From b79d7235cfb8b7e0f1fe471d95fa63ca2be6a763 Mon Sep 17 00:00:00 2001
From: Slava Semushin
Date: Fri, 9 Jun 2017 16:16:40 +0200
Subject: [PATCH] When sorting SCCs by restrictions don't add a score if SCC allows volumes of projected type.
---
pkg/security/scc/byrestrictions.go | 14 +++++++-------
pkg/security/scc/byrestrictions_test.go | 12 ++++++++++++
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/pkg/security/scc/byrestrictions.go b/pkg/security/scc/byrestrictions.go
index 18bab9b235ba..736352f97efb 100644
--- a/pkg/security/scc/byrestrictions.go
+++ b/pkg/security/scc/byrestrictions.go
@@ -49,11 +49,11 @@ func pointValue(constraint *kapi.SecurityContextConstraints) int {
 return points
 }
 
-// allowsHostPathVolume returns a score based on the volumes allowed by the SCC.
-// Allowing a host volume wil return a score of 10. Allowance of anything other
-// than kapi.FSTypeSecret, kapi.FSTypeConfigMap, kapi.FSTypeConfigMap, kapi.FSTypeDownwardAPI
-// will result in a score of 5. If the SCC only allows kapi.FSTypeSecret, kapi.FSTypeConfigMap,
-// kapi.FSTypeEmptyDir, kapi.FSTypeDownwardAPI it will have a score of 0.
+// volumePointValue returns a score based on the volumes allowed by the SCC.
+// Allowing a host volume will return a score of 10. Allowance of anything other
+// than Secret, ConfigMap, EmptyDir, DownwardAPI, Projected, and None will result in
+// a score of 5. If the SCC only allows these trivial types, it will have a
+// score of 0.
 func volumePointValue(scc *kapi.SecurityContextConstraints) int {
 hasHostVolume := false
 hasNonTrivialVolume := false
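Review bot: The rewritten doc comment now lists Projected among the trivial volume types but gives no reason, so a later reader cannot tell whether that was a deliberate judgement or an oversight; the `case` list in the next hunk has the same gap. Suggest one more line after `// score of 0.`: `// Projected is treated as trivial because its sources (Secret, ConfigMap, DownwardAPI at the time of writing) are themselves trivial types.` That justification is also the caveat worth recording: the score is assigned per volume plugin, not per projected source, so if the projected volume ever gains a source outside the trivial set an SCC allowing it would still be scored as if it permitted only trivial volumes — a short NOTE asking whoever extends the trivial list to re-check this would keep the sort order honest. The body of volumePointValue continues past the end of this hunk.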
@@ -66,8 +66,8 @@ func volumePointValue(scc *kapi.SecurityContextConstraints) int {
 // it is easier to specifically list the trivial volumes and allow the
 // default case to be non-trivial so we don't have to worry about adding
 // volumes in the future unless they're trivial.
- case kapi.FSTypeSecret, kapi.FSTypeConfigMap,
- kapi.FSTypeEmptyDir, kapi.FSTypeDownwardAPI, kapi.FSTypeNone:
+ case kapi.FSTypeSecret, kapi.FSTypeConfigMap, kapi.FSTypeEmptyDir,
+ kapi.FSTypeDownwardAPI, kapi.FSProjected, kapi.FSTypeNone:
 // do nothing
 default:
 hasNonTrivialVolume = true
diff --git a/pkg/security/scc/byrestrictions_test.go b/pkg/security/scc/byrestrictions_test.go
index 1156ff1b3604..ac31e08c92ee 100644
--- a/pkg/security/scc/byrestrictions_test.go
+++ b/pkg/security/scc/byrestrictions_test.go
@@ -144,6 +144,18 @@ func TestVolumePointValue(t *testing.T) {
 },
 expectedPoints: 0,
 },
+ "trivial - projected": {
+ scc: &kapi.SecurityContextConstraints{
+ Volumes: []kapi.FSType{kapi.FSProjected},
+ },
+ expectedPoints: 0,
+ },
+ "trivial - none": {
+ scc: &kapi.SecurityContextConstraints{
+ Volumes: []kapi.FSType{kapi.FSTypeNone},
+ },
+ expectedPoints: 0,
+ },
 "no volumes allowed": {
 scc: newSCC(false, false, false),
 expectedPoints: 0,
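Review bot: The two new table entries check projected and none only in isolation, so nothing verifies that a projected entry listed alongside a non-trivial type does not mask that type's score, which is the case an SCC in the wild will actually hit. A mixed entry pins the intended behaviour, e.g. `"trivial plus host volume": {scc: &kapi.SecurityContextConstraints{Volumes: []kapi.FSType{kapi.FSProjected, kapi.FSTypeHostPath}}, expectedPoints: 10},` where 10 follows from the doc comment in byrestrictions.go; if the table already has a preferred non-trivial constant, use that one. The rest of TestVolumePointValue's table lies outside this hunk, so it may already contain such a case — if so, ignore this.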