diff --git a/pkg/apis/extensions/v1beta1/zz_generated.conversion.go b/pkg/apis/extensions/v1beta1/zz_generated.conversion.go
index f095ee9bc6c..c6b51c84e88 100644
--- a/pkg/apis/extensions/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/extensions/v1beta1/zz_generated.conversion.go
@@ -89,6 +89,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue,
 		Convert_v1beta1_HostPortRange_To_policy_HostPortRange,
 		Convert_policy_HostPortRange_To_v1beta1_HostPortRange,
+		Convert_v1beta1_IDRange_To_policy_IDRange,
+		Convert_policy_IDRange_To_v1beta1_IDRange,
 		Convert_v1beta1_Ingress_To_extensions_Ingress,
 		Convert_extensions_Ingress_To_v1beta1_Ingress,
 		Convert_v1beta1_IngressBackend_To_extensions_IngressBackend,
@@ -718,7 +720,7 @@ func autoConvert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy(in
 
 func autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
 	out.Rule = policy.FSGroupStrategyType(in.Rule)
-	out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]policy.IDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
 
@@ -806,6 +808,28 @@ func Convert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRa
 	return autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
 }
 
+func autoConvert_v1beta1_IDRange_To_policy_IDRange(in *v1beta1.IDRange, out *policy.IDRange, s conversion.Scope) error {
+	out.Min = in.Min
+	out.Max = in.Max
+	return nil
+}
+
+// Convert_v1beta1_IDRange_To_policy_IDRange is an autogenerated conversion function.
+func Convert_v1beta1_IDRange_To_policy_IDRange(in *v1beta1.IDRange, out *policy.IDRange, s conversion.Scope) error {
+	return autoConvert_v1beta1_IDRange_To_policy_IDRange(in, out, s)
+}
+
+func autoConvert_policy_IDRange_To_v1beta1_IDRange(in *policy.IDRange, out *v1beta1.IDRange, s conversion.Scope) error {
+	out.Min = in.Min
+	out.Max = in.Max
+	return nil
+}
+
+// Convert_policy_IDRange_To_v1beta1_IDRange is an autogenerated conversion function.
+func Convert_policy_IDRange_To_v1beta1_IDRange(in *policy.IDRange, out *v1beta1.IDRange, s conversion.Scope) error {
+	return autoConvert_policy_IDRange_To_v1beta1_IDRange(in, out, s)
+}
+
 func autoConvert_v1beta1_Ingress_To_extensions_Ingress(in *v1beta1.Ingress, out *extensions.Ingress, s conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
 	if err := Convert_v1beta1_IngressSpec_To_extensions_IngressSpec(&in.Spec, &out.Spec, s); err != nil {
@@ -1360,7 +1384,7 @@ func autoConvert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDepl
 
 func autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
 	out.Rule = policy.RunAsUserStrategy(in.Rule)
-	out.Ranges = *(*[]policy.UserIDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]policy.IDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
 
@@ -1469,7 +1493,7 @@ func autoConvert_autoscaling_ScaleStatus_To_v1beta1_ScaleStatus(in *autoscaling.
 
 func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
 	out.Rule = policy.SupplementalGroupsStrategyType(in.Rule)
-	out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]policy.IDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
 
diff --git a/pkg/apis/policy/types.go b/pkg/apis/policy/types.go
index 2d90dec8a74..4d138ec1044 100644
--- a/pkg/apis/policy/types.go
+++ b/pkg/apis/policy/types.go
@@ -312,19 +312,11 @@ type RunAsUserStrategyOptions struct {
 	// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
 	// then supply a single range with the same start and end. Required for MustRunAs.
 	// +optional
-	Ranges []UserIDRange
+	Ranges []IDRange
 }
 
-// UserIDRange provides a min/max of an allowed range of UserIDs.
-type UserIDRange struct {
-	// Min is the start of the range, inclusive.
-	Min int64
-	// Max is the end of the range, inclusive.
-	Max int64
-}
-
-// GroupIDRange provides a min/max of an allowed range of GroupIDs.
-type GroupIDRange struct {
+// IDRange provides a min/max of an allowed range of IDs.
+type IDRange struct {
 	// Min is the start of the range, inclusive.
 	Min int64
 	// Max is the end of the range, inclusive.
@@ -352,7 +344,7 @@ type FSGroupStrategyOptions struct {
 	// Ranges are the allowed ranges of fs groups. If you would like to force a single
 	// fs group then supply a single range with the same start and end. Required for MustRunAs.
 	// +optional
-	Ranges []GroupIDRange
+	Ranges []IDRange
 }
 
 // FSGroupStrategyType denotes strategy types for generating FSGroup values for a
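Review bot: Merging UserIDRange and GroupIDRange into one IDRange in the types.go hunk removes the compile-time distinction between a uid range and a gid range, so a `[]policy.IDRange` built for RunAsUser now type-checks wherever a group strategy expects its ranges, and the new `// IDRange provides a min/max of an allowed range of IDs.` comment does not say so. If the trade-off is intended, state it in the doc so callers know they must keep uid and gid ranges apart by field, not by type: `// IDRange provides a min/max of an allowed range of IDs. Both bounds are inclusive; the same type is used for the RunAsUser, FSGroup and SupplementalGroups ranges, so uid and gid ranges are distinguished only by the field they are stored in.` The test cases named invalidRangeNegativeMin, invalidRangeNegativeMax and invalidRangeMinGreaterThanMax in the validation_test.go hunk of this commit suggest those shapes are rejected by validation, which the doc could reference rather than leaving the valid domain implicit. RunAsUserStrategyOptions begins outside the hunk, and the same doc gap applies to the IDRange conversion and deepcopy helpers added in the generated files.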
@@ -374,7 +366,7 @@ type SupplementalGroupsStrategyOptions struct {
 	// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
 	// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
 	// +optional
-	Ranges []GroupIDRange
+	Ranges []IDRange
 }
 
 // SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
diff --git a/pkg/apis/policy/v1beta1/zz_generated.conversion.go b/pkg/apis/policy/v1beta1/zz_generated.conversion.go
index 54e3c713574..9ac64398fc0 100644
--- a/pkg/apis/policy/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/policy/v1beta1/zz_generated.conversion.go
@@ -51,6 +51,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions,
 		Convert_v1beta1_HostPortRange_To_policy_HostPortRange,
 		Convert_policy_HostPortRange_To_v1beta1_HostPortRange,
+		Convert_v1beta1_IDRange_To_policy_IDRange,
+		Convert_policy_IDRange_To_v1beta1_IDRange,
 		Convert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget,
 		Convert_policy_PodDisruptionBudget_To_v1beta1_PodDisruptionBudget,
 		Convert_v1beta1_PodDisruptionBudgetList_To_policy_PodDisruptionBudgetList,
@@ -138,7 +140,7 @@ func Convert_policy_Eviction_To_v1beta1_Eviction(in *policy.Eviction, out *v1bet
 
 func autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
 	out.Rule = policy.FSGroupStrategyType(in.Rule)
-	out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]policy.IDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
 
@@ -180,6 +182,28 @@ func Convert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRa
 	return autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
 }
 
+func autoConvert_v1beta1_IDRange_To_policy_IDRange(in *v1beta1.IDRange, out *policy.IDRange, s conversion.Scope) error {
+	out.Min = in.Min
+	out.Max = in.Max
+	return nil
+}
+
+// Convert_v1beta1_IDRange_To_policy_IDRange is an autogenerated conversion function.
+func Convert_v1beta1_IDRange_To_policy_IDRange(in *v1beta1.IDRange, out *policy.IDRange, s conversion.Scope) error {
+	return autoConvert_v1beta1_IDRange_To_policy_IDRange(in, out, s)
+}
+
+func autoConvert_policy_IDRange_To_v1beta1_IDRange(in *policy.IDRange, out *v1beta1.IDRange, s conversion.Scope) error {
+	out.Min = in.Min
+	out.Max = in.Max
+	return nil
+}
+
+// Convert_policy_IDRange_To_v1beta1_IDRange is an autogenerated conversion function.
+func Convert_policy_IDRange_To_v1beta1_IDRange(in *policy.IDRange, out *v1beta1.IDRange, s conversion.Scope) error {
+	return autoConvert_policy_IDRange_To_v1beta1_IDRange(in, out, s)
+}
+
 func autoConvert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget(in *v1beta1.PodDisruptionBudget, out *policy.PodDisruptionBudget, s conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
 	if err := Convert_v1beta1_PodDisruptionBudgetSpec_To_policy_PodDisruptionBudgetSpec(&in.Spec, &out.Spec, s); err != nil {
@@ -432,7 +456,7 @@ func Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *p
 
 func autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
 	out.Rule = policy.RunAsUserStrategy(in.Rule)
-	out.Ranges = *(*[]policy.UserIDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]policy.IDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
 
@@ -476,7 +500,7 @@ func Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in
 
 func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
 	out.Rule = policy.SupplementalGroupsStrategyType(in.Rule)
-	out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]policy.IDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
 
diff --git a/pkg/apis/policy/validation/validation.go b/pkg/apis/policy/validation/validation.go
index 2c1e1de2a87..c1b592a858f 100644
--- a/pkg/apis/policy/validation/validation.go
+++ b/pkg/apis/policy/validation/validation.go
@@ -325,12 +325,12 @@ func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) fie
 	return allErrs
 }
 
-func validateUserIDRange(fldPath *field.Path, rng policy.UserIDRange) field.ErrorList {
-	return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
+func validateUserIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList {
+	return validateIDRanges(fldPath, rng.Min, rng.Max)
 }
 
-func validateGroupIDRange(fldPath *field.Path, rng policy.GroupIDRange) field.ErrorList {
-	return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
+func validateGroupIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList {
+	return validateIDRanges(fldPath, rng.Min, rng.Max)
 }
 
 // validateIDRanges ensures the range is valid.
diff --git a/pkg/apis/policy/validation/validation_test.go b/pkg/apis/policy/validation/validation_test.go
index 0f1c58212f2..681812a63cc 100644
--- a/pkg/apis/policy/validation/validation_test.go
+++ b/pkg/apis/policy/validation/validation_test.go
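Review bot: After the validation.go hunk, `validateUserIDRange` and `validateGroupIDRange` have identical signatures and identical bodies (both take `policy.IDRange` and forward `rng.Min, rng.Max` to `validateIDRanges`), leaving two unexported functions that differ only by name. Either collapse them into a single `validateIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList` and update the callers, which lie outside this hunk, or keep both names for readability at the call sites and have one delegate: `func validateGroupIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList { return validateUserIDRange(fldPath, rng) }`. Dropping the `int64(...)` casts is correct, since the IDRange fields are declared `int64` in the types.go hunk of this commit. A one-line comment on the surviving wrapper saying that `validateIDRanges` is where the bounds themselves are checked would spare the next reader a hop; its body is outside the hunk.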
@@ -270,7 +270,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 
 	invalidUIDPSP := validPSP()
 	invalidUIDPSP.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
-	invalidUIDPSP.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: -1, Max: 1}}
+	invalidUIDPSP.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: -1, Max: 1}}
 
 	missingObjectMetaName := validPSP()
 	missingObjectMetaName.ObjectMeta.Name = ""
@@ -288,17 +288,17 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 	invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
 
 	invalidRangeMinGreaterThanMax := validPSP()
-	invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{
+	invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []policy.IDRange{
 		{Min: 2, Max: 1},
 	}
 
 	invalidRangeNegativeMin := validPSP()
-	invalidRangeNegativeMin.Spec.FSGroup.Ranges = []policy.GroupIDRange{
+	invalidRangeNegativeMin.Spec.FSGroup.Ranges = []policy.IDRange{
 		{Min: -1, Max: 10},
 	}
 
 	invalidRangeNegativeMax := validPSP()
-	invalidRangeNegativeMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{
+	invalidRangeNegativeMax.Spec.FSGroup.Ranges = []policy.IDRange{
 		{Min: 1, Max: -10},
 	}
 
@@ -539,7 +539,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 	mustRunAs.Spec.FSGroup.Rule = policy.FSGroupStrategyMustRunAs
 	mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs
 	mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
-	mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{
+	mustRunAs.Spec.RunAsUser.Ranges = []policy.IDRange{
 		{Min: 1, Max: 1},
 	}
 	mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
@@ -733,8 +733,8 @@ func Test_validatePSPRunAsUser(t *testing.T) {
 		{"Invalid RunAsUserStrategy", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategy("someInvalidStrategy")}, true},
 		{"RunAsUserStrategyMustRunAs", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs}, false},
 		{"RunAsUserStrategyMustRunAsNonRoot", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAsNonRoot}, false},
-		{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
-		{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
+		{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.IDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
+		{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.IDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
 	}
 
 	for _, testCase := range testCases {
diff --git a/pkg/apis/policy/zz_generated.deepcopy.go b/pkg/apis/policy/zz_generated.deepcopy.go
index 068dfae6ed7..25147ba6c2a 100644
--- a/pkg/apis/policy/zz_generated.deepcopy.go
+++ b/pkg/apis/policy/zz_generated.deepcopy.go
@@ -99,7 +99,7 @@ func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions) {
 	*out = *in
 	if in.Ranges != nil {
 		in, out := &in.Ranges, &out.Ranges
-		*out = make([]GroupIDRange, len(*in))
+		*out = make([]IDRange, len(*in))
 		copy(*out, *in)
 	}
 	return
@@ -115,22 +115,6 @@ func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GroupIDRange) DeepCopyInto(out *GroupIDRange) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupIDRange.
-func (in *GroupIDRange) DeepCopy() *GroupIDRange {
-	if in == nil {
-		return nil
-	}
-	out := new(GroupIDRange)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostPortRange) DeepCopyInto(out *HostPortRange) {
 	*out = *in
@@ -147,6 +131,22 @@ func (in *HostPortRange) DeepCopy() *HostPortRange {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IDRange) DeepCopyInto(out *IDRange) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.
+func (in *IDRange) DeepCopy() *IDRange {
+	if in == nil {
+		return nil
+	}
+	out := new(IDRange)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget) {
 	*out = *in
@@ -403,7 +403,7 @@ func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions)
 	*out = *in
 	if in.Ranges != nil {
 		in, out := &in.Ranges, &out.Ranges
-		*out = make([]UserIDRange, len(*in))
+		*out = make([]IDRange, len(*in))
 		copy(*out, *in)
 	}
 	return
@@ -449,7 +449,7 @@ func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroup
 	*out = *in
 	if in.Ranges != nil {
 		in, out := &in.Ranges, &out.Ranges
-		*out = make([]GroupIDRange, len(*in))
+		*out = make([]IDRange, len(*in))
 		copy(*out, *in)
 	}
 	return
@@ -464,19 +464,3 @@ func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrat
 	in.DeepCopyInto(out)
 	return out
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *UserIDRange) DeepCopyInto(out *UserIDRange) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserIDRange.
-func (in *UserIDRange) DeepCopy() *UserIDRange {
-	if in == nil {
-		return nil
-	}
-	out := new(UserIDRange)
-	in.DeepCopyInto(out)
-	return out
-}
diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go
index 0bc468cc77a..636374eb534 100644
--- a/pkg/printers/internalversion/describe.go
+++ b/pkg/printers/internalversion/describe.go
@@ -3535,13 +3535,13 @@ func describePodSecurityPolicy(psp *policy.PodSecurityPolicy) (string, error) {
 		w.Write(LEVEL_2, "Level:\t%s\n", stringOrNone(level))
 
 		w.Write(LEVEL_1, "Run As User Strategy: %s\t\n", string(psp.Spec.RunAsUser.Rule))
-		w.Write(LEVEL_2, "Ranges:\t%s\n", userIDRangeToString(psp.Spec.RunAsUser.Ranges))
+		w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.RunAsUser.Ranges))
 
 		w.Write(LEVEL_1, "FSGroup Strategy: %s\t\n", string(psp.Spec.FSGroup.Rule))
-		w.Write(LEVEL_2, "Ranges:\t%s\n", groupIDRangeToString(psp.Spec.FSGroup.Ranges))
+		w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.FSGroup.Ranges))
 
 		w.Write(LEVEL_1, "Supplemental Groups Strategy: %s\t\n", string(psp.Spec.SupplementalGroups.Rule))
-		w.Write(LEVEL_2, "Ranges:\t%s\n", groupIDRangeToString(psp.Spec.SupplementalGroups.Ranges))
+		w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.SupplementalGroups.Ranges))
 
 		return nil
 	})
@@ -3586,19 +3586,7 @@ func hostPortRangeToString(ranges []policy.HostPortRange) string {
 	return stringOrNone(formattedString)
 }
 
-func userIDRangeToString(ranges []policy.UserIDRange) string {
-	formattedString := ""
-	if ranges != nil {
-		strRanges := []string{}
-		for _, r := range ranges {
-			strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
-		}
-		formattedString = strings.Join(strRanges, ",")
-	}
-	return stringOrNone(formattedString)
-}
-
-func groupIDRangeToString(ranges []policy.GroupIDRange) string {
+func idRangeToString(ranges []policy.IDRange) string {
 	formattedString := ""
 	if ranges != nil {
 		strRanges := []string{}
diff --git a/pkg/security/podsecuritypolicy/group/mustrunas.go b/pkg/security/podsecuritypolicy/group/mustrunas.go
index 5516351ccb8..9e2b8b8791a 100644
--- a/pkg/security/podsecuritypolicy/group/mustrunas.go
+++ b/pkg/security/podsecuritypolicy/group/mustrunas.go
@@ -27,14 +27,14 @@ import (
 
 // mustRunAs implements the GroupStrategy interface
 type mustRunAs struct {
-	ranges []policy.GroupIDRange
+	ranges []policy.IDRange
 	field string
 }
 
 var _ GroupStrategy = &mustRunAs{}
 
 // NewMustRunAs provides a new MustRunAs strategy based on ranges.
-func NewMustRunAs(ranges []policy.GroupIDRange, field string) (GroupStrategy, error) {
+func NewMustRunAs(ranges []policy.IDRange, field string) (GroupStrategy, error) {
 	if len(ranges) == 0 {
 		return nil, fmt.Errorf("ranges must be supplied for MustRunAs")
 	}
diff --git a/pkg/security/podsecuritypolicy/group/mustrunas_test.go b/pkg/security/podsecuritypolicy/group/mustrunas_test.go
index 970c4fd4633..3d7c17e33ef 100644
--- a/pkg/security/podsecuritypolicy/group/mustrunas_test.go
+++ b/pkg/security/podsecuritypolicy/group/mustrunas_test.go
@@ -25,14 +25,14 @@ import (
 
 func TestMustRunAsOptions(t *testing.T) {
 	tests := map[string]struct {
-		ranges []policy.GroupIDRange
+		ranges []policy.IDRange
 		pass bool
 	}{
 		"empty": {
-			ranges: []policy.GroupIDRange{},
+			ranges: []policy.IDRange{},
 		},
 		"ranges": {
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 1},
 			},
 			pass: true,
@@ -52,23 +52,23 @@ func TestMustRunAsOptions(t *testing.T) {
 
 func TestGenerate(t *testing.T) {
 	tests := map[string]struct {
-		ranges []policy.GroupIDRange
+		ranges []policy.IDRange
 		expected []int64
 	}{
 		"multi value": {
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 2},
 			},
 			expected: []int64{1},
 		},
 		"single value": {
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 1},
 			},
 			expected: []int64{1},
 		},
 		"multi range": {
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 1},
 				{Min: 2, Max: 500},
 			},
@@ -110,25 +110,25 @@ func TestGenerate(t *testing.T) {
 
 func TestValidate(t *testing.T) {
 	tests := map[string]struct {
-		ranges []policy.GroupIDRange
+		ranges []policy.IDRange
 		groups []int64
 		expectedError string
 	}{
 		"nil security context": {
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 3},
 			},
 			expectedError: "unable to validate empty groups against required ranges",
 		},
 		"empty groups": {
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 3},
 			},
 			expectedError: "unable to validate empty groups against required ranges",
 		},
 		"not in range": {
 			groups: []int64{5},
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 3},
 				{Min: 4, Max: 4},
 			},
@@ -136,25 +136,25 @@ func TestValidate(t *testing.T) {
 		},
 		"in range 1": {
 			groups: []int64{2},
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 3},
 			},
 		},
 		"in range boundary min": {
 			groups: []int64{1},
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 3},
 			},
 		},
 		"in range boundary max": {
 			groups: []int64{3},
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 1, Max: 3},
 			},
 		},
 		"singular range": {
 			groups: []int64{4},
-			ranges: []policy.GroupIDRange{
+			ranges: []policy.IDRange{
 				{Min: 4, Max: 4},
 			},
 		},
diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go
index 4d8747c7494..a6361136349 100644
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
@@ -186,7 +186,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 	failSupplementalGroupPSP := defaultPSP()
 	failSupplementalGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{
 		Rule: policy.SupplementalGroupsStrategyMustRunAs,
-		Ranges: []policy.GroupIDRange{
+		Ranges: []policy.IDRange{
 			{Min: 1, Max: 1},
 		},
 	}
@@ -197,7 +197,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 	failFSGroupPSP := defaultPSP()
 	failFSGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{
 		Rule: policy.FSGroupStrategyMustRunAs,
-		Ranges: []policy.GroupIDRange{
+		Ranges: []policy.IDRange{
 			{Min: 1, Max: 1},
 		},
 	}
@@ -409,7 +409,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
 	badUID := int64(1)
 	failUserPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{
 		Rule: policy.RunAsUserStrategyMustRunAs,
-		Ranges: []policy.UserIDRange{{Min: uid, Max: uid}},
+		Ranges: []policy.IDRange{{Min: uid, Max: uid}},
 	}
 	failUserPod := defaultPod()
 	failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID
@@ -564,7 +564,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 	supGroupPSP := defaultPSP()
 	supGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{
 		Rule: policy.SupplementalGroupsStrategyMustRunAs,
-		Ranges: []policy.GroupIDRange{
+		Ranges: []policy.IDRange{
 			{Min: 1, Max: 5},
 		},
 	}
@@ -574,7 +574,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 	fsGroupPSP := defaultPSP()
 	fsGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{
 		Rule: policy.FSGroupStrategyMustRunAs,
-		Ranges: []policy.GroupIDRange{
+		Ranges: []policy.IDRange{
 			{Min: 1, Max: 5},
 		},
 	}
@@ -746,7 +746,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
 	uid := int64(999)
 	userPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{
 		Rule: policy.RunAsUserStrategyMustRunAs,
-		Ranges: []policy.UserIDRange{{Min: uid, Max: uid}},
+		Ranges: []policy.IDRange{{Min: uid, Max: uid}},
 	}
 	userPod := defaultPod()
 	userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid
diff --git a/pkg/security/podsecuritypolicy/user/mustrunas_test.go b/pkg/security/podsecuritypolicy/user/mustrunas_test.go
index 3caf48b1317..f8358fb07e8 100644
--- a/pkg/security/podsecuritypolicy/user/mustrunas_test.go
+++ b/pkg/security/podsecuritypolicy/user/mustrunas_test.go
@@ -38,7 +38,7 @@ func TestNewMustRunAs(t *testing.T) {
 		},
 		"valid opts": {
 			opts: &policy.RunAsUserStrategyOptions{
-				Ranges: []policy.UserIDRange{
+				Ranges: []policy.IDRange{
 					{Min: 1, Max: 1},
 				},
 			},
@@ -58,7 +58,7 @@ func TestNewMustRunAs(t *testing.T) {
 
 func TestGenerate(t *testing.T) {
 	opts := &policy.RunAsUserStrategyOptions{
-		Ranges: []policy.UserIDRange{
+		Ranges: []policy.IDRange{
 			{Min: 1, Max: 1},
 		},
 	}
@@ -77,7 +77,7 @@ func TestGenerate(t *testing.T) {
 
 func TestValidate(t *testing.T) {
 	opts := &policy.RunAsUserStrategyOptions{
-		Ranges: []policy.UserIDRange{
+		Ranges: []policy.IDRange{
 			{Min: 1, Max: 1},
 			{Min: 10, Max: 20},
 		},
diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go
index ff9092b686d..67643ccfd2e 100644
--- a/pkg/security/podsecuritypolicy/util/util.go
+++ b/pkg/security/podsecuritypolicy/util/util.go
@@ -164,12 +164,12 @@ func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool {
 }
 
 // UserFallsInRange is a utility to determine it the id falls in the valid range.
-func UserFallsInRange(id int64, rng policy.UserIDRange) bool {
+func UserFallsInRange(id int64, rng policy.IDRange) bool {
 	return id >= rng.Min && id <= rng.Max
 }
 
 // GroupFallsInRange is a utility to determine it the id falls in the valid range.
-func GroupFallsInRange(id int64, rng policy.GroupIDRange) bool {
+func GroupFallsInRange(id int64, rng policy.IDRange) bool {
 	return id >= rng.Min && id <= rng.Max
 }
 
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
index 80dd1b75fe2..6cdf1d3c935 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
@@ -324,11 +324,11 @@ func defaultPod(t *testing.T, pod *kapi.Pod) *kapi.Pod {
 func TestAdmitPreferNonmutating(t *testing.T) {
 	mutating1 := restrictivePSP()
 	mutating1.Name = "mutating1"
-	mutating1.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: int64(1), Max: int64(1)}}
+	mutating1.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: int64(1), Max: int64(1)}}
 
 	mutating2 := restrictivePSP()
 	mutating2.Name = "mutating2"
-	mutating2.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: int64(2), Max: int64(2)}}
+	mutating2.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: int64(2), Max: int64(2)}}
 
 	privilegedPSP := permissivePSP()
 	privilegedPSP.Name = "privileged"
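Review bot: In the util.go hunk, `UserFallsInRange` and `GroupFallsInRange` become byte-identical (same `policy.IDRange` parameter, same inclusive comparison), and both doc comments still carry the typo "determine it the id". Both functions are exported, so dropping one is an API change; the cheaper fix is to have one delegate, `func GroupFallsInRange(id int64, rng policy.IDRange) bool { return UserFallsInRange(id, rng) }`, and to correct the comments to `// UserFallsInRange reports whether id lies within rng, both bounds inclusive.` (and likewise for GroupFallsInRange). Neither function checks that `rng.Min <= rng.Max`; an inverted range makes both return false for every id, which fails closed for an enforcement check, but that reliance on upstream validation to reject such ranges is presumably intentional and deserves a one-line comment on the shared body.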
@@ -1194,7 +1194,7 @@ func TestAdmitRunAsUser(t *testing.T) {
 	mustRunAs := permissivePSP()
 	mustRunAs.Name = "mustRunAs"
 	mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
-	mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{
+	mustRunAs.Spec.RunAsUser.Ranges = []policy.IDRange{
 		{Min: int64(999), Max: int64(1000)},
 	}
 
@@ -1357,7 +1357,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
 	mustRunAs := permissivePSP()
 	mustRunAs.Name = "mustRunAs"
 	mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs
-	mustRunAs.Spec.SupplementalGroups.Ranges = []policy.GroupIDRange{{Min: int64(999), Max: int64(1000)}}
+	mustRunAs.Spec.SupplementalGroups.Ranges = []policy.IDRange{{Min: int64(999), Max: int64(1000)}}
 
 	tests := map[string]struct {
 		pod *kapi.Pod
@@ -2354,7 +2354,7 @@ func restrictivePSP() *policy.PodSecurityPolicy {
 		Spec: policy.PodSecurityPolicySpec{
 			RunAsUser: policy.RunAsUserStrategyOptions{
 				Rule: policy.RunAsUserStrategyMustRunAs,
-				Ranges: []policy.UserIDRange{
+				Ranges: []policy.IDRange{
 					{Min: int64(999), Max: int64(999)},
 				},
 			},
@@ -2366,13 +2366,13 @@ func restrictivePSP() *policy.PodSecurityPolicy {
 			},
 			FSGroup: policy.FSGroupStrategyOptions{
 				Rule: policy.FSGroupStrategyMustRunAs,
-				Ranges: []policy.GroupIDRange{
+				Ranges: []policy.IDRange{
 					{Min: int64(999), Max: int64(999)},
 				},
 			},
 			SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
 				Rule: policy.SupplementalGroupsStrategyMustRunAs,
-				Ranges: []policy.GroupIDRange{
+				Ranges: []policy.IDRange{
 					{Min: int64(999), Max: int64(999)},
 				},
 			},