github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 07:20:13 +00:00
Code Issues Projects Releases Wiki Activity

Replace UserIDRange/GroupIDRange by IDRange in internal type to reduce difference with external type.

Browse Source 
We had IDRange in both types prior 9440a68744 commit that splitted it
into UserIDRange/GroupIDRange. Later, in c91a12d205 commit we had to
revert this changes because they broke backward compatibility but
UserIDRange/GroupIDRange struct left in the internal type.

This commit removes these leftovers and reduces the differences
between internal and external types.
This commit is contained in:
Slava Semushin 2018-05-04 17:37:12 +02:00
parent 54cf942a05
commit f49a0fbd5f
10 changed files with 55 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/apis/policy/types.go
View File

@ -312,19 +312,11 @@ type RunAsUserStrategyOptions struct {
// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
// then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []UserIDRange
Ranges []IDRange
}
// UserIDRange provides a min/max of an allowed range of UserIDs.
type UserIDRange struct {
// Min is the start of the range, inclusive.
Min int64
// Max is the end of the range, inclusive.
Max int64
}
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
type GroupIDRange struct {
// IDRange provides a min/max of an allowed range of IDs.
type IDRange struct {
// Min is the start of the range, inclusive.
Min int64
// Max is the end of the range, inclusive.
@ -352,7 +344,7 @@ type FSGroupStrategyOptions struct {
// Ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []GroupIDRange
Ranges []IDRange
}
// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
@ -374,7 +366,7 @@ type SupplementalGroupsStrategyOptions struct {
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []GroupIDRange
Ranges []IDRange
}
// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental

8
pkg/apis/policy/validation/validation.go
View File

@ -325,12 +325,12 @@ func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) fie
return allErrs
}
func validateUserIDRange(fldPath *field.Path, rng policy.UserIDRange) field.ErrorList {
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
func validateUserIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList {
return validateIDRanges(fldPath, rng.Min, rng.Max)
}
func validateGroupIDRange(fldPath *field.Path, rng policy.GroupIDRange) field.ErrorList {
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
func validateGroupIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList {
return validateIDRanges(fldPath, rng.Min, rng.Max)
}
// validateIDRanges ensures the range is valid.

14
pkg/apis/policy/validation/validation_test.go
View File

@ -270,7 +270,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
invalidUIDPSP := validPSP()
invalidUIDPSP.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
invalidUIDPSP.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: -1, Max: 1}}
invalidUIDPSP.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: -1, Max: 1}}
missingObjectMetaName := validPSP()
missingObjectMetaName.ObjectMeta.Name = ""
@ -288,17 +288,17 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
invalidRangeMinGreaterThanMax := validPSP()
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []policy.IDRange{
{Min: 2, Max: 1},
}
invalidRangeNegativeMin := validPSP()
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []policy.GroupIDRange{
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []policy.IDRange{
{Min: -1, Max: 10},
}
invalidRangeNegativeMax := validPSP()
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []policy.IDRange{
{Min: 1, Max: -10},
}
@ -539,7 +539,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
mustRunAs.Spec.FSGroup.Rule = policy.FSGroupStrategyMustRunAs
mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{
mustRunAs.Spec.RunAsUser.Ranges = []policy.IDRange{
{Min: 1, Max: 1},
}
mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
@ -733,8 +733,8 @@ func Test_validatePSPRunAsUser(t *testing.T) {
{"Invalid RunAsUserStrategy", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategy("someInvalidStrategy")}, true},
{"RunAsUserStrategyMustRunAs", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs}, false},
{"RunAsUserStrategyMustRunAsNonRoot", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAsNonRoot}, false},
{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.IDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.IDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
}
for _, testCase := range testCases {

20
pkg/printers/internalversion/describe.go
View File

@ -3535,13 +3535,13 @@ func describePodSecurityPolicy(psp *policy.PodSecurityPolicy) (string, error) {
w.Write(LEVEL_2, "Level:\t%s\n", stringOrNone(level))
w.Write(LEVEL_1, "Run As User Strategy: %s\t\n", string(psp.Spec.RunAsUser.Rule))
w.Write(LEVEL_2, "Ranges:\t%s\n", userIDRangeToString(psp.Spec.RunAsUser.Ranges))
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.RunAsUser.Ranges))
w.Write(LEVEL_1, "FSGroup Strategy: %s\t\n", string(psp.Spec.FSGroup.Rule))
w.Write(LEVEL_2, "Ranges:\t%s\n", groupIDRangeToString(psp.Spec.FSGroup.Ranges))
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.FSGroup.Ranges))
w.Write(LEVEL_1, "Supplemental Groups Strategy: %s\t\n", string(psp.Spec.SupplementalGroups.Rule))
w.Write(LEVEL_2, "Ranges:\t%s\n", groupIDRangeToString(psp.Spec.SupplementalGroups.Ranges))
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.SupplementalGroups.Ranges))
return nil
})
@ -3586,19 +3586,7 @@ func hostPortRangeToString(ranges []policy.HostPortRange) string {
return stringOrNone(formattedString)
}
func userIDRangeToString(ranges []policy.UserIDRange) string {
formattedString := ""
if ranges != nil {
strRanges := []string{}
for _, r := range ranges {
strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
}
formattedString = strings.Join(strRanges, ",")
}
return stringOrNone(formattedString)
}
func groupIDRangeToString(ranges []policy.GroupIDRange) string {
func idRangeToString(ranges []policy.IDRange) string {
formattedString := ""
if ranges != nil {
strRanges := []string{}

