mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-13 10:33:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

build: move e2e dependencies into e2e/go.mod

Browse Source 
Several packages are only used while running the e2e suite. These
packages are less important to update, as the they can not influence the
final executable that is part of the Ceph-CSI container-image.

By moving these dependencies out of the main Ceph-CSI go.mod, it is
easier to identify if a reported CVE affects Ceph-CSI, or only the
testing (like most of the Kubernetes CVEs).

Signed-off-by: Niels de Vos <ndevos@ibm.com>
This commit is contained in:
Niels de Vos
2025-03-04 08:57:28 +01:00
committed by mergify[bot]
parent 15da101b1b
commit bec6090996
8047 changed files with 1407827 additions and 3453 deletions
Download Patch File Download Diff File Expand all files Collapse all files

201
e2e/vendor/k8s.io/pod-security-admission/LICENSE generated vendored Normal file
View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

146
e2e/vendor/k8s.io/pod-security-admission/api/attributes.go generated vendored Normal file
View File

@ -0,0 +1,146 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package api
import (
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// Attributes exposes the admission request parameters consumed by the PodSecurity admission controller.
type Attributes interface {
// GetName is the name of the object associated with the request.
GetName() string
// GetNamespace is the namespace associated with the request (if any)
GetNamespace() string
// GetResource is the name of the resource being requested. This is not the kind. For example: pods
GetResource() schema.GroupVersionResource
// GetKind is the name of the kind being requested. For example: Pod
GetKind() schema.GroupVersionKind
// GetSubresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.
// For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
// (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
GetSubresource() string
// GetOperation is the operation being performed
GetOperation() admissionv1.Operation
// GetObject returns the typed Object from incoming request.
// For objects in the core API group, the result must use the v1 API.
GetObject() (runtime.Object, error)
// GetOldObject returns the typed existing object. Only populated for UPDATE requests.
// For objects in the core API group, the result must use the v1 API.
GetOldObject() (runtime.Object, error)
// GetUserName is the requesting user's authenticated name.
GetUserName() string
}
// AttributesRecord is a simple struct implementing the Attributes interface.
type AttributesRecord struct {
Name string
Namespace string
Kind schema.GroupVersionKind
Resource schema.GroupVersionResource
Subresource string
Operation admissionv1.Operation
Object runtime.Object
OldObject runtime.Object
Username string
}
func (a *AttributesRecord) GetName() string {
return a.Name
}
func (a *AttributesRecord) GetNamespace() string {
return a.Namespace
}
func (a *AttributesRecord) GetKind() schema.GroupVersionKind {
return a.Kind
}
func (a *AttributesRecord) GetResource() schema.GroupVersionResource {
return a.Resource
}
func (a *AttributesRecord) GetSubresource() string {
return a.Subresource
}
func (a *AttributesRecord) GetOperation() admissionv1.Operation {
return a.Operation
}
func (a *AttributesRecord) GetUserName() string {
return a.Username
}
func (a *AttributesRecord) GetObject() (runtime.Object, error) {
return a.Object, nil
}
func (a *AttributesRecord) GetOldObject() (runtime.Object, error) {
return a.OldObject, nil
}
var _ Attributes = &AttributesRecord{}
// RequestAttributes adapts an admission.Request to the Attributes interface.
func RequestAttributes(request *admissionv1.AdmissionRequest, decoder runtime.Decoder) Attributes {
return &attributes{
r: request,
decoder: decoder,
}
}
// attributes is an interface used by AdmissionController to get information about a request
// that is used to make an admission decision.
type attributes struct {
r *admissionv1.AdmissionRequest
decoder runtime.Decoder
}
func (a *attributes) GetName() string {
return a.r.Name
}
func (a *attributes) GetNamespace() string {
return a.r.Namespace
}
func (a *attributes) GetKind() schema.GroupVersionKind {
return schema.GroupVersionKind(a.r.Kind)
}
func (a *attributes) GetResource() schema.GroupVersionResource {
return schema.GroupVersionResource(a.r.Resource)
}
func (a *attributes) GetSubresource() string {
return a.r.RequestSubResource
}
func (a *attributes) GetOperation() admissionv1.Operation {
return a.r.Operation
}
func (a *attributes) GetUserName() string {
return a.r.UserInfo.Username
}
func (a *attributes) GetObject() (runtime.Object, error) {
return a.decode(a.r.Object)
}
func (a *attributes) GetOldObject() (runtime.Object, error) {
return a.decode(a.r.OldObject)
}
func (a *attributes) decode(in runtime.RawExtension) (runtime.Object, error) {
if in.Raw == nil {
return nil, nil
}
gvk := schema.GroupVersionKind(a.r.Kind)
out, _, err := a.decoder.Decode(in.Raw, &gvk, nil)
return out, err
}
var _ Attributes = &attributes{}

50
e2e/vendor/k8s.io/pod-security-admission/api/constants.go generated vendored Normal file
View File

@ -0,0 +1,50 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package api
type Level string
const (
LevelPrivileged Level = "privileged"
LevelBaseline Level = "baseline"
LevelRestricted Level = "restricted"
)
var validLevels = []string{
string(LevelPrivileged),
string(LevelBaseline),
string(LevelRestricted),
}
const VersionLatest = "latest"
const AuditAnnotationPrefix = labelPrefix
const (
labelPrefix = "pod-security.kubernetes.io/"
EnforceLevelLabel = labelPrefix + "enforce"
EnforceVersionLabel = labelPrefix + "enforce-version"
AuditLevelLabel = labelPrefix + "audit"
AuditVersionLabel = labelPrefix + "audit-version"
WarnLevelLabel = labelPrefix + "warn"
WarnVersionLabel = labelPrefix + "warn-version"
ExemptionReasonAnnotationKey = "exempt"
AuditViolationsAnnotationKey = "audit-violations"
EnforcedPolicyAnnotationKey = "enforce-policy"
)

18
e2e/vendor/k8s.io/pod-security-admission/api/doc.go generated vendored Normal file
View File

@ -0,0 +1,18 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package api contains constants and helpers for PodSecurity admission label keys and values
package api // import "k8s.io/pod-security-admission/api"

269
e2e/vendor/k8s.io/pod-security-admission/api/helpers.go generated vendored Normal file
View File

