github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #47824 from mbohlool/revert2

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099)

Revert 44714 manually

#44714 broke backward compatibility for old swagger spec that kubectl still uses. The decision on #47448 was to revert this change but the change was not automatically revertible. Here I semi-manually remove all references to UnixUserID and UnixGroupID and updated generated files accordingly.

Please wait for tests to pass then review that as there may still be tests that are failing.

Fixes #47448

Adding release note just because the original PR has a release note. If possible, we should remove both release notes as they cancel each other.

**Release note**: (removed by caesarxuchao)

UnixUserID and UnixGroupID is reverted back as int64 to keep backward compatibility.
This commit is contained in:
Kubernetes Submit Queue
2017-06-21 15:21:14 -07:00
committed by GitHub
parent 5d30190b3b 222f6ae37f
commit 03014f486c
119 changed files with 1810 additions and 2252 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
api/swagger-spec/apps_v1beta1.json
View File

@@ -5320,7 +5320,8 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@@ -5379,10 +5380,6 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@@ -5392,7 +5389,8 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@@ -5402,20 +5400,17 @@
"supplementalGroups": {
"type": "array",
"items": {
"$ref": "types.UnixGroupID"
"type": "integer"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"$ref": "types.UnixGroupID",
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

19
api/swagger-spec/batch_v1.json
View File

@@ -3067,7 +3067,8 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@@ -3126,10 +3127,6 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@@ -3139,7 +3136,8 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@@ -3149,20 +3147,17 @@
"supplementalGroups": {
"type": "array",
"items": {
"$ref": "types.UnixGroupID"
"type": "integer"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"$ref": "types.UnixGroupID",
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

19
api/swagger-spec/batch_v2alpha1.json
View File

@@ -4148,7 +4148,8 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@@ -4207,10 +4208,6 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@@ -4220,7 +4217,8 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@@ -4230,20 +4228,17 @@
"supplementalGroups": {
"type": "array",
"items": {
"$ref": "types.UnixGroupID"
"type": "integer"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"$ref": "types.UnixGroupID",
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

19
api/swagger-spec/extensions_v1beta1.json
View File

@@ -8792,7 +8792,8 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@@ -8851,10 +8852,6 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@@ -8864,7 +8861,8 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@@ -8874,20 +8872,17 @@
"supplementalGroups": {
"type": "array",
"items": {
"$ref": "types.UnixGroupID"
"type": "integer"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"$ref": "types.UnixGroupID",
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

19
api/swagger-spec/v1.json
View File

@@ -20623,7 +20623,8 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@@ -20682,10 +20683,6 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@@ -20695,7 +20692,8 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@@ -20705,20 +20703,17 @@
"supplementalGroups": {
"type": "array",
"items": {
"$ref": "types.UnixGroupID"
"type": "integer"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"$ref": "types.UnixGroupID",
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

16
docs/api-reference/apps/v1beta1/definitions.html
View File

@@ -4426,10 +4426,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@@ -4843,10 +4839,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_deploymentrollback">v1beta1.DeploymentRollback</h3>
@@ -5541,7 +5533,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -5555,7 +5547,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -5564,7 +5556,7 @@ Examples:<br>
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@@ -6000,7 +5992,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>

24
docs/api-reference/batch/v1/definitions.html
View File

@@ -1483,10 +1483,6 @@ When an object is created, the system will populate this list with the current s
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_uid">types.UID</h3>
</div>
<div class="sect2">
<h3 id="_v1_azurefilevolumesource">v1.AzureFileVolumeSource</h3>
@@ -1535,6 +1531,10 @@ When an object is created, the system will populate this list with the current s
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_uid">types.UID</h3>
</div>
<div class="sect2">
<h3 id="_v1_iscsivolumesource">v1.ISCSIVolumeSource</h3>
@@ -3672,10 +3672,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@@ -3986,10 +3982,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1_httpheader">v1.HTTPHeader</h3>
@@ -4505,7 +4497,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -4519,7 +4511,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -4528,7 +4520,7 @@ Examples:<br>
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@@ -4978,7 +4970,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>

16
docs/api-reference/batch/v2alpha1/definitions.html
View File

@@ -3679,10 +3679,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@@ -3993,10 +3989,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1_httpheader">v1.HTTPHeader</h3>
@@ -4512,7 +4504,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -4526,7 +4518,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -4535,7 +4527,7 @@ Examples:<br>
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@@ -4916,7 +4908,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>

16
docs/api-reference/extensions/v1beta1/definitions.html
View File

@@ -5094,10 +5094,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@@ -5608,10 +5604,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_deploymentrollback">v1beta1.DeploymentRollback</h3>
@@ -6410,7 +6402,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -6424,7 +6416,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -6433,7 +6425,7 @@ Both these may change in the future. Incoming requests are matched against the h
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@@ -7048,7 +7040,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>

16
docs/api-reference/v1/definitions.html
View File

@@ -6213,10 +6213,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@@ -6616,10 +6612,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1_httpheader">v1.HTTPHeader</h3>
@@ -7272,7 +7264,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -7286,7 +7278,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -7295,7 +7287,7 @@ Examples:<br>
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@@ -8343,7 +8335,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>

19
federation/apis/swagger-spec/extensions_v1beta1.json
View File

@@ -6536,7 +6536,8 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@@ -6595,10 +6596,6 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@@ -6608,7 +6605,8 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"$ref": "types.UnixUserID",
"type": "integer",
"format": "int64",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@@ -6618,20 +6616,17 @@
"supplementalGroups": {
"type": "array",
"items": {
"$ref": "types.UnixGroupID"
"type": "integer"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"$ref": "types.UnixGroupID",
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

16
federation/docs/api-reference/extensions/v1beta1/definitions.html
View File

@@ -4713,10 +4713,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@@ -5130,10 +5126,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_deploymentrollback">v1beta1.DeploymentRollback</h3>
@@ -5832,7 +5824,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -5846,7 +5838,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@@ -5855,7 +5847,7 @@ Both these may change in the future. Incoming requests are matched against the h
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@@ -6429,7 +6421,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>

10
hack/make-rules/test-cmd-util.sh
View File

@@ -2851,6 +2851,16 @@ run_deployment_tests() {
# Clean up
kubectl delete deployment test-nginx-apps "${kube_flags[@]}"
### Test kubectl create deployment should not fail validation
# Pre-Condition: No deployment exists.
kube::test::get_object_assert deployment "{{range.items}}{{$id_field}}:{{end}}" ''
# Command
kubectl create -f hack/testdata/deployment-with-UnixUserID.yaml "${kube_flags[@]}"
# Post-Condition: Deployment "deployment-with-unixuserid" is created.
kube::test::get_object_assert deployment "{{range.items}}{{$id_field}}:{{end}}" 'deployment-with-unixuserid:'
# Clean up
kubectl delete deployment deployment-with-unixuserid "${kube_flags[@]}"
### Test cascading deletion
## Test that rs is deleted when deployment is deleted.
# Pre-condition: no deployment exists

18
hack/testdata/deployment-with-UnixUserID.yaml vendored Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment-with-unixuserid
spec:
replicas: 1
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.7.9
securityContext:
runAsNonRoot: true
runAsUser: 65534

8
pkg/api/types.go
View File

@@ -2263,7 +2263,7 @@ type PodSecurityContext struct {
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// +optional
RunAsUser *types.UnixUserID
RunAsUser *int64
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.
@@ -2276,7 +2276,7 @@ type PodSecurityContext struct {
// to the container's primary GID. If unspecified, no groups will be added to
// any container.
// +optional
SupplementalGroups []types.UnixGroupID
SupplementalGroups []int64
// A special supplemental group that applies to all containers in a pod.
// Some volume types allow the Kubelet to change the ownership of that volume
// to be owned by the pod:
@@ -2287,7 +2287,7 @@ type PodSecurityContext struct {
//
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// +optional
FSGroup *types.UnixGroupID
FSGroup *int64
}
// PodQOSClass defines the supported qos classes of Pods.
@@ -3924,7 +3924,7 @@ type SecurityContext struct {
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// +optional
RunAsUser *types.UnixUserID
RunAsUser *int64
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.

