func TestSCCVolumeConversionsV1Beta3ToApi(t *testing.T) {
if !registered.IsAllowedVersion(versioned.SchemeGroupVersion) {
return
}
noHostDirVolumes := []api.FSType{}
for _, v := range sccutil.GetAllFSTypesExcept(string(api.FSTypeHostPath)).List() {
noHostDirVolumes = append(noHostDirVolumes, api.FSType(v))
}
tests := map[string]struct {
scc *versioned.SecurityContextConstraints
volumes []api.FSType
}{
"hostDir false": {
scc: &versioned.SecurityContextConstraints{
AllowHostDirVolumePlugin: false,
},
volumes: noHostDirVolumes,
},
"hostDir true": {
scc: &versioned.SecurityContextConstraints{
AllowHostDirVolumePlugin: true,
},
volumes: []api.FSType{api.FSTypeAll},
},
}
for k, v := range tests {
got := api.SecurityContextConstraints{}
err := api.Scheme.Convert(v.scc, &got)
if err != nil {
t.Errorf("%s received an error during conversion: %v", k, err)
continue
}
if !reflect.DeepEqual(got.Volumes, v.volumes) {
t.Errorf("%s expected volumes: %v but received: %v", k, v.volumes, got.Volumes)
}
}
}
// Default SCCs for new fields. FSGroup and SupplementalGroups are
// set to the RunAsAny strategy if they are unset on the scc.
func SetDefaults_SCC(scc *SecurityContextConstraints) {
if len(scc.FSGroup.Type) == 0 {
scc.FSGroup.Type = FSGroupStrategyRunAsAny
}
if len(scc.SupplementalGroups.Type) == 0 {
scc.SupplementalGroups.Type = SupplementalGroupsStrategyRunAsAny
}
// defaults the volume slice of the SCC.
// In order to support old clients the boolean fields will always take precedence.
defaultAllowedVolumes := fsTypeToStringSet(scc.Volumes)
// assume a nil volume slice is allowing everything for backwards compatibility
if defaultAllowedVolumes == nil {
defaultAllowedVolumes = sets.NewString(string(FSTypeAll))
}
if scc.AllowHostDirVolumePlugin {
// if already allowing all then there is no reason to add
if !defaultAllowedVolumes.Has(string(FSTypeAll)) {
defaultAllowedVolumes.Insert(string(FSTypeHostPath))
}
} else {
// we should only default all volumes if the SCC came in with FSTypeAll or we defaulted it
// otherwise we should only change the volumes slice to ensure that it does not conflict with
// the AllowHostDirVolumePlugin setting
shouldDefaultAllVolumes := defaultAllowedVolumes.Has(string(FSTypeAll))
// remove anything from volumes that conflicts with AllowHostDirVolumePlugin = false
defaultAllowedVolumes.Delete(string(FSTypeAll))
defaultAllowedVolumes.Delete(string(FSTypeHostPath))
if shouldDefaultAllVolumes {
allVolumes := sccutil.GetAllFSTypesExcept(string(FSTypeHostPath))
defaultAllowedVolumes.Insert(allVolumes.List()...)
}
}
scc.Volumes = StringSetToFSType(defaultAllowedVolumes)
}
func TestDefaultSCCVolumes(t *testing.T) {
tests := map[string]struct {
scc *versioned.SecurityContextConstraints
expectedVolumes []versioned.FSType
expectedHostDir bool
}{
// this expects the volumes to default to all for an empty volume slice
// but since the host dir setting is false it should be all - host dir
"old client - default allow* fields, no volumes slice": {
scc: &versioned.SecurityContextConstraints{},
expectedVolumes: versioned.StringSetToFSType(sccutil.GetAllFSTypesExcept(string(versioned.FSTypeHostPath))),
expectedHostDir: false,
},
// this expects the volumes to default to all for an empty volume slice
"old client - set allowHostDir true fields, no volumes slice": {
scc: &versioned.SecurityContextConstraints{
AllowHostDirVolumePlugin: true,
},
expectedVolumes: []versioned.FSType{versioned.FSTypeAll},
expectedHostDir: true,
},
"new client - allow* fields set with matching volume slice": {
scc: &versioned.SecurityContextConstraints{
Volumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath},
AllowHostDirVolumePlugin: true,
},
expectedVolumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath},
expectedHostDir: true,
},
"new client - allow* fields set with mismatch host dir volume slice": {
scc: &versioned.SecurityContextConstraints{
Volumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath},
AllowHostDirVolumePlugin: false,
},
expectedVolumes: []versioned.FSType{versioned.FSTypeEmptyDir},
expectedHostDir: false,
},
"new client - allow* fields set with mismatch FSTypeAll volume slice": {
scc: &versioned.SecurityContextConstraints{
Volumes: []versioned.FSType{versioned.FSTypeAll},
AllowHostDirVolumePlugin: false,
},
expectedVolumes: versioned.StringSetToFSType(sccutil.GetAllFSTypesExcept(string(versioned.FSTypeHostPath))),
