Added host path whitelist to psp

pkg/security/podsecuritypolicy/util/util.go

@@ -18,6 +18,7 @@ package util
 
 import (
 	"fmt"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -168,3 +169,52 @@ func UserFallsInRange(id types.UnixUserID, rng extensions.UserIDRange) bool {
 func GroupFallsInRange(id types.UnixGroupID, rng extensions.GroupIDRange) bool {
 	return id >= rng.Min && id <= rng.Max
 }
+
+// PSPAllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
+// This only checks the path. You should still check to make sure the host volume fs type is allowed.
+func PSPAllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool {
+	if psp == nil {
+		return false
+	}
+
+	// If no allowed paths are specified then allow any path
+	if len(psp.Spec.AllowedHostPaths) == 0 {
+		return true
+	}
+
+	for _, allowedPath := range psp.Spec.AllowedHostPaths {
+		if hasPathPrefix(hostPath, allowedPath) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// hasPathPrefix returns true if the string matches pathPrefix exactly, or if is prefixed with pathPrefix at a path segment boundary
+// the string and pathPrefix are both normalized to remove trailing slashes prior to checking.
+func hasPathPrefix(s, pathPrefix string) bool {
+
+	s = strings.TrimSuffix(s, "/")
+	pathPrefix = strings.TrimSuffix(pathPrefix, "/")
+
+	// Short circuit if s doesn't contain the prefix at all
+	if !strings.HasPrefix(s, pathPrefix) {
+		return false
+	}
+
+	pathPrefixLength := len(pathPrefix)
+
+	if len(s) == pathPrefixLength {
+		// Exact match
+		return true
+	}
+
+	if s[pathPrefixLength:pathPrefixLength+1] == "/" {
+		// The next character in s is a path segment boundary
+		// Check this instead of normalizing pathPrefix to avoid allocating on every call
+		return true
+	}
+
+	return false
+}