1414
pkg/api/v1/generated.pb.go
View File

File diff suppressed because it is too large Load Diff

169
pkg/api/v1/types.generated.go
View File

@@ -37619,7 +37619,6 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym8 := z.EncBinary()
_ = yym8
if false {
} else if z.HasExtensions() && z.EncExt(yy7) {
} else {
r.EncodeInt(int64(yy7))
}
@@ -37639,7 +37638,6 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym10 := z.EncBinary()
_ = yym10
if false {
} else if z.HasExtensions() && z.EncExt(yy9) {
} else {
r.EncodeInt(int64(yy9))
}
@@ -37691,7 +37689,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
_ = yym17
if false {
} else {
h.encSlicetypes_UnixGroupID(([]pkg1_types.UnixGroupID)(x.SupplementalGroups), e)
z.F.EncSliceInt64V(x.SupplementalGroups, false, e)
}
}
} else {
@@ -37709,7 +37707,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
_ = yym18
if false {
} else {
h.encSlicetypes_UnixGroupID(([]pkg1_types.UnixGroupID)(x.SupplementalGroups), e)
z.F.EncSliceInt64V(x.SupplementalGroups, false, e)
}
}
}
@@ -37724,7 +37722,6 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym21 := z.EncBinary()
_ = yym21
if false {
} else if z.HasExtensions() && z.EncExt(yy20) {
} else {
r.EncodeInt(int64(yy20))
}
@@ -37744,7 +37741,6 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym23 := z.EncBinary()
_ = yym23
if false {
} else if z.HasExtensions() && z.EncExt(yy22) {
} else {
r.EncodeInt(int64(yy22))
}
@@ -37830,12 +37826,11 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
}
} else {
if x.RunAsUser == nil {
x.RunAsUser = new(pkg1_types.UnixUserID)
x.RunAsUser = new(int64)
}
yym6 := z.DecBinary()
_ = yym6
if false {
} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
@@ -37865,7 +37860,7 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
_ = yym10
if false {
} else {
h.decSlicetypes_UnixGroupID((*[]pkg1_types.UnixGroupID)(yyv9), d)
z.F.DecSliceInt64X(yyv9, false, d)
}
}
case "fsGroup":
@@ -37875,12 +37870,11 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
}
} else {
if x.FSGroup == nil {
x.FSGroup = new(pkg1_types.UnixGroupID)
x.FSGroup = new(int64)
}
yym12 := z.DecBinary()
_ = yym12
if false {
} else if z.HasExtensions() && z.DecExt(x.FSGroup) {
} else {
*((*int64)(x.FSGroup)) = int64(r.DecodeInt(64))
}
@@ -37937,12 +37931,11 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
}
} else {
if x.RunAsUser == nil {
x.RunAsUser = new(pkg1_types.UnixUserID)
x.RunAsUser = new(int64)
}
yym16 := z.DecBinary()
_ = yym16
if false {
} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
@@ -37992,7 +37985,7 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
_ = yym20
if false {
} else {
h.decSlicetypes_UnixGroupID((*[]pkg1_types.UnixGroupID)(yyv19), d)
z.F.DecSliceInt64X(yyv19, false, d)
}
}
yyj13++
@@ -38012,12 +38005,11 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
}
} else {
if x.FSGroup == nil {
x.FSGroup = new(pkg1_types.UnixGroupID)
x.FSGroup = new(int64)
}
yym22 := z.DecBinary()
_ = yym22
if false {
} else if z.HasExtensions() && z.DecExt(x.FSGroup) {
} else {
*((*int64)(x.FSGroup)) = int64(r.DecodeInt(64))
}
@@ -67969,7 +67961,6 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym16 := z.EncBinary()
_ = yym16
if false {
} else if z.HasExtensions() && z.EncExt(yy15) {
} else {
r.EncodeInt(int64(yy15))
}
@@ -67989,7 +67980,6 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym18 := z.EncBinary()
_ = yym18
if false {
} else if z.HasExtensions() && z.EncExt(yy17) {
} else {
r.EncodeInt(int64(yy17))
}
@@ -68172,12 +68162,11 @@ func (x *SecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
}
} else {
if x.RunAsUser == nil {
x.RunAsUser = new(pkg1_types.UnixUserID)
x.RunAsUser = new(int64)
}
yym9 := z.DecBinary()
_ = yym9
if false {
} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
@@ -68313,12 +68302,11 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
}
} else {
if x.RunAsUser == nil {
x.RunAsUser = new(pkg1_types.UnixUserID)
x.RunAsUser = new(int64)
}
yym20 := z.DecBinary()
_ = yym20
if false {
} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
@@ -72192,143 +72180,6 @@ func (x codecSelfer1234) decSliceHostAlias(v *[]HostAlias, d *codec1978.Decoder)
}
}
func (x codecSelfer1234) encSlicetypes_UnixGroupID(v []pkg1_types.UnixGroupID, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
_, _, _ = h, z, r
r.EncodeArrayStart(len(v))
for _, yyv1 := range v {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
yym2 := z.EncBinary()
_ = yym2
if false {
} else if z.HasExtensions() && z.EncExt(yyv1) {
} else {
r.EncodeInt(int64(yyv1))
}
}
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
}
func (x codecSelfer1234) decSlicetypes_UnixGroupID(v *[]pkg1_types.UnixGroupID, d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
yyv1 := *v
yyh1, yyl1 := z.DecSliceHelperStart()
var yyc1 bool
_ = yyc1
if yyl1 == 0 {
if yyv1 == nil {
yyv1 = []pkg1_types.UnixGroupID{}
yyc1 = true
} else if len(yyv1) != 0 {
yyv1 = yyv1[:0]
yyc1 = true
}
} else if yyl1 > 0 {
var yyrr1, yyrl1 int
var yyrt1 bool
_, _ = yyrl1, yyrt1
yyrr1 = yyl1 // len(yyv1)
if yyl1 > cap(yyv1) {
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 8)
if yyrt1 {
if yyrl1 <= cap(yyv1) {
yyv1 = yyv1[:yyrl1]
} else {
yyv1 = make([]pkg1_types.UnixGroupID, yyrl1)
}
} else {
yyv1 = make([]pkg1_types.UnixGroupID, yyrl1)
}
yyc1 = true
yyrr1 = len(yyv1)
} else if yyl1 != len(yyv1) {
yyv1 = yyv1[:yyl1]
yyc1 = true
}
yyj1 := 0
for ; yyj1 < yyrr1; yyj1++ {
yyh1.ElemContainerState(yyj1)
if r.TryDecodeAsNil() {
yyv1[yyj1] = 0
} else {
yyv2 := &yyv1[yyj1]
yym3 := z.DecBinary()
_ = yym3
if false {
} else if z.HasExtensions() && z.DecExt(yyv2) {
} else {
*((*int64)(yyv2)) = int64(r.DecodeInt(64))
}
}
}
if yyrt1 {
for ; yyj1 < yyl1; yyj1++ {
yyv1 = append(yyv1, 0)
yyh1.ElemContainerState(yyj1)
if r.TryDecodeAsNil() {
yyv1[yyj1] = 0
} else {
yyv4 := &yyv1[yyj1]
yym5 := z.DecBinary()
_ = yym5
if false {
} else if z.HasExtensions() && z.DecExt(yyv4) {
} else {
*((*int64)(yyv4)) = int64(r.DecodeInt(64))
}
}
}
}
} else {
yyj1 := 0
for ; !r.CheckBreak(); yyj1++ {
if yyj1 >= len(yyv1) {
yyv1 = append(yyv1, 0) // var yyz1 pkg1_types.UnixGroupID
yyc1 = true
}
yyh1.ElemContainerState(yyj1)
if yyj1 < len(yyv1) {
if r.TryDecodeAsNil() {
yyv1[yyj1] = 0
} else {
yyv6 := &yyv1[yyj1]
yym7 := z.DecBinary()
_ = yym7
if false {
} else if z.HasExtensions() && z.DecExt(yyv6) {
} else {
*((*int64)(yyv6)) = int64(r.DecodeInt(64))
}
}
} else {
z.DecSwallow()
}
}
if yyj1 < len(yyv1) {
yyv1 = yyv1[:yyj1]
yyc1 = true
} else if yyj1 == 0 && yyv1 == nil {
yyv1 = []pkg1_types.UnixGroupID{}
yyc1 = true
}
}
yyh1.End()
if yyc1 {
*v = yyv1
}
}
func (x codecSelfer1234) encSlicePodCondition(v []PodCondition, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)

8
pkg/api/v1/types.go
View File

@@ -2548,7 +2548,7 @@ type PodSecurityContext struct {
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// +optional
RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.
@@ -2561,7 +2561,7 @@ type PodSecurityContext struct {
// to the container's primary GID. If unspecified, no groups will be added to
// any container.
// +optional
SupplementalGroups []types.UnixGroupID `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
// A special supplemental group that applies to all containers in a pod.
// Some volume types allow the Kubelet to change the ownership of that volume
// to be owned by the pod:
@@ -2572,7 +2572,7 @@ type PodSecurityContext struct {
//
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// +optional
FSGroup *types.UnixGroupID `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
}
// PodQOSClass defines the supported qos classes of Pods.
@@ -4511,7 +4511,7 @@ type SecurityContext struct {
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// +optional
RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.

16
pkg/api/v1/zz_generated.conversion.go
View File

@@ -3450,10 +3450,10 @@ func Convert_api_PodProxyOptions_To_v1_PodProxyOptions(in *api.PodProxyOptions,
func autoConvert_v1_PodSecurityContext_To_api_PodSecurityContext(in *PodSecurityContext, out *api.PodSecurityContext, s conversion.Scope) error {
out.SELinuxOptions = (*api.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.SupplementalGroups = *(*[]types.UnixGroupID)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*types.UnixGroupID)(unsafe.Pointer(in.FSGroup))
out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
return nil
}
@@ -3462,10 +3462,10 @@ func autoConvert_api_PodSecurityContext_To_v1_PodSecurityContext(in *api.PodSecu
// INFO: in.HostPID opted out of conversion generation
// INFO: in.HostIPC opted out of conversion generation
out.SELinuxOptions = (*SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.SupplementalGroups = *(*[]types.UnixGroupID)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*types.UnixGroupID)(unsafe.Pointer(in.FSGroup))
out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
return nil
}
@@ -4525,7 +4525,7 @@ func autoConvert_v1_SecurityContext_To_api_SecurityContext(in *SecurityContext,
out.Capabilities = (*api.Capabilities)(unsafe.Pointer(in.Capabilities))
out.Privileged = (*bool)(unsafe.Pointer(in.Privileged))
out.SELinuxOptions = (*api.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
return nil
@@ -4540,7 +4540,7 @@ func autoConvert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityConte
out.Capabilities = (*Capabilities)(unsafe.Pointer(in.Capabilities))
out.Privileged = (*bool)(unsafe.Pointer(in.Privileged))
out.SELinuxOptions = (*SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
return nil