@ -0,0 +1,269 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package api
import (
"fmt"
"regexp"
"strconv"
"strings"
"unicode"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/component-base/version"
)
type Version struct {
major int
minor int
latest bool
}
func (v Version) String() string {
if v.latest {
return "latest"
}
return fmt.Sprintf("v%d.%d", v.major, v.minor)
}
// Older returns true if this version v is older than the other.
func (v *Version) Older(other Version) bool {
if v.latest { // Latest is always consider newer, even than future versions.
return false
}
if other.latest {
return true
}
if v.major != other.major {
return v.major < other.major
}
return v.minor < other.minor
}
func (v *Version) Major() int {
return v.major
}
func (v *Version) Minor() int {
return v.minor
}
func (v *Version) Latest() bool {
return v.latest
}
func MajorMinorVersion(major, minor int) Version {
return Version{major: major, minor: minor}
}
// GetAPIVersion get the version of apiServer and return the version major and minor
func GetAPIVersion() Version {
var err error
v := Version{}
apiVersion := version.Get()
major, err := strconv.Atoi(apiVersion.Major)
if err != nil {
return v
}
// split the "normal" + and - for semver stuff to get the leading minor number
minorString := strings.FieldsFunc(apiVersion.Minor, func(r rune) bool {
return !unicode.IsDigit(r)
})[0]
minor, err := strconv.Atoi(minorString)
if err != nil {
return v
}
v = MajorMinorVersion(major, minor)
return v
}
func LatestVersion() Version {
return Version{latest: true}
}
// ParseLevel returns the level that should be evaluated.
// level must be "privileged", "baseline", or "restricted".
// if level does not match one of those strings, "restricted" and an error is returned.
func ParseLevel(level string) (Level, error) {
switch Level(level) {
case LevelPrivileged, LevelBaseline, LevelRestricted:
return Level(level), nil
default:
return LevelRestricted, fmt.Errorf(`must be one of %s`, strings.Join(validLevels, ", "))
}
}
// Valid checks whether the level l is a valid level.
func (l *Level) Valid() bool {
switch *l {
case LevelPrivileged, LevelBaseline, LevelRestricted:
return true
default:
return false
}
}
var versionRegexp = regexp.MustCompile(`^v1\.([0-9]|[1-9][0-9]*)$`)
// ParseVersion returns the policy version that should be evaluated.
// version must be "latest" or "v1.x".
// If version does not match one of those patterns, the latest version and an error is returned.
func ParseVersion(version string) (Version, error) {
if version == "latest" {
return Version{latest: true}, nil
}
match := versionRegexp.FindStringSubmatch(version)
if len(match) != 2 {
return Version{latest: true}, fmt.Errorf(`must be "latest" or "v1.x"`)
}
versionNumber, err := strconv.Atoi(match[1])
if err != nil || versionNumber < 0 {
return Version{latest: true}, fmt.Errorf(`must be "latest" or "v1.x"`)
}
return Version{major: 1, minor: versionNumber}, nil
}
type LevelVersion struct {
Level
Version
}
func (lv LevelVersion) String() string {
return fmt.Sprintf("%s:%s", lv.Level, lv.Version)
}
// Equivalent determines whether two LevelVersions are functionally equivalent. LevelVersions are
// considered equivalent if both are privileged, or both levels & versions are equal.
func (lv *LevelVersion) Equivalent(other *LevelVersion) bool {
return (lv.Level == LevelPrivileged && other.Level == LevelPrivileged) ||
(lv.Level == other.Level && lv.Version == other.Version)
}
type Policy struct {
Enforce LevelVersion
Audit LevelVersion
Warn LevelVersion
}
func (p *Policy) String() string {
return fmt.Sprintf("enforce=%#v, audit=%#v, warn=%#v", p.Enforce, p.Audit, p.Warn)
}
// Equivalent determines whether two policies are functionally equivalent. Policies are considered
// equivalent if all 3 modes are considered equivalent.
func (p *Policy) Equivalent(other *Policy) bool {
return p.Enforce.Equivalent(&other.Enforce) && p.Audit.Equivalent(&other.Audit) && p.Warn.Equivalent(&other.Warn)
}
// FullyPrivileged returns true if all 3 policy modes are privileged.
func (p *Policy) FullyPrivileged() bool {
return p.Enforce.Level == LevelPrivileged &&
p.Audit.Level == LevelPrivileged &&
p.Warn.Level == LevelPrivileged
}
// PolicyToEvaluate resolves the PodSecurity namespace labels to the policy for that namespace,
// falling back to the provided defaults when a label is unspecified. A valid policy is always
// returned, even when an error is returned. If labels cannot be parsed correctly, the values of
// "restricted" and "latest" are used for level and version respectively.
func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.ErrorList) {
var (
err error
errs field.ErrorList
p = defaults
hasEnforceLevel bool
hasWarnLevel, hasWarnVersion bool
)
if len(labels) == 0 {
return p, nil
}
if level, ok := labels[EnforceLevelLabel]; ok {
p.Enforce.Level, err = ParseLevel(level)
hasEnforceLevel = (err == nil) // Don't default warn in case of error
errs = appendErr(errs, err, EnforceLevelLabel, level)
}
if version, ok := labels[EnforceVersionLabel]; ok {
p.Enforce.Version, err = ParseVersion(version)
errs = appendErr(errs, err, EnforceVersionLabel, version)
}
if level, ok := labels[AuditLevelLabel]; ok {
p.Audit.Level, err = ParseLevel(level)
errs = appendErr(errs, err, AuditLevelLabel, level)
if err != nil {
p.Audit.Level = LevelPrivileged // Fail open for audit.
}
}
if version, ok := labels[AuditVersionLabel]; ok {
p.Audit.Version, err = ParseVersion(version)
errs = appendErr(errs, err, AuditVersionLabel, version)
}
if level, ok := labels[WarnLevelLabel]; ok {
hasWarnLevel = true
p.Warn.Level, err = ParseLevel(level)
errs = appendErr(errs, err, WarnLevelLabel, level)
if err != nil {
p.Warn.Level = LevelPrivileged // Fail open for warn.
}
}
if version, ok := labels[WarnVersionLabel]; ok {
hasWarnVersion = true
p.Warn.Version, err = ParseVersion(version)
errs = appendErr(errs, err, WarnVersionLabel, version)
}
// Default warn to the enforce level when explicitly set to a more restrictive level.
if !hasWarnLevel && hasEnforceLevel && CompareLevels(p.Enforce.Level, p.Warn.Level) > 0 {
p.Warn.Level = p.Enforce.Level
if !hasWarnVersion {
p.Warn.Version = p.Enforce.Version
}
}
return p, errs
}
// CompareLevels returns an integer comparing two levels by strictness. The result will be 0 if
// a==b, -1 if a is less strict than b, and +1 if a is more strict than b.
func CompareLevels(a, b Level) int {
if a == b {
return 0
}
switch a {
case LevelPrivileged:
return -1
case LevelRestricted:
return 1
default:
if b == LevelPrivileged {
return 1
} else if b == LevelRestricted {
return -1
}
}
// This should only happen if both a & b are invalid levels.
return 0
}
var labelsPath = field.NewPath("metadata", "labels")
// appendErr is a helper function to collect label-specific errors.
func appendErr(errs field.ErrorList, err error, label, value string) field.ErrorList {
if err != nil {
return append(errs, field.Invalid(labelsPath.Key(label), value, err.Error()))
}
return errs
}

93
e2e/vendor/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go generated vendored Normal file
View File

@ -0,0 +1,93 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
/*
Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.
**Restricted Fields:**
spec.containers[*].securityContext.allowPrivilegeEscalation
spec.initContainers[*].securityContext.allowPrivilegeEscalation
**Allowed Values:** false
*/
func init() {
addCheck(CheckAllowPrivilegeEscalation)
}
// CheckAllowPrivilegeEscalation returns a restricted level check
// that requires allowPrivilegeEscalation=false in 1.8+
func CheckAllowPrivilegeEscalation() Check {
return Check{
ID: "allowPrivilegeEscalation",
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
// Field added in 1.8:
// https://github.com/kubernetes/kubernetes/blob/v1.8.0/staging/src/k8s.io/api/core/v1/types.go#L4797-L4804
MinimumVersion: api.MajorMinorVersion(1, 8),
CheckPod: allowPrivilegeEscalation_1_8,
},
{
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
MinimumVersion: api.MajorMinorVersion(1, 25),
CheckPod: allowPrivilegeEscalation_1_25,
},
},
}
}
func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil || *container.SecurityContext.AllowPrivilegeEscalation {
badContainers = append(badContainers, container.Name)
}
})
if len(badContainers) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "allowPrivilegeEscalation != false",
ForbiddenDetail: fmt.Sprintf(
"%s %s must set securityContext.allowPrivilegeEscalation=false",
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
),
}
}
return CheckResult{Allowed: true}
}
func allowPrivilegeEscalation_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set.
// We can admit the Windows pod even if privilegeEscalation has not been set.
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
return CheckResult{Allowed: true}
}
return allowPrivilegeEscalation_1_8(podMetadata, podSpec)
}

143
e2e/vendor/k8s.io/pod-security-admission/policy/check_appArmorProfile.go generated vendored Normal file
View File

@ -0,0 +1,143 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"sort"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The baseline policy should prevent overriding or disabling the default AppArmor
profile, or restrict overrides to an allowed set of profiles.
**Restricted Fields:**
metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']
**Allowed Values:** 'runtime/default', 'localhost/*', empty, undefined
**Restricted Fields:**
spec.securityContext.appArmorProfile.type
spec.containers[*].securityContext.appArmorProfile.type
spec.initContainers[*].securityContext.appArmorProfile.type
spec.ephemeralContainers[*].securityContext.appArmorProfile.type
**Allowed Values:** 'RuntimeDefault', 'Localhost', undefined
*/
func init() {
addCheck(CheckAppArmorProfile)
}
// CheckAppArmorProfile returns a baseline level check
// that limits the value of AppArmor profiles in 1.0+
func CheckAppArmorProfile() Check {
return Check{
ID: "appArmorProfile",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: appArmorProfile_1_0,
},
},
}
}
func allowedAnnotationValue(profile string) bool {
return len(profile) == 0 ||
profile == corev1.DeprecatedAppArmorBetaProfileRuntimeDefault ||
strings.HasPrefix(profile, corev1.DeprecatedAppArmorBetaProfileNamePrefix)
}
func allowedProfileType(profile corev1.AppArmorProfileType) bool {
switch profile {
case corev1.AppArmorProfileTypeRuntimeDefault,
corev1.AppArmorProfileTypeLocalhost:
return true
default:
return false
}
}
func appArmorProfile_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badSetters []string // things that explicitly set appArmorProfile.type to a bad value
badValues := sets.NewString()
if podSpec.SecurityContext != nil && podSpec.SecurityContext.AppArmorProfile != nil {
if !allowedProfileType(podSpec.SecurityContext.AppArmorProfile.Type) {
badSetters = append(badSetters, "pod")
badValues.Insert(string(podSpec.SecurityContext.AppArmorProfile.Type))
}
}
var badContainers []string // containers that set apparmorProfile.type to a bad value
visitContainers(podSpec, func(c *corev1.Container) {
if c.SecurityContext != nil && c.SecurityContext.AppArmorProfile != nil {
if !allowedProfileType(c.SecurityContext.AppArmorProfile.Type) {
badContainers = append(badContainers, c.Name)
badValues.Insert(string(c.SecurityContext.AppArmorProfile.Type))
}
}
})
if len(badContainers) > 0 {
badSetters = append(
badSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
),
)
}
var forbiddenAnnotations []string
for k, v := range podMetadata.Annotations {
if strings.HasPrefix(k, corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) && !allowedAnnotationValue(v) {
forbiddenAnnotations = append(forbiddenAnnotations, fmt.Sprintf("%s=%q", k, v))
}
}
badValueList := badValues.List()
if len(forbiddenAnnotations) > 0 {
sort.Strings(forbiddenAnnotations)
badValueList = append(badValueList, forbiddenAnnotations...)
badSetters = append(badSetters, pluralize("annotation", "annotations", len(forbiddenAnnotations)))
}
// pod or containers explicitly set bad apparmorProfiles
if len(badSetters) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: pluralize("forbidden AppArmor profile", "forbidden AppArmor profiles", len(badValueList)),
ForbiddenDetail: fmt.Sprintf(
"%s must not set AppArmor profile type to %s",
strings.Join(badSetters, " and "),
joinQuote(badValueList),
),
}
}
return CheckResult{Allowed: true}
}

