PodSecurityPolicy should respect and validate user-supplied RunAsNonR…

[Q-Lee]

What this PR does / why we need it: PodSecurityPolicies overwrite and then fail to validate the RunAsNonRoot field in the container security context.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #47071

Special notes for your reviewer: gce/gke don't use this in 1.6. You'll need to speak up if you think this is important enough to patch. It should almost certainly go into 1.7.

Release note:

PodSecurityPolicy now recognizes pods that specify `runAsNonRoot: false` in their security context and does not overwrite the specified value

[liggitt]

@kubernetes/sig-auth-pr-reviews

[liggitt]

cc @pweil-

[liggitt]

RunAsNonRoot=false is forbidden... you could set it to true if you wanted

[liggitt]

update godoc

[Q-Lee]

Ok, that message is backwards. Let me fix it for you :D

[liggitt]

we only need to do something if sc.RunAsNonRoot == nil... the change in nonRoot#Validate() ensures a non-nil value is acceptable, so we don't need to overwrite it here (and the impl in this block is a no-op, anyway)

[Q-Lee]

Ya, that's better.

[liggitt]

I'd like to see unit tests around both the Validate() and CreateContainerSecurityContext() changes

[pweil-]

+1 to this. IIRC the original behavior was a hold over from the time when the SCDeny plugin was used to prevent people from setting items in the SC so the system could always just DTRT.

Please make sure to add the scenario to the provider tests that do the pass/fail testing for the strategies.

[Q-Lee]

@liggitt @pweil- I've added unit tests.

@spxtr unit test changes trigger full e2e changes. Is that necessary?

[liggitt]

the point of this test is to make sure CreateContainerSecurityContext doesn't mutate a pod, so I'd want to leave it completely empty (no RunAsNonRoot set) to enable as many of the if ... == nil { ... } blocks as possible to run

[Q-Lee]

Done

[liggitt]

and test that one with RunAsNonRoot: &true returns no error

[Q-Lee]

Done

[Q-Lee]

@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this

[spxtr]

@spxtr unit test changes trigger full e2e changes. Is that necessary?

Currently every change triggers full e2e. This is something we can fix with the magic of bazel!

[liggitt]

/lgtm

[Q-Lee]

/assign @brendandburns

@liggitt - the psp owners file is pretty sparse.

[brendandburns]

/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Q-Lee, brendandburns, liggitt

Associated issue: 47071

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/OWNERS [brendandburns]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

[k8s-ci-robot]

@Q-Lee: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-e2e-gce-etcd3	158f17b	link	@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 47073, 47457, 47479)