Add support for enforcing read only host paths in PSPs.

Josh Horwitz
2018-05-10 15:54:09 -04:00
parent 86ae84b10e
commit c7fbcf35da
20 changed files with 593 additions and 342 deletions


@@ -175,23 +175,27 @@ func GroupFallsInRange(id int64, rng policy.IDRange) bool {
// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
// This only checks the path. You should still check to make sure the host volume fs type is allowed.
func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) bool {
func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) (pathIsAllowed, mustBeReadOnly bool) {
if psp == nil {
return false
return false, false
}
// If no allowed paths are specified then allow any path
if len(psp.Spec.AllowedHostPaths) == 0 {
return true
return true, false
}
for _, allowedPath := range psp.Spec.AllowedHostPaths {
if hasPathPrefix(hostPath, allowedPath.PathPrefix) {
return true
if !allowedPath.ReadOnly {
return true, allowedPath.ReadOnly
}
pathIsAllowed = true
mustBeReadOnly = true
}
}
return false
return pathIsAllowed, mustBeReadOnly
}
// hasPathPrefix returns true if the string matches pathPrefix exactly, or if is prefixed with pathPrefix at a path segment boundary
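Review bot: The doc comment on AllowsHostVolumePath still describes a single allow/deny answer, but the new signature returns `(pathIsAllowed, mustBeReadOnly bool)`, and the second value carries the enforcement: a caller that discards it would admit a writable mount under a prefix the policy marks read-only. I would extend the comment with something like `// mustBeReadOnly is true only when every matching AllowedHostPaths entry is ReadOnly; one writable match returns (true, false).` so the most-permissive-match-wins rule is stated where callers read it, and note that an empty AllowedHostPaths list returns `(true, false)`, i.e. any path, writable. Inside the loop, `return true, allowedPath.ReadOnly` sits under `if !allowedPath.ReadOnly` and is therefore always `return true, false`; writing the literal makes the branch easier to audit. The callers that have to apply mustBeReadOnly to the pod's volume mounts are not visible in this hunk, so whether every mount of the volume is checked cannot be confirmed from here.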