github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #126163 from haircommander/procMount-baseline

Browse Source 
PSA: allow procMount type Unmasked in baseline
This commit is contained in:
Kubernetes Prow Robot 2024-07-23 12:21:20 -07:00 committed by GitHub
commit c01bc31fa2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 84 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
staging/src/k8s.io/pod-security-admission/policy/check_procMount.go
View File

@ -35,6 +35,9 @@ spec.initContainers[*].securityContext.procMount
**Allowed Values:** undefined/null, "Default" **Allowed Values:** undefined/null, "Default"
However, if the pod is in a user namespace (`hostUsers: false`), and the
UserNamespacesPodSecurityStandards feature is enabled, all values are allowed.
*/ */
func init() { func init() {
@ -58,6 +61,14 @@ func CheckProcMount() Check {
} }
func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// TODO: When we remove the UserNamespacesPodSecurityStandards feature gate (and GA this relaxation),
// create a new policy version.
// Note: pod validation will check for well formed procMount type, so avoid double validation and allow everything
// here.
if relaxPolicyForUserNamespacePod(podSpec) {
return CheckResult{Allowed: true}
}
var badContainers []string var badContainers []string
forbiddenProcMountTypes := sets.NewString() forbiddenProcMountTypes := sets.NewString()
visitContainers(podSpec, func(container *corev1.Container) { visitContainers(podSpec, func(container *corev1.Container) {

42
staging/src/k8s.io/pod-security-admission/policy/check_procMount_test.go
View File

@ -29,10 +29,12 @@ func TestProcMount(t *testing.T) {
hostUsers := false hostUsers := false
tests := []struct { tests := []struct {
name string name string
pod *corev1.Pod pod *corev1.Pod
expectReason string expectReason string
expectDetail string expectDetail string
expectAllowed bool
relaxForUserNS bool
}{ }{
{ {
name: "procMount", name: "procMount",
@ -46,16 +48,40 @@ func TestProcMount(t *testing.T) {
}, },
HostUsers: &hostUsers, HostUsers: &hostUsers,
}}, }},
expectReason: `procMount`, expectReason: `procMount`,
expectDetail: `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`, expectAllowed: false,
expectDetail: `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
},
{
name: "procMount",
pod: &corev1.Pod{Spec: corev1.PodSpec{
Containers: []corev1.Container{
{Name: "a", SecurityContext: nil},
{Name: "b", SecurityContext: &corev1.SecurityContext{}},
{Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
},
HostUsers: &hostUsers,
}},
expectReason: "",
expectDetail: "",
expectAllowed: true,
relaxForUserNS: true,
}, },
} }
for _, tc := range tests { for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
if tc.relaxForUserNS {
RelaxPolicyForUserNamespacePods(true)
t.Cleanup(func() {
RelaxPolicyForUserNamespacePods(false)
})
}
result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec) result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed { if result.Allowed != tc.expectAllowed {
t.Fatal("expected disallowed") t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
} }
if e, a := tc.expectReason, result.ForbiddenReason; e != a { if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a) t.Errorf("expected\n%s\ngot\n%s", e, a)

33
staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
View File

@ -25,12 +25,12 @@ import (
func TestRunAsNonRoot(t *testing.T) { func TestRunAsNonRoot(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
pod *corev1.Pod pod *corev1.Pod
expectReason string expectReason string
expectDetail string expectDetail string
allowed bool expectAllowed bool
enableUserNamespacesPodSecurityStandards bool relaxForUserNS bool
}{ }{
{ {
name: "no explicit runAsNonRoot", name: "no explicit runAsNonRoot",
@ -87,8 +87,8 @@ func TestRunAsNonRoot(t *testing.T) {
pod: &corev1.Pod{Spec: corev1.PodSpec{ pod: &corev1.Pod{Spec: corev1.PodSpec{
HostUsers: utilpointer.Bool(false), HostUsers: utilpointer.Bool(false),
}}, }},
allowed: true, expectAllowed: true,
enableUserNamespacesPodSecurityStandards: true, relaxForUserNS: true,
}, },
{ {
name: "UserNamespacesPodSecurityStandards enabled with HostUsers", name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
@ -98,21 +98,24 @@ func TestRunAsNonRoot(t *testing.T) {
}, },
HostUsers: utilpointer.Bool(true), HostUsers: utilpointer.Bool(true),
}}, }},
expectReason: `runAsNonRoot != true`, expectReason: `runAsNonRoot != true`,
expectDetail: `pod or container "a" must set securityContext.runAsNonRoot=true`, expectDetail: `pod or container "a" must set securityContext.runAsNonRoot=true`,
allowed: false, expectAllowed: false,
enableUserNamespacesPodSecurityStandards: true, relaxForUserNS: true,
}, },
} }
for _, tc := range tests { for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
if tc.enableUserNamespacesPodSecurityStandards { if tc.relaxForUserNS {
RelaxPolicyForUserNamespacePods(true) RelaxPolicyForUserNamespacePods(true)
t.Cleanup(func() {
RelaxPolicyForUserNamespacePods(false)
})
} }
result := runAsNonRoot_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec) result := runAsNonRoot_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed && !tc.allowed { if result.Allowed != tc.expectAllowed {
t.Fatal("expected disallowed") t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
} }
if e, a := tc.expectReason, result.ForbiddenReason; e != a { if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a) t.Errorf("expected\n%s\ngot\n%s", e, a)