110
e2e/vendor/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go generated vendored Normal file
View File

@ -0,0 +1,110 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
Adding NET_RAW or capabilities beyond the default set must be disallowed.
**Restricted Fields:**
spec.containers[*].securityContext.capabilities.add
spec.initContainers[*].securityContext.capabilities.add
**Allowed Values:**
undefined / empty
values from the default set "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE","FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"
*/
func init() {
addCheck(CheckCapabilitiesBaseline)
}
const checkCapabilitiesBaselineID CheckID = "capabilities_baseline"
// CheckCapabilitiesBaseline returns a baseline level check
// that limits the capabilities that can be added in 1.0+
func CheckCapabilitiesBaseline() Check {
return Check{
ID: checkCapabilitiesBaselineID,
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: capabilitiesBaseline_1_0,
},
},
}
}
var (
capabilities_allowed_1_0 = sets.NewString(
"AUDIT_WRITE",
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"MKNOD",
"NET_BIND_SERVICE",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT",
)
)
func capabilitiesBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
nonDefaultCapabilities := sets.NewString()
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.Capabilities != nil {
valid := true
for _, c := range container.SecurityContext.Capabilities.Add {
if !capabilities_allowed_1_0.Has(string(c)) {
valid = false
nonDefaultCapabilities.Insert(string(c))
}
}
if !valid {
badContainers = append(badContainers, container.Name)
}
}
})
if len(badContainers) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "non-default capabilities",
ForbiddenDetail: fmt.Sprintf(
"%s %s must not include %s in securityContext.capabilities.add",
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
joinQuote(nonDefaultCapabilities.List()),
),
}
}
return CheckResult{Allowed: true}
}

145
e2e/vendor/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go generated vendored Normal file
View File

@ -0,0 +1,145 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
const (
capabilityAll = "ALL"
capabilityNetBindService = "NET_BIND_SERVICE"
)
/*
Containers must drop ALL, and may only add NET_BIND_SERVICE.
**Restricted Fields:**
spec.containers[*].securityContext.capabilities.drop
spec.initContainers[*].securityContext.capabilities.drop
**Allowed Values:**
Must include "ALL"
**Restricted Fields:**
spec.containers[*].securityContext.capabilities.add
spec.initContainers[*].securityContext.capabilities.add
**Allowed Values:**
undefined / empty
"NET_BIND_SERVICE"
*/
func init() {
addCheck(CheckCapabilitiesRestricted)
}
// CheckCapabilitiesRestricted returns a restricted level check
// that ensures ALL capabilities are dropped in 1.22+
func CheckCapabilitiesRestricted() Check {
return Check{
ID: "capabilities_restricted",
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 22),
CheckPod: capabilitiesRestricted_1_22,
OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
},
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
{
MinimumVersion: api.MajorMinorVersion(1, 25),
CheckPod: capabilitiesRestricted_1_25,
OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
},
},
}
}
func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var (
containersMissingDropAll []string
containersAddingForbidden []string
forbiddenCapabilities = sets.NewString()
)
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext == nil || container.SecurityContext.Capabilities == nil {
containersMissingDropAll = append(containersMissingDropAll, container.Name)
return
}
droppedAll := false
for _, c := range container.SecurityContext.Capabilities.Drop {
if c == capabilityAll {
droppedAll = true
break
}
}
if !droppedAll {
containersMissingDropAll = append(containersMissingDropAll, container.Name)
}
addedForbidden := false
for _, c := range container.SecurityContext.Capabilities.Add {
if c != capabilityNetBindService {
addedForbidden = true
forbiddenCapabilities.Insert(string(c))
}
}
if addedForbidden {
containersAddingForbidden = append(containersAddingForbidden, container.Name)
}
})
var forbiddenDetails []string
if len(containersMissingDropAll) > 0 {
forbiddenDetails = append(forbiddenDetails, fmt.Sprintf(
`%s %s must set securityContext.capabilities.drop=["ALL"]`,
pluralize("container", "containers", len(containersMissingDropAll)),
joinQuote(containersMissingDropAll)))
}
if len(containersAddingForbidden) > 0 {
forbiddenDetails = append(forbiddenDetails, fmt.Sprintf(
`%s %s must not include %s in securityContext.capabilities.add`,
pluralize("container", "containers", len(containersAddingForbidden)),
joinQuote(containersAddingForbidden),
joinQuote(forbiddenCapabilities.List())))
}
if len(forbiddenDetails) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "unrestricted capabilities",
ForbiddenDetail: strings.Join(forbiddenDetails, "; "),
}
}
return CheckResult{Allowed: true}
}
func capabilitiesRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// Pod API validation would have failed if podOS == Windows and if capabilities have been set.
// We can admit the Windows pod even if capabilities has not been set.
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
return CheckResult{Allowed: true}
}
return capabilitiesRestricted_1_22(podMetadata, podSpec)
}

82
e2e/vendor/k8s.io/pod-security-admission/policy/check_hostNamespaces.go generated vendored Normal file
View File

@ -0,0 +1,82 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
/*
Sharing the host network, PID, and IPC namespaces must be disallowed.
**Restricted Fields:**
spec.hostNetwork
spec.hostPID
spec.hostIPC
**Allowed Values:** undefined, false
*/
func init() {
addCheck(CheckHostNamespaces)
}
// CheckHostNamespaces returns a baseline level check
// that prohibits host namespaces in 1.0+
func CheckHostNamespaces() Check {
return Check{
ID: "hostNamespaces",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: hostNamespaces_1_0,
},
},
}
}
func hostNamespaces_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var hostNamespaces []string
if podSpec.HostNetwork {
hostNamespaces = append(hostNamespaces, "hostNetwork=true")
}
if podSpec.HostPID {
hostNamespaces = append(hostNamespaces, "hostPID=true")
}
if podSpec.HostIPC {
hostNamespaces = append(hostNamespaces, "hostIPC=true")
}
if len(hostNamespaces) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "host namespaces",
ForbiddenDetail: strings.Join(hostNamespaces, ", "),
}
}
return CheckResult{Allowed: true}
}

76
e2e/vendor/k8s.io/pod-security-admission/policy/check_hostPathVolumes.go generated vendored Normal file
View File

@ -0,0 +1,76 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
/*
HostPath volumes must be forbidden.
**Restricted Fields:**
spec.volumes[*].hostPath
**Allowed Values:** undefined/null
*/
func init() {
addCheck(CheckHostPathVolumes)
}
const checkHostPathVolumesID CheckID = "hostPathVolumes"
// CheckHostPathVolumes returns a baseline level check
// that requires hostPath=undefined/null in 1.0+
func CheckHostPathVolumes() Check {
return Check{
ID: checkHostPathVolumesID,
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: hostPathVolumes_1_0,
},
},
}
}
func hostPathVolumes_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var hostVolumes []string
for _, volume := range podSpec.Volumes {
if volume.HostPath != nil {
hostVolumes = append(hostVolumes, volume.Name)
}
}
if len(hostVolumes) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "hostPath volumes",
ForbiddenDetail: fmt.Sprintf("%s %s", pluralize("volume", "volumes", len(hostVolumes)), joinQuote(hostVolumes)),
}
}
return CheckResult{Allowed: true}
}

91
e2e/vendor/k8s.io/pod-security-admission/policy/check_hostPorts.go generated vendored Normal file
View File

