don't crash when securitycontext is missing
dtandersen committed Jul 20, 2023
1 parent 7cd46b5 commit 5405ef8
Showing 2 changed files with 31 additions and 5 deletions.
2 changes: 2 additions & 0 deletions src/dsmlp/app/validator.py
Expand Up @@ -144,6 +144,8 @@ def check_pod_security_context(
def check_security_contexts(self, authorized_uid: int, allowed_teams: List[int], containers: List[Container]):
for container in containers:
securityContext = container.securityContext
if securityContext is None:
return

if securityContext.runAsUser is not None and authorized_uid != securityContext.runAsUser:
raise ValidationFailure(f"spec.containers.securityContext: invalid uid {securityContext.runAsUser}")
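Review bot: The new guard uses `return`, which leaves the whole loop and skips every container after the first one without a securityContext, so a pod whose first container omits securityContext and whose second sets a disallowed `runAsUser` would pass this check; the line should be `continue`, so that only the current container is skipped. The commit's new test uses a single empty container and would not catch this, so a companion test with `"containers": [{}, {"securityContext": {"runAsUser": 3}}]` expecting a denial would pin the fix. A short comment such as `# no container-level securityContext: nothing to validate for this container` would also make the intent explicit. Whether an absent securityContext is acceptable at all presumably depends on the pod-level check done elsewhere (check_pod_security_context is referenced in the hunk header but not shown); the rest of check_security_contexts continues outside the hunk.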
34 changes: 29 additions & 5 deletions tests/app/test_validator.py
Expand Up @@ -158,8 +158,7 @@ def test_deny_pod_security_context(self):
]
}
}
}}
)
}})

assert_that(response, equal_to({
"apiVersion": "admission.k8s.io/v1",
Expand All @@ -172,11 +171,36 @@ def test_deny_pod_security_context(self):
assert_that(self.logger.messages, has_item(equal_to(
"INFO Denied request username=user2 namespace=user2 reason=spec.containers.securityContext: invalid uid 3")))

def test_deny_pod_security_context2(self):
"""
The Pod doesn't have any security contexts.
It should be launched.
"""

response = self.when_validate(
{
"request": {
"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
"namespace": "user10",
"object": {
"kind": "Pod",
"spec": {
"containers": [{}]
}
}
}})

assert_that(response, equal_to({
"apiVersion": "admission.k8s.io/v1",
"kind": "AdmissionReview",
"response": {
"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
"allowed": True, "status": {
"message": "Allowed"
}}}))

# check podSecurityContext.runAsGroup
def test_deny_team_gid(self):
# self.awsed_client.add_user('user2', UserResponse(uid=2))
# self.kube.add_namespace('user2', Namespace(name='user2', labels={'k8s-sync': 'set'}))

response = self.when_validate(
{
"request": {
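Review bot: The new test is named `test_deny_pod_security_context2` but its docstring and assertion expect the pod to be allowed, which misleads a reader scanning for denial tests; a name like `test_allow_pod_without_security_context` matches what it checks. It also exercises only a single container with no securityContext, so it cannot detect validation stopping early on a multi-container pod; a second test that places an empty container before one with a disallowed `runAsUser` and expects `"allowed": False` would cover that path, using the namespace/uid pairing the fixtures already set up for a denied uid (the user2 case above shows uid 3 being denied). The enclosing test class continues outside the hunk.
```python
def test_allow_pod_without_security_context(self):
    """The Pod has no security contexts at all; it should be allowed."""
    # … unchanged: request/response body of the commit's new test …

def test_deny_container_after_one_without_security_context(self):
    """A container without securityContext must not stop validation of later containers."""
    response = self.when_validate({
        "request": {
            "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
            "namespace": "user2",  # a namespace whose authorized uid is not 3 in the fixtures
            "object": {
                "kind": "Pod",
                "spec": {"containers": [{}, {"securityContext": {"runAsUser": 3}}]}}}})
    assert_that(response["response"]["allowed"], equal_to(False))
```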
