From eea3e387661f52b8812cc7d6b92cc5d2c3973fc0 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Fri, 10 Jan 2025 09:39:18 -0500
Subject: [PATCH 1/2] WIP: test vendor change

Signed-off-by: Peter Hunt
---
 .../pkg/securitycontextconstraints/sccmatching/provider.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
index 6acd3913d..22e9324b5 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
@@ -347,6 +347,10 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
 allErrs = append(allErrs, s.capabilitiesStrategy.Validate(fldPath, pod, container, sc.Capabilities())...)
+ if s.scc.UserNamespaceLevel == securityv1.NamespaceLevelRequirePod && (podSC.HostUsers() == nil || *podSC.HostUsers()) {
+ allErrs = append(allErrs, field.Invalid(fldPath.Child("hostUsers"), podSC.HostUsers(), "Host Users must be set to false"))
+ }
+
 if !s.scc.AllowHostNetwork && podSC.HostNetwork() {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), podSC.HostNetwork(), "Host network is not allowed to be used"))
 }

From 7cf3e5d5482c7ccaee63fcf29eacde79d9393601 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Fri, 10 Jan 2025 13:43:42 -0500
Subject: [PATCH 2/2] WIP: test

Signed-off-by: Peter Hunt
---
 .../sccmatching/provider.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
index 22e9324b5..e05373dff 100644
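Review bot: The new hostUsers check reads a pod-level value, podSC.HostUsers(), but lives in the per-container validator and attaches the error to the container's fldPath.Child("hostUsers"), so a pod with several containers is rejected once per container and the reported path points at a field the container does not have. The condition belongs next to the other pod-scoped checks in ValidatePodSecurityContext, where patch 2 shows hostNetwork and hostPID being validated once against sc; assuming sc there exposes the same accessor, that would be `if s.scc.UserNamespaceLevel == securityv1.NamespaceLevelRequirePod && (sc.HostUsers() == nil || *sc.HostUsers()) {` with the same field.Invalid on `fldPath.Child("hostUsers")`. Treating a nil hostUsers as "host user namespace in use" is the right reading of the unset default, so it deserves a comment such as `// nil means hostUsers defaults to true (host user namespace), which this SCC level forbids` so the dereference is not later "simplified" into a nil-skip that silently admits the pod. ValidateContainerSecurityContext starts and ends outside this hunk.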
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
@@ -269,9 +269,9 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 allErrs = append(allErrs, s.seLinuxStrategy.Validate(fldPath.Child("seLinuxOptions"), pod, nil, sc.SELinuxOptions())...)
- if !s.scc.AllowHostNetwork && sc.HostNetwork() {
- allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), sc.HostNetwork(), "Host network is not allowed to be used"))
- }
+ //if !s.scc.AllowHostNetwork && sc.HostNetwork() {
+ // allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), sc.HostNetwork(), "Host network is not allowed to be used"))
+ //}
 if !s.scc.AllowHostPID && sc.HostPID() {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), sc.HostPID(), "Host PID is not allowed to be used"))
@@ -351,9 +351,9 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
 allErrs = append(allErrs, field.Invalid(fldPath.Child("hostUsers"), podSC.HostUsers(), "Host Users must be set to false"))
 }
- if !s.scc.AllowHostNetwork && podSC.HostNetwork() {
- allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), podSC.HostNetwork(), "Host network is not allowed to be used"))
- }
+ //if !s.scc.AllowHostNetwork && podSC.HostNetwork() {
+ // allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), podSC.HostNetwork(), "Host network is not allowed to be used"))
+ //}
 if !s.scc.AllowHostPorts {
 podhelpers.VisitContainersWithPath(&pod.Spec, fldPath, func(container *api.Container, path *field.Path) bool {
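Review bot: The SCC's AllowHostNetwork setting is no longer enforced anywhere once this hunk in ValidatePodSecurityContext and the matching hunk in ValidateContainerSecurityContext comment out the only two places that check it: a pod with spec.hostNetwork: true is now admitted under an SCC that sets allowHostNetwork: false, while the hostPID and hostPorts checks right next to it still reject. The subject says WIP/test, so presumably this is temporary, but if any part of it is meant to land it should be a deliberate change made upstream in apiserver-library-go rather than a hand edit under vendor/, which the next vendor sync will silently revert. If the goal is only to stop the hostNetwork error being reported once per container as well as once per pod, keeping the pod-level branch and dropping only the container-level copy would preserve enforcement. In either case the dead lines should be deleted rather than left as commented-out code, which reads as "disabled" rather than "removed on purpose". Both enclosing functions begin and end outside their hunks.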