SCC can't be patched via JSONPatch because users is nil

smarterclayton · smarterclayton · commit 9e38f3e7704f · 2017-11-04T18:19:07.000-04:00
When users or groups are nil, standard JSONPatch can't be used to add a
new item to the list because the array is nil instead of empty. Alter
the serialization of SCC so that there is always a user or group
array returned.

This allows us to do declarative patching against SCC until we move to
PSP in a future release.
diff --git a/api/protobuf-spec/github_com_openshift_origin_pkg_security_apis_security_v1.proto b/api/protobuf-spec/github_com_openshift_origin_pkg_security_apis_security_v1.proto
diff --git a/api/swagger-spec/api-v1.json b/api/swagger-spec/api-v1.json
@@ -22774,7 +22774,9 @@
      "allowHostPorts",
      "allowHostPID",
      "allowHostIPC",
-     "readOnlyRootFilesystem"
+     "readOnlyRootFilesystem",
+     "users",
+     "groups"
     ],
     "properties": {
      "kind": {
diff --git a/pkg/security/apis/security/v1/defaults.go b/pkg/security/apis/security/v1/defaults.go
@@ -23,6 +23,13 @@ func SetDefaults_SCC(scc *SecurityContextConstraints) {
 		scc.SupplementalGroups.Type = SupplementalGroupsStrategyRunAsAny
 	}
 
+	if scc.Users == nil {
+		scc.Users = []string{}
+	}
+	if scc.Groups == nil {
+		scc.Groups = []string{}
+	}
+
 	var defaultAllowedVolumes sets.String
 	switch {
 	case scc.Volumes == nil:
diff --git a/pkg/security/apis/security/v1/generated.proto b/pkg/security/apis/security/v1/generated.proto
diff --git a/pkg/security/apis/security/v1/types.go b/pkg/security/apis/security/v1/types.go
@@ -79,9 +79,11 @@ type SecurityContextConstraints struct {
 	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem" protobuf:"varint,17,opt,name=readOnlyRootFilesystem"`
 
 	// The users who have permissions to use this security context constraints
-	Users []string `json:"users,omitempty" protobuf:"bytes,18,rep,name=users"`
+	// +optional
+	Users []string `json:"users" protobuf:"bytes,18,rep,name=users"`
 	// The groups that have permission to use this security context constraints
-	Groups []string `json:"groups,omitempty" protobuf:"bytes,19,rep,name=groups"`
+	// +optional
+	Groups []string `json:"groups" protobuf:"bytes,19,rep,name=groups"`
 
 	// SeccompProfiles lists the allowed profiles that may be set for the pod or
 	// container's seccomp annotations.  An unset (nil) or empty value means that no profiles may
diff --git a/pkg/security/apis/security/v1/zz_generated.conversion.go b/pkg/security/apis/security/v1/zz_generated.conversion.go
@@ -518,8 +518,16 @@ func autoConvert_security_SecurityContextConstraints_To_v1_SecurityContextConstr
 	}
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 	out.SeccompProfiles = *(*[]string)(unsafe.Pointer(&in.SeccompProfiles))
-	out.Users = *(*[]string)(unsafe.Pointer(&in.Users))
-	out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
+	if in.Users == nil {
+		out.Users = make([]string, 0)
+	} else {
+		out.Users = *(*[]string)(unsafe.Pointer(&in.Users))
+	}
+	if in.Groups == nil {
+		out.Groups = make([]string, 0)
+	} else {
+		out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
+	}
 	return nil
 }
 
