PSP reviews: client

Author: sdminonne

Diff for: pkg/client/client.go

@@ -295,6 +295,18 @@ func (c *Client) RoleBindingRestrictions(namespace string) RoleBindingRestrictio
 	return newRoleBindingRestrictions(c, namespace)
 }
 
+func (c *Client) PodSecurityPolicyReviews(namespace string) PodSecurityPolicyReviewInterface {
+	return newPodSecurityPolicyReviews(c, namespace)
+}
+
+func (c *Client) PodSecurityPolicySelfSubjectReviews(namespace string) PodSecurityPolicySelfSubjectReviewInterface {
+	return newPodSecurityPolicySelfSubjectReviews(c, namespace)
+}
+
+func (c *Client) PodSecurityPolicySubjectReviews(namespace string) PodSecurityPolicySubjectReviewInterface {
+	return newPodSecurityPolicySubjectReviews(c, namespace)
+}
+
 // Client is an OpenShift client object
 type Client struct {
 	*restclient.RESTClient

Diff for: pkg/client/podsecuritypolicyreview.go

@@ -0,0 +1,34 @@
+package client
+
+import securityapi "github.com/openshift/origin/pkg/security/api"
+
+// PodSecurityPolicyReviewsNamespacer has methods to work with PodSecurityPolicyReview resources in the cluster scope
+type PodSecurityPolicyReviewsNamespacer interface {
+	PodSecurityPolicyReviews(namespace string) PodSecurityPolicyReviewInterface
+}
+
+// PodSecurityPolicyReviewInterface exposes methods on PodSecurityPolicyReview resources.
+type PodSecurityPolicyReviewInterface interface {
+	Create(policy *securityapi.PodSecurityPolicyReview) (*securityapi.PodSecurityPolicyReview, error)
+}
+
+// podSecurityPolicyReviews implements PodSecurityPolicyReviewsNamespacer interface
+type podSecurityPolicyReviews struct {
+	c  *Client
+	ns string
+}
+
+// newPodSecurityPolicyReviews returns a podSecurityPolicyReviews
+func newPodSecurityPolicyReviews(c *Client, namespace string) *podSecurityPolicyReviews {
+	return &podSecurityPolicyReviews{
+		c:  c,
+		ns: namespace,
+	}
+}
+
+// Create creates a PodSecurityPolicyReview
+func (p *podSecurityPolicyReviews) Create(pspr *securityapi.PodSecurityPolicyReview) (result *securityapi.PodSecurityPolicyReview, err error) {
+	result = &securityapi.PodSecurityPolicyReview{}
+	err = p.c.Post().Namespace(p.ns).Resource("podSecurityPolicyReviews").Body(pspr).Do().Into(result)
+	return
+}

Diff for: pkg/client/podsecuritypolicysubjectreview.go

@@ -0,0 +1,61 @@
+package client
+
+import securityapi "github.com/openshift/origin/pkg/security/api"
+
+// PodSecurityPolicySubjectReviewsNamespacer has methods to work with PodSecurityPolicySubjectReview resources in the cluster scope
+type PodSecurityPolicySubjectReviewsNamespacer interface {
+	PodSecurityPolicySubjectReviews(namespace string) PodSecurityPolicySubjectReviewInterface
+}
+
+// PodSecurityPolicySubjectReviewInterface exposes methods on PodSecurityPolicySubjectReview resources.
+type PodSecurityPolicySubjectReviewInterface interface {
+	Create(policy *securityapi.PodSecurityPolicySubjectReview) (*securityapi.PodSecurityPolicySubjectReview, error)
+}
+
+// PodSecurityPolicySubjectReviews implements PodSecurityPolicySubjectReviews interface
+type podSecurityPolicySubjectReviews struct {
+	c  *Client
+	ns string
+}
+
+// newPodSecurityPolicySubjectReviews returns a PodSecurityPolicySubjectReviews
+func newPodSecurityPolicySubjectReviews(c *Client, namespace string) *podSecurityPolicySubjectReviews {
+	return &podSecurityPolicySubjectReviews{
+		c:  c,
+		ns: namespace,
+	}
+}
+
+func (p *podSecurityPolicySubjectReviews) Create(pspsr *securityapi.PodSecurityPolicySubjectReview) (result *securityapi.PodSecurityPolicySubjectReview, err error) {
+	result = &securityapi.PodSecurityPolicySubjectReview{}
+	err = p.c.Post().Namespace(p.ns).Resource("podSecurityPolicySubjectReviews").Body(pspsr).Do().Into(result)
+	return
+}
+
+// PodSecurityPolicySelfSubjectReviewsNamespacer has methods to work with PodSecurityPolicySelfSubjectReview resources in the cluster scope
+type PodSecurityPolicySelfSubjectReviewsNamespacer interface {
+	PodSecurityPolicySelfSubjectReviews(namespace string) PodSecurityPolicySelfSubjectReviewInterface
+}
+
+// PodSecurityPolicySelfSubjectReviewInterface exposes methods on PodSecurityPolicySelfSubjectReview resources.
+type PodSecurityPolicySelfSubjectReviewInterface interface {
+	Create(policy *securityapi.PodSecurityPolicySelfSubjectReview) (*securityapi.PodSecurityPolicySelfSubjectReview, error)
+}
+
+type podSecurityPolicySelfSubjectReviews struct {
+	c  *Client
+	ns string
+}
+
+func newPodSecurityPolicySelfSubjectReviews(c *Client, namespace string) *podSecurityPolicySelfSubjectReviews {
+	return &podSecurityPolicySelfSubjectReviews{
+		c:  c,
+		ns: namespace,
+	}
+}
+
+func (p *podSecurityPolicySelfSubjectReviews) Create(pspssr *securityapi.PodSecurityPolicySelfSubjectReview) (result *securityapi.PodSecurityPolicySelfSubjectReview, err error) {
+	result = &securityapi.PodSecurityPolicySelfSubjectReview{}
+	err = p.c.Post().Namespace(p.ns).Resource("podSecurityPolicySelfSubjectReviews").Body(pspssr).Do().Into(result)
+	return
+}