4
pkg/security/podsecuritypolicy/group/mustrunas.go
View File

@ -27,14 +27,14 @@ import (
// mustRunAs implements the GroupStrategy interface
type mustRunAs struct {
ranges []policy.GroupIDRange
ranges []policy.IDRange
field string
}
var _ GroupStrategy = &mustRunAs{}
// NewMustRunAs provides a new MustRunAs strategy based on ranges.
func NewMustRunAs(ranges []policy.GroupIDRange, field string) (GroupStrategy, error) {
func NewMustRunAs(ranges []policy.IDRange, field string) (GroupStrategy, error) {
if len(ranges) == 0 {
return nil, fmt.Errorf("ranges must be supplied for MustRunAs")
}

30
pkg/security/podsecuritypolicy/group/mustrunas_test.go
View File

@ -25,14 +25,14 @@ import (
func TestMustRunAsOptions(t *testing.T) {
tests := map[string]struct {
ranges []policy.GroupIDRange
ranges []policy.IDRange
pass bool
}{
"empty": {
ranges: []policy.GroupIDRange{},
ranges: []policy.IDRange{},
},
"ranges": {
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 1},
},
pass: true,
@ -52,23 +52,23 @@ func TestMustRunAsOptions(t *testing.T) {
func TestGenerate(t *testing.T) {
tests := map[string]struct {
ranges []policy.GroupIDRange
ranges []policy.IDRange
expected []int64
}{
"multi value": {
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 2},
},
expected: []int64{1},
},
"single value": {
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 1},
},
expected: []int64{1},
},
"multi range": {
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 1},
{Min: 2, Max: 500},
},
@ -110,25 +110,25 @@ func TestGenerate(t *testing.T) {
func TestValidate(t *testing.T) {
tests := map[string]struct {
ranges []policy.GroupIDRange
ranges []policy.IDRange
groups []int64
expectedError string
}{
"nil security context": {
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 3},
},
expectedError: "unable to validate empty groups against required ranges",
},
"empty groups": {
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 3},
},
expectedError: "unable to validate empty groups against required ranges",
},
"not in range": {
groups: []int64{5},
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 3},
{Min: 4, Max: 4},
},
@ -136,25 +136,25 @@ func TestValidate(t *testing.T) {
},
"in range 1": {
groups: []int64{2},
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 3},
},
},
"in range boundary min": {
groups: []int64{1},
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 3},
},
},
"in range boundary max": {
groups: []int64{3},
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 1, Max: 3},
},
},
"singular range": {
groups: []int64{4},
ranges: []policy.GroupIDRange{
ranges: []policy.IDRange{
{Min: 4, Max: 4},
},
},

12
pkg/security/podsecuritypolicy/provider_test.go
View File

@ -186,7 +186,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
failSupplementalGroupPSP := defaultPSP()
failSupplementalGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{
Rule: policy.SupplementalGroupsStrategyMustRunAs,
Ranges: []policy.GroupIDRange{
Ranges: []policy.IDRange{
{Min: 1, Max: 1},
},
}
@ -197,7 +197,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
failFSGroupPSP := defaultPSP()
failFSGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{
Rule: policy.FSGroupStrategyMustRunAs,
Ranges: []policy.GroupIDRange{
Ranges: []policy.IDRange{
{Min: 1, Max: 1},
},
}
@ -409,7 +409,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
badUID := int64(1)
failUserPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyMustRunAs,
Ranges: []policy.UserIDRange{{Min: uid, Max: uid}},
Ranges: []policy.IDRange{{Min: uid, Max: uid}},
}
failUserPod := defaultPod()
failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID
@ -564,7 +564,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
supGroupPSP := defaultPSP()
supGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{
Rule: policy.SupplementalGroupsStrategyMustRunAs,
Ranges: []policy.GroupIDRange{
Ranges: []policy.IDRange{
{Min: 1, Max: 5},
},
}
@ -574,7 +574,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
fsGroupPSP := defaultPSP()
fsGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{
Rule: policy.FSGroupStrategyMustRunAs,
Ranges: []policy.GroupIDRange{
Ranges: []policy.IDRange{
{Min: 1, Max: 5},
},
}
@ -746,7 +746,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
uid := int64(999)
userPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyMustRunAs,
Ranges: []policy.UserIDRange{{Min: uid, Max: uid}},
Ranges: []policy.IDRange{{Min: uid, Max: uid}},
}
userPod := defaultPod()
userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid

