Merge pull request #14625 from liggitt/scc-volumes

Allow setting volumes:["none"] to disallow all volume types in SCC

api/swagger-spec/openshift-openapi-spec.json

@@ -81054,7 +81054,7 @@
       }
      },
      "volumes": {
-      "description": "Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use '*'.",
+      "description": "Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"].",
       "type": "array",
       "items": {
        "type": "string"

pkg/openapi/zz_generated.openapi.go

@@ -18273,7 +18273,7 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
 						},
 						"volumes": {
 							SchemaProps: spec.SchemaProps{
-								Description: "Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use '*'.",
+								Description: "Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"].",
 								Type:        []string{"array"},
 								Items: &spec.SchemaOrArray{
 									Schema: &spec.Schema{

pkg/security/scc/byrestrictions.go

@@ -67,7 +67,7 @@ func volumePointValue(scc *kapi.SecurityContextConstraints) int {
 		// default case to be non-trivial so we don't have to worry about adding
 		// volumes in the future unless they're trivial.
 		case kapi.FSTypeSecret, kapi.FSTypeConfigMap,
-			kapi.FSTypeEmptyDir, kapi.FSTypeDownwardAPI:
+			kapi.FSTypeEmptyDir, kapi.FSTypeDownwardAPI, kapi.FSTypeNone:
 			// do nothing
 		default:
 			hasNonTrivialVolume = true