InitContainers are not checked for hostPort ranges

PodSecurityPolicy must verify that host port ranges are guarded on init
containers.

pkg/security/podsecuritypolicy/provider.go

@@ -250,6 +250,12 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
 		allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
 	}
 
+	containersPath = fldPath.Child("initContainers")
+	for idx, c := range pod.Spec.InitContainers {
+		idxPath := containersPath.Index(idx)
+		allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
+	}
+
 	if !s.psp.Spec.HostPID && pod.Spec.SecurityContext.HostPID {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), pod.Spec.SecurityContext.HostPID, "Host PID is not allowed to be used"))
 	}

plugin/pkg/admission/security/podsecuritypolicy/admission_test.go

@@ -394,10 +394,13 @@ func TestAdmitHostPorts(t *testing.T) {
 		},
 	}
 
+	for i := 0; i < 2; i++ {
 		for k, v := range tests {
+			v.pod.Spec.Containers, v.pod.Spec.InitContainers = v.pod.Spec.InitContainers, v.pod.Spec.Containers
 			testPSPAdmit(k, v.psps, v.pod, v.shouldPass, v.expectedPSP, t)
 		}
 	}
+}
 
 func TestAdmitHostPID(t *testing.T) {
 	createPodWithHostPID := func(hostPID bool) *kapi.Pod {