Merge pull request #61608 from php-coder/psp_move_internal_types_to_policy
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. PSP: move internal types to policy API group **What this PR does / why we need it**: This is a part of the PSP migration from extensions to policy API group. This PR moves internal types to the its final destination. **Which issue(s) this PR fixes**: Addressed to https://github.com/kubernetes/features/issues/5
This commit is contained in:
commit
71e00a6b8e
@ -3,20 +3,12 @@ package(default_visibility = ["//visibility:public"])
|
|||||||
load(
|
load(
|
||||||
"@io_bazel_rules_go//go:def.bzl",
|
"@io_bazel_rules_go//go:def.bzl",
|
||||||
"go_library",
|
"go_library",
|
||||||
"go_test",
|
|
||||||
)
|
|
||||||
|
|
||||||
go_test(
|
|
||||||
name = "go_default_test",
|
|
||||||
srcs = ["helpers_test.go"],
|
|
||||||
embed = [":go_default_library"],
|
|
||||||
)
|
)
|
||||||
|
|
||||||
go_library(
|
go_library(
|
||||||
name = "go_default_library",
|
name = "go_default_library",
|
||||||
srcs = [
|
srcs = [
|
||||||
"doc.go",
|
"doc.go",
|
||||||
"helpers.go",
|
|
||||||
"register.go",
|
"register.go",
|
||||||
"types.go",
|
"types.go",
|
||||||
"zz_generated.deepcopy.go",
|
"zz_generated.deepcopy.go",
|
||||||
@ -26,6 +18,7 @@ go_library(
|
|||||||
"//pkg/apis/autoscaling:go_default_library",
|
"//pkg/apis/autoscaling:go_default_library",
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/networking:go_default_library",
|
"//pkg/apis/networking:go_default_library",
|
||||||
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||||
|
@ -54,34 +54,6 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
|
|||||||
j.RollingUpdate = &rollingUpdate
|
j.RollingUpdate = &rollingUpdate
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
func(psp *extensions.PodSecurityPolicySpec, c fuzz.Continue) {
|
|
||||||
c.FuzzNoCustom(psp) // fuzz self without calling this function again
|
|
||||||
|
|
||||||
runAsUserRules := []extensions.RunAsUserStrategy{
|
|
||||||
extensions.RunAsUserStrategyMustRunAsNonRoot,
|
|
||||||
extensions.RunAsUserStrategyMustRunAs,
|
|
||||||
extensions.RunAsUserStrategyRunAsAny,
|
|
||||||
}
|
|
||||||
psp.RunAsUser.Rule = runAsUserRules[c.Rand.Intn(len(runAsUserRules))]
|
|
||||||
|
|
||||||
seLinuxRules := []extensions.SELinuxStrategy{
|
|
||||||
extensions.SELinuxStrategyMustRunAs,
|
|
||||||
extensions.SELinuxStrategyRunAsAny,
|
|
||||||
}
|
|
||||||
psp.SELinux.Rule = seLinuxRules[c.Rand.Intn(len(seLinuxRules))]
|
|
||||||
|
|
||||||
supplementalGroupsRules := []extensions.SupplementalGroupsStrategyType{
|
|
||||||
extensions.SupplementalGroupsStrategyRunAsAny,
|
|
||||||
extensions.SupplementalGroupsStrategyMustRunAs,
|
|
||||||
}
|
|
||||||
psp.SupplementalGroups.Rule = supplementalGroupsRules[c.Rand.Intn(len(supplementalGroupsRules))]
|
|
||||||
|
|
||||||
fsGroupRules := []extensions.FSGroupStrategyType{
|
|
||||||
extensions.FSGroupStrategyMustRunAs,
|
|
||||||
extensions.FSGroupStrategyRunAsAny,
|
|
||||||
}
|
|
||||||
psp.FSGroup.Rule = fsGroupRules[c.Rand.Intn(len(fsGroupRules))]
|
|
||||||
},
|
|
||||||
func(j *extensions.DaemonSetSpec, c fuzz.Continue) {
|
func(j *extensions.DaemonSetSpec, c fuzz.Continue) {
|
||||||
c.FuzzNoCustom(j) // fuzz self without calling this function again
|
c.FuzzNoCustom(j) // fuzz self without calling this function again
|
||||||
rhl := int32(c.Rand.Int31())
|
rhl := int32(c.Rand.Int31())
|
||||||
|
@ -21,6 +21,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
"k8s.io/kubernetes/pkg/apis/autoscaling"
|
"k8s.io/kubernetes/pkg/apis/autoscaling"
|
||||||
"k8s.io/kubernetes/pkg/apis/networking"
|
"k8s.io/kubernetes/pkg/apis/networking"
|
||||||
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
// GroupName is the group name use in this package
|
// GroupName is the group name use in this package
|
||||||
@ -58,8 +59,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
|
|||||||
&IngressList{},
|
&IngressList{},
|
||||||
&ReplicaSet{},
|
&ReplicaSet{},
|
||||||
&ReplicaSetList{},
|
&ReplicaSetList{},
|
||||||
&PodSecurityPolicy{},
|
&policy.PodSecurityPolicy{},
|
||||||
&PodSecurityPolicyList{},
|
&policy.PodSecurityPolicyList{},
|
||||||
&autoscaling.Scale{},
|
&autoscaling.Scale{},
|
||||||
&networking.NetworkPolicy{},
|
&networking.NetworkPolicy{},
|
||||||
&networking.NetworkPolicyList{},
|
&networking.NetworkPolicyList{},
|
||||||
|
@ -35,13 +35,6 @@ import (
|
|||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
|
||||||
// SysctlsPodSecurityPolicyAnnotationKey represents the key of a whitelist of
|
|
||||||
// allowed safe and unsafe sysctls in a pod spec. It's a comma-separated list of plain sysctl
|
|
||||||
// names or sysctl patterns (which end in *). The string "*" matches all sysctls.
|
|
||||||
SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
|
|
||||||
)
|
|
||||||
|
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
|
|
||||||
// Dummy definition
|
// Dummy definition
|
||||||
@ -780,271 +773,3 @@ type ReplicaSetCondition struct {
|
|||||||
// +optional
|
// +optional
|
||||||
Message string
|
Message string
|
||||||
}
|
}
|
||||||
|
|
||||||
// +genclient
|
|
||||||
// +genclient:nonNamespaced
|
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
||||||
|
|
||||||
// PodSecurityPolicy governs the ability to make requests that affect the SecurityContext
|
|
||||||
// that will be applied to a pod and container.
|
|
||||||
type PodSecurityPolicy struct {
|
|
||||||
metav1.TypeMeta
|
|
||||||
// +optional
|
|
||||||
metav1.ObjectMeta
|
|
||||||
|
|
||||||
// Spec defines the policy enforced.
|
|
||||||
// +optional
|
|
||||||
Spec PodSecurityPolicySpec
|
|
||||||
}
|
|
||||||
|
|
||||||
// PodSecurityPolicySpec defines the policy enforced.
|
|
||||||
type PodSecurityPolicySpec struct {
|
|
||||||
// Privileged determines if a pod can request to be run as privileged.
|
|
||||||
// +optional
|
|
||||||
Privileged bool
|
|
||||||
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
|
|
||||||
// unless the pod spec specifically drops the capability. You may not list a capability in both
|
|
||||||
// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
|
|
||||||
// allowed, and need not be included in the AllowedCapabilities list.
|
|
||||||
// +optional
|
|
||||||
DefaultAddCapabilities []api.Capability
|
|
||||||
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
|
|
||||||
// are required to be dropped and cannot be added.
|
|
||||||
// +optional
|
|
||||||
RequiredDropCapabilities []api.Capability
|
|
||||||
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
|
|
||||||
// Capabilities in this field may be added at the pod author's discretion.
|
|
||||||
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
|
|
||||||
// To allow all capabilities you may use '*'.
|
|
||||||
// +optional
|
|
||||||
AllowedCapabilities []api.Capability
|
|
||||||
// Volumes is a white list of allowed volume plugins. Empty indicates that
|
|
||||||
// no volumes may be used. To allow all volumes you may use '*'.
|
|
||||||
// +optional
|
|
||||||
Volumes []FSType
|
|
||||||
// HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
|
|
||||||
// +optional
|
|
||||||
HostNetwork bool
|
|
||||||
// HostPorts determines which host port ranges are allowed to be exposed.
|
|
||||||
// +optional
|
|
||||||
HostPorts []HostPortRange
|
|
||||||
// HostPID determines if the policy allows the use of HostPID in the pod spec.
|
|
||||||
// +optional
|
|
||||||
HostPID bool
|
|
||||||
// HostIPC determines if the policy allows the use of HostIPC in the pod spec.
|
|
||||||
// +optional
|
|
||||||
HostIPC bool
|
|
||||||
// SELinux is the strategy that will dictate the allowable labels that may be set.
|
|
||||||
SELinux SELinuxStrategyOptions
|
|
||||||
// RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
|
|
||||||
RunAsUser RunAsUserStrategyOptions
|
|
||||||
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
|
|
||||||
SupplementalGroups SupplementalGroupsStrategyOptions
|
|
||||||
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
|
|
||||||
FSGroup FSGroupStrategyOptions
|
|
||||||
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
|
|
||||||
// system. If the container specifically requests to run with a non-read only root file system
|
|
||||||
// the PSP should deny the pod.
|
|
||||||
// If set to false the container may run with a read only root file system if it wishes but it
|
|
||||||
// will not be forced to.
|
|
||||||
// +optional
|
|
||||||
ReadOnlyRootFilesystem bool
|
|
||||||
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
|
|
||||||
// process can gain more privileges than its parent process.
|
|
||||||
// +optional
|
|
||||||
DefaultAllowPrivilegeEscalation *bool
|
|
||||||
// AllowPrivilegeEscalation determines if a pod can request to allow
|
|
||||||
// privilege escalation. If unspecified, defaults to true.
|
|
||||||
// +optional
|
|
||||||
AllowPrivilegeEscalation bool
|
|
||||||
// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
|
|
||||||
// +optional
|
|
||||||
AllowedHostPaths []AllowedHostPath
|
|
||||||
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
|
|
||||||
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
|
|
||||||
// is allowed in the "Volumes" field.
|
|
||||||
// +optional
|
|
||||||
AllowedFlexVolumes []AllowedFlexVolume
|
|
||||||
}
|
|
||||||
|
|
||||||
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
|
|
||||||
// for pods to use. It requires the path prefix to be defined.
|
|
||||||
type AllowedHostPath struct {
|
|
||||||
// PathPrefix is the path prefix that the host volume must match.
|
|
||||||
// PathPrefix does not support `*`.
|
|
||||||
// Trailing slashes are trimmed when validating the path prefix with a host path.
|
|
||||||
//
|
|
||||||
// Examples:
|
|
||||||
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
|
|
||||||
// `/foo` would not allow `/food` or `/etc/foo`
|
|
||||||
PathPrefix string
|
|
||||||
}
|
|
||||||
|
|
||||||
// HostPortRange defines a range of host ports that will be enabled by a policy
|
|
||||||
// for pods to use. It requires both the start and end to be defined.
|
|
||||||
type HostPortRange struct {
|
|
||||||
// Min is the start of the range, inclusive.
|
|
||||||
Min int32
|
|
||||||
// Max is the end of the range, inclusive.
|
|
||||||
Max int32
|
|
||||||
}
|
|
||||||
|
|
||||||
// AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities
|
|
||||||
// field and means that any capabilities are allowed to be requested.
|
|
||||||
var AllowAllCapabilities api.Capability = "*"
|
|
||||||
|
|
||||||
// FSType gives strong typing to different file systems that are used by volumes.
|
|
||||||
type FSType string
|
|
||||||
|
|
||||||
var (
|
|
||||||
AzureFile FSType = "azureFile"
|
|
||||||
Flocker FSType = "flocker"
|
|
||||||
FlexVolume FSType = "flexVolume"
|
|
||||||
HostPath FSType = "hostPath"
|
|
||||||
EmptyDir FSType = "emptyDir"
|
|
||||||
GCEPersistentDisk FSType = "gcePersistentDisk"
|
|
||||||
AWSElasticBlockStore FSType = "awsElasticBlockStore"
|
|
||||||
GitRepo FSType = "gitRepo"
|
|
||||||
Secret FSType = "secret"
|
|
||||||
NFS FSType = "nfs"
|
|
||||||
ISCSI FSType = "iscsi"
|
|
||||||
Glusterfs FSType = "glusterfs"
|
|
||||||
PersistentVolumeClaim FSType = "persistentVolumeClaim"
|
|
||||||
RBD FSType = "rbd"
|
|
||||||
Cinder FSType = "cinder"
|
|
||||||
CephFS FSType = "cephFS"
|
|
||||||
DownwardAPI FSType = "downwardAPI"
|
|
||||||
FC FSType = "fc"
|
|
||||||
ConfigMap FSType = "configMap"
|
|
||||||
VsphereVolume FSType = "vsphereVolume"
|
|
||||||
Quobyte FSType = "quobyte"
|
|
||||||
AzureDisk FSType = "azureDisk"
|
|
||||||
PhotonPersistentDisk FSType = "photonPersistentDisk"
|
|
||||||
StorageOS FSType = "storageos"
|
|
||||||
Projected FSType = "projected"
|
|
||||||
PortworxVolume FSType = "portworxVolume"
|
|
||||||
ScaleIO FSType = "scaleIO"
|
|
||||||
CSI FSType = "csi"
|
|
||||||
All FSType = "*"
|
|
||||||
)
|
|
||||||
|
|
||||||
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
|
|
||||||
type AllowedFlexVolume struct {
|
|
||||||
// Driver is the name of the Flexvolume driver.
|
|
||||||
Driver string
|
|
||||||
}
|
|
||||||
|
|
||||||
// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
|
|
||||||
type SELinuxStrategyOptions struct {
|
|
||||||
// Rule is the strategy that will dictate the allowable labels that may be set.
|
|
||||||
Rule SELinuxStrategy
|
|
||||||
// SELinuxOptions required to run as; required for MustRunAs
|
|
||||||
// More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
|
|
||||||
// +optional
|
|
||||||
SELinuxOptions *api.SELinuxOptions
|
|
||||||
}
|
|
||||||
|
|
||||||
// SELinuxStrategy denotes strategy types for generating SELinux options for a
|
|
||||||
// Security.
|
|
||||||
type SELinuxStrategy string
|
|
||||||
|
|
||||||
const (
|
|
||||||
// SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
|
|
||||||
SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
|
|
||||||
// SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
|
|
||||||
SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
|
|
||||||
)
|
|
||||||
|
|
||||||
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
|
|
||||||
type RunAsUserStrategyOptions struct {
|
|
||||||
// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
|
|
||||||
Rule RunAsUserStrategy
|
|
||||||
// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
|
|
||||||
// then supply a single range with the same start and end. Required for MustRunAs.
|
|
||||||
// +optional
|
|
||||||
Ranges []UserIDRange
|
|
||||||
}
|
|
||||||
|
|
||||||
// UserIDRange provides a min/max of an allowed range of UserIDs.
|
|
||||||
type UserIDRange struct {
|
|
||||||
// Min is the start of the range, inclusive.
|
|
||||||
Min int64
|
|
||||||
// Max is the end of the range, inclusive.
|
|
||||||
Max int64
|
|
||||||
}
|
|
||||||
|
|
||||||
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
|
|
||||||
type GroupIDRange struct {
|
|
||||||
// Min is the start of the range, inclusive.
|
|
||||||
Min int64
|
|
||||||
// Max is the end of the range, inclusive.
|
|
||||||
Max int64
|
|
||||||
}
|
|
||||||
|
|
||||||
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
|
|
||||||
// SecurityContext.
|
|
||||||
type RunAsUserStrategy string
|
|
||||||
|
|
||||||
const (
|
|
||||||
// RunAsUserStrategyMustRunAs means that container must run as a particular uid.
|
|
||||||
RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
|
|
||||||
// RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid
|
|
||||||
RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
|
|
||||||
// RunAsUserStrategyRunAsAny means that container may make requests for any uid.
|
|
||||||
RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
|
|
||||||
)
|
|
||||||
|
|
||||||
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
|
|
||||||
type FSGroupStrategyOptions struct {
|
|
||||||
// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
|
|
||||||
// +optional
|
|
||||||
Rule FSGroupStrategyType
|
|
||||||
// Ranges are the allowed ranges of fs groups. If you would like to force a single
|
|
||||||
// fs group then supply a single range with the same start and end. Required for MustRunAs.
|
|
||||||
// +optional
|
|
||||||
Ranges []GroupIDRange
|
|
||||||
}
|
|
||||||
|
|
||||||
// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
|
|
||||||
// SecurityContext
|
|
||||||
type FSGroupStrategyType string
|
|
||||||
|
|
||||||
const (
|
|
||||||
// FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.
|
|
||||||
FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
|
|
||||||
// FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
|
|
||||||
FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
|
|
||||||
)
|
|
||||||
|
|
||||||
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
|
|
||||||
type SupplementalGroupsStrategyOptions struct {
|
|
||||||
// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
|
|
||||||
// +optional
|
|
||||||
Rule SupplementalGroupsStrategyType
|
|
||||||
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
|
|
||||||
// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
|
|
||||||
// +optional
|
|
||||||
Ranges []GroupIDRange
|
|
||||||
}
|
|
||||||
|
|
||||||
// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
|
|
||||||
// groups for a SecurityContext.
|
|
||||||
type SupplementalGroupsStrategyType string
|
|
||||||
|
|
||||||
const (
|
|
||||||
// SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
|
|
||||||
SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
|
|
||||||
// SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
|
|
||||||
SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
|
|
||||||
)
|
|
||||||
|
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
||||||
|
|
||||||
// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
|
|
||||||
type PodSecurityPolicyList struct {
|
|
||||||
metav1.TypeMeta
|
|
||||||
// +optional
|
|
||||||
metav1.ListMeta
|
|
||||||
|
|
||||||
Items []PodSecurityPolicy
|
|
||||||
}
|
|
||||||
|
@ -23,6 +23,7 @@ go_library(
|
|||||||
"//pkg/apis/core/v1:go_default_library",
|
"//pkg/apis/core/v1:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/extensions:go_default_library",
|
||||||
"//pkg/apis/networking:go_default_library",
|
"//pkg/apis/networking:go_default_library",
|
||||||
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//vendor/k8s.io/api/core/v1:go_default_library",
|
"//vendor/k8s.io/api/core/v1:go_default_library",
|
||||||
"//vendor/k8s.io/api/extensions/v1beta1:go_default_library",
|
"//vendor/k8s.io/api/extensions/v1beta1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
|
@ -61,7 +61,6 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
|
|||||||
Convert_networking_NetworkPolicyPort_To_v1beta1_NetworkPolicyPort,
|
Convert_networking_NetworkPolicyPort_To_v1beta1_NetworkPolicyPort,
|
||||||
Convert_v1beta1_NetworkPolicySpec_To_networking_NetworkPolicySpec,
|
Convert_v1beta1_NetworkPolicySpec_To_networking_NetworkPolicySpec,
|
||||||
Convert_networking_NetworkPolicySpec_To_v1beta1_NetworkPolicySpec,
|
Convert_networking_NetworkPolicySpec_To_v1beta1_NetworkPolicySpec,
|
||||||
Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
|
|
||||||
Convert_v1beta1_IPBlock_To_networking_IPBlock,
|
Convert_v1beta1_IPBlock_To_networking_IPBlock,
|
||||||
Convert_networking_IPBlock_To_v1beta1_IPBlock,
|
Convert_networking_IPBlock_To_v1beta1_IPBlock,
|
||||||
Convert_networking_NetworkPolicyEgressRule_To_v1beta1_NetworkPolicyEgressRule,
|
Convert_networking_NetworkPolicyEgressRule_To_v1beta1_NetworkPolicyEgressRule,
|
||||||
@ -503,7 +502,3 @@ func Convert_networking_NetworkPolicyList_To_v1beta1_NetworkPolicyList(in *netwo
|
|||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *extensionsv1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
|
|
||||||
return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
|
|
||||||
}
|
|
||||||
|
@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/policy
|
||||||
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/extensions
|
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/extensions
|
||||||
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/autoscaling
|
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/autoscaling
|
||||||
// +k8s:conversion-gen-external-types=k8s.io/api/extensions/v1beta1
|
// +k8s:conversion-gen-external-types=k8s.io/api/extensions/v1beta1
|
||||||
|
248
pkg/apis/extensions/v1beta1/zz_generated.conversion.go
generated
248
pkg/apis/extensions/v1beta1/zz_generated.conversion.go
generated
@ -32,6 +32,7 @@ import (
|
|||||||
core "k8s.io/kubernetes/pkg/apis/core"
|
core "k8s.io/kubernetes/pkg/apis/core"
|
||||||
core_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
|
core_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
|
||||||
extensions "k8s.io/kubernetes/pkg/apis/extensions"
|
extensions "k8s.io/kubernetes/pkg/apis/extensions"
|
||||||
|
policy "k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
@ -42,10 +43,10 @@ func init() {
|
|||||||
// Public to allow building arbitrary schemes.
|
// Public to allow building arbitrary schemes.
|
||||||
func RegisterConversions(scheme *runtime.Scheme) error {
|
func RegisterConversions(scheme *runtime.Scheme) error {
|
||||||
return scheme.AddGeneratedConversionFuncs(
|
return scheme.AddGeneratedConversionFuncs(
|
||||||
Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume,
|
Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume,
|
||||||
Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume,
|
Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume,
|
||||||
Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath,
|
Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath,
|
||||||
Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath,
|
Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath,
|
||||||
Convert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus,
|
Convert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus,
|
||||||
Convert_extensions_CustomMetricCurrentStatus_To_v1beta1_CustomMetricCurrentStatus,
|
Convert_extensions_CustomMetricCurrentStatus_To_v1beta1_CustomMetricCurrentStatus,
|
||||||
Convert_v1beta1_CustomMetricCurrentStatusList_To_extensions_CustomMetricCurrentStatusList,
|
Convert_v1beta1_CustomMetricCurrentStatusList_To_extensions_CustomMetricCurrentStatusList,
|
||||||
@ -80,14 +81,14 @@ func RegisterConversions(scheme *runtime.Scheme) error {
|
|||||||
Convert_extensions_DeploymentStatus_To_v1beta1_DeploymentStatus,
|
Convert_extensions_DeploymentStatus_To_v1beta1_DeploymentStatus,
|
||||||
Convert_v1beta1_DeploymentStrategy_To_extensions_DeploymentStrategy,
|
Convert_v1beta1_DeploymentStrategy_To_extensions_DeploymentStrategy,
|
||||||
Convert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy,
|
Convert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy,
|
||||||
Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions,
|
Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions,
|
||||||
Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions,
|
Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions,
|
||||||
Convert_v1beta1_HTTPIngressPath_To_extensions_HTTPIngressPath,
|
Convert_v1beta1_HTTPIngressPath_To_extensions_HTTPIngressPath,
|
||||||
Convert_extensions_HTTPIngressPath_To_v1beta1_HTTPIngressPath,
|
Convert_extensions_HTTPIngressPath_To_v1beta1_HTTPIngressPath,
|
||||||
Convert_v1beta1_HTTPIngressRuleValue_To_extensions_HTTPIngressRuleValue,
|
Convert_v1beta1_HTTPIngressRuleValue_To_extensions_HTTPIngressRuleValue,
|
||||||
Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue,
|
Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue,
|
||||||
Convert_v1beta1_HostPortRange_To_extensions_HostPortRange,
|
Convert_v1beta1_HostPortRange_To_policy_HostPortRange,
|
||||||
Convert_extensions_HostPortRange_To_v1beta1_HostPortRange,
|
Convert_policy_HostPortRange_To_v1beta1_HostPortRange,
|
||||||
Convert_v1beta1_Ingress_To_extensions_Ingress,
|
Convert_v1beta1_Ingress_To_extensions_Ingress,
|
||||||
Convert_extensions_Ingress_To_v1beta1_Ingress,
|
Convert_extensions_Ingress_To_v1beta1_Ingress,
|
||||||
Convert_v1beta1_IngressBackend_To_extensions_IngressBackend,
|
Convert_v1beta1_IngressBackend_To_extensions_IngressBackend,
|
||||||
@ -104,12 +105,12 @@ func RegisterConversions(scheme *runtime.Scheme) error {
|
|||||||
Convert_extensions_IngressStatus_To_v1beta1_IngressStatus,
|
Convert_extensions_IngressStatus_To_v1beta1_IngressStatus,
|
||||||
Convert_v1beta1_IngressTLS_To_extensions_IngressTLS,
|
Convert_v1beta1_IngressTLS_To_extensions_IngressTLS,
|
||||||
Convert_extensions_IngressTLS_To_v1beta1_IngressTLS,
|
Convert_extensions_IngressTLS_To_v1beta1_IngressTLS,
|
||||||
Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy,
|
Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy,
|
||||||
Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy,
|
Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy,
|
||||||
Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList,
|
Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList,
|
||||||
Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList,
|
Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList,
|
||||||
Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec,
|
Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec,
|
||||||
Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
|
Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
|
||||||
Convert_v1beta1_ReplicaSet_To_extensions_ReplicaSet,
|
Convert_v1beta1_ReplicaSet_To_extensions_ReplicaSet,
|
||||||
Convert_extensions_ReplicaSet_To_v1beta1_ReplicaSet,
|
Convert_extensions_ReplicaSet_To_v1beta1_ReplicaSet,
|
||||||
Convert_v1beta1_ReplicaSetCondition_To_extensions_ReplicaSetCondition,
|
Convert_v1beta1_ReplicaSetCondition_To_extensions_ReplicaSetCondition,
|
||||||
@ -128,59 +129,59 @@ func RegisterConversions(scheme *runtime.Scheme) error {
|
|||||||
Convert_extensions_RollingUpdateDaemonSet_To_v1beta1_RollingUpdateDaemonSet,
|
Convert_extensions_RollingUpdateDaemonSet_To_v1beta1_RollingUpdateDaemonSet,
|
||||||
Convert_v1beta1_RollingUpdateDeployment_To_extensions_RollingUpdateDeployment,
|
Convert_v1beta1_RollingUpdateDeployment_To_extensions_RollingUpdateDeployment,
|
||||||
Convert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDeployment,
|
Convert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDeployment,
|
||||||
Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions,
|
Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions,
|
||||||
Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions,
|
Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions,
|
||||||
Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions,
|
Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions,
|
||||||
Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions,
|
Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions,
|
||||||
Convert_v1beta1_Scale_To_autoscaling_Scale,
|
Convert_v1beta1_Scale_To_autoscaling_Scale,
|
||||||
Convert_autoscaling_Scale_To_v1beta1_Scale,
|
Convert_autoscaling_Scale_To_v1beta1_Scale,
|
||||||
Convert_v1beta1_ScaleSpec_To_autoscaling_ScaleSpec,
|
Convert_v1beta1_ScaleSpec_To_autoscaling_ScaleSpec,
|
||||||
Convert_autoscaling_ScaleSpec_To_v1beta1_ScaleSpec,
|
Convert_autoscaling_ScaleSpec_To_v1beta1_ScaleSpec,
|
||||||
Convert_v1beta1_ScaleStatus_To_autoscaling_ScaleStatus,
|
Convert_v1beta1_ScaleStatus_To_autoscaling_ScaleStatus,
|
||||||
Convert_autoscaling_ScaleStatus_To_v1beta1_ScaleStatus,
|
Convert_autoscaling_ScaleStatus_To_v1beta1_ScaleStatus,
|
||||||
Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions,
|
Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions,
|
||||||
Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions,
|
Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *extensions.AllowedFlexVolume, s conversion.Scope) error {
|
func autoConvert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *policy.AllowedFlexVolume, s conversion.Scope) error {
|
||||||
out.Driver = in.Driver
|
out.Driver = in.Driver
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume is an autogenerated conversion function.
