github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

PodSecurityPolicy: Do not mutate nil privileged field to false

Browse Source
This commit is contained in:
Jordan Liggitt
2017-10-05 15:55:53 -04:00
parent 77b83e446b
commit b45b809f4c
2 changed files with 31 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/security/podsecuritypolicy/provider.go
View File

@@ -157,11 +157,6 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
return nil, nil, err
}
if sc.Privileged == nil {
priv := false
sc.Privileged = &priv
}
// if we're using the non-root strategy set the marker that this container should not be
// run as root which will signal to the kubelet to do a final check either on the runAsUser
// or, if runAsUser is not set, the image UID will be checked.
@@ -284,7 +279,7 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
allErrs = append(allErrs, s.strategies.AppArmorStrategy.Validate(pod, container)...)
allErrs = append(allErrs, s.strategies.SeccompStrategy.ValidateContainer(pod, container)...)
if !s.psp.Spec.Privileged && *sc.Privileged {
if !s.psp.Spec.Privileged && sc.Privileged != nil && *sc.Privileged {
allErrs = append(allErrs, field.Invalid(fldPath.Child("privileged"), *sc.Privileged, "Privileged containers are not allowed"))
}