Last active
January 28, 2026 11:01
-
-
Save ibihim/147f52a9f73d9a0bb0bdddeda53f4619 to your computer and use it in GitHub Desktop.
Controller Review
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package controller | |
| /* | |
| ================================================================================ | |
| PRIVILEGED POLICY CONTROLLER - Code Review Exercise | |
| ================================================================================ | |
| WHAT | |
| ---- | |
| This controller enforces security policies for privileged containers. It ensures | |
| that only Pods running under a ServiceAccount with "cluster-admin" privileges | |
| are allowed to have "allowPrivilegeEscalation: true" in their security context. | |
| If a Pod: | |
| - Has allowPrivilegeEscalation enabled, AND | |
| - Its ServiceAccount is NOT bound to the "cluster-admin" ClusterRole | |
| Then the controller will patch the Pod to disable privilege escalation. | |
| Key Kubernetes concepts used: | |
| - ServiceAccount: Identity that Pods run as (like a user account for workloads) | |
| - ClusterRoleBinding: Grants a ClusterRole's permissions to a subject (user/SA) | |
| - SecurityContext: Container-level security settings (privileges, capabilities) | |
| YOUR TASK | |
| --------- | |
| Review the sync() function below. Identify performance issues, inefficiencies, | |
| and anti-patterns. Consider: | |
| - API server load and network calls | |
| - Algorithmic complexity (Big-O) | |
| - Memory allocations | |
| - Order of operations (what should be checked first?) | |
| - What happens at scale (1000s of pods, 100s of service accounts) | |
| ================================================================================ | |
| */ | |
| import ( | |
| "context" | |
| "fmt" | |
| corev1 "k8s.io/api/core/v1" | |
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | |
| "k8s.io/client-go/kubernetes" | |
| ) | |
| const clusterAdminRole = "cluster-admin" | |
| // PrivilegedPolicyController ensures only cluster-admin ServiceAccounts | |
| // can run Pods with allowPrivilegeEscalation enabled. | |
| type PrivilegedPolicyController struct { | |
| // client talks directly to the Kubernetes API server (network calls) | |
| kubeClient kubernetes.Interface | |
| saIsAdminCache SAIsAdminCache | |
| } | |
| // sync enforces the privileged policy across all Pods in the cluster. | |
| // Called periodically and whenever relevant resources change. | |
| func (c *PrivilegedPolicyController) sync(ctx context.Context) error { | |
| // Get all pods in the cluster | |
| pods, err := c.kubeClient.CoreV1().Pods("").List(ctx, metav1.ListOptions{}) | |
| if err != nil { | |
| return fmt.Errorf("failed to list pods: %w", err) | |
| } | |
| var updateErrors []error | |
| for _, pod := range pods.Items { | |
| // Make a copy so we can safely modify it | |
| podCopy := pod.DeepCopy() | |
| // Get all service accounts in the cluster | |
| serviceAccounts, err := c.kubeClient.CoreV1().ServiceAccounts("").List(ctx, metav1.ListOptions{}) | |
| if err != nil { | |
| return fmt.Errorf("failed to list service accounts: %w", err) | |
| } | |
| // Find the service account for this pod | |
| var podServiceAccount *corev1.ServiceAccount | |
| for _, sa := range serviceAccounts.Items { | |
| if sa.Name == pod.Spec.ServiceAccountName && sa.Namespace == pod.Namespace { | |
| podServiceAccount = &sa | |
| break | |
| } | |
| } | |
| if podServiceAccount == nil { | |
| continue // ServiceAccount not found, skip | |
| } | |
| // Check if this service account is bound to cluster-admin | |
| isClusterAdmin, err := c.saIsAdminCache.IsAdmin(podServiceAccount) | |
| if err != nil { | |
| return fmt.Errorf("failed to list service accounts: %w", err) | |
| } | |
| // If not a cluster admin, ensure privilege escalation is disabled | |
| if !isClusterAdmin { | |
| needsUpdate := false | |
| for i := range podCopy.Spec.Containers { | |
| container := &podCopy.Spec.Containers[i] | |
| if container.SecurityContext != nil && | |
| container.SecurityContext.AllowPrivilegeEscalation != nil && | |
| *container.SecurityContext.AllowPrivilegeEscalation { | |
| falseVal := false | |
| container.SecurityContext.AllowPrivilegeEscalation = &falseVal | |
| needsUpdate = true | |
| } | |
| } | |
| for i := range podCopy.Spec.InitContainers { | |
| container := &podCopy.Spec.InitContainers[i] | |
| if container.SecurityContext != nil && | |
| container.SecurityContext.AllowPrivilegeEscalation != nil && | |
| *container.SecurityContext.AllowPrivilegeEscalation { | |
| falseVal := false | |
| container.SecurityContext.AllowPrivilegeEscalation = &falseVal | |
| needsUpdate = true | |
| } | |
| } | |
| if needsUpdate { | |
| _, err := c.kubeClient.CoreV1().Pods(pod.Namespace).Update(ctx, podCopy, metav1.UpdateOptions{}) | |
| if err != nil { | |
| updateErrors = append(updateErrors, fmt.Errorf("pod %s/%s: %w", pod.Namespace, pod.Name, err)) | |
| } | |
| } | |
| } | |
| } | |
| if len(updateErrors) > 0 { | |
| return fmt.Errorf("encountered %d errors: %v", len(updateErrors), updateErrors) | |
| } | |
| return nil | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment