Merge pull request #15558 from php-coder/scc_for_flexvolumes

Automatic merge from submit-queue

SCC: add AllowedFlexVolumes to manage a whitelist of allowed flexvolumes drivers

Proposal: kubernetes/community#723
Trello: https://trello.com/c/YT6sNEay/61-5-sccfsi-psp-scc-flex-volume-support
Examples: #15558 (comment)

api/docs/api/v1.SecurityContextConstraints.adoc

@@ -26,6 +26,8 @@ Expand or mouse-over a field for more information about it.
 </div><div style="margin-left:13px;"><span title="(boolean) AllowPrivilegedContainer determines if a container can request to be run as privileged.">allowPrivilegedContainer</span>:
 </div><details><summary><span title="(array) AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author&#39;s discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use &#39;*&#39;.">allowedCapabilities</span>:
 </summary><div style="margin-left:13px;">- <span title="(string)">[string]</span>:
+</div></details><details><summary><span title="(array) AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes is allowed in the &#34;Volumes&#34; field.">allowedFlexVolumes</span>:
+</summary><div style="margin-left:13px;">- <span title="(string) Driver is the name of the Flexvolume driver.">driver</span>:
 </div></details><div style="margin-left:13px;"><span title="(string) APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources">apiVersion</span>:
 </div><details><summary><span title="(array) DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.">defaultAddCapabilities</span>:
 </summary><div style="margin-left:13px;">- <span title="(string)">[string]</span>:

api/docs/apis-security.openshift.io/v1.SecurityContextConstraints.adoc

@@ -26,6 +26,8 @@ Expand or mouse-over a field for more information about it.
 </div><div style="margin-left:13px;"><span title="(boolean) AllowPrivilegedContainer determines if a container can request to be run as privileged.">allowPrivilegedContainer</span>:
 </div><details><summary><span title="(array) AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author&#39;s discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use &#39;*&#39;.">allowedCapabilities</span>:
 </summary><div style="margin-left:13px;">- <span title="(string)">[string]</span>:
+</div></details><details><summary><span title="(array) AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes is allowed in the &#34;Volumes&#34; field.">allowedFlexVolumes</span>:
+</summary><div style="margin-left:13px;">- <span title="(string) Driver is the name of the Flexvolume driver.">driver</span>:
 </div></details><div style="margin-left:13px;"><span title="(string) APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources">apiVersion</span>:
 </div><details><summary><span title="(array) DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.">defaultAddCapabilities</span>:
 </summary><div style="margin-left:13px;">- <span title="(string)">[string]</span>:

api/swagger-spec/api-v1.json

@@ -22769,6 +22769,7 @@
      "allowedCapabilities",
      "allowHostDirVolumePlugin",
      "volumes",
+     "allowedFlexVolumes",
      "allowHostNetwork",
      "allowHostPorts",
      "allowHostPID",
@@ -22829,6 +22830,13 @@
       },
       "description": "Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"]."
      },
+     "allowedFlexVolumes": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.AllowedFlexVolume"
+      },
+      "description": "AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes is allowed in the \"Volumes\" field."
+     },
      "allowHostNetwork": {
       "type": "boolean",
       "description": "AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec."
@@ -22892,6 +22900,16 @@
     "id": "v1.FSType",
     "properties": {}
    },
+   "v1.AllowedFlexVolume": {
+    "id": "v1.AllowedFlexVolume",
+    "description": "AllowedFlexVolume represents a single Flexvolume that is allowed to be used.",
+    "properties": {
+     "driver": {
+      "type": "string",
+      "description": "Driver is the name of the Flexvolume driver."
+     }
+    }
+   },
    "v1.SELinuxContextStrategyOptions": {
     "id": "v1.SELinuxContextStrategyOptions",
     "description": "SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.",

