Make space in the point logic for capabilities accounting.

Author: adelton

Diff for: pkg/security/scc/byrestrictions.go

@@ -22,7 +22,7 @@ func pointValue(constraint *kapi.SecurityContextConstraints) int {
 
 	// make sure these are always valued higher than the combination of the highest strategies
 	if constraint.AllowPrivilegedContainer {
-		points += 20
+		points += 200000
 	}
 
 	// add points based on volume requests
@@ -31,28 +31,28 @@ func pointValue(constraint *kapi.SecurityContextConstraints) int {
 	// strategies in order of least restrictive to most restrictive
 	switch constraint.SELinuxContext.Type {
 	case kapi.SELinuxStrategyRunAsAny:
-		points += 4
+		points += 40000
 	case kapi.SELinuxStrategyMustRunAs:
-		points += 1
+		points += 10000
 	}
 
 	switch constraint.RunAsUser.Type {
 	case kapi.RunAsUserStrategyRunAsAny:
-		points += 4
+		points += 40000
 	case kapi.RunAsUserStrategyMustRunAsNonRoot:
-		points += 3
+		points += 30000
 	case kapi.RunAsUserStrategyMustRunAsRange:
-		points += 2
+		points += 20000
 	case kapi.RunAsUserStrategyMustRunAs:
-		points += 1
+		points += 10000
 	}
 	return points
 }
 
 // volumePointValue returns a score based on the volumes allowed by the SCC.
-// Allowing a host volume will return a score of 10.  Allowance of anything other
+// Allowing a host volume will return a score of 100000.  Allowance of anything other
 // than Secret, ConfigMap, EmptyDir, DownwardAPI, Projected, and None will result in
-// a score of 5.  If the SCC only allows these trivial types, it will have a
+// a score of 50000.  If the SCC only allows these trivial types, it will have a
 // score of 0.
 func volumePointValue(scc *kapi.SecurityContextConstraints) int {
 	hasHostVolume := false
@@ -75,10 +75,10 @@ func volumePointValue(scc *kapi.SecurityContextConstraints) int {
 	}
 
 	if hasHostVolume {
-		return 10
+		return 100000
 	}
 	if hasNonTrivialVolume {
-		return 5
+		return 50000
 	}
 	return 0
 }

Diff for: pkg/security/scc/byrestrictions_test.go

@@ -24,17 +24,17 @@ func TestPointValue(t *testing.T) {
 	}
 
 	seLinuxStrategies := map[kapi.SELinuxContextStrategyType]int{
-		kapi.SELinuxStrategyRunAsAny:  4,
-		kapi.SELinuxStrategyMustRunAs: 1,
+		kapi.SELinuxStrategyRunAsAny:  40000,
+		kapi.SELinuxStrategyMustRunAs: 10000,
 	}
 	userStrategies := map[kapi.RunAsUserStrategyType]int{
-		kapi.RunAsUserStrategyRunAsAny:         4,
-		kapi.RunAsUserStrategyMustRunAsNonRoot: 3,
-		kapi.RunAsUserStrategyMustRunAsRange:   2,
-		kapi.RunAsUserStrategyMustRunAs:        1,
+		kapi.RunAsUserStrategyRunAsAny:         40000,
+		kapi.RunAsUserStrategyMustRunAsNonRoot: 30000,
+		kapi.RunAsUserStrategyMustRunAsRange:   20000,
+		kapi.RunAsUserStrategyMustRunAs:        10000,
 	}
 
-	privilegedPoints := 20
+	privilegedPoints := 200000
 
 	// run through all combos of user strategy + seLinux strategy + priv
 	for userStrategy, userStrategyPoints := range userStrategies {
@@ -61,7 +61,7 @@ func TestPointValue(t *testing.T) {
 	scc := newSCC(false, kapi.SELinuxStrategyMustRunAs, kapi.RunAsUserStrategyMustRunAs)
 	scc.Volumes = []kapi.FSType{kapi.FSTypeHostPath}
 	actualPoints := pointValue(scc)
-	if actualPoints != 12 { //1 (SELinux) + 1 (User) + 10 (host path volume)
+	if actualPoints != 120000 { //10000 (SELinux) + 10000 (User) + 100000 (host path volume)
 		t.Errorf("volume score was not added to the scc point value correctly!")
 	}
 }
@@ -94,27 +94,27 @@ func TestVolumePointValue(t *testing.T) {
 	}{
 		"all volumes": {
 			scc:            allowAllSCC,
-			expectedPoints: 10,
+			expectedPoints: 100000,
 		},
 		"host volume": {
 			scc:            newSCC(true, false, false),
-			expectedPoints: 10,
+			expectedPoints: 100000,
 		},
 		"host volume and non trivial volumes": {
 			scc:            newSCC(true, true, false),
-			expectedPoints: 10,
+			expectedPoints: 100000,
 		},
 		"host volume, non trivial, and trivial": {
 			scc:            newSCC(true, true, true),
-			expectedPoints: 10,
+			expectedPoints: 100000,
 		},
 		"non trivial": {
 			scc:            newSCC(false, true, false),
-			expectedPoints: 5,
+			expectedPoints: 50000,
 		},
 		"non trivial and trivial": {
 			scc:            newSCC(false, true, true),
-			expectedPoints: 5,
+			expectedPoints: 50000,
 		},
 		"trivial": {
 			scc:            newSCC(false, false, true),