fix!: Don't set spec.PodSecurityContext if empty

We have: - the Pod's spec.securityContext for all the containers in the pods. - per container securityContext. This commit changes the behaviour, so in the case of the Pod not having a spec.securityContext, it doesn't create it. This means that if the containers are correctly configured for runAsUser and runAsGroup, the request will be accepted, instead of mutated. This means that when configured with mutating `false`, the requests will be accepted, and not incorrectly rejected because of unneeded mutation. Signed-off-by: Víctor Cuadrado Juan <[email protected]>
kubewarden · Jan 19, 2024 · 4736238 · 4736238
1 parent 149a0b6
commit 4736238
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/src/lib.rs b/src/lib.rs
@@ -99,9 +99,7 @@ where
     let mut security_context = security_context_option.unwrap_or_default();
     match validation_request.settings.run_as_user.rule {
         Rule::MustRunAs => {
-            if validation_request.settings.run_as_user.overwrite
-                || security_context.run_as_user().is_none()
-            {
+            if validation_request.settings.run_as_user.overwrite {
                 let default_user_id = validation_request.settings.run_as_user.ranges[0].min;
                 security_context.set_run_as_user(Some(default_user_id));
                 return Ok(Some(security_context));
@@ -143,9 +141,7 @@ where
     let mut security_context = security_context_option.unwrap_or_default();
     match validation_request.settings.run_as_group.rule {
         Rule::MustRunAs => {
-            if validation_request.settings.run_as_group.overwrite
-                || security_context.run_as_group().is_none()
-            {
+            if validation_request.settings.run_as_group.overwrite {
                 let default_group_id = validation_request.settings.run_as_group.ranges[0].min;
                 security_context.set_run_as_group(Some(default_group_id));
                 return Ok(Some(security_context));