diff --git a/pkg/volume/util/util.go b/pkg/volume/util/util.go
index 601dc646013..ee13d975d70 100644
--- a/pkg/volume/util/util.go
+++ b/pkg/volume/util/util.go
@@ -653,8 +653,7 @@ func GetPodVolumeNames(pod *v1.Pod) (mounts sets.String, devices sets.String, se
 // attributes.
 func FsUserFrom(pod *v1.Pod) *int64 {
 var fsUser *int64
- // Exclude ephemeral containers because SecurityContext is not allowed.
- podutil.VisitContainers(&pod.Spec, podutil.InitContainers|podutil.Containers, func(container *v1.Container, containerType podutil.ContainerType) bool {
+ podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), func(container *v1.Container, containerType podutil.ContainerType) bool {
 runAsUser, ok := securitycontext.DetermineEffectiveRunAsUser(pod, container)
 // One container doesn't specify user or there are more than one
 // non-root UIDs.
diff --git a/pkg/volume/util/util_test.go b/pkg/volume/util/util_test.go
index e35cce690e1..91b4ea3db37 100644
--- a/pkg/volume/util/util_test.go
+++ b/pkg/volume/util/util_test.go
@@ -34,7 +34,7 @@ import (
 "k8s.io/kubernetes/pkg/features"
 "k8s.io/kubernetes/pkg/util/slice"
 "k8s.io/kubernetes/pkg/volume"
- utilptr "k8s.io/utils/pointer"
+ "k8s.io/utils/ptr"
 )
 
 func TestLoadPodFromFile(t *testing.T) {
@@ -169,14 +169,14 @@ func TestFsUserFrom(t *testing.T) {
 InitContainers: []v1.Container{
 {
 SecurityContext: &v1.SecurityContext{
- RunAsUser: utilptr.Int64Ptr(1000),
+ RunAsUser: ptr.To[int64](1000),
 },
 },
 },
 Containers: []v1.Container{
 {
 SecurityContext: &v1.SecurityContext{
- RunAsUser: utilptr.Int64Ptr(1000),
+ RunAsUser: ptr.To[int64](1000),
 },
 },
 {
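Review bot: The removed comment explained why ephemeral containers were skipped, but nothing replaces it, so a reader of the new `podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), ...)` line cannot tell that a debug container's own RunAsUser now takes part in the UID agreement check and, per the "more than one non-root UIDs" comment just below, presumably forces the nil result. Suggest a one-line comment above the call: `// Ephemeral containers may carry their own RunAsUser; visit every container type the feature gates allow so a differing UID in one of them is not ignored.` The helper's name suggests the visited set depends on feature gates at call time, so the result for a pod with ephemeral containers would vary with the gate; if so, that is worth a sentence in the FsUserFrom doc comment, whose start is outside the hunk. FsUserFrom's body also continues past the hunk.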
@@ -195,19 +195,28 @@ func TestFsUserFrom(t *testing.T) {
 InitContainers: []v1.Container{
 {
 SecurityContext: &v1.SecurityContext{
- RunAsUser: utilptr.Int64Ptr(999),
+ RunAsUser: ptr.To[int64](999),
 },
 },
 },
 Containers: []v1.Container{
 {
 SecurityContext: &v1.SecurityContext{
- RunAsUser: utilptr.Int64Ptr(1000),
+ RunAsUser: ptr.To[int64](1000),
 },
 },
 {
 SecurityContext: &v1.SecurityContext{
- RunAsUser: utilptr.Int64Ptr(1000),
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ },
+ EphemeralContainers: []v1.EphemeralContainer{
+ {
+ EphemeralContainerCommon: v1.EphemeralContainerCommon{
+ SecurityContext: &v1.SecurityContext{
+ RunAsUser: ptr.To[int64](1001),
+ },
 },
 },
 },
@@ -215,6 +224,34 @@ func TestFsUserFrom(t *testing.T) {
 },
 wantFsUser: nil,
 },
+ {
+ desc: "init and regular containers have runAsUser specified and the same",
+ pod: &v1.Pod{
+ Spec: v1.PodSpec{
+ SecurityContext: &v1.PodSecurityContext{},
+ InitContainers: []v1.Container{
+ {
+ SecurityContext: &v1.SecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ },
+ Containers: []v1.Container{
+ {
+ SecurityContext: &v1.SecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ {
+ SecurityContext: &v1.SecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ },
+ },
+ },
+ wantFsUser: ptr.To[int64](1000),
+ },
 {
 desc: "all have runAsUser specified and the same",
 pod: &v1.Pod{
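Review bot: None of the added cases isolates the behaviour the util.go change introduces: in the `@@ -195` hunk the ephemeral container with UID 1001 is added to a pod whose init (999) and regular (1000) containers already disagree, so `wantFsUser: nil` held before the change, and in the `@@ -223` hunk the ephemeral container uses the same 1000 as every other container. The missing case is init and regular containers agreeing on 1000 while the ephemeral container sets 1001; it is the one that would fail if ephemeral containers were dropped from the visit again, and by the "more than one non-root UIDs" comment in FsUserFrom it should expect nil. That expectation assumes the ephemeral-container gate is on in the test harness, which the `AllFeatureEnabledContainers()` name suggests matters; if the table is run under a gate override elsewhere in the file, the new case should follow the same setup.
```go
// … unchanged: existing FsUserFrom cases …
{
	desc: "init and regular containers agree on runAsUser but an ephemeral container differs",
	pod: &v1.Pod{
		Spec: v1.PodSpec{
			SecurityContext: &v1.PodSecurityContext{},
			InitContainers: []v1.Container{
				{SecurityContext: &v1.SecurityContext{RunAsUser: ptr.To[int64](1000)}},
			},
			Containers: []v1.Container{
				{SecurityContext: &v1.SecurityContext{RunAsUser: ptr.To[int64](1000)}},
			},
			EphemeralContainers: []v1.EphemeralContainer{
				{
					EphemeralContainerCommon: v1.EphemeralContainerCommon{
						SecurityContext: &v1.SecurityContext{RunAsUser: ptr.To[int64](1001)},
					},
				},
			},
		},
	},
	wantFsUser: nil,
},
```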
@@ -223,25 +260,34 @@ func TestFsUserFrom(t *testing.T) {
 InitContainers: []v1.Container{
 {
 SecurityContext: &v1.SecurityContext{
- RunAsUser: utilptr.Int64Ptr(1000),
+ RunAsUser: ptr.To[int64](1000),
 },
 },
 },
 Containers: []v1.Container{
 {
 SecurityContext: &v1.SecurityContext{
- RunAsUser: utilptr.Int64Ptr(1000),
+ RunAsUser: ptr.To[int64](1000),
 },
 },
 {
 SecurityContext: &v1.SecurityContext{
- RunAsUser: utilptr.Int64Ptr(1000),
+ RunAsUser: ptr.To[int64](1000),
+ },
+ },
+ },
+ EphemeralContainers: []v1.EphemeralContainer{
+ {
+ EphemeralContainerCommon: v1.EphemeralContainerCommon{
+ SecurityContext: &v1.SecurityContext{
+ RunAsUser: ptr.To[int64](1000),
+ },
 },
 },
 },
 },
 },
- wantFsUser: utilptr.Int64Ptr(1000),
+ wantFsUser: ptr.To[int64](1000),
 },
 }