|
// Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *extensions.AllowedFlexVolume, s conversion.Scope) error {
|
func Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *policy.AllowedFlexVolume, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in, out, s)
|
return autoConvert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *extensions.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
|
func autoConvert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *policy.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
|
||||||
out.Driver = in.Driver
|
out.Driver = in.Driver
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume is an autogenerated conversion function.
|
// Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume is an autogenerated conversion function.
|
||||||
func Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *extensions.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
|
func Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *policy.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in, out, s)
|
return autoConvert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
|
func autoConvert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in *v1beta1.AllowedHostPath, out *policy.AllowedHostPath, s conversion.Scope) error {
|
||||||
out.PathPrefix = in.PathPrefix
|
out.PathPrefix = in.PathPrefix
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath is an autogenerated conversion function.
|
// Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
|
func Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in *v1beta1.AllowedHostPath, out *policy.AllowedHostPath, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in, out, s)
|
return autoConvert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
|
func autoConvert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in *policy.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
|
||||||
out.PathPrefix = in.PathPrefix
|
out.PathPrefix = in.PathPrefix
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
|
// Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
|
||||||
func Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
|
func Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in *policy.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
|
return autoConvert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus(in *v1beta1.CustomMetricCurrentStatus, out *extensions.CustomMetricCurrentStatus, s conversion.Scope) error {
|
func autoConvert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus(in *v1beta1.CustomMetricCurrentStatus, out *extensions.CustomMetricCurrentStatus, s conversion.Scope) error {
|
||||||
@ -715,26 +716,26 @@ func autoConvert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy(in
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error {
|
func autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = extensions.FSGroupStrategyType(in.Rule)
|
out.Rule = policy.FSGroupStrategyType(in.Rule)
|
||||||
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions is an autogenerated conversion function.
|
// Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error {
|
func Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in, out, s)
|
return autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *extensions.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
|
func autoConvert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *policy.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = v1beta1.FSGroupStrategyType(in.Rule)
|
out.Rule = v1beta1.FSGroupStrategyType(in.Rule)
|
||||||
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions is an autogenerated conversion function.
|
// Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *extensions.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
|
func Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *policy.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in, out, s)
|
return autoConvert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_HTTPIngressPath_To_extensions_HTTPIngressPath(in *v1beta1.HTTPIngressPath, out *extensions.HTTPIngressPath, s conversion.Scope) error {
|
func autoConvert_v1beta1_HTTPIngressPath_To_extensions_HTTPIngressPath(in *v1beta1.HTTPIngressPath, out *extensions.HTTPIngressPath, s conversion.Scope) error {
|
||||||
@ -783,26 +784,26 @@ func Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue(in
|
|||||||
return autoConvert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue(in, out, s)
|
return autoConvert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_HostPortRange_To_extensions_HostPortRange(in *v1beta1.HostPortRange, out *extensions.HostPortRange, s conversion.Scope) error {
|
func autoConvert_v1beta1_HostPortRange_To_policy_HostPortRange(in *v1beta1.HostPortRange, out *policy.HostPortRange, s conversion.Scope) error {
|
||||||
out.Min = in.Min
|
out.Min = in.Min
|
||||||
out.Max = in.Max
|
out.Max = in.Max
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_HostPortRange_To_extensions_HostPortRange is an autogenerated conversion function.
|
// Convert_v1beta1_HostPortRange_To_policy_HostPortRange is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_HostPortRange_To_extensions_HostPortRange(in *v1beta1.HostPortRange, out *extensions.HostPortRange, s conversion.Scope) error {
|
func Convert_v1beta1_HostPortRange_To_policy_HostPortRange(in *v1beta1.HostPortRange, out *policy.HostPortRange, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_HostPortRange_To_extensions_HostPortRange(in, out, s)
|
return autoConvert_v1beta1_HostPortRange_To_policy_HostPortRange(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
|
func autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
|
||||||
out.Min = in.Min
|
out.Min = in.Min
|
||||||
out.Max = in.Max
|
out.Max = in.Max
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_HostPortRange_To_v1beta1_HostPortRange is an autogenerated conversion function.
|
// Convert_policy_HostPortRange_To_v1beta1_HostPortRange is an autogenerated conversion function.
|
||||||
func Convert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
|
func Convert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
|
return autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_Ingress_To_extensions_Ingress(in *v1beta1.Ingress, out *extensions.Ingress, s conversion.Scope) error {
|
func autoConvert_v1beta1_Ingress_To_extensions_Ingress(in *v1beta1.Ingress, out *extensions.Ingress, s conversion.Scope) error {
|
||||||
@ -999,39 +1000,39 @@ func Convert_extensions_IngressTLS_To_v1beta1_IngressTLS(in *extensions.IngressT
|
|||||||
return autoConvert_extensions_IngressTLS_To_v1beta1_IngressTLS(in, out, s)
|
return autoConvert_extensions_IngressTLS_To_v1beta1_IngressTLS(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *extensions.PodSecurityPolicy, s conversion.Scope) error {
|
func autoConvert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *policy.PodSecurityPolicy, s conversion.Scope) error {
|
||||||
out.ObjectMeta = in.ObjectMeta
|
out.ObjectMeta = in.ObjectMeta
|
||||||
if err := Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
|
if err := Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy is an autogenerated conversion function.
|
// Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *extensions.PodSecurityPolicy, s conversion.Scope) error {
|
func Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *policy.PodSecurityPolicy, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in, out, s)
|
return autoConvert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *extensions.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
|
func autoConvert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *policy.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
|
||||||
out.ObjectMeta = in.ObjectMeta
|
out.ObjectMeta = in.ObjectMeta
|
||||||
if err := Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
|
if err := Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy is an autogenerated conversion function.
|
// Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy is an autogenerated conversion function.
|
||||||
func Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *extensions.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
|
func Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *policy.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in, out, s)
|
return autoConvert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *extensions.PodSecurityPolicyList, s conversion.Scope) error {
|
func autoConvert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *policy.PodSecurityPolicyList, s conversion.Scope) error {
|
||||||
out.ListMeta = in.ListMeta
|
out.ListMeta = in.ListMeta
|
||||||
if in.Items != nil {
|
if in.Items != nil {
|
||||||
in, out := &in.Items, &out.Items
|
in, out := &in.Items, &out.Items
|
||||||
*out = make([]extensions.PodSecurityPolicy, len(*in))
|
*out = make([]policy.PodSecurityPolicy, len(*in))
|
||||||
for i := range *in {
|
for i := range *in {
|
||||||
if err := Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
|
if err := Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1041,18 +1042,18 @@ func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyLi
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList is an autogenerated conversion function.
|
// Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *extensions.PodSecurityPolicyList, s conversion.Scope) error {
|
func Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *policy.PodSecurityPolicyList, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in, out, s)
|
return autoConvert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *extensions.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
|
func autoConvert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *policy.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
|
||||||
out.ListMeta = in.ListMeta
|
out.ListMeta = in.ListMeta
|
||||||
if in.Items != nil {
|
if in.Items != nil {
|
||||||
in, out := &in.Items, &out.Items
|
in, out := &in.Items, &out.Items
|
||||||
*out = make([]v1beta1.PodSecurityPolicy, len(*in))
|
*out = make([]v1beta1.PodSecurityPolicy, len(*in))
|
||||||
for i := range *in {
|
for i := range *in {
|
||||||
if err := Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
|
if err := Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1062,31 +1063,31 @@ func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyLi
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList is an autogenerated conversion function.
|
// Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList is an autogenerated conversion function.
|
||||||
func Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *extensions.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
|
func Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *policy.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in, out, s)
|
return autoConvert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *extensions.PodSecurityPolicySpec, s conversion.Scope) error {
|
func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *policy.PodSecurityPolicySpec, s conversion.Scope) error {
|
||||||
out.Privileged = in.Privileged
|
out.Privileged = in.Privileged
|
||||||
out.DefaultAddCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
|
out.DefaultAddCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
|
||||||
out.RequiredDropCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
|
out.RequiredDropCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
|
||||||
out.AllowedCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.AllowedCapabilities))
|
out.AllowedCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.AllowedCapabilities))
|
||||||
out.Volumes = *(*[]extensions.FSType)(unsafe.Pointer(&in.Volumes))
|
out.Volumes = *(*[]policy.FSType)(unsafe.Pointer(&in.Volumes))
|
||||||
out.HostNetwork = in.HostNetwork
|
out.HostNetwork = in.HostNetwork
|
||||||
out.HostPorts = *(*[]extensions.HostPortRange)(unsafe.Pointer(&in.HostPorts))
|
out.HostPorts = *(*[]policy.HostPortRange)(unsafe.Pointer(&in.HostPorts))
|
||||||
out.HostPID = in.HostPID
|
out.HostPID = in.HostPID
|
||||||
out.HostIPC = in.HostIPC
|
out.HostIPC = in.HostIPC
|
||||||
if err := Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
|
if err := Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
|
if err := Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
|
if err := Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
|
if err := Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
|
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
|
||||||
@ -1094,17 +1095,17 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
|
|||||||
if err := meta_v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
|
if err := meta_v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
|
out.AllowedHostPaths = *(*[]policy.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
|
||||||
out.AllowedFlexVolumes = *(*[]extensions.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
|
out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec is an autogenerated conversion function.
|
// Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *extensions.PodSecurityPolicySpec, s conversion.Scope) error {
|
func Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *policy.PodSecurityPolicySpec, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in, out, s)
|
return autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
|
func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *policy.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
|
||||||
out.Privileged = in.Privileged
|
out.Privileged = in.Privileged
|
||||||
out.DefaultAddCapabilities = *(*[]v1.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
|
out.DefaultAddCapabilities = *(*[]v1.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
|
||||||
out.RequiredDropCapabilities = *(*[]v1.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
|
out.RequiredDropCapabilities = *(*[]v1.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
|
||||||
@ -1114,16 +1115,16 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
|
|||||||
out.HostPorts = *(*[]v1beta1.HostPortRange)(unsafe.Pointer(&in.HostPorts))
|
out.HostPorts = *(*[]v1beta1.HostPortRange)(unsafe.Pointer(&in.HostPorts))
|
||||||
out.HostPID = in.HostPID
|
out.HostPID = in.HostPID
|
||||||
out.HostIPC = in.HostIPC
|
out.HostIPC = in.HostIPC
|
||||||
if err := Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
|
if err := Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
|
if err := Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
|
if err := Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
|
if err := Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
|
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
|
||||||
@ -1136,6 +1137,11 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function.
|
||||||
|
func Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *policy.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
|
||||||
|
return autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
|
||||||
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_ReplicaSet_To_extensions_ReplicaSet(in *v1beta1.ReplicaSet, out *extensions.ReplicaSet, s conversion.Scope) error {
|
func autoConvert_v1beta1_ReplicaSet_To_extensions_ReplicaSet(in *v1beta1.ReplicaSet, out *extensions.ReplicaSet, s conversion.Scope) error {
|
||||||
out.ObjectMeta = in.ObjectMeta
|
out.ObjectMeta = in.ObjectMeta
|
||||||
if err := Convert_v1beta1_ReplicaSetSpec_To_extensions_ReplicaSetSpec(&in.Spec, &out.Spec, s); err != nil {
|
if err := Convert_v1beta1_ReplicaSetSpec_To_extensions_ReplicaSetSpec(&in.Spec, &out.Spec, s); err != nil {
|
||||||
@ -1352,48 +1358,48 @@ func autoConvert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDepl
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error {
|
func autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = extensions.RunAsUserStrategy(in.Rule)
|
out.Rule = policy.RunAsUserStrategy(in.Rule)
|
||||||
out.Ranges = *(*[]extensions.UserIDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]policy.UserIDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions is an autogenerated conversion function.
|
// Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error {
|
func Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in, out, s)
|
return autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *extensions.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
|
func autoConvert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *policy.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = v1beta1.RunAsUserStrategy(in.Rule)
|
out.Rule = v1beta1.RunAsUserStrategy(in.Rule)
|
||||||
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions is an autogenerated conversion function.
|
// Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *extensions.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
|
func Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *policy.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in, out, s)
|
return autoConvert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *extensions.SELinuxStrategyOptions, s conversion.Scope) error {
|
func autoConvert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *policy.SELinuxStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = extensions.SELinuxStrategy(in.Rule)
|
out.Rule = policy.SELinuxStrategy(in.Rule)
|
||||||
out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
|
out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions is an autogenerated conversion function.
|
// Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *extensions.SELinuxStrategyOptions, s conversion.Scope) error {
|
func Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *policy.SELinuxStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in, out, s)
|
return autoConvert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *extensions.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
|
func autoConvert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *policy.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = v1beta1.SELinuxStrategy(in.Rule)
|
out.Rule = v1beta1.SELinuxStrategy(in.Rule)
|
||||||
out.SELinuxOptions = (*v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
|
out.SELinuxOptions = (*v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions is an autogenerated conversion function.
|
// Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *extensions.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
|
func Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *policy.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in, out, s)
|
return autoConvert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_Scale_To_autoscaling_Scale(in *v1beta1.Scale, out *autoscaling.Scale, s conversion.Scope) error {
|
func autoConvert_v1beta1_Scale_To_autoscaling_Scale(in *v1beta1.Scale, out *autoscaling.Scale, s conversion.Scope) error {
|
||||||
@ -1461,24 +1467,24 @@ func autoConvert_autoscaling_ScaleStatus_To_v1beta1_ScaleStatus(in *autoscaling.
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = extensions.SupplementalGroupsStrategyType(in.Rule)
|
out.Rule = policy.SupplementalGroupsStrategyType(in.Rule)
|
||||||
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
|
// Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
func Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in, out, s)
|
return autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *extensions.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
func autoConvert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *policy.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = v1beta1.SupplementalGroupsStrategyType(in.Rule)
|
out.Rule = v1beta1.SupplementalGroupsStrategyType(in.Rule)
|
||||||
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
|
// Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *extensions.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
func Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *policy.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in, out, s)
|
return autoConvert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
@ -14,15 +14,11 @@ go_library(
|
|||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/core/validation:go_default_library",
|
"//pkg/apis/core/validation:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/extensions:go_default_library",
|
||||||
"//pkg/security/apparmor:go_default_library",
|
|
||||||
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
|
|
||||||
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
|
||||||
"//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||||
],
|
],
|
||||||
@ -35,9 +31,6 @@ go_test(
|
|||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/extensions:go_default_library",
|
||||||
"//pkg/security/apparmor:go_default_library",
|
|
||||||
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
|
|
||||||
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
|
||||||
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
|
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
||||||
|
@ -17,10 +17,7 @@ limitations under the License.
|
|||||||
package validation
|
package validation
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"net"
|
"net"
|
||||||
|
|
||||||
"path/filepath"
|
|
||||||
"regexp"
|
"regexp"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
@ -30,15 +27,11 @@ import (
|
|||||||
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
|
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
"k8s.io/apimachinery/pkg/util/intstr"
|
"k8s.io/apimachinery/pkg/util/intstr"
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
|
||||||
"k8s.io/apimachinery/pkg/util/validation"
|
"k8s.io/apimachinery/pkg/util/validation"
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
|
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||||
"k8s.io/kubernetes/pkg/security/apparmor"
|
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
|
||||||
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// ValidateDaemonSet tests if required fields in the DaemonSet are set.
|
// ValidateDaemonSet tests if required fields in the DaemonSet are set.
|
||||||
@ -613,299 +606,3 @@ func ValidatePodTemplateSpecForReplicaSet(template *api.PodTemplateSpec, selecto
|
|||||||
}
|
}
|
||||||
return allErrs
|
return allErrs
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidatePodSecurityPolicyName can be used to check whether the given
|
|
||||||
// pod security policy name is valid.
|
|
||||||
// Prefix indicates this name will be used as part of generation, in which case
|
|
||||||
// trailing dashes are allowed.
|
|
||||||
var ValidatePodSecurityPolicyName = apivalidation.NameIsDNSSubdomain
|
|
||||||
|
|
||||||
func ValidatePodSecurityPolicy(psp *extensions.PodSecurityPolicy) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&psp.ObjectMeta, false, ValidatePodSecurityPolicyName, field.NewPath("metadata"))...)
|
|
||||||
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(psp.Annotations, field.NewPath("metadata").Child("annotations"))...)
|
|
||||||
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&psp.Spec, field.NewPath("spec"))...)
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPath *field.Path) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
|
|
||||||
allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...)
|
|
||||||
allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...)
|
|
||||||
allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...)
|
|
||||||
allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...)
|
|
||||||
allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
|
|
||||||
if len(spec.RequiredDropCapabilities) > 0 && hasCap(extensions.AllowAllCapabilities, spec.AllowedCapabilities) {
|
|
||||||
allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities,
|
|
||||||
"must be empty when all capabilities are allowed by a wildcard"))
|
|
||||||
}
|
|
||||||
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
|
|
||||||
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
|
|
||||||
allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
|
|
||||||
allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
|
|
||||||
allErrs = append(allErrs, validatePSPAllowedFlexVolumes(fldPath.Child("allowedFlexVolumes"), spec.AllowedFlexVolumes)...)
|
|
||||||
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
|
|
||||||
if p := annotations[apparmor.DefaultProfileAnnotationKey]; p != "" {
|
|
||||||
if err := apparmor.ValidateProfileFormat(p); err != nil {
|
|
||||||
allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.DefaultProfileAnnotationKey), p, err.Error()))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if allowed := annotations[apparmor.AllowedProfilesAnnotationKey]; allowed != "" {
|
|
||||||
for _, p := range strings.Split(allowed, ",") {
|
|
||||||
if err := apparmor.ValidateProfileFormat(p); err != nil {
|
|
||||||
allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.AllowedProfilesAnnotationKey), allowed, err.Error()))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sysctlAnnotation := annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey]
|
|
||||||
sysctlFldPath := fldPath.Key(extensions.SysctlsPodSecurityPolicyAnnotationKey)
|
|
||||||
sysctls, err := extensions.SysctlsFromPodSecurityPolicyAnnotation(sysctlAnnotation)
|
|
||||||
if err != nil {
|
|
||||||
allErrs = append(allErrs, field.Invalid(sysctlFldPath, sysctlAnnotation, err.Error()))
|
|
||||||
} else {
|
|
||||||
allErrs = append(allErrs, validatePodSecurityPolicySysctls(sysctlFldPath, sysctls)...)
|
|
||||||
}
|
|
||||||
|
|
||||||
if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" {
|
|
||||||
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...)
|
|
||||||
}
|
|
||||||
if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
|
|
||||||
for _, p := range strings.Split(allowed, ",") {
|
|
||||||
if p == seccomp.AllowAny {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePSPAllowedHostPaths makes sure all allowed host paths follow:
|
|
||||||
// 1. path prefix is required
|
|
||||||
// 2. path prefix does not have any element which is ".."
|
|
||||||
func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []extensions.AllowedHostPath) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
|
|
||||||
for i, target := range allowedHostPaths {
|
|
||||||
if target.PathPrefix == "" {
|
|
||||||
allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
|
|
||||||
break
|
|
||||||
}
|
|
||||||
parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
|
|
||||||
for _, item := range parts {
|
|
||||||
if item == ".." {
|
|
||||||
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
|
|
||||||
break // even for `../../..`, one error is sufficient to make the point
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePSPAllowedFlexVolumes
|
|
||||||
func validatePSPAllowedFlexVolumes(fldPath *field.Path, flexVolumes []extensions.AllowedFlexVolume) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
if len(flexVolumes) > 0 {
|
|
||||||
for idx, fv := range flexVolumes {
|
|
||||||
if len(fv.Driver) == 0 {
|
|
||||||
allErrs = append(allErrs, field.Required(fldPath.Child("allowedFlexVolumes").Index(idx).Child("driver"),
|
|
||||||
"must specify a driver"))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
|
|
||||||
func validatePSPSELinux(fldPath *field.Path, seLinux *extensions.SELinuxStrategyOptions) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
|
|
||||||
// ensure the selinux strategy has a valid rule
|
|
||||||
supportedSELinuxRules := sets.NewString(string(extensions.SELinuxStrategyMustRunAs),
|
|
||||||
string(extensions.SELinuxStrategyRunAsAny))
|
|
||||||
if !supportedSELinuxRules.Has(string(seLinux.Rule)) {
|
|
||||||
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), seLinux.Rule, supportedSELinuxRules.List()))
|
|
||||||
}
|
|
||||||
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePSPRunAsUser validates the RunAsUser fields of PodSecurityPolicy.
|
|
||||||
func validatePSPRunAsUser(fldPath *field.Path, runAsUser *extensions.RunAsUserStrategyOptions) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
|
|
||||||
// ensure the user strategy has a valid rule
|
|
||||||
supportedRunAsUserRules := sets.NewString(string(extensions.RunAsUserStrategyMustRunAs),
|
|
||||||
string(extensions.RunAsUserStrategyMustRunAsNonRoot),
|
|
||||||
string(extensions.RunAsUserStrategyRunAsAny))
|
|
||||||
if !supportedRunAsUserRules.Has(string(runAsUser.Rule)) {
|
|
||||||
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsUser.Rule, supportedRunAsUserRules.List()))
|
|
||||||
}
|
|
||||||
|
|
||||||
// validate range settings
|
|
||||||
for idx, rng := range runAsUser.Ranges {
|
|
||||||
allErrs = append(allErrs, validateUserIDRange(fldPath.Child("ranges").Index(idx), rng)...)
|
|
||||||
}
|
|
||||||
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePSPFSGroup validates the FSGroupStrategyOptions fields of the PodSecurityPolicy.
|
|
||||||
func validatePSPFSGroup(fldPath *field.Path, groupOptions *extensions.FSGroupStrategyOptions) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
|
|
||||||
supportedRules := sets.NewString(
|
|
||||||
string(extensions.FSGroupStrategyMustRunAs),
|
|
||||||
string(extensions.FSGroupStrategyRunAsAny),
|
|
||||||
)
|
|
||||||
if !supportedRules.Has(string(groupOptions.Rule)) {
|
|
||||||
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
|
|
||||||
}
|
|
||||||
|
|
||||||
for idx, rng := range groupOptions.Ranges {
|
|
||||||
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
|
|
||||||
}
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePSPSupplementalGroup validates the SupplementalGroupsStrategyOptions fields of the PodSecurityPolicy.
|
|
||||||
func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *extensions.SupplementalGroupsStrategyOptions) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
|
|
||||||
supportedRules := sets.NewString(
|
|
||||||
string(extensions.SupplementalGroupsStrategyRunAsAny),
|
|
||||||
string(extensions.SupplementalGroupsStrategyMustRunAs),
|
|
||||||
)
|
|
||||||
if !supportedRules.Has(string(groupOptions.Rule)) {
|
|
||||||
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
|
|
||||||
}
|
|
||||||
|
|
||||||
for idx, rng := range groupOptions.Ranges {
|
|
||||||
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
|
|
||||||
}
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy.
