Add seccomp enforcement and validation based on new GA fields

Adds seccomp validation.

This ensures that field and annotation values must match when present.

Co-authored-by: Sascha Grunert <sgrunert@suse.com>

pkg/apis/core/pods/helpers.go

@@ -34,23 +34,23 @@ type ContainerVisitorWithPath func(container *api.Container, path *field.Path) b
 // of every container in the given pod spec and the field.Path to that container.
 // If visitor returns false, visiting is short-circuited. VisitContainersWithPath returns true if visiting completes,
 // false if visiting was short-circuited.
-func VisitContainersWithPath(podSpec *api.PodSpec, visitor ContainerVisitorWithPath) bool {
-	path := field.NewPath("spec", "initContainers")
+func VisitContainersWithPath(podSpec *api.PodSpec, specPath *field.Path, visitor ContainerVisitorWithPath) bool {
+	fldPath := specPath.Child("initContainers")
 	for i := range podSpec.InitContainers {
-		if !visitor(&podSpec.InitContainers[i], path.Index(i)) {
+		if !visitor(&podSpec.InitContainers[i], fldPath.Index(i)) {
 			return false
 		}
 	}
-	path = field.NewPath("spec", "containers")
+	fldPath = specPath.Child("containers")
 	for i := range podSpec.Containers {
-		if !visitor(&podSpec.Containers[i], path.Index(i)) {
+		if !visitor(&podSpec.Containers[i], fldPath.Index(i)) {
 			return false
 		}
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.EphemeralContainers) {
-		path = field.NewPath("spec", "ephemeralContainers")
+		fldPath = specPath.Child("ephemeralContainers")
 		for i := range podSpec.EphemeralContainers {
-			if !visitor((*api.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon), path.Index(i)) {
+			if !visitor((*api.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon), fldPath.Index(i)) {
 				return false
 			}
 		}

pkg/apis/core/pods/helpers_test.go

@@ -32,16 +32,19 @@ func TestVisitContainersWithPath(t *testing.T) {
 
 	testCases := []struct {
 		description string
+		path        *field.Path
 		haveSpec    *api.PodSpec
 		wantNames   []string
 	}{
 		{
 			"empty podspec",
+			field.NewPath("spec"),
 			&api.PodSpec{},
 			[]string{},
 		},
 		{
 			"regular containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -52,6 +55,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"init containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				InitContainers: []api.Container{
 					{Name: "i1"},
@@ -62,6 +66,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"regular and init containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -76,6 +81,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"ephemeral containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -89,6 +95,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"all container types",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -105,11 +112,30 @@ func TestVisitContainersWithPath(t *testing.T) {
 			},
 			[]string{"spec.initContainers[0]", "spec.initContainers[1]", "spec.containers[0]", "spec.containers[1]", "spec.ephemeralContainers[0]", "spec.ephemeralContainers[1]"},
 		},
+		{
+			"all container types with template pod path",
+			field.NewPath("template", "spec"),
+			&api.PodSpec{
+				Containers: []api.Container{
+					{Name: "c1"},
+					{Name: "c2"},
+				},
+				InitContainers: []api.Container{
+					{Name: "i1"},
+					{Name: "i2"},
+				},
+				EphemeralContainers: []api.EphemeralContainer{
+					{EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e1"}},
+					{EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e2"}},
+				},
+			},
+			[]string{"template.spec.initContainers[0]", "template.spec.initContainers[1]", "template.spec.containers[0]", "template.spec.containers[1]", "template.spec.ephemeralContainers[0]", "template.spec.ephemeralContainers[1]"},
+		},
 	}
 
 	for _, tc := range testCases {
 		gotNames := []string{}
-		VisitContainersWithPath(tc.haveSpec, func(c *api.Container, p *field.Path) bool {
+		VisitContainersWithPath(tc.haveSpec, tc.path, func(c *api.Container, p *field.Path) bool {
 			gotNames = append(gotNames, p.String())
 			return true
 		})