Allow PSP's to specify a whitelist of allowed paths for host volume #50212
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
Hi @jhorwit2. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-github-robot
added
kind/api-change
|
/unassign |
|
CC @pweil- |
| if !psputil.PSPAllowsHostVolumePath(s.psp, v.HostPath.Path) { | ||
| allErrs = append(allErrs, field.Invalid( | ||
| field.NewPath("spec", "volumes").Index(i), string(fsType), | ||
| fmt.Sprintf("host path %s is not allowed to be used. allowed host paths", v.HostPath.Path))) |
There was a problem hiding this comment.
"host path %s is not allowed to be used. allowed host paths" -> "host path %s is not allowed to be used"
| continue | ||
| } | ||
|
|
||
| if fsType == extensions.HostPath { |
There was a problem hiding this comment.
Looks like this check will be triggered only when volumes not equal to *. This is incorrect.
There was a problem hiding this comment.
Good catch! I updated the PR.
| for k, v := range tests { | ||
| allows := PSPAllowsHostVolumePath(v.psp, v.path) | ||
| if v.allows != allows { | ||
| t.Errorf("%s expected PSPAllowsHostVolumePath to return %t but got %t", k, v.allows, allows) |
There was a problem hiding this comment.
s/PSPAllowsHostVolumePath//
pkg/apis/extensions/types.go
Outdated
| } | ||
|
|
||
| // AllowedHostPath defines the host volume conditions that will be enabled by a policy | ||
| // for pods to use. It requires the path to be defined. |
There was a problem hiding this comment.
"It requires the path to be defined." Code for validating this scenario is missing.
pkg/apis/extensions/types.go
Outdated
| // for pods to use. It requires the path to be defined. | ||
| type AllowedHostPath struct { | ||
| // Path is the path prefix that the host volume must match | ||
| Path string |
There was a problem hiding this comment.
could name the field PathPrefix, the parent should remain AllowedHostPath
|
|
||
| // PSPAllowsHostVolumePath is a utility for checking if a PSP allows the host volume path. | ||
| // This only checks the path. You should still check to make sure the host volume fs type is allowed. | ||
| func PSPAllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool { |
There was a problem hiding this comment.
Is it mandatory to use PSP in the function name? I don't see a reason for that. psputil.AllowsHostVolumePath() looks good to me either.
jhorwit2
force-pushed
the
jah/psp-hostpath
branch
3 times, most recently
from
d7ec40a to
2c3925b
Compare
|
@liggitt @php-coder i've addressed all the major concerns. Could someone please enable the test suite for me 👼 |
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
/test pull-kubernetes-e2e-gce-etcd3
… On Aug 11, 2017, at 4:06 PM, k8s-ci-robot ***@***.***> wrote:
/test pull-kubernetes-e2e-gce-etcd3
|
jhorwit2
force-pushed
the
jah/psp-hostpath
branch
from
1da54eb to
340123e
Compare
|
Is there anyone else that should review this? Tests all look good. |
k8s-github-robot
added
the
needs-rebase
jhorwit2
force-pushed
the
jah/psp-hostpath
branch
from
340123e to
9396113
Compare
jhorwit2
force-pushed
the
jah/psp-hostpath
branch
from
4d05eef to
c298282
Compare
|
@bgrant0607 @liggitt it should all be good now! |
k8s-github-robot
added
the
needs-rebase
jhorwit2
force-pushed
the
jah/psp-hostpath
branch
from
c298282 to
f8c43dd
Compare
removed files not supposed to be there
jhorwit2
force-pushed
the
jah/psp-hostpath
branch
from
f8c43dd to
6ec738a
Compare
k8s-github-robot
removed
the
needs-rebase
|
/retest
… On Aug 25, 2017, at 11:28 PM, k8s-ci-robot ***@***.***> wrote:
@jhorwit2: The following tests failed, say /retest to rerun them all:
Test name Commit Details Rerun command
pull-kubernetes-e2e-gce-bazel 6ec738a link /test pull-kubernetes-e2e-gce-bazel
pull-kubernetes-e2e-gce-etcd3 6ec738a link /test pull-kubernetes-e2e-gce-etcd3
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Spawned #51422 for the checker |
|
Is there anyone else that should review this? I was told we wanted this in for 1.8 so i just want to make sure we meet code freeze. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@smarterclayton @ericchiang @liggitt do we still plan to make this before code freeze? |
|
adding @smarterclayton for docs/ pkg/ approval |
|
/test pull-kubernetes-bazel-build |
|
/approve based on the history and comments in this thread and previous approval in last release |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jhorwit2, liggitt, smarterclayton Associated issue: 29326 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
/test pull-kubernetes-e2e-gce-etcd3 |
|
Automatic merge from submit-queue (batch tested with PRs 50719, 51216, 50212, 51408, 51381) |
What this PR does / why we need it:
Reverts the revert for the allowed host path feature that was moved from v1.7 to v1.8. This PR also changes the api as discussed in #47811.
Original pr: #43946
revert: #47851
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #29326Special notes for your reviewer:
cc @liggitt @ericchiang @php-coder
It seems the api build process has changed. Hopefully I did it right 👼 .
Release note: