Use dedicated Unix User and Group ID types
@@ -19,6 +19,7 @@ go_library(
|
||||
deps = [
|
||||
"//pkg/api:go_default_library",
|
||||
"//pkg/api/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
@@ -27,7 +28,10 @@ go_test(
|
||||
srcs = ["util_test.go"],
|
||||
library = ":go_default_library",
|
||||
tags = ["automanaged"],
|
||||
deps = ["//pkg/api/v1:go_default_library"],
|
||||
deps = [
|
||||
"//pkg/api/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
|
@@ -20,6 +20,7 @@ import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
)
|
||||
@@ -119,7 +120,7 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
|
||||
}
|
||||
|
||||
if containerSc.RunAsUser != nil {
|
||||
effectiveSc.RunAsUser = new(int64)
|
||||
effectiveSc.RunAsUser = new(types.UnixUserID)
|
||||
*effectiveSc.RunAsUser = *containerSc.RunAsUser
|
||||
}
|
||||
|
||||
@@ -148,7 +149,7 @@ func securityContextFromPodSecurityContext(pod *v1.Pod) *v1.SecurityContext {
|
||||
*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
|
||||
}
|
||||
if pod.Spec.SecurityContext.RunAsUser != nil {
|
||||
synthesized.RunAsUser = new(int64)
|
||||
synthesized.RunAsUser = new(types.UnixUserID)
|
||||
*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
|
||||
}
|
||||
|
||||
@@ -191,7 +192,7 @@ func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Cont
|
||||
}
|
||||
|
||||
if containerSc.RunAsUser != nil {
|
||||
effectiveSc.RunAsUser = new(int64)
|
||||
effectiveSc.RunAsUser = new(types.UnixUserID)
|
||||
*effectiveSc.RunAsUser = *containerSc.RunAsUser
|
||||
}
|
||||
|
||||
@@ -220,7 +221,7 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
|
||||
*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
|
||||
}
|
||||
if pod.Spec.SecurityContext.RunAsUser != nil {
|
||||
synthesized.RunAsUser = new(int64)
|
||||
synthesized.RunAsUser = new(types.UnixUserID)
|
||||
*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
|
||||
}
|
||||
|
||||
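Review bot: Switching `RunAsUser` to `types.UnixUserID` at the four copy sites (DetermineEffectiveSecurityContext, securityContextFromPodSecurityContext and their two internal counterparts) renames the type but adds no range check, so a negative or out-of-range UID is still copied into the effective security context unchanged. The type is presumably still an int64 underneath, as the replaced `new(int64)` suggests. If the value is validated elsewhere, record that at the first site with a comment such as `// RunAsUser is copied as-is; its range is expected to be checked when the pod spec is validated.` The allocate-then-assign pair could also become `uid := *containerSc.RunAsUser` followed by `effectiveSc.RunAsUser = &uid`, which keeps the type name out of every copy site. All four function bodies start and end outside the hunks shown.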
|
@@ -19,6 +19,7 @@ package securitycontext
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
)
|
||||
|
||||
@@ -84,13 +85,13 @@ func compareContexts(name string, ex, ac *v1.SELinuxOptions, t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func containerWithUser(ptr *int64) *v1.Container {
|
||||
func containerWithUser(ptr *types.UnixUserID) *v1.Container {
|
||||
return &v1.Container{SecurityContext: &v1.SecurityContext{RunAsUser: ptr}}
|
||||
}
|
||||
|
||||
func TestHaRootUID(t *testing.T) {
|
||||
var nonRoot int64 = 1
|
||||
var root int64 = 0
|
||||
nonRoot := types.UnixUserID(1)
|
||||
root := types.UnixUserID(0)
|
||||
|
||||
tests := map[string]struct {
|
||||
container *v1.Container
|
||||
@@ -120,7 +121,7 @@ func TestHaRootUID(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestHasRunAsUser(t *testing.T) {
|
||||
var runAsUser int64 = 0
|
||||
runAsUser := types.UnixUserID(0)
|
||||
|
||||
tests := map[string]struct {
|
||||
container *v1.Container
|
||||
@@ -147,8 +148,8 @@ func TestHasRunAsUser(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestHasRootRunAsUser(t *testing.T) {
|
||||
var nonRoot int64 = 1
|
||||
var root int64 = 0
|
||||
nonRoot := types.UnixUserID(1)
|
||||
root := types.UnixUserID(0)
|
||||
|
||||
tests := map[string]struct {
|
||||
container *v1.Container
|
||||
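Review bot: The test name `TestHaRootUID` looks like a typo for `TestHasRootUID`, and since this commit already edits its fixtures it would be a good moment to rename it to match the sibling `TestHasRunAsUser` and `TestHasRootRunAsUser`. The fixtures declared in the visible lines are only `types.UnixUserID(0)` and `types.UnixUserID(1)`. The test tables continue outside the hunks, so whether other values are exercised cannot be told from here.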
|