From 8bd9a6d2691d9d0e01616bd3737a96ff1257d21a Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 3 Jul 2018 12:02:34 -0400
Subject: [PATCH] Apply defaults to bootstrap SCCs before reconciliation
---
 .../securitycontextconstraints.go | 23 ++++++++++++++++++-
 .../securitycontextconstraints_test.go | 12 ++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
index d0ae432743ea..b0b4e630f487 100644
--- a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
+++ b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
@@ -2,10 +2,13 @@ package bootstrappolicy
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	kapi "k8s.io/kubernetes/pkg/apis/core"
+	securityapiv1 "github.com/openshift/api/security/v1"
 	securityapi "github.com/openshift/origin/pkg/security/apis/security"
+	securityapiinstall "github.com/openshift/origin/pkg/security/apis/security/install"
 )
 const (
@@ -45,6 +48,12 @@ const (
 	DescriptionAnnotation = "kubernetes.io/description"
 )
+var bootstrapSCCScheme = runtime.NewScheme()
+
+func init() {
+	securityapiinstall.Install(bootstrapSCCScheme)
+}
+
 // GetBootstrapSecurityContextConstraints returns the slice of default SecurityContextConstraints
 // for system bootstrapping. This method takes additional users and groups that should be added
 // to the strategies. Use GetBoostrapSCCAccess to produce the default set of mappings.
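Review bot: `bootstrapSCCScheme` and the `init` that populates it carry no comment explaining why a private scheme exists next to the server's, and the reason is security-relevant: per the comment in the later hunk it exists only to round-trip bootstrap SCCs through the external v1 type so the server-side defaults are applied before reconciliation compares them. I would put that on the declaration: `// bootstrapSCCScheme holds only the security API group; it is used to round-trip bootstrap SCCs through the external v1 type so server-side defaults are applied before reconciliation compares them against the stored objects.` The scheme registers nothing but `securityapiinstall.Install`, so conversion of any core-API fields embedded in an SCC depends on what that install wires up; if it does not cover them, the `Convert` calls in the next hunk return an error and the process panics at startup, which is worth stating so the failure mode is not mistaken for a runtime condition.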
@@ -274,7 +283,19 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 	}
 	// add default access
-	for i, constraint := range constraints {
+	for i := range constraints {
+		// round trip to external, apply defaults, to ensure we match what we compare against the server
+		v1constraint := &securityapiv1.SecurityContextConstraints{}
+		constraint := &securityapi.SecurityContextConstraints{}
+		if err := bootstrapSCCScheme.Convert(constraints[i], v1constraint, nil); err != nil {
+			panic(err)
+		}
+		bootstrapSCCScheme.Default(v1constraint)
+		if err := bootstrapSCCScheme.Convert(v1constraint, constraint, nil); err != nil {
+			panic(err)
+		}
+		constraints[i] = constraint
+
 		if usersToAdd, ok := sccNameToAdditionalUsers[constraint.Name]; ok {
 			constraints[i].Users = append(constraints[i].Users, usersToAdd...)
 		}
diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go
index 9cb1312c6b84..358b614ca5c7 100644
--- a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go
+++ b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go
@@ -40,11 +40,17 @@ func TestBootstrappedConstraints(t *testing.T) {
 			t.Errorf("unexpected contraint no. %d (by priority). Found %v, wanted %v", i, constraint.Name, expectedConstraintNames[i])
 		}
 		g := expectedGroups[constraint.Name]
+		if g == nil {
+			g = []string{}
+		}
 		if !reflect.DeepEqual(g, constraint.Groups) {
 			t.Errorf("unexpected group access for %s. Found %v, wanted %v", constraint.Name, constraint.Groups, g)
 		}
 		u := expectedUsers[constraint.Name]
+		if u == nil {
+			u = []string{}
+		}
 		if !reflect.DeepEqual(u, constraint.Users) {
 			t.Errorf("unexpected user access for %s. Found %v, wanted %v", constraint.Name, constraint.Users, u)
 		}
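Review bot: The round trip at the top of the loop now bakes whatever the v1 defaulter fills in into the bootstrap policy, but nothing in this commit pins those values: if the defaulting functions in openshift/api change, the bootstrap SCCs change with them and the only symptom is a reconciliation diff against the server. The accompanying test hunks only normalize nil `Users`/`Groups` to empty slices, so I would add an assertion on at least one defaulted field per constraint (the strategy `Type` values or `Volumes` are the likely candidates, to be confirmed against the v1 defaults) so an upstream defaulting change is caught here rather than in a cluster. The two `panic(err)` calls are defensible because the inputs are static in-process objects, but that deserves a one-line comment, e.g. `// static bootstrap objects: a conversion failure is a programming error, not a runtime condition`. After `constraints[i] = constraint` both names alias the same pointer, so the remaining body could use `constraint` consistently rather than mixing `constraint.Name` with `constraints[i].Users`. The enclosing function starts before this hunk and the loop body continues past it.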
@@ -70,11 +76,17 @@ func TestBootstrappedConstraintsWithAddedUser(t *testing.T) {
 	for _, constraint := range bootstrappedConstraints {
 		g := expectedGroups[constraint.Name]
+		if g == nil {
+			g = []string{}
+		}
 		if !reflect.DeepEqual(g, constraint.Groups) {
 			t.Errorf("unexpected group access for %s. Found %v, wanted %v", constraint.Name, constraint.Groups, g)
 		}
 		u := expectedUsers[constraint.Name]
+		if u == nil {
+			u = []string{}
+		}
 		if !reflect.DeepEqual(u, constraint.Users) {
 			t.Errorf("unexpected user access for %s. Found %v, wanted %v", constraint.Name, constraint.Users, u)
 		}