github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Validation on RunAsGroup - Update DropDisabled[Alpha]Fields behaviour

Browse Source
This commit is contained in:
Zheng Dayu 2018-12-27 14:38:08 +08:00
parent 13e59ab9ad
commit d4c85e977f
2 changed files with 24 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
pkg/api/pod/util.go
View File

@ -279,7 +279,7 @@ func DropDisabledFields(podSpec, oldPodSpec *api.PodSpec) {
// dropDisabledRunAsGroupField removes disabled fields from PodSpec related // dropDisabledRunAsGroupField removes disabled fields from PodSpec related
// to RunAsGroup // to RunAsGroup
func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) { func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) { if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && !runAsGroupInUse(oldPodSpec) {
if podSpec.SecurityContext != nil { if podSpec.SecurityContext != nil {
podSpec.SecurityContext.RunAsGroup = nil podSpec.SecurityContext.RunAsGroup = nil
} }
@ -293,22 +293,6 @@ func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
podSpec.InitContainers[i].SecurityContext.RunAsGroup = nil podSpec.InitContainers[i].SecurityContext.RunAsGroup = nil
} }
} }
if oldPodSpec != nil {
if oldPodSpec.SecurityContext != nil {
oldPodSpec.SecurityContext.RunAsGroup = nil
}
for i := range oldPodSpec.Containers {
if oldPodSpec.Containers[i].SecurityContext != nil {
oldPodSpec.Containers[i].SecurityContext.RunAsGroup = nil
}
}
for i := range oldPodSpec.InitContainers {
if oldPodSpec.InitContainers[i].SecurityContext != nil {
oldPodSpec.InitContainers[i].SecurityContext.RunAsGroup = nil
}
}
}
} }
} }
@ -445,3 +429,25 @@ func volumeDevicesInUse(podSpec *api.PodSpec) bool {
} }
return false return false
} }
// runAsGroupInUse returns true if the pod spec is non-nil and has a SecurityContext's RunAsGroup field set
func runAsGroupInUse(podSpec *api.PodSpec) bool {
if podSpec == nil {
return false
}
if podSpec.SecurityContext != nil && podSpec.SecurityContext.RunAsGroup != nil {
return true
}
for i := range podSpec.Containers {
if podSpec.Containers[i].SecurityContext != nil && podSpec.Containers[i].SecurityContext.RunAsGroup != nil {
return true
}
}
for i := range podSpec.InitContainers {
if podSpec.InitContainers[i].SecurityContext != nil && podSpec.InitContainers[i].SecurityContext.RunAsGroup != nil {
return true
}
}
return false
}

5
pkg/api/podsecuritypolicy/util.go
View File

@ -28,11 +28,8 @@ func DropDisabledFields(pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec) {
if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) && !allowedProcMountTypesInUse(oldPSPSpec) { if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) && !allowedProcMountTypesInUse(oldPSPSpec) {
pspSpec.AllowedProcMountTypes = nil pspSpec.AllowedProcMountTypes = nil
} }
if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) { if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && (oldPSPSpec == nil || oldPSPSpec.RunAsGroup == nil) {
pspSpec.RunAsGroup = nil pspSpec.RunAsGroup = nil
if oldPSPSpec != nil {
oldPSPSpec.RunAsGroup = nil
}
} }
} }