|
|
||||||
func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []extensions.FSType) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
allowed := psputil.GetAllFSTypesAsSet()
|
|
||||||
// add in the * value since that is a pseudo type that is not included by default
|
|
||||||
allowed.Insert(string(extensions.All))
|
|
||||||
for _, v := range volumes {
|
|
||||||
if !allowed.Has(string(v)) {
|
|
||||||
allErrs = append(allErrs, field.NotSupported(fldPath.Child("volumes"), v, allowed.List()))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
|
|
||||||
func validatePSPDefaultAllowPrivilegeEscalation(fldPath *field.Path, defaultAllowPrivilegeEscalation *bool, allowPrivilegeEscalation bool) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
if defaultAllowPrivilegeEscalation != nil && *defaultAllowPrivilegeEscalation && !allowPrivilegeEscalation {
|
|
||||||
allErrs = append(allErrs, field.Invalid(fldPath, defaultAllowPrivilegeEscalation, "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true"))
|
|
||||||
}
|
|
||||||
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
|
|
||||||
const SysctlPatternFmt string = "(" + apivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt
|
|
||||||
|
|
||||||
var sysctlPatternRegexp = regexp.MustCompile("^" + SysctlPatternFmt + "$")
|
|
||||||
|
|
||||||
func IsValidSysctlPattern(name string) bool {
|
|
||||||
if len(name) > apivalidation.SysctlMaxLength {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return sysctlPatternRegexp.MatchString(name)
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
|
|
||||||
func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
for i, s := range sysctls {
|
|
||||||
if !IsValidSysctlPattern(string(s)) {
|
|
||||||
allErrs = append(
|
|
||||||
allErrs,
|
|
||||||
field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
|
|
||||||
apivalidation.SysctlMaxLength,
|
|
||||||
SysctlPatternFmt,
|
|
||||||
)),
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
func validateUserIDRange(fldPath *field.Path, rng extensions.UserIDRange) field.ErrorList {
|
|
||||||
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
|
|
||||||
}
|
|
||||||
|
|
||||||
func validateGroupIDRange(fldPath *field.Path, rng extensions.GroupIDRange) field.ErrorList {
|
|
||||||
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
|
|
||||||
}
|
|
||||||
|
|
||||||
// validateIDRanges ensures the range is valid.
|
|
||||||
func validateIDRanges(fldPath *field.Path, min, max int64) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
|
|
||||||
// if 0 <= Min <= Max then we do not need to validate max. It is always greater than or
|
|
||||||
// equal to 0 and Min.
|
|
||||||
if min < 0 {
|
|
||||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be negative"))
|
|
||||||
}
|
|
||||||
if max < 0 {
|
|
||||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), max, "max cannot be negative"))
|
|
||||||
}
|
|
||||||
if min > max {
|
|
||||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be greater than max"))
|
|
||||||
}
|
|
||||||
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// validatePSPCapsAgainstDrops ensures an allowed cap is not listed in the required drops.
|
|
||||||
func validatePSPCapsAgainstDrops(requiredDrops []api.Capability, capsToCheck []api.Capability, fldPath *field.Path) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
if requiredDrops == nil {
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
for _, cap := range capsToCheck {
|
|
||||||
if hasCap(cap, requiredDrops) {
|
|
||||||
allErrs = append(allErrs, field.Invalid(fldPath, cap,
|
|
||||||
fmt.Sprintf("capability is listed in %s and requiredDropCapabilities", fldPath.String())))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
|
||||||
// hasCap checks for needle in haystack.
|
|
||||||
func hasCap(needle api.Capability, haystack []api.Capability) bool {
|
|
||||||
for _, c := range haystack {
|
|
||||||
if needle == c {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
// ValidatePodSecurityPolicyUpdate validates a PSP for updates.
|
|
||||||
func ValidatePodSecurityPolicyUpdate(old *extensions.PodSecurityPolicy, new *extensions.PodSecurityPolicy) field.ErrorList {
|
|
||||||
allErrs := field.ErrorList{}
|
|
||||||
allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
|
|
||||||
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(new.Annotations, field.NewPath("metadata").Child("annotations"))...)
|
|
||||||
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&new.Spec, field.NewPath("spec"))...)
|
|
||||||
return allErrs
|
|
||||||
}
|
|
||||||
|
@ -28,9 +28,6 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||||
"k8s.io/kubernetes/pkg/security/apparmor"
|
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
|
||||||
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestValidateDaemonSetStatusUpdate(t *testing.T) {
|
func TestValidateDaemonSetStatusUpdate(t *testing.T) {
|
||||||
@ -2317,527 +2314,3 @@ func TestValidateReplicaSet(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestValidatePodSecurityPolicy(t *testing.T) {
|
|
||||||
validPSP := func() *extensions.PodSecurityPolicy {
|
|
||||||
return &extensions.PodSecurityPolicy{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Name: "foo",
|
|
||||||
Annotations: map[string]string{},
|
|
||||||
},
|
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
|
||||||
SELinux: extensions.SELinuxStrategyOptions{
|
|
||||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
|
||||||
},
|
|
||||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
|
||||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
|
||||||
},
|
|
||||||
FSGroup: extensions.FSGroupStrategyOptions{
|
|
||||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
|
||||||
},
|
|
||||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
|
||||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
|
||||||
},
|
|
||||||
AllowedHostPaths: []extensions.AllowedHostPath{
|
|
||||||
{PathPrefix: "/foo/bar"},
|
|
||||||
{PathPrefix: "/baz/"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
noUserOptions := validPSP()
|
|
||||||
noUserOptions.Spec.RunAsUser.Rule = ""
|
|
||||||
|
|
||||||
noSELinuxOptions := validPSP()
|
|
||||||
noSELinuxOptions.Spec.SELinux.Rule = ""
|
|
||||||
|
|
||||||
invalidUserStratType := validPSP()
|
|
||||||
invalidUserStratType.Spec.RunAsUser.Rule = "invalid"
|
|
||||||
|
|
||||||
invalidSELinuxStratType := validPSP()
|
|
||||||
invalidSELinuxStratType.Spec.SELinux.Rule = "invalid"
|
|
||||||
|
|
||||||
invalidUIDPSP := validPSP()
|
|
||||||
invalidUIDPSP.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
|
|
||||||
invalidUIDPSP.Spec.RunAsUser.Ranges = []extensions.UserIDRange{{Min: -1, Max: 1}}
|
|
||||||
|
|
||||||
missingObjectMetaName := validPSP()
|
|
||||||
missingObjectMetaName.ObjectMeta.Name = ""
|
|
||||||
|
|
||||||
noFSGroupOptions := validPSP()
|
|
||||||
noFSGroupOptions.Spec.FSGroup.Rule = ""
|
|
||||||
|
|
||||||
invalidFSGroupStratType := validPSP()
|
|
||||||
invalidFSGroupStratType.Spec.FSGroup.Rule = "invalid"
|
|
||||||
|
|
||||||
noSupplementalGroupsOptions := validPSP()
|
|
||||||
noSupplementalGroupsOptions.Spec.SupplementalGroups.Rule = ""
|
|
||||||
|
|
||||||
invalidSupGroupStratType := validPSP()
|
|
||||||
invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
|
|
||||||
|
|
||||||
invalidRangeMinGreaterThanMax := validPSP()
|
|
||||||
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
|
|
||||||
{Min: 2, Max: 1},
|
|
||||||
}
|
|
||||||
|
|
||||||
invalidRangeNegativeMin := validPSP()
|
|
||||||
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
|
|
||||||
{Min: -1, Max: 10},
|
|
||||||
}
|
|
||||||
|
|
||||||
invalidRangeNegativeMax := validPSP()
|
|
||||||
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
|
|
||||||
{Min: 1, Max: -10},
|
|
||||||
}
|
|
||||||
|
|
||||||
wildcardAllowedCapAndRequiredDrop := validPSP()
|
|
||||||
wildcardAllowedCapAndRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
|
||||||
wildcardAllowedCapAndRequiredDrop.Spec.AllowedCapabilities = []api.Capability{extensions.AllowAllCapabilities}
|
|
||||||
|
|
||||||
requiredCapAddAndDrop := validPSP()
|
|
||||||
requiredCapAddAndDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
|
|
||||||
requiredCapAddAndDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
|
||||||
|
|
||||||
allowedCapListedInRequiredDrop := validPSP()
|
|
||||||
allowedCapListedInRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
|
||||||
allowedCapListedInRequiredDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
|
|
||||||
|
|
||||||
invalidAppArmorDefault := validPSP()
|
|
||||||
invalidAppArmorDefault.Annotations = map[string]string{
|
|
||||||
apparmor.DefaultProfileAnnotationKey: "not-good",
|
|
||||||
}
|
|
||||||
invalidAppArmorAllowed := validPSP()
|
|
||||||
invalidAppArmorAllowed.Annotations = map[string]string{
|
|
||||||
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + ",not-good",
|
|
||||||
}
|
|
||||||
|
|
||||||
invalidSysctlPattern := validPSP()
|
|
||||||
invalidSysctlPattern.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "a.*.b"
|
|
||||||
|
|
||||||
invalidSeccompDefault := validPSP()
|
|
||||||
invalidSeccompDefault.Annotations = map[string]string{
|
|
||||||
seccomp.DefaultProfileAnnotationKey: "not-good",
|
|
||||||
}
|
|
||||||
invalidSeccompAllowAnyDefault := validPSP()
|
|
||||||
invalidSeccompAllowAnyDefault.Annotations = map[string]string{
|
|
||||||
seccomp.DefaultProfileAnnotationKey: "*",
|
|
||||||
}
|
|
||||||
invalidSeccompAllowed := validPSP()
|
|
||||||
invalidSeccompAllowed.Annotations = map[string]string{
|
|
||||||
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
|
|
||||||
}
|
|
||||||
|
|
||||||
invalidAllowedHostPathMissingPath := validPSP()
|
|
||||||
invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
|
|
||||||
{PathPrefix: ""},
|
|
||||||
}
|
|
||||||
|
|
||||||
invalidAllowedHostPathBacksteps := validPSP()
|
|
||||||
invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
|
|
||||||
{PathPrefix: "/dont/allow/backsteps/.."},
|
|
||||||
}
|
|
||||||
|
|
||||||
invalidDefaultAllowPrivilegeEscalation := validPSP()
|
|
||||||
pe := true
|
|
||||||
invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
|
|
||||||
|
|
||||||
emptyFlexDriver := validPSP()
|
|
||||||
emptyFlexDriver.Spec.Volumes = []extensions.FSType{extensions.FlexVolume}
|
|
||||||
emptyFlexDriver.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{{}}
|
|
||||||
|
|
||||||
nonEmptyFlexVolumes := validPSP()
|
|
||||||
nonEmptyFlexVolumes.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{{Driver: "example/driver"}}
|
|
||||||
|
|
||||||
type testCase struct {
|
|
||||||
psp *extensions.PodSecurityPolicy
|
|
||||||
errorType field.ErrorType
|
|
||||||
errorDetail string
|
|
||||||
}
|
|
||||||
errorCases := map[string]testCase{
|
|
||||||
"no user options": {
|
|
||||||
psp: noUserOptions,
|
|
||||||
errorType: field.ErrorTypeNotSupported,
|
|
||||||
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
|
|
||||||
},
|
|
||||||
"no selinux options": {
|
|
||||||
psp: noSELinuxOptions,
|
|
||||||
errorType: field.ErrorTypeNotSupported,
|
|
||||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
|
||||||
},
|
|
||||||
"no fsgroup options": {
|
|
||||||
psp: noFSGroupOptions,
|
|
||||||
errorType: field.ErrorTypeNotSupported,
|
|
||||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
|
||||||
},
|
|
||||||
"no sup group options": {
|
|
||||||
psp: noSupplementalGroupsOptions,
|
|
||||||
errorType: field.ErrorTypeNotSupported,
|
|
||||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
|
||||||
},
|
|
||||||
"invalid user strategy type": {
|
|
||||||
psp: invalidUserStratType,
|
|
||||||
errorType: field.ErrorTypeNotSupported,
|
|
||||||
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
|
|
||||||
},
|
|
||||||
"invalid selinux strategy type": {
|
|
||||||
psp: invalidSELinuxStratType,
|
|
||||||
errorType: field.ErrorTypeNotSupported,
|
|
||||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
|
||||||
},
|
|
||||||
"invalid sup group strategy type": {
|
|
||||||
psp: invalidSupGroupStratType,
|
|
||||||
errorType: field.ErrorTypeNotSupported,
|
|
||||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
|
||||||
},
|
|
||||||
"invalid fs group strategy type": {
|
|
||||||
psp: invalidFSGroupStratType,
|
|
||||||
errorType: field.ErrorTypeNotSupported,
|
|
||||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
|
||||||
},
|
|
||||||
"invalid uid": {
|
|
||||||
psp: invalidUIDPSP,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "min cannot be negative",
|
|
||||||
},
|
|
||||||
"missing object meta name": {
|
|
||||||
psp: missingObjectMetaName,
|
|
||||||
errorType: field.ErrorTypeRequired,
|
|
||||||
errorDetail: "name or generateName is required",
|
|
||||||
},
|
|
||||||
"invalid range min greater than max": {
|
|
||||||
psp: invalidRangeMinGreaterThanMax,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "min cannot be greater than max",
|
|
||||||
},
|
|
||||||
"invalid range negative min": {
|
|
||||||
psp: invalidRangeNegativeMin,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "min cannot be negative",
|
|
||||||
},
|
|
||||||
"invalid range negative max": {
|
|
||||||
psp: invalidRangeNegativeMax,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "max cannot be negative",
|
|
||||||
},
|
|
||||||
"non-empty required drops and all caps are allowed by a wildcard": {
|
|
||||||
psp: wildcardAllowedCapAndRequiredDrop,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "must be empty when all capabilities are allowed by a wildcard",
|
|
||||||
},
|
|
||||||
"invalid required caps": {
|
|
||||||
psp: requiredCapAddAndDrop,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "capability is listed in defaultAddCapabilities and requiredDropCapabilities",
|
|
||||||
},
|
|
||||||
"allowed cap listed in required drops": {
|
|
||||||
psp: allowedCapListedInRequiredDrop,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "capability is listed in allowedCapabilities and requiredDropCapabilities",
|
|
||||||
},
|
|
||||||
"invalid AppArmor default profile": {
|
|
||||||
psp: invalidAppArmorDefault,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "invalid AppArmor profile name: \"not-good\"",
|
|
||||||
},
|
|
||||||
"invalid AppArmor allowed profile": {
|
|
||||||
psp: invalidAppArmorAllowed,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "invalid AppArmor profile name: \"not-good\"",
|
|
||||||
},
|
|
||||||
"invalid sysctl pattern": {
|
|
||||||
psp: invalidSysctlPattern,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
|
|
||||||
},
|
|
||||||
"invalid seccomp default profile": {
|
|
||||||
psp: invalidSeccompDefault,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "must be a valid seccomp profile",
|
|
||||||
},
|
|
||||||
"invalid seccomp allow any default profile": {
|
|
||||||
psp: invalidSeccompAllowAnyDefault,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "must be a valid seccomp profile",
|
|
||||||
},
|
|
||||||
"invalid seccomp allowed profile": {
|
|
||||||
psp: invalidSeccompAllowed,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "must be a valid seccomp profile",
|
|
||||||
},
|
|
||||||
"invalid defaultAllowPrivilegeEscalation": {
|
|
||||||
psp: invalidDefaultAllowPrivilegeEscalation,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
|
|
||||||
},
|
|
||||||
"invalid allowed host path empty path": {
|
|
||||||
psp: invalidAllowedHostPathMissingPath,
|
|
||||||
errorType: field.ErrorTypeRequired,
|
|
||||||
errorDetail: "is required",
|
|
||||||
},
|
|
||||||
"invalid allowed host path with backsteps": {
|
|
||||||
psp: invalidAllowedHostPathBacksteps,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "must not contain '..'",
|
|
||||||
},
|
|
||||||
"empty flex volume driver": {
|
|
||||||
psp: emptyFlexDriver,
|
|
||||||
errorType: field.ErrorTypeRequired,
|
|
||||||
errorDetail: "must specify a driver",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for k, v := range errorCases {
|
|
||||||
errs := ValidatePodSecurityPolicy(v.psp)
|
|
||||||
if len(errs) == 0 {
|
|
||||||
t.Errorf("%s expected errors but got none", k)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if errs[0].Type != v.errorType {
|
|
||||||
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
|
|
||||||
}
|
|
||||||
if errs[0].Detail != v.errorDetail {
|
|
||||||
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Update error is different for 'missing object meta name'.
|
|
||||||
errorCases["missing object meta name"] = testCase{
|
|
||||||
psp: errorCases["missing object meta name"].psp,
|
|
||||||
errorType: field.ErrorTypeInvalid,
|
|
||||||
errorDetail: "field is immutable",
|
|
||||||
}
|
|
||||||
|
|
||||||
// Should not be able to update to an invalid policy.
|
|
||||||
for k, v := range errorCases {
|
|
||||||
v.psp.ResourceVersion = "444" // Required for updates.
|
|
||||||
errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp)
|
|
||||||
if len(errs) == 0 {
|
|
||||||
t.Errorf("[%s] expected update errors but got none", k)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if errs[0].Type != v.errorType {
|
|
||||||
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
|
|
||||||
}
|
|
||||||
if errs[0].Detail != v.errorDetail {
|
|
||||||
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
mustRunAs := validPSP()
|
|
||||||
mustRunAs.Spec.FSGroup.Rule = extensions.FSGroupStrategyMustRunAs
|
|
||||||
mustRunAs.Spec.SupplementalGroups.Rule = extensions.SupplementalGroupsStrategyMustRunAs
|
|
||||||
mustRunAs.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
|
|
||||||
mustRunAs.Spec.RunAsUser.Ranges = []extensions.UserIDRange{
|
|
||||||
{Min: 1, Max: 1},
|
|
||||||
}
|
|
||||||
mustRunAs.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs
|
|
||||||
|
|
||||||
runAsNonRoot := validPSP()
|
|
||||||
runAsNonRoot.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAsNonRoot
|
|
||||||
|
|
||||||
caseInsensitiveAddDrop := validPSP()
|
|
||||||
caseInsensitiveAddDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
|
|
||||||
caseInsensitiveAddDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
|
|
||||||
|
|
||||||
caseInsensitiveAllowedDrop := validPSP()
|
|
||||||
caseInsensitiveAllowedDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
|
|
||||||
caseInsensitiveAllowedDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
|
|
||||||
|
|
||||||
validAppArmor := validPSP()
|
|
||||||
validAppArmor.Annotations = map[string]string{
|
|
||||||
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
|
|
||||||
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo",
|
|
||||||
}
|
|
||||||
|
|
||||||
withSysctl := validPSP()
|
|
||||||
withSysctl.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "net.*"
|
|
||||||
|
|
||||||
validSeccomp := validPSP()
|
|
||||||
validSeccomp.Annotations = map[string]string{
|
|
||||||
seccomp.DefaultProfileAnnotationKey: "docker/default",
|
|
||||||
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*",
|
|
||||||
}
|
|
||||||
|
|
||||||
validDefaultAllowPrivilegeEscalation := validPSP()
|
|
||||||
pe = true
|
|
||||||
validDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
|
|
||||||
validDefaultAllowPrivilegeEscalation.Spec.AllowPrivilegeEscalation = true
|
|
||||||
|
|
||||||
flexvolumeWhenFlexVolumesAllowed := validPSP()
|
|
||||||
flexvolumeWhenFlexVolumesAllowed.Spec.Volumes = []extensions.FSType{extensions.FlexVolume}
|
|
||||||
flexvolumeWhenFlexVolumesAllowed.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{
|
|
||||||
{Driver: "example/driver1"},
|
|
||||||
}
|
|
||||||
|
|
||||||
flexvolumeWhenAllVolumesAllowed := validPSP()
|
|
||||||
flexvolumeWhenAllVolumesAllowed.Spec.Volumes = []extensions.FSType{extensions.All}
|
|
||||||
flexvolumeWhenAllVolumesAllowed.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{
|
|
||||||
{Driver: "example/driver2"},
|
|
||||||
}
|
|
||||||
successCases := map[string]struct {
|
|
||||||
psp *extensions.PodSecurityPolicy
|
|
||||||
}{
|
|
||||||
"must run as": {
|
|
||||||
psp: mustRunAs,
|
|
||||||
},
|
|
||||||
"run as any": {
|
|
||||||
psp: validPSP(),
|
|
||||||
},
|
|
||||||
"run as non-root (user only)": {
|
|
||||||
psp: runAsNonRoot,
|
|
||||||
},
|
|
||||||
"comparison for add -> drop is case sensitive": {
|
|
||||||
psp: caseInsensitiveAddDrop,
|
|
||||||
},
|
|
||||||
"comparison for allowed -> drop is case sensitive": {
|
|
||||||
psp: caseInsensitiveAllowedDrop,
|
|
||||||
},
|
|
||||||
"valid AppArmor annotations": {
|
|
||||||
psp: validAppArmor,
|
|
||||||
},
|
|
||||||
"with network sysctls": {
|
|
||||||
psp: withSysctl,
|
|
||||||
},
|
|
||||||
"valid seccomp annotations": {
|
|
||||||
psp: validSeccomp,
|
|
||||||
},
|
|
||||||
"valid defaultAllowPrivilegeEscalation as true": {
|
|
||||||
psp: validDefaultAllowPrivilegeEscalation,
|
|
||||||
},
|
|
||||||
"allow white-listed flexVolume when flex volumes are allowed": {
|
|
||||||
psp: flexvolumeWhenFlexVolumesAllowed,
|
|
||||||
},
|
|
||||||
"allow white-listed flexVolume when all volumes are allowed": {
|
|
||||||
psp: flexvolumeWhenAllVolumesAllowed,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for k, v := range successCases {
|
|
||||||
if errs := ValidatePodSecurityPolicy(v.psp); len(errs) != 0 {
|
|
||||||
t.Errorf("Expected success for %s, got %v", k, errs)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Should be able to update to a valid PSP.
|
|
||||||
v.psp.ResourceVersion = "444" // Required for updates.
|
|
||||||
if errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp); len(errs) != 0 {
|
|
||||||
t.Errorf("Expected success for %s update, got %v", k, errs)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestValidatePSPVolumes(t *testing.T) {
|
|
||||||
validPSP := func() *extensions.PodSecurityPolicy {
|
|
||||||
return &extensions.PodSecurityPolicy{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "foo"},
|
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
|
||||||
SELinux: extensions.SELinuxStrategyOptions{
|
|
||||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
|
||||||
},
|
|
||||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
|
||||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
|
||||||
},
|
|
||||||
FSGroup: extensions.FSGroupStrategyOptions{
|
|
||||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
|
||||||
},
|
|
||||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
|
||||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
volumes := psputil.GetAllFSTypesAsSet()
|
|
||||||
// add in the * value since that is a pseudo type that is not included by default
|
|
||||||
volumes.Insert(string(extensions.All))
|
|
||||||
|
|
||||||
for _, strVolume := range volumes.List() {
|
|
||||||
psp := validPSP()
|
|
||||||
psp.Spec.Volumes = []extensions.FSType{extensions.FSType(strVolume)}
|
|
||||||
errs := ValidatePodSecurityPolicy(psp)
|
|
||||||
if len(errs) != 0 {
|
|
||||||
t.Errorf("%s validation expected no errors but received %v", strVolume, errs)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestIsValidSysctlPattern(t *testing.T) {
|
|
||||||
valid := []string{
|
|
||||||
"a.b.c.d",
|
|
||||||
"a",
|
|
||||||
"a_b",
|
|
||||||
"a-b",
|
|
||||||
"abc",
|
|
||||||
"abc.def",
|
|
||||||
"*",
|
|
||||||
"a.*",
|
|
||||||
"*",
|
|
||||||
"abc*",
|
|
||||||
"a.abc*",
|
|
||||||
"a.b.*",
|
|
||||||
}
|
|
||||||
invalid := []string{
|
|
||||||
"",
|
|
||||||
"ä",
|
|
||||||
"a_",
|
|
||||||
"_",
|
|
||||||
"_a",
|
|
||||||
"_a._b",
|
|
||||||
"__",
|
|
||||||
"-",
|
|
||||||
".",
|
|
||||||
"a.",
|
|
||||||
".a",
|
|
||||||
"a.b.",
|
|
||||||
"a*.b",
|
|
||||||
"a*b",
|
|
||||||
"*a",
|
|
||||||
"Abc",
|
|
||||||
func(n int) string {
|
|
||||||
x := make([]byte, n)
|
|
||||||
for i := range x {
|
|
||||||
x[i] = byte('a')
|
|
||||||
}
|
|
||||||
return string(x)
|
|
||||||
}(256),
|
|
||||||
}
|
|
||||||
for _, s := range valid {
|
|
||||||
if !IsValidSysctlPattern(s) {
|
|
||||||
t.Errorf("%q expected to be a valid sysctl pattern", s)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for _, s := range invalid {
|
|
||||||
if IsValidSysctlPattern(s) {
|
|
||||||
t.Errorf("%q expected to be an invalid sysctl pattern", s)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func Test_validatePSPRunAsUser(t *testing.T) {
|
|
||||||
var testCases = []struct {
|
|
||||||
name string
|
|
||||||
runAsUserStrategy extensions.RunAsUserStrategyOptions
|
|
||||||
fail bool
|
|
||||||
}{
|
|
||||||
{"Invalid RunAsUserStrategy", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategy("someInvalidStrategy")}, true},
|
|
||||||
{"RunAsUserStrategyMustRunAs", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs}, false},
|
|
||||||
{"RunAsUserStrategyMustRunAsNonRoot", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAsNonRoot}, false},
|
|
||||||
{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs, Ranges: []extensions.UserIDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
|
|
||||||
{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs, Ranges: []extensions.UserIDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, testCase := range testCases {
|
|
||||||
t.Run(testCase.name, func(t *testing.T) {
|
|
||||||
errList := validatePSPRunAsUser(field.NewPath("status"), &testCase.runAsUserStrategy)
|
|
||||||
actualErrors := len(errList)
|
|
||||||
expectedErrors := 1
|
|
||||||
if !testCase.fail {
|
|
||||||
expectedErrors = 0
|
|
||||||
}
|
|
||||||
if actualErrors != expectedErrors {
|
|
||||||
t.Errorf("In testCase %v, expected %v errors, got %v errors", testCase.name, expectedErrors, actualErrors)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
293
pkg/apis/extensions/zz_generated.deepcopy.go
generated
293
pkg/apis/extensions/zz_generated.deepcopy.go
generated
@ -23,41 +23,8 @@ package extensions
|
|||||||
import (
|
import (
|
||||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||||
core "k8s.io/kubernetes/pkg/apis/core"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume) {
|
|
||||||
*out = *in
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.
