feat: add GlobalPodSecurity config plumbing

alam-tahmid · alam-tahmid · commit 0d1ce9f5a710 · 2026-04-07T10:13:04.000-07:00
diff --git a/cni/azure-linux.conflist b/cni/azure-linux.conflist
@@ -6,6 +6,7 @@
          "type":"azure-vnet",
          "mode":"transparent",
          "ipsToRouteViaHost":["169.254.20.10"],
+         "globalPodSecurity":false,
          "ipam":{
             "type":"azure-vnet-ipam"
          }
diff --git a/cni/azure-windows.conflist b/cni/azure-windows.conflist
@@ -5,6 +5,7 @@
     "plugins": [
         {
             "type": "azure-vnet",
+            "globalPodSecurity": false,
             "capabilities": {
                 "portMappings": true,
                 "dns": true
diff --git a/cni/netconfig.go b/cni/netconfig.go
@@ -73,6 +73,7 @@ type NetworkConfig struct {
 	DisableHairpinOnHostInterface bool            `json:"disableHairpinOnHostInterface,omitempty"`
 	DisableIPTableLock            bool            `json:"disableIPTableLock,omitempty"`
 	DisableAsyncDelete            bool            `json:"disableAsyncDelete,omitempty"`
+	GlobalPodSecurity             bool            `json:"globalPodSecurity,omitempty"`
 	CNSUrl                        string          `json:"cnsurl,omitempty"`
 	ExecutionMode                 string          `json:"executionMode,omitempty"`
 	IPAM                          IPAM            `json:"ipam,omitempty"`
diff --git a/cni/netconfig_test.go b/cni/netconfig_test.go
@@ -0,0 +1,45 @@
+// Copyright 2017 Microsoft. All rights reserved.
+// MIT License
+
+package cni
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNetworkConfigGlobalPodSecurity(t *testing.T) {
+	tests := []struct {
+		name      string
+		jsonInput string
+		expected  bool
+	}{
+		{
+			name:      "GlobalPodSecurity set to true",
+			jsonInput: `{"globalPodSecurity": true}`,
+			expected:  true,
+		},
+		{
+			name:      "GlobalPodSecurity set to false",
+			jsonInput: `{"globalPodSecurity": false}`,
+			expected:  false,
+		},
+		{
+			name:      "GlobalPodSecurity omitted defaults to false",
+			jsonInput: `{"name": "test"}`,
+			expected:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var nwCfg NetworkConfig
+			err := json.Unmarshal([]byte(tt.jsonInput), &nwCfg)
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, nwCfg.GlobalPodSecurity)
+		})
+	}
+}
diff --git a/cni/network/network.go b/cni/network/network.go
@@ -743,6 +743,7 @@ func (plugin *NetPlugin) createEpInfo(opt *createEpInfoOpt) (*network.EndpointIn
 		IPsToRouteViaHost:  opt.nwCfg.IPsToRouteViaHost,
 		EnableSnatOnHost:   opt.nwCfg.EnableSnatOnHost,
 		EnableMultiTenancy: opt.nwCfg.MultiTenancy,
+		GlobalPodSecurity:  opt.nwCfg.GlobalPodSecurity,
 		EnableInfraVnet:    opt.enableInfraVnet,
 		EnableSnatForDns:   opt.enableSnatForDNS,
 		PODName:            opt.k8sPodName,
diff --git a/cni/network/network_test.go b/cni/network/network_test.go
@@ -1849,3 +1849,70 @@ func TestValidateArgs(t *testing.T) {
 		})
 	}
 }
+
+func TestCreateEpInfoGlobalPodSecurity(t *testing.T) {
+	p, _ := cni.NewPlugin("name", "0.3.0")
+
+	tests := []struct {
+		name              string
+		globalPodSecurity bool
+	}{
+		{
+			name:              "GlobalPodSecurity enabled",
+			globalPodSecurity: true,
+		},
+		{
+			name:              "GlobalPodSecurity disabled",
+			globalPodSecurity: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			testNwCfg := &cni.NetworkConfig{
+				Master:            eth0IfName,
+				GlobalPodSecurity: tt.globalPodSecurity,
+			}
+			infraSeen := false
+			plugin := &NetPlugin{
+				Plugin: p,
+				nm:     acnnetwork.NewMockNetworkmanager(acnnetwork.NewMockEndpointClient(nil)),
+				netClient: &InterfaceGetterMock{
+					interfaces: []net.Interface{
+						{
+							Name: eth0IfName,
+						},
+					},
+				},
+			}
+			opt := &createEpInfoOpt{
+				nwCfg: testNwCfg,
+				ipamAddConfig: &IPAMAddConfig{
+					nwCfg: testNwCfg,
+					args: &cniSkel.CmdArgs{
+						ContainerID: "test-container",
+						Netns:       "test-netns",
+						IfName:      eth0IfName,
+					},
+				},
+				args: &cniSkel.CmdArgs{
+					ContainerID: "test-container",
+					Netns:       "test-netns",
+					IfName:      eth0IfName,
+				},
+				ifInfo: &acnnetwork.InterfaceInfo{
+					NICType: cns.InfraNIC,
+					HostSubnetPrefix: net.IPNet{
+						IP:   net.ParseIP("10.0.0.0"),
+						Mask: net.CIDRMask(24, 32),
+					},
+				},
+				infraSeen: &infraSeen,
+			}
+
+			epInfo, err := plugin.createEpInfo(opt)
+			require.NoError(t, err)
+			assert.Equal(t, tt.globalPodSecurity, epInfo.GlobalPodSecurity)
+		})
+	}
+}
diff --git a/network/endpoint.go b/network/endpoint.go
@@ -46,6 +46,7 @@ type endpoint struct {
 	EnableSnatOnHost         bool
 	EnableInfraVnet          bool
 	EnableMultitenancy       bool
+	GlobalPodSecurity        bool
 	AllowInboundFromHostToNC bool
 	AllowInboundFromNCToHost bool
 	NetworkContainerID       string
@@ -81,6 +82,7 @@ type EndpointInfo struct {
 	EnableSnatOnHost         bool
 	EnableInfraVnet          bool
 	EnableMultiTenancy       bool
+	GlobalPodSecurity        bool
 	EnableSnatForDns         bool
 	AllowInboundFromHostToNC bool
 	AllowInboundFromNCToHost bool

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@`
`6`	`6`	`"type":"azure-vnet",`
`7`	`7`	`"mode":"transparent",`
`8`	`8`	`"ipsToRouteViaHost":["169.254.20.10"],`
	`9`	`+ "globalPodSecurity":false,`
`9`	`10`	`"ipam":{`
`10`	`11`	`"type":"azure-vnet-ipam"`
`11`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`"plugins": [`
`6`	`6`	`{`
`7`	`7`	`"type": "azure-vnet",`
	`8`	`+ "globalPodSecurity": false,`
`8`	`9`	`"capabilities": {`
`9`	`10`	`"portMappings": true,`
`10`	`11`	`"dns": true`