From a62a64550caa4e7dbcdb3a271549da2ac5cbb092 Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski"
Date: Fri, 30 Sep 2016 09:08:22 +0200
Subject: [PATCH] Cosmetical fixes for sysctl psp

---
 pkg/security/podsecuritypolicy/factory.go | 7 ++-----
 pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go | 6 +++---
 .../podsecuritypolicy/sysctl/mustmatchpatterns_test.go | 6 +-----
 .../admission/security/podsecuritypolicy/admission_test.go | 4 ++--
 4 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/pkg/security/podsecuritypolicy/factory.go b/pkg/security/podsecuritypolicy/factory.go
index 8b187a45aba..64480b38d18 100644
--- a/pkg/security/podsecuritypolicy/factory.go
+++ b/pkg/security/podsecuritypolicy/factory.go
@@ -79,10 +79,7 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPoli
 errs = append(errs, err)
 }
 }
- sysctlsStrat, err := createSysctlsStrategy(unsafeSysctls)
- if err != nil {
- errs = append(errs, err)
- }
+ sysctlsStrat := createSysctlsStrategy(unsafeSysctls)
 
 if len(errs) > 0 {
 return nil, errors.NewAggregate(errs)
@@ -162,6 +159,6 @@ func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []
 }
 
 // createSysctlsStrategy creates a new unsafe sysctls strategy.
-func createSysctlsStrategy(sysctlsPatterns []string) (sysctl.SysctlsStrategy, error) {
+func createSysctlsStrategy(sysctlsPatterns []string) sysctl.SysctlsStrategy {
 return sysctl.NewMustMatchPatterns(sysctlsPatterns)
 }
diff --git a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
index 66b11f71446..f7480e42978 100644
--- a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
+++ b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
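Review bot: The comment on `createSysctlsStrategy` (second hunk) does not tell a reader where the sysctl patterns are checked, and with the error return gone the call `sysctlsStrat := createSysctlsStrategy(unsafeSysctls)` in `CreateStrategies` (first hunk) has no failure path at all. `unsafeSysctls` is populated outside the hunk, so whether its patterns were validated before this point cannot be seen here. If they are validated when the policy object is created, I would record that on the helper, e.g. `// The patterns are assumed to be validated already; this function cannot reject them.` `CreateStrategies` begins and ends outside the first hunk.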
@@ -35,15 +35,15 @@ var (
 defaultSysctlsPatterns = []string{"*"}
 )
 
-// NewMustMatchPatterns creates a new mustMatchPattern strategy that will provide validation.
+// NewMustMatchPatterns creates a new mustMatchPatterns strategy that will provide validation.
 // Passing nil means the default pattern, passing an empty list means to disallow all sysctls.
-func NewMustMatchPatterns(patterns []string) (SysctlsStrategy, error) {
+func NewMustMatchPatterns(patterns []string) SysctlsStrategy {
 if patterns == nil {
 patterns = defaultSysctlsPatterns
 }
 return &mustMatchPatterns{
 patterns: patterns,
- }, nil
+ }
 }
 
 // Validate ensures that the specified values fall within the range of the strategy.
diff --git a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns_test.go b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns_test.go
index 23aefbcaabd..6716175bc46 100644
--- a/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns_test.go
+++ b/pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns_test.go
@@ -58,11 +58,7 @@ func TestValidate(t *testing.T) {
 }
 
 for k, v := range tests {
- strategy, err := NewMustMatchPatterns(v.patterns)
- if err != nil {
- t.Errorf("%s failed: %v", k, err)
- continue
- }
+ strategy := NewMustMatchPatterns(v.patterns)
 
 pod := &api.Pod{}
 errs := strategy.Validate(pod)
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
index a0631d6d2b2..b6fa009df23 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
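Review bot: The doc comment on `NewMustMatchPatterns` does not say that the nil fallback is the permissive one: `defaultSysctlsPatterns` is `[]string{"*"}`, which presumably matches every sysctl name, while an empty non-nil slice disallows all. The two inputs differ only by the `patterns == nil` test, so a caller that loses the distinction (for instance when an empty list is decoded as nil) would widen the policy instead of narrowing it. I would spell this out in the comment, `// A nil slice falls back to defaultSysctlsPatterns ("*"); pass an empty, non-nil slice to disallow all sysctls.` It may also be worth storing a copy of the slice, since `patterns: patterns` keeps a reference to the caller's slice or to the package-level default.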
@@ -1117,12 +1117,12 @@ func TestAdmitSysctls(t *testing.T) {
 shouldPass: true,
 expectedPSP: mixedSysctls.Name,
 },
- "pod with not-matching unsafe sysctls request allowed under mixedSysctls PSP": {
+ "pod with not-matching unsafe sysctls request disallowed under mixedSysctls PSP": {
 pod: podWithSysctls([]string{"a.b", "b.c", "c", "d.e.f"}, []string{"e"}),
 psps: []*extensions.PodSecurityPolicy{mixedSysctls},
 shouldPass: false,
 },
- "pod with not-matching safe sysctls request allowed under mixedSysctls PSP": {
+ "pod with not-matching safe sysctls request disallowed under mixedSysctls PSP": {
 pod: podWithSysctls([]string{"a.b", "b.c", "c", "d.e.f", "e"}, []string{}),
 psps: []*extensions.PodSecurityPolicy{mixedSysctls},
 shouldPass: false,