Show SCC provider in error message

[php-coder]

Let's use parameter fldPath in the AssignSecurityContext function. In this case provider name is included in the error message that is super helpful during debug.

Before:

admission.go:125] unable to validate pod (generate: es-master-2387585559-) against any security context constraint: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed capabilities.add: Invalid value: "IPC_LOCK": capability may not be added capabilities.add: Invalid value: "SYS_RESOURCE": capability may not be added]

After

admission.go:125] unable to validate pod (generate: es-master-2387585559-) against any security context constraint: [provider restricted: .spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed capabilities.add: Invalid value: "IPC_LOCK": capability may not be added capabilities.add: Invalid value: "SYS_RESOURCE": capability may not be added]

This message is also including in the FailedCreate event. The message still hard to read but now it contains helpful information.

PTAL @pweil-

[php-coder]

I see that we're missing information about container here

origin/vendor/k8s.io/kubernetes/pkg/securitycontextconstraints/provider.go

Lines 299 to 307 in ec4262b

	allErrs = append(allErrs, s.runAsUserStrategy.Validate(pod, container)...)
	allErrs = append(allErrs, s.seLinuxStrategy.Validate(pod, container)...)
	allErrs = append(allErrs, s.seccompStrategy.ValidateContainer(pod, container)...)
	if !s.scc.AllowPrivilegedContainer && *sc.Privileged {
	allErrs = append(allErrs, field.Invalid(fldPath.Child("privileged"), *sc.Privileged, "Privileged containers are not allowed"))
	}
	allErrs = append(allErrs, s.capabilitiesStrategy.Validate(pod, container)...)

because Validate() accepts only container and inside the method there is no information whether it was init-container or not and what is the index of a container.

In the error message that I provided the first error relates to the init container but two others relate to a simple container.

[php-coder]

BTW original issue is also exist in kubernetes where fldPath parameter isn't being used by assignSecurityContext(). Let me know if I need to create PR for that too.

[php-coder]

@pweil- Gently ping :)

[mfojtik]

I don't see any sensitive information leaking here and it indeed improves the messaging.

LGTM (but will defer to @pweil- for merge ;-)

[php-coder]

[test]

[php-coder]

I see that we're missing information about container

I've created a separate issue for that: #13909

[php-coder]

Tests failed because of #13619

[php-coder]

[test]

Ping @pweil-

[php-coder]

Ping @pweil-

[openshift-bot]

Evaluated for origin test up to 0b87377

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/1682/) (Base Commit: 67275e1)

[php-coder]

test flake #14328

[pweil-]

LGTM

[php-coder]

@mfojtik Can we merge it?

[php-coder]

@mfojtik Ping. I don't see a reason of not merging it.

[mfojtik]

[merge] sorry for the delay

[php-coder]

test flake #12072 and #14489

[php-coder]

@mfojtik Could you re-run merge process, please?

[php-coder]

@mfojtik and this one too, please :)

[mfojtik]

[merge]

…

On 14 June 2017 at 16:42:23, Vyacheslav Semushin ***@***.***) wrote: @mfojtik <https://github.com/mfojtik> and this one too, please :) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13842 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AACsaK30gObeq4DMxnYj1Xxvf90fyK8iks5sD_FPgaJpZM4NDX0t> .

[openshift-bot]

Evaluated for origin merge up to 0b87377

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/994/) (Base Commit: e87bd0c) (Image: devenv-rhel7_6358)