Merge pull request #11075 from sdminonne/SCC_check_API_REST

Merged by openshift-bot

Author: OpenShift Bot

api/swagger-spec/oapi-v1.json

@@ -23,6 +23,7 @@ import (
 	quotaapi "github.com/openshift/origin/pkg/quota/api"
 	routeapi "github.com/openshift/origin/pkg/route/api"
 	sdnapi "github.com/openshift/origin/pkg/sdn/api"
+	securityapi "github.com/openshift/origin/pkg/security/api"
 	templateapi "github.com/openshift/origin/pkg/template/api"
 	userapi "github.com/openshift/origin/pkg/user/api"
 )
@@ -38,6 +39,7 @@ var (
 	certificatesGroup = certificates.GroupName
 	extensionsGroup   = extensions.GroupName
 	policyGroup       = policy.GroupName
+	securityGroup     = securityapi.GroupName
 	storageGroup      = storage.GroupName
 	authzGroup        = authorizationapi.GroupName
 	buildGroup        = buildapi.GroupName
@@ -165,6 +167,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 				authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "resourceaccessreviews",
 					"selfsubjectrulesreviews", "subjectaccessreviews").RuleOrDie(),
 				authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(),
+				// permissions to check PSP, these creates are non-mutating
+				authorizationapi.NewRule("create").Groups(securityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(),
 				// Allow read access to node metrics
 				authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource).RuleOrDie(),
 				// Allow read access to stats
@@ -238,6 +242,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 
 				authorizationapi.NewRule(readWrite...).Groups(authzGroup).Resources("roles", "rolebindings").RuleOrDie(),
 				authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews").RuleOrDie(),
+				authorizationapi.NewRule("create").Groups(securityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(),
 				authorizationapi.NewRule(read...).Groups(authzGroup).Resources("policies", "policybindings").RuleOrDie(),
 
 				authorizationapi.NewRule(readWrite...).Groups(buildGroup).Resources("builds", "buildconfigs", "buildconfigs/webhooks").RuleOrDie(),

api/swagger-spec/openshift-openapi-spec.json

@@ -27,6 +27,7 @@ import (
 	"k8s.io/kubernetes/pkg/apiserver"
 	"k8s.io/kubernetes/pkg/client/restclient"
 	kclient "k8s.io/kubernetes/pkg/client/unversioned"
+	clientadapter "k8s.io/kubernetes/pkg/client/unversioned/adapters/internalclientset"
 	"k8s.io/kubernetes/pkg/genericapiserver"
 	"k8s.io/kubernetes/pkg/genericapiserver/openapi"
 	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
@@ -116,6 +117,10 @@ import (
 	"github.com/openshift/origin/pkg/authorization/registry/subjectaccessreview"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	routeplugin "github.com/openshift/origin/pkg/route/allocation/simple"
+	"github.com/openshift/origin/pkg/security/registry/podsecuritypolicyreview"
+	"github.com/openshift/origin/pkg/security/registry/podsecuritypolicyselfsubjectreview"
+	"github.com/openshift/origin/pkg/security/registry/podsecuritypolicysubjectreview"
+	oscc "github.com/openshift/origin/pkg/security/scc"
 )
 
 const (
@@ -549,6 +554,10 @@ func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
 	resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
 	localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
 
+	podSecurityPolicyReviewStorage := podsecuritypolicyreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
+	podSecurityPolicySubjectStorage := podsecuritypolicysubjectreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
+	podSecurityPolicySelfSubjectReviewStorage := podsecuritypolicyselfsubjectreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
+
 	imageStorage, err := imageetcd.NewREST(c.RESTOptionsGetter)
 	checkStorageErr(err)
 	imageRegistry := image.NewRegistry(imageStorage)
@@ -692,6 +701,10 @@ func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
 		"localResourceAccessReviews": localResourceAccessReviewStorage,
 		"selfSubjectRulesReviews":    selfSubjectRulesReviewStorage,
 
