vendor updates

This commit is contained in:
Serguei Bezverkhi
2018-03-06 17:33:18 -05:00
parent 4b3ebc171b
commit e9033989a0
5854 changed files with 248382 additions and 119809 deletions


@ -11,8 +11,39 @@ go_library(
srcs = [
"helpers.go",
"validate.go",
"validate_disabled.go",
],
] + select({
"@io_bazel_rules_go//go/platform:android": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:darwin": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:dragonfly": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:freebsd": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:nacl": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:netbsd": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:openbsd": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:plan9": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:solaris": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:windows": [
"validate_disabled.go",
],
"//conditions:default": [],
}),
importpath = "k8s.io/kubernetes/pkg/security/apparmor",
deps = [
"//pkg/features:go_default_library",
@ -29,8 +60,7 @@ go_test(
data = [
"testdata/profiles",
],
importpath = "k8s.io/kubernetes/pkg/security/apparmor",
library = ":go_default_library",
embed = [":go_default_library"],
deps = [
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",


@ -27,7 +27,6 @@ go_library(
"//pkg/security/podsecuritypolicy/user:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//pkg/securitycontext:go_default_library",
"//pkg/util/maps:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
@ -36,8 +35,7 @@ go_library(
go_test(
name = "go_default_test",
srcs = ["provider_test.go"],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy",
library = ":go_default_library",
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/core/v1:go_default_library",


@ -21,8 +21,7 @@ go_library(
go_test(
name = "go_default_test",
srcs = ["strategy_test.go"],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor",
library = ":go_default_library",
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/security/apparmor:go_default_library",


@ -9,8 +9,8 @@ load(
go_library(
name = "go_default_library",
srcs = [
"capabilities.go",
"doc.go",
"mustrunas.go",
"types.go",
],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities",
@ -24,9 +24,8 @@ go_library(
go_test(
name = "go_default_test",
srcs = ["mustrunas_test.go"],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities",
library = ":go_default_library",
srcs = ["capabilities_test.go"],
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library",


@ -29,12 +29,8 @@ go_test(
"mustrunas_test.go",
"runasany_test.go",
],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group",
library = ":go_default_library",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library",
],
embed = [":go_default_library"],
deps = ["//pkg/apis/extensions:go_default_library"],
)
filegroup(


@ -17,7 +17,6 @@ limitations under the License.
package group
import (
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions"
"testing"
)
@ -110,7 +109,6 @@ func TestGenerate(t *testing.T) {
func TestValidate(t *testing.T) {
tests := map[string]struct {
ranges []extensions.GroupIDRange
pod *api.Pod
groups []int64
pass bool
}{
@ -138,14 +136,14 @@ func TestValidate(t *testing.T) {
},
pass: true,
},
"in range boundry min": {
"in range boundary min": {
groups: []int64{1},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
pass: true,
},
"in range boundry max": {
"in range boundary max": {
groups: []int64{3},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},


@ -25,7 +25,6 @@ import (
"k8s.io/kubernetes/pkg/apis/extensions"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
"k8s.io/kubernetes/pkg/securitycontext"
"k8s.io/kubernetes/pkg/util/maps"
)
// used to pass in the field being validated for reusable group strategies so they
@ -64,17 +63,16 @@ func NewSimpleProvider(psp *extensions.PodSecurityPolicy, namespace string, stra
}, nil
}
// Create a PodSecurityContext based on the given constraints. If a setting is already set
// on the PodSecurityContext it will not be changed. Validate should be used after the context
// is created to ensure it complies with the required restrictions.
func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error) {
// DefaultPodSecurityContext sets the default values of the required but not filled fields.
// It modifies the SecurityContext and annotations of the provided pod. Validation should be
// used after the context is defaulted to ensure it complies with the required restrictions.
func (s *simpleProvider) DefaultPodSecurityContext(pod *api.Pod) error {
sc := securitycontext.NewPodSecurityContextMutator(pod.Spec.SecurityContext)
annotations := maps.CopySS(pod.Annotations)
if sc.SupplementalGroups() == nil {
supGroups, err := s.strategies.SupplementalGroupStrategy.Generate(pod)
if err != nil {
return nil, nil, err
return err
}
sc.SetSupplementalGroups(supGroups)
}
@ -82,7 +80,7 @@ func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurit
if sc.FSGroup() == nil {
fsGroup, err := s.strategies.FSGroupStrategy.GenerateSingle(pod)
if err != nil {
return nil, nil, err
return err
}
sc.SetFSGroup(fsGroup)
}
@ -90,41 +88,42 @@ func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurit
if sc.SELinuxOptions() == nil {
seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, nil)
if err != nil {
return nil, nil, err
return err
}
sc.SetSELinuxOptions(seLinux)
}
// This is only generated on the pod level. Containers inherit the pod's profile. If the
// container has a specific profile set then it will be caught in the validation step.
seccompProfile, err := s.strategies.SeccompStrategy.Generate(annotations, pod)
seccompProfile, err := s.strategies.SeccompStrategy.Generate(pod.Annotations, pod)
if err != nil {
return nil, nil, err
return err
}
if seccompProfile != "" {
if annotations == nil {
annotations = map[string]string{}
if pod.Annotations == nil {
pod.Annotations = map[string]string{}
}
annotations[api.SeccompPodAnnotationKey] = seccompProfile
pod.Annotations[api.SeccompPodAnnotationKey] = seccompProfile
}
return sc.PodSecurityContext(), annotations, nil
pod.Spec.SecurityContext = sc.PodSecurityContext()
return nil
}
// Create a SecurityContext based on the given constraints. If a setting is already set on the
// container's security context then it will not be changed. Validation should be used after
// the context is created to ensure it complies with the required restrictions.
func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, map[string]string, error) {
// DefaultContainerSecurityContext sets the default values of the required but not filled fields.
// It modifies the SecurityContext of the container and annotations of the pod. Validation should
// be used after the context is defaulted to ensure it complies with the required restrictions.
func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container *api.Container) error {
sc := securitycontext.NewEffectiveContainerSecurityContextMutator(
securitycontext.NewPodSecurityContextAccessor(pod.Spec.SecurityContext),
securitycontext.NewContainerSecurityContextMutator(container.SecurityContext),
)
annotations := maps.CopySS(pod.Annotations)
if sc.RunAsUser() == nil {
uid, err := s.strategies.RunAsUserStrategy.Generate(pod, container)
if err != nil {
return nil, nil, err
return err
}
sc.SetRunAsUser(uid)
}
@ -132,14 +131,14 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
if sc.SELinuxOptions() == nil {
seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, container)
if err != nil {
return nil, nil, err
return err
}
sc.SetSELinuxOptions(seLinux)
}
annotations, err := s.strategies.AppArmorStrategy.Generate(annotations, container)
annotations, err := s.strategies.AppArmorStrategy.Generate(pod.Annotations, container)
if err != nil {
return nil, nil, err
return err
}
// if we're using the non-root strategy set the marker that this container should not be
@ -152,7 +151,7 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
caps, err := s.strategies.CapabilitiesStrategy.Generate(pod, container)
if err != nil {
return nil, nil, err
return err
}
sc.SetCapabilities(caps)
@ -174,11 +173,14 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
sc.SetAllowPrivilegeEscalation(&s.psp.Spec.AllowPrivilegeEscalation)
}
return sc.ContainerSecurityContext(), annotations, nil
pod.Annotations = annotations
container.SecurityContext = sc.ContainerSecurityContext()
return nil
}
// Ensure a pod's SecurityContext is in compliance with the given constraints.
func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList {
// ValidatePod ensure a pod is in compliance with the given constraints.
func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
sc := securitycontext.NewPodSecurityContextAccessor(pod.Spec.SecurityContext)
@ -207,8 +209,6 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
allErrs = append(allErrs, s.strategies.SysctlsStrategy.Validate(pod)...)
// TODO(tallclair): ValidatePodSecurityContext should be renamed to ValidatePod since its scope
// is not limited to the PodSecurityContext.
if len(pod.Spec.Volumes) > 0 {
allowsAllVolumeTypes := psputil.PSPAllowsAllVolumes(s.psp)
allowedVolumes := psputil.FSTypeToStringSet(s.psp.Spec.Volumes)


@ -38,7 +38,7 @@ import (
const defaultContainerName = "test-c"
func TestCreatePodSecurityContextNonmutating(t *testing.T) {
func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
// Create a pod with a security context that needs filling in
createPod := func() *api.Pod {
return &api.Pod{
@ -82,7 +82,7 @@ func TestCreatePodSecurityContextNonmutating(t *testing.T) {
if err != nil {
t.Fatalf("unable to create provider %v", err)
}
_, _, err = provider.CreatePodSecurityContext(pod)
err = provider.DefaultPodSecurityContext(pod)
if err != nil {
t.Fatalf("unable to create psc %v", err)
}
@ -91,14 +91,14 @@ func TestCreatePodSecurityContextNonmutating(t *testing.T) {
// since all the strategies were permissive
if !reflect.DeepEqual(createPod(), pod) {
diffs := diff.ObjectDiff(createPod(), pod)
t.Errorf("pod was mutated by CreatePodSecurityContext. diff:\n%s", diffs)
t.Errorf("pod was mutated by DefaultPodSecurityContext. diff:\n%s", diffs)
}
if !reflect.DeepEqual(createPSP(), psp) {
t.Error("psp was mutated by CreatePodSecurityContext")
t.Error("psp was mutated by DefaultPodSecurityContext")
}
}
func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
untrue := false
tests := []struct {
security *api.SecurityContext
@ -154,7 +154,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
if err != nil {
t.Fatalf("unable to create provider %v", err)
}
_, _, err = provider.CreateContainerSecurityContext(pod, &pod.Spec.Containers[0])
err = provider.DefaultContainerSecurityContext(pod, &pod.Spec.Containers[0])
if err != nil {
t.Fatalf("unable to create container security context %v", err)
}
@ -163,10 +163,10 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
// since all the strategies were permissive
if !reflect.DeepEqual(createPod(), pod) {
diffs := diff.ObjectDiff(createPod(), pod)
t.Errorf("pod was mutated by CreateContainerSecurityContext. diff:\n%s", diffs)
t.Errorf("pod was mutated by DefaultContainerSecurityContext. diff:\n%s", diffs)
}
if !reflect.DeepEqual(createPSP(), psp) {
t.Error("psp was mutated by CreateContainerSecurityContext")
t.Error("psp was mutated by DefaultContainerSecurityContext")
}
}
}
@ -369,7 +369,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
if err != nil {
t.Fatalf("unable to create provider %v", err)
}
errs := provider.ValidatePodSecurityContext(v.pod, field.NewPath(""))
errs := provider.ValidatePod(v.pod, field.NewPath(""))
if len(errs) == 0 {
t.Errorf("%s expected validation failure but did not receive errors", k)
continue
@ -403,7 +403,7 @@ func allowFlexVolumesPSP(allowAllFlexVolumes, allowAllVolumes bool) *extensions.
}
func TestValidateContainerSecurityContextFailures(t *testing.T) {
// fail user strat
// fail user strategy
failUserPSP := defaultPSP()
uid := int64(999)
badUID := int64(1)
@ -414,7 +414,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
failUserPod := defaultPod()
failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID
// fail selinux strat
// fail selinux strategy
failSELinuxPSP := defaultPSP()
failSELinuxPSP.Spec.SELinux = extensions.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyMustRunAs,
@ -732,7 +732,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
if err != nil {
t.Fatalf("unable to create provider %v", err)
}
errs := provider.ValidatePodSecurityContext(v.pod, field.NewPath(""))
errs := provider.ValidatePod(v.pod, field.NewPath(""))
if len(errs) != 0 {
t.Errorf("%s expected validation pass but received errors %v", k, errs)
continue
@ -741,7 +741,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
}
func TestValidateContainerSecurityContextSuccess(t *testing.T) {
// success user strat
// success user strategy
userPSP := defaultPSP()
uid := int64(999)
userPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
@ -751,7 +751,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
userPod := defaultPod()
userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid
// success selinux strat
// success selinux strategy
seLinuxPSP := defaultPSP()
seLinuxPSP.Spec.SELinux = extensions.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyMustRunAs,
@ -965,12 +965,13 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) {
t.Errorf("%s unable to create provider %v", k, err)
continue
}
sc, _, err := provider.CreateContainerSecurityContext(v.pod, &v.pod.Spec.Containers[0])
err = provider.DefaultContainerSecurityContext(v.pod, &v.pod.Spec.Containers[0])
if err != nil {
t.Errorf("%s unable to create container security context %v", k, err)
continue
}
sc := v.pod.Spec.Containers[0].SecurityContext
if v.expected == nil && sc.ReadOnlyRootFilesystem != nil {
t.Errorf("%s expected a nil ReadOnlyRootFilesystem but got %t", k, *sc.ReadOnlyRootFilesystem)
}
@ -1093,7 +1094,7 @@ func TestValidateAllowedVolumes(t *testing.T) {
}
// expect a denial for this PSP and test the error message to ensure it's related to the volumesource
errs := provider.ValidatePodSecurityContext(pod, field.NewPath(""))
errs := provider.ValidatePod(pod, field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error for %s but got %v", fieldVal.Name, errs)
} else {
@ -1104,14 +1105,14 @@ func TestValidateAllowedVolumes(t *testing.T) {
// now add the fstype directly to the psp and it should validate
psp.Spec.Volumes = []extensions.FSType{fsType}
errs = provider.ValidatePodSecurityContext(pod, field.NewPath(""))
errs = provider.ValidatePod(pod, field.NewPath(""))
if len(errs) != 0 {
t.Errorf("directly allowing volume expected no errors for %s but got %v", fieldVal.Name, errs)
}
// now change the psp to allow any volumes and the pod should still validate
psp.Spec.Volumes = []extensions.FSType{extensions.All}
errs = provider.ValidatePodSecurityContext(pod, field.NewPath(""))
errs = provider.ValidatePod(pod, field.NewPath(""))
if len(errs) != 0 {
t.Errorf("wildcard volume expected no errors for %s but got %v", fieldVal.Name, errs)
}


@ -19,8 +19,7 @@ go_library(
go_test(
name = "go_default_test",
srcs = ["strategy_test.go"],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp",
library = ":go_default_library",
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",


@ -83,8 +83,8 @@ func TestNewStrategy(t *testing.T) {
},
}
for k, v := range tests {
strat := NewStrategy(v.annotations)
internalStrat, _ := strat.(*strategy)
s := NewStrategy(v.annotations)
internalStrat, _ := s.(*strategy)
if internalStrat.allowAnyProfile != v.expectedAllowAny {
t.Errorf("%s expected allowAnyProfile to be %t but found %t", k, v.expectedAllowAny, internalStrat.allowAnyProfile)
@ -145,8 +145,8 @@ func TestGenerate(t *testing.T) {
},
}
for k, v := range tests {
strat := NewStrategy(v.pspAnnotations)
actual, err := strat.Generate(v.podAnnotations, nil)
s := NewStrategy(v.pspAnnotations)
actual, err := s.Generate(v.podAnnotations, nil)
if err != nil {
t.Errorf("%s received error during generation %#v", k, err)
continue
@ -213,8 +213,8 @@ func TestValidatePod(t *testing.T) {
Annotations: v.podAnnotations,
},
}
strat := NewStrategy(v.pspAnnotations)
errs := strat.ValidatePod(pod)
s := NewStrategy(v.pspAnnotations)
errs := s.ValidatePod(pod)
if v.expectedError == "" && len(errs) != 0 {
t.Errorf("%s expected no errors but received %#v", k, errs.ToAggregate().Error())
}
@ -304,8 +304,8 @@ func TestValidateContainer(t *testing.T) {
Name: "container",
}
strat := NewStrategy(v.pspAnnotations)
errs := strat.ValidateContainer(pod, container)
s := NewStrategy(v.pspAnnotations)
errs := s.ValidateContainer(pod, container)
if v.expectedError == "" && len(errs) != 0 {
t.Errorf("%s expected no errors but received %#v", k, errs.ToAggregate().Error())
}


@ -18,6 +18,7 @@ go_library(
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@ -28,8 +29,7 @@ go_test(
"mustrunas_test.go",
"runasany_test.go",
],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux",
library = ":go_default_library",
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library",


@ -18,10 +18,13 @@ package selinux
import (
"fmt"
"sort"
"strings"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
)
type mustRunAs struct {
@ -55,7 +58,7 @@ func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container,
allErrs = append(allErrs, field.Required(fldPath, ""))
return allErrs
}
if seLinux.Level != s.opts.SELinuxOptions.Level {
if !equalLevels(s.opts.SELinuxOptions.Level, seLinux.Level) {
detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Level)
allErrs = append(allErrs, field.Invalid(fldPath.Child("level"), seLinux.Level, detail))
}
@ -74,3 +77,44 @@ func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container,
return allErrs
}
// equalLevels compares SELinux levels for equality.
func equalLevels(expected, actual string) bool {
if expected == actual {
return true
}
// "s0:c6,c0" => [ "s0", "c6,c0" ]
expectedParts := strings.SplitN(expected, ":", 2)
actualParts := strings.SplitN(actual, ":", 2)
// both SELinux levels must be in a format "sX:cY"
if len(expectedParts) != 2 || len(actualParts) != 2 {
return false
}
if !equalSensitivity(expectedParts[0], actualParts[0]) {
return false
}
if !equalCategories(expectedParts[1], actualParts[1]) {
return false
}
return true
}
// equalSensitivity compares sensitivities of the SELinux levels for equality.
func equalSensitivity(expected, actual string) bool {
return expected == actual
}
// equalCategories compares categories of the SELinux levels for equality.
func equalCategories(expected, actual string) bool {
expectedCategories := strings.Split(expected, ",")
actualCategories := strings.Split(actual, ",")
sort.Strings(expectedCategories)
sort.Strings(actualCategories)
return util.EqualStringSlices(expectedCategories, actualCategories)
}
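Review bot: equalLevels only treats comma-separated category lists as order-independent; the SELinux range forms (`c0.c5` for categories, `s0-s1` for sensitivity) and duplicated categories (`c0,c0` vs `c0`) are compared literally, so `s0:c0.c2` against `s0:c0,c1,c2` is reported unequal and Validate then appends the `must be` error. That direction is fail-closed, which is the right default for a policy check, but it should be stated on the function so a later change does not loosen the comparison to "fix" it. I would expand the doc comment to: `// equalLevels compares SELinux levels for equality. Levels in the "sX:cA,cB" form are equal when the sensitivities match and the category lists match as sets (order-insensitive, duplicates not collapsed); ranges such as "c0.c5" or "s0-s1" and levels without ":" are compared only by exact string equality.` equalSensitivity is a one-line wrapper around `==` and could simply be inlined at its single call site.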


@ -76,61 +76,81 @@ func TestMustRunAsValidate(t *testing.T) {
return &api.SELinuxOptions{
User: "user",
Role: "role",
Level: "level",
Level: "s0:c0,c6",
Type: "type",
}
}
newValidOptsWithLevel := func(level string) *api.SELinuxOptions {
opts := newValidOpts()
opts.Level = level
return opts
}
role := newValidOpts()
role.Role = "invalid"
user := newValidOpts()
user.User = "invalid"
level := newValidOpts()
level.Level = "invalid"
seType := newValidOpts()
seType.Type = "invalid"
validOpts := newValidOpts()
tests := map[string]struct {
seLinux *api.SELinuxOptions
podSeLinux *api.SELinuxOptions
pspSeLinux *api.SELinuxOptions
expectedMsg string
}{
"invalid role": {
seLinux: role,
podSeLinux: role,
pspSeLinux: validOpts,
expectedMsg: "role: Invalid value",
},
"invalid user": {
seLinux: user,
podSeLinux: user,
pspSeLinux: validOpts,
expectedMsg: "user: Invalid value",
},
"invalid level": {
seLinux: level,
"levels are not equal": {
podSeLinux: newValidOptsWithLevel("s0"),
pspSeLinux: newValidOptsWithLevel("s0:c1,c2"),
expectedMsg: "level: Invalid value",
},
"invalid type": {
seLinux: seType,
expectedMsg: "type: Invalid value",
"levels differ by sensitivity": {
podSeLinux: newValidOptsWithLevel("s0:c6"),
pspSeLinux: newValidOptsWithLevel("s1:c6"),
expectedMsg: "level: Invalid value",
},
"levels differ by categories": {
podSeLinux: newValidOptsWithLevel("s0:c0,c8"),
pspSeLinux: newValidOptsWithLevel("s0:c1,c7"),
expectedMsg: "level: Invalid value",
},
"valid": {
seLinux: newValidOpts(),
podSeLinux: validOpts,
pspSeLinux: validOpts,
expectedMsg: "",
},
"valid with different order of categories": {
podSeLinux: newValidOptsWithLevel("s0:c6,c0"),
pspSeLinux: validOpts,
expectedMsg: "",
},
}
opts := &extensions.SELinuxStrategyOptions{
SELinuxOptions: newValidOpts(),
}
for name, tc := range tests {
opts := &extensions.SELinuxStrategyOptions{
SELinuxOptions: tc.pspSeLinux,
}
mustRunAs, err := NewMustRunAs(opts)
if err != nil {
t.Errorf("unexpected error initializing NewMustRunAs for testcase %s: %#v", name, err)
continue
}
errs := mustRunAs.Validate(nil, nil, nil, tc.seLinux)
errs := mustRunAs.Validate(nil, nil, nil, tc.podSeLinux)
//should've passed but didn't
if len(tc.expectedMsg) == 0 && len(errs) > 0 {
t.Errorf("%s expected no errors but received %v", name, errs)


@ -23,8 +23,7 @@ go_library(
go_test(
name = "go_default_test",
srcs = ["mustmatchpatterns_test.go"],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl",
library = ":go_default_library",
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/core/helper:go_default_library",


@ -32,14 +32,14 @@ import (
// Provider provides the implementation to generate a new security
// context based on constraints or validate an existing security context against constraints.
type Provider interface {
// Create a PodSecurityContext based on the given constraints. Also returns an updated set
// of Pod annotations for alpha feature support.
CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error)
// Create a container SecurityContext based on the given constraints. Also returns an updated set
// of Pod annotations for alpha feature support.
CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, map[string]string, error)
// Ensure a pod's SecurityContext is in compliance with the given constraints.
ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList
// DefaultPodSecurityContext sets the default values of the required but not filled fields.
// It modifies the SecurityContext and annotations of the provided pod.
DefaultPodSecurityContext(pod *api.Pod) error
// DefaultContainerSecurityContext sets the default values of the required but not filled fields.
// It modifies the SecurityContext of the container and annotations of the pod.
DefaultContainerSecurityContext(pod *api.Pod, container *api.Container) error
// Ensure a pod is in compliance with the given constraints.
ValidatePod(pod *api.Pod, fldPath *field.Path) field.ErrorList
// Ensure a container's SecurityContext is in compliance with the given constraints
ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList
// Get the name of the PSP that this provider was initialized with.


@ -31,8 +31,7 @@ go_test(
"nonroot_test.go",
"runasany_test.go",
],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/user",
library = ":go_default_library",
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library",


@ -23,8 +23,7 @@ go_library(
go_test(
name = "go_default_test",
srcs = ["util_test.go"],
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util",
library = ":go_default_library",
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library",


@ -222,3 +222,17 @@ func hasPathPrefix(s, pathPrefix string) bool {
return false
}
// EqualStringSlices compares string slices for equality. Slices are equal when
// their sizes and elements on similar positions are equal.
func EqualStringSlices(a, b []string) bool {
if len(a) != len(b) {
return false
}
for i := 0; i < len(a); i++ {
if a[i] != b[i] {
return false
}
}
return true
}
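Review bot: The doc comment on EqualStringSlices says "elements on similar positions"; what the loop checks is elements at the same index, so `// their lengths are equal and the elements at each index are equal.` reads more precisely. It is also worth stating that a nil slice and an empty non-nil slice compare equal, since only len is consulted; the added test covers nil against nil but not nil against `[]string{}`.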


@ -41,7 +41,7 @@ func TestVolumeSourceFSTypeDrift(t *testing.T) {
fsType, err := GetVolumeFSType(api.Volume{VolumeSource: volumeSource})
if err != nil {
t.Errorf("error getting fstype for field %s. This likely means that drift has occured between FSType and VolumeSource. Please update the api and getVolumeFSType", fieldVal.Name)
t.Errorf("error getting fstype for field %s. This likely means that drift has occurred between FSType and VolumeSource. Please update the api and getVolumeFSType", fieldVal.Name)
}
if !allFSTypes.Has(string(fsType)) {
@ -194,3 +194,38 @@ func TestAllowsHostVolumePath(t *testing.T) {
}
}
}
func TestEqualStringSlices(t *testing.T) {
tests := map[string]struct {
arg1 []string
arg2 []string
expectedResult bool
}{
"nil equals to nil": {
arg1: nil,
arg2: nil,
expectedResult: true,
},
"equal by size": {
arg1: []string{"1", "1"},
arg2: []string{"1", "1"},
expectedResult: true,
},
"not equal by size": {
arg1: []string{"1"},
arg2: []string{"1", "1"},
expectedResult: false,
},
"not equal by elements": {
arg1: []string{"1", "1"},
arg2: []string{"1", "2"},
expectedResult: false,
},
}
for k, v := range tests {
if result := EqualStringSlices(v.arg1, v.arg2); result != v.expectedResult {
t.Errorf("%s expected to return %t but got %t", k, v.expectedResult, result)
}
}
}