本文整理汇总了Golang中github.com/openshift/origin/pkg/security/scc.NewDefaultSCCMatcher函数的典型用法代码示例。如果您正苦于以下问题:Golang NewDefaultSCCMatcher函数的具体用法?Golang NewDefaultSCCMatcher怎么用?Golang NewDefaultSCCMatcher使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了NewDefaultSCCMatcher函数的9个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: TestMatchingSecurityContextConstraints
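// TestMatchingSecurityContextConstraints checks that the default SCC matcher
// returns exactly the SCCs whose Users or Groups lists cover the requesting
// user: no match, a match by user name, a match by group, and both at once.
func TestMatchingSecurityContextConstraints(t *testing.T) {
	sccs := []*kapi.SecurityContextConstraints{
		{
			ObjectMeta: kapi.ObjectMeta{
				Name: "match group",
			},
			Groups: []string{"group"},
		},
		{
			ObjectMeta: kapi.ObjectMeta{
				Name: "match user",
			},
			Users: []string{"user"},
		},
	}
	// Named lister rather than cache so the variable does not shadow the
	// cache package that builds the indexer.
	lister := &oscache.IndexerToSecurityContextConstraintsLister{
		Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc,
			cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}),
	}
	for _, scc := range sccs {
		// a failed Add would silently turn every case below into "find none"
		if err := lister.Add(scc); err != nil {
			t.Fatalf("error adding scc %q to store: %v", scc.Name, err)
		}
	}

	// single match cases
	testCases := map[string]struct {
		userInfo    user.Info
		expectedSCC string // "" means no SCC may match at all
	}{
		"find none": {
			userInfo: &user.DefaultInfo{
				Name:   "foo",
				Groups: []string{"bar"},
			},
		},
		"find user": {
			userInfo: &user.DefaultInfo{
				Name:   "user",
				Groups: []string{"bar"},
			},
			expectedSCC: "match user",
		},
		"find group": {
			userInfo: &user.DefaultInfo{
				Name:   "foo",
				Groups: []string{"group"},
			},
			expectedSCC: "match group",
		},
	}
	for k, v := range testCases {
		sccMatcher := oscc.NewDefaultSCCMatcher(lister)
		matched, err := sccMatcher.FindApplicableSCCs(v.userInfo)
		if err != nil {
			t.Errorf("%s received error %v", k, err)
			continue
		}
		if v.expectedSCC == "" {
			if len(matched) > 0 {
				t.Errorf("%s expected to match 0 sccs but found %d: %#v", k, len(matched), matched)
			}
			continue
		}
		// exactly one SCC must match; zero matches is as much a failure as several
		if len(matched) != 1 {
			t.Errorf("%s expected to match exactly one scc but found %d, use case can not validate: %#v", k, len(matched), matched)
			continue
		}
		if v.expectedSCC != matched[0].Name {
			t.Errorf("%s expected to match %s but found %s", k, v.expectedSCC, matched[0].Name)
		}
	}

	// check that we can match many at once
	userInfo := &user.DefaultInfo{
		Name:   "user",
		Groups: []string{"group"},
	}
	sccMatcher := oscc.NewDefaultSCCMatcher(lister)
	matched, err := sccMatcher.FindApplicableSCCs(userInfo)
	if err != nil {
		t.Fatalf("matching many sccs returned error %v", err)
	}
	if len(matched) != 2 {
		t.Errorf("matching many sccs expected to match 2 sccs but found %d: %#v", len(matched), matched)
	}
}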
示例2: GetRestStorage
func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
kubeletClient, err := kubeletclient.NewStaticKubeletClient(c.KubeletClientConfig)
if err != nil {
glog.Fatalf("Unable to configure Kubelet client: %v", err)
}
// TODO: allow the system CAs and the local CAs to be joined together.
importTransport, err := restclient.TransportFor(&restclient.Config{})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
insecureImportTransport, err := restclient.TransportFor(&restclient.Config{Insecure: true})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
buildStorage, buildDetailsStorage, err := buildetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
buildRegistry := buildregistry.NewRegistry(buildStorage)
buildConfigStorage, err := buildconfigetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
buildConfigRegistry := buildconfigregistry.NewRegistry(buildConfigStorage)
deployConfigStorage, deployConfigStatusStorage, deployConfigScaleStorage, err := deployconfigetcd.NewREST(c.RESTOptionsGetter)
dcInstantiateOriginClient, dcInstantiateKubeClient := c.DeploymentConfigInstantiateClients()
dcInstantiateStorage := deployconfiginstantiate.NewREST(
*deployConfigStorage.Store,
dcInstantiateOriginClient,
dcInstantiateKubeClient,
c.ExternalVersionCodec,
c.AdmissionControl,
)
checkStorageErr(err)
deployConfigRegistry := deployconfigregistry.NewRegistry(deployConfigStorage)
routeAllocator := c.RouteAllocator()
routeStorage, routeStatusStorage, err := routeetcd.NewREST(c.RESTOptionsGetter, routeAllocator)
checkStorageErr(err)
hostSubnetStorage, err := hostsubnetetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
netNamespaceStorage, err := netnamespaceetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
clusterNetworkStorage, err := clusternetworketcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
egressNetworkPolicyStorage, err := egressnetworkpolicyetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
userStorage, err := useretcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage, err := identityetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
identityRegistry := identityregistry.NewRegistry(identityStorage)
userIdentityMappingStorage := useridentitymapping.NewREST(userRegistry, identityRegistry)
groupStorage, err := groupetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
policyStorage, err := policyetcd.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage, err := policybindingetcd.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage, err := clusterpolicystorage.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage, err := clusterpolicybindingstorage.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
selfSubjectRulesReviewStorage := selfsubjectrulesreview.NewREST(c.RuleResolver, c.Informers.ClusterPolicies().Lister().ClusterPolicies())
subjectRulesReviewStorage := subjectrulesreview.NewREST(c.RuleResolver, c.Informers.ClusterPolicies().Lister().ClusterPolicies())
roleStorage := rolestorage.NewVirtualStorage(policyRegistry, c.RuleResolver)
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, c.RuleResolver)
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
subjectAccessReviewStorage := subjectaccessreview.NewREST(c.Authorizer)
subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
localSubjectAccessReviewStorage := localsubjectaccessreview.NewREST(subjectAccessReviewRegistry)
resourceAccessReviewStorage := resourceaccessreview.NewREST(c.Authorizer)
resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
podSecurityPolicyReviewStorage := podsecuritypolicyreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
podSecurityPolicySubjectStorage := podsecuritypolicysubjectreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
podSecurityPolicySelfSubjectReviewStorage := podsecuritypolicyselfsubjectreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
imageStorage, err := imageetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
imageRegistry := image.NewRegistry(imageStorage)
imageSignatureStorage := imagesignature.NewREST(c.PrivilegedLoopbackOpenShiftClient.Images())
imageStreamSecretsStorage := imagesecret.NewREST(c.ImageStreamSecretClient())
//.........这里部分代码省略.........
示例3: TestAllowed
func TestAllowed(t *testing.T) {
testcases := map[string]struct {
sccs []*kapi.SecurityContextConstraints
// patch function modify nominal PodSecurityPolicySubjectReview request
patch func(p *securityapi.PodSecurityPolicySubjectReview)
check func(p *securityapi.PodSecurityPolicySubjectReview) (bool, string)
}{
"nominal case": {
sccs: []*kapi.SecurityContextConstraints{
admissionttesting.UserScc("bar"),
admissionttesting.UserScc("foo"),
},
check: func(p *securityapi.PodSecurityPolicySubjectReview) (bool, string) {
// must be different due defaulting
return p.Status.Template.Spec.SecurityContext != nil, "Status.Template should be defaulted"
},
},
// if PodTemplateSpec.Spec.ServiceAccountName is empty it will not be defaulted
"empty service account name": {
sccs: []*kapi.SecurityContextConstraints{
admissionttesting.UserScc("bar"),
admissionttesting.UserScc("foo"),
},
patch: func(p *securityapi.PodSecurityPolicySubjectReview) {
p.Spec.Template.Spec.ServiceAccountName = "" // empty SA in podSpec
},
check: func(p *securityapi.PodSecurityPolicySubjectReview) (bool, string) {
return p.Status.Template.Spec.SecurityContext == nil, "Status.PodTemplateSpec should not be defaulted"
},
},
// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups.
"user - no group": {
sccs: []*kapi.SecurityContextConstraints{
admissionttesting.UserScc("bar"),
admissionttesting.UserScc("foo"),
},
patch: func(p *securityapi.PodSecurityPolicySubjectReview) {
p.Spec.Groups = nil
},
},
// If User and Groups are empty, then the check is performed using *only* the ServiceAccountName in the PodTemplateSpec.
"no user - no group": {
sccs: []*kapi.SecurityContextConstraints{
admissionttesting.UserScc("bar"),
admissionttesting.UserScc("foo"),
saSCC(),
},
patch: func(p *securityapi.PodSecurityPolicySubjectReview) {
p.Spec.Groups = nil
p.Spec.User = ""
},
},
}
namespace := admissionttesting.CreateNamespaceForTest()
for testName, testcase := range testcases {
serviceAccount := admissionttesting.CreateSAForTest()
reviewRequest := &securityapi.PodSecurityPolicySubjectReview{
Spec: securityapi.PodSecurityPolicySubjectReviewSpec{
Template: kapi.PodTemplateSpec{
Spec: kapi.PodSpec{
Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
RestartPolicy: kapi.RestartPolicyAlways,
SecurityContext: &kapi.PodSecurityContext{},
DNSPolicy: kapi.DNSClusterFirst,
ServiceAccountName: "default",
},
},
User: "foo",
Groups: []string{"bar", "baz"},
},
}
if testcase.patch != nil {
testcase.patch(reviewRequest) // local modification of the nominal case
}
cache := &oscache.IndexerToSecurityContextConstraintsLister{
Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc,
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}),
}
for _, scc := range testcase.sccs {
if err := cache.Add(scc); err != nil {
t.Fatalf("error adding sccs to store: %v", err)
}
}
csf := clientsetfake.NewSimpleClientset(namespace, serviceAccount)
storage := REST{oscc.NewDefaultSCCMatcher(cache), csf}
ctx := kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceAll)
obj, err := storage.Create(ctx, reviewRequest)
if err != nil {
t.Errorf("%s - Unexpected error: %v", testName, err)
continue
}
pspsr, ok := obj.(*securityapi.PodSecurityPolicySubjectReview)
if !ok {
t.Errorf("%s - Unable to convert created runtime.Object to PodSecurityPolicySubjectReview", testName)
continue
}
//.........这里部分代码省略.........
示例4: Admit
// Admit determines if the pod should be admitted based on the requested security context
// and the available SCCs.
//
//  1. Find SCCs for the user.
//  2. Find SCCs for the pod's service account, when ServiceAccountName is set.
//     An error retrieving SA SCCs is handled like an error in step 1: the pod is rejected.
//  3. Remove duplicates between the user/SA SCCs and sort them by priority.
//  4. Create the providers, includes setting pre-allocated values if necessary.
//  5. Try to generate and validate an SCC with providers, in priority order. The first
//     provider under which the whole pod validates wins: the pod is annotated with that
//     SCC's name and admitted. If none validates, reject the pod and give all errors from
//     the failed attempts.
//
// Only the "pods" resource without a subresource is handled; any other request is
// admitted untouched.
// On updates, the BeforeUpdate of the pod strategy only zeroes out the status. That means that
// any change that claims the pod is no longer privileged will be removed. That should hold until
// we get a true old/new set of objects in.
func (c *constraint) Admit(a kadmission.Attributes) error {
	if a.GetResource().GroupResource() != kapi.Resource("pods") {
		return nil
	}
	if len(a.GetSubresource()) != 0 {
		return nil
	}
	pod, ok := a.GetObject().(*kapi.Pod)
	// if we can't convert then we don't handle this object so just return
	if !ok {
		return nil
	}
	// get all constraints that are usable by the user
	glog.V(4).Infof("getting security context constraints for pod %s (generate: %s) in namespace %s with user info %v", pod.Name, pod.GenerateName, a.GetNamespace(), a.GetUserInfo())
	sccMatcher := oscc.NewDefaultSCCMatcher(c.sccLister)
	matchedConstraints, err := sccMatcher.FindApplicableSCCs(a.GetUserInfo())
	if err != nil {
		// a lookup failure rejects the pod rather than admitting it with no SCC
		return kadmission.NewForbidden(a, err)
	}
	// get all constraints that are usable by the SA
	if len(pod.Spec.ServiceAccountName) > 0 {
		// the SA identity is built from namespace and name only; the third
		// argument (presumably the SA UID) is left empty
		userInfo := serviceaccount.UserInfo(a.GetNamespace(), pod.Spec.ServiceAccountName, "")
		glog.V(4).Infof("getting security context constraints for pod %s (generate: %s) with service account info %v", pod.Name, pod.GenerateName, userInfo)
		// err is shadowed inside this block on purpose; the outer err is already nil
		saConstraints, err := sccMatcher.FindApplicableSCCs(userInfo)
		if err != nil {
			return kadmission.NewForbidden(a, err)
		}
		matchedConstraints = append(matchedConstraints, saConstraints...)
	}
	// remove duplicate constraints and sort
	// the sort order decides which SCC a pod lands on when several would admit it,
	// because the provider loop below stops at the first successful validation
	matchedConstraints = deduplicateSecurityContextConstraints(matchedConstraints)
	sort.Sort(ByPriority(matchedConstraints))
	providers, errs := c.createProvidersFromConstraints(a.GetNamespace(), matchedConstraints)
	logProviders(pod, providers, errs)
	if len(providers) == 0 {
		return kadmission.NewForbidden(a, fmt.Errorf("no providers available to validate pod request"))
	}
	// all containers in a single pod must validate under a single provider or we will reject the request
	validationErrs := field.ErrorList{}
	for _, provider := range providers {
		// errs here shadows the provider-creation errs above; it is scoped to this if
		if errs := assignSecurityContext(provider, pod, field.NewPath(fmt.Sprintf("provider %s: ", provider.GetSCCName()))); len(errs) > 0 {
			validationErrs = append(validationErrs, errs...)
			continue
		}
		// the entire pod validated, annotate and accept the pod
		glog.V(4).Infof("pod %s (generate: %s) validated against provider %s", pod.Name, pod.GenerateName, provider.GetSCCName())
		if pod.ObjectMeta.Annotations == nil {
			pod.ObjectMeta.Annotations = map[string]string{}
		}
		// record which SCC admitted the pod; this annotation is the audit trail
		// for later inspection of why a pod was allowed its security context
		pod.ObjectMeta.Annotations[allocator.ValidatedSCCAnnotation] = provider.GetSCCName()
		return nil
	}
	// we didn't validate against any security context constraint provider, reject the pod and give the errors for each attempt
	glog.V(4).Infof("unable to validate pod %s (generate: %s) against any security context constraint: %v", pod.Name, pod.GenerateName, validationErrs)
	return kadmission.NewForbidden(a, fmt.Errorf("unable to validate against any security context constraint: %v", validationErrs))
}
示例5: TestRequests
func TestRequests(t *testing.T) {
testcases := map[string]struct {
request *securityapi.PodSecurityPolicySubjectReview
sccs []*kapi.SecurityContextConstraints
serviceAccount *kapi.ServiceAccount
errorMessage string
}{
"invalid request": {
request: &securityapi.PodSecurityPolicySubjectReview{
Spec: securityapi.PodSecurityPolicySubjectReviewSpec{
Template: kapi.PodTemplateSpec{
Spec: kapi.PodSpec{
Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
RestartPolicy: kapi.RestartPolicyAlways,
SecurityContext: &kapi.PodSecurityContext{},
DNSPolicy: kapi.DNSClusterFirst,
ServiceAccountName: "A.B.C.D",
},
},
User: "foo",
Groups: []string{"bar", "baz"},
},
},
errorMessage: `PodSecurityPolicySubjectReview "" is invalid: spec.template.spec.serviceAccountName: Invalid value: "A.B.C.D": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`,
},
"no provider": {
request: &securityapi.PodSecurityPolicySubjectReview{
Spec: securityapi.PodSecurityPolicySubjectReviewSpec{
Template: kapi.PodTemplateSpec{
Spec: kapi.PodSpec{
Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
RestartPolicy: kapi.RestartPolicyAlways,
SecurityContext: &kapi.PodSecurityContext{},
DNSPolicy: kapi.DNSClusterFirst,
ServiceAccountName: "default",
},
},
},
},
// no errorMessage only pspr empty
},
"container capability": {
request: &securityapi.PodSecurityPolicySubjectReview{
Spec: securityapi.PodSecurityPolicySubjectReviewSpec{
Template: kapi.PodTemplateSpec{
Spec: kapi.PodSpec{
Containers: []kapi.Container{
{
Name: "ctr",
Image: "image",
ImagePullPolicy: "IfNotPresent",
SecurityContext: &kapi.SecurityContext{
Capabilities: &kapi.Capabilities{
Add: []kapi.Capability{"foo"},
},
},
},
},
RestartPolicy: kapi.RestartPolicyAlways,
SecurityContext: &kapi.PodSecurityContext{},
DNSPolicy: kapi.DNSClusterFirst,
ServiceAccountName: "default",
},
},
User: "foo",
},
},
sccs: []*kapi.SecurityContextConstraints{
admissionttesting.UserScc("bar"),
admissionttesting.UserScc("foo"),
},
// no errorMessage
},
}
namespace := admissionttesting.CreateNamespaceForTest()
serviceAccount := admissionttesting.CreateSAForTest()
for testName, testcase := range testcases {
cache := &oscache.IndexerToSecurityContextConstraintsLister{
Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc,
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}),
}
for _, scc := range testcase.sccs {
if err := cache.Add(scc); err != nil {
t.Fatalf("error adding sccs to store: %v", err)
}
}
csf := clientsetfake.NewSimpleClientset(namespace, serviceAccount)
storage := REST{oscc.NewDefaultSCCMatcher(cache), csf}
ctx := kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceAll)
_, err := storage.Create(ctx, testcase.request)
switch {
case err == nil && len(testcase.errorMessage) == 0:
continue
case err == nil && len(testcase.errorMessage) > 0:
t.Errorf("%s - Expected error %q. No error found", testName, testcase.errorMessage)
continue
case err.Error() != testcase.errorMessage:
t.Errorf("%s - Expected error %q. But got %q", testName, testcase.errorMessage, err.Error())
}
}
//.........这里部分代码省略.........
示例6: TestSpecificSAs
//.........这里部分代码省略.........
{
ObjectMeta: kapi.ObjectMeta{
Name: "yours-sa",
Namespace: "default",
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: "our-sa",
Namespace: "default",
},
},
},
errorMessage: "",
},
"bad SAs in PSPR": {
request: &securityapi.PodSecurityPolicyReview{
Spec: securityapi.PodSecurityPolicyReviewSpec{
Template: kapi.PodTemplateSpec{
Spec: kapi.PodSpec{
Containers: []kapi.Container{
{
Name: "ctr",
Image: "image",
ImagePullPolicy: "IfNotPresent",
},
},
RestartPolicy: kapi.RestartPolicyAlways,
SecurityContext: &kapi.PodSecurityContext{},
DNSPolicy: kapi.DNSClusterFirst,
ServiceAccountName: "default",
},
},
ServiceAccountNames: []string{"bad-sa"},
},
},
sccs: []*kapi.SecurityContextConstraints{
{
ObjectMeta: kapi.ObjectMeta{
SelfLink: "/api/version/securitycontextconstraints/myscc",
Name: "myscc",
},
RunAsUser: kapi.RunAsUserStrategyOptions{
Type: kapi.RunAsUserStrategyMustRunAsRange,
},
SELinuxContext: kapi.SELinuxContextStrategyOptions{
Type: kapi.SELinuxStrategyMustRunAs,
},
FSGroup: kapi.FSGroupStrategyOptions{
Type: kapi.FSGroupStrategyMustRunAs,
},
SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{
Type: kapi.SupplementalGroupsStrategyMustRunAs,
},
Groups: []string{"system:serviceaccounts"},
},
},
serviceAccounts: []*kapi.ServiceAccount{
{
ObjectMeta: kapi.ObjectMeta{
Name: "my-sa",
Namespace: "default",
},
},
},
errorMessage: `unable to retrieve ServiceAccount bad-sa: ServiceAccount "bad-sa" not found`,
},
}
for testName, testcase := range testcases {
cache := &oscache.IndexerToSecurityContextConstraintsLister{
Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc,
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}),
}
for _, scc := range testcase.sccs {
if err := cache.Add(scc); err != nil {
t.Fatalf("error adding sccs to store: %v", err)
}
}
objects := []runtime.Object{}
namespace := admissionttesting.CreateNamespaceForTest()
objects = append(objects, namespace)
for i := range testcase.serviceAccounts {
objects = append(objects, testcase.serviceAccounts[i])
}
csf := clientsetfake.NewSimpleClientset(objects...)
storage := REST{oscc.NewDefaultSCCMatcher(cache), csf}
ctx := kapi.WithNamespace(kapi.NewContext(), namespace.Name)
_, err := storage.Create(ctx, testcase.request)
switch {
case err == nil && len(testcase.errorMessage) == 0:
continue
case err == nil && len(testcase.errorMessage) > 0:
t.Errorf("%s - Expected error %q. No error found", testName, testcase.errorMessage)
continue
case err.Error() != testcase.errorMessage:
t.Errorf("%s - Expected error %q. But got %#v", testName, testcase.errorMessage, err)
}
}
}
示例7: TestNoErrors
//.........这里部分代码省略.........
Groups: []string{"system:serviceaccounts"},
},
},
allowedSAs: []string{"default"},
},
"failure creating provider": {
request: &securityapi.PodSecurityPolicyReview{
Spec: securityapi.PodSecurityPolicyReviewSpec{
Template: kapi.PodTemplateSpec{
Spec: kapi.PodSpec{
Containers: []kapi.Container{
{
Name: "ctr",
Image: "image",
ImagePullPolicy: "IfNotPresent",
SecurityContext: &kapi.SecurityContext{
Capabilities: &kapi.Capabilities{
Add: []kapi.Capability{"foo"},
},
},
},
},
RestartPolicy: kapi.RestartPolicyAlways,
SecurityContext: &kapi.PodSecurityContext{},
DNSPolicy: kapi.DNSClusterFirst,
ServiceAccountName: "default",
},
},
},
},
sccs: []*kapi.SecurityContextConstraints{
{
ObjectMeta: kapi.ObjectMeta{
SelfLink: "/api/version/securitycontextconstraints/restrictive",
Name: "restrictive",
},
RunAsUser: kapi.RunAsUserStrategyOptions{
Type: kapi.RunAsUserStrategyMustRunAs,
UID: &uid,
},
SELinuxContext: kapi.SELinuxContextStrategyOptions{
Type: kapi.SELinuxStrategyMustRunAs,
SELinuxOptions: &kapi.SELinuxOptions{
Level: "s9:z0,z1",
},
},
FSGroup: kapi.FSGroupStrategyOptions{
Type: kapi.FSGroupStrategyMustRunAs,
Ranges: []kapi.IDRange{
{Min: 999, Max: 999},
},
},
SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{
Type: kapi.SupplementalGroupsStrategyMustRunAs,
Ranges: []kapi.IDRange{
{Min: 999, Max: 999},
},
},
Groups: []string{"system:serviceaccounts"},
},
},
allowedSAs: nil,
},
}
for testName, testcase := range testcases {
cache := &oscache.IndexerToSecurityContextConstraintsLister{
Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc,
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}),
}
for _, scc := range testcase.sccs {
if err := cache.Add(scc); err != nil {
t.Fatalf("error adding sccs to store: %v", err)
}
}
namespace := admissionttesting.CreateNamespaceForTest()
serviceAccount := admissionttesting.CreateSAForTest()
serviceAccount.Namespace = namespace.Name
csf := clientsetfake.NewSimpleClientset(namespace, serviceAccount)
storage := REST{oscc.NewDefaultSCCMatcher(cache), csf}
ctx := kapi.WithNamespace(kapi.NewContext(), namespace.Name)
obj, err := storage.Create(ctx, testcase.request)
if err != nil {
t.Errorf("%s - Unexpected error: %v", testName, err)
continue
}
pspsr, ok := obj.(*securityapi.PodSecurityPolicyReview)
if !ok {
t.Errorf("%s - unable to convert cretated runtime.Object to PodSecurityPolicyReview", testName)
continue
}
var allowedSas []string
for _, sa := range pspsr.Status.AllowedServiceAccounts {
allowedSas = append(allowedSas, sa.Name)
}
if !reflect.DeepEqual(allowedSas, testcase.allowedSAs) {
t.Errorf("%s - expected allowed ServiceAccout names %v got %v", testName, testcase.allowedSAs, allowedSas)
}
}
}
示例8: TestErrors
// TestErrors drives REST.Create with PodSecurityPolicyReview requests that must be
// rejected: a template naming an invalid service account, and a service account that
// does not exist in the namespace. Each case pins the exact error string returned.
func TestErrors(t *testing.T) {
	type errorCase struct {
		request        *securityapi.PodSecurityPolicyReview
		sccs           []*kapi.SecurityContextConstraints
		serviceAccount *kapi.ServiceAccount
		errorMessage   string
	}
	// every request is the same single-container template, differing only in
	// the service account it names
	newRequest := func(saName string) *securityapi.PodSecurityPolicyReview {
		return &securityapi.PodSecurityPolicyReview{
			Spec: securityapi.PodSecurityPolicyReviewSpec{
				Template: kapi.PodTemplateSpec{
					Spec: kapi.PodSpec{
						Containers:         []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
						RestartPolicy:      kapi.RestartPolicyAlways,
						SecurityContext:    &kapi.PodSecurityContext{},
						DNSPolicy:          kapi.DNSClusterFirst,
						ServiceAccountName: saName,
					},
				},
			},
		}
	}
	testcases := map[string]errorCase{
		"invalid PSPR": {
			request:        newRequest("A.B.C.D.E"),
			serviceAccount: admissionttesting.CreateSAForTest(),
			errorMessage:   `PodSecurityPolicyReview "" is invalid: spec.template.spec.serviceAccountName: Invalid value: "A.B.C.D.E": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`,
		},
		"no SA": {
			request:      newRequest("default"),
			errorMessage: `unable to retrieve ServiceAccount default: ServiceAccount "default" not found`,
		},
	}
	for name, tc := range testcases {
		// lister, not cache, so the cache package is not shadowed
		lister := &oscache.IndexerToSecurityContextConstraintsLister{
			Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc,
				cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}),
		}
		for _, scc := range tc.sccs {
			if err := lister.Add(scc); err != nil {
				t.Fatalf("error adding sccs to store: %v", err)
			}
		}
		ns := admissionttesting.CreateNamespaceForTest()
		// the fake clientset only knows the SA when the case supplies one, and
		// that SA is moved into the freshly created namespace first
		var csf clientset.Interface
		if sa := tc.serviceAccount; sa != nil {
			sa.Namespace = ns.Name
			csf = clientsetfake.NewSimpleClientset(ns, sa)
		} else {
			csf = clientsetfake.NewSimpleClientset(ns)
		}
		storage := REST{oscc.NewDefaultSCCMatcher(lister), csf}
		ctx := kapi.WithNamespace(kapi.NewContext(), ns.Name)
		_, err := storage.Create(ctx, tc.request)
		switch {
		case err == nil:
			t.Errorf("%s - Expected error", name)
		case err.Error() != tc.errorMessage:
			t.Errorf("%s - Bad error. Expected %q got %q", name, tc.errorMessage, err.Error())
		}
	}
}
示例9: TestPodSecurityPolicySelfSubjectReview
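// TestPodSecurityPolicySelfSubjectReview checks that REST.Create resolves the SCC
// for the user carried in the request context rather than one named in the request:
// user "foo" (groups "bar", "baz") is allowed by the "foo" SCC when it exists and by
// nothing when only the "bar" SCC is available.
func TestPodSecurityPolicySelfSubjectReview(t *testing.T) {
	testcases := map[string]struct {
		sccs  []*kapi.SecurityContextConstraints
		check func(p *securityapi.PodSecurityPolicySelfSubjectReview) (bool, string)
	}{
		"user foo": {
			sccs: []*kapi.SecurityContextConstraints{
				admissionttesting.UserScc("bar"),
				admissionttesting.UserScc("foo"),
			},
			check: func(p *securityapi.PodSecurityPolicySelfSubjectReview) (bool, string) {
				// AllowedBy is a pointer: guard it so a missing match fails the
				// case instead of panicking the whole test binary
				allowedBy := p.Status.AllowedBy
				if allowedBy == nil {
					return false, "SCC should be foo, but nothing allowed the pod"
				}
				return allowedBy.Name == "foo", fmt.Sprintf("SCC should be foo, got %q", allowedBy.Name)
			},
		},
		"user bar ": {
			sccs: []*kapi.SecurityContextConstraints{
				admissionttesting.UserScc("bar"),
			},
			check: func(p *securityapi.PodSecurityPolicySelfSubjectReview) (bool, string) {
				return p.Status.AllowedBy == nil, "Allowed by should be nil"
			},
		},
	}
	for testName, testcase := range testcases {
		namespace := admissionttesting.CreateNamespaceForTest()
		serviceAccount := admissionttesting.CreateSAForTest()
		reviewRequest := &securityapi.PodSecurityPolicySelfSubjectReview{
			Spec: securityapi.PodSecurityPolicySelfSubjectReviewSpec{
				Template: kapi.PodTemplateSpec{
					Spec: kapi.PodSpec{
						Containers:         []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
						RestartPolicy:      kapi.RestartPolicyAlways,
						SecurityContext:    &kapi.PodSecurityContext{},
						DNSPolicy:          kapi.DNSClusterFirst,
						ServiceAccountName: "default",
					},
				},
			},
		}
		// lister, not cache, so the cache package used to build the indexer is not shadowed
		lister := &oscache.IndexerToSecurityContextConstraintsLister{
			Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc,
				cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}),
		}
		for _, scc := range testcase.sccs {
			if err := lister.Add(scc); err != nil {
				t.Fatalf("error adding sccs to store: %v", err)
			}
		}
		csf := clientsetfake.NewSimpleClientset(namespace, serviceAccount)
		storage := REST{oscc.NewDefaultSCCMatcher(lister), csf}
		// the subject under review comes from the context, not from the request body
		ctx := kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceAll), &user.DefaultInfo{Name: "foo", Groups: []string{"bar", "baz"}})
		obj, err := storage.Create(ctx, reviewRequest)
		if err != nil {
			// report the error itself and skip the conversion, which would only
			// add a misleading second failure for a nil obj
			t.Errorf("%s - Unexpected error: %v", testName, err)
			continue
		}
		pspssr, ok := obj.(*securityapi.PodSecurityPolicySelfSubjectReview)
		if !ok {
			t.Errorf("%s - Unable to convert created runtime.Object to PodSecurityPolicySelfSubjectReview", testName)
			continue
		}
		if ok, message := testcase.check(pspssr); !ok {
			t.Errorf("%s - %s", testName, message)
		}
	}
}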