github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 05:57:25 +00:00
Code Issues Projects Releases Wiki Activity

PodSecurity: appArmorProfile: cleanup

Browse Source 
Also allow  values
Add unit test exercising forbidden reason/detail
Clean up forbidden reason construction
This commit is contained in:
Jordan Liggitt 2021-07-07 17:04:55 -04:00
parent 8291f8490b
commit b390e9e32d
3 changed files with 58 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
staging/src/k8s.io/pod-security-admission/policy/check_apparmor.go → staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile.go
View File

@ -18,11 +18,11 @@ package policy
import ( import (
"fmt" "fmt"
"sort"
"strings" "strings"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api" "k8s.io/pod-security-admission/api"
) )
@ -34,7 +34,7 @@ profile, or restrict overrides to an allowed set of profiles.
**Restricted Fields:** **Restricted Fields:**
metadata.annotations['container.apparmor.security.beta.kubernetes.io/*'] metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']
**Allowed Values:** 'runtime/default', undefined **Allowed Values:** 'runtime/default', 'localhost/*', empty, undefined
*/ */
func init() { func init() {
addCheck(CheckAppArmorProfile) addCheck(CheckAppArmorProfile)
@ -56,31 +56,24 @@ func CheckAppArmorProfile() Check {
} }
func allowedProfile(profile string) bool { func allowedProfile(profile string) bool {
return profile == corev1.AppArmorBetaProfileRuntimeDefault || return len(profile) == 0 ||
profile == corev1.AppArmorBetaProfileRuntimeDefault ||
strings.HasPrefix(profile, corev1.AppArmorBetaProfileNamePrefix) strings.HasPrefix(profile, corev1.AppArmorBetaProfileNamePrefix)
} }
func appArmorProfile_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { func appArmorProfile_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
forbiddenValues := sets.NewString() var forbiddenValues []string
// undefined is an allowed value for 'container.apparmor.security.beta.kubernetes.io/*'
if len(podMetadata.Annotations) == 0 {
return CheckResult{Allowed: true}
}
for k, v := range podMetadata.Annotations { for k, v := range podMetadata.Annotations {
if strings.HasPrefix(k, corev1.AppArmorBetaContainerAnnotationKeyPrefix) && !allowedProfile(v) { if strings.HasPrefix(k, corev1.AppArmorBetaContainerAnnotationKeyPrefix) && !allowedProfile(v) {
forbiddenValues.Insert(fmt.Sprintf("%s:%s", k, v)) forbiddenValues = append(forbiddenValues, fmt.Sprintf("%s=%q", k, v))
} }
} }
if len(forbiddenValues) > 0 { if len(forbiddenValues) > 0 {
sort.Strings(forbiddenValues)
return CheckResult{ return CheckResult{
Allowed: false, Allowed: false,
ForbiddenReason: "forbidden AppArmor profile", ForbiddenReason: pluralize("forbidden AppArmor profile", "forbidden AppArmor profiles", len(forbiddenValues)),
ForbiddenDetail: fmt.Sprintf("forbidden AppArmor annotations %q", ForbiddenDetail: strings.Join(forbiddenValues, ", "),
forbiddenValues,
),
} }
} }

50
staging/src/k8s.io/pod-security-admission/policy/check_apparmor_test.go → staging/src/k8s.io/pod-security-admission/policy/check_appArmorProfile_test.go
View File

@ -1,5 +1,5 @@
/* /*
Copyright 2017 The Kubernetes Authors. Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -17,6 +17,7 @@ limitations under the License.
package policy package policy
import ( import (
"strings"
"testing" "testing"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
@ -78,3 +79,50 @@ func TestCheckAppArmor(t *testing.T) {
}) })
} }
} }
func TestAppArmorProfile(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
expectReason string
expectDetail string
}{
{
name: "multiple containers",
pod: &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
`container.apparmor.security.beta.kubernetes.io/`: `bogus`,
`container.apparmor.security.beta.kubernetes.io/a`: ``,
`container.apparmor.security.beta.kubernetes.io/b`: `runtime/default`,
`container.apparmor.security.beta.kubernetes.io/c`: `localhost/`,
`container.apparmor.security.beta.kubernetes.io/d`: `localhost/foo`,
`container.apparmor.security.beta.kubernetes.io/e`: `unconfined`,
`container.apparmor.security.beta.kubernetes.io/f`: `unknown`,
},
},
},
expectReason: `forbidden AppArmor profiles`,
expectDetail: strings.Join([]string{
`container.apparmor.security.beta.kubernetes.io/="bogus"`,
`container.apparmor.security.beta.kubernetes.io/e="unconfined"`,
`container.apparmor.security.beta.kubernetes.io/f="unknown"`,
}, ", "),
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result := appArmorProfile_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed {
t.Fatal("expected disallowed")
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
})
}
}

0
staging/src/k8s.io/pod-security-admission/test/fixtures_apparmor.go → staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go
View File