[podsecurity] Dedupe overlapping forbidden messages

staging/src/k8s.io/pod-security-admission/policy/check_capabilities_baseline.go

@@ -45,8 +45,9 @@ func init() {
 // that limits the capabilities that can be added in 1.0+
 func CheckCapabilitiesBaseline() Check {
 	return Check{
-		ID:    "capabilities_baseline",
-		Level: api.LevelBaseline,
+		ID:      "capabilities_baseline",
+		Level:   api.LevelBaseline,
+		Overlap: true,
 		Versions: []VersionedCheck{
 			{
 				MinimumVersion: api.MajorMinorVersion(1, 0),

staging/src/k8s.io/pod-security-admission/policy/check_hostPathVolumes.go

@@ -42,8 +42,9 @@ func init() {
 // that requires hostPath=undefined/null in 1.0+
 func CheckHostPathVolumes() Check {
 	return Check{
-		ID:    "hostPathVolumes",
-		Level: api.LevelBaseline,
+		ID:      "hostPathVolumes",
+		Level:   api.LevelBaseline,
+		Overlap: true,
 		Versions: []VersionedCheck{
 			{
 				MinimumVersion: api.MajorMinorVersion(1, 0),

staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_baseline.go

@@ -57,8 +57,9 @@ func init() {
 
 func CheckSeccompBaseline() Check {
 	return Check{
-		ID:    "seccompProfile_baseline",
-		Level: api.LevelBaseline,
+		ID:      "seccompProfile_baseline",
+		Level:   api.LevelBaseline,
+		Overlap: true,
 		Versions: []VersionedCheck{
 			{
 				MinimumVersion: api.MajorMinorVersion(1, 0),

staging/src/k8s.io/pod-security-admission/policy/checks.go

@@ -32,6 +32,8 @@ type Check struct {
 	// Baseline checks are evaluated for baseline and restricted namespaces.
 	// Restricted checks are only evaluated for restricted namespaces.
 	Level api.Level
+	// Overlap indicates whether the check is overlapping with the check one level higher than oneself.
+	Overlap bool
 	// Versions contains one or more revisions of the check that apply to different versions.
 	// If the check is not yet assigned to a version, this must be a single-item list with a MinimumVersion of "".
 	// Otherwise, MinimumVersion of items must represent strictly increasing versions.

staging/src/k8s.io/pod-security-admission/policy/registry.go

@@ -33,7 +33,7 @@ type Evaluator interface {
 // checkRegistry provides a default implementation of an Evaluator.
 type checkRegistry struct {
 	// The checks are a map of check_ID -> sorted slice of versioned checks, newest first
-	baselineChecks, restrictedChecks map[api.Version][]CheckPodFn
+	baselineChecks, overlappingBaselineChecks, restrictedChecks map[api.Version][]CheckPodFn
 	// maxVersion is the maximum version that is cached, guaranteed to be at least
 	// the max MinimumVersion of all registered checks.
 	maxVersion api.Version
@@ -50,8 +50,9 @@ func NewEvaluator(checks []Check) (Evaluator, error) {
 		return nil, err
 	}
 	r := &checkRegistry{
-		baselineChecks:   map[api.Version][]CheckPodFn{},
-		restrictedChecks: map[api.Version][]CheckPodFn{},
+		baselineChecks:            map[api.Version][]CheckPodFn{},
+		overlappingBaselineChecks: map[api.Version][]CheckPodFn{},
+		restrictedChecks:          map[api.Version][]CheckPodFn{},
 	}
 	populate(r, checks)
 	return r, nil
@@ -69,6 +70,9 @@ func (r *checkRegistry) EvaluatePod(lv api.LevelVersion, podMetadata *metav1.Obj
 		results = append(results, check(podMetadata, podSpec))
 	}
 	if lv.Level == api.LevelBaseline {
+		for _, check := range r.overlappingBaselineChecks[lv.Version] {
+			results = append(results, check(podMetadata, podSpec))
+		}
 		return results
 	}
 	for _, check := range r.restrictedChecks[lv.Version] {
@@ -122,6 +126,8 @@ func populate(r *checkRegistry, validChecks []Check) {
 	for _, c := range validChecks {
 		if c.Level == api.LevelRestricted {
 			inflateVersions(c, r.restrictedChecks, r.maxVersion)
+		} else if c.Overlap {
+			inflateVersions(c, r.overlappingBaselineChecks, r.maxVersion)
 		} else {
 			inflateVersions(c, r.baselineChecks, r.maxVersion)
 		}

staging/src/k8s.io/pod-security-admission/policy/registry_test.go

@@ -29,12 +29,13 @@ import (
 
 func TestCheckRegistry(t *testing.T) {
 	checks := []Check{
-		generateCheck("a", api.LevelBaseline, []string{"v1.0"}),
-		generateCheck("b", api.LevelBaseline, []string{"v1.10"}),
-		generateCheck("c", api.LevelBaseline, []string{"v1.0", "v1.5", "v1.10"}),
-		generateCheck("d", api.LevelBaseline, []string{"v1.11", "v1.15", "v1.20"}),
-		generateCheck("e", api.LevelRestricted, []string{"v1.0"}),
-		generateCheck("f", api.LevelRestricted, []string{"v1.12", "v1.16", "v1.21"}),
+		generateCheck("a", api.LevelBaseline, false, []string{"v1.0"}),
+		generateCheck("b", api.LevelBaseline, false, []string{"v1.10"}),
+		generateCheck("c", api.LevelBaseline, false, []string{"v1.0", "v1.5", "v1.10"}),
+		generateCheck("d", api.LevelBaseline, false, []string{"v1.11", "v1.15", "v1.20"}),
+		generateCheck("e", api.LevelRestricted, false, []string{"v1.0"}),
+		generateCheck("f", api.LevelRestricted, false, []string{"v1.12", "v1.16", "v1.21"}),
+		generateCheck("g", api.LevelBaseline, true, []string{"v1.15"}),
 	}
 
 	reg, err := NewEvaluator(checks)
@@ -52,7 +53,7 @@ func TestCheckRegistry(t *testing.T) {
 		{api.LevelBaseline, "v1.5", []string{"a:v1.0", "c:v1.5"}},
 		{api.LevelBaseline, "v1.10", []string{"a:v1.0", "b:v1.10", "c:v1.10"}},
 		{api.LevelBaseline, "v1.11", []string{"a:v1.0", "b:v1.10", "c:v1.10", "d:v1.11"}},
-		{api.LevelBaseline, "latest", []string{"a:v1.0", "b:v1.10", "c:v1.10", "d:v1.20"}},
+		{api.LevelBaseline, "latest", []string{"a:v1.0", "b:v1.10", "c:v1.10", "g:v1.15", "d:v1.20"}},
 		{api.LevelRestricted, "v1.0", []string{"a:v1.0", "c:v1.0", "e:v1.0"}},
 		{api.LevelRestricted, "v1.4", []string{"a:v1.0", "c:v1.0", "e:v1.0"}},
 		{api.LevelRestricted, "v1.5", []string{"a:v1.0", "c:v1.5", "e:v1.0"}},
@@ -75,10 +76,11 @@ func TestCheckRegistry(t *testing.T) {
 	}
 }
 
-func generateCheck(id string, level api.Level, versions []string) Check {
+func generateCheck(id string, level api.Level, overlap bool, versions []string) Check {
 	c := Check{
-		ID:    id,
-		Level: level,
+		ID:      id,
+		Level:   level,
+		Overlap: overlap,
 	}
 	for _, ver := range versions {
 		v := versionOrPanic(ver) // Copy ver so it can be used in the CheckPod closure.