diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go index 496b746d0a5..d531612a1e5 100644 --- a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go +++ b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go @@ -52,6 +52,11 @@ func CheckAllowPrivilegeEscalation() Check { MinimumVersion: api.MajorMinorVersion(1, 8), CheckPod: allowPrivilegeEscalation_1_8, }, + { + // Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows. + MinimumVersion: api.MajorMinorVersion(1, 25), + CheckPod: allowPrivilegeEscalation_1_25, + }, }, } } @@ -77,3 +82,12 @@ func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev } return CheckResult{Allowed: true} } + +func allowPrivilegeEscalation_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { + // Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set. + // We can admit the Windows pod even if privilegeEscalation has not been set. + if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows { + return CheckResult{Allowed: true} + } + return allowPrivilegeEscalation_1_8(podMetadata, podSpec) +} diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go index bed26d28cab..702f49512c9 100644 --- a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go +++ b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go @@ -23,7 +23,66 @@ import ( utilpointer "k8s.io/utils/pointer" ) -func TestAllowPrivilegeEscalation(t *testing.T) { +func TestAllowPrivilegeEscalation_1_25(t *testing.T) { + tests := []struct { + name string + pod *corev1.Pod + expectReason string + expectDetail string + allowed bool + }{ + { + name: "multiple containers", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "a"}, + {Name: "b", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: nil}}, + {Name: "c", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(true)}}, + {Name: "d", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(false)}}, + }}}, + expectReason: `allowPrivilegeEscalation != false`, + expectDetail: `containers "a", "b", "c" must set securityContext.allowPrivilegeEscalation=false`, + allowed: false, + }, + { + name: "windows pod, admit without checking privilegeEscalation", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + OS: &corev1.PodOS{Name: corev1.Windows}, + Containers: []corev1.Container{ + {Name: "a"}, + }}}, + allowed: true, + }, + { + name: "linux pod, reject if security context is not set", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + OS: &corev1.PodOS{Name: corev1.Linux}, + Containers: []corev1.Container{ + {Name: "a"}, + }}}, + expectReason: `allowPrivilegeEscalation != false`, + expectDetail: `container "a" must set securityContext.allowPrivilegeEscalation=false`, + allowed: false, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + result := allowPrivilegeEscalation_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec) + if result.Allowed && !tc.allowed { + t.Fatal("expected disallowed") + } + if e, a := tc.expectReason, result.ForbiddenReason; e != a { + t.Errorf("expected\n%s\ngot\n%s", e, a) + } + if e, a := tc.expectDetail, result.ForbiddenDetail; e != a { + t.Errorf("expected\n%s\ngot\n%s", e, a) + } + }) + } +} + +func TestAllowPrivilegeEscalation_1_8(t *testing.T) { tests := []struct { name string pod *corev1.Pod diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go index 48b1ea897b5..9d70b0304ab 100644 --- a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go +++ b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go @@ -66,6 +66,12 @@ func CheckCapabilitiesRestricted() Check { CheckPod: capabilitiesRestricted_1_22, OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID}, }, + // Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows. + { + MinimumVersion: api.MajorMinorVersion(1, 25), + CheckPod: capabilitiesRestricted_1_25, + OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID}, + }, }, } } @@ -128,3 +134,12 @@ func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1 } return CheckResult{Allowed: true} } + +func capabilitiesRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { + // Pod API validation would have failed if podOS == Windows and if capabilities have been set. + // We can admit the Windows pod even if capabilities has not been set. + if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows { + return CheckResult{Allowed: true} + } + return capabilitiesRestricted_1_22(podMetadata, podSpec) +} diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go index 4e6dcd6e318..10528293aef 100644 --- a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go +++ b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go @@ -22,7 +22,63 @@ import ( corev1 "k8s.io/api/core/v1" ) -func TestCapabilitiesRestricted(t *testing.T) { +func TestCapabilitiesRestricted_1_25(t *testing.T) { + tests := []struct { + name string + pod *corev1.Pod + expectReason string + expectDetail string + allowed bool + }{ + { + name: "multiple containers", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "a", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"FOO", "BAR"}}}}, + {Name: "b", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"BAR", "BAZ"}}}}, + {Name: "c", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_BIND_SERVICE", "CHOWN"}, Drop: []corev1.Capability{"ALL", "FOO"}}}}, + }}}, + expectReason: `unrestricted capabilities`, + expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`, + }, + { + name: "windows pod, admit without checking capabilities", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + OS: &corev1.PodOS{Name: corev1.Windows}, + Containers: []corev1.Container{ + {Name: "a"}, + }}}, + allowed: