api changes for psp runasgroup policy

pkg/securitycontext/accessors.go

@@ -29,6 +29,7 @@ type PodSecurityContextAccessor interface {
 	HostIPC() bool
 	SELinuxOptions() *api.SELinuxOptions
 	RunAsUser() *int64
+	RunAsGroup() *int64
 	RunAsNonRoot() *bool
 	SupplementalGroups() []int64
 	FSGroup() *int64
@@ -43,6 +44,7 @@ type PodSecurityContextMutator interface {
 	SetHostIPC(bool)
 	SetSELinuxOptions(*api.SELinuxOptions)
 	SetRunAsUser(*int64)
+	SetRunAsGroup(*int64)
 	SetRunAsNonRoot(*bool)
 	SetSupplementalGroups([]int64)
 	SetFSGroup(*int64)
@@ -142,6 +144,20 @@ func (w *podSecurityContextWrapper) SetRunAsUser(v *int64) {
 	w.ensurePodSC()
 	w.podSC.RunAsUser = v
 }
+func (w *podSecurityContextWrapper) RunAsGroup() *int64 {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.RunAsGroup
+}
+func (w *podSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if w.podSC == nil && v == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.RunAsGroup = v
+}
+
 func (w *podSecurityContextWrapper) RunAsNonRoot() *bool {
 	if w.podSC == nil {
 		return nil
@@ -191,6 +207,7 @@ type ContainerSecurityContextAccessor interface {
 	ProcMount() api.ProcMountType
 	SELinuxOptions() *api.SELinuxOptions
 	RunAsUser() *int64
+	RunAsGroup() *int64
 	RunAsNonRoot() *bool
 	ReadOnlyRootFilesystem() *bool
 	AllowPrivilegeEscalation() *bool
@@ -205,6 +222,7 @@ type ContainerSecurityContextMutator interface {
 	SetPrivileged(*bool)
 	SetSELinuxOptions(*api.SELinuxOptions)
 	SetRunAsUser(*int64)
+	SetRunAsGroup(*int64)
 	SetRunAsNonRoot(*bool)
 	SetReadOnlyRootFilesystem(*bool)
 	SetAllowPrivilegeEscalation(*bool)
@@ -293,6 +311,20 @@ func (w *containerSecurityContextWrapper) SetRunAsUser(v *int64) {
 	w.ensureContainerSC()
 	w.containerSC.RunAsUser = v
 }
+func (w *containerSecurityContextWrapper) RunAsGroup() *int64 {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.RunAsGroup
+}
+func (w *containerSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.RunAsGroup = v
+}
+
 func (w *containerSecurityContextWrapper) RunAsNonRoot() *bool {
 	if w.containerSC == nil {
 		return nil
@@ -391,6 +423,18 @@ func (w *effectiveContainerSecurityContextWrapper) SetRunAsUser(v *int64) {
 		w.containerSC.SetRunAsUser(v)
 	}
 }
+func (w *effectiveContainerSecurityContextWrapper) RunAsGroup() *int64 {
+	if v := w.containerSC.RunAsGroup(); v != nil {
+		return v
+	}
+	return w.podSC.RunAsGroup()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if !reflect.DeepEqual(w.RunAsGroup(), v) {
+		w.containerSC.SetRunAsGroup(v)
+	}
+}
+
 func (w *effectiveContainerSecurityContextWrapper) RunAsNonRoot() *bool {
 	if v := w.containerSC.RunAsNonRoot(); v != nil {
 		return v

pkg/securitycontext/accessors_test.go

@@ -27,6 +27,7 @@ import (
 func TestPodSecurityContextAccessor(t *testing.T) {
 	fsGroup := int64(2)
 	runAsUser := int64(1)
+	runAsGroup := int64(1)
 	runAsNonRoot := true
 
 	testcases := []*api.PodSecurityContext{
@@ -38,6 +39,7 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 		{HostPID: true},
 		{RunAsNonRoot: &runAsNonRoot},
 		{RunAsUser: &runAsUser},
+		{RunAsGroup: &runAsGroup},
 		{SELinuxOptions: &api.SELinuxOptions{User: "bob"}},
 		{SupplementalGroups: []int64{1, 2, 3}},
 	}
@@ -68,6 +70,9 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 		if v := a.RunAsUser(); !reflect.DeepEqual(expected.RunAsUser, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsUser, v)
 		}
+		if v := a.RunAsGroup(); !reflect.DeepEqual(expected.RunAsGroup, v) {
+			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsGroup, v)
+		}
 		if v := a.SELinuxOptions(); !reflect.DeepEqual(expected.SELinuxOptions, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.SELinuxOptions, v)
 		}
@@ -95,6 +100,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
 					HostPID:            true,
 					SELinuxOptions:     &api.SELinuxOptions{},
 					RunAsUser:          nil,
+					RunAsGroup:         nil,
 					RunAsNonRoot:       nil,
 					SupplementalGroups: nil,
 					FSGroup:            nil,
@@ -123,6 +129,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
 			m.SetHostPID(m.HostPID())
 			m.SetRunAsNonRoot(m.RunAsNonRoot())
 			m.SetRunAsUser(m.RunAsUser())
+			m.SetRunAsGroup(m.RunAsGroup())
 			m.SetSELinuxOptions(m.SELinuxOptions())
 			m.SetSupplementalGroups(m.SupplementalGroups())
 			if !reflect.DeepEqual(sc, originalSC) {
@@ -208,6 +215,19 @@ func TestPodSecurityContextMutator(t *testing.T) {
 			}
 		}
 
+		// RunAsGroup
+		{
+			modifiedSC := nonNilSC(tc.newSC())
+			m := NewPodSecurityContextMutator(tc.newSC())
+			i := int64(1123)
+			modifiedSC.RunAsGroup = &i
+			m.SetRunAsGroup(&i)
+			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
+				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
+				continue
+			}
+		}
+
 		// SELinuxOptions
 		{
 			modifiedSC := nonNilSC(tc.newSC())
@@ -429,6 +449,8 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 	privileged := true
 	runAsUser := int64(1)
 	runAsUserPod := int64(12)
+	runAsGroup := int64(1)
+	runAsGroupPod := int64(12)
 	runAsNonRoot := true
 	runAsNonRootPod := false
 	readOnlyRootFilesystem := true
@@ -500,6 +522,26 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 				SELinuxOptions:           &api.SELinuxOptions{User: "bob"},
 			},
 		},
+		{
+			PodSC: &api.PodSecurityContext{
+				RunAsGroup: &runAsGroup,
+			},
+			SC: nil,
+			Effective: &api.SecurityContext{
+				RunAsGroup: &runAsGroup,
+			},
+		},
+		{
+			PodSC: &api.PodSecurityContext{
+				RunAsGroup: &runAsGroupPod,
+			},
+			SC: &api.SecurityContext{
+				RunAsGroup: &runAsGroup,
+			},
+			Effective: &api.SecurityContext{
+				RunAsGroup: &runAsGroup,
+			},
+		},
 	}
 
 	for i, tc := range testcases {