api/swagger-spec/openshift-openapi-spec.json

@@ -92187,6 +92187,15 @@
      }
     }
    },
+   "com.github.openshift.origin.pkg.security.apis.security.v1.AllowedFlexVolume": {
+    "description": "AllowedFlexVolume represents a single Flexvolume that is allowed to be used.",
+    "properties": {
+     "driver": {
+      "description": "Driver is the name of the Flexvolume driver.",
+      "type": "string"
+     }
+    }
+   },
    "com.github.openshift.origin.pkg.security.apis.security.v1.FSGroupStrategyOptions": {
     "description": "FSGroupStrategyOptions defines the strategy type and options used to create the strategy.",
     "properties": {
@@ -92459,6 +92468,7 @@
      "allowedCapabilities",
      "allowHostDirVolumePlugin",
      "volumes",
+     "allowedFlexVolumes",
      "allowHostNetwork",
      "allowHostPorts",
      "allowHostPID",
@@ -92497,6 +92507,13 @@
        "type": "string"
       }
      },
+     "allowedFlexVolumes": {
+      "description": "AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes is allowed in the \"Volumes\" field.",
+      "type": "array",
+      "items": {
+       "$ref": "#/definitions/com.github.openshift.origin.pkg.security.apis.security.v1.AllowedFlexVolume"
+      }
+     },
      "apiVersion": {
       "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
       "type": "string"

pkg/oc/cli/describe/describer.go

@@ -1835,6 +1835,7 @@ func describeSecurityContextConstraints(scc *securityapi.SecurityContextConstrai
 		fmt.Fprintf(out, "  Allowed Capabilities:\t%s\n", capsToString(scc.AllowedCapabilities))
 		fmt.Fprintf(out, "  Allowed Seccomp Profiles:\t%s\n", stringOrNone(strings.Join(scc.SeccompProfiles, ",")))
 		fmt.Fprintf(out, "  Allowed Volume Types:\t%s\n", fsTypeToString(scc.Volumes))
+		fmt.Fprintf(out, "  Allowed Flexvolumes:\t%s\n", flexVolumesToString(scc.AllowedFlexVolumes))
 		fmt.Fprintf(out, "  Allow Host Network:\t%t\n", scc.AllowHostNetwork)
 		fmt.Fprintf(out, "  Allow Host Ports:\t%t\n", scc.AllowHostPorts)
 		fmt.Fprintf(out, "  Allow Host PID:\t%t\n", scc.AllowHostPID)
@@ -1884,10 +1885,14 @@ func describeSecurityContextConstraints(scc *securityapi.SecurityContextConstrai
 }
 
 func stringOrNone(s string) string {
+	return stringOrDefaultValue(s, "<none>")
+}
+
+func stringOrDefaultValue(s, defaultValue string) string {
 	if len(s) > 0 {
 		return s
 	}
-	return "<none>"
+	return defaultValue
 }
 
 func fsTypeToString(volumes []securityapi.FSType) string {
@@ -1898,6 +1903,14 @@ func fsTypeToString(volumes []securityapi.FSType) string {
 	return stringOrNone(strings.Join(strVolumes, ","))
 }
 
+func flexVolumesToString(flexVolumes []securityapi.AllowedFlexVolume) string {
+	volumes := []string{}
+	for _, flexVolume := range flexVolumes {
+		volumes = append(volumes, "driver="+flexVolume.Driver)
+	}
+	return stringOrDefaultValue(strings.Join(volumes, ","), "<all>")
+}
+
 func idRangeToString(ranges []securityapi.IDRange) string {
 	formattedString := ""
 	if ranges != nil {

