api changes for psp runasgroup policy

2026-01-29 21:29:24 +00:00 · 2018-08-03 09:43:27 -07:00
parent 4033862616
commit bc3e3afc46
34 changed files with 1588 additions and 391 deletions
--- a/pkg/security/podsecuritypolicy/BUILD
+++ b/pkg/security/podsecuritypolicy/BUILD
@@ -18,6 +18,7 @@ go_library(
    deps = [
        "//pkg/apis/core:go_default_library",
        "//pkg/apis/policy:go_default_library",
+        "//pkg/features:go_default_library",
        "//pkg/security/podsecuritypolicy/apparmor:go_default_library",
        "//pkg/security/podsecuritypolicy/capabilities:go_default_library",
        "//pkg/security/podsecuritypolicy/group:go_default_library",
@@ -29,6 +30,7 @@ go_library(
        "//pkg/securitycontext:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
    ],
 )

--- a/pkg/security/podsecuritypolicy/factory.go
+++ b/pkg/security/podsecuritypolicy/factory.go
@@ -19,6 +19,9 @@ package podsecuritypolicy
 import (
 	"fmt"

+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/features"
+
 	"k8s.io/apimachinery/pkg/util/errors"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/policy"
@@ -47,6 +50,14 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *policy.PodSecurityPolicy,
 		errs = append(errs, err)
 	}

+	var groupStrat group.GroupStrategy
+	if utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {
+		groupStrat, err = createRunAsGroupStrategy(psp.Spec.RunAsGroup)
+		if err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	seLinuxStrat, err := createSELinuxStrategy(&psp.Spec.SELinux)
 	if err != nil {
 		errs = append(errs, err)
@@ -85,6 +96,7 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *policy.PodSecurityPolicy,

 	strategies := &ProviderStrategies{
 		RunAsUserStrategy:         userStrat,
+		RunAsGroupStrategy:        groupStrat,
 		SELinuxStrategy:           seLinuxStrat,
 		AppArmorStrategy:          appArmorStrat,
 		FSGroupStrategy:           fsGroupStrat,
@@ -111,6 +123,23 @@ func createUserStrategy(opts *policy.RunAsUserStrategyOptions) (user.RunAsUserSt
 	}
 }

+// createRunAsGroupStrategy creates a new group strategy.
+func createRunAsGroupStrategy(opts *policy.RunAsGroupStrategyOptions) (group.GroupStrategy, error) {
+	if opts == nil {
+		return group.NewRunAsAny()
+	}
+	switch opts.Rule {
+	case policy.RunAsGroupStrategyMustRunAs:
+		return group.NewMustRunAs(opts.Ranges)
+	case policy.RunAsGroupStrategyRunAsAny:
+		return group.NewRunAsAny()
+	case policy.RunAsGroupStrategyMayRunAs:
+		return group.NewMayRunAs(opts.Ranges)
+	default:
+		return nil, fmt.Errorf("Unrecognized RunAsGroup strategy type %s", opts.Rule)
+	}
+}
+
 // createSELinuxStrategy creates a new selinux strategy.
 func createSELinuxStrategy(opts *policy.SELinuxStrategyOptions) (selinux.SELinuxStrategy, error) {
 	switch opts.Rule {
--- a/pkg/security/podsecuritypolicy/group/runasany_test.go
+++ b/pkg/security/podsecuritypolicy/group/runasany_test.go
@@ -50,7 +50,7 @@ func TestRunAsAnyGenerateSingle(t *testing.T) {
 	}
 }

-func TestRunAsAnyValidte(t *testing.T) {
+func TestRunAsAnyValidate(t *testing.T) {
 	s, err := NewRunAsAny()
 	if err != nil {
 		t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
--- a/pkg/security/podsecuritypolicy/provider.go
+++ b/pkg/security/podsecuritypolicy/provider.go
@@ -21,8 +21,10 @@ import (
 	"strings"

