PodSecurity: optimize evaluation of fully-privileged namespaces
benchmark old ns/op new ns/op delta BenchmarkVerifyPod/enforce-implicit_pod-12 2658 370 -86.07% BenchmarkVerifyPod/enforce-implicit_deployment-12 2462 408 -83.42% BenchmarkVerifyPod/enforce-privileged_pod-12 2346 420 -82.11% BenchmarkVerifyPod/enforce-privileged_deployment-12 2318 426 -81.64% BenchmarkVerifyPod/enforce-baseline_pod-12 3606 4259 +18.11% BenchmarkVerifyPod/enforce-baseline_deployment-12 2032 341 -83.22% BenchmarkVerifyPod/enforce-restricted_pod-12 3522 3322 -5.68% BenchmarkVerifyPod/enforce-restricted_deployment-12 1893 327 -82.70% BenchmarkVerifyPod/warn-baseline_pod-12 3076 2964 -3.64% BenchmarkVerifyPod/warn-baseline_deployment-12 3111 3069 -1.35% BenchmarkVerifyPod/warn-restricted_pod-12 3155 3223 +2.16% BenchmarkVerifyPod/warn-restricted_deployment-12 3235 3443 +6.43% BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 5148 5193 +0.87% BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 4147 4295 +3.57% BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 4286 4363 +1.80% BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 4447 4482 +0.79% benchmark old allocs new allocs delta BenchmarkVerifyPod/enforce-implicit_pod-12 12 2 -83.33% BenchmarkVerifyPod/enforce-implicit_deployment-12 14 2 -85.71% BenchmarkVerifyPod/enforce-privileged_pod-12 12 2 -83.33% BenchmarkVerifyPod/enforce-privileged_deployment-12 14 2 -85.71% BenchmarkVerifyPod/enforce-baseline_pod-12 17 17 +0.00% BenchmarkVerifyPod/enforce-baseline_deployment-12 14 2 -85.71% BenchmarkVerifyPod/enforce-restricted_pod-12 17 17 +0.00% BenchmarkVerifyPod/enforce-restricted_deployment-12 14 2 -85.71% BenchmarkVerifyPod/warn-baseline_pod-12 17 17 +0.00% BenchmarkVerifyPod/warn-baseline_deployment-12 19 19 +0.00% BenchmarkVerifyPod/warn-restricted_pod-12 17 17 +0.00% BenchmarkVerifyPod/warn-restricted_deployment-12 19 19 +0.00% BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 27 27 +0.00% BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 24 24 +0.00% 
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 22 22 +0.00% BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 24 24 +0.00% benchmark old bytes new bytes delta BenchmarkVerifyPod/enforce-implicit_pod-12 2120 208 -90.19% BenchmarkVerifyPod/enforce-implicit_deployment-12 2304 208 -90.97% BenchmarkVerifyPod/enforce-privileged_pod-12 2120 208 -90.19% BenchmarkVerifyPod/enforce-privileged_deployment-12 2304 208 -90.97% BenchmarkVerifyPod/enforce-baseline_pod-12 3368 3368 +0.00% BenchmarkVerifyPod/enforce-baseline_deployment-12 2304 208 -90.97% BenchmarkVerifyPod/enforce-restricted_pod-12 3368 3368 +0.00% BenchmarkVerifyPod/enforce-restricted_deployment-12 2304 208 -90.97% BenchmarkVerifyPod/warn-baseline_pod-12 3368 3368 +0.00% BenchmarkVerifyPod/warn-baseline_deployment-12 3552 3552 +0.00% BenchmarkVerifyPod/warn-restricted_pod-12 3368 3368 +0.00% BenchmarkVerifyPod/warn-restricted_deployment-12 3552 3552 +0.00% BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 5864 5864 +0.00% BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 4800 4800 +0.00% BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 4616 4616 +0.00% BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 4800 4800 +0.00%
This commit is contained in:
parent
13e0887c4c
commit
d5589ba65f
@ -302,6 +302,17 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
|
||||
return allowedResponse()
|
||||
}
|
||||
|
||||
// short-circuit on privileged enforce+audit+warn namespaces
|
||||
namespace, err := a.NamespaceGetter.GetNamespace(ctx, attrs.GetNamespace())
|
||||
if err != nil {
|
||||
klog.ErrorS(err, "failed to fetch pod namespace", "namespace", attrs.GetNamespace())
|
||||
return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", attrs.GetNamespace()))
|
||||
}
|
||||
nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
|
||||
if nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
|
||||
return allowedResponse()
|
||||
}
|
||||
|
||||
obj, err := attrs.GetObject()
|
||||
if err != nil {
|
||||
klog.ErrorS(err, "failed to decode object")
|
||||
@ -341,6 +352,17 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
|
||||
return allowedResponse()
|
||||
}
|
||||
|
||||
// short-circuit on privileged audit+warn namespaces
|
||||
namespace, err := a.NamespaceGetter.GetNamespace(ctx, attrs.GetNamespace())
|
||||
if err != nil {
|
||||
klog.ErrorS(err, "failed to fetch pod namespace", "namespace", attrs.GetNamespace())
|
||||
return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", attrs.GetNamespace()))
|
||||
}
|
||||
nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
|
||||
if nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
|
||||
return allowedResponse()
|
||||
}
|
||||
|
||||
obj, err := attrs.GetObject()
|
||||
if err != nil {
|
||||
klog.ErrorS(err, "failed to decode object")
|
||||
|
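Review bot: The short-circuit at `nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)` discards the label-parsing errors, so a namespace whose three level labels read as privileged but whose other pod-security labels are malformed is admitted here without the warning the full evaluation path would surface, and whether a bad level can reach this fast path depends on what the parser substitutes for an unparseable value rather than on an explicit check. Fail closed by binding the errors and only skipping evaluation when there are none: `nsPolicy, nsPolicyErrs := a.PolicyToEvaluate(namespace.Labels)` and `if len(nsPolicyErrs) == 0 && nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {`. The same applies to the warn+audit check in the second hunk in ValidatePodController, which otherwise duplicates the lookup block line for line. Both ValidatePod and ValidatePodController begin and end outside the hunks, and since the hunks are additions only I assume the pre-existing namespace lookup further down still runs on the non-privileged path, so that path now fetches the namespace twice — cheap with a cached getter, but worth folding into one lookup.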