8
pkg/api/v1/zz_generated.deepcopy.go
View File

@@ -2469,7 +2469,7 @@ func DeepCopy_v1_PodSecurityContext(in interface{}, out interface{}, c *conversi
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(types.UnixUserID)
*out = new(int64)
**out = **in
}
if in.RunAsNonRoot != nil {
@@ -2479,12 +2479,12 @@ func DeepCopy_v1_PodSecurityContext(in interface{}, out interface{}, c *conversi
}
if in.SupplementalGroups != nil {
in, out := &in.SupplementalGroups, &out.SupplementalGroups
*out = make([]types.UnixGroupID, len(*in))
*out = make([]int64, len(*in))
copy(*out, *in)
}
if in.FSGroup != nil {
in, out := &in.FSGroup, &out.FSGroup
*out = new(types.UnixGroupID)
*out = new(int64)
**out = **in
}
return nil
@@ -3264,7 +3264,7 @@ func DeepCopy_v1_SecurityContext(in interface{}, out interface{}, c *conversion.
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(types.UnixUserID)
*out = new(int64)
**out = **in
}
if in.RunAsNonRoot != nil {

1
pkg/api/validation/BUILD
View File

@@ -81,7 +81,6 @@ go_test(
"//vendor/k8s.io/apimachinery/pkg/api/testing:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",

29
pkg/api/validation/validation_test.go
View File

@@ -24,7 +24,6 @@ import (
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
@@ -3627,10 +3626,10 @@ func TestValidatePodSpec(t *testing.T) {
activeDeadlineSeconds := int64(30)
activeDeadlineSecondsMax := int64(math.MaxInt32)
minUserID := types.UnixUserID(0)
maxUserID := types.UnixUserID(2147483647)
minGroupID := types.UnixGroupID(0)
maxGroupID := types.UnixGroupID(2147483647)
minUserID := int64(0)
maxUserID := int64(2147483647)
minGroupID := int64(0)
maxGroupID := int64(2147483647)
successCases := []api.PodSpec{
{ // Populate basic fields, leave defaults for most.
@@ -3685,7 +3684,7 @@ func TestValidatePodSpec(t *testing.T) {
{ // Populate RunAsUser SupplementalGroups FSGroup with minID 0
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
SupplementalGroups: []types.UnixGroupID{minGroupID},
SupplementalGroups: []int64{minGroupID},
RunAsUser: &minUserID,
FSGroup: &minGroupID,
},
@@ -3695,7 +3694,7 @@ func TestValidatePodSpec(t *testing.T) {
{ // Populate RunAsUser SupplementalGroups FSGroup with maxID 2147483647
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
SupplementalGroups: []types.UnixGroupID{maxGroupID},
SupplementalGroups: []int64{maxGroupID},
RunAsUser: &maxUserID,
FSGroup: &maxGroupID,
},
@@ -3750,10 +3749,10 @@ func TestValidatePodSpec(t *testing.T) {
activeDeadlineSeconds = int64(0)
activeDeadlineSecondsTooLarge := int64(math.MaxInt32 + 1)
minUserID = types.UnixUserID(-1)
maxUserID = types.UnixUserID(2147483648)
minGroupID = types.UnixGroupID(-1)
maxGroupID = types.UnixGroupID(2147483648)
minUserID = int64(-1)
maxUserID = int64(2147483648)
minGroupID = int64(-1)
maxGroupID = int64(2147483648)
failureCases := map[string]api.PodSpec{
"bad volume": {
@@ -3827,7 +3826,7 @@ func TestValidatePodSpec(t *testing.T) {
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
HostNetwork: false,
SupplementalGroups: []types.UnixGroupID{maxGroupID, 1234},
SupplementalGroups: []int64{maxGroupID, 1234},
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@@ -3836,7 +3835,7 @@ func TestValidatePodSpec(t *testing.T) {
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
HostNetwork: false,
SupplementalGroups: []types.UnixGroupID{minGroupID, 1234},
SupplementalGroups: []int64{minGroupID, 1234},
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@@ -9597,7 +9596,7 @@ func TestValidateTLSSecret(t *testing.T) {
func TestValidateSecurityContext(t *testing.T) {
priv := false
runAsUser := types.UnixUserID(1)
runAsUser := int64(1)
fullValidSC := func() *api.SecurityContext {
return &api.SecurityContext{
Privileged: &priv,
@@ -9649,7 +9648,7 @@ func TestValidateSecurityContext(t *testing.T) {
privRequestWithGlobalDeny.Privileged = &requestPrivileged
negativeRunAsUser := fullValidSC()
negativeUser := types.UnixUserID(-1)
negativeUser := int64(-1)
negativeRunAsUser.RunAsUser = &negativeUser
errorCases := map[string]struct {

8
pkg/api/zz_generated.deepcopy.go
View File

@@ -2487,7 +2487,7 @@ func DeepCopy_api_PodSecurityContext(in interface{}, out interface{}, c *convers
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(types.UnixUserID)
*out = new(int64)
**out = **in
}
if in.RunAsNonRoot != nil {
@@ -2497,12 +2497,12 @@ func DeepCopy_api_PodSecurityContext(in interface{}, out interface{}, c *convers
}
if in.SupplementalGroups != nil {
in, out := &in.SupplementalGroups, &out.SupplementalGroups
*out = make([]types.UnixGroupID, len(*in))
*out = make([]int64, len(*in))
copy(*out, *in)
}
if in.FSGroup != nil {
in, out := &in.FSGroup, &out.FSGroup
*out = new(types.UnixGroupID)
*out = new(int64)
**out = **in
}
return nil
@@ -3270,7 +3270,7 @@ func DeepCopy_api_SecurityContext(in interface{}, out interface{}, c *conversion
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(types.UnixUserID)
*out = new(int64)
**out = **in
}
if in.RunAsNonRoot != nil {

1
pkg/apis/extensions/BUILD
View File

@@ -32,7 +32,6 @@ go_library(
"//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
],
)

9
pkg/apis/extensions/types.go
View File

@@ -31,7 +31,6 @@ package extensions
import (
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/kubernetes/pkg/api"
)
@@ -976,17 +975,17 @@ type RunAsUserStrategyOptions struct {
// UserIDRange provides a min/max of an allowed range of UserIDs.
type UserIDRange struct {
// Min is the start of the range, inclusive.
Min types.UnixUserID
Min int64
// Max is the end of the range, inclusive.
Max types.UnixUserID
Max int64
}
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
type GroupIDRange struct {
// Min is the start of the range, inclusive.
Min types.UnixGroupID
Min int64
// Max is the end of the range, inclusive.
Max types.UnixGroupID
Max int64
}
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a

1
pkg/kubelet/dockershim/securitycontext/BUILD
View File

@@ -36,7 +36,6 @@ go_test(
"//pkg/api/testing:go_default_library",
"//pkg/api/v1:go_default_library",
"//vendor/github.com/docker/engine-api/types/container:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)

11
pkg/kubelet/dockershim/securitycontext/provider_test.go
View File

@@ -23,14 +23,13 @@ import (
"testing"
dockercontainer "github.com/docker/engine-api/types/container"
"k8s.io/apimachinery/pkg/types"
apitesting "k8s.io/kubernetes/pkg/api/testing"
"k8s.io/kubernetes/pkg/api/v1"
)
func TestModifyContainerConfig(t *testing.T) {
userID := types.UnixUserID(123)
overrideUserID := types.UnixUserID(321)
userID := int64(123)
overrideUserID := int64(321)
cases := []struct {
name string
@@ -177,7 +176,7 @@ func TestModifyHostConfig(t *testing.T) {
func TestModifyHostConfigPodSecurityContext(t *testing.T) {
supplementalGroupsSC := &v1.PodSecurityContext{}
supplementalGroupsSC.SupplementalGroups = []types.UnixGroupID{2222}
supplementalGroupsSC.SupplementalGroups = []int64{2222}
supplementalGroupHC := fullValidHostConfig()
supplementalGroupHC.GroupAdd = []string{"2222"}
fsGroupHC := fullValidHostConfig()
@@ -186,7 +185,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
extraSupplementalGroupHC.GroupAdd = []string{"1234"}
bothHC := fullValidHostConfig()
bothHC.GroupAdd = []string{"2222", "1234"}
fsGroup := types.UnixGroupID(1234)
fsGroup := int64(1234)
extraSupplementalGroup := []int64{1234}
testCases := map[string]struct {
@@ -211,7 +210,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
},
"FSGroup + SupplementalGroups": {
securityContext: &v1.PodSecurityContext{
SupplementalGroups: []types.UnixGroupID{2222},
SupplementalGroups: []int64{2222},
FSGroup: &fsGroup,
},
expected: bothHC,

4
pkg/kubelet/kubelet_volumes_test.go
View File

@@ -453,10 +453,10 @@ func (f *stubVolume) CanMount() error {
return nil
}
func (f *stubVolume) SetUp(fsGroup *types.UnixGroupID) error {
func (f *stubVolume) SetUp(fsGroup *int64) error {
return nil
}
func (f *stubVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (f *stubVolume) SetUpAt(dir string, fsGroup *int64) error {
return nil
}