|
|
||||||
func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(AllowedFlexVolume)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
|
|
||||||
*out = *in
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
|
|
||||||
func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(AllowedHostPath)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
|
func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
|
||||||
*out = *in
|
*out = *in
|
||||||
@ -532,43 +499,6 @@ func (in *DeploymentStrategy) DeepCopy() *DeploymentStrategy {
|
|||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions) {
|
|
||||||
*out = *in
|
|
||||||
if in.Ranges != nil {
|
|
||||||
in, out := &in.Ranges, &out.Ranges
|
|
||||||
*out = make([]GroupIDRange, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
|
|
||||||
func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(FSGroupStrategyOptions)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *GroupIDRange) DeepCopyInto(out *GroupIDRange) {
|
|
||||||
*out = *in
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupIDRange.
|
|
||||||
func (in *GroupIDRange) DeepCopy() *GroupIDRange {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(GroupIDRange)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *HTTPIngressPath) DeepCopyInto(out *HTTPIngressPath) {
|
func (in *HTTPIngressPath) DeepCopyInto(out *HTTPIngressPath) {
|
||||||
*out = *in
|
*out = *in
|
||||||
@ -607,22 +537,6 @@ func (in *HTTPIngressRuleValue) DeepCopy() *HTTPIngressRuleValue {
|
|||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *HostPortRange) DeepCopyInto(out *HostPortRange) {
|
|
||||||
*out = *in
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.
|
|
||||||
func (in *HostPortRange) DeepCopy() *HostPortRange {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(HostPortRange)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *Ingress) DeepCopyInto(out *Ingress) {
|
func (in *Ingress) DeepCopyInto(out *Ingress) {
|
||||||
*out = *in
|
*out = *in
|
||||||
@ -820,130 +734,6 @@ func (in *IngressTLS) DeepCopy() *IngressTLS {
|
|||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy) {
|
|
||||||
*out = *in
|
|
||||||
out.TypeMeta = in.TypeMeta
|
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
|
||||||
in.Spec.DeepCopyInto(&out.Spec)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.
|
|
||||||
func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(PodSecurityPolicy)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
|
||||||
func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object {
|
|
||||||
if c := in.DeepCopy(); c != nil {
|
|
||||||
return c
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList) {
|
|
||||||
*out = *in
|
|
||||||
out.TypeMeta = in.TypeMeta
|
|
||||||
out.ListMeta = in.ListMeta
|
|
||||||
if in.Items != nil {
|
|
||||||
in, out := &in.Items, &out.Items
|
|
||||||
*out = make([]PodSecurityPolicy, len(*in))
|
|
||||||
for i := range *in {
|
|
||||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.
|
|
||||||
func (in *PodSecurityPolicyList) DeepCopy() *PodSecurityPolicyList {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(PodSecurityPolicyList)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
|
||||||
func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object {
|
|
||||||
if c := in.DeepCopy(); c != nil {
|
|
||||||
return c
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
|
|
||||||
*out = *in
|
|
||||||
if in.DefaultAddCapabilities != nil {
|
|
||||||
in, out := &in.DefaultAddCapabilities, &out.DefaultAddCapabilities
|
|
||||||
*out = make([]core.Capability, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
if in.RequiredDropCapabilities != nil {
|
|
||||||
in, out := &in.RequiredDropCapabilities, &out.RequiredDropCapabilities
|
|
||||||
*out = make([]core.Capability, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
if in.AllowedCapabilities != nil {
|
|
||||||
in, out := &in.AllowedCapabilities, &out.AllowedCapabilities
|
|
||||||
*out = make([]core.Capability, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
if in.Volumes != nil {
|
|
||||||
in, out := &in.Volumes, &out.Volumes
|
|
||||||
*out = make([]FSType, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
if in.HostPorts != nil {
|
|
||||||
in, out := &in.HostPorts, &out.HostPorts
|
|
||||||
*out = make([]HostPortRange, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
in.SELinux.DeepCopyInto(&out.SELinux)
|
|
||||||
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
|
|
||||||
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
|
|
||||||
in.FSGroup.DeepCopyInto(&out.FSGroup)
|
|
||||||
if in.DefaultAllowPrivilegeEscalation != nil {
|
|
||||||
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
|
|
||||||
if *in == nil {
|
|
||||||
*out = nil
|
|
||||||
} else {
|
|
||||||
*out = new(bool)
|
|
||||||
**out = **in
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if in.AllowedHostPaths != nil {
|
|
||||||
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
|
|
||||||
*out = make([]AllowedHostPath, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
if in.AllowedFlexVolumes != nil {
|
|
||||||
in, out := &in.AllowedFlexVolumes, &out.AllowedFlexVolumes
|
|
||||||
*out = make([]AllowedFlexVolume, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.
|
|
||||||
func (in *PodSecurityPolicySpec) DeepCopy() *PodSecurityPolicySpec {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(PodSecurityPolicySpec)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *ReplicaSet) DeepCopyInto(out *ReplicaSet) {
|
func (in *ReplicaSet) DeepCopyInto(out *ReplicaSet) {
|
||||||
*out = *in
|
*out = *in
|
||||||
@ -1146,86 +936,3 @@ func (in *RollingUpdateDeployment) DeepCopy() *RollingUpdateDeployment {
|
|||||||
in.DeepCopyInto(out)
|
in.DeepCopyInto(out)
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) {
|
|
||||||
*out = *in
|
|
||||||
if in.Ranges != nil {
|
|
||||||
in, out := &in.Ranges, &out.Ranges
|
|
||||||
*out = make([]UserIDRange, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
|
|
||||||
func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(RunAsUserStrategyOptions)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions) {
|
|
||||||
*out = *in
|
|
||||||
if in.SELinuxOptions != nil {
|
|
||||||
in, out := &in.SELinuxOptions, &out.SELinuxOptions
|
|
||||||
if *in == nil {
|
|
||||||
*out = nil
|
|
||||||
} else {
|
|
||||||
*out = new(core.SELinuxOptions)
|
|
||||||
**out = **in
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.
|
|
||||||
func (in *SELinuxStrategyOptions) DeepCopy() *SELinuxStrategyOptions {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(SELinuxStrategyOptions)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions) {
|
|
||||||
*out = *in
|
|
||||||
if in.Ranges != nil {
|
|
||||||
in, out := &in.Ranges, &out.Ranges
|
|
||||||
*out = make([]GroupIDRange, len(*in))
|
|
||||||
copy(*out, *in)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
|
|
||||||
func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(SupplementalGroupsStrategyOptions)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *UserIDRange) DeepCopyInto(out *UserIDRange) {
|
|
||||||
*out = *in
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserIDRange.
|
|
||||||
func (in *UserIDRange) DeepCopy() *UserIDRange {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(UserIDRange)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
@ -3,19 +3,21 @@ package(default_visibility = ["//visibility:public"])
|
|||||||
load(
|
load(
|
||||||
"@io_bazel_rules_go//go:def.bzl",
|
"@io_bazel_rules_go//go:def.bzl",
|
||||||
"go_library",
|
"go_library",
|
||||||
|
"go_test",
|
||||||
)
|
)
|
||||||
|
|
||||||
go_library(
|
go_library(
|
||||||
name = "go_default_library",
|
name = "go_default_library",
|
||||||
srcs = [
|
srcs = [
|
||||||
"doc.go",
|
"doc.go",
|
||||||
|
"helpers.go",
|
||||||
"register.go",
|
"register.go",
|
||||||
"types.go",
|
"types.go",
|
||||||
"zz_generated.deepcopy.go",
|
"zz_generated.deepcopy.go",
|
||||||
],
|
],
|
||||||
importpath = "k8s.io/kubernetes/pkg/apis/policy",
|
importpath = "k8s.io/kubernetes/pkg/apis/policy",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||||
@ -41,3 +43,9 @@ filegroup(
|
|||||||
],
|
],
|
||||||
tags = ["automanaged"],
|
tags = ["automanaged"],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
go_test(
|
||||||
|
name = "go_default_test",
|
||||||
|
srcs = ["helpers_test.go"],
|
||||||
|
embed = [":go_default_library"],
|
||||||
|
)
|
||||||
|
@ -30,5 +30,33 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
|
|||||||
c.FuzzNoCustom(s) // fuzz self without calling this function again
|
c.FuzzNoCustom(s) // fuzz self without calling this function again
|
||||||
s.PodDisruptionsAllowed = int32(c.Rand.Intn(2))
|
s.PodDisruptionsAllowed = int32(c.Rand.Intn(2))
|
||||||
},
|
},
|
||||||
|
func(psp *policy.PodSecurityPolicySpec, c fuzz.Continue) {
|
||||||
|
c.FuzzNoCustom(psp) // fuzz self without calling this function again
|
||||||
|
|
||||||
|
runAsUserRules := []policy.RunAsUserStrategy{
|
||||||
|
policy.RunAsUserStrategyMustRunAsNonRoot,
|
||||||
|
policy.RunAsUserStrategyMustRunAs,
|
||||||
|
policy.RunAsUserStrategyRunAsAny,
|
||||||
|
}
|
||||||
|
psp.RunAsUser.Rule = runAsUserRules[c.Rand.Intn(len(runAsUserRules))]
|
||||||
|
|
||||||
|
seLinuxRules := []policy.SELinuxStrategy{
|
||||||
|
policy.SELinuxStrategyMustRunAs,
|
||||||
|
policy.SELinuxStrategyRunAsAny,
|
||||||
|
}
|
||||||
|
psp.SELinux.Rule = seLinuxRules[c.Rand.Intn(len(seLinuxRules))]
|
||||||
|
|
||||||
|
supplementalGroupsRules := []policy.SupplementalGroupsStrategyType{
|
||||||
|
policy.SupplementalGroupsStrategyRunAsAny,
|
||||||
|
policy.SupplementalGroupsStrategyMustRunAs,
|
||||||
|
}
|
||||||
|
psp.SupplementalGroups.Rule = supplementalGroupsRules[c.Rand.Intn(len(supplementalGroupsRules))]
|
||||||
|
|
||||||
|
fsGroupRules := []policy.FSGroupStrategyType{
|
||||||
|
policy.FSGroupStrategyMustRunAs,
|
||||||
|
policy.FSGroupStrategyRunAsAny,
|
||||||
|
}
|
||||||
|
psp.FSGroup.Rule = fsGroupRules[c.Rand.Intn(len(fsGroupRules))]
|
||||||
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -14,14 +14,14 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package extensions
|
package policy
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
|
|
||||||
// SysctlsFromPodSecurityPolicyAnnotation parses an annotation value of the key
|
// SysctlsFromPodSecurityPolicyAnnotation parses an annotation value of the key
|
||||||
// SysctlsSecurityPolocyAnnotationKey into a slice of sysctls. An empty slice
|
// SysctlsSecurityPolicyAnnotationKey into a slice of sysctls. An empty slice
|
||||||
// is returned if annotation is the empty string.
|
// is returned if annotation is the empty string.
|
||||||
func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error) {
|
func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error) {
|
||||||
if len(annotation) == 0 {
|
if len(annotation) == 0 {
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package extensions
|
package policy
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"reflect"
|
"reflect"
|
@ -19,7 +19,6 @@ package policy
|
|||||||
import (
|
import (
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// GroupName is the group name use in this package
|
// GroupName is the group name use in this package
|
||||||
@ -49,8 +48,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
|
|||||||
scheme.AddKnownTypes(SchemeGroupVersion,
|
scheme.AddKnownTypes(SchemeGroupVersion,
|
||||||
&PodDisruptionBudget{},
|
&PodDisruptionBudget{},
|
||||||
&PodDisruptionBudgetList{},
|
&PodDisruptionBudgetList{},
|
||||||
&extensions.PodSecurityPolicy{},
|
&PodSecurityPolicy{},
|
||||||
&extensions.PodSecurityPolicyList{},
|
&PodSecurityPolicyList{},
|
||||||
&Eviction{},
|
&Eviction{},
|
||||||
)
|
)
|
||||||
return nil
|
return nil
|
||||||
|
@ -19,6 +19,14 @@ package policy
|
|||||||
import (
|
import (
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/util/intstr"
|
"k8s.io/apimachinery/pkg/util/intstr"
|
||||||
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// SysctlsPodSecurityPolicyAnnotationKey represents the key of a whitelist of
|
||||||
|
// allowed safe and unsafe sysctls in a pod spec. It's a comma-separated list of plain sysctl
|
||||||
|
// names or sysctl patterns (which end in *). The string "*" matches all sysctls.
|
||||||
|
SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
|
||||||
)
|
)
|
||||||
|
|
||||||
// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
|
// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
|
||||||
@ -122,3 +130,271 @@ type Eviction struct {
|
|||||||
// +optional
|
// +optional
|
||||||
DeleteOptions *metav1.DeleteOptions
|
DeleteOptions *metav1.DeleteOptions
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// +genclient
|
||||||
|
// +genclient:nonNamespaced
|
||||||
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
|
|
||||||
|
// PodSecurityPolicy governs the ability to make requests that affect the SecurityContext
|
||||||
|
// that will be applied to a pod and container.
|
||||||
|
type PodSecurityPolicy struct {
|
||||||
|
metav1.TypeMeta
|
||||||
|
// +optional
|
||||||
|
metav1.ObjectMeta
|
||||||
|
|
||||||
|
// Spec defines the policy enforced.
|
||||||
|
// +optional
|
||||||
|
Spec PodSecurityPolicySpec
|
||||||
|
}
|
||||||
|
|
||||||
|
// PodSecurityPolicySpec defines the policy enforced.
|
||||||
|
type PodSecurityPolicySpec struct {
|
||||||
|
// Privileged determines if a pod can request to be run as privileged.
|
||||||
|
// +optional
|
||||||
|
Privileged bool
|
||||||
|
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
|
||||||
|
// unless the pod spec specifically drops the capability. You may not list a capability in both
|
||||||
|
// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
|
||||||
|
// allowed, and need not be included in the AllowedCapabilities list.
|
||||||
|
// +optional
|
||||||
|
DefaultAddCapabilities []api.Capability
|
||||||
|
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
|
||||||
|
// are required to be dropped and cannot be added.
|
||||||
|
// +optional
|
||||||
|
RequiredDropCapabilities []api.Capability
|
||||||
|
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
|
||||||
|
// Capabilities in this field may be added at the pod author's discretion.
|
||||||
|
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
|
||||||
|
// To allow all capabilities you may use '*'.
|
||||||
|
// +optional
|
||||||
|
AllowedCapabilities []api.Capability
|
||||||
|
// Volumes is a white list of allowed volume plugins. Empty indicates that
|
||||||
|
// no volumes may be used. To allow all volumes you may use '*'.
|
||||||
|
// +optional
|
||||||
|
Volumes []FSType
|
||||||
|
// HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
|
||||||
|
// +optional
|
||||||
|
HostNetwork bool
|
||||||
|
// HostPorts determines which host port ranges are allowed to be exposed.
|
||||||
|
// +optional
|
||||||
|
HostPorts []HostPortRange
|
||||||
|
// HostPID determines if the policy allows the use of HostPID in the pod spec.
|
||||||
|
// +optional
|
||||||
|
HostPID bool
|
||||||
|
// HostIPC determines if the policy allows the use of HostIPC in the pod spec.
|
||||||
|
// +optional
|
||||||
|
HostIPC bool
|
||||||
|
// SELinux is the strategy that will dictate the allowable labels that may be set.
|
||||||
|
SELinux SELinuxStrategyOptions
|
||||||
|
// RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
|
||||||
|
RunAsUser RunAsUserStrategyOptions
|
||||||
|
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
|
||||||
|
SupplementalGroups SupplementalGroupsStrategyOptions
|
||||||
|
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
|
||||||
|
FSGroup FSGroupStrategyOptions
|
||||||
|
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
|
||||||
|
// system. If the container specifically requests to run with a non-read only root file system
|
||||||
|
// the PSP should deny the pod.
|
||||||
|
// If set to false the container may run with a read only root file system if it wishes but it
|
||||||
|
// will not be forced to.
|
||||||
|
// +optional
|
||||||
|
ReadOnlyRootFilesystem bool
|
||||||
|
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
|
||||||
|
// process can gain more privileges than its parent process.
|
||||||
|
// +optional
|
||||||
|
DefaultAllowPrivilegeEscalation *bool
|
||||||
|
// AllowPrivilegeEscalation determines if a pod can request to allow
|
||||||
|
// privilege escalation. If unspecified, defaults to true.
|
||||||
|
// +optional
|
||||||
|
AllowPrivilegeEscalation bool
|
||||||
|
// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
|
||||||
|
// +optional
|
||||||
|
AllowedHostPaths []AllowedHostPath
|
||||||
|
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
|
||||||
|
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
|
||||||
|
// is allowed in the "Volumes" field.
|
||||||
|
// +optional
|
||||||
|
AllowedFlexVolumes []AllowedFlexVolume
|
||||||
|
}
|
||||||
|
|
||||||
|
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
|
||||||
|
// for pods to use. It requires the path prefix to be defined.
|
||||||
|
type AllowedHostPath struct {
|
||||||
|
// PathPrefix is the path prefix that the host volume must match.
|
||||||
|
// PathPrefix does not support `*`.
|
||||||
|
// Trailing slashes are trimmed when validating the path prefix with a host path.
|
||||||
|
//
|
||||||
|
// Examples:
|
||||||
|
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
|
||||||
|
// `/foo` would not allow `/food` or `/etc/foo`
|
||||||
|
PathPrefix string
|
||||||
|
}
|
||||||
|
|
||||||
|
// HostPortRange defines a range of host ports that will be enabled by a policy
|
||||||
|
// for pods to use. It requires both the start and end to be defined.
|
||||||
|
type HostPortRange struct {
|
||||||
|
// Min is the start of the range, inclusive.
|
||||||
|
Min int32
|
||||||
|
// Max is the end of the range, inclusive.
|
||||||
|
Max int32
|
||||||
|
}
|
||||||
|
|
||||||
|
// AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities
|
||||||
|
// field and means that any capabilities are allowed to be requested.
|
||||||
|
var AllowAllCapabilities api.Capability = "*"
|
||||||
|
|
||||||
|
// FSType gives strong typing to different file systems that are used by volumes.
|
||||||
|
type FSType string
|
||||||
|
|
||||||
|
var (
|
||||||
|
AzureFile FSType = "azureFile"
|
||||||
|
Flocker FSType = "flocker"
|
||||||
|
FlexVolume FSType = "flexVolume"
|
||||||
|
HostPath FSType = "hostPath"
|
||||||
|
EmptyDir FSType = "emptyDir"
|
||||||
|
GCEPersistentDisk FSType = "gcePersistentDisk"
|
||||||
|
AWSElasticBlockStore FSType = "awsElasticBlockStore"
|
||||||
|
GitRepo FSType = "gitRepo"
|
||||||
|
Secret FSType = "secret"
|
||||||
|
NFS FSType = "nfs"
|
||||||
|
ISCSI FSType = "iscsi"
|
||||||
|
Glusterfs FSType = "glusterfs"
|
||||||
|
PersistentVolumeClaim FSType = "persistentVolumeClaim"
|
||||||
|
RBD FSType = "rbd"
|
||||||
|
Cinder FSType = "cinder"
|
||||||
|
CephFS FSType = "cephFS"
|
||||||
|
DownwardAPI FSType = "downwardAPI"
|
||||||
|
FC FSType = "fc"
|
||||||
|
ConfigMap FSType = "configMap"
|
||||||
|
VsphereVolume FSType = "vsphereVolume"
|
||||||
|
Quobyte FSType = "quobyte"
|
||||||
|
AzureDisk FSType = "azureDisk"
|
||||||
|
PhotonPersistentDisk FSType = "photonPersistentDisk"
|
||||||
|
StorageOS FSType = "storageos"
|
||||||
|
Projected FSType = "projected"
|
||||||
|
PortworxVolume FSType = "portworxVolume"
|
||||||
|
ScaleIO FSType = "scaleIO"
|
||||||
|
CSI FSType = "csi"
|
||||||
|
All FSType = "*"
|
||||||
|
)
|
||||||
|
|
||||||
|
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
|
||||||
|
type AllowedFlexVolume struct {
|
||||||
|
// Driver is the name of the Flexvolume driver.
|
||||||
|
Driver string
|
||||||
|
}
|
||||||
|
|
||||||
|
// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
|
||||||
|
type SELinuxStrategyOptions struct {
|
||||||
|
// Rule is the strategy that will dictate the allowable labels that may be set.
|
||||||
|
Rule SELinuxStrategy
|
||||||
|
// SELinuxOptions required to run as; required for MustRunAs
|
||||||
|
// More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
|
||||||
|
// +optional
|
||||||
|
SELinuxOptions *api.SELinuxOptions
|
||||||
|
}
|
||||||
|
|
||||||
|
// SELinuxStrategy denotes strategy types for generating SELinux options for a
|
||||||
|
// Security.
|
||||||
|
type SELinuxStrategy string
|
||||||
|
|
||||||
|
const (
|
||||||
|
// SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
|
||||||
|
SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
|
||||||
|
// SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
|
||||||
|
SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
|
||||||
|
type RunAsUserStrategyOptions struct {
|
||||||
|
// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
|
||||||
|
Rule RunAsUserStrategy
|
||||||
|
// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
|
||||||
|
// then supply a single range with the same start and end. Required for MustRunAs.
|
||||||
|
// +optional
|
||||||
|
Ranges []UserIDRange
|
||||||
|
}
|
||||||
|
|
||||||
|
// UserIDRange provides a min/max of an allowed range of UserIDs.
|
||||||
|
type UserIDRange struct {
|
||||||
|
// Min is the start of the range, inclusive.
|
||||||
|
Min int64
|
||||||
|
// Max is the end of the range, inclusive.
|
||||||
|
Max int64
|
||||||
|
}
|
||||||
|
|
||||||
|
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
|
||||||
|
type GroupIDRange struct {
|
||||||
|
// Min is the start of the range, inclusive.
|
||||||
|
Min int64
|
||||||
|
// Max is the end of the range, inclusive.
|
||||||
|
Max int64
|
||||||
|
}
|
||||||
|
|
||||||
|
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
|
||||||
|
// SecurityContext.
|
||||||
|
type RunAsUserStrategy string
|
||||||
|
|
||||||
|
const (
|
||||||
|
// RunAsUserStrategyMustRunAs means that container must run as a particular uid.
|
||||||
|
RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
|
||||||
|
// RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid
|
||||||
|
RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
|
||||||
|
// RunAsUserStrategyRunAsAny means that container may make requests for any uid.
|
||||||
|
RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
|
||||||
|
)
|
||||||
|
|
||||||
|
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
|
||||||
|
type FSGroupStrategyOptions struct {
|
||||||
|
// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
|
||||||
|
// +optional
|
||||||
|
Rule FSGroupStrategyType
|
||||||
|
// Ranges are the allowed ranges of fs groups. If you would like to force a single
|
||||||
|
// fs group then supply a single range with the same start and end. Required for MustRunAs.
|
||||||
|
// +optional
|
||||||
|
Ranges []GroupIDRange
|
||||||
|
}
|
||||||
|
|
||||||
|
// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
|
||||||
|
// SecurityContext
|
||||||
|
type FSGroupStrategyType string
|
||||||
|
|
||||||
|
const (
|
||||||
|
// FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.
|
||||||
|
FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
|
||||||
|
// FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
|
||||||
|
FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
|
||||||
|
type SupplementalGroupsStrategyOptions struct {
|
||||||
|
// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
|
||||||
|
// +optional
|
||||||
|
Rule SupplementalGroupsStrategyType
|
||||||
|
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
|
||||||
|
// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
|
||||||
|
// +optional
|
||||||
|
Ranges []GroupIDRange
|
||||||
|
}
|
||||||
|
|
||||||
|
// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
|
||||||
|
// groups for a SecurityContext.
|
||||||
|
type SupplementalGroupsStrategyType string
|
||||||
|
|
||||||
|
const (
|
||||||
|
// SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
|
||||||
|
SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
|
||||||
|
// SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
|
||||||
|
SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
|
||||||
|
)
|
||||||
|
|
||||||
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
|
|
||||||
|
// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
|
||||||
|
type PodSecurityPolicyList struct {
|
||||||
|
metav1.TypeMeta
|
||||||
|
// +optional
|
||||||
|
metav1.ListMeta
|
||||||
|
|
||||||
|
Items []PodSecurityPolicy
|
||||||
|
}
|
||||||
|
@ -17,7 +17,6 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/apis/policy/v1beta1",
|
importpath = "k8s.io/kubernetes/pkg/apis/policy/v1beta1",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
|
||||||
"//pkg/apis/policy:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//vendor/k8s.io/api/core/v1:go_default_library",
|
"//vendor/k8s.io/api/core/v1:go_default_library",
|
||||||
"//vendor/k8s.io/api/policy/v1beta1:go_default_library",
|
"//vendor/k8s.io/api/policy/v1beta1:go_default_library",
|
||||||
|
@ -15,7 +15,6 @@ limitations under the License.
