diff --git a/vendor/k8s.io/kubernetes/pkg/api/types.go b/vendor/k8s.io/kubernetes/pkg/api/types.go index 806ec70915d1..036ad538bb55 100644 --- a/vendor/k8s.io/kubernetes/pkg/api/types.go +++ b/vendor/k8s.io/kubernetes/pkg/api/types.go @@ -3893,7 +3893,8 @@ type SecurityContextConstraints struct { // To allow all capabilities you may use '*'. AllowedCapabilities []Capability // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names - // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'. + // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". + // To allow no volumes, set to ["none"]. Volumes []FSType // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. AllowHostNetwork bool @@ -3961,6 +3962,7 @@ var ( FSPortworxVolume FSType = "portworxVolume" FSScaleIO FSType = "scaleIO" FSTypeAll FSType = "*" + FSTypeNone FSType = "none" ) // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy. diff --git a/vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go b/vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go index baed0056e538..70e68b9e1b0c 100644 --- a/vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go +++ b/vendor/k8s.io/kubernetes/pkg/api/v1/defaults.go @@ -411,13 +411,25 @@ func SetDefaults_SCC(scc *SecurityContextConstraints) { scc.SupplementalGroups.Type = SupplementalGroupsStrategyRunAsAny } - // defaults the volume slice of the SCC. - // In order to support old clients the boolean fields will always take precedence. - defaultAllowedVolumes := fsTypeToStringSet(scc.Volumes) - - // assume a nil volume slice is allowing everything for backwards compatibility - if defaultAllowedVolumes == nil { + var defaultAllowedVolumes sets.String + switch { + case scc.Volumes == nil: + // assume a nil volume slice is allowing everything for backwards compatibility defaultAllowedVolumes = sets.NewString(string(FSTypeAll)) + + case len(scc.Volumes) == 0 && scc.AllowHostDirVolumePlugin: + // an empty volume slice means "allow no volumes", but the boolean fields will always take precedence. + defaultAllowedVolumes = sets.NewString(string(FSTypeHostPath)) + + case len(scc.Volumes) == 0 && !scc.AllowHostDirVolumePlugin: + // an empty volume slice means "allow no volumes", but cannot be persisted in protobuf. + // convert this to volumes:["none"] + defaultAllowedVolumes = sets.NewString(string(FSTypeNone)) + + default: + // defaults the volume slice of the SCC. + // In order to support old clients the boolean fields will always take precedence. + defaultAllowedVolumes = fsTypeToStringSet(scc.Volumes) } if scc.AllowHostDirVolumePlugin { diff --git a/vendor/k8s.io/kubernetes/pkg/api/v1/defaults_test.go b/vendor/k8s.io/kubernetes/pkg/api/v1/defaults_test.go index cfd461b2bee6..b47f9ae18670 100644 --- a/vendor/k8s.io/kubernetes/pkg/api/v1/defaults_test.go +++ b/vendor/k8s.io/kubernetes/pkg/api/v1/defaults_test.go @@ -1047,7 +1047,7 @@ func TestDefaultSCCVolumes(t *testing.T) { Volumes: []versioned.FSType{}, AllowHostDirVolumePlugin: false, }, - expectedVolumes: []versioned.FSType{}, + expectedVolumes: []versioned.FSType{versioned.FSTypeNone}, expectedHostDir: false, }, } diff --git a/vendor/k8s.io/kubernetes/pkg/api/v1/types.go b/vendor/k8s.io/kubernetes/pkg/api/v1/types.go index 486b1d649980..2d780a09cebc 100644 --- a/vendor/k8s.io/kubernetes/pkg/api/v1/types.go +++ b/vendor/k8s.io/kubernetes/pkg/api/v1/types.go @@ -4460,7 +4460,8 @@ type SecurityContextConstraints struct { // +k8s:conversion-gen=false AllowHostDirVolumePlugin bool `json:"allowHostDirVolumePlugin" protobuf:"varint,7,opt,name=allowHostDirVolumePlugin"` // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names - // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'. + // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". + // To allow no volumes, set to ["none"]. Volumes []FSType `json:"volumes" protobuf:"bytes,8,rep,name=volumes,casttype=FSType"` // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. AllowHostNetwork bool `json:"allowHostNetwork" protobuf:"varint,9,opt,name=allowHostNetwork"` @@ -4522,6 +4523,7 @@ var ( FSTypeFC FSType = "fc" FSTypeConfigMap FSType = "configMap" FSTypeAll FSType = "*" + FSTypeNone FSType = "none" ) // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy. diff --git a/vendor/k8s.io/kubernetes/pkg/api/validation/validation.go b/vendor/k8s.io/kubernetes/pkg/api/validation/validation.go index a9d4dc414442..92cf2b582f32 100644 --- a/vendor/k8s.io/kubernetes/pkg/api/validation/validation.go +++ b/vendor/k8s.io/kubernetes/pkg/api/validation/validation.go @@ -3976,6 +3976,20 @@ func ValidateSecurityContextConstraints(scc *api.SecurityContextConstraints) fie "required capabilities must be empty when all capabilities are allowed by a wildcard")) } + if len(scc.Volumes) > 1 { + hasNone := false + for _, fsType := range scc.Volumes { + if fsType == api.FSTypeNone { + hasNone = true + break + } + } + if hasNone { + allErrs = append(allErrs, field.Invalid(field.NewPath("volumes"), scc.Volumes, + "if 'none' is specified, no other values are allowed")) + } + } + return allErrs } diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/types.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/types.go index 6df277f578d0..2f54aaed62a1 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/types.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/types.go @@ -3883,7 +3883,8 @@ type SecurityContextConstraints struct { // To allow all capabilities you may use '*'. AllowedCapabilities []Capability // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names - // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'. + // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". + // To allow no volumes, set to ["none"]. Volumes []FSType // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. AllowHostNetwork bool @@ -3951,6 +3952,7 @@ var ( FSPortworxVolume FSType = "portworxVolume" FSScaleIO FSType = "scaleIO" FSTypeAll FSType = "*" + FSTypeNone FSType = "none" ) // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy. diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/defaults.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/defaults.go index 8a55d5945f1d..fca4ba417a48 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/defaults.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/defaults.go @@ -411,13 +411,25 @@ func SetDefaults_SCC(scc *SecurityContextConstraints) { scc.SupplementalGroups.Type = SupplementalGroupsStrategyRunAsAny } - // defaults the volume slice of the SCC. - // In order to support old clients the boolean fields will always take precedence. - defaultAllowedVolumes := fsTypeToStringSet(scc.Volumes) - - // assume a nil volume slice is allowing everything for backwards compatibility - if defaultAllowedVolumes == nil { + var defaultAllowedVolumes sets.String + switch { + case scc.Volumes == nil: + // assume a nil volume slice is allowing everything for backwards compatibility defaultAllowedVolumes = sets.NewString(string(FSTypeAll)) + + case len(scc.Volumes) == 0 && scc.AllowHostDirVolumePlugin: + // an empty volume slice means "allow no volumes", but the boolean fields will always take precedence. + defaultAllowedVolumes = sets.NewString(string(FSTypeHostPath)) + + case len(scc.Volumes) == 0 && !scc.AllowHostDirVolumePlugin: + // an empty volume slice means "allow no volumes", but cannot be persisted in protobuf. + // convert this to volumes:["none"] + defaultAllowedVolumes = sets.NewString(string(FSTypeNone)) + + default: + // defaults the volume slice of the SCC. + // In order to support old clients the boolean fields will always take precedence. + defaultAllowedVolumes = fsTypeToStringSet(scc.Volumes) } if scc.AllowHostDirVolumePlugin { diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/types.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/types.go index 5d58341ff836..1ff0eea9683c 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/types.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/pkg/api/v1/types.go @@ -4451,7 +4451,8 @@ type SecurityContextConstraints struct { // +k8s:conversion-gen=false AllowHostDirVolumePlugin bool `json:"allowHostDirVolumePlugin" protobuf:"varint,7,opt,name=allowHostDirVolumePlugin"` // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names - // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use '*'. + // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". + // To allow no volumes, set to ["none"]. Volumes []FSType `json:"volumes" protobuf:"bytes,8,rep,name=volumes,casttype=FSType"` // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. AllowHostNetwork bool `json:"allowHostNetwork" protobuf:"varint,9,opt,name=allowHostNetwork"` @@ -4513,6 +4514,7 @@ var ( FSTypeFC FSType = "fc" FSTypeConfigMap FSType = "configMap" FSTypeAll FSType = "*" + FSTypeNone FSType = "none" ) // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.