expectedHostDir: false,
},
"new client - allow* fields unset with volume slice": {
scc: &versioned.SecurityContextConstraints{
Volumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath},
},
expectedVolumes: []versioned.FSType{versioned.FSTypeEmptyDir},
expectedHostDir: false,
},
"new client - extra volume params retained": {
scc: &versioned.SecurityContextConstraints{
Volumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeHostPath, versioned.FSTypeGitRepo},
},
expectedVolumes: []versioned.FSType{versioned.FSTypeEmptyDir, versioned.FSTypeGitRepo},
expectedHostDir: false,
},
"new client - empty volume slice, host dir true": {
scc: &versioned.SecurityContextConstraints{
Volumes: []versioned.FSType{},
AllowHostDirVolumePlugin: true,
},
expectedVolumes: []versioned.FSType{versioned.FSTypeHostPath},
expectedHostDir: true,
},
"new client - empty volume slice, host dir false": {
scc: &versioned.SecurityContextConstraints{
Volumes: []versioned.FSType{},
AllowHostDirVolumePlugin: false,
},
expectedVolumes: []versioned.FSType{},
expectedHostDir: false,
},
}
for k, v := range tests {
output := roundTrip(t, runtime.Object(v.scc))
scc := output.(*versioned.SecurityContextConstraints)
if !reflect.DeepEqual(scc.Volumes, v.expectedVolumes) {
t.Errorf("%s has invalid volumes. Expected: %v got: %v", k, v.expectedVolumes, scc.Volumes)
}
if scc.AllowHostDirVolumePlugin != v.expectedHostDir {
t.Errorf("%s has invalid host dir. Expected: %v got: %v", k, v.expectedHostDir, scc.AllowHostDirVolumePlugin)
}
}
}
func convert_v1beta3_SecurityContextConstraints_To_api_SecurityContextConstraints(in *SecurityContextConstraints, out *api.SecurityContextConstraints, s conversion.Scope) error {
if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {
defaulting.(func(*SecurityContextConstraints))(in)
}
if err := convert_v1beta3_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil {
return err
}
if in.Priority != nil {
out.Priority = new(int)
*out.Priority = *in.Priority
} else {
out.Priority = nil
}
out.AllowPrivilegedContainer = in.AllowPrivilegedContainer
if in.AllowedCapabilities != nil {
out.AllowedCapabilities = make([]api.Capability, len(in.AllowedCapabilities))
for i := range in.AllowedCapabilities {
out.AllowedCapabilities[i] = api.Capability(in.AllowedCapabilities[i])
}
} else {
out.AllowedCapabilities = nil
}
// for v1beta3 -> api volume conversion we must assume that all volumes were allowed.
// the only volume you could turn off is the host path volume so we'll remove that based
// on the v1beta3 setting.
if !in.AllowHostDirVolumePlugin {
for _, v := range sccutil.GetAllFSTypesExcept(string(api.FSTypeHostPath)).List() {
out.Volumes = append(out.Volumes, api.FSType(v))
}
} else {
out.Volumes = []api.FSType{api.FSTypeAll}
}
out.AllowHostNetwork = in.AllowHostNetwork
out.AllowHostPorts = in.AllowHostPorts
out.AllowHostPID = in.AllowHostPID
out.AllowHostIPC = in.AllowHostIPC
if err := convert_v1beta3_SELinuxContextStrategyOptions_To_api_SELinuxContextStrategyOptions(&in.SELinuxContext, &out.SELinuxContext, s); err != nil {
return err
}
if err := convert_v1beta3_RunAsUserStrategyOptions_To_api_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
return err
}
if err := convert_v1beta3_FSGroupStrategyOptions_To_api_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
return err
}
if err := convert_v1beta3_SupplementalGroupsStrategyOptions_To_api_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
return err
}
if in.DefaultAddCapabilities != nil {
out.DefaultAddCapabilities = make([]api.Capability, len(in.DefaultAddCapabilities))
for i := range in.DefaultAddCapabilities {
out.DefaultAddCapabilities[i] = api.Capability(in.DefaultAddCapabilities[i])
}
} else {
out.DefaultAddCapabilities = nil
}
if in.RequiredDropCapabilities != nil {
out.RequiredDropCapabilities = make([]api.Capability, len(in.RequiredDropCapabilities))
for i := range in.RequiredDropCapabilities {
out.RequiredDropCapabilities[i] = api.Capability(in.RequiredDropCapabilities[i])
}
} else {
out.RequiredDropCapabilities = nil
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
if in.Users != nil {
out.Users = make([]string, len(in.Users))
for i := range in.Users {
out.Users[i] = in.Users[i]
}
} else {
out.Users = nil
}
if in.Groups != nil {
out.Groups = make([]string, len(in.Groups))
for i := range in.Groups {
out.Groups[i] = in.Groups[i]
}
} else {
out.Groups = nil
}
return nil
}