[WIP] OCPBUGS-64663 runAsUser/runAsGroup not behaving to the expected range values in user namespaces

openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/defaulting_scc_test.go

@@ -81,6 +81,15 @@ func TestDefaultingHappens(t *testing.T) {
 	"priority": null,
 	"readOnlyRootFilesystem": false,
 	"requiredDropCapabilities": null,
+	"runAsGroup": {
+		"ranges": [
+			{
+				"max": 65534,
+				"min": 1000
+			}
+		],
+		"type": "MustRunAs"
+	},
 	"runAsUser": {
 		"type": "RunAsAny"
 	},

openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/defaults.go

@@ -9,13 +9,23 @@ import (
 
 // Default SCCs for new fields.  FSGroup and SupplementalGroups are
 // set to the RunAsAny strategy if they are unset on the scc.
+// RunAsGroup is set to the MustRunAs strategy with ranges [1000, 65534] if unset.
 func SetDefaults_SCC(scc *securityv1.SecurityContextConstraints) {
 	if len(scc.FSGroup.Type) == 0 {
 		scc.FSGroup.Type = securityv1.FSGroupStrategyRunAsAny
 	}
 	if len(scc.SupplementalGroups.Type) == 0 {
 		scc.SupplementalGroups.Type = securityv1.SupplementalGroupsStrategyRunAsAny
 	}
+	if len(scc.RunAsGroup.Type) == 0 {
+		scc.RunAsGroup.Type = securityv1.RunAsGroupStrategyMustRunAs
+		scc.RunAsGroup.Ranges = []securityv1.IDRange{
+			{
+				Min: 1000,
+				Max: 65534,
+			},
+		}
+	}
 
 	if scc.Users == nil {
 		scc.Users = []string{}

openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/validation/validation.go

@@ -70,6 +70,24 @@ func ValidateSecurityContextConstraints(scc *securityv1.SecurityContextConstrain
 	}
 	allErrs = append(allErrs, validateIDRanges(scc.SupplementalGroups.Ranges, field.NewPath("supplementalGroups"))...)
 
+	// ensure the runAsGroup strategy has a valid type
+	if len(scc.RunAsGroup.Type) > 0 {
+		if scc.RunAsGroup.Type != securityv1.RunAsGroupStrategyMustRunAs &&
+			scc.RunAsGroup.Type != securityv1.RunAsGroupStrategyMustRunAsRange &&
+			scc.RunAsGroup.Type != securityv1.RunAsGroupStrategyRunAsAny {
+			allErrs = append(allErrs, field.NotSupported(field.NewPath("runAsGroup", "type"), scc.RunAsGroup.Type,
+				[]string{string(securityv1.RunAsGroupStrategyMustRunAs), string(securityv1.RunAsGroupStrategyMustRunAsRange), string(securityv1.RunAsGroupStrategyRunAsAny)}))
+		}
+		allErrs = append(allErrs, validateIDRanges(scc.RunAsGroup.Ranges, field.NewPath("runAsGroup"))...)
+
+		// if specified, gid cannot be negative
+		if scc.RunAsGroup.GID != nil {
+			if *scc.RunAsGroup.GID < 0 {
+				allErrs = append(allErrs, field.Invalid(field.NewPath("runAsGroup").Child("gid"), *scc.RunAsGroup.GID, "gid cannot be negative"))
+			}
+		}
+	}
+
 	// validate capabilities
 	allErrs = append(allErrs, validateSCCCapsAgainstDrops(scc.RequiredDropCapabilities, scc.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
 	allErrs = append(allErrs, validateSCCCapsAgainstDrops(scc.RequiredDropCapabilities, scc.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)

