Merge pull request #19542 from enj/enj/i/psp_review_groupified_fix/1572562

Correctly handle legacy ungroupified PSP review resources

Author: openshift-merge-robot

pkg/api/legacygroupification/groupification.go

@@ -106,7 +106,10 @@ func OAPIToGroupified(uncast runtime.Object, gvk *schema.GroupVersionKind) {
 	case *route.Route, *routev1.Route, *route.RouteList, *routev1.RouteList:
 		gvk.Group = route.GroupName
 
-	case *security.SecurityContextConstraints, *securityv1.SecurityContextConstraints, *security.SecurityContextConstraintsList, *securityv1.SecurityContextConstraintsList:
+	case *security.SecurityContextConstraints, *securityv1.SecurityContextConstraints, *security.SecurityContextConstraintsList, *securityv1.SecurityContextConstraintsList,
+		*security.PodSecurityPolicySubjectReview, *securityv1.PodSecurityPolicySubjectReview,
+		*security.PodSecurityPolicySelfSubjectReview, *securityv1.PodSecurityPolicySelfSubjectReview,
+		*security.PodSecurityPolicyReview, *securityv1.PodSecurityPolicyReview:
 		gvk.Group = security.GroupName
 
 	case *template.Template, *templatev1.Template, *template.TemplateList, *templatev1.TemplateList:
@@ -150,8 +153,11 @@ var oapiKindsToGroup = map[string]string{
 	"ProjectRequest":       "project.openshift.io",
 	"ClusterResourceQuota": "quota.openshift.io", "ClusterResourceQuotaList": "quota.openshift.io",
 	"Route": "route.openshift.io", "RouteList": "route.openshift.io",
-	"SecurityContextConstraint": "security.openshift.io", "SecurityContextConstraintList": "security.openshift.io",
-	"Template": "template.openshift.io", "TemplateList": "template.openshift.io",
+	"SecurityContextConstraints": "security.openshift.io", "SecurityContextConstraintsList": "security.openshift.io",
+	"PodSecurityPolicySubjectReview":     "security.openshift.io",
+	"PodSecurityPolicySelfSubjectReview": "security.openshift.io",
+	"PodSecurityPolicyReview":            "security.openshift.io",
+	"Template":                           "template.openshift.io", "TemplateList": "template.openshift.io",
 	"Group": "user.openshift.io", "GroupList": "user.openshift.io",
 	"Identity": "user.openshift.io", "IdentityList": "user.openshift.io",
 	"UserIdentityMapping": "user.openshift.io",

test/cmd/policy.sh

@@ -207,6 +207,8 @@ os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/tes
 # Since SCCs are now authorized via RBAC, and system:admin can perform all RBAC actions == system:admin can access all SCCs now
 # Thus the following command now results in the use of the hostnetwork SCC which is the most restrictive SCC that still allows the pod to run
 os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/nginx_pod.yaml -o=jsonpath={.status.AllowedBy.name}' 'hostnetwork'
+# Make sure that the legacy ungroupified objects continue to work by directly doing a create
+os::cmd::expect_success_and_text 'oc create -f ${OS_ROOT}/test/testdata/legacy_ungroupified_psp_review.yaml -o=jsonpath={.status.allowedBy.name}' 'restricted'
 os::cmd::expect_success "oc login -u bob -p bobpassword"
 os::cmd::expect_success_and_text 'oc whoami' 'bob'
 os::cmd::expect_success 'oc new-project policy-second'

test/testdata/legacy_ungroupified_psp_review.yaml

@@ -0,0 +1,30 @@
+kind: PodSecurityPolicySubjectReview
+apiVersion: v1  # Must have the empty string group
+spec:
+  template:
+    spec:
+      containers:
+      - name: hello-openshift
+        image: hello-openshift
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        resources: {}
+        volumeMounts:
+        - name: tmp
+          mountPath: "/tmp"
+        terminationMessagePath: "/dev/termination-log"
+        terminationMessagePolicy: FallbackToLogsOnError
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          capabilities: {}
+          privileged: false
+      volumes:
+      - name: tmp
+        emptyDir: {}
+      restartPolicy: Always
+      dnsPolicy: ClusterFirst
+      serviceAccountName: default
+  user: user1
+  groups:
+  - system:authenticated