Introduce security.openshift.io/psp-priority annotation on PSP for ho…
…lding SCC.Priority value.
php-coder committed Apr 19, 2018
1 parent 16cb024 commit 9b50f4d
Showing 3 changed files with 34 additions and 0 deletions.
6 changes: 6 additions & 0 deletions pkg/oc/admin/migrate/scc/scc.go
Expand Up @@ -27,6 +27,11 @@ import (
// It simplifies their identification.
const clusterRoleAndBindingNamePrefix = "psp:"

// pspPriorityAnnotationKey is a name of the annotation that could be present on PodSecurityPolicy and specifies its priority.
// It should be a number. An empty value means 0 priority. Higher values means that the policy has higher priority.
// This is an equivalent of the SCC.Priority field but applies to PSP and it's required for seamless transition.
const pspPriorityAnnotationKey = "security.openshift.io/psp-priority"

var (
internalMigrateSCCShort = "Converts SCCs to similar PSPs"
internalMigrateSCCLong = templates.LongDesc(`
Expand Down Expand Up @@ -169,6 +174,7 @@ func convertSccToPsp(scc *securityapi.SecurityContextConstraints) (*policy.PodSe
annotations := make(map[string]string)
extractSeccompProfiles(scc, annotations)
extractSysctls(scc, annotations)
extractPriority(scc, annotations)

selinux, err := extractSELinux(scc)
if err != nil {
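Review bot: The doc comment on pspPriorityAnnotationKey in the first hunk says only that the value "should be a number", which leaves the encoding open for whoever later reads the annotation back; since the test file constructs Priority as an int32 pointer, the comment should pin it: `// Its value is the base-10 rendering of SCC.Priority (an int32); a missing annotation means priority 0.` Two wording fixes in the same comment: "is a name of the annotation" reads better as "is the name of the annotation", and "Higher values means" should be "Higher values mean". The second hunk's call site looks consistent with the sibling extract helpers; convertSccToPsp continues outside the hunk.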
7 changes: 7 additions & 0 deletions pkg/oc/admin/migrate/scc/scc_to_psp.go
Expand Up @@ -274,3 +274,10 @@ func extractSysctls(scc *securityapi.SecurityContextConstraints, annotations map
annotations[internalextensions.SysctlsPodSecurityPolicyAnnotationKey] = sysctls
}
}

// PSP doesn't have priority like SCC does. We hold the value of SCC.Priroty field in a custom annotation.
func extractPriority(scc *securityapi.SecurityContextConstraints, annotations map[string]string) {
if scc.Priority != nil {
annotations[pspPriorityAnnotationKey] = fmt.Sprintf("%d", *scc.Priority)
}
}
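Review bot: The comment above extractPriority misspells `Priroty` and does not use the Go doc-comment form that starts with the function name; suggest `// extractPriority records SCC.Priority in the pspPriorityAnnotationKey annotation, because PSP has no priority field; a nil Priority leaves the annotation unset.` In the body, `strconv.Itoa(int(*scc.Priority))` produces the identical string to `fmt.Sprintf("%d", *scc.Priority)` without boxing the argument, though that is a style preference. Because this annotation is meant to stand in for SCC.Priority during the transition, whatever eventually reads it should parse it strictly as a base-10 int32 and reject a malformed value rather than silently treating it as 0; nothing in this commit reads the annotation back, so that is a note for the consumer side.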
21 changes: 21 additions & 0 deletions pkg/oc/admin/migrate/scc/scc_to_psp_test.go
@@ -1,6 +1,7 @@
package scc

import (
"fmt"
"reflect"
"testing"

Expand Down Expand Up @@ -572,3 +573,23 @@ func TestExtractSysctls(t *testing.T) {
t.Errorf("extractSysctls() expected annotation %q to be %q but it has value %q", sysctlsAnnotation, expected, actual)
}
}

func TestExtractPriority(t *testing.T) {
var priority int32 = 10
expected := fmt.Sprintf("%d", priority)
scc := &securityapi.SecurityContextConstraints{
Priority: &priority,
}

annotations := make(map[string]string)
extractPriority(scc, annotations)

value, hasAnnotation := annotations[pspPriorityAnnotationKey]
if !hasAnnotation {
t.Fatalf("expected to have annotation %q but it is not set", pspPriorityAnnotationKey)
}

if value != expected {
t.Errorf("expected annotation %q to have value \"%v\" but it has value \"%v\"", pspPriorityAnnotationKey, expected, value)
}
}
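Review bot: TestExtractPriority derives `expected` with the same `fmt.Sprintf("%d", priority)` the implementation uses, so a wrong format string would pass unnoticed, and it only exercises the non-nil case even though the const comment documents "empty value means 0"; pin the literal `"10"` and add a nil-Priority case asserting that no annotation is written. The error message would also read more clearly with `%q` than the hand-escaped `\"%v\"`. If `expected` becomes a literal, the `"fmt"` import added in this file's first hunk is no longer used and must be dropped to keep the test compiling.
```go
	expected := "10"
	// … unchanged: scc construction and non-nil assertions …

	// A nil Priority must leave the annotation unset (documented as "empty means 0").
	annotations = make(map[string]string)
	extractPriority(&securityapi.SecurityContextConstraints{}, annotations)
	if got, hasAnnotation := annotations[pspPriorityAnnotationKey]; hasAnnotation {
		t.Errorf("expected no annotation %q for nil Priority but it has value %q", pspPriorityAnnotationKey, got)
	}
```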