+		"podSecurityPolicyReviews":            podSecurityPolicyReviewStorage,
+		"podSecurityPolicySubjectReviews":     podSecurityPolicySubjectStorage,
+		"podSecurityPolicySelfSubjectReviews": podSecurityPolicySelfSubjectReviewStorage,
+
 		"policies":       policyStorage,
 		"policyBindings": policyBindingStorage,
 		"roles":          roleStorage,

pkg/cmd/server/bootstrappolicy/policy.go

@@ -16,6 +16,7 @@ import (
 
 	oscache "github.com/openshift/origin/pkg/client/cache"
 	allocator "github.com/openshift/origin/pkg/security"
+	admissiontesting "github.com/openshift/origin/pkg/security/admission/testing"
 	oscc "github.com/openshift/origin/pkg/security/scc"
 )
 
@@ -129,8 +130,8 @@ func TestAdmitCaps(t *testing.T) {
 }
 
 func testSCCAdmit(testCaseName string, sccs []*kapi.SecurityContextConstraints, pod *kapi.Pod, shouldPass bool, t *testing.T) {
-	namespace := createNamespaceForTest()
-	serviceAccount := createSAForTest()
+	namespace := admissiontesting.CreateNamespaceForTest()
+	serviceAccount := admissiontesting.CreateSAForTest()
 	tc := clientsetfake.NewSimpleClientset(namespace, serviceAccount)
 	cache := &oscache.IndexerToSecurityContextConstraintsLister{
 		Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc,
@@ -155,8 +156,8 @@ func testSCCAdmit(testCaseName string, sccs []*kapi.SecurityContextConstraints,
 
 func TestAdmit(t *testing.T) {
 	// create the annotated namespace and add it to the fake client
-	namespace := createNamespaceForTest()
-	serviceAccount := createSAForTest()
+	namespace := admissiontesting.CreateNamespaceForTest()
+	serviceAccount := admissiontesting.CreateSAForTest()
 
 	// used for cases where things are preallocated
 	defaultGroup := int64(2)
@@ -898,8 +899,8 @@ func TestAdmitWithPrioritizedSCC(t *testing.T) {
 	// SCCs and ensure that they come out with the right annotation.  This means admission
 	// is using the sort strategy we expect.
 
-	namespace := createNamespaceForTest()
-	serviceAccount := createSAForTest()
+	namespace := admissiontesting.CreateNamespaceForTest()
+	serviceAccount := admissiontesting.CreateSAForTest()
 	serviceAccount.Namespace = namespace.Name
 	tc := clientsetfake.NewSimpleClientset(namespace, serviceAccount)
 
@@ -1112,28 +1113,6 @@ func restrictiveSCC() *kapi.SecurityContextConstraints {
 	}
 }
 
-func createNamespaceForTest() *kapi.Namespace {
-	return &kapi.Namespace{
-		ObjectMeta: kapi.ObjectMeta{
-			Name: "default",
-			Annotations: map[string]string{
-				allocator.UIDRangeAnnotation:           "1/3",
-				allocator.MCSAnnotation:                "s0:c1,c0",
-				allocator.SupplementalGroupsAnnotation: "2/3",
-			},
-		},
-	}
-}
-
-func createSAForTest() *kapi.ServiceAccount {
-	return &kapi.ServiceAccount{
-		ObjectMeta: kapi.ObjectMeta{
-			Name:      "default",
-			Namespace: "default",
-		},
-	}
-}
-
 // goodPod is empty and should not be used directly for testing since we're providing
 // two different SCCs.  Since no values are specified it would be allowed to match any
 // SCC when defaults are filled in.

