OS integration SCC priority field

openshift · Oct 30, 2015 · a711f59 · a711f59
1 parent 8fdaffd
commit a711f59
Show file tree

Hide file tree

Showing 7 changed files with 75 additions and 54 deletions.
diff --git a/api/swagger-spec/api-v1.json b/api/swagger-spec/api-v1.json
@@ -14741,6 +14741,7 @@
    "v1.SecurityContextConstraints": {
     "id": "v1.SecurityContextConstraints",
     "required": [
+     "sortPriority",
      "allowPrivilegedContainer",
      "allowedCapabilities",
      "allowHostDirVolumePlugin",
@@ -14761,6 +14762,11 @@
      "metadata": {
       "$ref": "v1.ObjectMeta"
      },
+     "sortPriority": {
+      "type": "integer",
+      "format": "int32",
+      "description": "influences the sort order when evaluating SCCs available to the user"
+     },
      "allowPrivilegedContainer": {
       "type": "boolean",
       "description": "allow containers to run as privileged"

diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
@@ -66,6 +66,8 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 			SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{
 				Type: kapi.SupplementalGroupsStrategyRunAsAny,
 			},
+			// by default if you have access to the admin strategy then use it
+			SortPriority: 1,
 		},
 		// SecurityContextConstraintNonRoot does not allow host access, allocates SELinux labels
 		// and allows the user to request a specific UID or provide the default in the dockerfile.

diff --git a/pkg/security/admission/admission.go b/pkg/security/admission/admission.go
@@ -127,7 +127,7 @@ func (c *constraint) Admit(a kadmission.Attributes) error {
 
 	// remove duplicate constraints and sort
 	matchedConstraints = deduplicateSecurityContextConstraints(matchedConstraints)
-	sort.Sort(ByRestrictions(matchedConstraints))
+	sort.Sort(ByPriority(matchedConstraints))
 	providers, errs := c.createProvidersFromConstraints(a.GetNamespace(), matchedConstraints)
 	logProviders(pod, providers, errs)
 

diff --git a/pkg/security/admission/admission_test.go b/pkg/security/admission/admission_test.go
@@ -68,9 +68,11 @@ func TestAdmit(t *testing.T) {
 			Type: kapi.SupplementalGroupsStrategyMustRunAs,
 		},
 		Groups: []string{"system:serviceaccounts"},
+		// give this scc priority since it is what we want to validate with
+		SortPriority: 1,
 	}
 	// create scc that has specific requirements that shouldn't match but is permissioned to
-	// service accounts to test exact matches
+	// service accounts to test that we're matching first against the higher priority SCC.
 	var exactUID int64 = 999
 	saExactSCC := &kapi.SecurityContextConstraints{
 		ObjectMeta: kapi.ObjectMeta{

diff --git a/pkg/security/admission/bypriority.go b/pkg/security/admission/bypriority.go
@@ -0,0 +1,20 @@
+package admission
+
+import (
+	kapi "k8s.io/kubernetes/pkg/api"
+)
+
+// ByRestrictions is a helper to sort SCCs based on priority.  If priorities are equal
+// a string compare of the name is used.
+type ByPriority []*kapi.SecurityContextConstraints
+
+func (s ByPriority) Len() int {
+	return len(s)
+}
+func (s ByPriority) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
+func (s ByPriority) Less(i, j int) bool {
+	if s[i].SortPriority == s[j].SortPriority {
+		return s[i].Name < s[j].Name
+	}
+	return s[i].SortPriority > s[j].SortPriority
+}
diff --git a/pkg/security/admission/bypriority_test.go b/pkg/security/admission/bypriority_test.go
@@ -0,0 +1,43 @@
+package admission
+
+import (
+	"sort"
+	"testing"
+
+	kapi "k8s.io/kubernetes/pkg/api"
+)
+
+func TestByPriority(t *testing.T) {
+	tests := map[string]struct {
+		sccs     []*kapi.SecurityContextConstraints
+		expected []string
+	}{
+		"sort with priorities": {
+			sccs:     []*kapi.SecurityContextConstraints{testSCC("one", 1), testSCC("two", 2), testSCC("three", 3), testSCC("negative", -1), testSCC("super", 100)},
+			expected: []string{"super", "three", "two", "one", "negative"},
+		},
+		"sort with equal priorities": {
+			sccs:     []*kapi.SecurityContextConstraints{testSCC("one", 1), testSCC("foo", 2), testSCC("bar", 2), testSCC("baz", 2), testSCC("barbaz", 2)},
+			expected: []string{"bar", "barbaz", "baz", "foo", "one"},
+		},
+	}
+
+	for testCaseName, testCase := range tests {
+		sort.Sort(ByPriority(testCase.sccs))
+
+		for i, scc := range testCase.sccs {
+			if scc.Name != testCase.expected[i] {
+				t.Errorf("%s found %s at element %d but expected %s", testCaseName, scc.Name, i, testCase.expected[i])
+			}
+		}
+	}
+}
+
+func testSCC(name string, priority int) *kapi.SecurityContextConstraints {
+	return &kapi.SecurityContextConstraints{
+		ObjectMeta: kapi.ObjectMeta{
+			Name: name,
+		},
+		SortPriority: priority,
+	}
+}
diff --git a/pkg/security/admission/byrestrictions.go b/pkg/security/admission/byrestrictions.go