diff --git a/pkg/apis/policy/types.go b/pkg/apis/policy/types.go index 2d90dec8a74..4d138ec1044 100644 --- a/pkg/apis/policy/types.go +++ b/pkg/apis/policy/types.go @@ -312,19 +312,11 @@ type RunAsUserStrategyOptions struct { // Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid // then supply a single range with the same start and end. Required for MustRunAs. // +optional - Ranges []UserIDRange + Ranges []IDRange } -// UserIDRange provides a min/max of an allowed range of UserIDs. -type UserIDRange struct { - // Min is the start of the range, inclusive. - Min int64 - // Max is the end of the range, inclusive. - Max int64 -} - -// GroupIDRange provides a min/max of an allowed range of GroupIDs. -type GroupIDRange struct { +// IDRange provides a min/max of an allowed range of IDs. +type IDRange struct { // Min is the start of the range, inclusive. Min int64 // Max is the end of the range, inclusive. @@ -352,7 +344,7 @@ type FSGroupStrategyOptions struct { // Ranges are the allowed ranges of fs groups. If you would like to force a single // fs group then supply a single range with the same start and end. Required for MustRunAs. // +optional - Ranges []GroupIDRange + Ranges []IDRange } // FSGroupStrategyType denotes strategy types for generating FSGroup values for a @@ -374,7 +366,7 @@ type SupplementalGroupsStrategyOptions struct { // Ranges are the allowed ranges of supplemental groups. If you would like to force a single // supplemental group then supply a single range with the same start and end. Required for MustRunAs. // +optional - Ranges []GroupIDRange + Ranges []IDRange } // SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental diff --git a/pkg/apis/policy/validation/validation.go b/pkg/apis/policy/validation/validation.go index 2c1e1de2a87..c1b592a858f 100644 --- a/pkg/apis/policy/validation/validation.go +++ b/pkg/apis/policy/validation/validation.go 
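Review bot: The new IDRange doc comment in the @@ -312 hunk states only that it "provides a min/max of an allowed range of IDs", while the constraints a consumer of this type needs — both bounds are inclusive (already noted on the fields), and the validation tests in this same diff treat a negative Min or Max and Min > Max as invalid — are not stated on the type itself. Now that one type backs RunAsUser, FSGroup and SupplementalGroups (the @@ -352 and @@ -374 hunks are the plain type swaps), a reader of pkg/apis/policy alone cannot see those rules. I'd extend the comment to `// IDRange provides a min/max of an allowed range of IDs. Min and Max are inclusive; validation rejects negative values and Min > Max.` The "rejects negative values" part is inferred from the invalidRangeNegativeMin/Max cases in validation_test.go rather than from validateIDRanges, whose body is outside this diff, so confirm the wording against that function.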
@@ -325,12 +325,12 @@ func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) fie return allErrs } -func validateUserIDRange(fldPath *field.Path, rng policy.UserIDRange) field.ErrorList { - return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max)) +func validateUserIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList { + return validateIDRanges(fldPath, rng.Min, rng.Max) } -func validateGroupIDRange(fldPath *field.Path, rng policy.GroupIDRange) field.ErrorList { - return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max)) +func validateGroupIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList { + return validateIDRanges(fldPath, rng.Min, rng.Max) } // validateIDRanges ensures the range is valid. diff --git a/pkg/apis/policy/validation/validation_test.go b/pkg/apis/policy/validation/validation_test.go index 0f1c58212f2..681812a63cc 100644 --- a/pkg/apis/policy/validation/validation_test.go +++ b/pkg/apis/policy/validation/validation_test.go @@ -270,7 +270,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) { invalidUIDPSP := validPSP() invalidUIDPSP.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs - invalidUIDPSP.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: -1, Max: 1}} + invalidUIDPSP.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: -1, Max: 1}} missingObjectMetaName := validPSP() missingObjectMetaName.ObjectMeta.Name = "" 
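Review bot: After the @@ -325 hunk, validateUserIDRange and validateGroupIDRange have the identical signature `(fldPath *field.Path, rng policy.IDRange)` and an identical one-line body, so the split no longer encodes any difference and the two can silently drift on a future fix. I'd collapse them into a single `func validateIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList { return validateIDRanges(fldPath, rng.Min, rng.Max) }` and point the callers (outside this hunk) at it, or, if the two names are kept deliberately for readability at the call sites, add a one-line comment on each saying it is a thin alias of validateIDRanges. Dropping the int64() conversions is correct given the types.go hunk declares Min and Max as int64.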
@@ -288,17 +288,17 @@ func TestValidatePodSecurityPolicy(t *testing.T) { invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid" invalidRangeMinGreaterThanMax := validPSP() - invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{ + invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []policy.IDRange{ {Min: 2, Max: 1}, } invalidRangeNegativeMin := validPSP() - invalidRangeNegativeMin.Spec.FSGroup.Ranges = []policy.GroupIDRange{ + invalidRangeNegativeMin.Spec.FSGroup.Ranges = []policy.IDRange{ {Min: -1, Max: 10}, } invalidRangeNegativeMax := validPSP() - invalidRangeNegativeMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{ + invalidRangeNegativeMax.Spec.FSGroup.Ranges = []policy.IDRange{ {Min: 1, Max: -10}, } @@ -539,7 +539,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) { mustRunAs.Spec.FSGroup.Rule = policy.FSGroupStrategyMustRunAs mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs - mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{ + mustRunAs.Spec.RunAsUser.Ranges = []policy.IDRange{ {Min: 1, Max: 1}, } mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs 
@@ -733,8 +733,8 @@ func Test_validatePSPRunAsUser(t *testing.T) { {"Invalid RunAsUserStrategy", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategy("someInvalidStrategy")}, true}, {"RunAsUserStrategyMustRunAs", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs}, false}, {"RunAsUserStrategyMustRunAsNonRoot", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAsNonRoot}, false}, - {"RunAsUserStrategyMustRunAsNonRoot With Valid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false}, - {"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true}, + {"RunAsUserStrategyMustRunAsNonRoot With Valid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.IDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false}, + {"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.IDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true}, } for _, testCase := range testCases { diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go index 0bc468cc77a..636374eb534 100644 --- a/pkg/printers/internalversion/describe.go +++ b/pkg/printers/internalversion/describe.go 
@@ -3535,13 +3535,13 @@ func describePodSecurityPolicy(psp *policy.PodSecurityPolicy) (string, error) { w.Write(LEVEL_2, "Level:\t%s\n", stringOrNone(level)) w.Write(LEVEL_1, "Run As User Strategy: %s\t\n", string(psp.Spec.RunAsUser.Rule)) - w.Write(LEVEL_2, "Ranges:\t%s\n", userIDRangeToString(psp.Spec.RunAsUser.Ranges)) + w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.RunAsUser.Ranges)) w.Write(LEVEL_1, "FSGroup Strategy: %s\t\n", string(psp.Spec.FSGroup.Rule)) - w.Write(LEVEL_2, "Ranges:\t%s\n", groupIDRangeToString(psp.Spec.FSGroup.Ranges)) + w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.FSGroup.Ranges)) w.Write(LEVEL_1, "Supplemental Groups Strategy: %s\t\n", string(psp.Spec.SupplementalGroups.Rule)) - w.Write(LEVEL_2, "Ranges:\t%s\n", groupIDRangeToString(psp.Spec.SupplementalGroups.Ranges)) + w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.SupplementalGroups.Ranges)) return nil }) @@ -3586,19 +3586,7 @@ func hostPortRangeToString(ranges []policy.HostPortRange) string { return stringOrNone(formattedString) } -func userIDRangeToString(ranges []policy.UserIDRange) string { - formattedString := "" - if ranges != nil { - strRanges := []string{} - for _, r := range ranges { - strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max)) - } - formattedString = strings.Join(strRanges, ",") - } - return stringOrNone(formattedString) -} - -func groupIDRangeToString(ranges []policy.GroupIDRange) string { +func idRangeToString(ranges []policy.IDRange) string { formattedString := "" if ranges != nil { strRanges := []string{} diff --git a/pkg/security/podsecuritypolicy/group/mustrunas.go b/pkg/security/podsecuritypolicy/group/mustrunas.go index 5516351ccb8..9e2b8b8791a 100644 --- a/pkg/security/podsecuritypolicy/group/mustrunas.go +++ b/pkg/security/podsecuritypolicy/group/mustrunas.go 
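Review bot: idRangeToString in the @@ -3586 hunk keeps the inherited `if ranges != nil` guard and an unsized `strRanges := []string{}`; a non-nil empty slice takes the populated path only to produce "" and reach stringOrNone("") like the nil case, so an emptiness check says what is meant: `if len(ranges) > 0 {` together with `strRanges := make([]string, 0, len(ranges))`. This is a style change only, the output is identical for nil, empty and populated input. The function body continues past the end of the hunk, and if hostPortRangeToString just above (body outside the hunk) follows the same pattern it could be aligned at the same time.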
@@ -27,14 +27,14 @@ import ( // mustRunAs implements the GroupStrategy interface type mustRunAs struct { - ranges []policy.GroupIDRange + ranges []policy.IDRange field string } var _ GroupStrategy = &mustRunAs{} // NewMustRunAs provides a new MustRunAs strategy based on ranges. -func NewMustRunAs(ranges []policy.GroupIDRange, field string) (GroupStrategy, error) { +func NewMustRunAs(ranges []policy.IDRange, field string) (GroupStrategy, error) { if len(ranges) == 0 { return nil, fmt.Errorf("ranges must be supplied for MustRunAs") } diff --git a/pkg/security/podsecuritypolicy/group/mustrunas_test.go b/pkg/security/podsecuritypolicy/group/mustrunas_test.go index 970c4fd4633..3d7c17e33ef 100644 --- a/pkg/security/podsecuritypolicy/group/mustrunas_test.go +++ b/pkg/security/podsecuritypolicy/group/mustrunas_test.go @@ -25,14 +25,14 @@ import ( func TestMustRunAsOptions(t *testing.T) { tests := map[string]struct { - ranges []policy.GroupIDRange + ranges []policy.IDRange pass bool }{ "empty": { - ranges: []policy.GroupIDRange{}, + ranges: []policy.IDRange{}, }, "ranges": { - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 1}, }, pass: true, @@ -52,23 +52,23 @@ func TestMustRunAsOptions(t *testing.T) { func TestGenerate(t *testing.T) { tests := map[string]struct { - ranges []policy.GroupIDRange + ranges []policy.IDRange expected []int64 }{ "multi value": { - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 2}, }, expected: []int64{1}, }, "single value": { - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 1}, }, expected: []int64{1}, }, "multi range": { - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 1}, {Min: 2, Max: 500}, }, 
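Review bot: NewMustRunAs in the @@ -27 hunk returns an error when ranges is empty, but its doc comment ("provides a new MustRunAs strategy based on ranges") does not say so, and with the parameter now being the shared policy.IDRange the comment is the only place a caller learns that precondition. I'd extend it to `// NewMustRunAs provides a new MustRunAs strategy based on ranges. At least one range must be supplied; an empty slice returns an error.` The field parameter is also undocumented, but its use is outside the hunk so I can't propose wording for it; the rest of the constructor is likewise outside the hunk.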
@@ -110,25 +110,25 @@ func TestGenerate(t *testing.T) { func TestValidate(t *testing.T) { tests := map[string]struct { - ranges []policy.GroupIDRange + ranges []policy.IDRange groups []int64 expectedError string }{ "nil security context": { - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 3}, }, expectedError: "unable to validate empty groups against required ranges", }, "empty groups": { - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 3}, }, expectedError: "unable to validate empty groups against required ranges", }, "not in range": { groups: []int64{5}, - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 3}, {Min: 4, Max: 4}, }, @@ -136,25 +136,25 @@ func TestValidate(t *testing.T) { }, "in range 1": { groups: []int64{2}, - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 3}, }, }, "in range boundary min": { groups: []int64{1}, - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 3}, }, }, "in range boundary max": { groups: []int64{3}, - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 1, Max: 3}, }, }, "singular range": { groups: []int64{4}, - ranges: []policy.GroupIDRange{ + ranges: []policy.IDRange{ {Min: 4, Max: 4}, }, }, diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go index 4d8747c7494..a6361136349 100644 --- a/pkg/security/podsecuritypolicy/provider_test.go +++ b/pkg/security/podsecuritypolicy/provider_test.go @@ -186,7 +186,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { failSupplementalGroupPSP := defaultPSP() failSupplementalGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{ Rule: policy.SupplementalGroupsStrategyMustRunAs, - Ranges: []policy.GroupIDRange{ + Ranges: []policy.IDRange{ {Min: 1, Max: 1}, }, } 
@@ -197,7 +197,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { failFSGroupPSP := defaultPSP() failFSGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{ Rule: policy.FSGroupStrategyMustRunAs, - Ranges: []policy.GroupIDRange{ + Ranges: []policy.IDRange{ {Min: 1, Max: 1}, }, } @@ -409,7 +409,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) { badUID := int64(1) failUserPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{ Rule: policy.RunAsUserStrategyMustRunAs, - Ranges: []policy.UserIDRange{{Min: uid, Max: uid}}, + Ranges: []policy.IDRange{{Min: uid, Max: uid}}, } failUserPod := defaultPod() failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID @@ -564,7 +564,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { supGroupPSP := defaultPSP() supGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{ Rule: policy.SupplementalGroupsStrategyMustRunAs, - Ranges: []policy.GroupIDRange{ + Ranges: []policy.IDRange{ {Min: 1, Max: 5}, }, } @@ -574,7 +574,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { fsGroupPSP := defaultPSP() fsGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{ Rule: policy.FSGroupStrategyMustRunAs, - Ranges: []policy.GroupIDRange{ + Ranges: []policy.IDRange{ {Min: 1, Max: 5}, }, } @@ -746,7 +746,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) { uid := int64(999) userPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{ Rule: policy.RunAsUserStrategyMustRunAs, - Ranges: []policy.UserIDRange{{Min: uid, Max: uid}}, + Ranges: []policy.IDRange{{Min: uid, Max: uid}}, } userPod := defaultPod() userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid diff --git a/pkg/security/podsecuritypolicy/user/mustrunas_test.go b/pkg/security/podsecuritypolicy/user/mustrunas_test.go index 3caf48b1317..f8358fb07e8 100644 --- a/pkg/security/podsecuritypolicy/user/mustrunas_test.go +++ b/pkg/security/podsecuritypolicy/user/mustrunas_test.go 
@@ -38,7 +38,7 @@ func TestNewMustRunAs(t *testing.T) { }, "valid opts": { opts: &policy.RunAsUserStrategyOptions{ - Ranges: []policy.UserIDRange{ + Ranges: []policy.IDRange{ {Min: 1, Max: 1}, }, }, @@ -58,7 +58,7 @@ func TestNewMustRunAs(t *testing.T) { func TestGenerate(t *testing.T) { opts := &policy.RunAsUserStrategyOptions{ - Ranges: []policy.UserIDRange{ + Ranges: []policy.IDRange{ {Min: 1, Max: 1}, }, } @@ -77,7 +77,7 @@ func TestGenerate(t *testing.T) { func TestValidate(t *testing.T) { opts := &policy.RunAsUserStrategyOptions{ - Ranges: []policy.UserIDRange{ + Ranges: []policy.IDRange{ {Min: 1, Max: 1}, {Min: 10, Max: 20}, }, diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go index ff9092b686d..67643ccfd2e 100644 --- a/pkg/security/podsecuritypolicy/util/util.go +++ b/pkg/security/podsecuritypolicy/util/util.go @@ -164,12 +164,12 @@ func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool { } // UserFallsInRange is a utility to determine it the id falls in the valid range. -func UserFallsInRange(id int64, rng policy.UserIDRange) bool { +func UserFallsInRange(id int64, rng policy.IDRange) bool { return id >= rng.Min && id <= rng.Max } // GroupFallsInRange is a utility to determine it the id falls in the valid range. -func GroupFallsInRange(id int64, rng policy.GroupIDRange) bool { +func GroupFallsInRange(id int64, rng policy.IDRange) bool { return id >= rng.Min && id <= rng.Max } diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go index 80dd1b75fe2..6cdf1d3c935 100644 --- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go +++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go 
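Review bot: UserFallsInRange and GroupFallsInRange in the @@ -164 hunk of util.go are now the same function line for line (same parameter types, same inclusive comparison), so the pair is pure duplication. I'd keep one implementation, e.g. `func IDFallsInRange(id int64, rng policy.IDRange) bool { return id >= rng.Min && id <= rng.Max }`, and have the two existing exported names delegate to it so callers (outside this hunk) keep compiling. Both doc comments also carry the same typo: "determine it the id falls" should read "determine if the id falls in the valid range". The inclusive comparison matches the "inclusive" wording on the IDRange fields in the types.go hunk.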
@@ -324,11 +324,11 @@ func defaultPod(t *testing.T, pod *kapi.Pod) *kapi.Pod { func TestAdmitPreferNonmutating(t *testing.T) { mutating1 := restrictivePSP() mutating1.Name = "mutating1" - mutating1.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: int64(1), Max: int64(1)}} + mutating1.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: int64(1), Max: int64(1)}} mutating2 := restrictivePSP() mutating2.Name = "mutating2" - mutating2.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: int64(2), Max: int64(2)}} + mutating2.Spec.RunAsUser.Ranges = []policy.IDRange{{Min: int64(2), Max: int64(2)}} privilegedPSP := permissivePSP() privilegedPSP.Name = "privileged" @@ -1194,7 +1194,7 @@ func TestAdmitRunAsUser(t *testing.T) { mustRunAs := permissivePSP() mustRunAs.Name = "mustRunAs" mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs - mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{ + mustRunAs.Spec.RunAsUser.Ranges = []policy.IDRange{ {Min: int64(999), Max: int64(1000)}, } @@ -1357,7 +1357,7 @@ func TestAdmitSupplementalGroups(t *testing.T) { mustRunAs := permissivePSP() mustRunAs.Name = "mustRunAs" mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs - mustRunAs.Spec.SupplementalGroups.Ranges = []policy.GroupIDRange{{Min: int64(999), Max: int64(1000)}} + mustRunAs.Spec.SupplementalGroups.Ranges = []policy.IDRange{{Min: int64(999), Max: int64(1000)}} tests := map[string]struct { pod *kapi.Pod @@ -2354,7 +2354,7 @@ func restrictivePSP() *policy.PodSecurityPolicy { Spec: policy.PodSecurityPolicySpec{ RunAsUser: policy.RunAsUserStrategyOptions{ Rule: policy.RunAsUserStrategyMustRunAs, - Ranges: []policy.UserIDRange{ + Ranges: []policy.IDRange{ {Min: int64(999), Max: int64(999)}, }, }, 
@@ -2366,13 +2366,13 @@ func restrictivePSP() *policy.PodSecurityPolicy { }, FSGroup: policy.FSGroupStrategyOptions{ Rule: policy.FSGroupStrategyMustRunAs, - Ranges: []policy.GroupIDRange{ + Ranges: []policy.IDRange{ {Min: int64(999), Max: int64(999)}, }, }, SupplementalGroups: policy.SupplementalGroupsStrategyOptions{ Rule: policy.SupplementalGroupsStrategyMustRunAs, - Ranges: []policy.GroupIDRange{ + Ranges: []policy.IDRange{ {Min: int64(999), Max: int64(999)}, }, },