3
pkg/kubelet/kuberuntime/kuberuntime_container_test.go
View File

@@ -24,7 +24,6 @@ import (
"github.com/stretchr/testify/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api/v1"
runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
@@ -227,7 +226,7 @@ func TestGenerateContainerConfig(t *testing.T) {
assert.NoError(t, err)
assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.")
runAsUser := types.UnixUserID(0)
runAsUser := int64(0)
runAsNonRootTrue := true
podWithContainerSecurityContext := &v1.Pod{
ObjectMeta: metav1.ObjectMeta{

3
pkg/kubelet/kuberuntime/security_context_test.go
View File

@@ -18,7 +18,6 @@ package kuberuntime
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api/v1"
"github.com/stretchr/testify/assert"
@@ -45,7 +44,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
},
}
rootUser := types.UnixUserID(0)
rootUser := int64(0)
runAsNonRootTrue := true
runAsNonRootFalse := false
imageRootUser := int64(0)

18
pkg/kubelet/rkt/rkt_test.go
View File

@@ -983,10 +983,10 @@ func TestSetApp(t *testing.T) {
}
defer os.RemoveAll(tmpDir)
rootUser := kubetypes.UnixUserID(0)
nonRootUser := kubetypes.UnixUserID(42)
rootUser := int64(0)
nonRootUser := int64(42)
runAsNonRootTrue := true
fsgid := kubetypes.UnixGroupID(3)
fsgid := int64(3)
tests := []struct {
container *v1.Container
@@ -1092,9 +1092,9 @@ func TestSetApp(t *testing.T) {
RunAsNonRoot: &runAsNonRootTrue,
},
podCtx: &v1.PodSecurityContext{
SupplementalGroups: []kubetypes.UnixGroupID{
kubetypes.UnixGroupID(1),
kubetypes.UnixGroupID(2),
SupplementalGroups: []int64{
int64(1),
int64(2),
},
FSGroup: &fsgid,
},
@@ -1157,9 +1157,9 @@ func TestSetApp(t *testing.T) {
RunAsNonRoot: &runAsNonRootTrue,
},
podCtx: &v1.PodSecurityContext{
SupplementalGroups: []kubetypes.UnixGroupID{
kubetypes.UnixGroupID(1),
kubetypes.UnixGroupID(2),
SupplementalGroups: []int64{
int64(1),
int64(2),
},
FSGroup: &fsgid,
},

1
pkg/kubelet/volumemanager/BUILD
View File

@@ -60,7 +60,6 @@ go_test(
"//pkg/volume/util/types:go_default_library",
"//pkg/volume/util/volumehelper:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/client-go/tools/record:go_default_library",
"//vendor/k8s.io/client-go/util/testing:go_default_library",

3
pkg/kubelet/volumemanager/volume_manager_test.go
View File

@@ -24,7 +24,6 @@ import (
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kubetypes "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/client-go/tools/record"
utiltesting "k8s.io/client-go/util/testing"
@@ -239,7 +238,7 @@ func createObjects() (*v1.Node, *v1.Pod, *v1.PersistentVolume, *v1.PersistentVol
},
},
SecurityContext: &v1.PodSecurityContext{
SupplementalGroups: []kubetypes.UnixGroupID{555},
SupplementalGroups: []int64{555},
},
},
}

2
pkg/security/podsecuritypolicy/BUILD
View File

@@ -29,7 +29,6 @@ go_library(
"//pkg/security/podsecuritypolicy/user:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//pkg/util/maps:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
@@ -49,7 +48,6 @@ go_test(
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],

2
pkg/security/podsecuritypolicy/group/BUILD
View File

@@ -21,7 +21,6 @@ go_library(
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@@ -37,7 +36,6 @@ go_test(
deps = [
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)

13
pkg/security/podsecuritypolicy/group/mustrunas.go
View File

@@ -19,7 +19,6 @@ package group
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@@ -47,14 +46,14 @@ func NewMustRunAs(ranges []extensions.GroupIDRange, field string) (GroupStrategy
// Generate creates the group based on policy rules. By default this returns the first group of the
// first range (min val).
func (s *mustRunAs) Generate(pod *api.Pod) ([]types.UnixGroupID, error) {
return []types.UnixGroupID{s.ranges[0].Min}, nil
func (s *mustRunAs) Generate(pod *api.Pod) ([]int64, error) {
return []int64{s.ranges[0].Min}, nil
}
// Generate a single value to be applied. This is used for FSGroup. This strategy will return
// the first group of the first range (min val).
func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
single := new(types.UnixGroupID)
func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
single := new(int64)
*single = s.ranges[0].Min
return single, nil
}
@@ -62,7 +61,7 @@ func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
// Validate ensures that the specified values fall within the range of the strategy.
// Groups are passed in here to allow this strategy to support multiple group fields (fsgroup and
// supplemental groups).
func (s *mustRunAs) Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList {
func (s *mustRunAs) Validate(pod *api.Pod, groups []int64) field.ErrorList {
allErrs := field.ErrorList{}
if pod.Spec.SecurityContext == nil {
@@ -84,7 +83,7 @@ func (s *mustRunAs) Validate(pod *api.Pod, groups []types.UnixGroupID) field.Err
return allErrs
}
func (s *mustRunAs) isGroupValid(group types.UnixGroupID) bool {
func (s *mustRunAs) isGroupValid(group int64) bool {
for _, rng := range s.ranges {
if psputil.GroupFallsInRange(group, rng) {
return true

21
pkg/security/podsecuritypolicy/group/mustrunas_test.go
View File

@@ -19,7 +19,6 @@ package group
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
)
@@ -54,26 +53,26 @@ func TestMustRunAsOptions(t *testing.T) {
func TestGenerate(t *testing.T) {
tests := map[string]struct {
ranges []extensions.GroupIDRange
expected []types.UnixGroupID
expected []int64
}{
"multi value": {
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 2},
},
expected: []types.UnixGroupID{1},
expected: []int64{1},
},
"single value": {
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
},
expected: []types.UnixGroupID{1},
expected: []int64{1},
},
"multi range": {
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
{Min: 2, Max: 500},
},
expected: []types.UnixGroupID{1},
expected: []int64{1},
},
}
@@ -121,7 +120,7 @@ func TestValidate(t *testing.T) {
tests := map[string]struct {
ranges []extensions.GroupIDRange
pod *api.Pod
groups []types.UnixGroupID
groups []int64
pass bool
}{
"nil security context": {
@@ -138,7 +137,7 @@ func TestValidate(t *testing.T) {
},
"not in range": {
pod: validPod(),
groups: []types.UnixGroupID{5},
groups: []int64{5},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
{Min: 4, Max: 4},
@@ -146,7 +145,7 @@ func TestValidate(t *testing.T) {
},
"in range 1": {
pod: validPod(),
groups: []types.UnixGroupID{2},
groups: []int64{2},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
@@ -154,7 +153,7 @@ func TestValidate(t *testing.T) {
},
"in range boundry min": {
pod: validPod(),
groups: []types.UnixGroupID{1},
groups: []int64{1},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
@@ -162,7 +161,7 @@ func TestValidate(t *testing.T) {
},
"in range boundry max": {
pod: validPod(),
groups: []types.UnixGroupID{3},
groups: []int64{3},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
@@ -170,7 +169,7 @@ func TestValidate(t *testing.T) {
},
"singular range": {
pod: validPod(),
groups: []types.UnixGroupID{4},
groups: []int64{4},
ranges: []extensions.GroupIDRange{
{Min: 4, Max: 4},
},

9
pkg/security/podsecuritypolicy/group/runasany.go
View File

@@ -17,7 +17,6 @@ limitations under the License.
package group
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
)
@@ -34,17 +33,17 @@ func NewRunAsAny() (GroupStrategy, error) {
}
// Generate creates the group based on policy rules. This strategy returns an empty slice.
func (s *runAsAny) Generate(pod *api.Pod) ([]types.UnixGroupID, error) {
return []types.UnixGroupID{}, nil
func (s *runAsAny) Generate(pod *api.Pod) ([]int64, error) {
return []int64{}, nil
}
// Generate a single value to be applied. This is used for FSGroup. This strategy returns nil.
func (s *runAsAny) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
func (s *runAsAny) GenerateSingle(pod *api.Pod) (*int64, error) {
return nil, nil
}
// Validate ensures that the specified values fall within the range of the strategy.
func (s *runAsAny) Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList {
func (s *runAsAny) Validate(pod *api.Pod, groups []int64) field.ErrorList {
return field.ErrorList{}
}

7
pkg/security/podsecuritypolicy/group/types.go
View File

@@ -17,7 +17,6 @@ limitations under the License.
package group
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
)
@@ -27,10 +26,10 @@ type GroupStrategy interface {
// Generate creates the group based on policy rules. The underlying implementation can
// decide whether it will return a full range of values or a subset of values from the
// configured ranges.
Generate(pod *api.Pod) ([]types.UnixGroupID, error)
Generate(pod *api.Pod) ([]int64, error)
// Generate a single value to be applied. The underlying implementation decides which
// value to return if configured with multiple ranges. This is used for FSGroup.
GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error)
GenerateSingle(pod *api.Pod) (*int64, error)
// Validate ensures that the specified values fall within the range of the strategy.
Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList
Validate(pod *api.Pod, groups []int64) field.ErrorList
}