true, + }, + { + name: "linux pod, reject if security context is not set", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + OS: &corev1.PodOS{Name: corev1.Linux}, + Containers: []corev1.Container{ + {Name: "a"}, + }}}, + expectReason: `unrestricted capabilities`, + expectDetail: `container "a" must set securityContext.capabilities.drop=["ALL"]`, + allowed: false, + }, + } + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + result := capabilitiesRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec) + if result.Allowed && !tc.allowed { + t.Fatal("expected disallowed") + } + if e, a := tc.expectReason, result.ForbiddenReason; e != a { + t.Errorf("expected\n%s\ngot\n%s", e, a) + } + if e, a := tc.expectDetail, result.ForbiddenDetail; e != a { + t.Errorf("expected\n%s\ngot\n%s", e, a) + } + }) + } +} + +func TestCapabilitiesRestricted_1_22(t *testing.T) { tests := []struct { name string pod *corev1.Pod @@ -41,7 +97,6 @@ func TestCapabilitiesRestricted(t *testing.T) { expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`, }, } - for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { result := capabilitiesRestricted_1_22(&tc.pod.ObjectMeta, &tc.pod.Spec) diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go index 1a8535a0f37..9040e0fb05a 100644 --- a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go +++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go @@ -55,6 +55,12 @@ func CheckSeccompProfileRestricted() Check { CheckPod: seccompProfileRestricted_1_19, OverrideCheckIDs: []CheckID{checkSeccompBaselineID}, }, + // Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows. + { + MinimumVersion: api.MajorMinorVersion(1, 25), + CheckPod: seccompProfileRestricted_1_25, + OverrideCheckIDs: []CheckID{checkSeccompBaselineID}, + }, }, } } @@ -136,3 +142,14 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core return CheckResult{Allowed: true} } + +// seccompProfileRestricted_1_25 checks restricted policy on securityContext.seccompProfile field for kubernetes +// version 1.25 and above +func seccompProfileRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { + // Pod API validation would have failed if podOS == Windows and if secCompProfile has been set. + // We can admit the Windows pod even if seccompProfile has not been set. + if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows { + return CheckResult{Allowed: true} + } + return seccompProfileRestricted_1_19(podMetadata, podSpec) +} diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go index fec506bd527..49656204788 100644 --- a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go +++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go @@ -22,7 +22,105 @@ import ( corev1 "k8s.io/api/core/v1" ) -func TestSeccompProfileRestricted(t *testing.T) { +func TestSeccompProfileRestricted_1_25(t *testing.T) { + tests := []struct { + name string + pod *corev1.Pod + expectReason string + expectDetail string + allowed bool + }{ + { + name: "no explicit seccomp", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "a"}, + }, + }}, + expectReason: `seccompProfile`, + expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`, + }, + { + name: "no explicit seccomp, windows Pod", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + OS: &corev1.PodOS{Name: corev1.Windows}, + Containers: []corev1.Container{ + {Name: "a"}, + }, + }}, + allowed: true, + }, + { + name: "no explicit seccomp, linux pod", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + OS: &corev1.PodOS{Name: corev1.Linux}, + Containers: []corev1.Container{ + {Name: "a"}, + }, + }}, + expectReason: `seccompProfile`, + expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`, + allowed: false, + }, + { + name: "pod seccomp invalid", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}, + Containers: []corev1.Container{ + {Name: "a", SecurityContext: nil}, + }, + }}, + expectReason: `seccompProfile`, + expectDetail: `pod must not set securityContext.seccompProfile.type to "Unconfined"`, + }, + { + name: "containers seccomp invalid", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}, + Containers: []corev1.Container{ + {Name: "a", SecurityContext: nil}, + {Name: "b", SecurityContext: &corev1.SecurityContext{}}, + {Name: "c", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}}, + {Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}}, + {Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}}, + {Name: "f", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}}, + }, + }}, + expectReason: `seccompProfile`, + expectDetail: `containers "c", "d" must not set securityContext.seccompProfile.type to "Unconfined"`, + }, + { + name: "pod nil, container fallthrough", + pod: &corev1.Pod{Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "a", SecurityContext: nil}, + {Name: "b", SecurityContext: &corev1.SecurityContext{}}, + {Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}}, + {Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}}, + }, + }}, + expectReason: `seccompProfile`, + expectDetail: `pod or containers "a", "b" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + result := seccompProfileRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec) + if result.Allowed && !tc.allowed { + t.Fatal("expected disallowed") + } + if e, a := tc.expectReason, result.ForbiddenReason; e != a { + t.Errorf("expected\n%s\ngot\n%s", e, a) + } + if e, a := tc.expectDetail, result.ForbiddenDetail; e != a { + t.Errorf("expected\n%s\ngot\n%s", e, a) + } + }) + } +} + +func TestSeccompProfileRestricted_1_19(t *testing.T) { tests := []struct { name string pod *corev1.Pod