 	"k8s.io/apimachinery/pkg/util/validation/field"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/policy"
+	"k8s.io/kubernetes/pkg/features"
 	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 	"k8s.io/kubernetes/pkg/securitycontext"
 )
@@ -121,6 +123,17 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container
 		sc.SetRunAsUser(uid)
 	}

+	if utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {
+		if sc.RunAsGroup() == nil {
+			gid, err := s.strategies.RunAsGroupStrategy.GenerateSingle(pod)
+			if err != nil {
+				return err
+			}
+			sc.SetRunAsGroup(gid)
+		}
+
+	}
+
 	if sc.SELinuxOptions() == nil {
 		seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, container)
 		if err != nil {
@@ -280,6 +293,14 @@ func (s *simpleProvider) ValidateContainer(pod *api.Pod, container *api.Containe

 	scPath := containerPath.Child("securityContext")
 	allErrs = append(allErrs, s.strategies.RunAsUserStrategy.Validate(scPath, pod, container, sc.RunAsNonRoot(), sc.RunAsUser())...)
+
+	if utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {
+		var runAsGroups []int64
+		if sc.RunAsGroup() != nil {
+			runAsGroups = []int64{*sc.RunAsGroup()}
+		}
+		allErrs = append(allErrs, s.strategies.RunAsGroupStrategy.Validate(scPath, pod, runAsGroups)...)
+	}
 	allErrs = append(allErrs, s.strategies.SELinuxStrategy.Validate(scPath.Child("seLinuxOptions"), pod, container, sc.SELinuxOptions())...)
 	allErrs = append(allErrs, s.strategies.AppArmorStrategy.Validate(pod, container)...)
 	allErrs = append(allErrs, s.strategies.SeccompStrategy.ValidateContainer(pod, container)...)
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
@@ -65,6 +65,9 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
 				RunAsUser: policy.RunAsUserStrategyOptions{
 					Rule: policy.RunAsUserStrategyRunAsAny,
 				},
+				RunAsGroup: &policy.RunAsGroupStrategyOptions{
+					Rule: policy.RunAsGroupStrategyRunAsAny,
+				},
 				SELinux: policy.SELinuxStrategyOptions{
 					Rule: policy.SELinuxStrategyRunAsAny,
 				},
@@ -137,6 +140,9 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
 					RunAsUser: policy.RunAsUserStrategyOptions{
 						Rule: policy.RunAsUserStrategyRunAsAny,
 					},
+					RunAsGroup: &policy.RunAsGroupStrategyOptions{
+						Rule: policy.RunAsGroupStrategyRunAsAny,
+					},
 					SELinux: policy.SELinuxStrategyOptions{
 						Rule: policy.SELinuxStrategyRunAsAny,
 					},
@@ -1168,6 +1174,9 @@ func defaultPSP() *policy.PodSecurityPolicy {
 			RunAsUser: policy.RunAsUserStrategyOptions{
 				Rule: policy.RunAsUserStrategyRunAsAny,
 			},
+			RunAsGroup: &policy.RunAsGroupStrategyOptions{
+				Rule: policy.RunAsGroupStrategyRunAsAny,
+			},
 			SELinux: policy.SELinuxStrategyOptions{
 				Rule: policy.SELinuxStrategyRunAsAny,
 			},
--- a/pkg/security/podsecuritypolicy/types.go
+++ b/pkg/security/podsecuritypolicy/types.go
@@ -60,6 +60,7 @@ type StrategyFactory interface {
 // ProviderStrategies is a holder for all strategies that the provider requires to be populated.
 type ProviderStrategies struct {
 	RunAsUserStrategy         user.RunAsUserStrategy
+	RunAsGroupStrategy        group.GroupStrategy
 	SELinuxStrategy           selinux.SELinuxStrategy
 	AppArmorStrategy          apparmor.Strategy
 	FSGroupStrategy           group.GroupStrategy