3
pkg/security/podsecuritypolicy/provider.go
View File

@@ -19,7 +19,6 @@ package podsecuritypolicy
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@@ -195,7 +194,7 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
return allErrs
}
fsGroups := []types.UnixGroupID{}
fsGroups := []int64{}
if pod.Spec.SecurityContext.FSGroup != nil {
fsGroups = append(fsGroups, *pod.Spec.SecurityContext.FSGroup)
}

17
pkg/security/podsecuritypolicy/provider_test.go
View File

@@ -25,7 +25,6 @@ import (
"github.com/davecgh/go-spew/spew"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
@@ -134,7 +133,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
// Create a PSP with strategies that will populate a blank security context
createPSP := func() *extensions.PodSecurityPolicy {
uid := types.UnixUserID(1)
uid := int64(1)
return &extensions.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "psp-sa",
@@ -206,7 +205,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
failHostIPCPod.Spec.SecurityContext.HostIPC = true
failSupplementalGroupPod := defaultPod()
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{999}
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{999}
failSupplementalGroupPSP := defaultPSP()
failSupplementalGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
@@ -216,7 +215,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
}
failFSGroupPod := defaultPod()
fsGroup := types.UnixGroupID(999)
fsGroup := int64(999)
failFSGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
failFSGroupPSP := defaultPSP()
failFSGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
@@ -363,8 +362,8 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
func TestValidateContainerSecurityContextFailures(t *testing.T) {
// fail user strat
failUserPSP := defaultPSP()
uid := types.UnixUserID(999)
badUID := types.UnixUserID(1)
uid := int64(999)
badUID := int64(1)
failUserPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs,
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
@@ -527,7 +526,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
},
}
supGroupPod := defaultPod()
supGroupPod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{3}
supGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{3}
fsGroupPSP := defaultPSP()
fsGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
@@ -537,7 +536,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
},
}
fsGroupPod := defaultPod()
fsGroup := types.UnixGroupID(3)
fsGroup := int64(3)
fsGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
seLinuxPod := defaultPod()
@@ -660,7 +659,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
// success user strat
userPSP := defaultPSP()
uid := types.UnixUserID(999)
uid := int64(999)
userPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs,
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},

2
pkg/security/podsecuritypolicy/user/BUILD
View File

@@ -22,7 +22,6 @@ go_library(
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@@ -39,7 +38,6 @@ go_test(
deps = [
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)

5
pkg/security/podsecuritypolicy/user/mustrunas.go
View File

@@ -19,7 +19,6 @@ package user
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@@ -45,7 +44,7 @@ func NewMustRunAs(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrate
}
// Generate creates the uid based on policy rules. MustRunAs returns the first range's Min.
func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
return &s.opts.Ranges[0].Min, nil
}
@@ -75,7 +74,7 @@ func (s *mustRunAs) Validate(pod *api.Pod, container *api.Container) field.Error
return allErrs
}
func (s *mustRunAs) isValidUID(id types.UnixUserID) bool {
func (s *mustRunAs) isValidUID(id int64) bool {
for _, rng := range s.opts.Ranges {
if psputil.UserFallsInRange(id, rng) {
return true

5
pkg/security/podsecuritypolicy/user/mustrunas_test.go
View File

@@ -20,7 +20,6 @@ import (
"strings"
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
)
@@ -85,8 +84,8 @@ func TestValidate(t *testing.T) {
},
}
validID := types.UnixUserID(15)
invalidID := types.UnixUserID(21)
validID := int64(15)
invalidID := int64(21)
tests := map[string]struct {
container *api.Container

3
pkg/security/podsecuritypolicy/user/nonroot.go
View File

@@ -19,7 +19,6 @@ package user
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@@ -35,7 +34,7 @@ func NewRunAsNonRoot(options *extensions.RunAsUserStrategyOptions) (RunAsUserStr
// Generate creates the uid based on policy rules. This strategy does return a UID. It assumes
// that the user will specify a UID or the container image specifies a UID.
func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
return nil, nil
}

5
pkg/security/podsecuritypolicy/user/nonroot_test.go
View File

@@ -19,7 +19,6 @@ package user
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
)
@@ -50,8 +49,8 @@ func TestNonRootGenerate(t *testing.T) {
}
func TestNonRootValidate(t *testing.T) {
goodUID := types.UnixUserID(1)
badUID := types.UnixUserID(0)
goodUID := int64(1)
badUID := int64(0)
untrue := false
unfalse := true
s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})

3
pkg/security/podsecuritypolicy/user/runasany.go
View File

@@ -17,7 +17,6 @@ limitations under the License.
package user
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@@ -34,7 +33,7 @@ func NewRunAsAny(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrateg
}
// Generate creates the uid based on policy rules.
func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
return nil, nil
}

3
pkg/security/podsecuritypolicy/user/types.go
View File

@@ -17,7 +17,6 @@ limitations under the License.
package user
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
)
@@ -25,7 +24,7 @@ import (
// RunAsUserStrategy defines the interface for all uid constraint strategies.
type RunAsUserStrategy interface {
// Generate creates the uid based on policy rules.
Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error)
Generate(pod *api.Pod, container *api.Container) (*int64, error)
// Validate ensures that the specified values fall within the range of the strategy.
Validate(pod *api.Pod, container *api.Container) field.ErrorList
}

1
pkg/security/podsecuritypolicy/util/BUILD
View File

@@ -18,7 +18,6 @@ go_library(
deps = [
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
],
)

5
pkg/security/podsecuritypolicy/util/util.go
View File

@@ -19,7 +19,6 @@ package util
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@@ -163,11 +162,11 @@ func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType
}
// UserFallsInRange is a utility to determine it the id falls in the valid range.
func UserFallsInRange(id types.UnixUserID, rng extensions.UserIDRange) bool {
func UserFallsInRange(id int64, rng extensions.UserIDRange) bool {
return id >= rng.Min && id <= rng.Max
}
// GroupFallsInRange is a utility to determine it the id falls in the valid range.
func GroupFallsInRange(id types.UnixGroupID, rng extensions.GroupIDRange) bool {
func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool {
return id >= rng.Min && id <= rng.Max
}

6
pkg/securitycontext/BUILD
View File

@@ -19,7 +19,6 @@ go_library(
deps = [
"//pkg/api:go_default_library",
"//pkg/api/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)
@@ -28,10 +27,7 @@ go_test(
srcs = ["util_test.go"],
library = ":go_default_library",
tags = ["automanaged"],
deps = [
"//pkg/api/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
deps = ["//pkg/api/v1:go_default_library"],
)
filegroup(

9
pkg/securitycontext/util.go
View File

@@ -20,7 +20,6 @@ import (
"fmt"
"strings"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/v1"
)
@@ -120,7 +119,7 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
}
if containerSc.RunAsUser != nil {
effectiveSc.RunAsUser = new(types.UnixUserID)
effectiveSc.RunAsUser = new(int64)
*effectiveSc.RunAsUser = *containerSc.RunAsUser
}
@@ -149,7 +148,7 @@ func securityContextFromPodSecurityContext(pod *v1.Pod) *v1.SecurityContext {
*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
}
if pod.Spec.SecurityContext.RunAsUser != nil {
synthesized.RunAsUser = new(types.UnixUserID)
synthesized.RunAsUser = new(int64)
*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
}
@@ -192,7 +191,7 @@ func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Cont
}
if containerSc.RunAsUser != nil {
effectiveSc.RunAsUser = new(types.UnixUserID)
effectiveSc.RunAsUser = new(int64)
*effectiveSc.RunAsUser = *containerSc.RunAsUser
}
@@ -221,7 +220,7 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
}
if pod.Spec.SecurityContext.RunAsUser != nil {
synthesized.RunAsUser = new(types.UnixUserID)
synthesized.RunAsUser = new(int64)
*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
}

13
pkg/securitycontext/util_test.go
View File

@@ -19,7 +19,6 @@ package securitycontext
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api/v1"
)
@@ -85,13 +84,13 @@ func compareContexts(name string, ex, ac *v1.SELinuxOptions, t *testing.T) {
}
}
func containerWithUser(ptr *types.UnixUserID) *v1.Container {
func containerWithUser(ptr *int64) *v1.Container {
return &v1.Container{SecurityContext: &v1.SecurityContext{RunAsUser: ptr}}
}
func TestHaRootUID(t *testing.T) {
nonRoot := types.UnixUserID(1)
root := types.UnixUserID(0)
nonRoot := int64(1)
root := int64(0)
tests := map[string]struct {
container *v1.Container
@@ -121,7 +120,7 @@ func TestHaRootUID(t *testing.T) {
}
func TestHasRunAsUser(t *testing.T) {
runAsUser := types.UnixUserID(0)
runAsUser := int64(0)
tests := map[string]struct {
container *v1.Container
@@ -148,8 +147,8 @@ func TestHasRunAsUser(t *testing.T) {
}
func TestHasRootRunAsUser(t *testing.T) {
nonRoot := types.UnixUserID(1)
root := types.UnixUserID(0)
nonRoot := int64(1)
root := int64(0)
tests := map[string]struct {
container *v1.Container

4
pkg/volume/aws_ebs/aws_ebs.go
View File

@@ -294,12 +294,12 @@ func (b *awsElasticBlockStoreMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *awsElasticBlockStoreMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *awsElasticBlockStoreMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUpAt attaches the disk and bind mounts to the volume path.
func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, fsGroup *int64) error {
// TODO: handle failed mounts here.
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("PersistentDisk set up: %s %v %v", dir, !notMnt, err)

