SecurityContextConstraints: only set runAsNonRoot when runAsUser is nil.

php-coder · php-coder · commit 014f66d83cd5 · 2017-12-18T18:06:21.000+01:00
diff --git a/pkg/security/securitycontextconstraints/provider.go b/pkg/security/securitycontextconstraints/provider.go
@@ -203,7 +203,7 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
 	// if we're using the non-root strategy set the marker that this container should not be
 	// run as root which will signal to the kubelet to do a final check either on the runAsUser
 	// or, if runAsUser is not set, the image
-	if s.scc.RunAsUser.Type == securityapi.RunAsUserStrategyMustRunAsNonRoot {
+	if sc.RunAsNonRoot == nil && sc.RunAsUser == nil && s.scc.RunAsUser.Type == securityapi.RunAsUserStrategyMustRunAsNonRoot {
 		nonRoot := true
 		sc.RunAsNonRoot = &nonRoot
 	}

Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@ func (s simpleProvider) CreateContainerSecurityContext(pod api.Pod, container`
`203`	`203`	`// if we're using the non-root strategy set the marker that this container should not be`
`204`	`204`	`// run as root which will signal to the kubelet to do a final check either on the runAsUser`
`205`	`205`	`// or, if runAsUser is not set, the image`
`206`		`- if s.scc.RunAsUser.Type == securityapi.RunAsUserStrategyMustRunAsNonRoot {`
	`206`	`+ if sc.RunAsNonRoot == nil && sc.RunAsUser == nil && s.scc.RunAsUser.Type == securityapi.RunAsUserStrategyMustRunAsNonRoot {`
`207`	`207`	`nonRoot := true`
`208`	`208`	`sc.RunAsNonRoot = &nonRoot`
`209`	`209`	`}`