// Ensure a container's SecurityContext is in compliance with the given constraints
func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
if container.SecurityContext == nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child("securityContext"), container.SecurityContext, "No security context is set"))
return allErrs
}
sc := container.SecurityContext
allErrs = append(allErrs, s.runAsUserStrategy.Validate(pod, container)...)
allErrs = append(allErrs, s.seLinuxStrategy.Validate(pod, container)...)
if !s.scc.AllowPrivilegedContainer && *sc.Privileged {
allErrs = append(allErrs, field.Invalid(fldPath.Child("privileged"), *sc.Privileged, "Privileged containers are not allowed"))
}
allErrs = append(allErrs, s.capabilitiesStrategy.Validate(pod, container)...)
if len(pod.Spec.Volumes) > 0 && !sccutil.SCCAllowsAllVolumes(s.scc) {
allowedVolumes := sccutil.FSTypeToStringSet(s.scc.Volumes)
for i, v := range pod.Spec.Volumes {
fsType, err := sccutil.GetVolumeFSType(v)
if err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child("volumes").Index(i), string(fsType), err.Error()))
continue
}
if !allowedVolumes.Has(string(fsType)) {
allErrs = append(allErrs, field.Invalid(
fldPath.Child("volumes").Index(i), string(fsType),
fmt.Sprintf("%s volumes are not allowed to be used", string(fsType))))
}
}
}
if !s.scc.AllowHostNetwork && pod.Spec.SecurityContext.HostNetwork {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), pod.Spec.SecurityContext.HostNetwork, "Host network is not allowed to be used"))
}
if !s.scc.AllowHostPorts {
containersPath := fldPath.Child("containers")
for idx, c := range pod.Spec.Containers {
idxPath := containersPath.Index(idx)
allErrs = append(allErrs, s.hasHostPort(&c, idxPath)...)
}
}
if !s.scc.AllowHostPID && pod.Spec.SecurityContext.HostPID {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), pod.Spec.SecurityContext.HostPID, "Host PID is not allowed to be used"))
}
if !s.scc.AllowHostIPC && pod.Spec.SecurityContext.HostIPC {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostIPC"), pod.Spec.SecurityContext.HostIPC, "Host IPC is not allowed to be used"))
}
if s.scc.ReadOnlyRootFilesystem {
if sc.ReadOnlyRootFilesystem == nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child("readOnlyRootFilesystem"), sc.ReadOnlyRootFilesystem, "ReadOnlyRootFilesystem may not be nil and must be set to true"))
} else if !*sc.ReadOnlyRootFilesystem {
allErrs = append(allErrs, field.Invalid(fldPath.Child("readOnlyRootFilesystem"), *sc.ReadOnlyRootFilesystem, "ReadOnlyRootFilesystem must be set to true"))
}
}
return allErrs
}
func convert_api_SecurityContextConstraints_To_v1beta3_SecurityContextConstraints(in *api.SecurityContextConstraints, out *SecurityContextConstraints, s conversion.Scope) error {
if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {
defaulting.(func(*api.SecurityContextConstraints))(in)
}
if err := convert_api_ObjectMeta_To_v1beta3_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil {
return err
}
if in.Priority != nil {
out.Priority = new(int)
*out.Priority = *in.Priority
} else {
out.Priority = nil
}
out.AllowPrivilegedContainer = in.AllowPrivilegedContainer
if in.AllowedCapabilities != nil {
out.AllowedCapabilities = make([]Capability, len(in.AllowedCapabilities))
for i := range in.AllowedCapabilities {
out.AllowedCapabilities[i] = Capability(in.AllowedCapabilities[i])
}
} else {
out.AllowedCapabilities = nil
}
// for api -> v1beta3 we will set the AllowHostdirVolumePlugin based on the existence of
// FSTypeAll or FSTypeHostPath in the volumes slice.
if sccutil.SCCAllowsAllVolumes(in) || sccutil.SCCAllowsFSType(in, api.FSTypeHostPath) {
out.AllowHostDirVolumePlugin = true
}
out.AllowHostNetwork = in.AllowHostNetwork
out.AllowHostPorts = in.AllowHostPorts
out.AllowHostPID = in.AllowHostPID
out.AllowHostIPC = in.AllowHostIPC
if err := convert_api_SELinuxContextStrategyOptions_To_v1beta3_SELinuxContextStrategyOptions(&in.SELinuxContext, &out.SELinuxContext, s); err != nil {
return err
}
if err := convert_api_RunAsUserStrategyOptions_To_v1beta3_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
return err
}
if err := convert_api_FSGroupStrategyOptions_To_v1beta3_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
return err
}
if err := convert_api_SupplementalGroupsStrategyOptions_To_v1beta3_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
return err
}
if in.DefaultAddCapabilities != nil {
out.DefaultAddCapabilities = make([]Capability, len(in.DefaultAddCapabilities))
for i := range in.DefaultAddCapabilities {
out.DefaultAddCapabilities[i] = Capability(in.DefaultAddCapabilities[i])
}
} else {
out.DefaultAddCapabilities = nil
}
if in.RequiredDropCapabilities != nil {
out.RequiredDropCapabilities = make([]Capability, len(in.RequiredDropCapabilities))
for i := range in.RequiredDropCapabilities {
out.RequiredDropCapabilities[i] = Capability(in.RequiredDropCapabilities[i])
}
} else {
out.RequiredDropCapabilities = nil
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
if in.Users != nil {
out.Users = make([]string, len(in.Users))
for i := range in.Users {
out.Users[i] = in.Users[i]
}
} else {
out.Users = nil
}
if in.Groups != nil {
out.Groups = make([]string, len(in.Groups))
for i := range in.Groups {
out.Groups[i] = in.Groups[i]
}
} else {
out.Groups = nil
}
return nil
}
