Allow PSP's to specify a whitelist of allowed paths for host volume

removed files not supposed to be there
2026-01-06 16:06:51 +00:00 · 2017-08-06 15:40:18 -04:00
parent a235ba4e49
commit fab6044a31
18 changed files with 1424 additions and 189 deletions
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
@@ -248,6 +248,23 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 		},
 	}

+	failHostPathDirPod := defaultPod()
+	failHostPathDirPod.Spec.Volumes = []api.Volume{
+		{
+			Name: "bad volume",
+			VolumeSource: api.VolumeSource{
+				HostPath: &api.HostPathVolumeSource{
+					Path: "/fail",
+				},
+			},
+		},
+	}
+	failHostPathDirPSP := defaultPSP()
+	failHostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
+	failHostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+		{PathPrefix: "/foo/bar"},
+	}
+
 	failOtherSysctlsAllowedPSP := defaultPSP()
 	failOtherSysctlsAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc"

@@ -318,6 +335,11 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 			psp:           defaultPSP(),
 			expectedError: "hostPath volumes are not allowed to be used",
 		},
+		"failHostPathDirPSP": {
+			pod:           failHostPathDirPod,
+			psp:           failHostPathDirPSP,
+			expectedError: "is not allowed to be used",
+		},
 		"failSafeSysctlFooPod with failNoSysctlAllowedSCC": {
 			pod:           failSafeSysctlFooPod,
 			psp:           failNoSysctlAllowedPSP,
@@ -556,6 +578,30 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 		Level: "level",
 	}

+	hostPathDirPod := defaultPod()
+	hostPathDirPod.Spec.Volumes = []api.Volume{
+		{
+			Name: "good volume",
+			VolumeSource: api.VolumeSource{
+				HostPath: &api.HostPathVolumeSource{
+					Path: "/foo/bar/baz",
+				},
+			},
+		},
+	}
+
+	hostPathDirPSP := defaultPSP()
+	hostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
+	hostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+		{PathPrefix: "/foo/bar"},
+	}
+
+	hostPathDirAsterisksPSP := defaultPSP()
+	hostPathDirAsterisksPSP.Spec.Volumes = []extensions.FSType{extensions.All}
+	hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+		{PathPrefix: "/foo/bar"},
+	}
+
 	sysctlAllowFooPSP := defaultPSP()
 	sysctlAllowFooPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "foo"

@@ -619,6 +665,14 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 			pod: unsafeSysctlFooPod,
 			psp: defaultPSP(),
 		},
+		"pass hostDir allowed directory validating PSP": {
+			pod: hostPathDirPod,
+			psp: hostPathDirPSP,
+		},
+		"pass hostDir all volumes allowed validating PSP": {
+			pod: hostPathDirPod,
+			psp: hostPathDirAsterisksPSP,
+		},
 		"pass seccomp validating PSP": {
 			pod: seccompPod,
 			psp: seccompPSP,