Drop RuntimeClass from PSP when feature is disabled

2025-07-23 19:56:01 +00:00 · 2019-04-24 15:32:57 -07:00 · 2019-04-24 15:32:57 -07:00 · c666bd0012
commit c666bd0012
parent 1bd4340c7c
3 changed files with 59 additions and 0 deletions
--- a/pkg/api/podsecuritypolicy/BUILD
+++ b/pkg/api/podsecuritypolicy/BUILD
@ -41,5 +41,6 @@ go_test(
        "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature/testing:go_default_library",
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
    ],
 )
--- a/pkg/api/podsecuritypolicy/util.go
+++ b/pkg/api/podsecuritypolicy/util.go
@ -38,6 +38,10 @@ func DropDisabledFields(pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec) {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
 		pspSpec.AllowedCSIDrivers = nil
 	}
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) &&
+		(oldPSPSpec == nil || oldPSPSpec.RuntimeClass == nil) {
+		pspSpec.RuntimeClass = nil
+	}
 }

 func allowedProcMountTypesInUse(oldPSPSpec *policy.PodSecurityPolicySpec) bool {
--- a/pkg/api/podsecuritypolicy/util_test.go
+++ b/pkg/api/podsecuritypolicy/util_test.go
@ -21,6 +21,8 @@ import (
 	"reflect"
 	"testing"

+	"github.com/stretchr/testify/assert"
+
 	"k8s.io/apimachinery/pkg/util/diff"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	utilfeaturetesting "k8s.io/apiserver/pkg/util/feature/testing"
@ -276,3 +278,55 @@ func TestDropSysctls(t *testing.T) {
 		}
 	}
 }
+
+func TestDropRuntimeClass(t *testing.T) {
+	type testcase struct {
+		name                string
+		featureEnabled      bool
+		pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec
+		expectRuntimeClass  bool
+	}
+	tests := []testcase{}
+	pspGenerator := func(withRuntimeClass bool) *policy.PodSecurityPolicySpec {
+		psp := &policy.PodSecurityPolicySpec{}
+		if withRuntimeClass {
+			psp.RuntimeClass = &policy.RuntimeClassStrategyOptions{
+				AllowedRuntimeClassNames: []string{policy.AllowAllRuntimeClassNames},
+			}
+		}
+		return psp
+	}
+	for _, enabled := range []bool{true, false} {
+		for _, hasRuntimeClass := range []bool{true, false} {
+			tests = append(tests, testcase{
+				name:               fmt.Sprintf("create feature:%t hasRC:%t", enabled, hasRuntimeClass),
+				featureEnabled:     enabled,
+				pspSpec:            pspGenerator(hasRuntimeClass),
+				expectRuntimeClass: enabled && hasRuntimeClass,
+			})
+			for _, hadRuntimeClass := range []bool{true, false} {
+				tests = append(tests, testcase{
+					name:               fmt.Sprintf("update feature:%t hasRC:%t hadRC:%t", enabled, hasRuntimeClass, hadRuntimeClass),
+					featureEnabled:     enabled,
+					pspSpec:            pspGenerator(hasRuntimeClass),
+					oldPSPSpec:         pspGenerator(hadRuntimeClass),
+					expectRuntimeClass: hasRuntimeClass && (enabled || hadRuntimeClass),
+				})
+			}
+		}
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RuntimeClass, test.featureEnabled)()
+
+			DropDisabledFields(test.pspSpec, test.oldPSPSpec)
+
+			if test.expectRuntimeClass {
+				assert.NotNil(t, test.pspSpec.RuntimeClass)
+			} else {
+				assert.Nil(t, test.pspSpec.RuntimeClass)
+			}
+		})
+	}
+}