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/policy
|
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/policy
|
||||||
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/extensions
|
|
||||||
// +k8s:conversion-gen-external-types=k8s.io/api/policy/v1beta1
|
// +k8s:conversion-gen-external-types=k8s.io/api/policy/v1beta1
|
||||||
// +k8s:defaulter-gen=TypeMeta
|
// +k8s:defaulter-gen=TypeMeta
|
||||||
// +k8s:defaulter-gen-input=../../../../vendor/k8s.io/api/policy/v1beta1
|
// +k8s:defaulter-gen-input=../../../../vendor/k8s.io/api/policy/v1beta1
|
||||||
|
249
pkg/apis/policy/v1beta1/zz_generated.conversion.go
generated
249
pkg/apis/policy/v1beta1/zz_generated.conversion.go
generated
@ -30,7 +30,6 @@ import (
|
|||||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||||
intstr "k8s.io/apimachinery/pkg/util/intstr"
|
intstr "k8s.io/apimachinery/pkg/util/intstr"
|
||||||
core "k8s.io/kubernetes/pkg/apis/core"
|
core "k8s.io/kubernetes/pkg/apis/core"
|
||||||
extensions "k8s.io/kubernetes/pkg/apis/extensions"
|
|
||||||
policy "k8s.io/kubernetes/pkg/apis/policy"
|
policy "k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -42,16 +41,16 @@ func init() {
|
|||||||
// Public to allow building arbitrary schemes.
|
// Public to allow building arbitrary schemes.
|
||||||
func RegisterConversions(scheme *runtime.Scheme) error {
|
func RegisterConversions(scheme *runtime.Scheme) error {
|
||||||
return scheme.AddGeneratedConversionFuncs(
|
return scheme.AddGeneratedConversionFuncs(
|
||||||
Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume,
|
Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume,
|
||||||
Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume,
|
Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume,
|
||||||
Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath,
|
Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath,
|
||||||
Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath,
|
Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath,
|
||||||
Convert_v1beta1_Eviction_To_policy_Eviction,
|
Convert_v1beta1_Eviction_To_policy_Eviction,
|
||||||
Convert_policy_Eviction_To_v1beta1_Eviction,
|
Convert_policy_Eviction_To_v1beta1_Eviction,
|
||||||
Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions,
|
Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions,
|
||||||
Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions,
|
Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions,
|
||||||
Convert_v1beta1_HostPortRange_To_extensions_HostPortRange,
|
Convert_v1beta1_HostPortRange_To_policy_HostPortRange,
|
||||||
Convert_extensions_HostPortRange_To_v1beta1_HostPortRange,
|
Convert_policy_HostPortRange_To_v1beta1_HostPortRange,
|
||||||
Convert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget,
|
Convert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget,
|
||||||
Convert_policy_PodDisruptionBudget_To_v1beta1_PodDisruptionBudget,
|
Convert_policy_PodDisruptionBudget_To_v1beta1_PodDisruptionBudget,
|
||||||
Convert_v1beta1_PodDisruptionBudgetList_To_policy_PodDisruptionBudgetList,
|
Convert_v1beta1_PodDisruptionBudgetList_To_policy_PodDisruptionBudgetList,
|
||||||
@ -60,59 +59,59 @@ func RegisterConversions(scheme *runtime.Scheme) error {
|
|||||||
Convert_policy_PodDisruptionBudgetSpec_To_v1beta1_PodDisruptionBudgetSpec,
|
Convert_policy_PodDisruptionBudgetSpec_To_v1beta1_PodDisruptionBudgetSpec,
|
||||||
Convert_v1beta1_PodDisruptionBudgetStatus_To_policy_PodDisruptionBudgetStatus,
|
Convert_v1beta1_PodDisruptionBudgetStatus_To_policy_PodDisruptionBudgetStatus,
|
||||||
Convert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStatus,
|
Convert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStatus,
|
||||||
Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy,
|
Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy,
|
||||||
Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy,
|
Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy,
|
||||||
Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList,
|
Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList,
|
||||||
Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList,
|
Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList,
|
||||||
Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec,
|
Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec,
|
||||||
Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
|
Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
|
||||||
Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions,
|
Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions,
|
||||||
Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions,
|
Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions,
|
||||||
Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions,
|
Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions,
|
||||||
Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions,
|
Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions,
|
||||||
Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions,
|
Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions,
|
||||||
Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions,
|
Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *extensions.AllowedFlexVolume, s conversion.Scope) error {
|
func autoConvert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *policy.AllowedFlexVolume, s conversion.Scope) error {
|
||||||
out.Driver = in.Driver
|
out.Driver = in.Driver
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume is an autogenerated conversion function.
|
// Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *extensions.AllowedFlexVolume, s conversion.Scope) error {
|
func Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *policy.AllowedFlexVolume, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in, out, s)
|
return autoConvert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *extensions.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
|
func autoConvert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *policy.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
|
||||||
out.Driver = in.Driver
|
out.Driver = in.Driver
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume is an autogenerated conversion function.
|
// Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume is an autogenerated conversion function.
|
||||||
func Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *extensions.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
|
func Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *policy.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in, out, s)
|
return autoConvert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
|
func autoConvert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in *v1beta1.AllowedHostPath, out *policy.AllowedHostPath, s conversion.Scope) error {
|
||||||
out.PathPrefix = in.PathPrefix
|
out.PathPrefix = in.PathPrefix
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath is an autogenerated conversion function.
|
// Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
|
func Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in *v1beta1.AllowedHostPath, out *policy.AllowedHostPath, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in, out, s)
|
return autoConvert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
|
func autoConvert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in *policy.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
|
||||||
out.PathPrefix = in.PathPrefix
|
out.PathPrefix = in.PathPrefix
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
|
// Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
|
||||||
func Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
|
func Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in *policy.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
|
return autoConvert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_Eviction_To_policy_Eviction(in *v1beta1.Eviction, out *policy.Eviction, s conversion.Scope) error {
|
func autoConvert_v1beta1_Eviction_To_policy_Eviction(in *v1beta1.Eviction, out *policy.Eviction, s conversion.Scope) error {
|
||||||
@ -137,48 +136,48 @@ func Convert_policy_Eviction_To_v1beta1_Eviction(in *policy.Eviction, out *v1bet
|
|||||||
return autoConvert_policy_Eviction_To_v1beta1_Eviction(in, out, s)
|
return autoConvert_policy_Eviction_To_v1beta1_Eviction(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error {
|
func autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = extensions.FSGroupStrategyType(in.Rule)
|
out.Rule = policy.FSGroupStrategyType(in.Rule)
|
||||||
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions is an autogenerated conversion function.
|
// Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error {
|
func Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in, out, s)
|
return autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *extensions.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
|
func autoConvert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *policy.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = v1beta1.FSGroupStrategyType(in.Rule)
|
out.Rule = v1beta1.FSGroupStrategyType(in.Rule)
|
||||||
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions is an autogenerated conversion function.
|
// Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *extensions.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
|
func Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *policy.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in, out, s)
|
return autoConvert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_HostPortRange_To_extensions_HostPortRange(in *v1beta1.HostPortRange, out *extensions.HostPortRange, s conversion.Scope) error {
|
func autoConvert_v1beta1_HostPortRange_To_policy_HostPortRange(in *v1beta1.HostPortRange, out *policy.HostPortRange, s conversion.Scope) error {
|
||||||
out.Min = in.Min
|
out.Min = in.Min
|
||||||
out.Max = in.Max
|
out.Max = in.Max
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_HostPortRange_To_extensions_HostPortRange is an autogenerated conversion function.
|
// Convert_v1beta1_HostPortRange_To_policy_HostPortRange is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_HostPortRange_To_extensions_HostPortRange(in *v1beta1.HostPortRange, out *extensions.HostPortRange, s conversion.Scope) error {
|
func Convert_v1beta1_HostPortRange_To_policy_HostPortRange(in *v1beta1.HostPortRange, out *policy.HostPortRange, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_HostPortRange_To_extensions_HostPortRange(in, out, s)
|
return autoConvert_v1beta1_HostPortRange_To_policy_HostPortRange(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
|
func autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
|
||||||
out.Min = in.Min
|
out.Min = in.Min
|
||||||
out.Max = in.Max
|
out.Max = in.Max
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_HostPortRange_To_v1beta1_HostPortRange is an autogenerated conversion function.
|
// Convert_policy_HostPortRange_To_v1beta1_HostPortRange is an autogenerated conversion function.
|
||||||
func Convert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
|
func Convert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
|
return autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget(in *v1beta1.PodDisruptionBudget, out *policy.PodDisruptionBudget, s conversion.Scope) error {
|
func autoConvert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget(in *v1beta1.PodDisruptionBudget, out *policy.PodDisruptionBudget, s conversion.Scope) error {
|
||||||
@ -289,39 +288,39 @@ func Convert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStat
|
|||||||
return autoConvert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStatus(in, out, s)
|
return autoConvert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStatus(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *extensions.PodSecurityPolicy, s conversion.Scope) error {
|
func autoConvert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *policy.PodSecurityPolicy, s conversion.Scope) error {
|
||||||
out.ObjectMeta = in.ObjectMeta
|
out.ObjectMeta = in.ObjectMeta
|
||||||
if err := Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
|
if err := Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy is an autogenerated conversion function.
|
// Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *extensions.PodSecurityPolicy, s conversion.Scope) error {
|
func Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *policy.PodSecurityPolicy, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in, out, s)
|
return autoConvert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *extensions.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
|
func autoConvert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *policy.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
|
||||||
out.ObjectMeta = in.ObjectMeta
|
out.ObjectMeta = in.ObjectMeta
|
||||||
if err := Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
|
if err := Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy is an autogenerated conversion function.
|
// Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy is an autogenerated conversion function.
|
||||||
func Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *extensions.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
|
func Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *policy.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in, out, s)
|
return autoConvert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *extensions.PodSecurityPolicyList, s conversion.Scope) error {
|
func autoConvert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *policy.PodSecurityPolicyList, s conversion.Scope) error {
|
||||||
out.ListMeta = in.ListMeta
|
out.ListMeta = in.ListMeta
|
||||||
if in.Items != nil {
|
if in.Items != nil {
|
||||||
in, out := &in.Items, &out.Items
|
in, out := &in.Items, &out.Items
|
||||||
*out = make([]extensions.PodSecurityPolicy, len(*in))
|
*out = make([]policy.PodSecurityPolicy, len(*in))
|
||||||
for i := range *in {
|
for i := range *in {
|
||||||
if err := Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
|
if err := Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -331,18 +330,18 @@ func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyLi
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList is an autogenerated conversion function.
|
// Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *extensions.PodSecurityPolicyList, s conversion.Scope) error {
|
func Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *policy.PodSecurityPolicyList, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in, out, s)
|
return autoConvert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *extensions.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
|
func autoConvert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *policy.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
|
||||||
out.ListMeta = in.ListMeta
|
out.ListMeta = in.ListMeta
|
||||||
if in.Items != nil {
|
if in.Items != nil {
|
||||||
in, out := &in.Items, &out.Items
|
in, out := &in.Items, &out.Items
|
||||||
*out = make([]v1beta1.PodSecurityPolicy, len(*in))
|
*out = make([]v1beta1.PodSecurityPolicy, len(*in))
|
||||||
for i := range *in {
|
for i := range *in {
|
||||||
if err := Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
|
if err := Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -352,31 +351,31 @@ func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyLi
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList is an autogenerated conversion function.
|
// Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList is an autogenerated conversion function.
|
||||||
func Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *extensions.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
|
func Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *policy.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in, out, s)
|
return autoConvert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *extensions.PodSecurityPolicySpec, s conversion.Scope) error {
|
func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *policy.PodSecurityPolicySpec, s conversion.Scope) error {
|
||||||
out.Privileged = in.Privileged
|
out.Privileged = in.Privileged
|
||||||
out.DefaultAddCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
|
out.DefaultAddCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
|
||||||
out.RequiredDropCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
|
out.RequiredDropCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
|
||||||
out.AllowedCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.AllowedCapabilities))
|
out.AllowedCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.AllowedCapabilities))
|
||||||
out.Volumes = *(*[]extensions.FSType)(unsafe.Pointer(&in.Volumes))
|
out.Volumes = *(*[]policy.FSType)(unsafe.Pointer(&in.Volumes))
|
||||||
out.HostNetwork = in.HostNetwork
|
out.HostNetwork = in.HostNetwork
|
||||||
out.HostPorts = *(*[]extensions.HostPortRange)(unsafe.Pointer(&in.HostPorts))
|
out.HostPorts = *(*[]policy.HostPortRange)(unsafe.Pointer(&in.HostPorts))
|
||||||
out.HostPID = in.HostPID
|
out.HostPID = in.HostPID
|
||||||
out.HostIPC = in.HostIPC
|
out.HostIPC = in.HostIPC
|
||||||
if err := Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
|
if err := Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
|
if err := Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
|
if err := Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
|
if err := Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
|
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
|
||||||
@ -384,17 +383,17 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
|
|||||||
if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
|
if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
|
out.AllowedHostPaths = *(*[]policy.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
|
||||||
out.AllowedFlexVolumes = *(*[]extensions.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
|
out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec is an autogenerated conversion function.
|
// Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *extensions.PodSecurityPolicySpec, s conversion.Scope) error {
|
func Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *policy.PodSecurityPolicySpec, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in, out, s)
|
return autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
|
func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *policy.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
|
||||||
out.Privileged = in.Privileged
|
out.Privileged = in.Privileged
|
||||||
out.DefaultAddCapabilities = *(*[]core_v1.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
|
out.DefaultAddCapabilities = *(*[]core_v1.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
|
||||||
out.RequiredDropCapabilities = *(*[]core_v1.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
|
out.RequiredDropCapabilities = *(*[]core_v1.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
|
||||||
@ -404,16 +403,16 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
|
|||||||
out.HostPorts = *(*[]v1beta1.HostPortRange)(unsafe.Pointer(&in.HostPorts))
|
out.HostPorts = *(*[]v1beta1.HostPortRange)(unsafe.Pointer(&in.HostPorts))
|
||||||
out.HostPID = in.HostPID
|
out.HostPID = in.HostPID
|
||||||
out.HostIPC = in.HostIPC
|
out.HostIPC = in.HostIPC
|
||||||
if err := Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
|
if err := Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
|
if err := Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
|
if err := Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
|
if err := Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
|
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
|
||||||
@ -426,73 +425,73 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function.
|
// Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function.
|
||||||
func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
|
func Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *policy.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
|
return autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error {
|
func autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = extensions.RunAsUserStrategy(in.Rule)
|
out.Rule = policy.RunAsUserStrategy(in.Rule)
|
||||||
out.Ranges = *(*[]extensions.UserIDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]policy.UserIDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions is an autogenerated conversion function.
|
// Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error {
|
func Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in, out, s)
|
return autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *extensions.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
|
func autoConvert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *policy.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = v1beta1.RunAsUserStrategy(in.Rule)
|
out.Rule = v1beta1.RunAsUserStrategy(in.Rule)
|
||||||
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions is an autogenerated conversion function.
|
// Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *extensions.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
|
func Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *policy.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in, out, s)
|
return autoConvert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *extensions.SELinuxStrategyOptions, s conversion.Scope) error {
|
func autoConvert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *policy.SELinuxStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = extensions.SELinuxStrategy(in.Rule)
|
out.Rule = policy.SELinuxStrategy(in.Rule)
|
||||||
out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
|
out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions is an autogenerated conversion function.
|
// Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *extensions.SELinuxStrategyOptions, s conversion.Scope) error {
|
func Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *policy.SELinuxStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in, out, s)
|
return autoConvert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *extensions.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
|
func autoConvert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *policy.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = v1beta1.SELinuxStrategy(in.Rule)
|
out.Rule = v1beta1.SELinuxStrategy(in.Rule)
|
||||||
out.SELinuxOptions = (*core_v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
|
out.SELinuxOptions = (*core_v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions is an autogenerated conversion function.
|
// Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *extensions.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
|
func Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *policy.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in, out, s)
|
return autoConvert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = extensions.SupplementalGroupsStrategyType(in.Rule)
|
out.Rule = policy.SupplementalGroupsStrategyType(in.Rule)
|
||||||
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
|
// Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
func Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in, out, s)
|
return autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *extensions.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
func autoConvert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *policy.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
||||||
out.Rule = v1beta1.SupplementalGroupsStrategyType(in.Rule)
|
out.Rule = v1beta1.SupplementalGroupsStrategyType(in.Rule)
|
||||||
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
|
// Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
|
||||||
func Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *extensions.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
func Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *policy.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
|
||||||
return autoConvert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in, out, s)
|
return autoConvert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in, out, s)
|
||||||
}
|
}
|
||||||
|
@ -11,10 +11,15 @@ go_library(
|
|||||||
srcs = ["validation.go"],
|
srcs = ["validation.go"],
|
||||||
importpath = "k8s.io/kubernetes/pkg/apis/policy/validation",
|
importpath = "k8s.io/kubernetes/pkg/apis/policy/validation",
|
||||||
deps = [
|
deps = [
|
||||||
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/core/validation:go_default_library",
|
"//pkg/apis/core/validation:go_default_library",
|
||||||
"//pkg/apis/extensions/validation:go_default_library",
|
"//pkg/apis/extensions/validation:go_default_library",
|
||||||
"//pkg/apis/policy:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
|
"//pkg/security/apparmor:go_default_library",
|
||||||
|
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
|
||||||
|
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
|
||||||
|
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
@ -24,7 +29,12 @@ go_test(
|
|||||||
srcs = ["validation_test.go"],
|
srcs = ["validation_test.go"],
|
||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = [
|
deps = [
|
||||||
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/policy:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
|
"//pkg/security/apparmor:go_default_library",
|
||||||
|
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
|
||||||
|
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
||||||
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||||
],
|
],
|
||||||
|
@ -17,13 +17,22 @@ limitations under the License.
|
|||||||
package validation
|
package validation
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
|
"path/filepath"
|
||||||
"reflect"
|
"reflect"
|
||||||
|
"regexp"
|
||||||
|
"strings"
|
||||||
|
|
||||||
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
|
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
|
||||||
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
|
core "k8s.io/kubernetes/pkg/apis/core"
|
||||||
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
|
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
|
||||||
extensionsvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation"
|
extensionsvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation"
|
||||||
"k8s.io/kubernetes/pkg/apis/policy"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
|
"k8s.io/kubernetes/pkg/security/apparmor"
|
||||||
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
||||||
|
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
func ValidatePodDisruptionBudget(pdb *policy.PodDisruptionBudget) field.ErrorList {
|
func ValidatePodDisruptionBudget(pdb *policy.PodDisruptionBudget) field.ErrorList {
|
||||||
@ -77,3 +86,302 @@ func ValidatePodDisruptionBudgetStatus(status policy.PodDisruptionBudgetStatus,
|
|||||||
allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.ExpectedPods), fldPath.Child("expectedPods"))...)
|
allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.ExpectedPods), fldPath.Child("expectedPods"))...)
|
||||||
return allErrs
|
return allErrs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ValidatePodSecurityPolicyName can be used to check whether the given
|
||||||
|
// pod security policy name is valid.
|
||||||
|
// Prefix indicates this name will be used as part of generation, in which case
|
||||||
|
// trailing dashes are allowed.
|
||||||
|
var ValidatePodSecurityPolicyName = apivalidation.NameIsDNSSubdomain
|
||||||
|
|
||||||
|
func ValidatePodSecurityPolicy(psp *policy.PodSecurityPolicy) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&psp.ObjectMeta, false, ValidatePodSecurityPolicyName, field.NewPath("metadata"))...)
|
||||||
|
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(psp.Annotations, field.NewPath("metadata").Child("annotations"))...)
|
||||||
|
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&psp.Spec, field.NewPath("spec"))...)
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, fldPath *field.Path) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
|
||||||
|
allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...)
|
||||||
|
allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...)
|
||||||
|
allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...)
|
||||||
|
allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...)
|
||||||
|
allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
|
||||||
|
if len(spec.RequiredDropCapabilities) > 0 && hasCap(policy.AllowAllCapabilities, spec.AllowedCapabilities) {
|
||||||
|
allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities,
|
||||||
|
"must be empty when all capabilities are allowed by a wildcard"))
|
||||||
|
}
|
||||||
|
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
|
||||||
|
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
|
||||||
|
allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
|
||||||
|
allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
|
||||||
|
allErrs = append(allErrs, validatePSPAllowedFlexVolumes(fldPath.Child("allowedFlexVolumes"), spec.AllowedFlexVolumes)...)
|
||||||
|
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
|
||||||
|
if p := annotations[apparmor.DefaultProfileAnnotationKey]; p != "" {
|
||||||
|
if err := apparmor.ValidateProfileFormat(p); err != nil {
|
||||||
|
allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.DefaultProfileAnnotationKey), p, err.Error()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if allowed := annotations[apparmor.AllowedProfilesAnnotationKey]; allowed != "" {
|
||||||
|
for _, p := range strings.Split(allowed, ",") {
|
||||||
|
if err := apparmor.ValidateProfileFormat(p); err != nil {
|
||||||
|
allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.AllowedProfilesAnnotationKey), allowed, err.Error()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
sysctlAnnotation := annotations[policy.SysctlsPodSecurityPolicyAnnotationKey]
|
||||||
|
sysctlFldPath := fldPath.Key(policy.SysctlsPodSecurityPolicyAnnotationKey)
|
||||||
|
sysctls, err := policy.SysctlsFromPodSecurityPolicyAnnotation(sysctlAnnotation)
|
||||||
|
if err != nil {
|
||||||
|
allErrs = append(allErrs, field.Invalid(sysctlFldPath, sysctlAnnotation, err.Error()))
|
||||||
|
} else {
|
||||||
|
allErrs = append(allErrs, validatePodSecurityPolicySysctls(sysctlFldPath, sysctls)...)
|
||||||
|
}
|
||||||
|
|
||||||
|
if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" {
|
||||||
|
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...)
|
||||||
|
}
|
||||||
|
if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
|
||||||
|
for _, p := range strings.Split(allowed, ",") {
|
||||||
|
if p == seccomp.AllowAny {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePSPAllowedHostPaths makes sure all allowed host paths follow:
|
||||||
|
// 1. path prefix is required
|
||||||
|
// 2. path prefix does not have any element which is ".."
|
||||||
|
func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []policy.AllowedHostPath) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
|
||||||
|
for i, target := range allowedHostPaths {
|
||||||
|
if target.PathPrefix == "" {
|
||||||
|
allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
|
||||||
|
break
|
||||||
|
}
|
||||||
|
parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
|
||||||
|
for _, item := range parts {
|
||||||
|
if item == ".." {
|
||||||
|
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
|
||||||
|
break // even for `../../..`, one error is sufficient to make the point
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
func validatePSPAllowedFlexVolumes(fldPath *field.Path, flexVolumes []policy.AllowedFlexVolume) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
if len(flexVolumes) > 0 {
|
||||||
|
for idx, fv := range flexVolumes {
|
||||||
|
if len(fv.Driver) == 0 {
|
||||||
|
allErrs = append(allErrs, field.Required(fldPath.Child("allowedFlexVolumes").Index(idx).Child("driver"),
|
||||||
|
"must specify a driver"))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
|
||||||
|
func validatePSPSELinux(fldPath *field.Path, seLinux *policy.SELinuxStrategyOptions) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
|
||||||
|
// ensure the selinux strategy has a valid rule
|
||||||
|
supportedSELinuxRules := sets.NewString(
|
||||||
|
string(policy.SELinuxStrategyMustRunAs),
|
||||||
|
string(policy.SELinuxStrategyRunAsAny),
|
||||||
|
)
|
||||||
|
if !supportedSELinuxRules.Has(string(seLinux.Rule)) {
|
||||||
|
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), seLinux.Rule, supportedSELinuxRules.List()))
|
||||||
|
}
|
||||||
|
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePSPRunAsUser validates the RunAsUser fields of PodSecurityPolicy.
