Merge pull request kubernetes#43946 from jhorwit2/jah/host-path-psp

Automatic merge from submit-queue (batch tested with PRs 46489, 46281, 46463, 46114, 43946)

Allow PSP's to specify a whitelist of allowed paths for host volume

**What this PR does / why we need it**:

This PR adds the ability to whitelist paths for the host volume to ensure pods cannot access directories they aren't supposed to. E.g. `/var/lib/kubelet`, `/etc/kubernetes/*`, etc. 

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#29326


**Special notes for your reviewer**:

**Release note**:

```release-note
Allow PSP's to specify a whitelist of allowed paths for host volume based on path prefixes
```

api/openapi-spec/swagger.json

@@ -53319,6 +53319,13 @@
        "type": "string"
       }
      },
+     "allowedHostPaths": {
+      "description": "AllowedHostPaths is a white list of allowed host path prefixes. Empty indicates that all host paths may be used.",
+      "type": "array",
+      "items": {
+       "type": "string"
+      }
+     },
      "defaultAddCapabilities": {
       "description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
       "type": "array",

api/swagger-spec/extensions_v1beta1.json

@@ -9984,6 +9984,13 @@
      "readOnlyRootFilesystem": {
       "type": "boolean",
       "description": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to."
+     },
+     "allowedHostPaths": {
+      "type": "array",
+      "items": {
+       "type": "string"
+      },
+      "description": "AllowedHostPaths is a white list of allowed host path prefixes. Empty indicates that all host paths may be used."
      }
     }
    },

docs/api-reference/extensions/v1beta1/definitions.html

@@ -7655,6 +7655,13 @@ <h3 id="_v1beta1_podsecuritypolicyspec">v1beta1.PodSecurityPolicySpec</h3>
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowedHostPaths</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowedHostPaths is a white list of allowed host path prefixes. Empty indicates that all host paths may be used.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 
@@ -8120,7 +8127,7 @@ <h3 id="_any">any</h3>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2017-05-27 18:54:49 UTC
+Last updated 2017-05-29 17:05:24 UTC
 </div>
 </div>
 </body>

pkg/apis/extensions/types.go

@@ -884,6 +884,10 @@ type PodSecurityPolicySpec struct {
 	// will not be forced to.
 	// +optional
 	ReadOnlyRootFilesystem bool
+	// AllowedHostPaths is a white list of allowed host path prefixes. Empty indicates that all
+	// host paths may be used.
+	// +optional
+	AllowedHostPaths []string
 }
 
 // HostPortRange defines a range of host ports that will be enabled by a policy