SecurityContextConstraints: add AllowedFlexDrivers field.

php-coder · php-coder · commit ccfea0460fa6 · 2017-07-31T16:25:20.000+02:00
diff --git a/pkg/oc/cli/describe/describer.go b/pkg/oc/cli/describe/describer.go
@@ -1810,6 +1810,7 @@ func describeSecurityContextConstraints(scc *securityapi.SecurityContextConstrai
 		fmt.Fprintf(out, "  Allowed Capabilities:\t%s\n", capsToString(scc.AllowedCapabilities))
 		fmt.Fprintf(out, "  Allowed Seccomp Profiles:\t%s\n", stringOrNone(strings.Join(scc.SeccompProfiles, ",")))
 		fmt.Fprintf(out, "  Allowed Volume Types:\t%s\n", fsTypeToString(scc.Volumes))
+		fmt.Fprintf(out, "  Allowed Flexvolume Drivers:\t%s\n", stringOrDefaultValue(strings.Join(scc.AllowedFlexDrivers, ","), "<all>"))
 		fmt.Fprintf(out, "  Allow Host Network:\t%t\n", scc.AllowHostNetwork)
 		fmt.Fprintf(out, "  Allow Host Ports:\t%t\n", scc.AllowHostPorts)
 		fmt.Fprintf(out, "  Allow Host PID:\t%t\n", scc.AllowHostPID)
@@ -1865,6 +1866,13 @@ func stringOrNone(s string) string {
 	return "<none>"
 }
 
+func stringOrDefaultValue(s, defaultValue string) string {
+	if len(s) > 0 {
+		return s
+	}
+	return defaultValue
+}
+
 func fsTypeToString(volumes []securityapi.FSType) string {
 	strVolumes := []string{}
 	for _, v := range volumes {
diff --git a/pkg/security/apis/security/types.go b/pkg/security/apis/security/types.go
@@ -42,6 +42,10 @@ type SecurityContextConstraints struct {
 	// of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use "*".
 	// To allow no volumes, set to ["none"].
 	Volumes []FSType
+	// AllowedFlexDrivers is a whitelist of allowed Flexvolume drivers.
+	// Empty or nil indicates that all drivers may be used.
+	// +optional
+	AllowedFlexDrivers []string
 	// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
 	AllowHostNetwork bool
 	// AllowHostPorts determines if the policy allows host ports in the containers.
diff --git a/pkg/security/apis/security/v1/types.go b/pkg/security/apis/security/v1/types.go
@@ -47,6 +47,9 @@ type SecurityContextConstraints struct {
 	// of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use "*".
 	// To allow no volumes, set to ["none"].
 	Volumes []FSType `json:"volumes" protobuf:"bytes,8,rep,name=volumes,casttype=FSType"`
+	// AllowedFlexDrivers is a whitelist of allowed Flexvolume drivers.
+	// Empty or nil indicates that all drivers may be used.
+	AllowedFlexDrivers []string `json:"allowedFlexDrivers" protobuf:"bytes,21,opt,name=allowedFlexDrivers"`
 	// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
 	AllowHostNetwork bool `json:"allowHostNetwork" protobuf:"varint,9,opt,name=allowHostNetwork"`
 	// AllowHostPorts determines if the policy allows host ports in the containers.
diff --git a/pkg/security/securitycontextconstraints/provider.go b/pkg/security/securitycontextconstraints/provider.go
@@ -292,19 +292,41 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
 
 	allErrs = append(allErrs, s.capabilitiesStrategy.Validate(pod, container)...)
 
-	if len(pod.Spec.Volumes) > 0 && !sccutil.SCCAllowsAllVolumes(s.scc) {
-		allowedVolumes := sccutil.FSTypeToStringSet(s.scc.Volumes)
-		for i, v := range pod.Spec.Volumes {
-			fsType, err := sccutil.GetVolumeFSType(v)
-			if err != nil {
-				allErrs = append(allErrs, field.Invalid(fldPath.Child("volumes").Index(i), string(fsType), err.Error()))
-				continue
+	if len(pod.Spec.Volumes) > 0 {
+		if !sccutil.SCCAllowsAllVolumes(s.scc) {
+			allowedVolumes := sccutil.FSTypeToStringSet(s.scc.Volumes)
+			for i, v := range pod.Spec.Volumes {
+				fsType, err := sccutil.GetVolumeFSType(v)
+				if err != nil {
+					allErrs = append(allErrs, field.Invalid(fldPath.Child("volumes").Index(i), string(fsType), err.Error()))
+					continue
+				}
+
+				if !allowedVolumes.Has(string(fsType)) {
+					allErrs = append(allErrs, field.Invalid(
+						fldPath.Child("volumes").Index(i), string(fsType),
+						fmt.Sprintf("%s volumes are not allowed to be used", string(fsType))))
+				}
 			}
+		}
 
-			if !allowedVolumes.Has(string(fsType)) {
-				allErrs = append(allErrs, field.Invalid(
-					fldPath.Child("volumes").Index(i), string(fsType),
-					fmt.Sprintf("%s volumes are not allowed to be used", string(fsType))))
+		if len(s.scc.AllowedFlexDrivers) > 0 && sccutil.SCCAllowsFSType(s.scc, securityapi.FSTypeFlexVolume) {
+			for i, v := range pod.Spec.Volumes {
+				if v.FlexVolume == nil {
+					continue
+				}
+
+				found := false
+				driver := v.FlexVolume.Driver
+				for _, allowedDriver := range s.scc.AllowedFlexDrivers {
+					if driver == allowedDriver {
+						found = true
+						break
+					}
+				}
+				if !found {
+					allErrs = append(allErrs, field.Invalid(fldPath.Child("volumes").Index(i), driver, "Flexvolume driver is not allowed to be used"))
+				}
 			}
 		}
 	}
