
Commit 35494ab

author
Rohit Patil
committed
UPSTREAM: 1234: Fix user namespace validation for runAsGroup, fsGroup, and supplementalGroups_3
1 parent ebf29c1 commit 35494ab

2 files changed

+16
-16
lines changed


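--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -5411,7 +5411,7 @@ func validatePodSpecSecurityContext(securityContext *core.PodSecurityContext, sp
 allErrs = append(allErrs, field.Invalid(fldPath.Child("fsGroup"), *(securityContext.FSGroup), msg))
 }
 // When user namespaces are enabled (hostUsers=false), GIDs must be in range 0-65535
-if !hostUsers && *securityContext.FSGroup > 65535 {
+if !hostUsers && *securityContext.FSGroup > 65534 {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("fsGroup"), *securityContext.FSGroup, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
 }
 }
@@ -5420,7 +5420,7 @@ func validatePodSpecSecurityContext(securityContext *core.PodSecurityContext, sp
 allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *(securityContext.RunAsUser), msg))
 }
 // When user namespaces are enabled (hostUsers=false), UIDs must be in range 0-65535
-if !hostUsers && *securityContext.RunAsUser > 65535 {
+if !hostUsers && *securityContext.RunAsUser > 65534 {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *securityContext.RunAsUser, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
 }
 }
@@ -5429,7 +5429,7 @@ func validatePodSpecSecurityContext(securityContext *core.PodSecurityContext, sp
 allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *(securityContext.RunAsGroup), msg))
 }
 // When user namespaces are enabled (hostUsers=false), GIDs must be in range 0-65535
-if !hostUsers && *securityContext.RunAsGroup > 65535 {
+if !hostUsers && *securityContext.RunAsGroup > 65534 {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *securityContext.RunAsGroup, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
 }
 }
@@ -5438,7 +5438,7 @@ func validatePodSpecSecurityContext(securityContext *core.PodSecurityContext, sp
 allErrs = append(allErrs, field.Invalid(fldPath.Child("supplementalGroups").Index(g), gid, msg))
 }
 // When user namespaces are enabled (hostUsers=false), GIDs must be in range 0-65535
-if !hostUsers && gid > 65535 {
+if !hostUsers && gid > 65534 {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("supplementalGroups").Index(g), gid, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
 }
 }
@@ -8089,7 +8089,7 @@ func ValidateSecurityContext(sc *core.SecurityContext, fldPath *field.Path, host
 allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *sc.RunAsUser, msg))
 }
 // When user namespaces are enabled (hostUsers=false), UIDs must be in range 0-65535
-if !hostUsers && *sc.RunAsUser > 65535 {
+if !hostUsers && *sc.RunAsUser > 65534 {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *sc.RunAsUser, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
 }
 }
@@ -8099,7 +8099,7 @@ func ValidateSecurityContext(sc *core.SecurityContext, fldPath *field.Path, host
 allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *sc.RunAsGroup, msg))
 }
 // When user namespaces are enabled (hostUsers=false), GIDs must be in range 0-65535
-if !hostUsers && *sc.RunAsGroup > 65535 {
+if !hostUsers && *sc.RunAsGroup > 65534 {
 allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *sc.RunAsGroup, "must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"))
 }
 }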
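Review bot: The new condition `> 65534` now rejects ID 65535, but the comment directly above it (`GIDs must be in range 0-65535`) and the error detail `"must be between 0 and 65535 when user namespaces are enabled (hostUsers=false)"` still advertise 65535 as valid, so a pod with fsGroup 65535 is refused with a message that says it should be accepted. The limit and the text need to agree: if 65534 is the intended maximum, the comment and message should become `// ... must be in range 0-65534` and `"must be between 0 and 65534 when user namespaces are enabled (hostUsers=false)"`; if 65535 is meant to be allowed, the condition should stay `> 65535`. The same mismatch appears in all six hunks (fsGroup, runAsUser, runAsGroup and supplementalGroups in validatePodSpecSecurityContext, and runAsUser and runAsGroup in ValidateSecurityContext). Both enclosing functions, and the branch that builds `msg` for the lower bound, start outside these hunks, so the full range check cannot be confirmed here.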

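--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -23195,25 +23195,25 @@ func TestValidateSecurityContext(t *testing.T) {
 "runAsUser exceeds user namespace boundary": {
 sc: invalidUserNsUserBoundary,
 errorType: "FieldValueInvalid",
-errorDetail: "must be between 0 and 65534 when user namespaces are enabled",
+errorDetail: "must be between 0 and 65535 when user namespaces are enabled",
 hostUsers: false,
 },
 "runAsUser exceeds user namespace limit": {
 sc: invalidUserNsUserHigh,
 errorType: "FieldValueInvalid",
-errorDetail: "must be between 0 and 65534 when user namespaces are enabled",
+errorDetail: "must be between 0 and 65535 when user namespaces are enabled",
 hostUsers: false,
 },
 "runAsGroup exceeds user namespace boundary": {
 sc: invalidUserNsGroupBoundary,
 errorType: "FieldValueInvalid",
-errorDetail: "must be between 0 and 65534 when user namespaces are enabled",
+errorDetail: "must be between 0 and 65535 when user namespaces are enabled",
 hostUsers: false,
 },
 "runAsGroup exceeds user namespace limit": {
 sc: invalidUserNsGroupHigh,
 errorType: "FieldValueInvalid",
-errorDetail: "must be between 0 and 65534 when user namespaces are enabled",
+errorDetail: "must be between 0 and 65535 when user namespaces are enabled",
 hostUsers: false,
 },
 }
@@ -23307,47 +23307,47 @@ func TestValidatePodSecurityContextUserNamespaceLimits(t *testing.T) {
 FSGroup: &invalidGID,
 },
 hostUsers: false,
-expectedErr: "must be between 0 and 65534 when user namespaces are enabled",
+expectedErr: "must be between 0 and 65535 when user namespaces are enabled",
 },
 {
 name: "runAsUser exceeds limit with hostUsers false",
 sc: &core.PodSecurityContext{
 RunAsUser: &invalidUID,
 },
 hostUsers: false,
-expectedErr: "must be between 0 and 65534 when user namespaces are enabled",
+expectedErr: "must be between 0 and 65535 when user namespaces are enabled",
 },
 {
 name: "runAsGroup exceeds limit with hostUsers false",
 sc: &core.PodSecurityContext{
 RunAsGroup: &invalidGID,
 },
 hostUsers: false,
-expectedErr: "must be between 0 and 65534 when user namespaces are enabled",
+expectedErr: "must be between 0 and 65535 when user namespaces are enabled",
 },
 {
 name: "supplementalGroups exceeds limit with hostUsers false",
 sc: &core.PodSecurityContext{
 SupplementalGroups: []int64{1000, invalidGID, 2000},
 },
 hostUsers: false,
-expectedErr: "must be between 0 and 65534 when user namespaces are enabled",
+expectedErr: "must be between 0 and 65535 when user namespaces are enabled",
 },
 {
 name: "very high fsGroup with hostUsers false",
 sc: &core.PodSecurityContext{
 FSGroup: &veryHighGID,
 },
 hostUsers: false,
-expectedErr: "must be between 0 and 65534 when user namespaces are enabled",
+expectedErr: "must be between 0 and 65535 when user namespaces are enabled",
 },
 {
 name: "very high runAsUser with hostUsers false",
 sc: &core.PodSecurityContext{
 RunAsUser: &veryHighUID,
 },
 hostUsers: false,
-expectedErr: "must be between 0 and 65534 when user namespaces are enabled",
+expectedErr: "must be between 0 and 65535 when user namespaces are enabled",
 },
 }
 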
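Review bot: Both hunks only swap the expected error text; nothing visible pins the threshold that the companion validation.go change actually moves, namely that 65534 is accepted and 65535 is rejected under hostUsers=false. The fixtures `invalidUserNsUserBoundary`, `invalidUserNsGroupBoundary`, `invalidUID`, `invalidGID`, `veryHighUID` and `veryHighGID` are declared outside these hunks, so whether any of them equals exactly 65535 cannot be confirmed from here; a pair of explicit cases such as `RunAsUser: ptr(65534)` expecting no error and `RunAsUser: ptr(65535)` expecting the `must be between 0 and 65535` detail would make the new boundary observable and would also surface that the expected string names a value the code now rejects. Both test functions begin before the first hunk and the second table continues past the last line shown.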