CLAassistant
commented
4 years ago
All committers have signed the CLA.
Closed cbarbian-sap closed 4 years ago
CLAassistant
commented
4 years ago
All committers have signed the CLA.
Neumann-Nils
commented
4 years ago Looks good to me and worked while testing it manually. Needs unit tests (https://github.com/karydia/karydia/blob/master/pkg/admission/karydia/admission_test.go) and integration tests (https://github.com/karydia/karydia/blob/master/tests/e2e/admission_security_context_test.go).
cbarbian-sap
commented
4 years ago Unit test and integration tests have been added
Currently (if pre-conditions are fulfilled), Karydia will override an existing pod security context, and just set runAsUser and runAsGroup. Other previously existing attributes (such as fsGroup) will get lost. Which probably should not be the case, as Karydia claims to only own runAsUser and runAsGroup.
This PR tries to fix this behaviour, so that in an existing pod security context, only runAsUser and runAsGroup will be patched by Karydia.
A similar behaviour was observed in the logic where Karydia patches existing container security contexts. This is also covered by this PR.