mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-01 15:58:37 +00:00
Merge pull request #45813 from xilabao/add-psp-in-kubectl-describe
Automatic merge from submit-queue (batch tested with PRs 45813, 49594, 49443, 49167, 47539)
add podsecuritypolicy in kubectl describe command
**What this PR does / why we need it**:
Describe all fields of podsecuritypolicy
```
# ./cluster/kubectl.sh describe psp restricted
Name: restricted
Settings:
Allow Privileged: false
Default Add Capabilities: <none>
Required Drop Capabilities: <none>
Allowed Capabilities: <none>
Allowed Volume Types: emptyDir,secret,downwardAPI,configMap,persistentVolumeClaim,projected
Allow Host Network: false
Allow Host Ports: <none>
Allow Host PID: false
Allow Host IPC: false
Read Only Root Filesystem: false
SELinux Context Strategy: RunAsAny
User: <none>
Role: <none>
Type: <none>
Level: <none>
Run As User Strategy: MustRunAsNonRoot
Ranges: <none>
FSGroup Strategy: RunAsAny
Ranges: <none>
Supplemental Groups Strategy: RunAsAny
Ranges: <none>
```
**Which issue this PR fixes**: fixes #43757
**Special notes for your reviewer**:
**Release note**:
```release-note
kubectl describe podsecuritypolicy describes all fields.
```
This commit is contained in:
Kubernetes Submit Queue
GitHub
commit
b3c6da0ece
@ -138,6 +138,7 @@ func describerMap(c clientset.Interface) map[schema.GroupKind]printers.Describer
|
||||
|
||||
extensions.Kind("ReplicaSet"): &ReplicaSetDescriber{c},
|
||||
extensions.Kind("NetworkPolicy"): &ExtensionsNetworkPolicyDescriber{c},
|
||||
extensions.Kind("PodSecurityPolicy"): &PodSecurityPolicyDescriber{c},
|
||||
autoscaling.Kind("HorizontalPodAutoscaler"): &HorizontalPodAutoscalerDescriber{c},
|
||||
extensions.Kind("DaemonSet"): &DaemonSetDescriber{c},
|
||||
extensions.Kind("Deployment"): &DeploymentDescriber{c, versionedClientsetForDeployment(c)},
|
||||
@ -3177,6 +3178,135 @@ func describePriorityClass(pc *scheduling.PriorityClass, events *api.EventList)
|
||||
})
|
||||
}
|
||||
|
||||
// PodSecurityPolicyDescriber generates information about a PodSecurityPolicy.
|
||||
type PodSecurityPolicyDescriber struct {
|
||||
clientset.Interface
|
||||
}
|
||||
|
||||
func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerSettings printers.DescriberSettings) (string, error) {
|
||||
psp, err := d.Extensions().PodSecurityPolicies().Get(name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return describePodSecurityPolicy(psp)
|
||||
}
|
||||
|
||||
func describePodSecurityPolicy(psp *extensions.PodSecurityPolicy) (string, error) {
|
||||
return tabbedString(func(out io.Writer) error {
|
||||
w := NewPrefixWriter(out)
|
||||
w.Write(LEVEL_0, "Name:\t%s\n", psp.Name)
|
||||
|
||||
w.Write(LEVEL_0, "\nSettings:\n")
|
||||
|
||||
w.Write(LEVEL_1, "Allow Privileged:\t%t\n", psp.Spec.Privileged)
|
||||
w.Write(LEVEL_1, "Default Add Capabilities:\t%v\n", capsToString(psp.Spec.DefaultAddCapabilities))
|
||||
w.Write(LEVEL_1, "Required Drop Capabilities:\t%s\n", capsToString(psp.Spec.RequiredDropCapabilities))
|
||||
w.Write(LEVEL_1, "Allowed Capabilities:\t%s\n", capsToString(psp.Spec.AllowedCapabilities))
