// Copyright 2020 The Monogon Project Authors.
//
// SPDX-License-Identifier: Apache-2.0
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

| 17 | package reconciler |
| 18 | |
import (
	"context"
	"fmt"

	core "k8s.io/api/core/v1"
	policy "k8s.io/api/policy/v1beta1"
	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
)
| 27 | |
// resourcePodSecurityPolicies reconciles the builtin PodSecurityPolicy objects
// of the cluster. It embeds a kubernetes.Interface, which its methods use to
// reach the policy/v1beta1 API group.
type resourcePodSecurityPolicies struct {
	kubernetes.Interface
}
| 31 | |
// List returns the names of the PodSecurityPolicy objects selected by
// listBuiltins (defined elsewhere in this package). The API error is
// returned unwrapped so callers can inspect it directly.
func (r resourcePodSecurityPolicies) List(ctx context.Context) ([]string, error) {
	list, err := r.PolicyV1beta1().PodSecurityPolicies().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(list.Items))
	for _, psp := range list.Items {
		names = append(names, psp.Name)
	}
	return names, nil
}
| 43 | |
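// Create submits el to the API server as a new PodSecurityPolicy.
//
// el must be a *policy.PodSecurityPolicy; any other dynamic type yields an
// error instead of a panic, so a mis-wired Expected() map cannot take the
// reconciler down. The API error, if any, is returned unwrapped.
func (r resourcePodSecurityPolicies) Create(ctx context.Context, el interface{}) error {
	psp, ok := el.(*policy.PodSecurityPolicy)
	if !ok {
		return fmt.Errorf("creating PodSecurityPolicy: expected *policy.PodSecurityPolicy, got %T", el)
	}
	_, err := r.PolicyV1beta1().PodSecurityPolicies().Create(ctx, psp, meta.CreateOptions{})
	return err
}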
| 48 | |
// Delete removes the PodSecurityPolicy called name from the cluster, using
// default deletion options. The API error, if any, is returned unwrapped.
func (r resourcePodSecurityPolicies) Delete(ctx context.Context, name string) error {
	client := r.PolicyV1beta1().PodSecurityPolicies()
	return client.Delete(ctx, name, meta.DeleteOptions{})
}
| 52 | |
// Expected returns the builtin PodSecurityPolicy objects this reconciler keeps
// in the cluster, keyed by object name. A single policy, "default", is defined.
//
// The policy denies host network, IPC and PID namespaces, limits volumes to the
// listed types and caps AllowedCapabilities at runc's default set, but is
// otherwise permissive: it allows privilege escalation and uses the RunAsAny
// rule for the user, SELinux, FSGroup and supplemental-group strategies, so
// pods admitted under it may run as root.
//
// NOTE(review): policy/v1beta1 PodSecurityPolicy was deprecated in Kubernetes
// 1.21 and removed in 1.25; on clusters past that this object has no effect and
// an equivalent control (e.g. Pod Security Admission) is needed.
func (r resourcePodSecurityPolicies) Expected() map[string]interface{} {
	// runc's default list of allowed capabilities
	allowedCaps := []core.Capability{
		"SETPCAP",
		"MKNOD",
		"AUDIT_WRITE",
		"CHOWN",
		"NET_RAW",
		"DAC_OVERRIDE",
		"FOWNER",
		"FSETID",
		"KILL",
		"SETGID",
		"SETUID",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"SETFCAP",
	}

	// Volumes considered safe to use
	safeVolumes := []policy.FSType{
		policy.ConfigMap,
		policy.EmptyDir,
		policy.Projected,
		policy.Secret,
		policy.DownwardAPI,
		policy.PersistentVolumeClaim,
	}

	spec := policy.PodSecurityPolicySpec{
		AllowPrivilegeEscalation: True(),
		AllowedCapabilities:      allowedCaps,
		// Host namespaces stay disabled; these are the zero values, spelled
		// out so the intent is visible.
		HostNetwork: false,
		HostIPC:     false,
		HostPID:     false,
		// Every identity-related strategy is RunAsAny, i.e. unrestricted.
		FSGroup:            policy.FSGroupStrategyOptions{Rule: policy.FSGroupStrategyRunAsAny},
		RunAsUser:          policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyRunAsAny},
		SELinux:            policy.SELinuxStrategyOptions{Rule: policy.SELinuxStrategyRunAsAny},
		SupplementalGroups: policy.SupplementalGroupsStrategyOptions{Rule: policy.SupplementalGroupsStrategyRunAsAny},
		Volumes:            safeVolumes,
	}

	defaultPSP := &policy.PodSecurityPolicy{
		ObjectMeta: meta.ObjectMeta{
			Name:   "default",
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This default PSP allows the creation of pods using features that are" +
					" generally considered safe against any sort of escape.",
			},
		},
		Spec: spec,
	}

	return map[string]interface{}{
		"default": defaultPSP,
	}
}