admission: run PodSecurity before PodSecurityPolicy

This change fixes the order in which the PodSecurity and
PodSecurityPolicy admission plugins are run.  The old code intended
for PSA to run before PSP, but attempted to enforce that via
registration order (which is irrelevant).  Now PSA is correctly
executed before PSP to allow for audit and warning modes to be
exercised even in the presence of a deny PSP policy.

Signed-off-by: Monis Khan <mok@vmware.com>
Monis Khan 2021-09-01 11:39:58 -04:00
parent 7a0638da76
commit b5ef684d90
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8


@ -75,8 +75,8 @@ var AllOrderedPlugins = []string{
nodetaint.PluginName, // TaintNodesByCondition nodetaint.PluginName, // TaintNodesByCondition
alwayspullimages.PluginName, // AlwaysPullImages alwayspullimages.PluginName, // AlwaysPullImages
imagepolicy.PluginName, // ImagePolicyWebhook imagepolicy.PluginName, // ImagePolicyWebhook
podsecurity.PluginName, // PodSecurity - before PodSecurityPolicy so audit/warn get exercised even if PodSecurityPolicy denies
podsecuritypolicy.PluginName, // PodSecurityPolicy podsecuritypolicy.PluginName, // PodSecurityPolicy
podsecurity.PluginName, // PodSecurity
podnodeselector.PluginName, // PodNodeSelector podnodeselector.PluginName, // PodNodeSelector
podpriority.PluginName, // Priority podpriority.PluginName, // Priority
defaulttolerationseconds.PluginName, // DefaultTolerationSeconds defaulttolerationseconds.PluginName, // DefaultTolerationSeconds
@ -104,8 +104,8 @@ var AllOrderedPlugins = []string{
deny.PluginName, // AlwaysDeny deny.PluginName, // AlwaysDeny
} }
// RegisterAllAdmissionPlugins registers all admission plugins and // RegisterAllAdmissionPlugins registers all admission plugins.
// sets the recommended plugins order. // The order of registration is irrelevant, see AllOrderedPlugins for execution order.
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) { func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
admit.Register(plugins) // DEPRECATED as no real meaning admit.Register(plugins) // DEPRECATED as no real meaning
alwayspullimages.Register(plugins) alwayspullimages.Register(plugins)
@ -128,7 +128,7 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
podtolerationrestriction.Register(plugins) podtolerationrestriction.Register(plugins)
runtimeclass.Register(plugins) runtimeclass.Register(plugins)
resourcequota.Register(plugins) resourcequota.Register(plugins)
podsecurity.Register(plugins) // before PodSecurityPolicy so audit/warn get exercised even if PodSecurityPolicy denies podsecurity.Register(plugins)
podsecuritypolicy.Register(plugins) podsecuritypolicy.Register(plugins)
podpriority.Register(plugins) podpriority.Register(plugins)
scdeny.Register(plugins) scdeny.Register(plugins)