apis: add validation for HostUsers
This commit just adds a validation according to KEP-127. We check that only the supported volumes for phase 1 of the KEP are accepted. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This commit is contained in:
Rodrigo Campos
@@ -539,6 +539,15 @@ func dropDisabledFields(
|
||||
})
|
||||
}
|
||||
|
||||
// If the feature is disabled and not in use, drop the hostUsers field.
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesStatelessPodsSupport) && !hostUsersInUse(oldPodSpec) {
|
||||
// Drop the field in podSpec only if SecurityContext is not nil.
|
||||
// If it is nil, there is no need to set hostUsers=nil (it will be nil too).
|
||||
if podSpec.SecurityContext != nil {
|
||||
podSpec.SecurityContext.HostUsers = nil
|
||||
}
|
||||
}
|
||||
|
||||
dropDisabledProcMountField(podSpec, oldPodSpec)
|
||||
|
||||
dropDisabledCSIVolumeSourceAlphaFields(podSpec, oldPodSpec)
|
||||
@@ -672,6 +681,15 @@ func nodeTaintsPolicyInUse(podSpec *api.PodSpec) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// hostUsersInUse returns true if the pod spec has spec.hostUsers field set.
|
||||
func hostUsersInUse(podSpec *api.PodSpec) bool {
|
||||
if podSpec != nil && podSpec.SecurityContext != nil && podSpec.SecurityContext.HostUsers != nil {
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set to a non-default value
|
||||
func procMountInUse(podSpec *api.PodSpec) bool {
|
||||
if podSpec == nil {
|
||||
|
||||
@@ -1949,3 +1949,100 @@ func TestDropDisabledMatchLabelKeysField(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestDropHostUsers(t *testing.T) {
|
||||
falseVar := false
|
||||
trueVar := true
|
||||
|
||||
podWithoutHostUsers := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
SecurityContext: &api.PodSecurityContext{}},
|
||||
}
|
||||
}
|
||||
podWithHostUsersFalse := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
SecurityContext: &api.PodSecurityContext{
|
||||
HostUsers: &falseVar,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
podWithHostUsersTrue := func() *api.Pod {
|
||||
return &api.Pod{
|
||||
Spec: api.PodSpec{
|
||||
SecurityContext: &api.PodSecurityContext{
|
||||
HostUsers: &trueVar,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
podInfo := []struct {
|
||||
description string
|
||||
hasHostUsers bool
|
||||
pod func() *api.Pod
|
||||
}{
|
||||
{
|
||||
description: "with hostUsers=true",
|
||||
hasHostUsers: true,
|
||||
pod: podWithHostUsersTrue,
|
||||
},
|
||||
{
|
||||
description: "with hostUsers=false",
|
||||
hasHostUsers: true,
|
||||
pod: podWithHostUsersFalse,
|
||||
},
|
||||
{
|
||||
description: "with hostUsers=nil",
|
||||
pod: func() *api.Pod { return nil },
|
||||
},
|
||||
}
|
||||
|
||||
for _, enabled := range []bool{true, false} {
|
||||
for _, oldPodInfo := range podInfo {
|
||||
for _, newPodInfo := range podInfo {
|
||||
oldPodHasHostUsers, oldPod := oldPodInfo.hasHostUsers, oldPodInfo.pod()
|
||||
newPodHasHostUsers, newPod := newPodInfo.hasHostUsers, newPodInfo.pod()
|
||||
if newPod == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.UserNamespacesStatelessPodsSupport, enabled)()
|
||||
|
||||
DropDisabledPodFields(newPod, oldPod)
|
||||
|
||||
// old pod should never be changed
|
||||
if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
|
||||
t.Errorf("old pod changed: %v", cmp.Diff(oldPod, oldPodInfo.pod()))
|
||||
}
|
||||
|
||||
switch {
|
||||
case enabled || oldPodHasHostUsers:
|
||||
// new pod should not be changed if the feature is enabled, or if the old pod had hostUsers
|
||||
if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("new pod changed: %v", cmp.Diff(newPod, newPodInfo.pod()))
|
||||
}
|
||||
case newPodHasHostUsers:
|
||||
// new pod should be changed
|
||||
if reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("new pod was not changed")
|
||||
}
|
||||
// new pod should not have hostUsers
|
||||
if exp := podWithoutHostUsers(); !reflect.DeepEqual(newPod, exp) {
|
||||
t.Errorf("new pod had hostUsers: %v", cmp.Diff(newPod, exp))
|
||||
}
|
||||
default:
|
||||
// new pod should not need to be changed
|
||||
if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
|
||||
t.Errorf("new pod changed: %v", cmp.Diff(newPod, newPodInfo.pod()))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user