6
pkg/security/podsecuritypolicy/user/mustrunas_test.go
View File

@ -38,7 +38,7 @@ func TestNewMustRunAs(t *testing.T) {
},
"valid opts": {
opts: &policy.RunAsUserStrategyOptions{
Ranges: []policy.UserIDRange{
Ranges: []policy.IDRange{
{Min: 1, Max: 1},
},
},
@ -58,7 +58,7 @@ func TestNewMustRunAs(t *testing.T) {
func TestGenerate(t *testing.T) {
opts := &policy.RunAsUserStrategyOptions{
Ranges: []policy.UserIDRange{
Ranges: []policy.IDRange{
{Min: 1, Max: 1},
},
}
@ -77,7 +77,7 @@ func TestGenerate(t *testing.T) {
func TestValidate(t *testing.T) {
opts := &policy.RunAsUserStrategyOptions{
Ranges: []policy.UserIDRange{
Ranges: []policy.IDRange{
{Min: 1, Max: 1},
{Min: 10, Max: 20},
},

4
pkg/security/podsecuritypolicy/util/util.go
View File

@ -164,12 +164,12 @@ func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool {
}
// UserFallsInRange is a utility to determine it the id falls in the valid range.
func UserFallsInRange(id int64, rng policy.UserIDRange) bool {
func UserFallsInRange(id int64, rng policy.IDRange) bool {
return id >= rng.Min && id <= rng.Max
}
// GroupFallsInRange is a utility to determine it the id falls in the valid range.
func GroupFallsInRange(id int64, rng policy.GroupIDRange) bool {
func GroupFallsInRange(id int64, rng policy.IDRange) bool {
return id >= rng.Min && id <= rng.Max
}

14
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@ -324,11 +324,11 @@ func defaultPod(t *testing.T, pod *kapi.Pod) *kapi.Pod {
func TestAdmitPreferNonmutating(t *testing.T) {
mutating1 := restrictivePSP()
mutating1.Name = "mutating1"
mutating1.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: int64(1), Max: int64(1)}}
mutating1.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: int64(1), Max: int64(1)}}
mutating2 := restrictivePSP()
mutating2.Name = "mutating2"
mutating2.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: int64(2), Max: int64(2)}}
mutating2.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: int64(2), Max: int64(2)}}
privilegedPSP := permissivePSP()
privilegedPSP.Name = "privileged"
@ -1194,7 +1194,7 @@ func TestAdmitRunAsUser(t *testing.T) {
mustRunAs := permissivePSP()
mustRunAs.Name = "mustRunAs"
mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{
mustRunAs.Spec.RunAsUser.Ranges = []policy.IDRange{
{Min: int64(999), Max: int64(1000)},
}
@ -1357,7 +1357,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
mustRunAs := permissivePSP()
mustRunAs.Name = "mustRunAs"
mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs
mustRunAs.Spec.SupplementalGroups.Ranges = []policy.GroupIDRange{{Min: int64(999), Max: int64(1000)}}
mustRunAs.Spec.SupplementalGroups.Ranges = []policy.IDRange{{Min: int64(999), Max: int64(1000)}}
tests := map[string]struct {
pod *kapi.Pod
@ -2354,7 +2354,7 @@ func restrictivePSP() *policy.PodSecurityPolicy {
Spec: policy.PodSecurityPolicySpec{
RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyMustRunAs,
Ranges: []policy.UserIDRange{
Ranges: []policy.IDRange{
{Min: int64(999), Max: int64(999)},
},
},
@ -2366,13 +2366,13 @@ func restrictivePSP() *policy.PodSecurityPolicy {
},
FSGroup: policy.FSGroupStrategyOptions{
Rule: policy.FSGroupStrategyMustRunAs,
Ranges: []policy.GroupIDRange{
Ranges: []policy.IDRange{
{Min: int64(999), Max: int64(999)},
},
},
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: policy.SupplementalGroupsStrategyMustRunAs,
Ranges: []policy.GroupIDRange{
Ranges: []policy.IDRange{
{Min: int64(999), Max: int64(999)},
},
},