@ -0,0 +1,91 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"strconv"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
HostPort ports must be forbidden.
**Restricted Fields:**
spec.containers[*].ports[*].hostPort
spec.initContainers[*].ports[*].hostPort
**Allowed Values:** undefined/0
*/
func init() {
addCheck(CheckHostPorts)
}
// CheckHostPorts returns a baseline level check
// that forbids any host ports in 1.0+
func CheckHostPorts() Check {
return Check{
ID: "hostPorts",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: hostPorts_1_0,
},
},
}
}
func hostPorts_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
forbiddenHostPorts := sets.NewString()
visitContainers(podSpec, func(container *corev1.Container) {
valid := true
for _, c := range container.Ports {
if c.HostPort != 0 {
valid = false
forbiddenHostPorts.Insert(strconv.Itoa(int(c.HostPort)))
}
}
if !valid {
badContainers = append(badContainers, container.Name)
}
})
if len(badContainers) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "hostPort",
ForbiddenDetail: fmt.Sprintf(
"%s %s %s %s %s",
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
pluralize("uses", "use", len(badContainers)),
pluralize("hostPort", "hostPorts", len(forbiddenHostPorts)),
strings.Join(forbiddenHostPorts.List(), ", "),
),
}
}
return CheckResult{Allowed: true}
}

75
e2e/vendor/k8s.io/pod-security-admission/policy/check_privileged.go generated vendored Normal file
View File

@ -0,0 +1,75 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
/*
Privileged Pods disable most security mechanisms and must be disallowed.
Restricted Fields:
spec.containers[*].securityContext.privileged
spec.initContainers[*].securityContext.privileged
Allowed Values: false, undefined/null
*/
func init() {
addCheck(CheckPrivileged)
}
// CheckPrivileged returns a baseline level check
// that forbids privileged=true in 1.0+
func CheckPrivileged() Check {
return Check{
ID: "privileged",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: privileged_1_0,
},
},
}
}
func privileged_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged {
badContainers = append(badContainers, container.Name)
}
})
if len(badContainers) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "privileged",
ForbiddenDetail: fmt.Sprintf(
`%s %s must not set securityContext.privileged=true`,
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
),
}
}
return CheckResult{Allowed: true}
}

102
e2e/vendor/k8s.io/pod-security-admission/policy/check_procMount.go generated vendored Normal file
View File

@ -0,0 +1,102 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
The default /proc masks are set up to reduce attack surface, and should be required.
**Restricted Fields:**
spec.containers[*].securityContext.procMount
spec.initContainers[*].securityContext.procMount
**Allowed Values:** undefined/null, "Default"
However, if the pod is in a user namespace (`hostUsers: false`), and the
UserNamespacesPodSecurityStandards feature is enabled, all values are allowed.
*/
func init() {
addCheck(CheckProcMount)
}
// CheckProcMount returns a baseline level check that restricts
// setting the value of securityContext.procMount to DefaultProcMount
// in 1.0+
func CheckProcMount() Check {
return Check{
ID: "procMount",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: procMount_1_0,
},
},
}
}
func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// TODO: When we remove the UserNamespacesPodSecurityStandards feature gate (and GA this relaxation),
// create a new policy version.
// Note: pod validation will check for well formed procMount type, so avoid double validation and allow everything
// here.
if relaxPolicyForUserNamespacePod(podSpec) {
return CheckResult{Allowed: true}
}
var badContainers []string
forbiddenProcMountTypes := sets.NewString()
visitContainers(podSpec, func(container *corev1.Container) {
// allow if the security context is nil.
if container.SecurityContext == nil {
return
}
// allow if proc mount is not set.
if container.SecurityContext.ProcMount == nil {
return
}
// check if the value of the proc mount type is valid.
if *container.SecurityContext.ProcMount != corev1.DefaultProcMount {
badContainers = append(badContainers, container.Name)
forbiddenProcMountTypes.Insert(string(*container.SecurityContext.ProcMount))
}
})
if len(badContainers) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "procMount",
ForbiddenDetail: fmt.Sprintf(
"%s %s must not set securityContext.procMount to %s",
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
joinQuote(forbiddenProcMountTypes.List()),
),
}
}
return CheckResult{Allowed: true}
}

171
e2e/vendor/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go generated vendored Normal file
View File

@ -0,0 +1,171 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
In addition to restricting HostPath volumes, the restricted profile
limits usage of inline pod volume sources to:
* configMap
* downwardAPI
* emptyDir
* projected
* secret
* csi
* persistentVolumeClaim
* ephemeral
**Restricted Fields:**
spec.volumes[*].hostPath
spec.volumes[*].gcePersistentDisk
spec.volumes[*].awsElasticBlockStore
spec.volumes[*].gitRepo
spec.volumes[*].nfs
spec.volumes[*].iscsi
spec.volumes[*].glusterfs
spec.volumes[*].rbd
spec.volumes[*].flexVolume
spec.volumes[*].cinder
spec.volumes[*].cephfs
spec.volumes[*].flocker
spec.volumes[*].fc
spec.volumes[*].azureFile
spec.volumes[*].vsphereVolume
spec.volumes[*].quobyte
spec.volumes[*].azureDisk
spec.volumes[*].portworxVolume
spec.volumes[*].photonPersistentDisk
spec.volumes[*].scaleIO
spec.volumes[*].storageos
**Allowed Values:** undefined/null
*/
func init() {
addCheck(CheckRestrictedVolumes)
}
// CheckRestrictedVolumes returns a restricted level check
// that limits usage of specific volume types in 1.0+
func CheckRestrictedVolumes() Check {
return Check{
ID: "restrictedVolumes",
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: restrictedVolumes_1_0,
OverrideCheckIDs: []CheckID{checkHostPathVolumesID},
},
},
}
}
func restrictedVolumes_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badVolumes []string
badVolumeTypes := sets.NewString()
for _, volume := range podSpec.Volumes {
switch {
case volume.ConfigMap != nil,
volume.CSI != nil,
volume.DownwardAPI != nil,
volume.EmptyDir != nil,
volume.Ephemeral != nil,
volume.PersistentVolumeClaim != nil,
volume.Projected != nil,
volume.Secret != nil:
continue
default:
badVolumes = append(badVolumes, volume.Name)
switch {
case volume.HostPath != nil:
badVolumeTypes.Insert("hostPath")
case volume.GCEPersistentDisk != nil:
badVolumeTypes.Insert("gcePersistentDisk")
case volume.AWSElasticBlockStore != nil:
badVolumeTypes.Insert("awsElasticBlockStore")
case volume.GitRepo != nil:
badVolumeTypes.Insert("gitRepo")
case volume.NFS != nil:
badVolumeTypes.Insert("nfs")
case volume.ISCSI != nil:
badVolumeTypes.Insert("iscsi")
case volume.Glusterfs != nil:
badVolumeTypes.Insert("glusterfs")
case volume.RBD != nil:
badVolumeTypes.Insert("rbd")
case volume.FlexVolume != nil:
badVolumeTypes.Insert("flexVolume")
case volume.Cinder != nil:
badVolumeTypes.Insert("cinder")
case volume.CephFS != nil:
badVolumeTypes.Insert("cephfs")
case volume.Flocker != nil:
badVolumeTypes.Insert("flocker")
case volume.FC != nil:
badVolumeTypes.Insert("fc")
case volume.AzureFile != nil:
badVolumeTypes.Insert("azureFile")
case volume.VsphereVolume != nil:
badVolumeTypes.Insert("vsphereVolume")
case volume.Quobyte != nil:
badVolumeTypes.Insert("quobyte")
case volume.AzureDisk != nil:
badVolumeTypes.Insert("azureDisk")
case volume.PhotonPersistentDisk != nil:
badVolumeTypes.Insert("photonPersistentDisk")
case volume.PortworxVolume != nil:
badVolumeTypes.Insert("portworxVolume")
case volume.ScaleIO != nil:
badVolumeTypes.Insert("scaleIO")
case volume.StorageOS != nil:
badVolumeTypes.Insert("storageos")
default:
badVolumeTypes.Insert("unknown")
}
}
}
if len(badVolumes) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "restricted volume types",
ForbiddenDetail: fmt.Sprintf(
"%s %s %s %s %s",
pluralize("volume", "volumes", len(badVolumes)),
joinQuote(badVolumes),
pluralize("uses", "use", len(badVolumes)),
pluralize("restricted volume type", "restricted volume types", len(badVolumeTypes)),
joinQuote(badVolumeTypes.List()),
),
}
}
return CheckResult{Allowed: true}
}

133
e2e/vendor/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go generated vendored Normal file
View File

