Validation on RunAsGroup - Update DropDisabled[Alpha]Fields behaviour

ceshihao · ceshihao · commit d4c85e977fe2 · 2018-12-30T23:09:29.000+08:00
diff --git a/pkg/api/pod/util.go b/pkg/api/pod/util.go
@@ -279,7 +279,7 @@ func DropDisabledFields(podSpec, oldPodSpec *api.PodSpec) {
 // dropDisabledRunAsGroupField removes disabled fields from PodSpec related
 // to RunAsGroup
 func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && !runAsGroupInUse(oldPodSpec) {
 		if podSpec.SecurityContext != nil {
 			podSpec.SecurityContext.RunAsGroup = nil
 		}
@@ -293,22 +293,6 @@ func dropDisabledRunAsGroupField(podSpec, oldPodSpec *api.PodSpec) {
 				podSpec.InitContainers[i].SecurityContext.RunAsGroup = nil
 			}
 		}
-
-		if oldPodSpec != nil {
-			if oldPodSpec.SecurityContext != nil {
-				oldPodSpec.SecurityContext.RunAsGroup = nil
-			}
-			for i := range oldPodSpec.Containers {
-				if oldPodSpec.Containers[i].SecurityContext != nil {
-					oldPodSpec.Containers[i].SecurityContext.RunAsGroup = nil
-				}
-			}
-			for i := range oldPodSpec.InitContainers {
-				if oldPodSpec.InitContainers[i].SecurityContext != nil {
-					oldPodSpec.InitContainers[i].SecurityContext.RunAsGroup = nil
-				}
-			}
-		}
 	}
 }
 
@@ -445,3 +429,25 @@ func volumeDevicesInUse(podSpec *api.PodSpec) bool {
 	}
 	return false
 }
+
+// runAsGroupInUse returns true if the pod spec is non-nil and has a SecurityContext's RunAsGroup field set
+func runAsGroupInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+
+	if podSpec.SecurityContext != nil && podSpec.SecurityContext.RunAsGroup != nil {
+		return true
+	}
+	for i := range podSpec.Containers {
+		if podSpec.Containers[i].SecurityContext != nil && podSpec.Containers[i].SecurityContext.RunAsGroup != nil {
+			return true
+		}
+	}
+	for i := range podSpec.InitContainers {
+		if podSpec.InitContainers[i].SecurityContext != nil && podSpec.InitContainers[i].SecurityContext.RunAsGroup != nil {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/api/podsecuritypolicy/util.go b/pkg/api/podsecuritypolicy/util.go
@@ -28,11 +28,8 @@ func DropDisabledFields(pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec) {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) && !allowedProcMountTypesInUse(oldPSPSpec) {
 		pspSpec.AllowedProcMountTypes = nil
 	}
-	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && (oldPSPSpec == nil || oldPSPSpec.RunAsGroup == nil) {
 		pspSpec.RunAsGroup = nil
-		if oldPSPSpec != nil {
-			oldPSPSpec.RunAsGroup = nil
-		}
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -28,11 +28,8 @@ func DropDisabledFields(pspSpec, oldPSPSpec *policy.PodSecurityPolicySpec) {`
`28`	`28`	`if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) && !allowedProcMountTypesInUse(oldPSPSpec) {`
`29`	`29`	`pspSpec.AllowedProcMountTypes = nil`
`30`	`30`	`}`
`31`		`- if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {`
	`31`	`+ if !utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) && (oldPSPSpec == nil \|\| oldPSPSpec.RunAsGroup == nil) {`
`32`	`32`	`pspSpec.RunAsGroup = nil`
`33`		`- if oldPSPSpec != nil {`
`34`		`- oldPSPSpec.RunAsGroup = nil`
`35`		`- }`
`36`	`33`	`}`
`37`	`34`	`}`
`38`	`35`