InitContainers are not checked for hostPort ranges

PodSecurityPolicy must verify that host port ranges are guarded on init containers.
2025-08-31 16:46:54 +00:00 · 2016-07-20 22:20:42 -04:00
parent d0ddefffd9
commit affd79fdc0
2 changed files with 11 additions and 2 deletions
--- a/pkg/security/podsecuritypolicy/provider.go
+++ b/pkg/security/podsecuritypolicy/provider.go
@@ -250,6 +250,12 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
 		allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
 	}

+	containersPath = fldPath.Child("initContainers")
+	for idx, c := range pod.Spec.InitContainers {
+		idxPath := containersPath.Index(idx)
+		allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
+	}
+
 	if !s.psp.Spec.HostPID && pod.Spec.SecurityContext.HostPID {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), pod.Spec.SecurityContext.HostPID, "Host PID is not allowed to be used"))
 	}
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
@@ -394,10 +394,13 @@ func TestAdmitHostPorts(t *testing.T) {
 		},
 	}

+	for i := 0; i < 2; i++ {
 		for k, v := range tests {
+			v.pod.Spec.Containers, v.pod.Spec.InitContainers = v.pod.Spec.InitContainers, v.pod.Spec.Containers
 			testPSPAdmit(k, v.psps, v.pod, v.shouldPass, v.expectedPSP, t)
 		}
 	}
+}

 func TestAdmitHostPID(t *testing.T) {
 	createPodWithHostPID := func(hostPID bool) *kapi.Pod {