Add "MayRunAs" value among other GroupStrategies

Adds "MayRunAs" value among other group strategies. This strategy allows to define a certain range of GIDs for FSGroupStrategy and SupplementalGroupStrategy in a PSP. This new strategy works similarly to the "MustRunAs" one, except that when no GID is specified in a pod/container security context then no GID is generated for the respective containers. Resolves #56173
2018-06-15 12:49:19 +02:00
parent e3dbad3211
commit a577b50012
11 changed files with 389 additions and 40 deletions
--- a/pkg/security/podsecuritypolicy/group/mustrunas.go
+++ b/pkg/security/podsecuritypolicy/group/mustrunas.go
@@ -22,7 +22,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/policy"
-	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 )

 // mustRunAs implements the GroupStrategy interface
@@ -66,21 +65,7 @@ func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, groups []int64) fi
 		allErrs = append(allErrs, field.Invalid(fldPath, groups, "unable to validate empty groups against required ranges"))
 	}

-	for _, group := range groups {
-		if !s.isGroupValid(group) {
-			detail := fmt.Sprintf("group %d must be in the ranges: %v", group, s.ranges)
-			allErrs = append(allErrs, field.Invalid(fldPath, groups, detail))
-		}
-	}
+	allErrs = append(allErrs, ValidateGroupsInRanges(fldPath, s.ranges, groups)...)

 	return allErrs
 }
-
-func (s *mustRunAs) isGroupValid(group int64) bool {
-	for _, rng := range s.ranges {
-		if psputil.GroupFallsInRange(group, rng) {
-			return true
-		}
-	}
-	return false
-}