@ -0,0 +1,133 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
/*
Containers must be required to run as non-root users.
**Restricted Fields:**
spec.securityContext.runAsNonRoot
spec.containers[*].securityContext.runAsNonRoot
spec.initContainers[*].securityContext.runAsNonRoot
**Allowed Values:**
true
undefined/null at container-level if pod-level is set to true
*/
func init() {
addCheck(CheckRunAsNonRoot)
}
// CheckRunAsNonRoot returns a restricted level check
// that requires runAsNonRoot=true in 1.0+
func CheckRunAsNonRoot() Check {
return Check{
ID: "runAsNonRoot",
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: runAsNonRoot_1_0,
},
},
}
}
func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
if relaxPolicyForUserNamespacePod(podSpec) {
return CheckResult{Allowed: true}
}
// things that explicitly set runAsNonRoot=false
var badSetters []string
podRunAsNonRoot := false
if podSpec.SecurityContext != nil && podSpec.SecurityContext.RunAsNonRoot != nil {
if !*podSpec.SecurityContext.RunAsNonRoot {
badSetters = append(badSetters, "pod")
} else {
podRunAsNonRoot = true
}
}
// containers that explicitly set runAsNonRoot=false
var explicitlyBadContainers []string
// containers that didn't set runAsNonRoot and aren't caught by a pod-level runAsNonRoot=true
var implicitlyBadContainers []string
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.RunAsNonRoot != nil {
// container explicitly set runAsNonRoot
if !*container.SecurityContext.RunAsNonRoot {
// container explicitly set runAsNonRoot to a bad value
explicitlyBadContainers = append(explicitlyBadContainers, container.Name)
}
} else {
// container did not explicitly set runAsNonRoot
if !podRunAsNonRoot {
// no pod-level runAsNonRoot=true, so this container implicitly has a bad value
implicitlyBadContainers = append(implicitlyBadContainers, container.Name)
}
}
})
if len(explicitlyBadContainers) > 0 {
badSetters = append(
badSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(explicitlyBadContainers)),
joinQuote(explicitlyBadContainers),
),
)
}
// pod or containers explicitly set runAsNonRoot=false
if len(badSetters) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "runAsNonRoot != true",
ForbiddenDetail: fmt.Sprintf("%s must not set securityContext.runAsNonRoot=false", strings.Join(badSetters, " and ")),
}
}
// pod didn't set runAsNonRoot and not all containers opted into runAsNonRoot
if len(implicitlyBadContainers) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "runAsNonRoot != true",
ForbiddenDetail: fmt.Sprintf(
"pod or %s %s must set securityContext.runAsNonRoot=true",
pluralize("container", "containers", len(implicitlyBadContainers)),
joinQuote(implicitlyBadContainers),
),
}
}
return CheckResult{Allowed: true}
}

104
e2e/vendor/k8s.io/pod-security-admission/policy/check_runAsUser.go generated vendored Normal file
View File

@ -0,0 +1,104 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
/*
Containers must not set runAsUser: 0
**Restricted Fields:**
spec.securityContext.runAsUser
spec.containers[*].securityContext.runAsUser
spec.initContainers[*].securityContext.runAsUser
**Allowed Values:**
non-zero values
undefined/null
*/
func init() {
addCheck(CheckRunAsUser)
}
// CheckRunAsUser returns a restricted level check
// that forbides runAsUser=0 in 1.23+
func CheckRunAsUser() Check {
return Check{
ID: "runAsUser",
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 23),
CheckPod: runAsUser_1_23,
},
},
}
}
func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
if relaxPolicyForUserNamespacePod(podSpec) {
return CheckResult{Allowed: true}
}
// things that explicitly set runAsUser=0
var badSetters []string
if podSpec.SecurityContext != nil && podSpec.SecurityContext.RunAsUser != nil && *podSpec.SecurityContext.RunAsUser == 0 {
badSetters = append(badSetters, "pod")
}
// containers that explicitly set runAsUser=0
var explicitlyBadContainers []string
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.RunAsUser != nil && *container.SecurityContext.RunAsUser == 0 {
explicitlyBadContainers = append(explicitlyBadContainers, container.Name)
}
})
if len(explicitlyBadContainers) > 0 {
badSetters = append(
badSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(explicitlyBadContainers)),
joinQuote(explicitlyBadContainers),
),
)
}
// pod or containers explicitly set runAsUser=0
if len(badSetters) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "runAsUser=0",
ForbiddenDetail: fmt.Sprintf("%s must not set runAsUser=0", strings.Join(badSetters, " and ")),
}
}
return CheckResult{Allowed: true}
}

172
e2e/vendor/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go generated vendored Normal file
View File

@ -0,0 +1,172 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.
**Restricted Fields:**
spec.securityContext.seLinuxOptions.type
spec.containers[*].securityContext.seLinuxOptions.type
spec.initContainers[*].securityContext.seLinuxOptions.type
**Allowed Values:**
undefined/empty
container_t
container_init_t
container_kvm_t
**Restricted Fields:**
spec.securityContext.seLinuxOptions.user
spec.containers[*].securityContext.seLinuxOptions.user
spec.initContainers[*].securityContext.seLinuxOptions.user
spec.securityContext.seLinuxOptions.role
spec.containers[*].securityContext.seLinuxOptions.role
spec.initContainers[*].securityContext.seLinuxOptions.role
**Allowed Values:** undefined/empty
*/
func init() {
addCheck(CheckSELinuxOptions)
}
// CheckSELinuxOptions returns a baseline level check
// that limits seLinuxOptions type, user, and role values in 1.0+
func CheckSELinuxOptions() Check {
return Check{
ID: "seLinuxOptions",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: seLinuxOptions1_0,
},
{
MinimumVersion: api.MajorMinorVersion(1, 31),
CheckPod: seLinuxOptions1_31,
},
},
}
}
var (
selinuxAllowedTypes1_0 = sets.New("", "container_t", "container_init_t", "container_kvm_t")
selinuxAllowedTypes1_31 = sets.New("", "container_t", "container_init_t", "container_kvm_t", "container_engine_t")
)
func seLinuxOptions1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return seLinuxOptions(podMetadata, podSpec, selinuxAllowedTypes1_0)
}
func seLinuxOptions1_31(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return seLinuxOptions(podMetadata, podSpec, selinuxAllowedTypes1_31)
}
func seLinuxOptions(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, allowedTypes sets.Set[string]) CheckResult {
var (
// sources that set bad seLinuxOptions
badSetters []string
// invalid type values set
badTypes = sets.NewString()
// was user set?
setUser = false
// was role set?
setRole = false
)
validSELinuxOptions := func(opts *corev1.SELinuxOptions) bool {
valid := true
if !allowedTypes.Has(opts.Type) {
valid = false
badTypes.Insert(opts.Type)
}
if len(opts.User) > 0 {
valid = false
setUser = true
}
if len(opts.Role) > 0 {
valid = false
setRole = true
}
return valid
}
if podSpec.SecurityContext != nil && podSpec.SecurityContext.SELinuxOptions != nil {
if !validSELinuxOptions(podSpec.SecurityContext.SELinuxOptions) {
badSetters = append(badSetters, "pod")
}
}
var badContainers []string
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.SELinuxOptions != nil {
if !validSELinuxOptions(container.SecurityContext.SELinuxOptions) {
badContainers = append(badContainers, container.Name)
}
}
})
if len(badContainers) > 0 {
badSetters = append(
badSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
),
)
}
if len(badSetters) > 0 {
var badData []string
if len(badTypes) > 0 {
badData = append(badData, fmt.Sprintf(
"%s %s",
pluralize("type", "types", len(badTypes)),
joinQuote(badTypes.List()),
))
}
if setUser {
badData = append(badData, "user may not be set")
}
if setRole {
badData = append(badData, "role may not be set")
}
return CheckResult{
Allowed: false,
ForbiddenReason: "seLinuxOptions",
ForbiddenDetail: fmt.Sprintf(
`%s set forbidden securityContext.seLinuxOptions: %s`,
strings.Join(badSetters, " and "),
strings.Join(badData, "; "),
),
}
}
return CheckResult{Allowed: true}
}

171
e2e/vendor/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go generated vendored Normal file
View File