|
||||
w.Write(LEVEL_1, "Allowed Volume Types:\t%s\n", fsTypeToString(psp.Spec.Volumes))
|
||||
|
||||
w.Write(LEVEL_1, "Allow Host Network:\t%t\n", psp.Spec.HostNetwork)
|
||||
w.Write(LEVEL_1, "Allow Host Ports:\t%s\n", hostPortRangeToString(psp.Spec.HostPorts))
|
||||
w.Write(LEVEL_1, "Allow Host PID:\t%t\n", psp.Spec.HostPID)
|
||||
w.Write(LEVEL_1, "Allow Host IPC:\t%t\n", psp.Spec.HostIPC)
|
||||
w.Write(LEVEL_1, "Read Only Root Filesystem:\t%v\n", psp.Spec.ReadOnlyRootFilesystem)
|
||||
|
||||
w.Write(LEVEL_1, "SELinux Context Strategy: %s\t\n", string(psp.Spec.SELinux.Rule))
|
||||
var user, role, seLinuxType, level string
|
||||
if psp.Spec.SELinux.SELinuxOptions != nil {
|
||||
user = psp.Spec.SELinux.SELinuxOptions.User
|
||||
role = psp.Spec.SELinux.SELinuxOptions.Role
|
||||
seLinuxType = psp.Spec.SELinux.SELinuxOptions.Type
|
||||
level = psp.Spec.SELinux.SELinuxOptions.Level
|
||||
}
|
||||
w.Write(LEVEL_2, "User:\t%s\n", stringOrNone(user))
|
||||
w.Write(LEVEL_2, "Role:\t%s\n", stringOrNone(role))
|
||||
w.Write(LEVEL_2, "Type:\t%s\n", stringOrNone(seLinuxType))
|
||||
w.Write(LEVEL_2, "Level:\t%s\n", stringOrNone(level))
|
||||
|
||||
w.Write(LEVEL_1, "Run As User Strategy: %s\t\n", string(psp.Spec.RunAsUser.Rule))
|
||||
w.Write(LEVEL_2, "Ranges:\t%s\n", userIDRangeToString(psp.Spec.RunAsUser.Ranges))
|
||||
|
||||
w.Write(LEVEL_1, "FSGroup Strategy: %s\t\n", string(psp.Spec.FSGroup.Rule))
|
||||
w.Write(LEVEL_2, "Ranges:\t%s\n", groupIDRangeToString(psp.Spec.FSGroup.Ranges))
|
||||
|
||||
w.Write(LEVEL_1, "Supplemental Groups Strategy: %s\t\n", string(psp.Spec.SupplementalGroups.Rule))
|
||||
w.Write(LEVEL_2, "Ranges:\t%s\n", groupIDRangeToString(psp.Spec.SupplementalGroups.Ranges))
|
||||
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
func stringOrAll(s string) string {
|
||||
if len(s) > 0 {
|
||||
return s
|
||||
}
|
||||
return "*"
|
||||
}
|
||||
|
||||
func stringOrNone(s string) string {
|
||||
if len(s) > 0 {
|
||||
return s
|
||||
}
|
||||
return "<none>"
|
||||
}
|
||||
|
||||
func fsTypeToString(volumes []extensions.FSType) string {
|
||||
strVolumes := []string{}
|
||||
for _, v := range volumes {
|
||||
strVolumes = append(strVolumes, string(v))
|
||||
}
|
||||
return stringOrNone(strings.Join(strVolumes, ","))
|
||||
}
|
||||
|
||||
func hostPortRangeToString(ranges []extensions.HostPortRange) string {
|
||||
formattedString := ""
|
||||
if ranges != nil {
|
||||
strRanges := []string{}
|
||||
for _, r := range ranges {
|
||||
strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
|
||||
}
|
||||
formattedString = strings.Join(strRanges, ",")
|
||||
}
|
||||
return stringOrNone(formattedString)
|
||||
}
|
||||
|
||||
func userIDRangeToString(ranges []extensions.UserIDRange) string {
|
||||
formattedString := ""
|
||||
if ranges != nil {
|
||||
strRanges := []string{}
|
||||
for _, r := range ranges {
|
||||
strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
|
||||
}
|
||||
formattedString = strings.Join(strRanges, ",")
|
||||
}
|
||||
return stringOrNone(formattedString)
