Beispiel #1
0
func TestSCCVolumeConversionsV1Beta3ToApi(t *testing.T) {
	if !registered.IsAllowedVersion(versioned.SchemeGroupVersion) {
		return
	}

	noHostDirVolumes := []api.FSType{}
	for _, v := range sccutil.GetAllFSTypesExcept(string(api.FSTypeHostPath)).List() {
		noHostDirVolumes = append(noHostDirVolumes, api.FSType(v))
	}

	tests := map[string]struct {
		scc     *versioned.SecurityContextConstraints
		volumes []api.FSType
	}{
		"hostDir false": {
			scc: &versioned.SecurityContextConstraints{
				AllowHostDirVolumePlugin: false,
			},
			volumes: noHostDirVolumes,
		},
		"hostDir true": {
			scc: &versioned.SecurityContextConstraints{
				AllowHostDirVolumePlugin: true,
			},
			volumes: []api.FSType{api.FSTypeAll},
		},
	}

	for k, v := range tests {
		got := api.SecurityContextConstraints{}
		err := api.Scheme.Convert(v.scc, &got)

		if err != nil {
			t.Errorf("%s received an error during conversion: %v", k, err)
			continue
		}
		if !reflect.DeepEqual(got.Volumes, v.volumes) {
			t.Errorf("%s expected volumes: %v but received: %v", k, v.volumes, got.Volumes)
		}
	}
}
Beispiel #2
0
// Default SCCs for new fields.  FSGroup and SupplementalGroups are
// set to the RunAsAny strategy if they are unset on the scc.
func SetDefaults_SCC(scc *SecurityContextConstraints) {
	if len(scc.FSGroup.Type) == 0 {
		scc.FSGroup.Type = FSGroupStrategyRunAsAny
	}
	if len(scc.SupplementalGroups.Type) == 0 {
		scc.SupplementalGroups.Type = SupplementalGroupsStrategyRunAsAny
	}

	// defaults the volume slice of the SCC.
	// In order to support old clients the boolean fields will always take precedence.
	defaultAllowedVolumes := fsTypeToStringSet(scc.Volumes)

	// assume a nil volume slice is allowing everything for backwards compatibility
	if defaultAllowedVolumes == nil {
		defaultAllowedVolumes = sets.NewString(string(FSTypeAll))
	}

	if scc.AllowHostDirVolumePlugin {
		// if already allowing all then there is no reason to add
		if !defaultAllowedVolumes.Has(string(FSTypeAll)) {
			defaultAllowedVolumes.Insert(string(FSTypeHostPath))
		}
	} else {
		// we should only default all volumes if the SCC came in with FSTypeAll or we defaulted it
		// otherwise we should only change the volumes slice to ensure that it does not conflict with
		// the AllowHostDirVolumePlugin setting
		shouldDefaultAllVolumes := defaultAllowedVolumes.Has(string(FSTypeAll))

		// remove anything from volumes that conflicts with AllowHostDirVolumePlugin = false
		defaultAllowedVolumes.Delete(string(FSTypeAll))
		defaultAllowedVolumes.Delete(string(FSTypeHostPath))

		if shouldDefaultAllVolumes {
			allVolumes := sccutil.GetAllFSTypesExcept(string(FSTypeHostPath))
			defaultAllowedVolumes.Insert(allVolumes.List()...)
		}
	}

	scc.Volumes = StringSetToFSType(defaultAllowedVolumes)
}
Beispiel #3
0
func TestDefaultSCCVolumes(t *testing.T) {
	tests := map[string]struct {
		scc             *versioned.SecurityContextConstraints
		expectedVolumes []versioned.FSType
		expectedHostDir bool
	}{
		// this expects the volumes to default to all for an empty volume slice
		// but since the host dir setting is false it should be all - host dir
		"old client - default allow* fields, no volumes slice": {
			scc:             &versioned.SecurityContextConstraints{},
			expectedVolumes: versioned.StringSetToFSType(sccutil.GetAllFSTypesExcept(string(versioned.FSTypeHostPath))),
			expectedHostDir: false,
		},
		// this expects the volumes to default to all for an empty volume slice
		"old client - set allowHostDir true fields, no volumes slice": {
			scc: &versioned.SecurityContextConstraints{
				AllowHostDirVolumePlugin: true,
			},
			expectedVolumes: []versioned.FSType{versioned.FSTypeAll},
			expectedHostDir: true,
		},
		"new client - allow* fields set with matching volume slice": {
			scc: &versioned.SecurityContextConstraints{
				Volumes:                  []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath},
				AllowHostDirVolumePlugin: true,
			},
			expectedVolumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath},
			expectedHostDir: true,
		},
		"new client - allow* fields set with mismatch host dir volume slice": {
			scc: &versioned.SecurityContextConstraints{
				Volumes:                  []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath},
				AllowHostDirVolumePlugin: false,
			},
			expectedVolumes: []versioned.FSType{versioned.FSTypeEmptyDir},
			expectedHostDir: false,
		},
		"new client - allow* fields set with mismatch FSTypeAll volume slice": {
			scc: &versioned.SecurityContextConstraints{
				Volumes:                  []versioned.FSType{versioned.FSTypeAll},
				AllowHostDirVolumePlugin: false,
			},
			expectedVolumes: versioned.StringSetToFSType(sccutil.GetAllFSTypesExcept(string(versioned.FSTypeHostPath))),
			expectedHostDir: false,
		},
		"new client - allow* fields unset with volume slice": {
			scc: &versioned.SecurityContextConstraints{
				Volumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath},
			},
			expectedVolumes: []versioned.FSType{versioned.FSTypeEmptyDir},
			expectedHostDir: false,
		},
		"new client - extra volume params retained": {
			scc: &versioned.SecurityContextConstraints{
				Volumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath, versioned.FSTypeGitRepo},
			},
			expectedVolumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeGitRepo},
			expectedHostDir: false,
		},
		"new client - empty volume slice, host dir true": {
			scc: &versioned.SecurityContextConstraints{
				Volumes:                  []versioned.FSType{},
				AllowHostDirVolumePlugin: true,
			},
			expectedVolumes: []versioned.FSType{versioned.FSTypeHostPath},
			expectedHostDir: true,
		},
		"new client - empty volume slice, host dir false": {
			scc: &versioned.SecurityContextConstraints{
				Volumes:                  []versioned.FSType{},
				AllowHostDirVolumePlugin: false,
			},
			expectedVolumes: []versioned.FSType{},
			expectedHostDir: false,
		},
	}
	for k, v := range tests {
		output := roundTrip(t, runtime.Object(v.scc))
		scc := output.(*versioned.SecurityContextConstraints)

