Add seccomp enforcement and validation based on new GA fields

Adds seccomp validation.

This ensures that, when both are present, the seccomp field and annotation values must match.

Co-authored-by: Sascha Grunert <sgrunert@suse.com>
This commit is contained in:
Paulo Gomes
2020-06-24 21:37:49 +01:00
parent 865cbf0bdf
commit 8976e3620f
93 changed files with 17247 additions and 15078 deletions


@@ -239,7 +239,7 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod) field.ErrorList {
allErrs = append(allErrs, validateRuntimeClassName(pod.Spec.RuntimeClassName, s.psp.Spec.RuntimeClass.AllowedRuntimeClassNames)...)
}
pods.VisitContainersWithPath(&pod.Spec, func(c *api.Container, p *field.Path) bool {
pods.VisitContainersWithPath(&pod.Spec, field.NewPath("spec"), func(c *api.Container, p *field.Path) bool {
allErrs = append(allErrs, s.validateContainer(pod, c, p)...)
return true
})
@@ -276,7 +276,7 @@ func (s *simpleProvider) validatePodVolumes(pod *api.Pod) field.ErrorList {
fmt.Sprintf("is not allowed to be used")))
} else if mustBeReadOnly {
// Ensure all the VolumeMounts that use this volume are read-only
pods.VisitContainersWithPath(&pod.Spec, func(c *api.Container, p *field.Path) bool {
pods.VisitContainersWithPath(&pod.Spec, field.NewPath("spec"), func(c *api.Container, p *field.Path) bool {
for i, cv := range c.VolumeMounts {
if cv.Name == v.Name && !cv.ReadOnly {
allErrs = append(allErrs, field.Invalid(p.Child("volumeMounts").Index(i).Child("readOnly"), cv.ReadOnly, "must be read-only"))
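Review bot: The root path literal `field.NewPath("spec")` is now spelled out at both visitor call sites (in ValidatePod and in the read-only mount check of validatePodVolumes), so the two sets of error paths can silently drift if one is edited later; hoisting it to one package-level value, `var podSpecPath = field.NewPath("spec")`, and passing `pods.VisitContainersWithPath(&pod.Spec, podSpecPath, ...)` at both sites keeps `spec.containers[i].volumeMounts[j].readOnly` consistent everywhere the provider reports a path. The read-only enforcement only reaches the containers that VisitContainersWithPath actually iterates; if that helper skips ephemeral containers, a mount of a must-be-read-only volume from an ephemeral container would bypass this check, which is worth confirming against the helper rather than assuming here. Both validatePodVolumes and ValidatePod begin before their hunks, and validatePodVolumes continues past the last line shown.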