github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 21:17:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #56848 from CaoShuFeng/duplicated-validation-psp

Browse Source 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

remove duplicated validation from podsecuritypolicy

**Release note**:
```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2018-03-26 00:13:08 -07:00 committed by GitHub
commit c014cc2740
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/security/podsecuritypolicy/provider.go
View File

@ -273,10 +273,6 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
allErrs = append(allErrs, s.strategies.CapabilitiesStrategy.Validate(pod, container, sc.Capabilities())...) allErrs = append(allErrs, s.strategies.CapabilitiesStrategy.Validate(pod, container, sc.Capabilities())...)
if !s.psp.Spec.HostNetwork && podSC.HostNetwork() {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), podSC.HostNetwork(), "Host network is not allowed to be used"))
}
containersPath := fldPath.Child("containers") containersPath := fldPath.Child("containers")
for idx, c := range pod.Spec.Containers { for idx, c := range pod.Spec.Containers {
idxPath := containersPath.Index(idx) idxPath := containersPath.Index(idx)
@ -289,14 +285,6 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...) allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
} }
if !s.psp.Spec.HostPID && podSC.HostPID() {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), podSC.HostPID(), "Host PID is not allowed to be used"))
}
if !s.psp.Spec.HostIPC && podSC.HostIPC() {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostIPC"), podSC.HostIPC(), "Host IPC is not allowed to be used"))
}
if s.psp.Spec.ReadOnlyRootFilesystem { if s.psp.Spec.ReadOnlyRootFilesystem {
readOnly := sc.ReadOnlyRootFilesystem() readOnly := sc.ReadOnlyRootFilesystem()
if readOnly == nil { if readOnly == nil {

7
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@ -2235,14 +2235,11 @@ func TestPolicyAuthorizationErrors(t *testing.T) {
} }
for desc, tc := range tests { for desc, tc := range tests {
t.Run(desc, func(t *testing.T) { t.Run(desc, func(t *testing.T) {
var ( authz := &TestAuthorizer{usernameToNamespaceToAllowedPSPs: tc.allowed}
authz = &TestAuthorizer{usernameToNamespaceToAllowedPSPs: tc.allowed}
privileged = true
)
pod := goodPod() pod := goodPod()
pod.Namespace = ns pod.Namespace = ns
pod.Spec.ServiceAccountName = sa pod.Spec.ServiceAccountName = sa
pod.Spec.Containers[0].SecurityContext.Privileged = &privileged pod.Spec.SecurityContext.HostPID = true
plugin := NewTestAdmission(tc.inPolicies, authz) plugin := NewTestAdmission(tc.inPolicies, authz)
attrs := kadmission.NewAttributesRecord(pod, nil, kapi.Kind("Pod").WithVersion("version"), ns, "", kapi.Resource("pods").WithVersion("version"), "", kadmission.Create, &user.DefaultInfo{Name: userName}) attrs := kadmission.NewAttributesRecord(pod, nil, kapi.Kind("Pod").WithVersion("version"), ns, "", kapi.Resource("pods").WithVersion("version"), "", kadmission.Create, &user.DefaultInfo{Name: userName})