pkg/cmd/server/origin/master.go

@@ -0,0 +1,60 @@
+package testing
+
+import (
+	kapi "k8s.io/kubernetes/pkg/api"
+
+	allocator "github.com/openshift/origin/pkg/security"
+)
+
+// CreateSAForTest Build and Initializes a ServiceAccount for tests
+func CreateSAForTest() *kapi.ServiceAccount {
+	return &kapi.ServiceAccount{
+		ObjectMeta: kapi.ObjectMeta{
+			Name:      "default",
+			Namespace: "default",
+		},
+	}
+}
+
+// CreateNamespaceForTest builds and initializes a Namespaces for tests
+func CreateNamespaceForTest() *kapi.Namespace {
+	return &kapi.Namespace{
+		ObjectMeta: kapi.ObjectMeta{
+			Name: "default",
+			Annotations: map[string]string{
+				allocator.UIDRangeAnnotation:           "1/3",
+				allocator.MCSAnnotation:                "s0:c1,c0",
+				allocator.SupplementalGroupsAnnotation: "2/3",
+			},
+		},
+	}
+}
+
+// UserScc creates a SCC for a given user name
+func UserScc(user string) *kapi.SecurityContextConstraints {
+	var uid int64 = 9999
+	fsGroup := int64(1)
+	return &kapi.SecurityContextConstraints{
+		ObjectMeta: kapi.ObjectMeta{
+			SelfLink: "/api/version/securitycontextconstraints/" + user,
+			Name:     user,
+		},
+		Users: []string{user},
+		SELinuxContext: kapi.SELinuxContextStrategyOptions{
+			Type: kapi.SELinuxStrategyRunAsAny,
+		},
+		RunAsUser: kapi.RunAsUserStrategyOptions{
+			Type: kapi.RunAsUserStrategyMustRunAs,
+			UID:  &uid,
+		},
+		FSGroup: kapi.FSGroupStrategyOptions{
+			Type: kapi.FSGroupStrategyMustRunAs,
+			Ranges: []kapi.IDRange{
+				{Min: fsGroup, Max: fsGroup},
+			},
+		},
+		SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{
+			Type: kapi.SupplementalGroupsStrategyRunAsAny,
+		},
+	}
+}