pkg/apis/core/validation/validation.go

@@ -4532,7 +4532,7 @@ func ValidatePodSpec(spec *core.PodSpec, podMeta *metav1.ObjectMeta, fldPath *fi
 	allErrs = append(allErrs, validateRestartPolicy(&spec.RestartPolicy, fldPath.Child("restartPolicy"))...)
 	allErrs = append(allErrs, validateDNSPolicy(&spec.DNSPolicy, fldPath.Child("dnsPolicy"))...)
 	allErrs = append(allErrs, unversionedvalidation.ValidateLabels(spec.NodeSelector, fldPath.Child("nodeSelector"))...)
-	allErrs = append(allErrs, validatePodSpecSecurityContext(spec.SecurityContext, spec, fldPath, fldPath.Child("securityContext"), opts)...)
+	allErrs = append(allErrs, validatePodSpecSecurityContext(spec.SecurityContext, spec, fldPath, fldPath.Child("securityContext"), opts, hostUsers)...)
 	allErrs = append(allErrs, validateImagePullSecrets(spec.ImagePullSecrets, fldPath.Child("imagePullSecrets"))...)
 	allErrs = append(allErrs, validateAffinity(spec.Affinity, opts, fldPath.Child("affinity"))...)
 	allErrs = append(allErrs, validatePodDNSConfig(spec.DNSConfig, &spec.DNSPolicy, fldPath.Child("dnsConfig"), opts)...)
@@ -5402,29 +5402,45 @@ func validateSELinuxChangePolicy(seLinuxChangePolicy *core.PodSELinuxChangePolic
 // validatePodSpecSecurityContext verifies the SecurityContext of a PodSpec,
 // whether that is defined in a Pod or in an embedded PodSpec (e.g. a
 // Deployment's pod template).
-func validatePodSpecSecurityContext(securityContext *core.PodSecurityContext, spec *core.PodSpec, specPath, fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
+func validatePodSpecSecurityContext(securityContext *core.PodSecurityContext, spec *core.PodSpec, specPath, fldPath *field.Path, opts PodValidationOptions, hostUsers bool) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	if securityContext != nil {
 		if securityContext.FSGroup != nil {
 			for _, msg := range validation.IsValidGroupID(*securityContext.FSGroup) {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("fsGroup"), *(securityContext.FSGroup), msg))
 			}
+			// When user namespaces are enabled (hostUsers=false), GIDs must be in range 0-65535
+			if !hostUsers && *securityContext.FSGroup > 65534 {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("fsGroup"), *securityContext.FSGroup, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
+			}
 		}
 		if securityContext.RunAsUser != nil {
 			for _, msg := range validation.IsValidUserID(*securityContext.RunAsUser) {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *(securityContext.RunAsUser), msg))
 			}
+			// When user namespaces are enabled (hostUsers=false), UIDs must be in range 0-65535
+			if !hostUsers && *securityContext.RunAsUser > 65534 {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *securityContext.RunAsUser, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
+			}
 		}
 		if securityContext.RunAsGroup != nil {
 			for _, msg := range validation.IsValidGroupID(*securityContext.RunAsGroup) {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *(securityContext.RunAsGroup), msg))
 			}
+			// When user namespaces are enabled (hostUsers=false), GIDs must be in range 0-65535
+			if !hostUsers && *securityContext.RunAsGroup > 65534 {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *securityContext.RunAsGroup, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
+			}
 		}
 		for g, gid := range securityContext.SupplementalGroups {
 			for _, msg := range validation.IsValidGroupID(gid) {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("supplementalGroups").Index(g), gid, msg))
 			}
+			// When user namespaces are enabled (hostUsers=false), GIDs must be in range 0-65535
+			if !hostUsers && gid > 65534 {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("supplementalGroups").Index(g), gid, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
+			}
 		}
 		if securityContext.ShareProcessNamespace != nil && securityContext.HostPID && *securityContext.ShareProcessNamespace {
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("shareProcessNamespace"), *securityContext.ShareProcessNamespace, "ShareProcessNamespace and HostPID cannot both be enabled"))
@@ -8072,12 +8088,20 @@ func ValidateSecurityContext(sc *core.SecurityContext, fldPath *field.Path, host
 		for _, msg := range validation.IsValidUserID(*sc.RunAsUser) {
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *sc.RunAsUser, msg))
 		}
+		// When user namespaces are enabled (hostUsers=false), UIDs must be in range 0-65535
+		if !hostUsers && *sc.RunAsUser > 65534 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *sc.RunAsUser, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
+		}
 	}
 
 	if sc.RunAsGroup != nil {
 		for _, msg := range validation.IsValidGroupID(*sc.RunAsGroup) {
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *sc.RunAsGroup, msg))
 		}
+		// When user namespaces are enabled (hostUsers=false), GIDs must be in range 0-65535
+		if !hostUsers && *sc.RunAsGroup > 65534 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *sc.RunAsGroup, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
+		}
 	}
 
 	if sc.ProcMount != nil {