func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} if p := annotations[apparmor.DefaultProfileAnnotationKey]; p != "" { if err := apparmor.ValidateProfileFormat(p); err != nil { allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.DefaultProfileAnnotationKey), p, err.Error())) } } if allowed := annotations[apparmor.AllowedProfilesAnnotationKey]; allowed != "" { for _, p := range strings.Split(allowed, ",") { if err := apparmor.ValidateProfileFormat(p); err != nil { allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.AllowedProfilesAnnotationKey), allowed, err.Error())) } } } sysctlAnnotation := annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] sysctlFldPath := fldPath.Key(extensions.SysctlsPodSecurityPolicyAnnotationKey) sysctls, err := extensions.SysctlsFromPodSecurityPolicyAnnotation(sysctlAnnotation) if err != nil { allErrs = append(allErrs, field.Invalid(sysctlFldPath, sysctlAnnotation, err.Error())) } else { allErrs = append(allErrs, validatePodSecurityPolicySysctls(sysctlFldPath, sysctls)...) } if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" { allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...) } if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" { for _, p := range strings.Split(allowed, ",") { allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...) } } return allErrs }
func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPolicy, namespace string) (*ProviderStrategies, error) { errs := []error{} userStrat, err := createUserStrategy(&psp.Spec.RunAsUser) if err != nil { errs = append(errs, err) } seLinuxStrat, err := createSELinuxStrategy(&psp.Spec.SELinux) if err != nil { errs = append(errs, err) } appArmorStrat, err := createAppArmorStrategy(psp) if err != nil { errs = append(errs, err) } fsGroupStrat, err := createFSGroupStrategy(&psp.Spec.FSGroup) if err != nil { errs = append(errs, err) } supGroupStrat, err := createSupplementalGroupStrategy(&psp.Spec.SupplementalGroups) if err != nil { errs = append(errs, err) } capStrat, err := createCapabilitiesStrategy(psp.Spec.DefaultAddCapabilities, psp.Spec.RequiredDropCapabilities, psp.Spec.AllowedCapabilities) if err != nil { errs = append(errs, err) } var unsafeSysctls []string if ann, found := psp.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey]; found { var err error unsafeSysctls, err = extensions.SysctlsFromPodSecurityPolicyAnnotation(ann) if err != nil { errs = append(errs, err) } } sysctlsStrat := createSysctlsStrategy(unsafeSysctls) if len(errs) > 0 { return nil, errors.NewAggregate(errs) } strategies := &ProviderStrategies{ RunAsUserStrategy: userStrat, SELinuxStrategy: seLinuxStrat, AppArmorStrategy: appArmorStrat, FSGroupStrategy: fsGroupStrat, SupplementalGroupStrategy: supGroupStrat, CapabilitiesStrategy: capStrat, SysctlsStrategy: sysctlsStrat, } return strategies, nil }
// NewSimpleProvider creates a new SecurityContextConstraintsProvider instance. func NewSimpleProvider(scc *api.SecurityContextConstraints) (SecurityContextConstraintsProvider, error) { if scc == nil { return nil, fmt.Errorf("NewSimpleProvider requires a SecurityContextConstraints") } userStrat, err := createUserStrategy(&scc.RunAsUser) if err != nil { return nil, err } seLinuxStrat, err := createSELinuxStrategy(&scc.SELinuxContext) if err != nil { return nil, err } fsGroupStrat, err := createFSGroupStrategy(&scc.FSGroup) if err != nil { return nil, err } supGroupStrat, err := createSupplementalGroupStrategy(&scc.SupplementalGroups) if err != nil { return nil, err } capStrat, err := createCapabilitiesStrategy(scc.DefaultAddCapabilities, scc.RequiredDropCapabilities, scc.AllowedCapabilities) if err != nil { return nil, err } seccompStrat, err := createSeccompStrategy(scc.SeccompProfiles) if err != nil { return nil, err } var unsafeSysctls []string if ann, found := scc.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey]; found { var err error unsafeSysctls, err = extensions.SysctlsFromPodSecurityPolicyAnnotation(ann) if err != nil { return nil, err } } sysctlsStrat, err := createSysctlsStrategy(unsafeSysctls) if err != nil { return nil, err } return &simpleProvider{ scc: scc, runAsUserStrategy: userStrat, seLinuxStrategy: seLinuxStrat, fsGroupStrategy: fsGroupStrat, supplementalGroupStrategy: supGroupStrat, capabilitiesStrategy: capStrat, seccompStrategy: seccompStrat, sysctlsStrategy: sysctlsStrat, }, nil }