|
||||||
|
func validatePSPRunAsUser(fldPath *field.Path, runAsUser *policy.RunAsUserStrategyOptions) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
|
||||||
|
// ensure the user strategy has a valid rule
|
||||||
|
supportedRunAsUserRules := sets.NewString(
|
||||||
|
string(policy.RunAsUserStrategyMustRunAs),
|
||||||
|
string(policy.RunAsUserStrategyMustRunAsNonRoot),
|
||||||
|
string(policy.RunAsUserStrategyRunAsAny),
|
||||||
|
)
|
||||||
|
if !supportedRunAsUserRules.Has(string(runAsUser.Rule)) {
|
||||||
|
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsUser.Rule, supportedRunAsUserRules.List()))
|
||||||
|
}
|
||||||
|
|
||||||
|
// validate range settings
|
||||||
|
for idx, rng := range runAsUser.Ranges {
|
||||||
|
allErrs = append(allErrs, validateUserIDRange(fldPath.Child("ranges").Index(idx), rng)...)
|
||||||
|
}
|
||||||
|
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePSPFSGroup validates the FSGroupStrategyOptions fields of the PodSecurityPolicy.
|
||||||
|
func validatePSPFSGroup(fldPath *field.Path, groupOptions *policy.FSGroupStrategyOptions) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
|
||||||
|
supportedRules := sets.NewString(
|
||||||
|
string(policy.FSGroupStrategyMustRunAs),
|
||||||
|
string(policy.FSGroupStrategyRunAsAny),
|
||||||
|
)
|
||||||
|
if !supportedRules.Has(string(groupOptions.Rule)) {
|
||||||
|
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
|
||||||
|
}
|
||||||
|
|
||||||
|
for idx, rng := range groupOptions.Ranges {
|
||||||
|
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
|
||||||
|
}
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePSPSupplementalGroup validates the SupplementalGroupsStrategyOptions fields of the PodSecurityPolicy.
|
||||||
|
func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *policy.SupplementalGroupsStrategyOptions) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
|
||||||
|
supportedRules := sets.NewString(
|
||||||
|
string(policy.SupplementalGroupsStrategyRunAsAny),
|
||||||
|
string(policy.SupplementalGroupsStrategyMustRunAs),
|
||||||
|
)
|
||||||
|
if !supportedRules.Has(string(groupOptions.Rule)) {
|
||||||
|
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
|
||||||
|
}
|
||||||
|
|
||||||
|
for idx, rng := range groupOptions.Ranges {
|
||||||
|
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
|
||||||
|
}
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy.
|
||||||
|
func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []policy.FSType) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
allowed := psputil.GetAllFSTypesAsSet()
|
||||||
|
// add in the * value since that is a pseudo type that is not included by default
|
||||||
|
allowed.Insert(string(policy.All))
|
||||||
|
for _, v := range volumes {
|
||||||
|
if !allowed.Has(string(v)) {
|
||||||
|
allErrs = append(allErrs, field.NotSupported(fldPath.Child("volumes"), v, allowed.List()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
|
||||||
|
func validatePSPDefaultAllowPrivilegeEscalation(fldPath *field.Path, defaultAllowPrivilegeEscalation *bool, allowPrivilegeEscalation bool) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
if defaultAllowPrivilegeEscalation != nil && *defaultAllowPrivilegeEscalation && !allowPrivilegeEscalation {
|
||||||
|
allErrs = append(allErrs, field.Invalid(fldPath, defaultAllowPrivilegeEscalation, "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true"))
|
||||||
|
}
|
||||||
|
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
|
||||||
|
const SysctlPatternFmt string = "(" + apivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt
|
||||||
|
|
||||||
|
var sysctlPatternRegexp = regexp.MustCompile("^" + SysctlPatternFmt + "$")
|
||||||
|
|
||||||
|
func IsValidSysctlPattern(name string) bool {
|
||||||
|
if len(name) > apivalidation.SysctlMaxLength {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return sysctlPatternRegexp.MatchString(name)
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
|
||||||
|
func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
for i, s := range sysctls {
|
||||||
|
if !IsValidSysctlPattern(string(s)) {
|
||||||
|
allErrs = append(
|
||||||
|
allErrs,
|
||||||
|
field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
|
||||||
|
apivalidation.SysctlMaxLength,
|
||||||
|
SysctlPatternFmt,
|
||||||
|
)),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
func validateUserIDRange(fldPath *field.Path, rng policy.UserIDRange) field.ErrorList {
|
||||||
|
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
|
||||||
|
}
|
||||||
|
|
||||||
|
func validateGroupIDRange(fldPath *field.Path, rng policy.GroupIDRange) field.ErrorList {
|
||||||
|
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
|
||||||
|
}
|
||||||
|
|
||||||
|
// validateIDRanges ensures the range is valid.
|
||||||
|
func validateIDRanges(fldPath *field.Path, min, max int64) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
|
||||||
|
// if 0 <= Min <= Max then we do not need to validate max. It is always greater than or
|
||||||
|
// equal to 0 and Min.
|
||||||
|
if min < 0 {
|
||||||
|
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be negative"))
|
||||||
|
}
|
||||||
|
if max < 0 {
|
||||||
|
allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), max, "max cannot be negative"))
|
||||||
|
}
|
||||||
|
if min > max {
|
||||||
|
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be greater than max"))
|
||||||
|
}
|
||||||
|
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// validatePSPCapsAgainstDrops ensures an allowed cap is not listed in the required drops.
|
||||||
|
func validatePSPCapsAgainstDrops(requiredDrops []core.Capability, capsToCheck []core.Capability, fldPath *field.Path) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
if requiredDrops == nil {
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
for _, cap := range capsToCheck {
|
||||||
|
if hasCap(cap, requiredDrops) {
|
||||||
|
allErrs = append(allErrs, field.Invalid(fldPath, cap,
|
||||||
|
fmt.Sprintf("capability is listed in %s and requiredDropCapabilities", fldPath.String())))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// ValidatePodSecurityPolicyUpdate validates a PSP for updates.
|
||||||
|
func ValidatePodSecurityPolicyUpdate(old *policy.PodSecurityPolicy, new *policy.PodSecurityPolicy) field.ErrorList {
|
||||||
|
allErrs := field.ErrorList{}
|
||||||
|
allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
|
||||||
|
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(new.Annotations, field.NewPath("metadata").Child("annotations"))...)
|
||||||
|
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&new.Spec, field.NewPath("spec"))...)
|
||||||
|
return allErrs
|
||||||
|
}
|
||||||
|
|
||||||
|
// hasCap checks for needle in haystack.
|
||||||
|
func hasCap(needle core.Capability, haystack []core.Capability) bool {
|
||||||
|
for _, c := range haystack {
|
||||||
|
if needle == c {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
@ -17,11 +17,17 @@ limitations under the License.
|
|||||||
package validation
|
package validation
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/util/intstr"
|
"k8s.io/apimachinery/pkg/util/intstr"
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/policy"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
|
"k8s.io/kubernetes/pkg/security/apparmor"
|
||||||
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
||||||
|
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestValidatePodDisruptionBudgetSpec(t *testing.T) {
|
func TestValidatePodDisruptionBudgetSpec(t *testing.T) {
|
||||||
@ -221,3 +227,527 @@ func TestValidatePodDisruptionBudgetUpdate(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestValidatePodSecurityPolicy(t *testing.T) {
|
||||||
|
validPSP := func() *policy.PodSecurityPolicy {
|
||||||
|
return &policy.PodSecurityPolicy{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "foo",
|
||||||
|
Annotations: map[string]string{},
|
||||||
|
},
|
||||||
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
|
SELinux: policy.SELinuxStrategyOptions{
|
||||||
|
Rule: policy.SELinuxStrategyRunAsAny,
|
||||||
|
},
|
||||||
|
RunAsUser: policy.RunAsUserStrategyOptions{
|
||||||
|
Rule: policy.RunAsUserStrategyRunAsAny,
|
||||||
|
},
|
||||||
|
FSGroup: policy.FSGroupStrategyOptions{
|
||||||
|
Rule: policy.FSGroupStrategyRunAsAny,
|
||||||
|
},
|
||||||
|
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
|
||||||
|
Rule: policy.SupplementalGroupsStrategyRunAsAny,
|
||||||
|
},
|
||||||
|
AllowedHostPaths: []policy.AllowedHostPath{
|
||||||
|
{PathPrefix: "/foo/bar"},
|
||||||
|
{PathPrefix: "/baz/"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
noUserOptions := validPSP()
|
||||||
|
noUserOptions.Spec.RunAsUser.Rule = ""
|
||||||
|
|
||||||
|
noSELinuxOptions := validPSP()
|
||||||
|
noSELinuxOptions.Spec.SELinux.Rule = ""
|
||||||
|
|
||||||
|
invalidUserStratType := validPSP()
|
||||||
|
invalidUserStratType.Spec.RunAsUser.Rule = "invalid"
|
||||||
|
|
||||||
|
invalidSELinuxStratType := validPSP()
|
||||||
|
invalidSELinuxStratType.Spec.SELinux.Rule = "invalid"
|
||||||
|
|
||||||
|
invalidUIDPSP := validPSP()
|
||||||
|
invalidUIDPSP.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
|
||||||
|
invalidUIDPSP.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: -1, Max: 1}}
|
||||||
|
|
||||||
|
missingObjectMetaName := validPSP()
|
||||||
|
missingObjectMetaName.ObjectMeta.Name = ""
|
||||||
|
|
||||||
|
noFSGroupOptions := validPSP()
|
||||||
|
noFSGroupOptions.Spec.FSGroup.Rule = ""
|
||||||
|
|
||||||
|
invalidFSGroupStratType := validPSP()
|
||||||
|
invalidFSGroupStratType.Spec.FSGroup.Rule = "invalid"
|
||||||
|
|
||||||
|
noSupplementalGroupsOptions := validPSP()
|
||||||
|
noSupplementalGroupsOptions.Spec.SupplementalGroups.Rule = ""
|
||||||
|
|
||||||
|
invalidSupGroupStratType := validPSP()
|
||||||
|
invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
|
||||||
|
|
||||||
|
invalidRangeMinGreaterThanMax := validPSP()
|
||||||
|
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{
|
||||||
|
{Min: 2, Max: 1},
|
||||||
|
}
|
||||||
|
|
||||||
|
invalidRangeNegativeMin := validPSP()
|
||||||
|
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []policy.GroupIDRange{
|
||||||
|
{Min: -1, Max: 10},
|
||||||
|
}
|
||||||
|
|
||||||
|
invalidRangeNegativeMax := validPSP()
|
||||||
|
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{
|
||||||
|
{Min: 1, Max: -10},
|
||||||
|
}
|
||||||
|
|
||||||
|
wildcardAllowedCapAndRequiredDrop := validPSP()
|
||||||
|
wildcardAllowedCapAndRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
||||||
|
wildcardAllowedCapAndRequiredDrop.Spec.AllowedCapabilities = []api.Capability{policy.AllowAllCapabilities}
|
||||||
|
|
||||||
|
requiredCapAddAndDrop := validPSP()
|
||||||
|
requiredCapAddAndDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
|
||||||
|
requiredCapAddAndDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
||||||
|
|
||||||
|
allowedCapListedInRequiredDrop := validPSP()
|
||||||
|
allowedCapListedInRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
||||||
|
allowedCapListedInRequiredDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
|
||||||
|
|
||||||
|
invalidAppArmorDefault := validPSP()
|
||||||
|
invalidAppArmorDefault.Annotations = map[string]string{
|
||||||
|
apparmor.DefaultProfileAnnotationKey: "not-good",
|
||||||
|
}
|
||||||
|
invalidAppArmorAllowed := validPSP()
|
||||||
|
invalidAppArmorAllowed.Annotations = map[string]string{
|
||||||
|
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + ",not-good",
|
||||||
|
}
|
||||||
|
|
||||||
|
invalidSysctlPattern := validPSP()
|
||||||
|
invalidSysctlPattern.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "a.*.b"
|
||||||
|
|
||||||
|
invalidSeccompDefault := validPSP()
|
||||||
|
invalidSeccompDefault.Annotations = map[string]string{
|
||||||
|
seccomp.DefaultProfileAnnotationKey: "not-good",
|
||||||
|
}
|
||||||
|
invalidSeccompAllowAnyDefault := validPSP()
|
||||||
|
invalidSeccompAllowAnyDefault.Annotations = map[string]string{
|
||||||
|
seccomp.DefaultProfileAnnotationKey: "*",
|
||||||
|
}
|
||||||
|
invalidSeccompAllowed := validPSP()
|
||||||
|
invalidSeccompAllowed.Annotations = map[string]string{
|
||||||
|
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
|
||||||
|
}
|
||||||
|
|
||||||
|
invalidAllowedHostPathMissingPath := validPSP()
|
||||||
|
invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []policy.AllowedHostPath{
|
||||||
|
{PathPrefix: ""},
|
||||||
|
}
|
||||||
|
|
||||||
|
invalidAllowedHostPathBacksteps := validPSP()
|
||||||
|
invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []policy.AllowedHostPath{
|
||||||
|
{PathPrefix: "/dont/allow/backsteps/.."},
|
||||||
|
}
|
||||||
|
|
||||||
|
invalidDefaultAllowPrivilegeEscalation := validPSP()
|
||||||
|
pe := true
|
||||||
|
invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
|
||||||
|
|
||||||
|
emptyFlexDriver := validPSP()
|
||||||
|
emptyFlexDriver.Spec.Volumes = []policy.FSType{policy.FlexVolume}
|
||||||
|
emptyFlexDriver.Spec.AllowedFlexVolumes = []policy.AllowedFlexVolume{{}}
|
||||||
|
|
||||||
|
nonEmptyFlexVolumes := validPSP()
|
||||||
|
nonEmptyFlexVolumes.Spec.AllowedFlexVolumes = []policy.AllowedFlexVolume{{Driver: "example/driver"}}
|
||||||
|
|
||||||
|
type testCase struct {
|
||||||
|
psp *policy.PodSecurityPolicy
|
||||||
|
errorType field.ErrorType
|
||||||
|
errorDetail string
|
||||||
|
}
|
||||||
|
errorCases := map[string]testCase{
|
||||||
|
"no user options": {
|
||||||
|
psp: noUserOptions,
|
||||||
|
errorType: field.ErrorTypeNotSupported,
|
||||||
|
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
|
||||||
|
},
|
||||||
|
"no selinux options": {
|
||||||
|
psp: noSELinuxOptions,
|
||||||
|
errorType: field.ErrorTypeNotSupported,
|
||||||
|
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||||
|
},
|
||||||
|
"no fsgroup options": {
|
||||||
|
psp: noFSGroupOptions,
|
||||||
|
errorType: field.ErrorTypeNotSupported,
|
||||||
|
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||||
|
},
|
||||||
|
"no sup group options": {
|
||||||
|
psp: noSupplementalGroupsOptions,
|
||||||
|
errorType: field.ErrorTypeNotSupported,
|
||||||
|
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||||
|
},
|
||||||
|
"invalid user strategy type": {
|
||||||
|
psp: invalidUserStratType,
|
||||||
|
errorType: field.ErrorTypeNotSupported,
|
||||||
|
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
|
||||||
|
},
|
||||||
|
"invalid selinux strategy type": {
|
||||||
|
psp: invalidSELinuxStratType,
|
||||||
|
errorType: field.ErrorTypeNotSupported,
|
||||||
|
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||||
|
},
|
||||||
|
"invalid sup group strategy type": {
|
||||||
|
psp: invalidSupGroupStratType,
|
||||||
|
errorType: field.ErrorTypeNotSupported,
|
||||||
|
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||||
|
},
|
||||||
|
"invalid fs group strategy type": {
|
||||||
|
psp: invalidFSGroupStratType,
|
||||||
|
errorType: field.ErrorTypeNotSupported,
|
||||||
|
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||||
|
},
|
||||||
|
"invalid uid": {
|
||||||
|
psp: invalidUIDPSP,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "min cannot be negative",
|
||||||
|
},
|
||||||
|
"missing object meta name": {
|
||||||
|
psp: missingObjectMetaName,
|
||||||
|
errorType: field.ErrorTypeRequired,
|
||||||
|
errorDetail: "name or generateName is required",
|
||||||
|
},
|
||||||
|
"invalid range min greater than max": {
|
||||||
|
psp: invalidRangeMinGreaterThanMax,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "min cannot be greater than max",
|
||||||
|
},
|
||||||
|
"invalid range negative min": {
|
||||||
|
psp: invalidRangeNegativeMin,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "min cannot be negative",
|
||||||
|
},
|
||||||
|
"invalid range negative max": {
|
||||||
|
psp: invalidRangeNegativeMax,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "max cannot be negative",
|
||||||
|
},
|
||||||
|
"non-empty required drops and all caps are allowed by a wildcard": {
|
||||||
|
psp: wildcardAllowedCapAndRequiredDrop,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "must be empty when all capabilities are allowed by a wildcard",
|
||||||
|
},
|
||||||
|
"invalid required caps": {
|
||||||
|
psp: requiredCapAddAndDrop,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "capability is listed in defaultAddCapabilities and requiredDropCapabilities",
|
||||||
|
},
|
||||||
|
"allowed cap listed in required drops": {
|
||||||
|
psp: allowedCapListedInRequiredDrop,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "capability is listed in allowedCapabilities and requiredDropCapabilities",
|
||||||
|
},
|
||||||
|
"invalid AppArmor default profile": {
|
||||||
|
psp: invalidAppArmorDefault,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "invalid AppArmor profile name: \"not-good\"",
|
||||||
|
},
|
||||||
|
"invalid AppArmor allowed profile": {
|
||||||
|
psp: invalidAppArmorAllowed,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "invalid AppArmor profile name: \"not-good\"",
|
||||||
|
},
|
||||||
|
"invalid sysctl pattern": {
|
||||||
|
psp: invalidSysctlPattern,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
|
||||||
|
},
|
||||||
|
"invalid seccomp default profile": {
|
||||||
|
psp: invalidSeccompDefault,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "must be a valid seccomp profile",
|
||||||
|
},
|
||||||
|
"invalid seccomp allow any default profile": {
|
||||||
|
psp: invalidSeccompAllowAnyDefault,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "must be a valid seccomp profile",
|
||||||
|
},
|
||||||
|
"invalid seccomp allowed profile": {
|
||||||
|
psp: invalidSeccompAllowed,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "must be a valid seccomp profile",
|
||||||
|
},
|
||||||
|
"invalid defaultAllowPrivilegeEscalation": {
|
||||||
|
psp: invalidDefaultAllowPrivilegeEscalation,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
|
||||||
|
},
|
||||||
|
"invalid allowed host path empty path": {
|
||||||
|
psp: invalidAllowedHostPathMissingPath,
|
||||||
|
errorType: field.ErrorTypeRequired,
|
||||||
|
errorDetail: "is required",
|
||||||
|
},
|
||||||
|
"invalid allowed host path with backsteps": {
|
||||||
|
psp: invalidAllowedHostPathBacksteps,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "must not contain '..'",
|
||||||
|
},
|
||||||
|
"empty flex volume driver": {
|
||||||
|
psp: emptyFlexDriver,
|
||||||
|
errorType: field.ErrorTypeRequired,
|
||||||
|
errorDetail: "must specify a driver",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for k, v := range errorCases {
|
||||||
|
errs := ValidatePodSecurityPolicy(v.psp)
|
||||||
|
if len(errs) == 0 {
|
||||||
|
t.Errorf("%s expected errors but got none", k)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if errs[0].Type != v.errorType {
|
||||||
|
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
|
||||||
|
}
|
||||||
|
if errs[0].Detail != v.errorDetail {
|
||||||
|
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update error is different for 'missing object meta name'.
|
||||||
|
errorCases["missing object meta name"] = testCase{
|
||||||
|
psp: errorCases["missing object meta name"].psp,
|
||||||
|
errorType: field.ErrorTypeInvalid,
|
||||||
|
errorDetail: "field is immutable",
|
||||||
|
}
|
||||||
|
|
||||||
|
// Should not be able to update to an invalid policy.
|
||||||
|
for k, v := range errorCases {
|
||||||
|
v.psp.ResourceVersion = "444" // Required for updates.
|
||||||
|
errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp)
|
||||||
|
if len(errs) == 0 {
|
||||||
|
t.Errorf("[%s] expected update errors but got none", k)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if errs[0].Type != v.errorType {
|
||||||
|
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
|
||||||
|
}
|
||||||
|
if errs[0].Detail != v.errorDetail {
|
||||||
|
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
mustRunAs := validPSP()
|
||||||
|
mustRunAs.Spec.FSGroup.Rule = policy.FSGroupStrategyMustRunAs
|
||||||
|
mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs
|
||||||
|
mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
|
||||||
|
mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{
|
||||||
|
{Min: 1, Max: 1},
|
||||||
|
}
|
||||||
|
mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
|
||||||
|
|
||||||
|
runAsNonRoot := validPSP()
|
||||||
|
runAsNonRoot.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAsNonRoot
|
||||||
|
|
||||||
|
caseInsensitiveAddDrop := validPSP()
|
||||||
|
caseInsensitiveAddDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
|
||||||
|
caseInsensitiveAddDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
|
||||||
|
|
||||||
|
caseInsensitiveAllowedDrop := validPSP()
|
||||||
|
caseInsensitiveAllowedDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
|
||||||
|
caseInsensitiveAllowedDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
|
||||||
|
|
||||||
|
validAppArmor := validPSP()
|
||||||
|
validAppArmor.Annotations = map[string]string{
|
||||||
|
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
|
||||||
|
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo",
|
||||||
|
}
|
||||||
|
|
||||||
|
withSysctl := validPSP()
|
||||||
|
withSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "net.*"
|
||||||
|
|
||||||
|
validSeccomp := validPSP()
|
||||||
|
validSeccomp.Annotations = map[string]string{
|
||||||
|
seccomp.DefaultProfileAnnotationKey: "docker/default",
|
||||||
|
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*",
|
||||||
|
}
|
||||||
|
|
||||||
|
validDefaultAllowPrivilegeEscalation := validPSP()
|
||||||
|
pe = true
|
||||||
|
validDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
|
||||||
|
validDefaultAllowPrivilegeEscalation.Spec.AllowPrivilegeEscalation = true
|
||||||
|
|
||||||
|
flexvolumeWhenFlexVolumesAllowed := validPSP()
|
||||||
|
flexvolumeWhenFlexVolumesAllowed.Spec.Volumes = []policy.FSType{policy.FlexVolume}
|
||||||
|
flexvolumeWhenFlexVolumesAllowed.Spec.AllowedFlexVolumes = []policy.AllowedFlexVolume{
|
||||||
|
{Driver: "example/driver1"},
|
||||||
|
}
|
||||||
|
|
||||||
|
flexvolumeWhenAllVolumesAllowed := validPSP()
|
||||||
|
flexvolumeWhenAllVolumesAllowed.Spec.Volumes = []policy.FSType{policy.All}
|
||||||
|
flexvolumeWhenAllVolumesAllowed.Spec.AllowedFlexVolumes = []policy.AllowedFlexVolume{
|
||||||
|
{Driver: "example/driver2"},
|
||||||
|
}
|
||||||
|
successCases := map[string]struct {
|
||||||
|
psp *policy.PodSecurityPolicy
|
||||||
|
}{
|
||||||
|
"must run as": {
|
||||||
|
psp: mustRunAs,
|
||||||
|
},
|
||||||
|
"run as any": {
|
||||||
|
psp: validPSP(),
|
||||||
|
},
|
||||||
|
"run as non-root (user only)": {
|
||||||
|
psp: runAsNonRoot,
|
||||||
|
},
|
||||||
|
"comparison for add -> drop is case sensitive": {
|
||||||
|
psp: caseInsensitiveAddDrop,
|
||||||
|
},
|
||||||
|
"comparison for allowed -> drop is case sensitive": {
|
||||||
|
psp: caseInsensitiveAllowedDrop,
|
||||||
|
},
|
||||||
|
"valid AppArmor annotations": {
|
||||||
|
psp: validAppArmor,
|
||||||
|
},
|
||||||
|
"with network sysctls": {
|
||||||
|
psp: withSysctl,
|
||||||
|
},
|
||||||
|
"valid seccomp annotations": {
|
||||||
|
psp: validSeccomp,
|
||||||
|
},
|
||||||
|
"valid defaultAllowPrivilegeEscalation as true": {
|
||||||
|
psp: validDefaultAllowPrivilegeEscalation,
|
||||||
|
},
|
||||||
|
"allow white-listed flexVolume when flex volumes are allowed": {
|
||||||
|
psp: flexvolumeWhenFlexVolumesAllowed,
|
||||||
|
},
|
||||||
|
"allow white-listed flexVolume when all volumes are allowed": {
|
||||||
|
psp: flexvolumeWhenAllVolumesAllowed,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for k, v := range successCases {
|
||||||
|
if errs := ValidatePodSecurityPolicy(v.psp); len(errs) != 0 {
|
||||||
|
t.Errorf("Expected success for %s, got %v", k, errs)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Should be able to update to a valid PSP.
|
||||||
|
v.psp.ResourceVersion = "444" // Required for updates.
