openshift · openshift-merge-robot · Jul 4, 2018 · Jul 3, 2018
diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
@@ -2,10 +2,13 @@ package bootstrappolicy
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	kapi "k8s.io/kubernetes/pkg/apis/core"
 
+	securityapiv1 "github.com/openshift/api/security/v1"
 	securityapi "github.com/openshift/origin/pkg/security/apis/security"
+	securityapiinstall "github.com/openshift/origin/pkg/security/apis/security/install"
 )
 
 const (
@@ -45,6 +48,12 @@ const (
 	DescriptionAnnotation = "kubernetes.io/description"
 )
 
+var bootstrapSCCScheme = runtime.NewScheme()
+
+func init() {
+	securityapiinstall.Install(bootstrapSCCScheme)
+}
+
 // GetBootstrapSecurityContextConstraints returns the slice of default SecurityContextConstraints
 // for system bootstrapping.  This method takes additional users and groups that should be added
 // to the strategies.  Use GetBoostrapSCCAccess to produce the default set of mappings.
@@ -274,7 +283,19 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 	}
 
 	// add default access
-	for i, constraint := range constraints {
+	for i := range constraints {
+		// round trip to external, apply defaults, to ensure we match what we compare against the server
+		v1constraint := &securityapiv1.SecurityContextConstraints{}
+		constraint := &securityapi.SecurityContextConstraints{}
+		if err := bootstrapSCCScheme.Convert(constraints[i], v1constraint, nil); err != nil {
+			panic(err)
+		}
+		bootstrapSCCScheme.Default(v1constraint)
+		if err := bootstrapSCCScheme.Convert(v1constraint, constraint, nil); err != nil {
+			panic(err)
+		}
+		constraints[i] = constraint
+
 		if usersToAdd, ok := sccNameToAdditionalUsers[constraint.Name]; ok {
 			constraints[i].Users = append(constraints[i].Users, usersToAdd...)
 		}

diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go
@@ -40,11 +40,17 @@ func TestBootstrappedConstraints(t *testing.T) {
 			t.Errorf("unexpected contraint no. %d (by priority).  Found %v, wanted %v", i, constraint.Name, expectedConstraintNames[i])
 		}
 		g := expectedGroups[constraint.Name]
+		if g == nil {
+			g = []string{}
+		}
 		if !reflect.DeepEqual(g, constraint.Groups) {
 			t.Errorf("unexpected group access for %s.  Found %v, wanted %v", constraint.Name, constraint.Groups, g)
 		}
 
 		u := expectedUsers[constraint.Name]
+		if u == nil {
+			u = []string{}
+		}
 		if !reflect.DeepEqual(u, constraint.Users) {
 			t.Errorf("unexpected user access for %s.  Found %v, wanted %v", constraint.Name, constraint.Users, u)
 		}
@@ -70,11 +76,17 @@ func TestBootstrappedConstraintsWithAddedUser(t *testing.T) {
 
 	for _, constraint := range bootstrappedConstraints {
 		g := expectedGroups[constraint.Name]
+		if g == nil {
+			g = []string{}
+		}
 		if !reflect.DeepEqual(g, constraint.Groups) {
 			t.Errorf("unexpected group access for %s.  Found %v, wanted %v", constraint.Name, constraint.Groups, g)
 		}
 
 		u := expectedUsers[constraint.Name]
+		if u == nil {
+			u = []string{}
+		}
 		if !reflect.DeepEqual(u, constraint.Users) {
 			t.Errorf("unexpected user access for %s.  Found %v, wanted %v", constraint.Name, constraint.Users, u)
 		}