scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-03 11:48:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add SELinuxChangePolicy validation

Browse Source
This commit is contained in:
Jan Safranek
2024-10-08 10:27:08 +02:00
parent 3867cb40ad
commit 6ca7b959e4
4 changed files with 282 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
pkg/apis/core/validation/validation.go
View File

@@ -4058,6 +4058,8 @@ type PodValidationOptions struct {
AllowRelaxedDNSSearchValidation bool
// Allows zero value for Pod Lifecycle Sleep Action
AllowPodLifecycleSleepActionZeroValue bool
// Allow only Recursive value of SELinuxChangePolicy.
AllowOnlyRecursiveSELinuxChangePolicy bool
}
// validatePodMetadataAndSpec tests if required fields in the pod.metadata and pod.spec are set,
@@ -4356,6 +4358,9 @@ func validateWindows(spec *core.PodSpec, fldPath *field.Path) field.ErrorList {
if securityContext.SupplementalGroupsPolicy != nil {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("securityContext").Child("supplementalGroupsPolicy"), "cannot be set for a windows pod"))
}
if securityContext.SELinuxChangePolicy != nil {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("securityContext").Child("seLinuxChangePolicy"), "cannot be set for a windows pod"))
}
}
podshelper.VisitContainersWithPath(spec, fldPath, func(c *core.Container, cFldPath *field.Path) bool {
// validate container security context
@@ -4941,6 +4946,28 @@ func ValidateHostSysctl(sysctl string, securityContext *core.PodSecurityContext,
return nil
}
var validSELinuxChangePolicies = sets.New(core.SELinuxChangePolicyRecursive, core.SELinuxChangePolicyMountOption)
func validateSELinuxChangePolicy(seLinuxChangePolicy *core.PodSELinuxChangePolicy, fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
if seLinuxChangePolicy == nil {
return nil
}
allErrs := field.ErrorList{}
if opts.AllowOnlyRecursiveSELinuxChangePolicy {
if *seLinuxChangePolicy != core.SELinuxChangePolicyRecursive {
allErrs = append(allErrs, field.NotSupported(fldPath, *seLinuxChangePolicy, []core.PodSELinuxChangePolicy{core.SELinuxChangePolicyRecursive}))
}
} else {
// Allow any valid SELinuxChangePolicy value.
if !validSELinuxChangePolicies.Has(*seLinuxChangePolicy) {
allErrs = append(allErrs, field.NotSupported(fldPath, *seLinuxChangePolicy, sets.List(validSELinuxChangePolicies)))
}
}
return allErrs
}
// validatePodSpecSecurityContext verifies the SecurityContext of a PodSpec,
// whether that is defined in a Pod or in an embedded PodSpec (e.g. a
// Deployment's pod template).
@@ -4987,6 +5014,10 @@ func validatePodSpecSecurityContext(securityContext *core.PodSecurityContext, sp
if securityContext.SupplementalGroupsPolicy != nil {
allErrs = append(allErrs, validateSupplementalGroupsPolicy(securityContext.SupplementalGroupsPolicy, fldPath.Child("supplementalGroupsPolicy"))...)
}
if securityContext.SELinuxChangePolicy != nil {
allErrs = append(allErrs, validateSELinuxChangePolicy(securityContext.SELinuxChangePolicy, fldPath.Child("seLinuxChangePolicy"), opts)...)
}
}
return allErrs