Merge pull request #9715 from pweil-/scc-seccomp

Merged by openshift-bot

api/swagger-spec/api-v1.json

@@ -20355,6 +20355,13 @@
        "type": "string"
       },
       "description": "The groups that have permission to use this security context constraints"
+     },
+     "seccompProfiles": {
+      "type": "array",
+      "items": {
+       "type": "string"
+      },
+      "description": "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations.  An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles.  When used to generate a value for a pod the first non-wildcard profile will be used as the default."
      }
     }
    },

pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go

@@ -81,6 +81,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 			SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{
 				Type: kapi.SupplementalGroupsStrategyRunAsAny,
 			},
+			SeccompProfiles: []string{"*"},
 		},
 		// SecurityContextConstraintNonRoot does not allow host access, allocates SELinux labels
 		// and allows the user to request a specific UID or provide the default in the dockerfile.

pkg/security/admission/admission.go

@@ -136,7 +136,7 @@ func assignSecurityContext(provider scc.SecurityContextConstraintsProvider, pod
 
 	errs := field.ErrorList{}
 
-	psc, err := provider.CreatePodSecurityContext(pod)
+	psc, generatedAnnotations, err := provider.CreatePodSecurityContext(pod)
 	if err != nil {
 		errs = append(errs, field.Invalid(field.NewPath("spec", "securityContext"), pod.Spec.SecurityContext, err.Error()))
 	}
@@ -145,7 +145,10 @@ func assignSecurityContext(provider scc.SecurityContextConstraintsProvider, pod
 	// set for container generation/validation.  We will reset to original post container
 	// validation.
 	originalPSC := pod.Spec.SecurityContext
+	originalAnnotations := pod.Annotations
+
 	pod.Spec.SecurityContext = psc
+	pod.Annotations = generatedAnnotations
 	errs = append(errs, provider.ValidatePodSecurityContext(pod, field.NewPath("spec", "securityContext"))...)
 
 	// Note: this is not changing the original container, we will set container SCs later so long
@@ -176,6 +179,7 @@ func assignSecurityContext(provider scc.SecurityContextConstraintsProvider, pod
 	if len(errs) > 0 {
 		// ensure psc is not mutated if there are errors
 		pod.Spec.SecurityContext = originalPSC
+		pod.Annotations = originalAnnotations
 		return errs
 	}
 

pkg/security/admission/admission_test.go

@@ -1499,6 +1499,117 @@ func TestAdmitWithPrioritizedSCC(t *testing.T) {
 	testSCCAdmission(matchingPriorityAndScoreSCCOnePod, plugin, matchingPriorityAndScoreSCCOne.Name, t)
 }
 
+func TestAdmitSeccomp(t *testing.T) {
+	createPodWithSeccomp := func(podAnnotation, containerAnnotation string) *kapi.Pod {
+		pod := goodPod()
+		pod.Annotations = map[string]string{}
+		if podAnnotation != "" {
+			pod.Annotations[kapi.SeccompPodAnnotationKey] = podAnnotation
+		}
+		if containerAnnotation != "" {
+			pod.Annotations[kapi.SeccompContainerAnnotationKeyPrefix+"container"] = containerAnnotation
+		}
+		pod.Spec.Containers[0].Name = "container"
+		return pod
+	}
+
+	noSeccompSCC := restrictiveSCC()
+	noSeccompSCC.Name = "noseccomp"
+
+	seccompSCC := restrictiveSCC()
+	seccompSCC.Name = "seccomp"
+	seccompSCC.SeccompProfiles = []string{"foo"}
+
+	wildcardSCC := restrictiveSCC()
+	wildcardSCC.Name = "wildcard"
+	wildcardSCC.SeccompProfiles = []string{"*"}
+
+	tests := map[string]struct {
+		pod                   *kapi.Pod
+		sccs                  []*kapi.SecurityContextConstraints
+		shouldPass            bool
+		expectedPodAnnotation string
+		expectedSCC           string
+	}{
+		"no seccomp, no requests": {
+			pod:         goodPod(),
+			sccs:        []*kapi.SecurityContextConstraints{noSeccompSCC},
+			shouldPass:  true,
+			expectedSCC: noSeccompSCC.Name,
+		},
+		"no seccomp, bad container requests": {
+			pod:        createPodWithSeccomp("foo", "bar"),
+			sccs:       []*kapi.SecurityContextConstraints{noSeccompSCC},
+			shouldPass: false,
+		},
+		"seccomp, no requests": {
+			pod:                   goodPod(),
+			sccs:                  []*kapi.SecurityContextConstraints{seccompSCC},
+			shouldPass:            true,
+			expectedPodAnnotation: "foo",
+			expectedSCC:           seccompSCC.Name,
+		},
+		"seccomp, valid pod annotation, no container annotation": {
+			pod:                   createPodWithSeccomp("foo", ""),
+			sccs:                  []*kapi.SecurityContextConstraints{seccompSCC},
+			shouldPass:            true,
+			expectedPodAnnotation: "foo",
+			expectedSCC:           seccompSCC.Name,
+		},
+		"seccomp, no pod annotation, valid container annotation": {
+			pod:                   createPodWithSeccomp("", "foo"),
+			sccs:                  []*kapi.SecurityContextConstraints{seccompSCC},
+			shouldPass:            true,
+			expectedPodAnnotation: "foo",
+			expectedSCC:           seccompSCC.Name,
+		},
+		"seccomp, valid pod annotation, invalid container annotation": {
+			pod:        createPodWithSeccomp("foo", "bar"),
+			sccs:       []*kapi.SecurityContextConstraints{seccompSCC},
+			shouldPass: false,
+		},
+		"wild card, no requests": {
+			pod:         goodPod(),
+			sccs:        []*kapi.SecurityContextConstraints{wildcardSCC},
+			shouldPass:  true,
+			expectedSCC: wildcardSCC.Name,
+		},
+		"wild card, requests": {
+			pod:                   createPodWithSeccomp("foo", "bar"),
+			sccs:                  []*kapi.SecurityContextConstraints{wildcardSCC},
+			shouldPass:            true,
+			expectedPodAnnotation: "foo",
+			expectedSCC:           wildcardSCC.Name,
+		},
+	}
+
+	for k, v := range tests {
+		testSCCAdmit(k, v.sccs, v.pod, v.shouldPass, t)
+
+		if v.shouldPass {
+			validatedSCC, ok := v.pod.Annotations[allocator.ValidatedSCCAnnotation]
+			if !ok {
+				t.Errorf("expected to find the validated annotation on the pod for the scc but found none")
+				return
+			}
+			if validatedSCC != v.expectedSCC {
+				t.Errorf("should have validated against %s but found %s", v.expectedSCC, validatedSCC)
+			}
+
+			if len(v.expectedPodAnnotation) > 0 {
+				annotation, found := v.pod.Annotations[kapi.SeccompPodAnnotationKey]
+				if !found {
+					t.Errorf("%s expected to have pod annotation for seccomp but found none", k)
+				}
+				if found && annotation != v.expectedPodAnnotation {
+					t.Errorf("%s expected pod annotation to be %s but found %s", k, v.expectedPodAnnotation, annotation)
+				}
+			}
+		}
+	}
+
+}
+
 // testSCCAdmission is a helper to admit the pod and ensure it was validated against the expected
 // SCC.
 func testSCCAdmission(pod *kapi.Pod, plugin kadmission.Interface, expectedSCC string, t *testing.T) {