@ -0,0 +1,171 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
If seccomp profiles are specified, only runtime default and localhost profiles are allowed.
v1.0 - v1.18:
**Restricted Fields:**
metadata.annotations['seccomp.security.alpha.kubernetes.io/pod']
metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*']
**Allowed Values:** 'runtime/default', 'docker/default', 'localhost/*', undefined
v1.19+:
**Restricted Fields:**
spec.securityContext.seccompProfile.type
spec.containers[*].securityContext.seccompProfile.type
spec.initContainers[*].securityContext.seccompProfile.type
**Allowed Values:** 'RuntimeDefault', 'Localhost', undefined
*/
const (
annotationKeyPod = "seccomp.security.alpha.kubernetes.io/pod"
annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
checkSeccompBaselineID CheckID = "seccompProfile_baseline"
)
func init() {
addCheck(CheckSeccompBaseline)
}
func CheckSeccompBaseline() Check {
return Check{
ID: checkSeccompBaselineID,
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: seccompProfileBaseline_1_0,
},
{
MinimumVersion: api.MajorMinorVersion(1, 19),
CheckPod: seccompProfileBaseline_1_19,
},
},
}
}
func validSeccomp(t corev1.SeccompProfileType) bool {
return t == corev1.SeccompProfileTypeLocalhost ||
t == corev1.SeccompProfileTypeRuntimeDefault
}
func validSeccompAnnotationValue(v string) bool {
return v == corev1.SeccompProfileRuntimeDefault ||
v == corev1.DeprecatedSeccompProfileDockerDefault ||
strings.HasPrefix(v, corev1.SeccompLocalhostProfileNamePrefix)
}
// seccompProfileBaseline_1_0 checks baseline policy on seccomp alpha annotation
func seccompProfileBaseline_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
forbidden := sets.NewString()
if val, ok := podMetadata.Annotations[annotationKeyPod]; ok {
if !validSeccompAnnotationValue(val) {
forbidden.Insert(fmt.Sprintf("%s=%q", annotationKeyPod, val))
}
}
visitContainers(podSpec, func(c *corev1.Container) {
annotation := annotationKeyContainerPrefix + c.Name
if val, ok := podMetadata.Annotations[annotation]; ok {
if !validSeccompAnnotationValue(val) {
forbidden.Insert(fmt.Sprintf("%s=%q", annotation, val))
}
}
})
if len(forbidden) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "seccompProfile",
ForbiddenDetail: fmt.Sprintf(
"forbidden %s %s",
pluralize("annotation", "annotations", len(forbidden)),
strings.Join(forbidden.List(), ", "),
),
}
}
return CheckResult{Allowed: true}
}
// seccompProfileBaseline_1_19 checks baseline policy on securityContext.seccompProfile field
func seccompProfileBaseline_1_19(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// things that explicitly set seccompProfile.type to a bad value
var badSetters []string
badValues := sets.NewString()
if podSpec.SecurityContext != nil && podSpec.SecurityContext.SeccompProfile != nil {
if !validSeccomp(podSpec.SecurityContext.SeccompProfile.Type) {
badSetters = append(badSetters, "pod")
badValues.Insert(string(podSpec.SecurityContext.SeccompProfile.Type))
}
}
// containers that explicitly set seccompProfile.type to a bad value
var explicitlyBadContainers []string
visitContainers(podSpec, func(c *corev1.Container) {
if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
// container explicitly set seccompProfile
if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
// container explicitly set seccompProfile to a bad value
explicitlyBadContainers = append(explicitlyBadContainers, c.Name)
badValues.Insert(string(c.SecurityContext.SeccompProfile.Type))
}
}
})
if len(explicitlyBadContainers) > 0 {
badSetters = append(
badSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(explicitlyBadContainers)),
joinQuote(explicitlyBadContainers),
),
)
}
// pod or containers explicitly set bad seccompProfiles
if len(badSetters) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "seccompProfile",
ForbiddenDetail: fmt.Sprintf(
"%s must not set securityContext.seccompProfile.type to %s",
strings.Join(badSetters, " and "),
joinQuote(badValues.List()),
),
}
}
return CheckResult{Allowed: true}
}

155
e2e/vendor/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go generated vendored Normal file
View File

@ -0,0 +1,155 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
Seccomp profiles must be specified, and only runtime default and localhost profiles are allowed.
v1.19+:
**Restricted Fields:**
spec.securityContext.seccompProfile.type
spec.containers[*].securityContext.seccompProfile.type
spec.initContainers[*].securityContext.seccompProfile.type
**Allowed Values:** 'RuntimeDefault', 'Localhost'
Note: container-level fields may be undefined if pod-level field is specified.
*/
func init() {
addCheck(CheckSeccompProfileRestricted)
}
func CheckSeccompProfileRestricted() Check {
return Check{
ID: "seccompProfile_restricted",
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 19),
CheckPod: seccompProfileRestricted_1_19,
OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
},
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
{
MinimumVersion: api.MajorMinorVersion(1, 25),
CheckPod: seccompProfileRestricted_1_25,
OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
},
},
}
}
// seccompProfileRestricted_1_19 checks restricted policy on securityContext.seccompProfile field
func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// things that explicitly set seccompProfile.type to a bad value
var badSetters []string
badValues := sets.NewString()
podSeccompSet := false
if podSpec.SecurityContext != nil && podSpec.SecurityContext.SeccompProfile != nil {
if !validSeccomp(podSpec.SecurityContext.SeccompProfile.Type) {
badSetters = append(badSetters, "pod")
badValues.Insert(string(podSpec.SecurityContext.SeccompProfile.Type))
} else {
podSeccompSet = true
}
}
// containers that explicitly set seccompProfile.type to a bad value
var explicitlyBadContainers []string
// containers that didn't set seccompProfile and aren't caught by a pod-level seccompProfile
var implicitlyBadContainers []string
visitContainers(podSpec, func(c *corev1.Container) {
if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
// container explicitly set seccompProfile
if !validSeccomp(c.SecurityContext.SeccompProfile.Type) {
// container explicitly set seccompProfile to a bad value
explicitlyBadContainers = append(explicitlyBadContainers, c.Name)
badValues.Insert(string(c.SecurityContext.SeccompProfile.Type))
}
} else {
// container did not explicitly set seccompProfile
if !podSeccompSet {
// no valid pod-level seccompProfile, so this container implicitly has a bad value
implicitlyBadContainers = append(implicitlyBadContainers, c.Name)
}
}
})
if len(explicitlyBadContainers) > 0 {
badSetters = append(
badSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(explicitlyBadContainers)),
joinQuote(explicitlyBadContainers),
),
)
}
// pod or containers explicitly set bad seccompProfiles
if len(badSetters) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "seccompProfile",
ForbiddenDetail: fmt.Sprintf(
"%s must not set securityContext.seccompProfile.type to %s",
strings.Join(badSetters, " and "),
joinQuote(badValues.List()),
),
}
}
// pod didn't set seccompProfile and not all containers opted into seccompProfile
if len(implicitlyBadContainers) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "seccompProfile",
ForbiddenDetail: fmt.Sprintf(
`pod or %s %s must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
pluralize("container", "containers", len(implicitlyBadContainers)),
joinQuote(implicitlyBadContainers),
),
}
}
return CheckResult{Allowed: true}
}
// seccompProfileRestricted_1_25 checks restricted policy on securityContext.seccompProfile field for kubernetes
// version 1.25 and above
func seccompProfileRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// Pod API validation would have failed if podOS == Windows and if secCompProfile has been set.
// We can admit the Windows pod even if seccompProfile has not been set.
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
return CheckResult{Allowed: true}
}
return seccompProfileRestricted_1_19(podMetadata, podSpec)
}

143
e2e/vendor/k8s.io/pod-security-admission/policy/check_sysctls.go generated vendored Normal file
View File

@ -0,0 +1,143 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/pod-security-admission/api"
)
/*
Sysctls can disable security mechanisms or affect all containers on a host,
and should be disallowed except for an allowed "safe" subset.
A sysctl is considered safe if it is namespaced in the container or the Pod,
and it is isolated from other Pods or processes on the same Node.
**Restricted Fields:**
spec.securityContext.sysctls[*].name
**Allowed Values:**
'kernel.shm_rmid_forced'
'net.ipv4.ip_local_port_range'
'net.ipv4.tcp_syncookies'
'net.ipv4.ping_group_range'
'net.ipv4.ip_unprivileged_port_start'
'net.ipv4.ip_local_reserved_ports'
'net.ipv4.tcp_keepalive_time'
'net.ipv4.tcp_fin_timeout'
'net.ipv4.tcp_keepalive_intvl'
'net.ipv4.tcp_keepalive_probes'
'net.ipv4.tcp_rmem'
'net.ipv4.tcp_wmem'
*/
func init() {
addCheck(CheckSysctls)
}
// CheckSysctls returns a baseline level check
// that limits the value of sysctls in 1.0+
func CheckSysctls() Check {
return Check{
ID: "sysctls",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: sysctlsV1Dot0,
},
{
MinimumVersion: api.MajorMinorVersion(1, 27),
CheckPod: sysctlsV1Dot27,
}, {
MinimumVersion: api.MajorMinorVersion(1, 29),
CheckPod: sysctlsV1Dot29,
},
{
MinimumVersion: api.MajorMinorVersion(1, 32),
CheckPod: sysctlsV1Dot32,
},
},
}
}
var (
sysctlsAllowedV1Dot0 = sets.NewString(
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
)
sysctlsAllowedV1Dot27 = sysctlsAllowedV1Dot0.Union(sets.NewString(
"net.ipv4.ip_local_reserved_ports",
))
sysctlsAllowedV1Dot29 = sysctlsAllowedV1Dot27.Union(sets.NewString(
"net.ipv4.tcp_keepalive_time",
"net.ipv4.tcp_fin_timeout",
"net.ipv4.tcp_keepalive_intvl",
"net.ipv4.tcp_keepalive_probes",
))
sysctlsAllowedV1Dot32 = sysctlsAllowedV1Dot29.Union(sets.NewString(
"net.ipv4.tcp_rmem",
"net.ipv4.tcp_wmem",
))
)
func sysctlsV1Dot0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot0)
}
func sysctlsV1Dot27(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot27)
}
func sysctlsV1Dot29(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot29)
}
func sysctlsV1Dot32(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot32)
}
func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, sysctls_allowed_set sets.String) CheckResult {
var forbiddenSysctls []string
if podSpec.SecurityContext != nil {
for _, sysctl := range podSpec.SecurityContext.Sysctls {
if !sysctls_allowed_set.Has(sysctl.Name) {
forbiddenSysctls = append(forbiddenSysctls, sysctl.Name)
}
}
}
if len(forbiddenSysctls) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "forbidden sysctls",
ForbiddenDetail: strings.Join(forbiddenSysctls, ", "),
}
}
return CheckResult{Allowed: true}
}

