github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-30 15:02:23 +00:00
Code Issues Projects Releases Wiki Activity

InitContainers are not checked for hostPort ranges

Browse Source 
PodSecurityPolicy must verify that host port ranges are guarded on init
containers.
This commit is contained in:
Clayton Coleman 2016-07-20 22:20:42 -04:00
parent d0ddefffd9
commit affd79fdc0
No known key found for this signature in database
GPG Key ID: 3D16906B4F1C5CB3
2 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/security/podsecuritypolicy/provider.go
View File

@ -250,6 +250,12 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
}
containersPath = fldPath.Child("initContainers")
for idx, c := range pod.Spec.InitContainers {
idxPath := containersPath.Index(idx)
allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
}
if !s.psp.Spec.HostPID && pod.Spec.SecurityContext.HostPID {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), pod.Spec.SecurityContext.HostPID, "Host PID is not allowed to be used"))
}

7
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@ -394,8 +394,11 @@ func TestAdmitHostPorts(t *testing.T) {
},
}
for k, v := range tests {
testPSPAdmit(k, v.psps, v.pod, v.shouldPass, v.expectedPSP, t)
for i := 0; i < 2; i++ {
for k, v := range tests {
v.pod.Spec.Containers, v.pod.Spec.InitContainers = v.pod.Spec.InitContainers, v.pod.Spec.Containers
testPSPAdmit(k, v.psps, v.pod, v.shouldPass, v.expectedPSP, t)
}
}
}