ProcMount validation and testing

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

pkg/api/pod/util.go

@@ -322,31 +322,18 @@ func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
 }
 
 // dropDisabledProcMountField removes disabled fields from PodSpec related
-// to ProcMount
+// to ProcMount only if it is not already used by the old spec
 func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) {
-		defProcMount := api.DefaultProcMount
+	if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) && !procMountInUse(oldPodSpec) {
+		defaultProcMount := api.DefaultProcMount
 		for i := range podSpec.Containers {
 			if podSpec.Containers[i].SecurityContext != nil {
-				podSpec.Containers[i].SecurityContext.ProcMount = &defProcMount
+				podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount
 			}
 		}
 		for i := range podSpec.InitContainers {
 			if podSpec.InitContainers[i].SecurityContext != nil {
-				podSpec.InitContainers[i].SecurityContext.ProcMount = &defProcMount
-			}
-		}
-
-		if oldPodSpec != nil {
-			for i := range oldPodSpec.Containers {
-				if oldPodSpec.Containers[i].SecurityContext != nil {
-					oldPodSpec.Containers[i].SecurityContext.ProcMount = &defProcMount
-				}
-			}
-			for i := range oldPodSpec.InitContainers {
-				if oldPodSpec.InitContainers[i].SecurityContext != nil {
-					oldPodSpec.InitContainers[i].SecurityContext.ProcMount = &defProcMount
-				}
+				podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount
 			}
 		}
 	}
@@ -406,3 +393,29 @@ func runtimeClassInUse(podSpec *api.PodSpec) bool {
 	}
 	return false
 }
+
+// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set
+func procMountInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+	for i := range podSpec.Containers {
+		if podSpec.Containers[i].SecurityContext != nil {
+			if podSpec.Containers[i].SecurityContext.ProcMount != nil {
+				if *podSpec.Containers[i].SecurityContext.ProcMount != api.DefaultProcMount {
+					return true
+				}
+			}
+		}
+	}
+	for i := range podSpec.InitContainers {
+		if podSpec.InitContainers[i].SecurityContext != nil {
+			if podSpec.InitContainers[i].SecurityContext.ProcMount != nil {
+				if *podSpec.InitContainers[i].SecurityContext.ProcMount != api.DefaultProcMount {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}

pkg/api/pod/util_test.go

@@ -518,3 +518,97 @@ func TestDropRuntimeClass(t *testing.T) {
 		}
 	}
 }
+
+func TestDropProcMount(t *testing.T) {
+	procMount := api.UnmaskedProcMount
+	defaultProcMount := api.DefaultProcMount
+	podWithProcMount := func() *api.Pod {
+		return &api.Pod{
+			Spec: api.PodSpec{
+				RestartPolicy:  api.RestartPolicyNever,
+				Containers:     []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &procMount}}},
+				InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &procMount}}},
+			},
+		}
+	}
+	podWithoutProcMount := func() *api.Pod {
+		return &api.Pod{
+			Spec: api.PodSpec{
+				RestartPolicy:  api.RestartPolicyNever,
+				Containers:     []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &defaultProcMount}}},
+				InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &defaultProcMount}}},
+			},
+		}
+	}
+
+	podInfo := []struct {
+		description  string
+		hasProcMount bool
+		pod          func() *api.Pod
+	}{
+		{
+			description:  "has ProcMount",
+			hasProcMount: true,
+			pod:          podWithProcMount,
+		},
+		{
+			description:  "does not have ProcMount",
+			hasProcMount: false,
+			pod:          podWithoutProcMount,
+		},
+		{
+			description:  "is nil",
+			hasProcMount: false,
+			pod:          func() *api.Pod { return nil },
+		},
+	}
+
+	for _, enabled := range []bool{true, false} {
+		for _, oldPodInfo := range podInfo {
+			for _, newPodInfo := range podInfo {
+				oldPodHasProcMount, oldPod := oldPodInfo.hasProcMount, oldPodInfo.pod()
+				newPodHasProcMount, newPod := newPodInfo.hasProcMount, newPodInfo.pod()
+				if newPod == nil {
+					continue
+				}
+
+				t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
+					defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, enabled)()
+
+					var oldPodSpec *api.PodSpec
+					if oldPod != nil {
+						oldPodSpec = &oldPod.Spec
+					}
+					DropDisabledFields(&newPod.Spec, oldPodSpec)
+
+					// old pod should never be changed
+					if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
+						t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
+					}
+
+					switch {
+					case enabled || oldPodHasProcMount:
+						// new pod should not be changed if the feature is enabled, or if the old pod had ProcMount
+						if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
+							t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
+						}
+					case newPodHasProcMount:
+						// new pod should be changed
+						if reflect.DeepEqual(newPod, newPodInfo.pod()) {
+							t.Errorf("new pod was not changed")
+						}
+						// new pod should not have ProcMount
+						if !reflect.DeepEqual(newPod, podWithoutProcMount()) {
+							t.Errorf("new pod had ProcMount: %v", diff.ObjectReflectDiff(newPod, podWithoutProcMount()))
+						}
+					default:
+						// new pod should not need to be changed
+						if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
+							t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
+						}
+					}
+				})
+			}
+		}
+	}
+}