fix miss understanding etc

README.md

@@ -12,7 +12,7 @@ This project is just a stopgap until it is replaced.
 Pod Security Admission
 ======================
 
-pod-security-admission is a set of [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to ensure [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
+pod-security-admission is a set of [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to ensure [Pod Security Standards v1.30](https://github.com/kubernetes/website/blob/snapshot-initial-v1.30/content/en/docs/concepts/security/pod-security-standards.md).
 
 pod-security-admission aims to be a simple [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) replacement.
 

cmd/sub/run.go

@@ -52,7 +52,7 @@ func run(addr string, port int, profs []hooks.SecurityProfile) error {
 	wh := mgr.GetWebhookServer()
 	for _, prof := range profs {
 		wh.Register("/mutate-"+prof.Name, hooks.NewPodMutator(mgr.GetClient(), ctrl.Log.WithName("mutate-"+prof.Name), dec, prof))
-		wh.Register("/validate-"+prof.Name, hooks.NewPodValidator(mgr.GetClient(), ctrl.Log.WithName("validate-"+prof.Name), &dec, prof))
+		wh.Register("/validate-"+prof.Name, hooks.NewPodValidator(mgr.GetClient(), ctrl.Log.WithName("validate-"+prof.Name), dec, prof))
 	}
 
 	// +kubebuilder:scaffold:builder

hooks/ephemeral_container_test.go

@@ -157,6 +157,18 @@ spec:
 				},
 			},
 		}, false, "denied the request: spec.ephemeralContainers[0].securityContext.selinuxOptions: Forbidden: Setting custom SELinux options is not allowed"),
+		Entry("AllowAppArmor Ephemeral Container", "restricted", "test-allowed-apparmor-ec", corev1.EphemeralContainer{
+			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
+				Name:  "debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
+				SecurityContext: &corev1.SecurityContext{
+					RunAsNonRoot: ptr.To(true),
+					AppArmorProfile: &corev1.AppArmorProfile{
+						Type: "RuntimeDefault",
+					},
+				},
+			},
+		}, true, ""),
 	)
 
 	// runAsNonRoot of an ephemeral container will not be mutated until the following issue is completed.

hooks/suite_test.go

@@ -129,7 +129,7 @@ var _ = BeforeSuite(func() {
 		AllowPrivilegeEscalation: true,
 		RunAsRoot:                true,
 	}
-	wh.Register(baselineValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(baselineValidatingWebhookPath), &dec, baselineProfile))
+	wh.Register(baselineValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(baselineValidatingWebhookPath), dec, baselineProfile))
 	wh.Register(baselineMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(baselineMutatingWebhookPath), dec, baselineProfile))
 
 	// "hostpath" profile = "baseline" profile + AllowedHostPaths
@@ -155,20 +155,20 @@ var _ = BeforeSuite(func() {
 		AllowPrivilegeEscalation: true,
 		RunAsRoot:                true,
 	}
-	wh.Register(hostpathValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(hostpathValidatingWebhookPath), &dec, hostpathProfile))
+	wh.Register(hostpathValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(hostpathValidatingWebhookPath), dec, hostpathProfile))
 	wh.Register(hostpathMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(hostpathMutatingWebhookPath), dec, hostpathProfile))
 
 	restrictedProfile := SecurityProfile{
 		Name: "restricted",
 	}
-	wh.Register(restrictedValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(restrictedValidatingWebhookPath), &dec, restrictedProfile))
+	wh.Register(restrictedValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(restrictedValidatingWebhookPath), dec, restrictedProfile))
 	wh.Register(restrictedMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(restrictedMutatingWebhookPath), dec, restrictedProfile))
 
 	mutatingProfile := SecurityProfile{
 		Name:              "mutating",
 		ForceRunAsNonRoot: true,
 	}
-	wh.Register(mutatingValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(mutatingValidatingWebhookPath), &dec, mutatingProfile))
+	wh.Register(mutatingValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(mutatingValidatingWebhookPath), dec, mutatingProfile))
 	wh.Register(mutatingMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(mutatingMutatingWebhookPath), dec, mutatingProfile))
 
 	//+kubebuilder:scaffold:webhook

hooks/validate_pod.go

@@ -17,13 +17,13 @@ import (
 type podValidator struct {
 	client      client.Client
 	log         logr.Logger
-	decoder     *admission.Decoder
+	decoder     admission.Decoder
 	profileName string
 	validators  []validators.Validator
 }
 
 // NewPodValidator creates a webhook handler for Pod.
-func NewPodValidator(c client.Client, log logr.Logger, dec *admission.Decoder, prof SecurityProfile) http.Handler {
+func NewPodValidator(c client.Client, log logr.Logger, dec admission.Decoder, prof SecurityProfile) http.Handler {
 	v := &podValidator{
 		client:      c,
 		log:         log,
@@ -89,7 +89,7 @@ func (v *podValidator) Handle(ctx context.Context, req admission.Request) admiss
 	v.log.Info("validating pod", "name", namespacedName, "profile", v.profileName)
 
 	po := &corev1.Pod{}
-	err := admission.Decoder.Decode(*v.decoder, req, po)
+	err := v.decoder.Decode(req, po)
 	if err != nil {
 		v.log.Error(err, "failed to decode pod", "name", namespacedName, "profile", v.profileName)
 		return admission.Errored(http.StatusBadRequest, err)

hooks/validators/deny_unsafe_apparmor.go

@@ -26,12 +26,10 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 	p = field.NewPath("spec").Child("SecurityContext")
 	hasPodAppArmorProfile := pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.AppArmorProfile != nil
 	if hasPodAppArmorProfile {
-		isTypeUnconfined := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
 		isTypeRuntimeDefault := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
 		isTypeLocalhost := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
-		hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+		hasNotAllowedType := !(isTypeRuntimeDefault || isTypeLocalhost)
 		if hasNotAllowedType {
-			// errs = append(errs, field.Forbidden(p.Child("AppArmorProfile"), fmt.Sprintf("%v is not an allowed AppArmor profile", pod.Spec.SecurityContext.AppArmorProfile.Type)))
 			errs = append(errs, field.Forbidden(p, fmt.Sprintf("%v is not an allowed AppArmor profile", pod.Spec.SecurityContext.AppArmorProfile.Type)))
 		}
 	}
@@ -40,10 +38,9 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 	for i, co := range pod.Spec.Containers {
 		hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
 		if hasPodAppArmorProfile {
-			isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
 			isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
 			isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
-			hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+			hasNotAllowedType := !(isTypeRuntimeDefault || isTypeLocalhost)
 			if hasNotAllowedType {
 				errs = append(errs, field.Forbidden(p.Index(i), fmt.Sprintf("%v is not an allowed AppArmor profile", co.SecurityContext.AppArmorProfile.Type)))
 			}
@@ -54,10 +51,9 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 	for i, co := range pod.Spec.Containers {
 		hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
 		if hasPodAppArmorProfile {
-			isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
 			isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
 			isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
-			hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+			hasNotAllowedType := !(isTypeRuntimeDefault || isTypeLocalhost)
 			if hasNotAllowedType {
 				errs = append(errs, field.Forbidden(p.Index(i), fmt.Sprintf("%v is not an allowed AppArmor profile", co.SecurityContext.AppArmorProfile.Type)))
 			}