diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
index 6acd3913d..e05373dff 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
@@ -269,9 +269,9 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 allErrs = append(allErrs, s.seLinuxStrategy.Validate(fldPath.Child("seLinuxOptions"), pod, nil, sc.SELinuxOptions())...)
- if !s.scc.AllowHostNetwork && sc.HostNetwork() {
- allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), sc.HostNetwork(), "Host network is not allowed to be used"))
- }
+ //if !s.scc.AllowHostNetwork && sc.HostNetwork() {
+ // allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), sc.HostNetwork(), "Host network is not allowed to be used"))
+ //}
 if !s.scc.AllowHostPID && sc.HostPID() {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), sc.HostPID(), "Host PID is not allowed to be used"))
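Review bot: Commenting out the AllowHostNetwork check in ValidatePodSecurityContext means a pod with hostNetwork: true is no longer rejected by an SCC whose allowHostNetwork is false, and the same check is commented out again in the ValidateContainerSecurityContext hunk at line 347, so neither path enforces it anymore. If dropping this enforcement is intended, the dead code should be removed and replaced by a comment that states why and where host networking is validated instead, e.g. `// hostNetwork is intentionally not validated here: <reason — TODO>`; otherwise the original lines should be restored. The hostUsers requirement added in the second hunk checks a pod-level setting inside the per-container validator, so the same error will presumably be reported once per container under the container's field path — it likely belongs in ValidatePodSecurityContext next to the other pod-level checks. This is a hand edit to a vendored file, which the next `go mod vendor` will silently overwrite, so the change should be carried as a documented patch or upstreamed. Both enclosing functions start and end outside the hunks.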
@@ -347,10 +347,14 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe
 allErrs = append(allErrs, s.capabilitiesStrategy.Validate(fldPath, pod, container, sc.Capabilities())...)
- if !s.scc.AllowHostNetwork && podSC.HostNetwork() {
- allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), podSC.HostNetwork(), "Host network is not allowed to be used"))
+ if s.scc.UserNamespaceLevel == securityv1.NamespaceLevelRequirePod && (podSC.HostUsers() == nil || *podSC.HostUsers()) {
+ allErrs = append(allErrs, field.Invalid(fldPath.Child("hostUsers"), podSC.HostUsers(), "Host Users must be set to false"))
 }
+ //if !s.scc.AllowHostNetwork && podSC.HostNetwork() {
+ // allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), podSC.HostNetwork(), "Host network is not allowed to be used"))
+ //}
+
 if !s.scc.AllowHostPorts {
 podhelpers.VisitContainersWithPath(&pod.Spec, fldPath, func(container *api.Container, path *field.Path) bool {
 allErrs = append(allErrs, s.hasHostPort(container, path)...)