4
pkg/volume/azure_dd/azure_dd.go
View File

@@ -234,12 +234,12 @@ func (b *azureDiskMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *azureDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *azureDiskMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUpAt attaches the disk and bind mounts to the volume path.
func (b *azureDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *azureDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
b.plugin.volumeLocks.LockKey(b.diskName)
defer b.plugin.volumeLocks.UnlockKey(b.diskName)

4
pkg/volume/azure_file/azure_file.go
View File

@@ -189,11 +189,11 @@ func (b *azureFileMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *azureFileMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *azureFileMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *azureFileMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *azureFileMounter) SetUpAt(dir string, fsGroup *int64) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("AzureFile mount set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/cephfs/cephfs.go
View File

@@ -217,12 +217,12 @@ func (cephfsMounter *cephfsMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (cephfsVolume *cephfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (cephfsVolume *cephfsMounter) SetUp(fsGroup *int64) error {
return cephfsVolume.SetUpAt(cephfsVolume.GetPath(), fsGroup)
}
// SetUpAt attaches the disk and bind mounts to the volume path.
func (cephfsVolume *cephfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (cephfsVolume *cephfsMounter) SetUpAt(dir string, fsGroup *int64) error {
notMnt, err := cephfsVolume.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("CephFS mount set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/cinder/cinder.go
View File

@@ -298,12 +298,12 @@ func (b *cinderVolumeMounter) CanMount() error {
return nil
}
func (b *cinderVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *cinderVolumeMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUp bind mounts to the volume path.
func (b *cinderVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *cinderVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
glog.V(5).Infof("Cinder SetUp %s to %s", b.pdName, dir)
b.plugin.volumeLocks.LockKey(b.pdName)

4
pkg/volume/configmap/configmap.go
View File

@@ -179,11 +179,11 @@ func (b *configMapVolumeMounter) CanMount() error {
return nil
}
func (b *configMapVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *configMapVolumeMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *configMapVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *configMapVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
// Wrap EmptyDir, let it do the setup.

8
pkg/volume/configmap/configmap_test.go
View File

@@ -333,7 +333,7 @@ func TestPlugin(t *testing.T) {
t.Errorf("Got unexpected path: %s", volumePath)
}
fsGroup := types.UnixGroupID(1001)
fsGroup := int64(1001)
err = mounter.SetUp(&fsGroup)
if err != nil {
t.Errorf("Failed to setup volume: %v", err)
@@ -391,7 +391,7 @@ func TestPluginReboot(t *testing.T) {
t.Errorf("Got unexpected path: %s", volumePath)
}
fsGroup := types.UnixGroupID(1001)
fsGroup := int64(1001)
err = mounter.SetUp(&fsGroup)
if err != nil {
t.Errorf("Failed to setup volume: %v", err)
@@ -453,7 +453,7 @@ func TestPluginOptional(t *testing.T) {
t.Errorf("Got unexpected path: %s", volumePath)
}
fsGroup := types.UnixGroupID(1001)
fsGroup := int64(1001)
err = mounter.SetUp(&fsGroup)
if err != nil {
t.Errorf("Failed to setup volume: %v", err)
@@ -528,7 +528,7 @@ func TestPluginKeysOptional(t *testing.T) {
t.Errorf("Got unexpected path: %s", volumePath)
}
fsGroup := types.UnixGroupID(1001)
fsGroup := int64(1001)
err = mounter.SetUp(&fsGroup)
if err != nil {
t.Errorf("Failed to setup volume: %v", err)

4
pkg/volume/downwardapi/downwardapi.go
View File

@@ -168,11 +168,11 @@ func (b *downwardAPIVolumeMounter) CanMount() error {
// This function is not idempotent by design. We want the data to be refreshed periodically.
// The internal sync interval of kubelet will drive the refresh of data.
// TODO: Add volume specific ticker and refresh loop
func (b *downwardAPIVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *downwardAPIVolumeMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *downwardAPIVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *downwardAPIVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
glog.V(3).Infof("Setting up a downwardAPI volume %v for pod %v/%v at %v", b.volName, b.pod.Namespace, b.pod.Name, dir)
// Wrap EmptyDir. Here we rely on the idempotency of the wrapped plugin to avoid repeatedly mounting
wrapped, err := b.plugin.host.NewWrapperMounter(b.volName, wrappedVolumeSpec(), b.pod, *b.opts)

4
pkg/volume/empty_dir/empty_dir.go
View File

@@ -191,12 +191,12 @@ func (b *emptyDir) CanMount() error {
}
// SetUp creates new directory.
func (ed *emptyDir) SetUp(fsGroup *types.UnixGroupID) error {
func (ed *emptyDir) SetUp(fsGroup *int64) error {
return ed.SetUpAt(ed.GetPath(), fsGroup)
}
// SetUpAt creates new directory.
func (ed *emptyDir) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error {
notMnt, err := ed.mounter.IsLikelyNotMountPoint(dir)
// Getting an os.IsNotExist err from is a contingency; the directory
// may not exist yet, in which case, setup should run.

3
pkg/volume/fc/disk_manager.go
View File

@@ -20,7 +20,6 @@ import (
"os"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/volume"
)
@@ -35,7 +34,7 @@ type diskManager interface {
}
// utility to mount a disk based filesystem
func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
globalPDPath := manager.MakeGlobalPDName(*b.fcDisk)
// TODO: handle failed mounts here.
noMnt, err := mounter.IsLikelyNotMountPoint(volPath)

4
pkg/volume/fc/fc.go
View File

@@ -204,11 +204,11 @@ func (b *fcDiskMounter) CanMount() error {
return nil
}
func (b *fcDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *fcDiskMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *fcDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *fcDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
// diskSetUp checks mountpoints and prevent repeated calls
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
if err != nil {

3
pkg/volume/flexvolume/mounter-defaults.go
View File

@@ -21,7 +21,6 @@ import (
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/volume"
)
@@ -29,7 +28,7 @@ type mounterDefaults flexVolumeMounter
// SetUpAt is part of the volume.Mounter interface.
// This implementation relies on the attacher's device mount path and does a bind mount to dir.
func (f *mounterDefaults) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (f *mounterDefaults) SetUpAt(dir string, fsGroup *int64) error {
glog.Warning(logPrefix(f.plugin), "using default SetUpAt to ", dir)
a, err := f.plugin.NewAttacher()

5
pkg/volume/flexvolume/mounter.go
View File

@@ -19,7 +19,6 @@ package flexvolume
import (
"strconv"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/util/exec"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/volume"
@@ -44,12 +43,12 @@ var _ volume.Mounter = &flexVolumeMounter{}
// Mounter interface
// SetUp creates new directory.
func (f *flexVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (f *flexVolumeMounter) SetUp(fsGroup *int64) error {
return f.SetUpAt(f.GetPath(), fsGroup)
}
// SetUpAt creates new directory.
func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
// Mount only once.
alreadyMounted, err := prepareForMount(f.mounter, dir)
if err != nil {

2
pkg/volume/flexvolume/mounter_test.go
View File

@@ -67,6 +67,6 @@ func TestSetUpAt(t *testing.T) {
m, _ := plugin.newMounterInternal(spec, pod, mounter, plugin.runner)
m.SetUpAt(rootDir+"/mount-dir", nil)
fsGroup := types.UnixGroupID(42)
fsGroup := int64(42)
m.SetUpAt(rootDir+"/mount-dir", &fsGroup)
}

4
pkg/volume/flocker/flocker.go
View File

@@ -232,7 +232,7 @@ func (b *flockerVolumeMounter) GetPath() string {
}
// SetUp bind mounts the disk global mount to the volume path.
func (b *flockerVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *flockerVolumeMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
@@ -274,7 +274,7 @@ control service:
need to update the Primary UUID for this volume.
5. Wait until the Primary UUID was updated or timeout.
*/
func (b *flockerVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *flockerVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
var err error
if b.flockerClient == nil {
b.flockerClient, err = b.newFlockerClient()

4
pkg/volume/gce_pd/gce_pd.go
View File

@@ -257,12 +257,12 @@ func (b *gcePersistentDiskMounter) CanMount() error {
}
// SetUp bind mounts the disk global mount to the volume path.
func (b *gcePersistentDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *gcePersistentDiskMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUp bind mounts the disk global mount to the give volume path.
func (b *gcePersistentDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *gcePersistentDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
// TODO: handle failed mounts here.
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("GCE PersistentDisk set up: Dir (%s) PD name (%q) Mounted (%t) Error (%v), ReadOnly (%t)", dir, b.pdName, !notMnt, err, b.readOnly)

4
pkg/volume/git_repo/git_repo.go
View File

@@ -171,12 +171,12 @@ func (b *gitRepoVolumeMounter) CanMount() error {
}
// SetUp creates new directory and clones a git repo.
func (b *gitRepoVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *gitRepoVolumeMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUpAt creates new directory and clones a git repo.
func (b *gitRepoVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *gitRepoVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
if volumeutil.IsReady(b.getMetaDir()) {
return nil
}

4
pkg/volume/glusterfs/glusterfs.go
View File

@@ -252,11 +252,11 @@ func (b *glusterfsMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *glusterfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *glusterfsMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *glusterfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *glusterfsMounter) SetUpAt(dir string, fsGroup *int64) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("glusterfs: mount set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/host_path/host_path.go
View File