45
staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
View File

@ -25,12 +25,12 @@ import (
func TestRunAsUser(t *testing.T) { func TestRunAsUser(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
pod *corev1.Pod pod *corev1.Pod
expectAllow bool expectAllowed bool
expectReason string expectReason string
expectDetail string expectDetail string
enableUserNamespacesPodSecurityStandards bool relaxForUserNS bool
}{ }{
{ {
name: "pod runAsUser=0", name: "pod runAsUser=0",
@ -51,7 +51,7 @@ func TestRunAsUser(t *testing.T) {
{Name: "a", SecurityContext: nil}, {Name: "a", SecurityContext: nil},
}, },
}}, }},
expectAllow: true, expectAllowed: true,
}, },
{ {
name: "pod runAsUser=nil", name: "pod runAsUser=nil",
@ -61,7 +61,7 @@ func TestRunAsUser(t *testing.T) {
{Name: "a", SecurityContext: nil}, {Name: "a", SecurityContext: nil},
}, },
}}, }},
expectAllow: true, expectAllowed: true,
}, },
{ {
name: "containers runAsUser=0", name: "containers runAsUser=0",
@ -89,15 +89,15 @@ func TestRunAsUser(t *testing.T) {
{Name: "f", SecurityContext: &corev1.SecurityContext{RunAsUser: utilpointer.Int64(4)}}, {Name: "f", SecurityContext: &corev1.SecurityContext{RunAsUser: utilpointer.Int64(4)}},
}, },
}}, }},
expectAllow: true, expectAllowed: true,
}, },
{ {
name: "UserNamespacesPodSecurityStandards enabled without HostUsers", name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
pod: &corev1.Pod{Spec: corev1.PodSpec{ pod: &corev1.Pod{Spec: corev1.PodSpec{
HostUsers: utilpointer.Bool(false), HostUsers: utilpointer.Bool(false),
}}, }},
expectAllow: true, expectAllowed: true,
enableUserNamespacesPodSecurityStandards: true, relaxForUserNS: true,
}, },
{ {
name: "UserNamespacesPodSecurityStandards enabled with HostUsers", name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
@ -108,27 +108,24 @@ func TestRunAsUser(t *testing.T) {
}, },
HostUsers: utilpointer.Bool(true), HostUsers: utilpointer.Bool(true),
}}, }},
expectAllow: false, expectAllowed: false,
expectReason: `runAsUser=0`, expectReason: `runAsUser=0`,
expectDetail: `pod must not set runAsUser=0`, expectDetail: `pod must not set runAsUser=0`,
enableUserNamespacesPodSecurityStandards: true, relaxForUserNS: true,
}, },
} }
for _, tc := range tests { for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
if tc.enableUserNamespacesPodSecurityStandards { if tc.relaxForUserNS {
RelaxPolicyForUserNamespacePods(true) RelaxPolicyForUserNamespacePods(true)
t.Cleanup(func() {
RelaxPolicyForUserNamespacePods(false)
})
} }
result := runAsUser_1_23(&tc.pod.ObjectMeta, &tc.pod.Spec) result := runAsUser_1_23(&tc.pod.ObjectMeta, &tc.pod.Spec)
if tc.expectAllow { if result.Allowed != tc.expectAllowed {
if !result.Allowed { t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
t.Fatalf("expected to be allowed, disallowed: %s, %s", result.ForbiddenReason, result.ForbiddenDetail)
}
return
}
if result.Allowed {
t.Fatal("expected disallowed")
} }
if e, a := tc.expectReason, result.ForbiddenReason; e != a { if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a) t.Errorf("expected\n%s\ngot\n%s", e, a)