pkg/openapi/zz_generated.openapi.go

@@ -8788,6 +8788,23 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
 			},
 			Dependencies: []string{},
 		},
+		"github.com/openshift/origin/pkg/security/apis/security/v1.AllowedFlexVolume": {
+			Schema: spec.Schema{
+				SchemaProps: spec.SchemaProps{
+					Description: "AllowedFlexVolume represents a single Flexvolume that is allowed to be used.",
+					Properties: map[string]spec.Schema{
+						"driver": {
+							SchemaProps: spec.SchemaProps{
+								Description: "Driver is the name of the Flexvolume driver.",
+								Type:        []string{"string"},
+								Format:      "",
+							},
+						},
+					},
+				},
+			},
+			Dependencies: []string{},
+		},
 		"github.com/openshift/origin/pkg/security/apis/security/v1.FSGroupStrategyOptions": {
 			Schema: spec.Schema{
 				SchemaProps: spec.SchemaProps{
@@ -9265,6 +9282,19 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
 								},
 							},
 						},
+						"allowedFlexVolumes": {
+							SchemaProps: spec.SchemaProps{
+								Description: "AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes is allowed in the \"Volumes\" field.",
+								Type:        []string{"array"},
+								Items: &spec.SchemaOrArray{
+									Schema: &spec.Schema{
+										SchemaProps: spec.SchemaProps{
+											Ref: ref("github.com/openshift/origin/pkg/security/apis/security/v1.AllowedFlexVolume"),
+										},
+									},
+								},
+							},
+						},
 						"allowHostNetwork": {
 							SchemaProps: spec.SchemaProps{
 								Description: "AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
@@ -9367,11 +9397,11 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
 							},
 						},
 					},
-					Required: []string{"priority", "allowPrivilegedContainer", "defaultAddCapabilities", "requiredDropCapabilities", "allowedCapabilities", "allowHostDirVolumePlugin", "volumes", "allowHostNetwork", "allowHostPorts", "allowHostPID", "allowHostIPC", "readOnlyRootFilesystem"},
+					Required: []string{"priority", "allowPrivilegedContainer", "defaultAddCapabilities", "requiredDropCapabilities", "allowedCapabilities", "allowHostDirVolumePlugin", "volumes", "allowedFlexVolumes", "allowHostNetwork", "allowHostPorts", "allowHostPID", "allowHostIPC", "readOnlyRootFilesystem"},
 				},
 			},
 			Dependencies: []string{
-				"github.com/openshift/origin/pkg/security/apis/security/v1.FSGroupStrategyOptions", "github.com/openshift/origin/pkg/security/apis/security/v1.RunAsUserStrategyOptions", "github.com/openshift/origin/pkg/security/apis/security/v1.SELinuxContextStrategyOptions", "github.com/openshift/origin/pkg/security/apis/security/v1.SupplementalGroupsStrategyOptions", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+				"github.com/openshift/origin/pkg/security/apis/security/v1.AllowedFlexVolume", "github.com/openshift/origin/pkg/security/apis/security/v1.FSGroupStrategyOptions", "github.com/openshift/origin/pkg/security/apis/security/v1.RunAsUserStrategyOptions", "github.com/openshift/origin/pkg/security/apis/security/v1.SELinuxContextStrategyOptions", "github.com/openshift/origin/pkg/security/apis/security/v1.SupplementalGroupsStrategyOptions", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 		},
 		"github.com/openshift/origin/pkg/security/apis/security/v1.SecurityContextConstraintsList": {
 			Schema: spec.Schema{

pkg/security/apis/security/types.go

@@ -45,6 +45,11 @@ type SecurityContextConstraints struct {
 	// of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use "*".
 	// To allow no volumes, set to ["none"].
 	Volumes []FSType
+	// AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all
+	// Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
+	// is allowed in the "Volumes" field.
+	// +optional
+	AllowedFlexVolumes []AllowedFlexVolume
 	// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
 	AllowHostNetwork bool
 	// AllowHostPorts determines if the policy allows host ports in the containers.
@@ -115,6 +120,12 @@ var (
 	FSTypeNone                  FSType = "none"
 )
 
+// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
+type AllowedFlexVolume struct {
+	// Driver is the name of the Flexvolume driver.
+	Driver string
+}
+
 // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
 type SELinuxContextStrategyOptions struct {
 	// Type is the strategy that will dictate what SELinux context is used in the SecurityContext.