		if !reflect.DeepEqual(scc.Volumes, v.expectedVolumes) {
			t.Errorf("%s has invalid volumes.  Expected: %v got: %v", k, v.expectedVolumes, scc.Volumes)
		}

		if scc.AllowHostDirVolumePlugin != v.expectedHostDir {
			t.Errorf("%s has invalid host dir.  Expected: %v got: %v", k, v.expectedHostDir, scc.AllowHostDirVolumePlugin)
		}
	}
}
Beispiel #4
0
func convert_v1beta3_SecurityContextConstraints_To_api_SecurityContextConstraints(in *SecurityContextConstraints, out *api.SecurityContextConstraints, s conversion.Scope) error {
	if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {
		defaulting.(func(*SecurityContextConstraints))(in)
	}

	if err := convert_v1beta3_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil {
		return err
	}
	if in.Priority != nil {
		out.Priority = new(int)
		*out.Priority = *in.Priority
	} else {
		out.Priority = nil
	}
	out.AllowPrivilegedContainer = in.AllowPrivilegedContainer
	if in.AllowedCapabilities != nil {
		out.AllowedCapabilities = make([]api.Capability, len(in.AllowedCapabilities))
		for i := range in.AllowedCapabilities {
			out.AllowedCapabilities[i] = api.Capability(in.AllowedCapabilities[i])
		}
	} else {
		out.AllowedCapabilities = nil
	}

	// for v1beta3 -> api volume conversion we must assume that all volumes were allowed.
	// the only volume you could turn off is the host path volume so we'll remove that based
	// on the v1beta3 setting.
	if !in.AllowHostDirVolumePlugin {
		for _, v := range sccutil.GetAllFSTypesExcept(string(api.FSTypeHostPath)).List() {
			out.Volumes = append(out.Volumes, api.FSType(v))
		}
	} else {
		out.Volumes = []api.FSType{api.FSTypeAll}
	}

	out.AllowHostNetwork = in.AllowHostNetwork
	out.AllowHostPorts = in.AllowHostPorts
	out.AllowHostPID = in.AllowHostPID
	out.AllowHostIPC = in.AllowHostIPC
	if err := convert_v1beta3_SELinuxContextStrategyOptions_To_api_SELinuxContextStrategyOptions(&in.SELinuxContext, &out.SELinuxContext, s); err != nil {
		return err
	}
	if err := convert_v1beta3_RunAsUserStrategyOptions_To_api_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
		return err
	}
	if err := convert_v1beta3_FSGroupStrategyOptions_To_api_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
		return err
	}
	if err := convert_v1beta3_SupplementalGroupsStrategyOptions_To_api_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
		return err
	}
	if in.DefaultAddCapabilities != nil {
		out.DefaultAddCapabilities = make([]api.Capability, len(in.DefaultAddCapabilities))
		for i := range in.DefaultAddCapabilities {
			out.DefaultAddCapabilities[i] = api.Capability(in.DefaultAddCapabilities[i])
		}
	} else {
		out.DefaultAddCapabilities = nil
	}
	if in.RequiredDropCapabilities != nil {
		out.RequiredDropCapabilities = make([]api.Capability, len(in.RequiredDropCapabilities))
		for i := range in.RequiredDropCapabilities {
			out.RequiredDropCapabilities[i] = api.Capability(in.RequiredDropCapabilities[i])
		}
	} else {
		out.RequiredDropCapabilities = nil
	}
	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
	if in.Users != nil {
		out.Users = make([]string, len(in.Users))
		for i := range in.Users {
			out.Users[i] = in.Users[i]
		}
	} else {
		out.Users = nil
	}
	if in.Groups != nil {
		out.Groups = make([]string, len(in.Groups))
		for i := range in.Groups {
			out.Groups[i] = in.Groups[i]
		}
	} else {
		out.Groups = nil
	}
	return nil
}