@@ -206,7 +206,7 @@ func (b *hostPathMounter) CanMount() error {
}
// SetUp does nothing.
func (b *hostPathMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *hostPathMounter) SetUp(fsGroup *int64) error {
err := validation.ValidatePathNoBacksteps(b.GetPath())
if err != nil {
return fmt.Errorf("invalid HostPath `%s`: %v", b.GetPath(), err)
@@ -215,7 +215,7 @@ func (b *hostPathMounter) SetUp(fsGroup *types.UnixGroupID) error {
}
// SetUpAt does not make sense for host paths - probably programmer error.
func (b *hostPathMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *hostPathMounter) SetUpAt(dir string, fsGroup *int64) error {
return fmt.Errorf("SetUpAt() does not make sense for host paths")
}

3
pkg/volume/iscsi/disk_manager.go
View File

@@ -20,7 +20,6 @@ import (
"os"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/volume"
)
@@ -35,7 +34,7 @@ type diskManager interface {
}
// utility to mount a disk based filesystem
func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
globalPDPath := manager.MakeGlobalPDName(*b.iscsiDisk)
// TODO: handle failed mounts here.
notMnt, err := mounter.IsLikelyNotMountPoint(volPath)

4
pkg/volume/iscsi/iscsi.go
View File

@@ -236,11 +236,11 @@ func (b *iscsiDiskMounter) CanMount() error {
return nil
}
func (b *iscsiDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *iscsiDiskMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *iscsiDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *iscsiDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
// diskSetUp checks mountpoints and prevent repeated calls
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
if err != nil {

4
pkg/volume/local/local.go
View File

@@ -182,12 +182,12 @@ func (m *localVolumeMounter) CanMount() error {
}
// SetUp bind mounts the directory to the volume path
func (m *localVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (m *localVolumeMounter) SetUp(fsGroup *int64) error {
return m.SetUpAt(m.GetPath(), fsGroup)
}
// SetUpAt bind mounts the directory to the volume path and sets up volume ownership
func (m *localVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (m *localVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
if m.globalPath == "" {
err := fmt.Errorf("LocalVolume volume %q path is empty", m.volName)
return err

4
pkg/volume/nfs/nfs.go
View File

@@ -229,11 +229,11 @@ func (b *nfsMounter) GetAttributes() volume.Attributes {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *nfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *nfsMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *nfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *nfsMounter) SetUpAt(dir string, fsGroup *int64) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("NFS mount set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/photon_pd/photon_pd.go
View File

@@ -195,12 +195,12 @@ func (b *photonPersistentDiskMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *photonPersistentDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *photonPersistentDiskMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *photonPersistentDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *photonPersistentDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
glog.V(4).Infof("Photon Persistent Disk setup %s to %s", b.pdID, dir)
// TODO: handle failed mounts here.

4
pkg/volume/portworx/portworx.go
View File

@@ -259,12 +259,12 @@ func (b *portworxVolumeMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *portworxVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *portworxVolumeMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUpAt attaches the disk and bind mounts to the volume path.
func (b *portworxVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *portworxVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("Portworx Volume set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/projected/projected.go
View File

@@ -177,11 +177,11 @@ func (s *projectedVolumeMounter) CanMount() error {
return nil
}
func (s *projectedVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (s *projectedVolumeMounter) SetUp(fsGroup *int64) error {
return s.SetUpAt(s.GetPath(), fsGroup)
}
func (s *projectedVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (s *projectedVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
glog.V(3).Infof("Setting up volume %v for pod %v at %v", s.volName, s.pod.UID, dir)
wrapped, err := s.plugin.host.NewWrapperMounter(s.volName, wrappedVolumeSpec(), s.pod, *s.opts)

4
pkg/volume/quobyte/quobyte.go
View File

@@ -234,12 +234,12 @@ func (mounter *quobyteMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (mounter *quobyteMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (mounter *quobyteMounter) SetUp(fsGroup *int64) error {
pluginDir := mounter.plugin.host.GetPluginDir(strings.EscapeQualifiedNameForDisk(quobytePluginName))
return mounter.SetUpAt(pluginDir, fsGroup)
}
func (mounter *quobyteMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (mounter *quobyteMounter) SetUpAt(dir string, fsGroup *int64) error {
// Check if Quobyte is already mounted on the host in the Plugin Dir
// if so we can use this mountpoint instead of creating a new one
// IsLikelyNotMountPoint wouldn't check the mount type

3
pkg/volume/rbd/disk_manager.go
View File

@@ -26,7 +26,6 @@ import (
"os"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api/v1"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/volume"
@@ -46,7 +45,7 @@ type diskManager interface {
}
// utility to mount a disk based filesystem
func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
globalPDPath := manager.MakeGlobalPDName(*b.rbd)
// TODO: handle failed mounts here.
notMnt, err := mounter.IsLikelyNotMountPoint(volPath)

4
pkg/volume/rbd/rbd.go
View File

@@ -403,11 +403,11 @@ func (b *rbdMounter) CanMount() error {
return nil
}
func (b *rbdMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *rbdMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *rbdMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *rbdMounter) SetUpAt(dir string, fsGroup *int64) error {
// diskSetUp checks mountpoints and prevent repeated calls
glog.V(4).Infof("rbd: attempting to SetUp and mount %s", dir)
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)

4
pkg/volume/scaleio/sio_volume.go
View File

@@ -79,12 +79,12 @@ func (v *sioVolume) CanMount() error {
return nil
}
func (v *sioVolume) SetUp(fsGroup *types.UnixGroupID) error {
func (v *sioVolume) SetUp(fsGroup *int64) error {
return v.SetUpAt(v.GetPath(), fsGroup)
}
// SetUp bind mounts the disk global mount to the volume path.
func (v *sioVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (v *sioVolume) SetUpAt(dir string, fsGroup *int64) error {
v.plugin.volumeMtx.LockKey(v.volSpecName)
defer v.plugin.volumeMtx.UnlockKey(v.volSpecName)

4
pkg/volume/secret/secret.go
View File

@@ -178,11 +178,11 @@ func (b *secretVolumeMounter) CanMount() error {
return nil
}
func (b *secretVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *secretVolumeMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
// Wrap EmptyDir, let it do the setup.

4
pkg/volume/storageos/storageos.go
View File

@@ -333,7 +333,7 @@ func (b *storageosMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *storageosMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *storageosMounter) SetUp(fsGroup *int64) error {
// Need a namespace to find the volume, try pod's namespace if not set.
if b.volNamespace == "" {
glog.V(2).Infof("Setting StorageOS volume namespace to pod namespace: %s", b.podNamespace)
@@ -360,7 +360,7 @@ func (b *storageosMounter) SetUp(fsGroup *types.UnixGroupID) error {
}
// SetUp bind mounts the disk global mount to the give volume path.
func (b *storageosMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *storageosMounter) SetUpAt(dir string, fsGroup *int64) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("StorageOS volume set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/testing/testing.go
View File

@@ -354,7 +354,7 @@ func (fv *FakeVolume) CanMount() error {
return nil
}
func (fv *FakeVolume) SetUp(fsGroup *types.UnixGroupID) error {
func (fv *FakeVolume) SetUp(fsGroup *int64) error {
fv.Lock()
defer fv.Unlock()
fv.SetUpCallCount++
@@ -367,7 +367,7 @@ func (fv *FakeVolume) GetSetUpCallCount() int {
return fv.SetUpCallCount
}
func (fv *FakeVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (fv *FakeVolume) SetUpAt(dir string, fsGroup *int64) error {
return os.MkdirAll(dir, 0750)
}

2
pkg/volume/util/operationexecutor/operation_generator.go
View File

@@ -392,7 +392,7 @@ func (og *operationGenerator) GenerateMountVolumeFunc(
volumeAttacher, _ = attachableVolumePlugin.NewAttacher()
}
var fsGroup *types.UnixGroupID
var fsGroup *int64
if volumeToMount.Pod.Spec.SecurityContext != nil &&
volumeToMount.Pod.Spec.SecurityContext.FSGroup != nil {
fsGroup = volumeToMount.Pod.Spec.SecurityContext.FSGroup

4
pkg/volume/volume.go
View File

@@ -109,14 +109,14 @@ type Mounter interface {
// content should be owned by 'fsGroup' so that it can be
// accessed by the pod. This may be called more than once, so
// implementations must be idempotent.
SetUp(fsGroup *types.UnixGroupID) error
SetUp(fsGroup *int64) error
// SetUpAt prepares and mounts/unpacks the volume to the
// specified directory path, which may or may not exist yet.
// The mount point and its content should be owned by
// 'fsGroup' so that it can be accessed by the pod. This may
// be called more than once, so implementations must be
// idempotent.
SetUpAt(dir string, fsGroup *types.UnixGroupID) error
SetUpAt(dir string, fsGroup *int64) error
// GetAttributes returns the attributes of the mounter.
GetAttributes() Attributes
}

4
pkg/volume/volume_linux.go
View File

@@ -24,8 +24,6 @@ import (
"os"
"k8s.io/apimachinery/pkg/types"
"github.com/golang/glog"
)
@@ -37,7 +35,7 @@ const (
// SetVolumeOwnership modifies the given volume to be owned by
// fsGroup, and sets SetGid so that newly created files are owned by
// fsGroup. If fsGroup is nil nothing is done.
func SetVolumeOwnership(mounter Mounter, fsGroup *types.UnixGroupID) error {
func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error {
if fsGroup == nil {
return nil

4
pkg/volume/volume_unsupported.go
View File

@@ -18,8 +18,6 @@ limitations under the License.
package volume
import "k8s.io/apimachinery/pkg/types"
func SetVolumeOwnership(mounter Mounter, fsGroup *types.UnixGroupID) error {
func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error {
return nil
}

4
pkg/volume/vsphere_volume/vsphere_volume.go
View File

@@ -194,7 +194,7 @@ func (b *vsphereVolumeMounter) GetAttributes() volume.Attributes {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *vsphereVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
func (b *vsphereVolumeMounter) SetUp(fsGroup *int64) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
@@ -206,7 +206,7 @@ func (b *vsphereVolumeMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *vsphereVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
func (b *vsphereVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
glog.V(5).Infof("vSphere volume setup %s to %s", b.volPath, dir)
// TODO: handle failed mounts here.