Diff for: pkg/client/testclient/fake_podsecuritypolicyreview.go

@@ -0,0 +1,25 @@
+package testclient
+
+import (
+	securityapi "github.com/openshift/origin/pkg/security/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/client/testing/core"
+)
+
+// FakePodSecurityPolicyReviews implements the PodSecurityPolicyReviews interface.
+// Meant to be embedded into a struct to get a default implementation.
+// This makes faking out just the methods you want to test easier.
+type FakePodSecurityPolicyReviews struct {
+	Fake      *Fake
+	Namespace string
+}
+
+var podSecurityPolicyReviewsResource = unversioned.GroupVersionResource{Group: "", Version: "", Resource: "podsecuritypolicyreviews"}
+
+func (c *FakePodSecurityPolicyReviews) Create(inObj *securityapi.PodSecurityPolicyReview) (*securityapi.PodSecurityPolicyReview, error) {
+	obj, err := c.Fake.Invokes(core.NewCreateAction(podSecurityPolicyReviewsResource, c.Namespace, inObj), &securityapi.PodSecurityPolicyReview{})
+	if cast, ok := obj.(*securityapi.PodSecurityPolicyReview); ok {
+		return cast, err
+	}
+	return nil, err
+}

Diff for: pkg/client/testclient/fake_podsecuritypolicysubjectreview.go

@@ -0,0 +1,43 @@
+package testclient
+
+import (
+	securityapi "github.com/openshift/origin/pkg/security/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/client/testing/core"
+)
+
+// FakePodSecurityPolicySubjectReviews implements the PodSecurityPolicySubjectReviews interface.
+// Meant to be embedded into a struct to get a default implementation.
+// This makes faking out just the methods you want to test easier.
+type FakePodSecurityPolicySubjectReviews struct {
+	Fake      *Fake
+	Namespace string
+}
+
+var podSecurityPolicySubjectReviewsResource = unversioned.GroupVersionResource{Group: "", Version: "", Resource: "podsecuritypolicysubjectreviews"}
+
+func (c *FakePodSecurityPolicySubjectReviews) Create(inObj *securityapi.PodSecurityPolicySubjectReview) (*securityapi.PodSecurityPolicySubjectReview, error) {
+	obj, err := c.Fake.Invokes(core.NewCreateAction(podSecurityPolicySubjectReviewsResource, c.Namespace, inObj), &securityapi.PodSecurityPolicySubjectReview{})
+	if cast, ok := obj.(*securityapi.PodSecurityPolicySubjectReview); ok {
+		return cast, err
+	}
+	return nil, err
+}
+
+// FakePodSecurityPolicySelfSubjectReviews implements the PodSecurityPolicySelfSubjectReviews interface.
+// Meant to be embedded into a struct to get a default implementation.
+// This makes faking out just the methods you want to test easier.
+type FakePodSecurityPolicySelfSubjectReviews struct {
+	Fake      *Fake
+	Namespace string
+}
+
+var podSecurityPolicySelfSubjectReviewsResource = unversioned.GroupVersionResource{Group: "", Version: "", Resource: "podsecuritypolicyselfsubjectreviews"}
+
+func (c *FakePodSecurityPolicySelfSubjectReviews) Create(inObj *securityapi.PodSecurityPolicySelfSubjectReview) (*securityapi.PodSecurityPolicySelfSubjectReview, error) {
+	obj, err := c.Fake.Invokes(core.NewCreateAction(podSecurityPolicySelfSubjectReviewsResource, c.Namespace, inObj), &securityapi.PodSecurityPolicySelfSubjectReview{})
+	if cast, ok := obj.(*securityapi.PodSecurityPolicySelfSubjectReview); ok {
+		return cast, err
+	}
+	return nil, err
+}

