api.Pod) error
 // Create a container SecurityContext based on the given constraints. Also returns an updated set
 // of Pod annotations for alpha feature support.
 CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, map[string]string, error)
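Review bot: The unchanged type comment at the top of the types.go hunk, `// Provider provides the implementation to generate a new security context based on constraints`, no longer describes the interface: `DefaultPodSecurityContext` now fills the provided pod in place and returns only an error, while `CreateContainerSecurityContext` still returns a fresh context plus annotations. Suggest rewording it to `// Provider defaults a pod's security context in place, creates container security contexts, and validates both against the policy's constraints.` The new method comment should also tell implementers and callers what state the pod is in when an error is returned, e.g. `// When an error is returned the pod may already be partially defaulted.`, provided that matches the implementation in provider.go, which cannot be confirmed from this file alone.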
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission.go b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
index da6ec45695d..c7b545ec996 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
@@ -273,12 +273,10 @@ func (c *PodSecurityPolicyPlugin) computeSecurityContext(a admission.Attributes,
 func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.Path) field.ErrorList {
 errs := field.ErrorList{}
- psc, pscAnnotations, err := provider.CreatePodSecurityContext(pod)
+ err := provider.DefaultPodSecurityContext(pod)
 if err != nil {
 errs = append(errs, field.Invalid(field.NewPath("spec", "securityContext"), pod.Spec.SecurityContext, err.Error()))
 }
- pod.Spec.SecurityContext = psc
- pod.Annotations = pscAnnotations
 errs = append(errs, provider.ValidatePodSecurityContext(pod, field.NewPath("spec", "securityContext"))...)