1
plugin/pkg/admission/security/podsecuritypolicy/BUILD
View File

@@ -50,7 +50,6 @@ go_test(
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apiserver/pkg/admission:go_default_library",

35
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@@ -25,7 +25,6 @@ import (
"github.com/stretchr/testify/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/sets"
kadmission "k8s.io/apiserver/pkg/admission"
@@ -835,7 +834,7 @@ func TestAdmitRunAsUser(t *testing.T) {
// doesn't matter if we set it here or on the container, the
// admission controller uses DetermineEffectiveSC to get the defaulting
// behavior so it can validate what will be applied at runtime
userID := types.UnixUserID(user)
userID := int64(user)
pod.Spec.SecurityContext.RunAsUser = &userID
return pod
}
@@ -855,7 +854,7 @@ func TestAdmitRunAsUser(t *testing.T) {
pod *kapi.Pod
psps []*extensions.PodSecurityPolicy
shouldPass bool
expectedRunAsUser *types.UnixUserID
expectedRunAsUser *int64
expectedPSP string
}{
"runAsAny no pod request": {
@@ -941,8 +940,8 @@ func TestAdmitSupplementalGroups(t *testing.T) {
// doesn't matter if we set it here or on the container, the
// admission controller uses DetermineEffectiveSC to get the defaulting
// behavior so it can validate what will be applied at runtime
groupID := types.UnixGroupID(group)
pod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{groupID}
groupID := int64(group)
pod.Spec.SecurityContext.SupplementalGroups = []int64{groupID}
return pod
}
@@ -957,28 +956,28 @@ func TestAdmitSupplementalGroups(t *testing.T) {
pod *kapi.Pod
psps []*extensions.PodSecurityPolicy
shouldPass bool
expectedSupGroups []types.UnixGroupID
expectedSupGroups []int64
expectedPSP string
}{
"runAsAny no pod request": {
pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{runAsAny},
shouldPass: true,
expectedSupGroups: []types.UnixGroupID{},
expectedSupGroups: []int64{},
expectedPSP: runAsAny.Name,
},
"runAsAny pod request": {
pod: createPodWithSupGroup(1),
psps: []*extensions.PodSecurityPolicy{runAsAny},
shouldPass: true,
expectedSupGroups: []types.UnixGroupID{1},
expectedSupGroups: []int64{1},
expectedPSP: runAsAny.Name,
},
"mustRunAs no pod request": {
pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{mustRunAs},
shouldPass: true,
expectedSupGroups: []types.UnixGroupID{mustRunAs.Spec.SupplementalGroups.Ranges[0].Min},
expectedSupGroups: []int64{mustRunAs.Spec.SupplementalGroups.Ranges[0].Min},
expectedPSP: mustRunAs.Name,
},
"mustRunAs bad pod request": {
@@ -990,7 +989,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
pod: createPodWithSupGroup(999),
psps: []*extensions.PodSecurityPolicy{mustRunAs},
shouldPass: true,
expectedSupGroups: []types.UnixGroupID{999},
expectedSupGroups: []int64{999},
expectedPSP: mustRunAs.Name,
},
}
@@ -1035,7 +1034,7 @@ func TestAdmitFSGroup(t *testing.T) {
pod *kapi.Pod
psps []*extensions.PodSecurityPolicy
shouldPass bool
expectedFSGroup *types.UnixGroupID
expectedFSGroup *int64
expectedPSP string
}{
"runAsAny no pod request": {
@@ -1711,7 +1710,7 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
RunAsUser: extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs,
Ranges: []extensions.UserIDRange{
{Min: types.UnixUserID(999), Max: types.UnixUserID(999)},
{Min: int64(999), Max: int64(999)},
},
},
SELinux: extensions.SELinuxStrategyOptions{
@@ -1723,13 +1722,13 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
FSGroup: extensions.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyMustRunAs,
Ranges: []extensions.GroupIDRange{
{Min: types.UnixGroupID(999), Max: types.UnixGroupID(999)},
{Min: int64(999), Max: int64(999)},
},
},
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
Ranges: []extensions.GroupIDRange{
{Min: types.UnixGroupID(999), Max: types.UnixGroupID(999)},
{Min: int64(999), Max: int64(999)},
},
},
},
@@ -1774,12 +1773,12 @@ func goodPod() *kapi.Pod {
}
}
func userIDPtr(i int) *types.UnixUserID {
userID := types.UnixUserID(i)
func userIDPtr(i int) *int64 {
userID := int64(i)
return &userID
}
func groupIDPtr(i int) *types.UnixGroupID {
groupID := types.UnixGroupID(i)
func groupIDPtr(i int) *int64 {
groupID := int64(i)
return &groupID
}

1
plugin/pkg/admission/securitycontext/scdeny/BUILD
View File

@@ -26,7 +26,6 @@ go_test(
tags = ["automanaged"],
deps = [
"//pkg/api:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
],
)

7
plugin/pkg/admission/securitycontext/scdeny/admission_test.go
View File

@@ -19,7 +19,6 @@ package scdeny
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apiserver/pkg/admission"
"k8s.io/kubernetes/pkg/api"
)
@@ -28,7 +27,7 @@ import (
func TestAdmission(t *testing.T) {
handler := NewSecurityContextDeny()
runAsUser := types.UnixUserID(1)
runAsUser := int64(1)
priv := true
cases := []struct {
@@ -116,7 +115,7 @@ func TestPodSecurityContextAdmission(t *testing.T) {
},
}
fsGroup := types.UnixGroupID(1001)
fsGroup := int64(1001)
tests := []struct {
securityContext api.PodSecurityContext
@@ -128,7 +127,7 @@ func TestPodSecurityContextAdmission(t *testing.T) {
},
{
securityContext: api.PodSecurityContext{
SupplementalGroups: []types.UnixGroupID{types.UnixGroupID(1234)},
SupplementalGroups: []int64{int64(1234)},
},
errorExpected: true,
},

1
staging/src/k8s.io/apimachinery/pkg/types/BUILD
View File

@@ -15,7 +15,6 @@ go_library(
"nodename.go",
"patch.go",
"uid.go",
"unix_user_id.go",
],
tags = ["automanaged"],
)

23
staging/src/k8s.io/apimachinery/pkg/types/unix_user_id.go
View File

@@ -1,23 +0,0 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package types
// int64 is used as a safe bet against wrap-around (uid's are general
// int32) and to support uid_t -1, and -2.
type UnixUserID int64
type UnixGroupID int64

2
staging/src/k8s.io/apimachinery/pkg/util/validation/BUILD
View File

@@ -13,12 +13,10 @@ go_test(
srcs = ["validation_test.go"],
library = ":go_default_library",
tags = ["automanaged"],
deps = ["//vendor/k8s.io/apimachinery/pkg/types:go_default_library"],
)
go_library(
name = "go_default_library",
srcs = ["validation.go"],
tags = ["automanaged"],
deps = ["//vendor/k8s.io/apimachinery/pkg/types:go_default_library"],
)

6
staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go
View File

@@ -22,8 +22,6 @@ import (
"net"
"regexp"
"strings"
"k8s.io/apimachinery/pkg/types"
)
const qnameCharFmt string = "[A-Za-z0-9]"
@@ -200,7 +198,7 @@ const (
)
// IsValidGroupID tests that the argument is a valid Unix GID.
func IsValidGroupID(gid types.UnixGroupID) []string {
func IsValidGroupID(gid int64) []string {
if minGroupID <= gid && gid <= maxGroupID {
return nil
}
@@ -208,7 +206,7 @@ func IsValidGroupID(gid types.UnixGroupID) []string {
}
// IsValidUserID tests that the argument is a valid Unix UID.
func IsValidUserID(uid types.UnixUserID) []string {
func IsValidUserID(uid int64) []string {
if minUserID <= uid && uid <= maxUserID {
return nil
}

14
staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go
View File

@@ -19,8 +19,6 @@ package validation
import (
"strings"
"testing"
"k8s.io/apimachinery/pkg/types"
)
func TestIsDNS1123Label(t *testing.T) {
@@ -156,18 +154,18 @@ func TestIsValidPortNum(t *testing.T) {
}
}
func createGroupIDs(ids ...int64) []types.UnixGroupID {
var output []types.UnixGroupID
func createGroupIDs(ids ...int64) []int64 {
var output []int64
for _, id := range ids {
output = append(output, types.UnixGroupID(id))
output = append(output, int64(id))
}
return output
}
func createUserIDs(ids ...int64) []types.UnixUserID {
var output []types.UnixUserID
func createUserIDs(ids ...int64) []int64 {
var output []int64
for _, id := range ids {
output = append(output, types.UnixUserID(id))
output = append(output, int64(id))
}
return output
}

Some files were not shown because too many files have changed in this diff Show More