|
||||||
|
if errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp); len(errs) != 0 {
|
||||||
|
t.Errorf("Expected success for %s update, got %v", k, errs)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestValidatePSPVolumes(t *testing.T) {
|
||||||
|
validPSP := func() *policy.PodSecurityPolicy {
|
||||||
|
return &policy.PodSecurityPolicy{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{Name: "foo"},
|
||||||
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
|
SELinux: policy.SELinuxStrategyOptions{
|
||||||
|
Rule: policy.SELinuxStrategyRunAsAny,
|
||||||
|
},
|
||||||
|
RunAsUser: policy.RunAsUserStrategyOptions{
|
||||||
|
Rule: policy.RunAsUserStrategyRunAsAny,
|
||||||
|
},
|
||||||
|
FSGroup: policy.FSGroupStrategyOptions{
|
||||||
|
Rule: policy.FSGroupStrategyRunAsAny,
|
||||||
|
},
|
||||||
|
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
|
||||||
|
Rule: policy.SupplementalGroupsStrategyRunAsAny,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
volumes := psputil.GetAllFSTypesAsSet()
|
||||||
|
// add in the * value since that is a pseudo type that is not included by default
|
||||||
|
volumes.Insert(string(policy.All))
|
||||||
|
|
||||||
|
for _, strVolume := range volumes.List() {
|
||||||
|
psp := validPSP()
|
||||||
|
psp.Spec.Volumes = []policy.FSType{policy.FSType(strVolume)}
|
||||||
|
errs := ValidatePodSecurityPolicy(psp)
|
||||||
|
if len(errs) != 0 {
|
||||||
|
t.Errorf("%s validation expected no errors but received %v", strVolume, errs)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestIsValidSysctlPattern(t *testing.T) {
|
||||||
|
valid := []string{
|
||||||
|
"a.b.c.d",
|
||||||
|
"a",
|
||||||
|
"a_b",
|
||||||
|
"a-b",
|
||||||
|
"abc",
|
||||||
|
"abc.def",
|
||||||
|
"*",
|
||||||
|
"a.*",
|
||||||
|
"*",
|
||||||
|
"abc*",
|
||||||
|
"a.abc*",
|
||||||
|
"a.b.*",
|
||||||
|
}
|
||||||
|
invalid := []string{
|
||||||
|
"",
|
||||||
|
"ä",
|
||||||
|
"a_",
|
||||||
|
"_",
|
||||||
|
"_a",
|
||||||
|
"_a._b",
|
||||||
|
"__",
|
||||||
|
"-",
|
||||||
|
".",
|
||||||
|
"a.",
|
||||||
|
".a",
|
||||||
|
"a.b.",
|
||||||
|
"a*.b",
|
||||||
|
"a*b",
|
||||||
|
"*a",
|
||||||
|
"Abc",
|
||||||
|
func(n int) string {
|
||||||
|
x := make([]byte, n)
|
||||||
|
for i := range x {
|
||||||
|
x[i] = byte('a')
|
||||||
|
}
|
||||||
|
return string(x)
|
||||||
|
}(256),
|
||||||
|
}
|
||||||
|
for _, s := range valid {
|
||||||
|
if !IsValidSysctlPattern(s) {
|
||||||
|
t.Errorf("%q expected to be a valid sysctl pattern", s)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, s := range invalid {
|
||||||
|
if IsValidSysctlPattern(s) {
|
||||||
|
t.Errorf("%q expected to be an invalid sysctl pattern", s)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func Test_validatePSPRunAsUser(t *testing.T) {
|
||||||
|
var testCases = []struct {
|
||||||
|
name string
|
||||||
|
runAsUserStrategy policy.RunAsUserStrategyOptions
|
||||||
|
fail bool
|
||||||
|
}{
|
||||||
|
{"Invalid RunAsUserStrategy", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategy("someInvalidStrategy")}, true},
|
||||||
|
{"RunAsUserStrategyMustRunAs", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs}, false},
|
||||||
|
{"RunAsUserStrategyMustRunAsNonRoot", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAsNonRoot}, false},
|
||||||
|
{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
|
||||||
|
{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, testCase := range testCases {
|
||||||
|
t.Run(testCase.name, func(t *testing.T) {
|
||||||
|
errList := validatePSPRunAsUser(field.NewPath("status"), &testCase.runAsUserStrategy)
|
||||||
|
actualErrors := len(errList)
|
||||||
|
expectedErrors := 1
|
||||||
|
if !testCase.fail {
|
||||||
|
expectedErrors = 0
|
||||||
|
}
|
||||||
|
if actualErrors != expectedErrors {
|
||||||
|
t.Errorf("In testCase %v, expected %v errors, got %v errors", testCase.name, expectedErrors, actualErrors)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
293
pkg/apis/policy/zz_generated.deepcopy.go
generated
293
pkg/apis/policy/zz_generated.deepcopy.go
generated
@ -24,8 +24,41 @@ import (
|
|||||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||||
intstr "k8s.io/apimachinery/pkg/util/intstr"
|
intstr "k8s.io/apimachinery/pkg/util/intstr"
|
||||||
|
core "k8s.io/kubernetes/pkg/apis/core"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.
|
||||||
|
func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(AllowedFlexVolume)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
|
||||||
|
func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(AllowedHostPath)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *Eviction) DeepCopyInto(out *Eviction) {
|
func (in *Eviction) DeepCopyInto(out *Eviction) {
|
||||||
*out = *in
|
*out = *in
|
||||||
@ -61,6 +94,59 @@ func (in *Eviction) DeepCopyObject() runtime.Object {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions) {
|
||||||
|
*out = *in
|
||||||
|
if in.Ranges != nil {
|
||||||
|
in, out := &in.Ranges, &out.Ranges
|
||||||
|
*out = make([]GroupIDRange, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
|
||||||
|
func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(FSGroupStrategyOptions)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *GroupIDRange) DeepCopyInto(out *GroupIDRange) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupIDRange.
|
||||||
|
func (in *GroupIDRange) DeepCopy() *GroupIDRange {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(GroupIDRange)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *HostPortRange) DeepCopyInto(out *HostPortRange) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.
|
||||||
|
func (in *HostPortRange) DeepCopy() *HostPortRange {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(HostPortRange)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget) {
|
func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget) {
|
||||||
*out = *in
|
*out = *in
|
||||||
@ -187,3 +273,210 @@ func (in *PodDisruptionBudgetStatus) DeepCopy() *PodDisruptionBudgetStatus {
|
|||||||
in.DeepCopyInto(out)
|
in.DeepCopyInto(out)
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy) {
|
||||||
|
*out = *in
|
||||||
|
out.TypeMeta = in.TypeMeta
|
||||||
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.
|
||||||
|
func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(PodSecurityPolicy)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
||||||
|
func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object {
|
||||||
|
if c := in.DeepCopy(); c != nil {
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList) {
|
||||||
|
*out = *in
|
||||||
|
out.TypeMeta = in.TypeMeta
|
||||||
|
out.ListMeta = in.ListMeta
|
||||||
|
if in.Items != nil {
|
||||||
|
in, out := &in.Items, &out.Items
|
||||||
|
*out = make([]PodSecurityPolicy, len(*in))
|
||||||
|
for i := range *in {
|
||||||
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.
|
||||||
|
func (in *PodSecurityPolicyList) DeepCopy() *PodSecurityPolicyList {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(PodSecurityPolicyList)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
||||||
|
func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object {
|
||||||
|
if c := in.DeepCopy(); c != nil {
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
|
||||||
|
*out = *in
|
||||||
|
if in.DefaultAddCapabilities != nil {
|
||||||
|
in, out := &in.DefaultAddCapabilities, &out.DefaultAddCapabilities
|
||||||
|
*out = make([]core.Capability, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
if in.RequiredDropCapabilities != nil {
|
||||||
|
in, out := &in.RequiredDropCapabilities, &out.RequiredDropCapabilities
|
||||||
|
*out = make([]core.Capability, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
if in.AllowedCapabilities != nil {
|
||||||
|
in, out := &in.AllowedCapabilities, &out.AllowedCapabilities
|
||||||
|
*out = make([]core.Capability, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
if in.Volumes != nil {
|
||||||
|
in, out := &in.Volumes, &out.Volumes
|
||||||
|
*out = make([]FSType, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
if in.HostPorts != nil {
|
||||||
|
in, out := &in.HostPorts, &out.HostPorts
|
||||||
|
*out = make([]HostPortRange, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
in.SELinux.DeepCopyInto(&out.SELinux)
|
||||||
|
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
|
||||||
|
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
|
||||||
|
in.FSGroup.DeepCopyInto(&out.FSGroup)
|
||||||
|
if in.DefaultAllowPrivilegeEscalation != nil {
|
||||||
|
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
|
||||||
|
if *in == nil {
|
||||||
|
*out = nil
|
||||||
|
} else {
|
||||||
|
*out = new(bool)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if in.AllowedHostPaths != nil {
|
||||||
|
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
|
||||||
|
*out = make([]AllowedHostPath, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
if in.AllowedFlexVolumes != nil {
|
||||||
|
in, out := &in.AllowedFlexVolumes, &out.AllowedFlexVolumes
|
||||||
|
*out = make([]AllowedFlexVolume, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.
|
||||||
|
func (in *PodSecurityPolicySpec) DeepCopy() *PodSecurityPolicySpec {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(PodSecurityPolicySpec)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) {
|
||||||
|
*out = *in
|
||||||
|
if in.Ranges != nil {
|
||||||
|
in, out := &in.Ranges, &out.Ranges
|
||||||
|
*out = make([]UserIDRange, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
|
||||||
|
func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(RunAsUserStrategyOptions)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions) {
|
||||||
|
*out = *in
|
||||||
|
if in.SELinuxOptions != nil {
|
||||||
|
in, out := &in.SELinuxOptions, &out.SELinuxOptions
|
||||||
|
if *in == nil {
|
||||||
|
*out = nil
|
||||||
|
} else {
|
||||||
|
*out = new(core.SELinuxOptions)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.
|
||||||
|
func (in *SELinuxStrategyOptions) DeepCopy() *SELinuxStrategyOptions {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(SELinuxStrategyOptions)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions) {
|
||||||
|
*out = *in
|
||||||
|
if in.Ranges != nil {
|
||||||
|
in, out := &in.Ranges, &out.Ranges
|
||||||
|
*out = make([]GroupIDRange, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
|
||||||
|
func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(SupplementalGroupsStrategyOptions)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *UserIDRange) DeepCopyInto(out *UserIDRange) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserIDRange.
|
||||||
|
func (in *UserIDRange) DeepCopy() *UserIDRange {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(UserIDRange)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
@ -15,7 +15,6 @@ go_library(
|
|||||||
"extensions_client.go",
|
"extensions_client.go",
|
||||||
"generated_expansion.go",
|
"generated_expansion.go",
|
||||||
"ingress.go",
|
"ingress.go",
|
||||||
"podsecuritypolicy.go",
|
|
||||||
"replicaset.go",
|
"replicaset.go",
|
||||||
],
|
],
|
||||||
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion",
|
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion",
|
||||||
|
@ -28,7 +28,6 @@ type ExtensionsInterface interface {
|
|||||||
DaemonSetsGetter
|
DaemonSetsGetter
|
||||||
DeploymentsGetter
|
DeploymentsGetter
|
||||||
IngressesGetter
|
IngressesGetter
|
||||||
PodSecurityPoliciesGetter
|
|
||||||
ReplicaSetsGetter
|
ReplicaSetsGetter
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -49,10 +48,6 @@ func (c *ExtensionsClient) Ingresses(namespace string) IngressInterface {
|
|||||||
return newIngresses(c, namespace)
|
return newIngresses(c, namespace)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *ExtensionsClient) PodSecurityPolicies() PodSecurityPolicyInterface {
|
|
||||||
return newPodSecurityPolicies(c)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *ExtensionsClient) ReplicaSets(namespace string) ReplicaSetInterface {
|
func (c *ExtensionsClient) ReplicaSets(namespace string) ReplicaSetInterface {
|
||||||
return newReplicaSets(c, namespace)
|
return newReplicaSets(c, namespace)
|
||||||
}
|
}
|
||||||
|
@ -14,7 +14,6 @@ go_library(
|
|||||||
"fake_deployment_expansion.go",
|
"fake_deployment_expansion.go",
|
||||||
"fake_extensions_client.go",
|
"fake_extensions_client.go",
|
||||||
"fake_ingress.go",
|
"fake_ingress.go",
|
||||||
"fake_podsecuritypolicy.go",
|
|
||||||
"fake_replicaset.go",
|
"fake_replicaset.go",
|
||||||
],
|
],
|
||||||
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion/fake",
|
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion/fake",
|
||||||
|
@ -40,10 +40,6 @@ func (c *FakeExtensions) Ingresses(namespace string) internalversion.IngressInte
|
|||||||
return &FakeIngresses{c, namespace}
|
return &FakeIngresses{c, namespace}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *FakeExtensions) PodSecurityPolicies() internalversion.PodSecurityPolicyInterface {
|
|
||||||
return &FakePodSecurityPolicies{c}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *FakeExtensions) ReplicaSets(namespace string) internalversion.ReplicaSetInterface {
|
func (c *FakeExtensions) ReplicaSets(namespace string) internalversion.ReplicaSetInterface {
|
||||||
return &FakeReplicaSets{c, namespace}
|
return &FakeReplicaSets{c, namespace}
|
||||||
}
|
}
|
||||||
|
@ -22,6 +22,4 @@ type DaemonSetExpansion interface{}
|
|||||||
|
|
||||||
type IngressExpansion interface{}
|
type IngressExpansion interface{}
|
||||||
|
|
||||||
type PodSecurityPolicyExpansion interface{}
|
|
||||||
|
|
||||||
type ReplicaSetExpansion interface{}
|
type ReplicaSetExpansion interface{}
|
||||||
|
@ -13,6 +13,7 @@ go_library(
|
|||||||
"eviction_expansion.go",
|
"eviction_expansion.go",
|
||||||
"generated_expansion.go",
|
"generated_expansion.go",
|
||||||
"poddisruptionbudget.go",
|
"poddisruptionbudget.go",
|
||||||
|
"podsecuritypolicy.go",
|
||||||
"policy_client.go",
|
"policy_client.go",
|
||||||
],
|
],
|
||||||
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/policy/internalversion",
|
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/policy/internalversion",
|
||||||
|
@ -12,6 +12,7 @@ go_library(
|
|||||||
"fake_eviction.go",
|
"fake_eviction.go",
|
||||||
"fake_eviction_expansion.go",
|
"fake_eviction_expansion.go",
|
||||||
"fake_poddisruptionbudget.go",
|
"fake_poddisruptionbudget.go",
|
||||||
|
"fake_podsecuritypolicy.go",
|
||||||
"fake_policy_client.go",
|
"fake_policy_client.go",
|
||||||
],
|
],
|
||||||
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/policy/internalversion/fake",
|
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/policy/internalversion/fake",
|
||||||
|
@ -25,32 +25,32 @@ import (
|
|||||||
types "k8s.io/apimachinery/pkg/types"
|
types "k8s.io/apimachinery/pkg/types"
|
||||||
watch "k8s.io/apimachinery/pkg/watch"
|
watch "k8s.io/apimachinery/pkg/watch"
|
||||||
testing "k8s.io/client-go/testing"
|
testing "k8s.io/client-go/testing"
|
||||||
extensions "k8s.io/kubernetes/pkg/apis/extensions"
|
policy "k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
// FakePodSecurityPolicies implements PodSecurityPolicyInterface
|
// FakePodSecurityPolicies implements PodSecurityPolicyInterface
|
||||||
type FakePodSecurityPolicies struct {
|
type FakePodSecurityPolicies struct {
|
||||||
Fake *FakeExtensions
|
Fake *FakePolicy
|
||||||
}
|
}
|
||||||
|
|
||||||
var podsecuritypoliciesResource = schema.GroupVersionResource{Group: "extensions", Version: "", Resource: "podsecuritypolicies"}
|
var podsecuritypoliciesResource = schema.GroupVersionResource{Group: "policy", Version: "", Resource: "podsecuritypolicies"}
|
||||||
|
|
||||||
var podsecuritypoliciesKind = schema.GroupVersionKind{Group: "extensions", Version: "", Kind: "PodSecurityPolicy"}
|
var podsecuritypoliciesKind = schema.GroupVersionKind{Group: "policy", Version: "", Kind: "PodSecurityPolicy"}
|
||||||
|
|
||||||
// Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any.
|
// Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any.
|
||||||
func (c *FakePodSecurityPolicies) Get(name string, options v1.GetOptions) (result *extensions.PodSecurityPolicy, err error) {
|
func (c *FakePodSecurityPolicies) Get(name string, options v1.GetOptions) (result *policy.PodSecurityPolicy, err error) {
|
||||||
obj, err := c.Fake.
|
obj, err := c.Fake.
|
||||||
Invokes(testing.NewRootGetAction(podsecuritypoliciesResource, name), &extensions.PodSecurityPolicy{})
|
Invokes(testing.NewRootGetAction(podsecuritypoliciesResource, name), &policy.PodSecurityPolicy{})
|
||||||
if obj == nil {
|
if obj == nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return obj.(*extensions.PodSecurityPolicy), err
|
return obj.(*policy.PodSecurityPolicy), err
|
||||||
}
|
}
|
||||||
|
|
||||||
// List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors.
|
// List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors.
|
||||||
func (c *FakePodSecurityPolicies) List(opts v1.ListOptions) (result *extensions.PodSecurityPolicyList, err error) {
|
func (c *FakePodSecurityPolicies) List(opts v1.ListOptions) (result *policy.PodSecurityPolicyList, err error) {
|
||||||
obj, err := c.Fake.
|
obj, err := c.Fake.
|
||||||
Invokes(testing.NewRootListAction(podsecuritypoliciesResource, podsecuritypoliciesKind, opts), &extensions.PodSecurityPolicyList{})
|
Invokes(testing.NewRootListAction(podsecuritypoliciesResource, podsecuritypoliciesKind, opts), &policy.PodSecurityPolicyList{})
|
||||||
if obj == nil {
|
if obj == nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -59,8 +59,8 @@ func (c *FakePodSecurityPolicies) List(opts v1.ListOptions) (result *extensions.
|
|||||||
if label == nil {
|
if label == nil {
|
||||||
label = labels.Everything()
|
label = labels.Everything()
|
||||||
}
|
}
|
||||||
list := &extensions.PodSecurityPolicyList{}
|
list := &policy.PodSecurityPolicyList{}
|
||||||
for _, item := range obj.(*extensions.PodSecurityPolicyList).Items {
|
for _, item := range obj.(*policy.PodSecurityPolicyList).Items {
|
||||||
if label.Matches(labels.Set(item.Labels)) {
|
if label.Matches(labels.Set(item.Labels)) {
|
||||||
list.Items = append(list.Items, item)
|
list.Items = append(list.Items, item)
|
||||||
}
|
}
|
||||||
@ -75,29 +75,29 @@ func (c *FakePodSecurityPolicies) Watch(opts v1.ListOptions) (watch.Interface, e
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Create takes the representation of a podSecurityPolicy and creates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
|
// Create takes the representation of a podSecurityPolicy and creates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
|
||||||
func (c *FakePodSecurityPolicies) Create(podSecurityPolicy *extensions.PodSecurityPolicy) (result *extensions.PodSecurityPolicy, err error) {
|
func (c *FakePodSecurityPolicies) Create(podSecurityPolicy *policy.PodSecurityPolicy) (result *policy.PodSecurityPolicy, err error) {
|
||||||
obj, err := c.Fake.
|
obj, err := c.Fake.
|
||||||
Invokes(testing.NewRootCreateAction(podsecuritypoliciesResource, podSecurityPolicy), &extensions.PodSecurityPolicy{})
|
Invokes(testing.NewRootCreateAction(podsecuritypoliciesResource, podSecurityPolicy), &policy.PodSecurityPolicy{})
|
||||||
if obj == nil {
|
if obj == nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return obj.(*extensions.PodSecurityPolicy), err
|
return obj.(*policy.PodSecurityPolicy), err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
|
// Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
|
||||||
func (c *FakePodSecurityPolicies) Update(podSecurityPolicy *extensions.PodSecurityPolicy) (result *extensions.PodSecurityPolicy, err error) {
|
func (c *FakePodSecurityPolicies) Update(podSecurityPolicy *policy.PodSecurityPolicy) (result *policy.PodSecurityPolicy, err error) {
|
||||||
obj, err := c.Fake.
|
obj, err := c.Fake.
|
||||||
Invokes(testing.NewRootUpdateAction(podsecuritypoliciesResource, podSecurityPolicy), &extensions.PodSecurityPolicy{})
|
Invokes(testing.NewRootUpdateAction(podsecuritypoliciesResource, podSecurityPolicy), &policy.PodSecurityPolicy{})
|
||||||
if obj == nil {
|
if obj == nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return obj.(*extensions.PodSecurityPolicy), err
|
return obj.(*policy.PodSecurityPolicy), err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Delete takes name of the podSecurityPolicy and deletes it. Returns an error if one occurs.
|
// Delete takes name of the podSecurityPolicy and deletes it. Returns an error if one occurs.
|
||||||
func (c *FakePodSecurityPolicies) Delete(name string, options *v1.DeleteOptions) error {
|
func (c *FakePodSecurityPolicies) Delete(name string, options *v1.DeleteOptions) error {
|
||||||
_, err := c.Fake.
|
_, err := c.Fake.
|
||||||
Invokes(testing.NewRootDeleteAction(podsecuritypoliciesResource, name), &extensions.PodSecurityPolicy{})
|
Invokes(testing.NewRootDeleteAction(podsecuritypoliciesResource, name), &policy.PodSecurityPolicy{})
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -105,16 +105,16 @@ func (c *FakePodSecurityPolicies) Delete(name string, options *v1.DeleteOptions)
|
|||||||
func (c *FakePodSecurityPolicies) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
|
func (c *FakePodSecurityPolicies) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
|
||||||
action := testing.NewRootDeleteCollectionAction(podsecuritypoliciesResource, listOptions)
|
action := testing.NewRootDeleteCollectionAction(podsecuritypoliciesResource, listOptions)
|
||||||
|
|
||||||
_, err := c.Fake.Invokes(action, &extensions.PodSecurityPolicyList{})
|
_, err := c.Fake.Invokes(action, &policy.PodSecurityPolicyList{})
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Patch applies the patch and returns the patched podSecurityPolicy.
|
// Patch applies the patch and returns the patched podSecurityPolicy.
|
||||||
func (c *FakePodSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *extensions.PodSecurityPolicy, err error) {
|
func (c *FakePodSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *policy.PodSecurityPolicy, err error) {
|
||||||
obj, err := c.Fake.
|
obj, err := c.Fake.
|
||||||
Invokes(testing.NewRootPatchSubresourceAction(podsecuritypoliciesResource, name, data, subresources...), &extensions.PodSecurityPolicy{})
|
Invokes(testing.NewRootPatchSubresourceAction(podsecuritypoliciesResource, name, data, subresources...), &policy.PodSecurityPolicy{})
|
||||||
if obj == nil {
|
if obj == nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return obj.(*extensions.PodSecurityPolicy), err
|
return obj.(*policy.PodSecurityPolicy), err
|
||||||
}
|
}
|
@ -36,6 +36,10 @@ func (c *FakePolicy) PodDisruptionBudgets(namespace string) internalversion.PodD
|
|||||||
return &FakePodDisruptionBudgets{c, namespace}
|
return &FakePodDisruptionBudgets{c, namespace}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *FakePolicy) PodSecurityPolicies() internalversion.PodSecurityPolicyInterface {
|
||||||
|
return &FakePodSecurityPolicies{c}
|
||||||
|
}
|
||||||
|
|
||||||
// RESTClient returns a RESTClient that is used to communicate
|
// RESTClient returns a RESTClient that is used to communicate
|
||||||
// with API server by this client implementation.
|
// with API server by this client implementation.
|
||||||
func (c *FakePolicy) RESTClient() rest.Interface {
|
func (c *FakePolicy) RESTClient() rest.Interface {
|
||||||
|
@ -19,3 +19,5 @@ limitations under the License.
|
|||||||
package internalversion
|
package internalversion
|
||||||
|
|
||||||
type PodDisruptionBudgetExpansion interface{}
|
type PodDisruptionBudgetExpansion interface{}
|
||||||
|
|
||||||
|
type PodSecurityPolicyExpansion interface{}
|
||||||
|
@ -23,7 +23,7 @@ import (
|
|||||||
types "k8s.io/apimachinery/pkg/types"
|
types "k8s.io/apimachinery/pkg/types"
|
||||||
watch "k8s.io/apimachinery/pkg/watch"
|
watch "k8s.io/apimachinery/pkg/watch"
|
||||||
rest "k8s.io/client-go/rest"
|
rest "k8s.io/client-go/rest"
|
||||||
extensions "k8s.io/kubernetes/pkg/apis/extensions"
|
policy "k8s.io/kubernetes/pkg/apis/policy"
|
||||||
scheme "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/scheme"
|
scheme "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/scheme"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -35,14 +35,14 @@ type PodSecurityPoliciesGetter interface {
|
|||||||
|
|
||||||
// PodSecurityPolicyInterface has methods to work with PodSecurityPolicy resources.
