mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
Merge pull request #56848 from CaoShuFeng/duplicated-validation-psp
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. remove duplicated validation from podsecuritypolicy **Release note**: ```release-note NONE ```
This commit is contained in:
commit
c014cc2740
@ -273,10 +273,6 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
|
||||
|
||||
allErrs = append(allErrs, s.strategies.CapabilitiesStrategy.Validate(pod, container, sc.Capabilities())...)
|
||||
|
||||
if !s.psp.Spec.HostNetwork && podSC.HostNetwork() {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), podSC.HostNetwork(), "Host network is not allowed to be used"))
|
||||
}
|
||||
|
||||
containersPath := fldPath.Child("containers")
|
||||
for idx, c := range pod.Spec.Containers {
|
||||
idxPath := containersPath.Index(idx)
|
||||
@ -289,14 +285,6 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
|
||||
allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
|
||||
}
|
||||
|
||||
if !s.psp.Spec.HostPID && podSC.HostPID() {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), podSC.HostPID(), "Host PID is not allowed to be used"))
|
||||
}
|
||||
|
||||
if !s.psp.Spec.HostIPC && podSC.HostIPC() {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostIPC"), podSC.HostIPC(), "Host IPC is not allowed to be used"))
|
||||
}
|
||||
|
||||
if s.psp.Spec.ReadOnlyRootFilesystem {
|
||||
readOnly := sc.ReadOnlyRootFilesystem()
|
||||
if readOnly == nil {
|
||||
|
@ -2235,14 +2235,11 @@ func TestPolicyAuthorizationErrors(t *testing.T) {
|
||||
}
|
||||
for desc, tc := range tests {
|
||||
t.Run(desc, func(t *testing.T) {
|
||||
var (
|
||||
authz = &TestAuthorizer{usernameToNamespaceToAllowedPSPs: tc.allowed}
|
||||
privileged = true
|
||||
)
|
||||
authz := &TestAuthorizer{usernameToNamespaceToAllowedPSPs: tc.allowed}
|
||||
pod := goodPod()
|
||||
pod.Namespace = ns
|
||||
pod.Spec.ServiceAccountName = sa
|
||||
pod.Spec.Containers[0].SecurityContext.Privileged = &privileged
|
||||
pod.Spec.SecurityContext.HostPID = true
|
||||
|
||||
plugin := NewTestAdmission(tc.inPolicies, authz)
|
||||
attrs := kadmission.NewAttributesRecord(pod, nil, kapi.Kind("Pod").WithVersion("version"), ns, "", kapi.Resource("pods").WithVersion("version"), "", kadmission.Create, &user.DefaultInfo{Name: userName})
|
||||
|
Loading…
Reference in New Issue
Block a user