102
e2e/vendor/k8s.io/pod-security-admission/policy/check_windowsHostProcess.go generated vendored Normal file
View File

@ -0,0 +1,102 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
/*
Pod and containers must not set securityContext.windowsOptions.hostProcess to true.
**Restricted Fields:**
spec.securityContext.windowsOptions.hostProcess
spec.containers[*].securityContext.windowsOptions.hostProcess
spec.initContainers[*].securityContext.windowsOptions.hostProcess
**Allowed Values:** undefined / false
*/
func init() {
addCheck(CheckWindowsHostProcess)
}
// CheckWindowsHostProcess returns a baseline level check
// that forbids hostProcess=true in 1.0+
func CheckWindowsHostProcess() Check {
return Check{
ID: "windowsHostProcess",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: windowsHostProcess_1_0,
},
},
}
}
func windowsHostProcess_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil &&
container.SecurityContext.WindowsOptions != nil &&
container.SecurityContext.WindowsOptions.HostProcess != nil &&
*container.SecurityContext.WindowsOptions.HostProcess {
badContainers = append(badContainers, container.Name)
}
})
podSpecForbidden := false
if podSpec.SecurityContext != nil &&
podSpec.SecurityContext.WindowsOptions != nil &&
podSpec.SecurityContext.WindowsOptions.HostProcess != nil &&
*podSpec.SecurityContext.WindowsOptions.HostProcess {
podSpecForbidden = true
}
// pod or containers explicitly set hostProcess=true
var forbiddenSetters []string
if podSpecForbidden {
forbiddenSetters = append(forbiddenSetters, "pod")
}
if len(badContainers) > 0 {
forbiddenSetters = append(
forbiddenSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
),
)
}
if len(forbiddenSetters) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "hostProcess",
ForbiddenDetail: fmt.Sprintf("%s must not set securityContext.windowsOptions.hostProcess=true", strings.Join(forbiddenSetters, " and ")),
}
}
return CheckResult{Allowed: true}
}

184
e2e/vendor/k8s.io/pod-security-admission/policy/checks.go generated vendored Normal file
View File

@ -0,0 +1,184 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
type Check struct {
// ID is the unique ID of the check.
ID CheckID
// Level is the policy level this check belongs to.
// Must be Baseline or Restricted.
// Baseline checks are evaluated for baseline and restricted namespaces.
// Restricted checks are only evaluated for restricted namespaces.
Level api.Level
// Versions contains one or more revisions of the check that apply to different versions.
// If the check is not yet assigned to a version, this must be a single-item list with a MinimumVersion of "".
// Otherwise, MinimumVersion of items must represent strictly increasing versions.
Versions []VersionedCheck
}
type VersionedCheck struct {
// MinimumVersion is the first policy version this check applies to.
// If unset, this check is not yet assigned to a policy version.
// If set, must not be "latest".
MinimumVersion api.Version
// CheckPod determines if the pod is allowed.
CheckPod CheckPodFn
// OverrideCheckIDs is an optional list of checks that should be skipped when this check is run.
// Overrides may only be set on restricted checks, and may only override baseline checks.
OverrideCheckIDs []CheckID
}
type CheckPodFn func(*metav1.ObjectMeta, *corev1.PodSpec) CheckResult
type CheckID string
// CheckResult contains the result of checking a pod and indicates whether the pod is allowed,
// and if not, why it was forbidden.
//
// Example output for (false, "host ports", "8080, 9090"):
//
// When checking all pods in a namespace:
// disallowed by policy "baseline": host ports, privileged containers, non-default capabilities
// When checking an individual pod:
// disallowed by policy "baseline": host ports (8080, 9090), privileged containers, non-default capabilities (CAP_NET_RAW)
type CheckResult struct {
// Allowed indicates if the check allowed the pod.
Allowed bool
// ForbiddenReason must be set if Allowed is false.
// ForbiddenReason should be as succinct as possible and is always output.
// Examples:
// - "host ports"
// - "privileged containers"
// - "non-default capabilities"
ForbiddenReason string
// ForbiddenDetail should only be set if Allowed is false, and is optional.
// ForbiddenDetail can include specific values that were disallowed and is used when checking an individual object.
// Examples:
// - list specific invalid host ports: "8080, 9090"
// - list specific invalid containers: "container1, container2"
// - list specific non-default capabilities: "CAP_NET_RAW"
ForbiddenDetail string
}
// AggergateCheckResult holds the aggregate result of running CheckPod across multiple checks.
type AggregateCheckResult struct {
// Allowed indicates if all checks allowed the pod.
Allowed bool
// ForbiddenReasons is a slice of the forbidden reasons from all the forbidden checks. It should not include empty strings.
// ForbiddenReasons and ForbiddenDetails must have the same number of elements, and the indexes are for the same check.
ForbiddenReasons []string
// ForbiddenDetails is a slice of the forbidden details from all the forbidden checks. It may include empty strings.
// ForbiddenReasons and ForbiddenDetails must have the same number of elements, and the indexes are for the same check.
ForbiddenDetails []string
}
// ForbiddenReason returns a comma-separated string of of the forbidden reasons.
// Example: host ports, privileged containers, non-default capabilities
func (a *AggregateCheckResult) ForbiddenReason() string {
return strings.Join(a.ForbiddenReasons, ", ")
}
// ForbiddenDetail returns a detailed forbidden message, with non-empty details formatted in
// parentheses with the associated reason.
// Example: host ports (8080, 9090), privileged containers, non-default capabilities (NET_RAW)
func (a *AggregateCheckResult) ForbiddenDetail() string {
var b strings.Builder
for i := 0; i < len(a.ForbiddenReasons); i++ {
b.WriteString(a.ForbiddenReasons[i])
if a.ForbiddenDetails[i] != "" {
b.WriteString(" (")
b.WriteString(a.ForbiddenDetails[i])
b.WriteString(")")
}
if i != len(a.ForbiddenReasons)-1 {
b.WriteString(", ")
}
}
return b.String()
}
// UnknownForbiddenReason is used as the placeholder forbidden reason for checks that incorrectly disallow without providing a reason.
const UnknownForbiddenReason = "unknown forbidden reason"
// AggregateCheckPod runs all the checks and aggregates the forbidden results into a single CheckResult.
// The aggregated reason is a comma-separated
func AggregateCheckResults(results []CheckResult) AggregateCheckResult {
var (
reasons []string
details []string
)
for _, result := range results {
if !result.Allowed {
if len(result.ForbiddenReason) == 0 {
reasons = append(reasons, UnknownForbiddenReason)
} else {
reasons = append(reasons, result.ForbiddenReason)
}
details = append(details, result.ForbiddenDetail)
}
}
return AggregateCheckResult{
Allowed: len(reasons) == 0,
ForbiddenReasons: reasons,
ForbiddenDetails: details,
}
}
var (
defaultChecks []func() Check
experimentalChecks []func() Check
)
func addCheck(f func() Check) {
// add to experimental or versioned list
c := f()
if len(c.Versions) == 1 && c.Versions[0].MinimumVersion == (api.Version{}) {
experimentalChecks = append(experimentalChecks, f)
} else {
defaultChecks = append(defaultChecks, f)
}
}
// DefaultChecks returns checks that are expected to be enabled by default.
// The results are mutually exclusive with ExperimentalChecks.
// It returns a new copy of checks on each invocation and is expected to be called once at setup time.
func DefaultChecks() []Check {
retval := make([]Check, 0, len(defaultChecks))
for _, f := range defaultChecks {
retval = append(retval, f())
}
return retval
}
// ExperimentalChecks returns checks that have not yet been assigned to policy versions.
// The results are mutually exclusive with DefaultChecks.
// It returns a new copy of checks on each invocation and is expected to be called once at setup time.
func ExperimentalChecks() []Check {
retval := make([]Check, 0, len(experimentalChecks))
for _, f := range experimentalChecks {
retval = append(retval, f())
}
return retval
}

18
e2e/vendor/k8s.io/pod-security-admission/policy/doc.go generated vendored Normal file
View File

@ -0,0 +1,18 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package policy contains implementations of Pod Security Standards checks
package policy // import "k8s.io/pod-security-admission/policy"