pkg/security/admission/admission_test.go

@@ -0,0 +1,130 @@
+package podsecuritypolicyreview
+
+import (
+	"fmt"
+	"sort"
+
+	"github.com/golang/glog"
+
+	kapi "k8s.io/kubernetes/pkg/api"
+	kapierrors "k8s.io/kubernetes/pkg/api/errors"
+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	"k8s.io/kubernetes/pkg/runtime"
+	kscc "k8s.io/kubernetes/pkg/securitycontextconstraints"
+	"k8s.io/kubernetes/pkg/serviceaccount"
+	kerrors "k8s.io/kubernetes/pkg/util/errors"
+
+	securityapi "github.com/openshift/origin/pkg/security/api"
+	securityvalidation "github.com/openshift/origin/pkg/security/api/validation"
+	"github.com/openshift/origin/pkg/security/registry/podsecuritypolicysubjectreview"
+	oscc "github.com/openshift/origin/pkg/security/scc"
+)
+
+// REST implements the RESTStorage interface in terms of an Registry.
+type REST struct {
+	sccMatcher oscc.SCCMatcher
+	client     clientset.Interface
+}
+
+// NewREST creates a new REST for policies..
+func NewREST(m oscc.SCCMatcher, c clientset.Interface) *REST {
+	return &REST{sccMatcher: m, client: c}
+}
+
+// New creates a new PodSecurityPolicyReview object
+func (r *REST) New() runtime.Object {
+	return &securityapi.PodSecurityPolicyReview{}
+}
+
+// Create registers a given new PodSecurityPolicyReview instance to r.registry.
+func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
+	pspr, ok := obj.(*securityapi.PodSecurityPolicyReview)
+	if !ok {
+		return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a PodSecurityPolicyReview: %#v", obj))
+	}
+	if errs := securityvalidation.ValidatePodSecurityPolicyReview(pspr); len(errs) > 0 {
+		return nil, kapierrors.NewInvalid(kapi.Kind("PodSecurityPolicyReview"), "", errs)
+	}
+	ns, ok := kapi.NamespaceFrom(ctx)
+	if !ok {
+		return nil, kapierrors.NewBadRequest("namespace parameter required.")
+	}
+	serviceAccounts, err := getServiceAccounts(pspr.Spec, r.client, ns)
+	if err != nil {
+		return nil, kapierrors.NewBadRequest(err.Error())
+	}
+
+	if len(serviceAccounts) == 0 {
+		glog.Errorf("No service accounts for namespace %s", ns)
+		return nil, kapierrors.NewBadRequest(fmt.Sprintf("unable to find ServiceAccount for namespace: %s", ns))
+	}
+
+	errs := []error{}
+	newStatus := securityapi.PodSecurityPolicyReviewStatus{}
+	for _, sa := range serviceAccounts {
+		userInfo := serviceaccount.UserInfo(ns, sa.Name, "")
+		saConstraints, err := r.sccMatcher.FindApplicableSCCs(userInfo)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("unable to find SecurityContextConstraints for ServiceAccount %s: %v", sa.Name, err))
+			continue
+		}
+		oscc.DeduplicateSecurityContextConstraints(saConstraints)
+		sort.Sort(oscc.ByPriority(saConstraints))
+		var namespace *kapi.Namespace
+		for _, constraint := range saConstraints {
+			var (
+				provider kscc.SecurityContextConstraintsProvider
+				err      error
+			)
+			pspsrs := securityapi.PodSecurityPolicySubjectReviewStatus{}
+			if provider, namespace, err = oscc.CreateProviderFromConstraint(ns, namespace, constraint, r.client); err != nil {
+				errs = append(errs, fmt.Errorf("unable to create provider for service account %s: %v", sa.Name, err))
+				continue
+			}
+			_, err = podsecuritypolicysubjectreview.FillPodSecurityPolicySubjectReviewStatus(&pspsrs, provider, pspr.Spec.Template.Spec, constraint)
+			if err != nil {
+				glog.Errorf("unable to fill PodSecurityPolicyReviewStatus from constraint %v", err)
+				continue
+			}
+			sapsprs := securityapi.ServiceAccountPodSecurityPolicyReviewStatus{pspsrs, sa.Name}
+			newStatus.AllowedServiceAccounts = append(newStatus.AllowedServiceAccounts, sapsprs)
+		}
+	}
+	if len(errs) > 0 {
+		return nil, kapierrors.NewBadRequest(fmt.Sprintf("%s", kerrors.NewAggregate(errs)))
+	}
+	pspr.Status = newStatus
+	return pspr, nil
+}
+
+func getServiceAccounts(psprSpec securityapi.PodSecurityPolicyReviewSpec, client clientset.Interface, namespace string) ([]*kapi.ServiceAccount, error) {
+	serviceAccounts := []*kapi.ServiceAccount{}
+	//  TODO: express 'all service accounts'
+	//if serviceAccountList, err := client.Core().ServiceAccounts(namespace).List(kapi.ListOptions{}); err == nil {
+	//	serviceAccounts = serviceAccountList.Items
+	//	return serviceAccounts, fmt.Errorf("unable to retrieve service accounts: %v", err)
+	//}
+
+	if len(psprSpec.ServiceAccountNames) > 0 {
+		errs := []error{}
+		for _, saName := range psprSpec.ServiceAccountNames {
+			// TODO: use cache as soon ServiceAccount informer is ready
+			sa, err := client.Core().ServiceAccounts(namespace).Get(saName)
+			if err != nil {
+				errs = append(errs, fmt.Errorf("unable to retrieve ServiceAccount %s: %v", saName, err))
+			}
+			serviceAccounts = append(serviceAccounts, sa)
+		}
+		return serviceAccounts, kerrors.NewAggregate(errs)
+	}
+	saName := "default"
+	if len(psprSpec.Template.Spec.ServiceAccountName) > 0 {
+		saName = psprSpec.Template.Spec.ServiceAccountName
+	}
+	sa, err := client.Core().ServiceAccounts(namespace).Get(saName)
+	if err != nil {
+		return serviceAccounts, fmt.Errorf("unable to retrieve ServiceAccount %s: %v", saName, err)
+	}
+	serviceAccounts = append(serviceAccounts, sa)
+	return serviceAccounts, nil
+}