// capabilityFromStringSlice creates a capability slice from a string slice.
func capabilityFromStringSlice(slice []string) []api.Capability {
if len(slice) == 0 {
return nil
}
caps := []api.Capability{}
for _, c := range slice {
caps = append(caps, api.Capability(c))
}
return caps
}
func TestHasNonNamespacedCapability(t *testing.T) {
createPodWithCap := func(caps []api.Capability) *api.Pod {
pod := &api.Pod{
Spec: api.PodSpec{
Containers: []api.Container{{}},
},
}
if len(caps) > 0 {
pod.Spec.Containers[0].SecurityContext = &api.SecurityContext{
Capabilities: &api.Capabilities{
Add: caps,
},
}
}
return pod
}
nilCaps := createPodWithCap([]api.Capability{api.Capability("foo")})
nilCaps.Spec.Containers[0].SecurityContext = nil
tests := map[string]struct {
pod *api.Pod
expected bool
}{
"nil security contxt": {createPodWithCap(nil), false},
"nil caps": {nilCaps, false},
"namespaced cap": {createPodWithCap([]api.Capability{api.Capability("foo")}), false},
"non-namespaced cap MKNOD": {createPodWithCap([]api.Capability{api.Capability("MKNOD")}), true},
"non-namespaced cap SYS_TIME": {createPodWithCap([]api.Capability{api.Capability("SYS_TIME")}), true},
"non-namespaced cap SYS_MODULE": {createPodWithCap([]api.Capability{api.Capability("SYS_MODULE")}), true},
}
for k, v := range tests {
actual := hasNonNamespacedCapability(v.pod)
if actual != v.expected {
t.Errorf("%s failed, expected %t but got %t", k, v.expected, actual)
}
}
}
func convert_v1beta3_SecurityContextConstraints_To_api_SecurityContextConstraints(in *SecurityContextConstraints, out *api.SecurityContextConstraints, s conversion.Scope) error {
if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {
defaulting.(func(*SecurityContextConstraints))(in)
}
if err := convert_v1beta3_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil {
return err
}
if in.Priority != nil {
out.Priority = new(int)
*out.Priority = *in.Priority
} else {
out.Priority = nil
}
out.AllowPrivilegedContainer = in.AllowPrivilegedContainer
if in.AllowedCapabilities != nil {
out.AllowedCapabilities = make([]api.Capability, len(in.AllowedCapabilities))
for i := range in.AllowedCapabilities {
out.AllowedCapabilities[i] = api.Capability(in.AllowedCapabilities[i])
}
} else {
out.AllowedCapabilities = nil
}
// for v1beta3 -> api volume conversion we must assume that all volumes were allowed.
// the only volume you could turn off is the host path volume so we'll remove that based
// on the v1beta3 setting.
if !in.AllowHostDirVolumePlugin {
for _, v := range sccutil.GetAllFSTypesExcept(string(api.FSTypeHostPath)).List() {
out.Volumes = append(out.Volumes, api.FSType(v))
}
} else {
out.Volumes = []api.FSType{api.FSTypeAll}
}
out.AllowHostNetwork = in.AllowHostNetwork
out.AllowHostPorts = in.AllowHostPorts
out.AllowHostPID = in.AllowHostPID
out.AllowHostIPC = in.AllowHostIPC
if err := convert_v1beta3_SELinuxContextStrategyOptions_To_api_SELinuxContextStrategyOptions(&in.SELinuxContext, &out.SELinuxContext, s); err != nil {
return err
}
if err := convert_v1beta3_RunAsUserStrategyOptions_To_api_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
return err
}
if err := convert_v1beta3_FSGroupStrategyOptions_To_api_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
return err
}
if err := convert_v1beta3_SupplementalGroupsStrategyOptions_To_api_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
return err
}
if in.DefaultAddCapabilities != nil {
out.DefaultAddCapabilities = make([]api.Capability, len(in.DefaultAddCapabilities))
for i := range in.DefaultAddCapabilities {
out.DefaultAddCapabilities[i] = api.Capability(in.DefaultAddCapabilities[i])
}
} else {
out.DefaultAddCapabilities = nil
}
if in.RequiredDropCapabilities != nil {
out.RequiredDropCapabilities = make([]api.Capability, len(in.RequiredDropCapabilities))
for i := range in.RequiredDropCapabilities {
out.RequiredDropCapabilities[i] = api.Capability(in.RequiredDropCapabilities[i])
}
} else {
out.RequiredDropCapabilities = nil
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
if in.Users != nil {
out.Users = make([]string, len(in.Users))
for i := range in.Users {
out.Users[i] = in.Users[i]
}
} else {
out.Users = nil
}
if in.Groups != nil {
out.Groups = make([]string, len(in.Groups))
for i := range in.Groups {
out.Groups[i] = in.Groups[i]
}
} else {
out.Groups = nil
}
return nil
}
