github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 04:33:26 +00:00
Code Issues Projects Releases Wiki Activity

Drop RuntimeClass from PSP when feature is disabled

Browse Source
This commit is contained in:
Tim Allclair 2019-04-24 15:32:57 -07:00
parent 1bd4340c7c
commit c666bd0012
3 changed files with 59 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/api/podsecuritypolicy/BUILD
View File

@ -41,5 +41,6 @@ go_test(
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature/testing:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature/testing:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
], ],
) )

4
pkg/api/podsecuritypolicy/util.go
View File

@ -38,6 +38,10 @@ func DropDisabledFields(pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec) {
if !utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) { if !utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
pspSpec.AllowedCSIDrivers = nil pspSpec.AllowedCSIDrivers = nil
} }
if !utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) &&
(oldPSPSpec == nil || oldPSPSpec.RuntimeClass == nil) {
pspSpec.RuntimeClass = nil
}
} }
func allowedProcMountTypesInUse(oldPSPSpec *policy.PodSecurityPolicySpec) bool { func allowedProcMountTypesInUse(oldPSPSpec *policy.PodSecurityPolicySpec) bool {

54
pkg/api/podsecuritypolicy/util_test.go
View File

@ -21,6 +21,8 @@ import (
"reflect" "reflect"
"testing" "testing"
"github.com/stretchr/testify/assert"
"k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/diff"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
utilfeaturetesting "k8s.io/apiserver/pkg/util/feature/testing" utilfeaturetesting "k8s.io/apiserver/pkg/util/feature/testing"
@ -276,3 +278,55 @@ func TestDropSysctls(t *testing.T) {
} }
} }
} }
func TestDropRuntimeClass(t *testing.T) {
type testcase struct {
name string
featureEnabled bool
pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec
expectRuntimeClass bool
}
tests := []testcase{}
pspGenerator := func(withRuntimeClass bool) *policy.PodSecurityPolicySpec {
psp := &policy.PodSecurityPolicySpec{}
if withRuntimeClass {
psp.RuntimeClass = &policy.RuntimeClassStrategyOptions{
AllowedRuntimeClassNames: []string{policy.AllowAllRuntimeClassNames},
}
}
return psp
}
for _, enabled := range []bool{true, false} {
for _, hasRuntimeClass := range []bool{true, false} {
tests = append(tests, testcase{
name: fmt.Sprintf("create feature:%t hasRC:%t", enabled, hasRuntimeClass),
featureEnabled: enabled,
pspSpec: pspGenerator(hasRuntimeClass),
expectRuntimeClass: enabled && hasRuntimeClass,
})
for _, hadRuntimeClass := range []bool{true, false} {
tests = append(tests, testcase{
name: fmt.Sprintf("update feature:%t hasRC:%t hadRC:%t", enabled, hasRuntimeClass, hadRuntimeClass),
featureEnabled: enabled,
pspSpec: pspGenerator(hasRuntimeClass),
oldPSPSpec: pspGenerator(hadRuntimeClass),
expectRuntimeClass: hasRuntimeClass && (enabled || hadRuntimeClass),
})
}
}
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RuntimeClass, test.featureEnabled)()
DropDisabledFields(test.pspSpec, test.oldPSPSpec)
if test.expectRuntimeClass {
assert.NotNil(t, test.pspSpec.RuntimeClass)
} else {
assert.Nil(t, test.pspSpec.RuntimeClass)
}
})
}
}