Merge pull request #52301 from tallclair/psp-seccomp

Automatic merge from submit-queue (batch tested with PRs 52339, 52343, 52125, 52360, 52301)

'*' is valid for allowed seccomp profiles

**What this PR does / why we need it**:
This should be valid on a PodSecurityPolicy, but is currently rejected:
```
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
```

**Which issue this PR fixes**: fixes #52300

```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2017-09-12 21:46:02 -07:00 committed by GitHub
commit dc02dfe560
2 changed files with 13 additions and 1 deletions


@ -698,6 +698,9 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string,
} }
if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" { if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
for _, p := range strings.Split(allowed, ",") { for _, p := range strings.Split(allowed, ",") {
if p == seccomp.AllowAny {
continue
}
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...) allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
} }
} }
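Review bot: The new wildcard check at `if p == seccomp.AllowAny {` carries no comment explaining why `*` bypasses ValidateSeccompProfile, so a later reader could mistake it for an accidental gap in validation rather than the intended wildcard. I would add `// seccomp.AllowAny ("*") is a wildcard, not a profile name, so it is exempt from profile-name validation.` directly above that line. The comparison is exact, so an entry such as ` *` with surrounding whitespace would still reach ValidateSeccompProfile and presumably be rejected; that matches how the other comma-separated entries are treated, but it is worth stating in the comment if whitespace is intentionally unsupported. ValidatePodSecurityPolicySpecificAnnotations starts before and ends after this hunk.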


@ -2496,6 +2496,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
invalidSeccompDefault.Annotations = map[string]string{ invalidSeccompDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "not-good", seccomp.DefaultProfileAnnotationKey: "not-good",
} }
invalidSeccompAllowAnyDefault := validPSP()
invalidSeccompAllowAnyDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "*",
}
invalidSeccompAllowed := validPSP() invalidSeccompAllowed := validPSP()
invalidSeccompAllowed.Annotations = map[string]string{ invalidSeccompAllowed.Annotations = map[string]string{
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good", seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
@ -2616,6 +2620,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
errorType: field.ErrorTypeInvalid, errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile", errorDetail: "must be a valid seccomp profile",
}, },
"invalid seccomp allow any default profile": {
psp: invalidSeccompAllowAnyDefault,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid seccomp allowed profile": { "invalid seccomp allowed profile": {
psp: invalidSeccompAllowed, psp: invalidSeccompAllowed,
errorType: field.ErrorTypeInvalid, errorType: field.ErrorTypeInvalid,
@ -2707,7 +2716,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
validSeccomp := validPSP() validSeccomp := validPSP()
validSeccomp.Annotations = map[string]string{ validSeccomp.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "docker/default", seccomp.DefaultProfileAnnotationKey: "docker/default",
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo", seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*",
} }
validDefaultAllowPrivilegeEscalation := validPSP() validDefaultAllowPrivilegeEscalation := validPSP()
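Review bot: The success case changed on the line `seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*"` only exercises `*` mixed with concrete profile names; the exact form quoted in the PR description, an allowed list consisting solely of `*`, has no test. I would add `validSeccompAllowAny := validPSP()` and `validSeccompAllowAny.Annotations = map[string]string{seccomp.AllowedProfilesAnnotationKey: "*"}` and register it next to validSeccomp in the success-case table, which appears to lie outside this hunk. The new failure case `"invalid seccomp allow any default profile"` is a useful guard that the wildcard stays rejected for the default profile annotation, so the two annotations are covered asymmetrically on purpose. TestValidatePodSecurityPolicy starts before and ends after these hunks.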