|
||||
}
|
||||
|
||||
func groupIDRangeToString(ranges []extensions.GroupIDRange) string {
|
||||
formattedString := ""
|
||||
if ranges != nil {
|
||||
strRanges := []string{}
|
||||
for _, r := range ranges {
|
||||
strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
|
||||
}
|
||||
formattedString = strings.Join(strRanges, ",")
|
||||
}
|
||||
return stringOrNone(formattedString)
|
||||
}
|
||||
|
||||
func capsToString(caps []api.Capability) string {
|
||||
formattedString := ""
|
||||
if caps != nil {
|
||||
strCaps := []string{}
|
||||
for _, c := range caps {
|
||||
strCaps = append(strCaps, string(c))
|
||||
}
|
||||
formattedString = strings.Join(strCaps, ",")
|
||||
}
|
||||
return stringOrNone(formattedString)
|
||||
}
|
||||
|
||||
// newErrNoDescriber creates a new ErrNoDescriber with the names of the provided types.
|
||||
func newErrNoDescriber(types ...reflect.Type) error {
|
||||
names := make([]string, 0, len(types))
|
||||
|
||||
@ -20,6 +20,7 @@ import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"regexp"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
@ -1462,6 +1463,63 @@ URL: http://localhost
|
||||
}
|
||||
}
|
||||
|
||||
func TestDescribePodSecurityPolicy(t *testing.T) {
|
||||
expected := []string{
|
||||
"Name:\t*mypsp",
|
||||
"Allow Privileged:\t*false",
|
||||
"Default Add Capabilities:\t*<none>",
|
||||
"Required Drop Capabilities:\t*<none>",
|
||||
"Allowed Capabilities:\t*<none>",
|
||||
"Allowed Volume Types:\t*<none>",
|
||||
"Allow Host Network:\t*false",
|
||||
"Allow Host Ports:\t*<none>",
|
||||
"Allow Host PID:\t*false",
|
||||
"Allow Host IPC:\t*false",
|
||||
"Read Only Root Filesystem:\t*false",
|
||||
"SELinux Context Strategy: RunAsAny",
|
||||
"User:\t*<none>",
|
||||
"Role:\t*<none>",
|
||||
"Type:\t*<none>",
|
||||
"Level:\t*<none>",
|
||||
"Run As User Strategy: RunAsAny",
|
||||
"FSGroup Strategy: RunAsAny",
|
||||
"Supplemental Groups Strategy: RunAsAny",
|
||||
}
|
||||
|
||||
fake := fake.NewSimpleClientset(&extensions.PodSecurityPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "mypsp",
|
||||
},
|
||||
Spec: extensions.PodSecurityPolicySpec{
|
||||
SELinux: extensions.SELinuxStrategyOptions{
|
||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
||||
},
|
||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
||||
},
|
||||
FSGroup: extensions.FSGroupStrategyOptions{
|
||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
||||
},
|
||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
c := &describeClient{T: t, Namespace: "", Interface: fake}
|
||||
d := PodSecurityPolicyDescriber{c}
|
||||
out, err := d.Describe("", "mypsp", printers.DescriberSettings{})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
for _, item := range expected {
|
||||
if matched, _ := regexp.MatchString(item, out); !matched {
|
||||
t.Errorf("Expected to find %q in: %q", item, out)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestDescribeResourceQuota(t *testing.T) {
|
||||
fake := fake.NewSimpleClientset(&api.ResourceQuota{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user