From d4c85e977fe2e1ee5df3fb2977460b578346bdb8 Mon Sep 17 00:00:00 2001
From: Zheng Dayu
Date: Thu, 27 Dec 2018 14:38:08 +0800
Subject: [PATCH] Validation on RunAsGroup - Update DropDisabled[Alpha]Fields behaviour

---
 pkg/api/pod/util.go | 40 ++++++++++++++++++-------------
 pkg/api/podsecuritypolicy/util.go | 5 +---
 2 files changed, 24 insertions(+), 21 deletions(-)

diff --git a/pkg/api/pod/util.go b/pkg/api/pod/util.go
index a6864f73f29..1c2c6a9fe0b 100644
--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -279,7 +279,7 @@ func DropDisabledFields(podSpec, oldPodSpec *api.PodSpec) {
 // dropDisabledRunAsGroupField removes disabled fields from PodSpec related
 // to RunAsGroup
 func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && !runAsGroupInUse(oldPodSpec) {
 		if podSpec.SecurityContext != nil {
 			podSpec.SecurityContext.RunAsGroup = nil
 		}
@@ -293,22 +293,6 @@ func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
 				podSpec.InitContainers[i].SecurityContext.RunAsGroup = nil
 			}
 		}
-
-		if oldPodSpec != nil {
-			if oldPodSpec.SecurityContext != nil {
-				oldPodSpec.SecurityContext.RunAsGroup = nil
-			}
-			for i := range oldPodSpec.Containers {
-				if oldPodSpec.Containers[i].SecurityContext != nil {
-					oldPodSpec.Containers[i].SecurityContext.RunAsGroup = nil
-				}
-			}
-			for i := range oldPodSpec.InitContainers {
-				if oldPodSpec.InitContainers[i].SecurityContext != nil {
-					oldPodSpec.InitContainers[i].SecurityContext.RunAsGroup = nil
-				}
-			}
-		}
 	}
 }
 
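Review bot: The doc comment on dropDisabledRunAsGroupField (the context lines at the top of this hunk) no longer describes the function: the new condition also skips the drop when the old spec already uses RunAsGroup, so an update to an existing object keeps the field even with the gate off. Suggest `// dropDisabledRunAsGroupField clears RunAsGroup from the PodSpec's pod-level and container SecurityContexts when the RunAsGroup feature gate is disabled, unless oldPodSpec already has RunAsGroup set, so updates to existing objects are not silently stripped.` The body of dropDisabledRunAsGroupField continues past this hunk, and the second hunk removes the mutation of oldPodSpec that previously accompanied the drop; if any caller relied on oldPodSpec being scrubbed before validation, it now sees the original values, which is worth confirming against the validation changes named in the subject.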
@@ -445,3 +429,25 @@ func volumeDevicesInUse(podSpec *api.PodSpec) bool {
 	}
 	return false
 }
+
+// runAsGroupInUse returns true if the pod spec is non-nil and has a SecurityContext's RunAsGroup field set
+func runAsGroupInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+
+	if podSpec.SecurityContext != nil && podSpec.SecurityContext.RunAsGroup != nil {
+		return true
+	}
+	for i := range podSpec.Containers {
+		if podSpec.Containers[i].SecurityContext != nil && podSpec.Containers[i].SecurityContext.RunAsGroup != nil {
+			return true
+		}
+	}
+	for i := range podSpec.InitContainers {
+		if podSpec.InitContainers[i].SecurityContext != nil && podSpec.InitContainers[i].SecurityContext.RunAsGroup != nil {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/api/podsecuritypolicy/util.go b/pkg/api/podsecuritypolicy/util.go
index 234a152455a..4aecb5a16ad 100644
--- a/pkg/api/podsecuritypolicy/util.go
+++ b/pkg/api/podsecuritypolicy/util.go
@@ -28,11 +28,8 @@ func DropDisabledFields(pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec) {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) && !allowedProcMountTypesInUse(oldPSPSpec) {
 		pspSpec.AllowedProcMountTypes = nil
 	}
-	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && (oldPSPSpec == nil || oldPSPSpec.RunAsGroup == nil) {
 		pspSpec.RunAsGroup = nil
-		if oldPSPSpec != nil {
-			oldPSPSpec.RunAsGroup = nil
-		}
 	}
 }
 
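Review bot: The doc comment on runAsGroupInUse under-describes the check: the function also walks Containers and InitContainers, so a reader of the comment alone would assume only the pod-level SecurityContext is consulted. Suggest `// runAsGroupInUse returns true if the pod spec is non-nil and RunAsGroup is set on the pod-level SecurityContext or on the SecurityContext of any container or init container.` Because this helper decides whether a gated field survives an update, an exact comment makes it easier to keep the list of places checked in step with the places dropDisabledRunAsGroupField clears. The wording then also matches the sibling *InUse helpers in this file, such as volumeDevicesInUse just above.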
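Review bot: The new RunAsGroup condition inlines `(oldPSPSpec == nil || oldPSPSpec.RunAsGroup == nil)` while the ProcMountType check on the line directly above expresses the same "already in use" test through allowedProcMountTypesInUse(oldPSPSpec), so the two gates now read differently for no reason. A three-line helper in this package, `func runAsGroupInUse(pspSpec *policy.PodSecurityPolicySpec) bool` returning `pspSpec != nil && pspSpec.RunAsGroup != nil`, would let the line become `if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && !runAsGroupInUse(oldPSPSpec) {`, matching both the line above and the helper this commit adds to pkg/api/pod/util.go. The enclosing DropDisabledFields begins above this hunk.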