Merge pull request #1 from soltysh/11075_addons

Added missing policies for PodSecurityPolicy(Review|SelfSubjectReview|SubjectReview)
openshift · Sep 29, 2016 · d30b6f9 · d30b6f9
2 parents 39d7eeb + 96962cb
commit d30b6f9
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 6 deletions.
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -23,6 +23,7 @@ import (
 	quotaapi "github.com/openshift/origin/pkg/quota/api"
 	routeapi "github.com/openshift/origin/pkg/route/api"
 	sdnapi "github.com/openshift/origin/pkg/sdn/api"
+	securityapi "github.com/openshift/origin/pkg/security/api"
 	templateapi "github.com/openshift/origin/pkg/template/api"
 	userapi "github.com/openshift/origin/pkg/user/api"
 )
@@ -38,6 +39,7 @@ var (
 	certificatesGroup = certificates.GroupName
 	extensionsGroup   = extensions.GroupName
 	policyGroup       = policy.GroupName
+	securityGroup     = securityapi.GroupName
 	storageGroup      = storage.GroupName
 	authzGroup        = authorizationapi.GroupName
 	buildGroup        = buildapi.GroupName
@@ -165,6 +167,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 				authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "resourceaccessreviews",
 					"selfsubjectrulesreviews", "subjectaccessreviews").RuleOrDie(),
 				authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(),
+				// permissions to check PSP, these creates are non-mutating
+				authorizationapi.NewRule("create").Groups(securityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(),
 				// Allow read access to node metrics
 				authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource).RuleOrDie(),
 				// Allow read access to stats

diff --git a/pkg/security/registry/podsecuritypolicyreview/rest.go b/pkg/security/registry/podsecuritypolicyreview/rest.go
@@ -43,7 +43,7 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, err
 		return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a PodSecurityPolicyReview: %#v", obj))
 	}
 	if errs := securityvalidation.ValidatePodSecurityPolicyReview(pspr); len(errs) > 0 {
-		return nil, kapierrors.NewInvalid(kapi.Kind("podsecuritypolicyreview"), "", errs)
+		return nil, kapierrors.NewInvalid(securityapi.Kind(pspr.Kind), "", errs)
 	}
 	ns, ok := kapi.NamespaceFrom(ctx)
 	if !ok {
@@ -56,7 +56,7 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, err
 
 	if len(serviceAccounts) == 0 {
 		glog.Errorf("No service accounts for namespace %s", ns)
-		return nil, kapierrors.NewBadRequest(fmt.Sprintf("no a ServiceAccount for namespace: %s", ns))
+		return nil, kapierrors.NewBadRequest(fmt.Sprintf("unable to find ServiceAccount for namespace: %s", ns))
 	}
 
 	errs := []error{}

diff --git a/pkg/security/registry/podsecuritypolicyreview/rest_test.go b/pkg/security/registry/podsecuritypolicyreview/rest_test.go
@@ -178,7 +178,7 @@ func TestErrors(t *testing.T) {
 				},
 			},
 			serviceAccount: admissionttesting.CreateSAForTest(),
-			errorMessage:   "podsecuritypolicyreview \"\" is invalid: spec.podSpec.serviceAccountName: Invalid value: \"A.B.C.D.E\": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')",
+			errorMessage:   ` "" is invalid: spec.podSpec.serviceAccountName: Invalid value: "A.B.C.D.E": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`,
 		},
 		"no SA": {
 			request: &securityapi.PodSecurityPolicyReview{
@@ -194,7 +194,7 @@ func TestErrors(t *testing.T) {
 					},
 				},
 			},
-			errorMessage: "unable to retrieve ServiceAccount default: ServiceAccount \"default\" not found",
+			errorMessage: `unable to retrieve ServiceAccount default: ServiceAccount "default" not found`,
 		},
 	}
 	for testName, testcase := range testcases {

diff --git a/pkg/security/registry/podsecuritypolicysubjectreview/rest.go b/pkg/security/registry/podsecuritypolicysubjectreview/rest.go
@@ -49,7 +49,7 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, err
 	}
 
 	if errs := securityvalidation.ValidatePodSecurityPolicySubjectReview(pspsr); len(errs) > 0 {
-		return nil, kapierrors.NewInvalid(kapi.Kind("podsecuritypolicysubjectreview"), "", errs)
+		return nil, kapierrors.NewInvalid(securityapi.Kind(pspsr.Kind), "", errs)
 	}
 
 	userInfo := &user.DefaultInfo{Name: pspsr.Spec.User, Groups: pspsr.Spec.Groups}

diff --git a/pkg/security/registry/podsecuritypolicysubjectreview/rest_test.go b/pkg/security/registry/podsecuritypolicysubjectreview/rest_test.go
@@ -170,7 +170,7 @@ func TestRequests(t *testing.T) {
 					Groups: []string{"bar", "baz"},
 				},
 			},
-			errorMessage: "podsecuritypolicysubjectreview \"\" is invalid: spec.podSpec.serviceAccountName: Invalid value: \"A.B.C.D\": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')",
+			errorMessage: ` "" is invalid: spec.podSpec.serviceAccountName: Invalid value: "A.B.C.D": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`,
 		},
 		"no provider": {
 			request: &securityapi.PodSecurityPolicySubjectReview{

diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -323,6 +323,15 @@ items:
     - tokenreviews
     verbs:
     - create
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - podsecuritypolicyreviews
+    - podsecuritypolicyselfsubjectreviews
+    - podsecuritypolicysubjectreviews
+    verbs:
+    - create
   - apiGroups:
     - ""
     attributeRestrictions: null