Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: c4c2e0c5e5
Branches Tags
custom-kube-...
/
kubernetes-v1.15.4
/
pkg
/
api
/
podsecuritypolicy
/
util.go

util.go 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. /*
    2. 

  2. Copyright 2018 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package podsecuritypolicy
    18. 

  18. 

  19. import (
    20. 

  20. 	utilfeature "k8s.io/apiserver/pkg/util/feature"
    21. 

  21. 	"k8s.io/kubernetes/pkg/apis/policy"
    22. 

  22. 	"k8s.io/kubernetes/pkg/features"
    23. 

  23. )
    24. 

  24. 

  25. // DropDisabledFields removes disabled fields from the pod security policy spec.
    26. 

  26. // This should be called from PrepareForCreate/PrepareForUpdate for all resources containing a od security policy spec.
    27. 

  27. func DropDisabledFields(pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec) {
    28. 

  28. 	if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) && !allowedProcMountTypesInUse(oldPSPSpec) {
    29. 

  29. 		pspSpec.AllowedProcMountTypes = nil
    30. 

  30. 	}
    31. 

  31. 	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && (oldPSPSpec == nil || oldPSPSpec.RunAsGroup == nil) {
    32. 

  32. 		pspSpec.RunAsGroup = nil
    33. 

  33. 	}
    34. 

  34. 	if !utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) && !sysctlsInUse(oldPSPSpec) {
    35. 

  35. 		pspSpec.AllowedUnsafeSysctls = nil
    36. 

  36. 		pspSpec.ForbiddenSysctls = nil
    37. 

  37. 	}
    38. 

  38. 	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
    39. 

  39. 		pspSpec.AllowedCSIDrivers = nil
    40. 

  40. 	}
    41. 

  41. 	if !utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) &&
    42. 

  42. 		(oldPSPSpec == nil || oldPSPSpec.RuntimeClass == nil) {
    43. 

  43. 		pspSpec.RuntimeClass = nil
    44. 

  44. 	}
    45. 

  45. }
    46. 

  46. 

  47. func allowedProcMountTypesInUse(oldPSPSpec *policy.PodSecurityPolicySpec) bool {
    48. 

  48. 	if oldPSPSpec == nil {
    49. 

  49. 		return false
    50. 

  50. 	}
    51. 

  51. 

  52. 	if oldPSPSpec.AllowedProcMountTypes != nil {
    53. 

  53. 		return true
    54. 

  54. 	}
    55. 

  55. 

  56. 	return false
    57. 

  57. 

  58. }
    59. 

  59. 

  60. func sysctlsInUse(oldPSPSpec *policy.PodSecurityPolicySpec) bool {
    61. 

  61. 	if oldPSPSpec == nil {
    62. 

  62. 		return false
    63. 

  63. 	}
    64. 

  64. 	if oldPSPSpec.AllowedUnsafeSysctls != nil || oldPSPSpec.ForbiddenSysctls != nil {
    65. 

  65. 		return true
    66. 

  66. 	}
    67. 

  67. 	return false
    68. 

  68. }
    69. 

  69.