Kh add readonly for hostpath (#12)

* add test service account

* minor change

* add readonly for allowedHostPath in k8s version greater than 1.11

Author: Kaizhe

Gopkg.lock

@@ -19,6 +19,7 @@ type Processor struct {
 	resourceNamePrefix map[string]bool
 	namespace          string
 	serviceAccountMap  map[string]v1.ServiceAccount
+	serverGitVersion   string
 }
 
 func NewProcessor(kubeconfig string) (*Processor, error) {
@@ -31,9 +32,16 @@ func NewProcessor(kubeconfig string) (*Processor, error) {
 		return nil, err
 	}
 
+	info, err := clientset.ServerVersion()
+
+	if err != nil {
+		return nil, err
+	}
+
 	return &Processor{
 		k8sClient:          clientset,
 		resourceNamePrefix: map[string]bool{},
+		serverGitVersion:   info.GitVersion,
 	}, nil
 }
 
@@ -149,9 +157,12 @@ func (p *Processor) GeneratePSP(cssList []types.ContainerSecuritySpec, pssList [
 	// set allowed host path
 	hostPathList := utils.MapToArray(hostPaths)
 
+	readOnly, _ := utils.CompareVersion(p.serverGitVersion, types.Version1_11)
+
 	for _, path := range hostPathList {
 		psp.Spec.AllowedHostPaths = append(psp.Spec.AllowedHostPaths, v1beta1.AllowedHostPath{
 			PathPrefix: path,
+			ReadOnly:   readOnly,
 		})
 	}
 

advisor/processor/generate.go

@@ -19,6 +19,10 @@ var (
 	}
 )
 
+const (
+	Version1_11 = "v1.11"
+)
+
 //PodSecurityPolicy Recommendation System help in the following attributes:
 //	1. allowPrivilegeEscalation - done
 //	2. allowedCapabilities - done

advisor/types/securityspec.go

@@ -0,0 +1,22 @@
+package utils
+
+import (
+	"github.com/hashicorp/go-version"
+)
+
+// CompareVersion compare two versions
+func CompareVersion(v1, v2 string) (bool, error) {
+	version1, err := version.NewVersion(v1)
+
+	if err != nil {
+		return false, err
+	}
+
+	version2, err := version.NewVersion(v2)
+
+	if err != nil {
+		return false, err
+	}
+
+	return version1.GreaterThan(version2), nil
+}