Diff for: pkg/cmd/admin/policy/policy.go

@@ -45,6 +45,8 @@ func NewCmdPolicy(name, fullName string, f *clientcmd.Factory, out, errout io.Wr
 			Message: "Discover:",
 			Commands: []*cobra.Command{
 				NewCmdWhoCan(WhoCanRecommendedName, fullName+" "+WhoCanRecommendedName, f, out),
+				NewCmdSccSubjectReview(SubjectReviewRecommendedName, fullName+" "+SubjectReviewRecommendedName, f, out),
+				NewCmdSccReview(ReviewRecommendedName, fullName+" "+ReviewRecommendedName, f, out),
 			},
 		},
 		{

Diff for: pkg/cmd/admin/policy/review.go

@@ -0,0 +1,195 @@
+package policy
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/spf13/cobra"
+
+	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/meta"
+	"k8s.io/kubernetes/pkg/apis/apps"
+	"k8s.io/kubernetes/pkg/kubectl"
+	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
+	"k8s.io/kubernetes/pkg/kubectl/resource"
+	"k8s.io/kubernetes/pkg/runtime"
+	utilerrors "k8s.io/kubernetes/pkg/util/errors"
+
+	ometa "github.com/openshift/origin/pkg/api/meta"
+	"github.com/openshift/origin/pkg/client"
+	"github.com/openshift/origin/pkg/cmd/cli/describe"
+	"github.com/openshift/origin/pkg/cmd/templates"
+	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
+	securityapi "github.com/openshift/origin/pkg/security/api"
+)
+
+var (
+	reviewLong = templates.LongDesc(`Checks which Service Account can create a Pod.
+	The Pod is inferred from the PodTemplateSpec in the provided resource.
+	If no Service Account is provided the one specified in podTemplateSpec.spec.serviceAccountName is used,
+	unless it is empty, in which case "default" is used.
+	If Service Accounts are provided the podTemplateSpec.spec.serviceAccountName is ignored.
+	`)
+	reviewExamples = templates.Examples(`# Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my_resource.yaml
+	# Service Account specified in myresource.yaml file is ignored
+	$ %[1]s -s sa1,sa2 -f my_resource.yaml
+	
+	# Check whether Service Account specified in my_resource_with_sa.yaml can admit the Pod
+	$ %[1]s -f my_resource_with_sa.yaml
+	
+	# Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource_with_no_sa.yaml
+	$  %[1]s -f myresource_with_no_sa.yaml
+	`)
+)
+
+const ReviewRecommendedName = "scc-review"
+
+type sccReviewOptions struct {
+	client              client.PodSecurityPolicyReviewsNamespacer
+	namespace           string
+	enforceNamespace    bool
+	out                 io.Writer
+	mapper              meta.RESTMapper
+	typer               runtime.ObjectTyper
+	RESTClientFactory   func(mapping *meta.RESTMapping) (resource.RESTClient, error)
+	printer             kubectl.ResourcePrinter
+	FilenameOptions     resource.FilenameOptions
+	ServiceAccountNames []string
+}
+
+func NewCmdSccReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command {
+	o := &sccReviewOptions{}
+	cmd := &cobra.Command{
+		Use:     name,
+		Short:   "Checks which ServiceAccount can create a Pod",
+		Long:    reviewLong,
+		Example: fmt.Sprintf(reviewExamples, fullName),
+		Run: func(cmd *cobra.Command, args []string) {
+			kcmdutil.CheckErr(o.Complete(f, args, cmd, out))
+			kcmdutil.CheckErr(o.Run(args))
+		},
+	}
+
+	cmd.Flags().StringSliceVarP(&o.ServiceAccountNames, "serviceaccounts", "s", o.ServiceAccountNames, "List of ServiceAccount names, comma separated")
+	kcmdutil.AddFilenameOptionFlags(cmd, &o.FilenameOptions, "Filename, directory, or URL to a file identifying the resource to get from a server.")
+
+	kcmdutil.AddPrinterFlags(cmd)
+
+	return cmd
+}
+
+func (o *sccReviewOptions) Complete(f *clientcmd.Factory, args []string, cmd *cobra.Command, out io.Writer) error {
+	if len(args) == 0 && len(o.FilenameOptions.Filenames) == 0 {