56
e2e/vendor/k8s.io/pod-security-admission/policy/helpers.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"strings"
"sync/atomic"
corev1 "k8s.io/api/core/v1"
)
func joinQuote(items []string) string {
if len(items) == 0 {
return ""
}
return `"` + strings.Join(items, `", "`) + `"`
}
func pluralize(singular, plural string, count int) string {
if count == 1 {
return singular
}
return plural
}
var relaxPolicyForUserNamespacePods = &atomic.Bool{}
// RelaxPolicyForUserNamespacePods allows opting into relaxing runAsUser /
// runAsNonRoot restricted policies for user namespace pods, before the
// usernamespace feature has reached GA and propagated to the oldest supported
// nodes.
// This should only be opted into in clusters where the administrator ensures
// all nodes in the cluster enable the user namespace feature.
func RelaxPolicyForUserNamespacePods(relax bool) {
relaxPolicyForUserNamespacePods.Store(relax)
}
// relaxPolicyForUserNamespacePod returns true if a policy should be relaxed
// because of enabled user namespaces in the provided pod spec.
func relaxPolicyForUserNamespacePod(podSpec *corev1.PodSpec) bool {
return relaxPolicyForUserNamespacePods.Load() && podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
}

226
e2e/vendor/k8s.io/pod-security-admission/policy/registry.go generated vendored Normal file
View File

@ -0,0 +1,226 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
"sort"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
)
// Evaluator holds the Checks that are used to validate a policy.
type Evaluator interface {
// EvaluatePod evaluates the pod against the policy for the given level & version.
EvaluatePod(lv api.LevelVersion, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) []CheckResult
}
// checkRegistry provides a default implementation of an Evaluator.
type checkRegistry struct {
// The checks are a map policy version to a slice of checks registered for that version.
baselineChecks, restrictedChecks map[api.Version][]CheckPodFn
// maxVersion is the maximum version that is cached, guaranteed to be at least
// the max MinimumVersion of all registered checks.
maxVersion api.Version
}
// NewEvaluator constructs a new Evaluator instance from the list of checks. If the provided checks are invalid,
// an error is returned. A valid list of checks must meet the following requirements:
// 1. Check.ID is unique in the list
// 2. Check.Level must be either Baseline or Restricted
// 3. Checks must have a non-empty set of versions, sorted in a strictly increasing order
// 4. Check.Versions cannot include 'latest'
func NewEvaluator(checks []Check) (Evaluator, error) {
if err := validateChecks(checks); err != nil {
return nil, err
}
r := &checkRegistry{
baselineChecks: map[api.Version][]CheckPodFn{},
restrictedChecks: map[api.Version][]CheckPodFn{},
}
populate(r, checks)
return r, nil
}
func (r *checkRegistry) EvaluatePod(lv api.LevelVersion, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) []CheckResult {
if lv.Level == api.LevelPrivileged {
return nil
}
if r.maxVersion.Older(lv.Version) {
lv.Version = r.maxVersion
}
var checks []CheckPodFn
if lv.Level == api.LevelBaseline {
checks = r.baselineChecks[lv.Version]
} else {
// includes non-overridden baseline checks
checks = r.restrictedChecks[lv.Version]
}
var results []CheckResult
for _, check := range checks {
results = append(results, check(podMetadata, podSpec))
}
return results
}
func validateChecks(checks []Check) error {
ids := map[CheckID]api.Level{}
for _, check := range checks {
if _, ok := ids[check.ID]; ok {
return fmt.Errorf("multiple checks registered for ID %s", check.ID)
}
ids[check.ID] = check.Level
if check.Level != api.LevelBaseline && check.Level != api.LevelRestricted {
return fmt.Errorf("check %s: invalid level %s", check.ID, check.Level)
}
if len(check.Versions) == 0 {
return fmt.Errorf("check %s: empty", check.ID)
}
maxVersion := api.Version{}
for _, c := range check.Versions {
if c.MinimumVersion == (api.Version{}) {
return fmt.Errorf("check %s: undefined version found", check.ID)
}
if c.MinimumVersion.Latest() {
return fmt.Errorf("check %s: version cannot be 'latest'", check.ID)
}
if maxVersion == c.MinimumVersion {
return fmt.Errorf("check %s: duplicate version %s", check.ID, c.MinimumVersion)
}
if !maxVersion.Older(c.MinimumVersion) {
return fmt.Errorf("check %s: versions must be strictly increasing", check.ID)
}
maxVersion = c.MinimumVersion
}
}
// Second pass to validate overrides.
for _, check := range checks {
for _, c := range check.Versions {
if len(c.OverrideCheckIDs) == 0 {
continue
}
if check.Level != api.LevelRestricted {
return fmt.Errorf("check %s: only restricted checks may set overrides", check.ID)
}
for _, override := range c.OverrideCheckIDs {
if overriddenLevel, ok := ids[override]; ok && overriddenLevel != api.LevelBaseline {
return fmt.Errorf("check %s: overrides %s check %s", check.ID, overriddenLevel, override)
}
}
}
}
return nil
}
func populate(r *checkRegistry, validChecks []Check) {
// Find the max(MinimumVersion) across all checks.
for _, c := range validChecks {
lastVersion := c.Versions[len(c.Versions)-1].MinimumVersion
if r.maxVersion.Older(lastVersion) {
r.maxVersion = lastVersion
}
}
var (
restrictedVersionedChecks = map[api.Version]map[CheckID]VersionedCheck{}
baselineVersionedChecks = map[api.Version]map[CheckID]VersionedCheck{}
baselineIDs, restrictedIDs []CheckID
)
for _, c := range validChecks {
if c.Level == api.LevelRestricted {
restrictedIDs = append(restrictedIDs, c.ID)
inflateVersions(c, restrictedVersionedChecks, r.maxVersion)
} else {
baselineIDs = append(baselineIDs, c.ID)
inflateVersions(c, baselineVersionedChecks, r.maxVersion)
}
}
// Sort the IDs to maintain consistent error messages.
sort.Slice(restrictedIDs, func(i, j int) bool { return restrictedIDs[i] < restrictedIDs[j] })
sort.Slice(baselineIDs, func(i, j int) bool { return baselineIDs[i] < baselineIDs[j] })
orderedIDs := append(baselineIDs, restrictedIDs...) // Baseline checks first, then restricted.
for v := api.MajorMinorVersion(1, 0); v.Older(nextMinor(r.maxVersion)); v = nextMinor(v) {
// Aggregate all the overridden baseline check ids.
overrides := map[CheckID]bool{}
for _, c := range restrictedVersionedChecks[v] {
for _, override := range c.OverrideCheckIDs {
overrides[override] = true
}
}
// Add the filtered baseline checks to restricted.
for id, c := range baselineVersionedChecks[v] {
if overrides[id] {
continue // Overridden check: skip it.
}
if restrictedVersionedChecks[v] == nil {
restrictedVersionedChecks[v] = map[CheckID]VersionedCheck{}
}
restrictedVersionedChecks[v][id] = c
}
r.restrictedChecks[v] = mapCheckPodFns(restrictedVersionedChecks[v], orderedIDs)
r.baselineChecks[v] = mapCheckPodFns(baselineVersionedChecks[v], orderedIDs)
}
}
func inflateVersions(check Check, versions map[api.Version]map[CheckID]VersionedCheck, maxVersion api.Version) {
for i, c := range check.Versions {
var nextVersion api.Version
if i+1 < len(check.Versions) {
nextVersion = check.Versions[i+1].MinimumVersion
} else {
// Assumes only 1 Major version.
nextVersion = nextMinor(maxVersion)
}
// Iterate over all versions from the minimum of the current check, to the minimum of the
// next check, or the maxVersion++.
for v := c.MinimumVersion; v.Older(nextVersion); v = nextMinor(v) {
if versions[v] == nil {
versions[v] = map[CheckID]VersionedCheck{}
}
versions[v][check.ID] = check.Versions[i]
}
}
}
// mapCheckPodFns converts the versioned check map to an ordered slice of CheckPodFn,
// using the order specified by orderedIDs. All checks must have a corresponding ID in orderedIDs.
func mapCheckPodFns(checks map[CheckID]VersionedCheck, orderedIDs []CheckID) []CheckPodFn {
fns := make([]CheckPodFn, 0, len(checks))
for _, id := range orderedIDs {
if check, ok := checks[id]; ok {
fns = append(fns, check.CheckPod)
}
}
return fns
}
// nextMinor increments the minor version
func nextMinor(v api.Version) api.Version {
if v.Latest() {
return v
}
return api.MajorMinorVersion(v.Major(), v.Minor()+1)
}

37
e2e/vendor/k8s.io/pod-security-admission/policy/visitor.go generated vendored Normal file
View File

@ -0,0 +1,37 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
corev1 "k8s.io/api/core/v1"
)
// ContainerVisitor is called with each container and the field.Path to that container
type ContainerVisitor func(container *corev1.Container)
// visitContainers invokes the visitor function for every container in the given pod spec
func visitContainers(podSpec *corev1.PodSpec, visitor ContainerVisitor) {
for i := range podSpec.InitContainers {
visitor(&podSpec.InitContainers[i])
}
for i := range podSpec.Containers {
visitor(&podSpec.Containers[i])
}
for i := range podSpec.EphemeralContainers {
visitor((*corev1.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon))
}
}