// validateServiceAccount checks that the service account sa in namespace ns
// is covered by at least one SecurityContextConstraints (SCC) object that
// allows host ports.
//
// It lists every SCC in the cluster through kClient, builds the service
// account's user info with serviceaccount.UserInfo, and returns nil as soon as
// an SCC accepted by admission.ConstraintAppliesTo has AllowHostPorts set.
//
// A non-nil error is returned when the SCC list call fails or when no
// applicable SCC allows host ports. Both outcomes fail closed, and both are
// plain fmt.Errorf errors, so a caller can tell "could not check" from
// "checked and denied" only by the message text.
//
// The answer reflects the SCC list as read during this call; later changes to
// SCCs are not observed here.
// NOTE(review): this looks like a pre-flight check rather than an enforcement
// point — confirm where host-port use is actually enforced.
func validateServiceAccount(kClient *kclient.Client, ns string, sa string) error {
	// Fetch all SCCs, unfiltered by label or field selector.
	constraints, err := kClient.SecurityContextConstraints().List(labels.Everything(), fields.Everything())
	if err != nil {
		return fmt.Errorf("unable to validate service account %v", err)
	}

	// Identity that the SCCs are matched against. The third argument is left
	// empty. NOTE(review): presumably the service account UID, which is not
	// known at this point — confirm against serviceaccount.UserInfo.
	saInfo := serviceaccount.UserInfo(ns, sa, "")

	for i := range constraints.Items {
		// Work on a copy of the element, so the callee receives a pointer to
		// a local value rather than into the list's backing array.
		candidate := constraints.Items[i]
		if !admission.ConstraintAppliesTo(&candidate, saInfo) {
			continue
		}
		// One applicable SCC that permits host ports is sufficient.
		if candidate.AllowHostPorts {
			return nil
		}
	}

	// No SCC applying to this service account grants host ports.
	return fmt.Errorf("unable to validate service account, host ports are forbidden")
}