+		return kcmdutil.UsageError(cmd, cmd.Use)
+	}
+	var err error
+	o.namespace, o.enforceNamespace, err = f.DefaultNamespace()
+	if err != nil {
+		return err
+	}
+	o.client, _, err = f.Clients()
+	if err != nil {
+		return fmt.Errorf("unable to obtain client: %v", err)
+	}
+	o.mapper, o.typer = f.Object()
+	o.RESTClientFactory = f.ClientForMapping
+
+	if len(kcmdutil.GetFlagString(cmd, "output")) != 0 {
+		clientConfig, err := f.ClientConfig()
+		if err != nil {
+			return err
+		}
+		version, err := kcmdutil.OutputVersion(cmd, clientConfig.GroupVersion)
+		if err != nil {
+			return err
+		}
+		p, _, err := kcmdutil.PrinterForCommand(cmd)
+		if err != nil {
+			return err
+		}
+		o.printer = kubectl.NewVersionedPrinter(p, kapi.Scheme, version)
+	} else {
+		o.printer = describe.NewHumanReadablePrinter(kubectl.PrintOptions{NoHeaders: kcmdutil.GetFlagBool(cmd, "no-headers")})
+	}
+
+	o.out = out
+
+	return nil
+}
+
+func (o *sccReviewOptions) Run(args []string) error {
+
+	r := resource.NewBuilder(o.mapper, o.typer, resource.ClientMapperFunc(o.RESTClientFactory), kapi.Codecs.UniversalDecoder()).
+		NamespaceParam(o.namespace).
+		FilenameParam(o.enforceNamespace, &o.FilenameOptions).
+		ResourceTypeOrNameArgs(true, args...).
+		ContinueOnError().
+		Flatten().
+		Do()
+	err := r.Err()
+	if err != nil {
+		return err
+	}
+
+	allErrs := []error{}
+	reviews := []*securityapi.PodSecurityPolicyReview{}
+	err = r.Visit(func(info *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+		objectName := info.Name
+		podTemplateSpec, err := GetPodTemplateForObject(info.Object)
+		if err != nil {
+			return fmt.Errorf(" %q cannot create pod: %v", objectName, err)
+		}
+		err = CheckStatefulSetWithWolumeClaimTemplates(info.Object)
+		if err != nil {
+			return err
+		}
+		review := &securityapi.PodSecurityPolicyReview{
+			Spec: securityapi.PodSecurityPolicyReviewSpec{
+				Template:            *podTemplateSpec,
+				ServiceAccountNames: o.ServiceAccountNames,
+			},
+		}
+		response, err := o.client.PodSecurityPolicyReviews(o.namespace).Create(review)
+		if err != nil {
+			return fmt.Errorf("unable to compute Pod Security Policy Review for %q: %v", objectName, err)
+		}
+		reviews = append(reviews, response)
+		return nil
+	})
+	allErrs = append(allErrs, err)
+	for i := range reviews {
+		if err := o.printer.PrintObj(reviews[i], o.out); err != nil {
+			allErrs = append(allErrs, err)
+		}
+	}
+	return utilerrors.NewAggregate(allErrs)
+}
+
+// CheckStatefulSetWithWolumeClaimTemplates checks whether a supplied object is a statefulSet with volumeClaimTemplates
+// Currently scc-review  and scc-subject-review commands cannot handle correctly this case since validation is not based
+// only on podTemplateSpec.
+func CheckStatefulSetWithWolumeClaimTemplates(obj runtime.Object) error {
+	// TODO remove this as soon upstream statefulSet validation for podSpec is fixed.
+	// Currently podTemplateSpec for a statefulSet is not fully validated
+	// spec.volumeClaimTemplates info should be propagated down to
+	// spec.template.spec validateContainers to validate volumeMounts
+	//https://github.com/openshift/origin/blob/master/vendor/k8s.io/kubernetes/pkg/apis/apps/validation/validation.go#L57
+	switch r := obj.(type) {
+	case *apps.StatefulSet:
+		if len(r.Spec.VolumeClaimTemplates) > 0 {
+			return fmt.Errorf("StatefulSet %q with spec.volumeClaimTemplates currently not supported.", r.GetName())
+		}
+	}
+	return nil
+}
+
+func GetPodTemplateForObject(obj runtime.Object) (*kapi.PodTemplateSpec, error) {
+	podSpec, _, err := ometa.GetPodSpec(obj)
+	if err != nil {
+		return nil, err
+	}
+	return &kapi.PodTemplateSpec{Spec: *podSpec}, nil
+}