From 55a4e343c67c337af85bda9c490ee4c46f8aae97 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 14 Jun 2017 14:25:06 -0400
Subject: [PATCH 1/2] UPSTREAM: : SCC FSType none
---
 vendor/k8s.io/kubernetes/pkg/api/types.go | 4 +++-
 .../k8s.io/kubernetes/pkg/api/v1/defaults.go | 24 ++++++++++++++-----
 .../kubernetes/pkg/api/v1/defaults_test.go | 2 +-
 vendor/k8s.io/kubernetes/pkg/api/v1/types.go | 4 +++-
 .../pkg/api/validation/validation.go | 14 +++++++++++
 .../src/k8s.io/client-go/pkg/api/types.go | 4 +++-
 .../k8s.io/client-go/pkg/api/v1/defaults.go | 24 ++++++++++++++-----
 .../src/k8s.io/client-go/pkg/api/v1/types.go | 4 +++-
 8 files changed, 63 insertions(+), 17 deletions(-)
diff --git a/vendor/k8s.io/kubernetes/pkg/api/types.go b/vendor/k8s.io/kubernetes/pkg/api/types.go
index 806ec70915d1..036ad538bb55 100644
--- a/vendor/k8s.io/kubernetes/pkg/api/types.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/types.go
@@ -3893,7 +3893,8 @@ type SecurityContextConstraints struct {
 // To allow all capabilities you may use '*'.
 AllowedCapabilities []Capability
 // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'.
+ // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
+ // To allow no volumes, set to ["none"].
 Volumes []FSType
 // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
 AllowHostNetwork bool
@@ -3961,6 +3962,7 @@ var (
 FSPortworxVolume FSType = "portworxVolume"
 FSScaleIO FSType = "scaleIO"
 FSTypeAll FSType = "*"
+ FSTypeNone FSType = "none"
 )
 
 // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
diff --git a/vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go b/vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go
index baed0056e538..70e68b9e1b0c 100644
--- a/vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go
@@ -411,13 +411,25 @@ func SetDefaults_SCC(scc *SecurityContextConstraints) {
 scc.SupplementalGroups.Type = SupplementalGroupsStrategyRunAsAny
 }
 
- // defaults the volume slice of the SCC.
- // In order to support old clients the boolean fields will always take precedence.
- defaultAllowedVolumes := fsTypeToStringSet(scc.Volumes)
-
- // assume a nil volume slice is allowing everything for backwards compatibility
- if defaultAllowedVolumes == nil {
+ var defaultAllowedVolumes sets.String
+ switch {
+ case scc.Volumes == nil:
+ // assume a nil volume slice is allowing everything for backwards compatibility
 defaultAllowedVolumes = sets.NewString(string(FSTypeAll))
+
+ case len(scc.Volumes) == 0 && scc.AllowHostDirVolumePlugin:
+ // an empty volume slice means "allow no volumes", but the boolean fields will always take precedence.
+ defaultAllowedVolumes = sets.NewString(string(FSTypeHostPath))
+
+ case len(scc.Volumes) == 0 && !scc.AllowHostDirVolumePlugin:
+ // an empty volume slice means "allow no volumes", but cannot be persisted in protobuf.
+ // convert this to volumes:["none"]
+ defaultAllowedVolumes = sets.NewString(string(FSTypeNone))
+
+ default:
+ // defaults the volume slice of the SCC.
+ // In order to support old clients the boolean fields will always take precedence.
+ defaultAllowedVolumes = fsTypeToStringSet(scc.Volumes)
 }
 
 if scc.AllowHostDirVolumePlugin {
diff --git a/vendor/k8s.io/kubernetes/pkg/api/v1/defaults_test.go b/vendor/k8s.io/kubernetes/pkg/api/v1/defaults_test.go
index cfd461b2bee6..b47f9ae18670 100644
--- a/vendor/k8s.io/kubernetes/pkg/api/v1/defaults_test.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/v1/defaults_test.go
@@ -1047,7 +1047,7 @@ func TestDefaultSCCVolumes(t *testing.T) {
 Volumes: []versioned.FSType{},
 AllowHostDirVolumePlugin: false,
 },
- expectedVolumes: []versioned.FSType{},
+ expectedVolumes: []versioned.FSType{versioned.FSTypeNone},
 expectedHostDir: false,
 },
 }
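Review bot: In SetDefaults_SCC's new `default:` branch (vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go), an explicit `volumes: ["none"]` goes straight through `fsTypeToStringSet`, so an SCC that also sets `allowHostDirVolumePlugin: true` reaches the `if scc.AllowHostDirVolumePlugin {` block after the switch with "none" still in the set. That block's body is outside the hunk, but if it adds hostPath, as the "boolean fields will always take precedence" comments suggest, the defaulted object holds both values and the new check in ValidateSecurityContextConstraints rejects it with an error about a combination the author never wrote. Consider dropping the sentinel when the boolean is set, e.g. `if scc.AllowHostDirVolumePlugin { defaultAllowedVolumes.Delete(string(FSTypeNone)) }` right after the switch, and pinning that combination in TestDefaultSCCVolumes. The same applies to the identical hunk in the staging copy, client-go/pkg/api/v1/defaults.go.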
diff --git a/vendor/k8s.io/kubernetes/pkg/api/v1/types.go b/vendor/k8s.io/kubernetes/pkg/api/v1/types.go
index 486b1d649980..2d780a09cebc 100644
--- a/vendor/k8s.io/kubernetes/pkg/api/v1/types.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/v1/types.go
@@ -4460,7 +4460,8 @@ type SecurityContextConstraints struct {
 // +k8s:conversion-gen=false
 AllowHostDirVolumePlugin bool `json:"allowHostDirVolumePlugin" protobuf:"varint,7,opt,name=allowHostDirVolumePlugin"`
 // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'.
+ // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
+ // To allow no volumes, set to ["none"].
 Volumes []FSType `json:"volumes" protobuf:"bytes,8,rep,name=volumes,casttype=FSType"`
 // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
 AllowHostNetwork bool `json:"allowHostNetwork" protobuf:"varint,9,opt,name=allowHostNetwork"`
@@ -4522,6 +4523,7 @@ var (
 FSTypeFC FSType = "fc"
 FSTypeConfigMap FSType = "configMap"
 FSTypeAll FSType = "*"
+ FSTypeNone FSType = "none"
 )
 
 // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
diff --git a/vendor/k8s.io/kubernetes/pkg/api/validation/validation.go b/vendor/k8s.io/kubernetes/pkg/api/validation/validation.go
index a9d4dc414442..92cf2b582f32 100644
--- a/vendor/k8s.io/kubernetes/pkg/api/validation/validation.go
+++ b/vendor/k8s.io/kubernetes/pkg/api/validation/validation.go
@@ -3976,6 +3976,20 @@ func ValidateSecurityContextConstraints(scc *api.SecurityContextConstraints) fie
 "required capabilities must be empty when all capabilities are allowed by a wildcard"))
 }
 
+ if len(scc.Volumes) > 1 {
+ hasNone := false
+ for _, fsType := range scc.Volumes {
+ if fsType == api.FSTypeNone {
+ hasNone = true
+ break
+ }
+ }
+ if hasNone {
+ allErrs = append(allErrs, field.Invalid(field.NewPath("volumes"), scc.Volumes,
+ "if 'none' is specified, no other values are allowed"))
+ }
+ }
+
 return allErrs
 }
 
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/types.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/types.go
index 6df277f578d0..2f54aaed62a1 100644
--- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/types.go
+++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/types.go
@@ -3883,7 +3883,8 @@ type SecurityContextConstraints struct {
 // To allow all capabilities you may use '*'.
 AllowedCapabilities []Capability
 // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'.
+ // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
+ // To allow no volumes, set to ["none"].
 Volumes []FSType
 // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
 AllowHostNetwork bool
@@ -3951,6 +3952,7 @@ var (
 FSPortworxVolume FSType = "portworxVolume"
 FSScaleIO FSType = "scaleIO"
 FSTypeAll FSType = "*"
+ FSTypeNone FSType = "none"
 )
 
 // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/defaults.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/defaults.go
index 8a55d5945f1d..fca4ba417a48 100644
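Review bot: The new 'none' exclusivity rule in ValidateSecurityContextConstraints has no test in this patch: the diffstat lists defaults_test.go as the only test file touched, so nothing pins that `["none", "secret"]` is rejected while `["none"]` alone passes. This check is what keeps a policy from mixing the deny-all sentinel with real volume types, so a table case for each outcome is worth adding wherever this function's tests live. A short comment above the block, e.g. `// "none" is a sentinel for an empty allow-list and must be the only entry`, would also explain why the scan only runs when `len(scc.Volumes) > 1`. The function begins outside the hunk.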
--- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/defaults.go
+++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/defaults.go
@@ -411,13 +411,25 @@ func SetDefaults_SCC(scc *SecurityContextConstraints) {
 scc.SupplementalGroups.Type = SupplementalGroupsStrategyRunAsAny
 }
 
- // defaults the volume slice of the SCC.
- // In order to support old clients the boolean fields will always take precedence.
- defaultAllowedVolumes := fsTypeToStringSet(scc.Volumes)
-
- // assume a nil volume slice is allowing everything for backwards compatibility
- if defaultAllowedVolumes == nil {
+ var defaultAllowedVolumes sets.String
+ switch {
+ case scc.Volumes == nil:
+ // assume a nil volume slice is allowing everything for backwards compatibility
 defaultAllowedVolumes = sets.NewString(string(FSTypeAll))
+
+ case len(scc.Volumes) == 0 && scc.AllowHostDirVolumePlugin:
+ // an empty volume slice means "allow no volumes", but the boolean fields will always take precedence.
+ defaultAllowedVolumes = sets.NewString(string(FSTypeHostPath))
+
+ case len(scc.Volumes) == 0 && !scc.AllowHostDirVolumePlugin:
+ // an empty volume slice means "allow no volumes", but cannot be persisted in protobuf.
+ // convert this to volumes:["none"]
+ defaultAllowedVolumes = sets.NewString(string(FSTypeNone))
+
+ default:
+ // defaults the volume slice of the SCC.
+ // In order to support old clients the boolean fields will always take precedence.
+ defaultAllowedVolumes = fsTypeToStringSet(scc.Volumes)
 }
 
 if scc.AllowHostDirVolumePlugin {
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/types.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/types.go
index 5d58341ff836..1ff0eea9683c 100644
--- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/types.go
+++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/types.go
@@ -4451,7 +4451,8 @@ type SecurityContextConstraints struct {
 // +k8s:conversion-gen=false
 AllowHostDirVolumePlugin bool `json:"allowHostDirVolumePlugin" protobuf:"varint,7,opt,name=allowHostDirVolumePlugin"`
 // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'.
+ // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
+ // To allow no volumes, set to ["none"].
 Volumes []FSType `json:"volumes" protobuf:"bytes,8,rep,name=volumes,casttype=FSType"`
 // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
 AllowHostNetwork bool `json:"allowHostNetwork" protobuf:"varint,9,opt,name=allowHostNetwork"`
@@ -4513,6 +4514,7 @@ var (
 FSTypeFC FSType = "fc"
 FSTypeConfigMap FSType = "configMap"
 FSTypeAll FSType = "*"
+ FSTypeNone FSType = "none"
 )
 
 // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
From 2136bfcc80c36e5e9708f8eb06b86c44122d23e8 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 14 Jun 2017 14:25:35 -0400
Subject: [PATCH 2/2] Update openapi, scc sorting
---
 api/swagger-spec/openshift-openapi-spec.json | 2 +-
 pkg/openapi/zz_generated.openapi.go | 2 +-
 pkg/security/scc/byrestrictions.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/api/swagger-spec/openshift-openapi-spec.json b/api/swagger-spec/openshift-openapi-spec.json
index c8ad2c760900..cf671b6516d8 100644
--- a/api/swagger-spec/openshift-openapi-spec.json
+++ b/api/swagger-spec/openshift-openapi-spec.json
@@ -81054,7 +81054,7 @@ } }, "volumes": { - "description": "Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'.", + "description": "Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"].", "type": "array", "items": { "type": "string" diff --git a/pkg/openapi/zz_generated.openapi.go b/pkg/openapi/zz_generated.openapi.go index 91ee2a951eea..ede2b9e95758 100644 --- a/pkg/openapi/zz_generated.openapi.go +++ b/pkg/openapi/zz_generated.openapi.go @@ -18273,7 +18273,7 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope }, "volumes": { SchemaProps: spec.SchemaProps{ - Description: "Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'.", + Description: "Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"].", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ diff --git a/pkg/security/scc/byrestrictions.go b/pkg/security/scc/byrestrictions.go index 34dd4b092cf0..18bab9b235ba 100644 --- a/pkg/security/scc/byrestrictions.go +++ b/pkg/security/scc/byrestrictions.go 
@@ -67,7 +67,7 @@ func volumePointValue(scc *kapi.SecurityContextConstraints) int {
 // default case to be non-trivial so we don't have to worry about adding
 // volumes in the future unless they're trivial.
 case kapi.FSTypeSecret, kapi.FSTypeConfigMap,
- kapi.FSTypeEmptyDir, kapi.FSTypeDownwardAPI:
+ kapi.FSTypeEmptyDir, kapi.FSTypeDownwardAPI, kapi.FSTypeNone:
 // do nothing
 default:
 hasNonTrivialVolume = true
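Review bot: `kapi.FSTypeNone` joins the case that the comment above describes as the list of trivial volumes, but it is not a volume type; it is the sentinel for an empty allow-list, and the comment does not say so. As written, an SCC with `volumes: ["none"]` takes the same do-nothing path as one allowing secret, configMap, emptyDir or downwardAPI. The rest of volumePointValue is outside the hunk, but if the score comes from flags like `hasNonTrivialVolume`, the two rank equally when SCCs are ordered by restrictiveness. If that tie is intended, record it next to the case, e.g. `// FSTypeNone allows no volumes at all, so it never raises the score`.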