GitList

Browse code

allow pvc by default

Paul Weil authored on 2016/03/31 00:37:43
Showing 2 changed files

pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go index e5f5c11..8b7572d 100644
pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go index 117d105..4c8f519 100644

pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go

@@ -91,7 +91,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
                      					DescriptionAnnotation: SecurityContextConstraintNonRootDesc,
                      				},
                      			},
                     -			Volumes: []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap},
                     +			Volumes: []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap, kapi.FSTypePersistentVolumeClaim},
                      			SELinuxContext: kapi.SELinuxContextStrategyOptions{
                      				// This strategy requires that annotations on the namespace which will be populated
                      				// by the admission controller.  If namespaces are not annotated creating the strategy
@@ -119,7 +119,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
                      					DescriptionAnnotation: SecurityContextConstraintHostMountAndAnyUIDDesc,
                      				},
                      			},
                     -			Volumes: []kapi.FSType{kapi.FSTypeHostPath, kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap},
                     +			Volumes: []kapi.FSType{kapi.FSTypeHostPath, kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap, kapi.FSTypePersistentVolumeClaim},
                      			SELinuxContext: kapi.SELinuxContextStrategyOptions{
                      				// This strategy requires that annotations on the namespace which will be populated
                      				// by the admission controller.  If namespaces are not annotated creating the strategy
@@ -148,7 +148,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
                      					DescriptionAnnotation: SecurityContextConstraintHostNSDesc,
                      				},
                      			},
                     -			Volumes:          []kapi.FSType{kapi.FSTypeHostPath, kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap},
                     +			Volumes:          []kapi.FSType{kapi.FSTypeHostPath, kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap, kapi.FSTypePersistentVolumeClaim},
                      			AllowHostNetwork: true,
                      			AllowHostPorts:   true,
                      			AllowHostPID:     true,
@@ -180,7 +180,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
                      					DescriptionAnnotation: SecurityContextConstraintRestrictedDesc,
                      				},
                      			},
                     -			Volumes: []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap},
                     +			Volumes: []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap, kapi.FSTypePersistentVolumeClaim},
                      			SELinuxContext: kapi.SELinuxContextStrategyOptions{
                      				// This strategy requires that annotations on the namespace which will be populated
                      				// by the admission controller.  If namespaces are not annotated creating the strategy
@@ -210,7 +210,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
                      					DescriptionAnnotation: SecurityContextConstraintsAnyUIDDesc,
                      				},
                      			},
                     -			Volumes: []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap},
                     +			Volumes: []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap, kapi.FSTypePersistentVolumeClaim},
                      			SELinuxContext: kapi.SELinuxContextStrategyOptions{
                      				// This strategy requires that annotations on the namespace which will be populated
                      				// by the admission controller.  If namespaces are not annotated creating the strategy
@@ -241,7 +241,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
                      			},
                      			AllowHostNetwork: true,
                      			AllowHostPorts:   true,
                     -			Volumes:          []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap},
                     +			Volumes:          []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap, kapi.FSTypePersistentVolumeClaim},
                      			SELinuxContext: kapi.SELinuxContextStrategyOptions{
                      				// This strategy requires that annotations on the namespace which will be populated
                      				// by the admission controller.  If namespaces are not annotated creating the strategy

pkg/cmd/server/bootstrappolicy/securitycontextconstraints_test.go

History View file @ 020adab

@@ -1,9 +1,11 @@
                      package bootstrappolicy
                      import (
                     -	"k8s.io/kubernetes/pkg/serviceaccount"
                      	"reflect"
                      	"testing"
+                    +
                     +	kapi "k8s.io/kubernetes/pkg/api"
                     +	"k8s.io/kubernetes/pkg/serviceaccount"
+                     )
                      func TestBootstrappedConstraints(t *testing.T) {
@@ -17,6 +19,7 @@ func TestBootstrappedConstraints(t *testing.T) {
                      		SecurityContextConstraintsHostNetwork,
+                     	}
                      	expectedGroups, expectedUsers := getExpectedAccess()
                     +	expectedVolumes := []kapi.FSType{kapi.FSTypeEmptyDir, kapi.FSTypeSecret, kapi.FSTypeDownwardAPI, kapi.FSTypeConfigMap, kapi.FSTypePersistentVolumeClaim}
                      	groups, users := GetBoostrapSCCAccess(DefaultOpenShiftInfraNamespace)
                      	bootstrappedConstraints := GetBootstrapSecurityContextConstraints(groups, users)
@@ -35,6 +38,12 @@ func TestBootstrappedConstraints(t *testing.T) {
                      		if !reflect.DeepEqual(u, constraint.Users) {
                      			t.Errorf("unexpected user access for %s.  Found %v, wanted %v", constraint.Name, constraint.Users, u)
+                     		}
+                    +
                     +		for _, expectedVolume := range expectedVolumes {
                     +			if !supportsFSType(expectedVolume, &constraint) {
                     +				t.Errorf("%s does not support %v which is required for all default SCCs", constraint.Name, expectedVolume)
                     +			}
                     +		}
+                     	}
+                     }
@@ -77,3 +86,12 @@ func getExpectedAccess() (map[string][]string, map[string][]string) {
+                     	}
                      	return groups, users
+                     }
+                    +
                     +func supportsFSType(fsType kapi.FSType, scc *kapi.SecurityContextConstraints) bool {
                     +	for _, v := range scc.Volumes {
                     +		if v == kapi.FSTypeAll || v == fsType {
                     +			return true
                     +		}
                     +	}
                     +	return false
                     +}