Merge pull request #127981 from jsafrane/selinux-changepolicy

1710: Implement SELinuxChangePolicy
2025-10-31 18:28:13 +00:00 · 2024-11-04 22:09:29 +00:00
parent b240c51a72 09afd667d7
commit 97c79df18f
87 changed files with 1909 additions and 1077 deletions
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -20583,6 +20583,7 @@ func TestValidateOSFields(t *testing.T) {
 		"SecurityContext.RunAsGroup",
 		"SecurityContext.RunAsUser",
 		"SecurityContext.SELinuxOptions",
+		"SecurityContext.SELinuxChangePolicy",
 		"SecurityContext.SeccompProfile",
 		"SecurityContext.ShareProcessNamespace",
 		"SecurityContext.SupplementalGroups",
@@ -25026,3 +25027,78 @@ func TestValidateContainerStatusAllocatedResourcesStatus(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateSELinuxChangePolicy(t *testing.T) {
+	tests := []struct {
+		name               string
+		pod                *core.Pod
+		allowOnlyRecursive bool
+		wantErrs           field.ErrorList
+	}{
+		{
+			name: "nil is valid",
+			pod: podtest.MakePod("pod", podtest.SetSecurityContext(&core.PodSecurityContext{
+				SELinuxChangePolicy: nil,
+			})),
+			allowOnlyRecursive: false,
+			wantErrs:           nil,
+		},
+		{
+			name: "Recursive is always valid",
+			pod: podtest.MakePod("pod", podtest.SetSecurityContext(&core.PodSecurityContext{
+				SELinuxChangePolicy: ptr.To(core.SELinuxChangePolicyRecursive),
+			})),
+			allowOnlyRecursive: false,
+			wantErrs:           nil,
+		},
+		{
+			name: "MountOption is not valid when AllowOnlyRecursiveSELinuxChangePolicy",
+			pod: podtest.MakePod("pod", podtest.SetSecurityContext(&core.PodSecurityContext{
+				SELinuxChangePolicy: ptr.To(core.SELinuxChangePolicyMountOption),
+			})),
+			allowOnlyRecursive: true,
+			wantErrs: field.ErrorList{
+				field.NotSupported(
+					field.NewPath("spec", "securityContext", "seLinuxChangePolicy"),
+					core.PodSELinuxChangePolicy("MountOption"),
+					[]string{"Recursive"}),
+			},
+		},
+		{
+			name: "MountOption is valid when not AllowOnlyRecursiveSELinuxChangePolicy",
+			pod: podtest.MakePod("pod", podtest.SetSecurityContext(&core.PodSecurityContext{
+				SELinuxChangePolicy: ptr.To(core.SELinuxChangePolicyMountOption),
+			})),
+			allowOnlyRecursive: false,
+			wantErrs:           nil,
+		},
+		{
+			name: "invalid value",
+			pod: podtest.MakePod("pod", podtest.SetSecurityContext(&core.PodSecurityContext{
+				SELinuxChangePolicy: ptr.To(core.PodSELinuxChangePolicy("InvalidValue")),
+			})),
+			allowOnlyRecursive: false,
+			wantErrs: field.ErrorList{
+				field.NotSupported(field.NewPath("spec", "securityContext", "seLinuxChangePolicy"),
+					core.PodSELinuxChangePolicy("InvalidValue"),
+					[]string{"MountOption", "Recursive"}),
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			opts := PodValidationOptions{
+				AllowOnlyRecursiveSELinuxChangePolicy: tc.allowOnlyRecursive,
+			}
+			errs := ValidatePodSpec(&tc.pod.Spec, &tc.pod.ObjectMeta, field.NewPath("spec"), opts)
+			if len(errs) == 0 {
+				errs = nil
+			}
+			if diff := cmp.Diff(tc.wantErrs, errs); diff != "" {
+				t.Errorf("unexpected field errors (-want, +got):\n%s", diff)
+			}
+
+		})
+	}
+}