|
// PodSecurityPolicyInterface has methods to work with PodSecurityPolicy resources.
|
||||||
type PodSecurityPolicyInterface interface {
|
type PodSecurityPolicyInterface interface {
|
||||||
Create(*extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error)
|
Create(*policy.PodSecurityPolicy) (*policy.PodSecurityPolicy, error)
|
||||||
Update(*extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error)
|
Update(*policy.PodSecurityPolicy) (*policy.PodSecurityPolicy, error)
|
||||||
Delete(name string, options *v1.DeleteOptions) error
|
Delete(name string, options *v1.DeleteOptions) error
|
||||||
DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
|
DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
|
||||||
Get(name string, options v1.GetOptions) (*extensions.PodSecurityPolicy, error)
|
Get(name string, options v1.GetOptions) (*policy.PodSecurityPolicy, error)
|
||||||
List(opts v1.ListOptions) (*extensions.PodSecurityPolicyList, error)
|
List(opts v1.ListOptions) (*policy.PodSecurityPolicyList, error)
|
||||||
Watch(opts v1.ListOptions) (watch.Interface, error)
|
Watch(opts v1.ListOptions) (watch.Interface, error)
|
||||||
Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *extensions.PodSecurityPolicy, err error)
|
Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *policy.PodSecurityPolicy, err error)
|
||||||
PodSecurityPolicyExpansion
|
PodSecurityPolicyExpansion
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -52,15 +52,15 @@ type podSecurityPolicies struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// newPodSecurityPolicies returns a PodSecurityPolicies
|
// newPodSecurityPolicies returns a PodSecurityPolicies
|
||||||
func newPodSecurityPolicies(c *ExtensionsClient) *podSecurityPolicies {
|
func newPodSecurityPolicies(c *PolicyClient) *podSecurityPolicies {
|
||||||
return &podSecurityPolicies{
|
return &podSecurityPolicies{
|
||||||
client: c.RESTClient(),
|
client: c.RESTClient(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any.
|
// Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any.
|
||||||
func (c *podSecurityPolicies) Get(name string, options v1.GetOptions) (result *extensions.PodSecurityPolicy, err error) {
|
func (c *podSecurityPolicies) Get(name string, options v1.GetOptions) (result *policy.PodSecurityPolicy, err error) {
|
||||||
result = &extensions.PodSecurityPolicy{}
|
result = &policy.PodSecurityPolicy{}
|
||||||
err = c.client.Get().
|
err = c.client.Get().
|
||||||
Resource("podsecuritypolicies").
|
Resource("podsecuritypolicies").
|
||||||
Name(name).
|
Name(name).
|
||||||
@ -71,8 +71,8 @@ func (c *podSecurityPolicies) Get(name string, options v1.GetOptions) (result *e
|
|||||||
}
|
}
|
||||||
|
|
||||||
// List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors.
|
// List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors.
|
||||||
func (c *podSecurityPolicies) List(opts v1.ListOptions) (result *extensions.PodSecurityPolicyList, err error) {
|
func (c *podSecurityPolicies) List(opts v1.ListOptions) (result *policy.PodSecurityPolicyList, err error) {
|
||||||
result = &extensions.PodSecurityPolicyList{}
|
result = &policy.PodSecurityPolicyList{}
|
||||||
err = c.client.Get().
|
err = c.client.Get().
|
||||||
Resource("podsecuritypolicies").
|
Resource("podsecuritypolicies").
|
||||||
VersionedParams(&opts, scheme.ParameterCodec).
|
VersionedParams(&opts, scheme.ParameterCodec).
|
||||||
@ -91,8 +91,8 @@ func (c *podSecurityPolicies) Watch(opts v1.ListOptions) (watch.Interface, error
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Create takes the representation of a podSecurityPolicy and creates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
|
// Create takes the representation of a podSecurityPolicy and creates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
|
||||||
func (c *podSecurityPolicies) Create(podSecurityPolicy *extensions.PodSecurityPolicy) (result *extensions.PodSecurityPolicy, err error) {
|
func (c *podSecurityPolicies) Create(podSecurityPolicy *policy.PodSecurityPolicy) (result *policy.PodSecurityPolicy, err error) {
|
||||||
result = &extensions.PodSecurityPolicy{}
|
result = &policy.PodSecurityPolicy{}
|
||||||
err = c.client.Post().
|
err = c.client.Post().
|
||||||
Resource("podsecuritypolicies").
|
Resource("podsecuritypolicies").
|
||||||
Body(podSecurityPolicy).
|
Body(podSecurityPolicy).
|
||||||
@ -102,8 +102,8 @@ func (c *podSecurityPolicies) Create(podSecurityPolicy *extensions.PodSecurityPo
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
|
// Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
|
||||||
func (c *podSecurityPolicies) Update(podSecurityPolicy *extensions.PodSecurityPolicy) (result *extensions.PodSecurityPolicy, err error) {
|
func (c *podSecurityPolicies) Update(podSecurityPolicy *policy.PodSecurityPolicy) (result *policy.PodSecurityPolicy, err error) {
|
||||||
result = &extensions.PodSecurityPolicy{}
|
result = &policy.PodSecurityPolicy{}
|
||||||
err = c.client.Put().
|
err = c.client.Put().
|
||||||
Resource("podsecuritypolicies").
|
Resource("podsecuritypolicies").
|
||||||
Name(podSecurityPolicy.Name).
|
Name(podSecurityPolicy.Name).
|
||||||
@ -134,8 +134,8 @@ func (c *podSecurityPolicies) DeleteCollection(options *v1.DeleteOptions, listOp
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Patch applies the patch and returns the patched podSecurityPolicy.
|
// Patch applies the patch and returns the patched podSecurityPolicy.
|
||||||
func (c *podSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *extensions.PodSecurityPolicy, err error) {
|
func (c *podSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *policy.PodSecurityPolicy, err error) {
|
||||||
result = &extensions.PodSecurityPolicy{}
|
result = &policy.PodSecurityPolicy{}
|
||||||
err = c.client.Patch(pt).
|
err = c.client.Patch(pt).
|
||||||
Resource("podsecuritypolicies").
|
Resource("podsecuritypolicies").
|
||||||
SubResource(subresources...).
|
SubResource(subresources...).
|
@ -27,6 +27,7 @@ type PolicyInterface interface {
|
|||||||
RESTClient() rest.Interface
|
RESTClient() rest.Interface
|
||||||
EvictionsGetter
|
EvictionsGetter
|
||||||
PodDisruptionBudgetsGetter
|
PodDisruptionBudgetsGetter
|
||||||
|
PodSecurityPoliciesGetter
|
||||||
}
|
}
|
||||||
|
|
||||||
// PolicyClient is used to interact with features provided by the policy group.
|
// PolicyClient is used to interact with features provided by the policy group.
|
||||||
@ -42,6 +43,10 @@ func (c *PolicyClient) PodDisruptionBudgets(namespace string) PodDisruptionBudge
|
|||||||
return newPodDisruptionBudgets(c, namespace)
|
return newPodDisruptionBudgets(c, namespace)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *PolicyClient) PodSecurityPolicies() PodSecurityPolicyInterface {
|
||||||
|
return newPodSecurityPolicies(c)
|
||||||
|
}
|
||||||
|
|
||||||
// NewForConfig creates a new PolicyClient for the given config.
|
// NewForConfig creates a new PolicyClient for the given config.
|
||||||
func NewForConfig(c *rest.Config) (*PolicyClient, error) {
|
func NewForConfig(c *rest.Config) (*PolicyClient, error) {
|
||||||
config := *c
|
config := *c
|
||||||
|
@ -12,7 +12,6 @@ go_library(
|
|||||||
"deployment.go",
|
"deployment.go",
|
||||||
"ingress.go",
|
"ingress.go",
|
||||||
"interface.go",
|
"interface.go",
|
||||||
"podsecuritypolicy.go",
|
|
||||||
"replicaset.go",
|
"replicaset.go",
|
||||||
],
|
],
|
||||||
importpath = "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/extensions/internalversion",
|
importpath = "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/extensions/internalversion",
|
||||||
|
@ -30,8 +30,6 @@ type Interface interface {
|
|||||||
Deployments() DeploymentInformer
|
Deployments() DeploymentInformer
|
||||||
// Ingresses returns a IngressInformer.
|
// Ingresses returns a IngressInformer.
|
||||||
Ingresses() IngressInformer
|
Ingresses() IngressInformer
|
||||||
// PodSecurityPolicies returns a PodSecurityPolicyInformer.
|
|
||||||
PodSecurityPolicies() PodSecurityPolicyInformer
|
|
||||||
// ReplicaSets returns a ReplicaSetInformer.
|
// ReplicaSets returns a ReplicaSetInformer.
|
||||||
ReplicaSets() ReplicaSetInformer
|
ReplicaSets() ReplicaSetInformer
|
||||||
}
|
}
|
||||||
@ -62,11 +60,6 @@ func (v *version) Ingresses() IngressInformer {
|
|||||||
return &ingressInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
return &ingressInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
||||||
}
|
}
|
||||||
|
|
||||||
// PodSecurityPolicies returns a PodSecurityPolicyInformer.
|
|
||||||
func (v *version) PodSecurityPolicies() PodSecurityPolicyInformer {
|
|
||||||
return &podSecurityPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
|
|
||||||
}
|
|
||||||
|
|
||||||
// ReplicaSets returns a ReplicaSetInformer.
|
// ReplicaSets returns a ReplicaSetInformer.
|
||||||
func (v *version) ReplicaSets() ReplicaSetInformer {
|
func (v *version) ReplicaSets() ReplicaSetInformer {
|
||||||
return &replicaSetInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
return &replicaSetInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
||||||
|
@ -133,8 +133,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
|
|||||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().Deployments().Informer()}, nil
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().Deployments().Informer()}, nil
|
||||||
case extensions.SchemeGroupVersion.WithResource("ingresses"):
|
case extensions.SchemeGroupVersion.WithResource("ingresses"):
|
||||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().Ingresses().Informer()}, nil
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().Ingresses().Informer()}, nil
|
||||||
case extensions.SchemeGroupVersion.WithResource("podsecuritypolicies"):
|
|
||||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().PodSecurityPolicies().Informer()}, nil
|
|
||||||
case extensions.SchemeGroupVersion.WithResource("replicasets"):
|
case extensions.SchemeGroupVersion.WithResource("replicasets"):
|
||||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().ReplicaSets().Informer()}, nil
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().ReplicaSets().Informer()}, nil
|
||||||
|
|
||||||
@ -145,6 +143,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
|
|||||||
// Group=policy, Version=internalVersion
|
// Group=policy, Version=internalVersion
|
||||||
case policy.SchemeGroupVersion.WithResource("poddisruptionbudgets"):
|
case policy.SchemeGroupVersion.WithResource("poddisruptionbudgets"):
|
||||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().InternalVersion().PodDisruptionBudgets().Informer()}, nil
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().InternalVersion().PodDisruptionBudgets().Informer()}, nil
|
||||||
|
case policy.SchemeGroupVersion.WithResource("podsecuritypolicies"):
|
||||||
|
return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().InternalVersion().PodSecurityPolicies().Informer()}, nil
|
||||||
|
|
||||||
// Group=rbac.authorization.k8s.io, Version=internalVersion
|
// Group=rbac.authorization.k8s.io, Version=internalVersion
|
||||||
case rbac.SchemeGroupVersion.WithResource("clusterroles"):
|
case rbac.SchemeGroupVersion.WithResource("clusterroles"):
|
||||||
|
@ -10,6 +10,7 @@ go_library(
|
|||||||
srcs = [
|
srcs = [
|
||||||
"interface.go",
|
"interface.go",
|
||||||
"poddisruptionbudget.go",
|
"poddisruptionbudget.go",
|
||||||
|
"podsecuritypolicy.go",
|
||||||
],
|
],
|
||||||
importpath = "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/policy/internalversion",
|
importpath = "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/policy/internalversion",
|
||||||
deps = [
|
deps = [
|
||||||
|
@ -26,6 +26,8 @@ import (
|
|||||||
type Interface interface {
|
type Interface interface {
|
||||||
// PodDisruptionBudgets returns a PodDisruptionBudgetInformer.
|
// PodDisruptionBudgets returns a PodDisruptionBudgetInformer.
|
||||||
PodDisruptionBudgets() PodDisruptionBudgetInformer
|
PodDisruptionBudgets() PodDisruptionBudgetInformer
|
||||||
|
// PodSecurityPolicies returns a PodSecurityPolicyInformer.
|
||||||
|
PodSecurityPolicies() PodSecurityPolicyInformer
|
||||||
}
|
}
|
||||||
|
|
||||||
type version struct {
|
type version struct {
|
||||||
@ -43,3 +45,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
|
|||||||
func (v *version) PodDisruptionBudgets() PodDisruptionBudgetInformer {
|
func (v *version) PodDisruptionBudgets() PodDisruptionBudgetInformer {
|
||||||
return &podDisruptionBudgetInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
return &podDisruptionBudgetInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PodSecurityPolicies returns a PodSecurityPolicyInformer.
|
||||||
|
func (v *version) PodSecurityPolicies() PodSecurityPolicyInformer {
|
||||||
|
return &podSecurityPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
|
||||||
|
}
|
||||||
|
@ -25,10 +25,10 @@ import (
|
|||||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||||
watch "k8s.io/apimachinery/pkg/watch"
|
watch "k8s.io/apimachinery/pkg/watch"
|
||||||
cache "k8s.io/client-go/tools/cache"
|
cache "k8s.io/client-go/tools/cache"
|
||||||
extensions "k8s.io/kubernetes/pkg/apis/extensions"
|
policy "k8s.io/kubernetes/pkg/apis/policy"
|
||||||
internalclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
|
internalclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
|
||||||
internalinterfaces "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/internalinterfaces"
|
internalinterfaces "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/internalinterfaces"
|
||||||
internalversion "k8s.io/kubernetes/pkg/client/listers/extensions/internalversion"
|
internalversion "k8s.io/kubernetes/pkg/client/listers/policy/internalversion"
|
||||||
)
|
)
|
||||||
|
|
||||||
// PodSecurityPolicyInformer provides access to a shared informer and lister for
|
// PodSecurityPolicyInformer provides access to a shared informer and lister for
|
||||||
@ -60,16 +60,16 @@ func NewFilteredPodSecurityPolicyInformer(client internalclientset.Interface, re
|
|||||||
if tweakListOptions != nil {
|
if tweakListOptions != nil {
|
||||||
tweakListOptions(&options)
|
tweakListOptions(&options)
|
||||||
}
|
}
|
||||||
return client.Extensions().PodSecurityPolicies().List(options)
|
return client.Policy().PodSecurityPolicies().List(options)
|
||||||
},
|
},
|
||||||
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
|
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
|
||||||
if tweakListOptions != nil {
|
if tweakListOptions != nil {
|
||||||
tweakListOptions(&options)
|
tweakListOptions(&options)
|
||||||
}
|
}
|
||||||
return client.Extensions().PodSecurityPolicies().Watch(options)
|
return client.Policy().PodSecurityPolicies().Watch(options)
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
&extensions.PodSecurityPolicy{},
|
&policy.PodSecurityPolicy{},
|
||||||
resyncPeriod,
|
resyncPeriod,
|
||||||
indexers,
|
indexers,
|
||||||
)
|
)
|
||||||
@ -80,7 +80,7 @@ func (f *podSecurityPolicyInformer) defaultInformer(client internalclientset.Int
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (f *podSecurityPolicyInformer) Informer() cache.SharedIndexInformer {
|
func (f *podSecurityPolicyInformer) Informer() cache.SharedIndexInformer {
|
||||||
return f.factory.InformerFor(&extensions.PodSecurityPolicy{}, f.defaultInformer)
|
return f.factory.InformerFor(&policy.PodSecurityPolicy{}, f.defaultInformer)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *podSecurityPolicyInformer) Lister() internalversion.PodSecurityPolicyLister {
|
func (f *podSecurityPolicyInformer) Lister() internalversion.PodSecurityPolicyLister {
|
@ -15,7 +15,6 @@ go_library(
|
|||||||
"deployment_expansion.go",
|
"deployment_expansion.go",
|
||||||
"expansion_generated.go",
|
"expansion_generated.go",
|
||||||
"ingress.go",
|
"ingress.go",
|
||||||
"podsecuritypolicy.go",
|
|
||||||
"replicaset.go",
|
"replicaset.go",
|
||||||
"replicaset_expansion.go",
|
"replicaset_expansion.go",
|
||||||
],
|
],
|
||||||
|
@ -25,7 +25,3 @@ type IngressListerExpansion interface{}
|
|||||||
// IngressNamespaceListerExpansion allows custom methods to be added to
|
// IngressNamespaceListerExpansion allows custom methods to be added to
|
||||||
// IngressNamespaceLister.
|
// IngressNamespaceLister.
|
||||||
type IngressNamespaceListerExpansion interface{}
|
type IngressNamespaceListerExpansion interface{}
|
||||||
|
|
||||||
// PodSecurityPolicyListerExpansion allows custom methods to be added to
|
|
||||||
// PodSecurityPolicyLister.
|
|
||||||
type PodSecurityPolicyListerExpansion interface{}
|
|
||||||
|
@ -12,6 +12,7 @@ go_library(
|
|||||||
"expansion_generated.go",
|
"expansion_generated.go",
|
||||||
"poddisruptionbudget.go",
|
"poddisruptionbudget.go",
|
||||||
"poddisruptionbudget_expansion.go",
|
"poddisruptionbudget_expansion.go",
|
||||||
|
"podsecuritypolicy.go",
|
||||||
],
|
],
|
||||||
importpath = "k8s.io/kubernetes/pkg/client/listers/policy/internalversion",
|
importpath = "k8s.io/kubernetes/pkg/client/listers/policy/internalversion",
|
||||||
deps = [
|
deps = [
|
||||||
|
@ -25,3 +25,7 @@ type EvictionListerExpansion interface{}
|
|||||||
// EvictionNamespaceListerExpansion allows custom methods to be added to
|
// EvictionNamespaceListerExpansion allows custom methods to be added to
|
||||||
// EvictionNamespaceLister.
|
// EvictionNamespaceLister.
|
||||||
type EvictionNamespaceListerExpansion interface{}
|
type EvictionNamespaceListerExpansion interface{}
|
||||||
|
|
||||||
|
// PodSecurityPolicyListerExpansion allows custom methods to be added to
|
||||||
|
// PodSecurityPolicyLister.
|
||||||
|
type PodSecurityPolicyListerExpansion interface{}
|
||||||
|
@ -22,15 +22,15 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
"k8s.io/client-go/tools/cache"
|
"k8s.io/client-go/tools/cache"
|
||||||
extensions "k8s.io/kubernetes/pkg/apis/extensions"
|
policy "k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
// PodSecurityPolicyLister helps list PodSecurityPolicies.
|
// PodSecurityPolicyLister helps list PodSecurityPolicies.
|
||||||
type PodSecurityPolicyLister interface {
|
type PodSecurityPolicyLister interface {
|
||||||
// List lists all PodSecurityPolicies in the indexer.
|
// List lists all PodSecurityPolicies in the indexer.
|
||||||
List(selector labels.Selector) (ret []*extensions.PodSecurityPolicy, err error)
|
List(selector labels.Selector) (ret []*policy.PodSecurityPolicy, err error)
|
||||||
// Get retrieves the PodSecurityPolicy from the index for a given name.
|
// Get retrieves the PodSecurityPolicy from the index for a given name.
|
||||||
Get(name string) (*extensions.PodSecurityPolicy, error)
|
Get(name string) (*policy.PodSecurityPolicy, error)
|
||||||
PodSecurityPolicyListerExpansion
|
PodSecurityPolicyListerExpansion
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -45,21 +45,21 @@ func NewPodSecurityPolicyLister(indexer cache.Indexer) PodSecurityPolicyLister {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// List lists all PodSecurityPolicies in the indexer.
|
// List lists all PodSecurityPolicies in the indexer.
|
||||||
func (s *podSecurityPolicyLister) List(selector labels.Selector) (ret []*extensions.PodSecurityPolicy, err error) {
|
func (s *podSecurityPolicyLister) List(selector labels.Selector) (ret []*policy.PodSecurityPolicy, err error) {
|
||||||
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
|
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
|
||||||
ret = append(ret, m.(*extensions.PodSecurityPolicy))
|
ret = append(ret, m.(*policy.PodSecurityPolicy))
|
||||||
})
|
})
|
||||||
return ret, err
|
return ret, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get retrieves the PodSecurityPolicy from the index for a given name.
|
// Get retrieves the PodSecurityPolicy from the index for a given name.
|
||||||
func (s *podSecurityPolicyLister) Get(name string) (*extensions.PodSecurityPolicy, error) {
|
func (s *podSecurityPolicyLister) Get(name string) (*policy.PodSecurityPolicy, error) {
|
||||||
obj, exists, err := s.indexer.GetByKey(name)
|
obj, exists, err := s.indexer.GetByKey(name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if !exists {
|
if !exists {
|
||||||
return nil, errors.NewNotFound(extensions.Resource("podsecuritypolicy"), name)
|
return nil, errors.NewNotFound(policy.Resource("podsecuritypolicy"), name)
|
||||||
}
|
}
|
||||||
return obj.(*extensions.PodSecurityPolicy), nil
|
return obj.(*policy.PodSecurityPolicy), nil
|
||||||
}
|
}
|
@ -17,7 +17,7 @@ go_library(
|
|||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core/v1/helper:go_default_library",
|
"//pkg/apis/core/v1/helper:go_default_library",
|
||||||
"//pkg/apis/core/validation:go_default_library",
|
"//pkg/apis/core/validation:go_default_library",
|
||||||
"//pkg/apis/extensions/validation:go_default_library",
|
"//pkg/apis/policy/validation:go_default_library",
|
||||||
"//pkg/kubelet/container:go_default_library",
|
"//pkg/kubelet/container:go_default_library",
|
||||||
"//pkg/kubelet/lifecycle:go_default_library",
|
"//pkg/kubelet/lifecycle:go_default_library",
|
||||||
],
|
],
|
||||||
|
@ -22,7 +22,7 @@ import (
|
|||||||
|
|
||||||
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
|
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
|
||||||
"k8s.io/kubernetes/pkg/apis/core/validation"
|
"k8s.io/kubernetes/pkg/apis/core/validation"
|
||||||
extvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation"
|
policyvalidation "k8s.io/kubernetes/pkg/apis/policy/validation"
|
||||||
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
|
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -64,11 +64,11 @@ func NewWhitelist(patterns []string, annotationKey string) (*patternWhitelist, e
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, s := range patterns {
|
for _, s := range patterns {
|
||||||
if !extvalidation.IsValidSysctlPattern(s) {
|
if !policyvalidation.IsValidSysctlPattern(s) {
|
||||||
return nil, fmt.Errorf("sysctl %q must have at most %d characters and match regex %s",
|
return nil, fmt.Errorf("sysctl %q must have at most %d characters and match regex %s",
|
||||||
s,
|
s,
|
||||||
validation.SysctlMaxLength,
|
validation.SysctlMaxLength,
|
||||||
extvalidation.SysctlPatternFmt,
|
policyvalidation.SysctlPatternFmt,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
if strings.HasSuffix(s, "*") {
|
if strings.HasSuffix(s, "*") {
|
||||||
|
@ -3475,7 +3475,7 @@ type PodSecurityPolicyDescriber struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerSettings printers.DescriberSettings) (string, error) {
|
func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerSettings printers.DescriberSettings) (string, error) {
|
||||||
psp, err := d.Extensions().PodSecurityPolicies().Get(name, metav1.GetOptions{})
|
psp, err := d.Policy().PodSecurityPolicies().Get(name, metav1.GetOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
@ -3483,7 +3483,7 @@ func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerS
|
|||||||
return describePodSecurityPolicy(psp)
|
return describePodSecurityPolicy(psp)
|
||||||
}
|
}
|
||||||
|
|
||||||
func describePodSecurityPolicy(psp *extensions.PodSecurityPolicy) (string, error) {
|
func describePodSecurityPolicy(psp *policy.PodSecurityPolicy) (string, error) {
|
||||||
return tabbedString(func(out io.Writer) error {
|
return tabbedString(func(out io.Writer) error {
|
||||||
w := NewPrefixWriter(out)
|
w := NewPrefixWriter(out)
|
||||||
w.Write(LEVEL_0, "Name:\t%s\n", psp.Name)
|
w.Write(LEVEL_0, "Name:\t%s\n", psp.Name)
|
||||||
@ -3543,7 +3543,7 @@ func stringOrDefaultValue(s, defaultValue string) string {
|
|||||||
return defaultValue
|
return defaultValue
|
||||||
}
|
}
|
||||||
|
|
||||||
func fsTypeToString(volumes []extensions.FSType) string {
|
func fsTypeToString(volumes []policy.FSType) string {
|
||||||
strVolumes := []string{}
|
strVolumes := []string{}
|
||||||
for _, v := range volumes {
|
for _, v := range volumes {
|
||||||
strVolumes = append(strVolumes, string(v))
|
strVolumes = append(strVolumes, string(v))
|
||||||
@ -3551,7 +3551,7 @@ func fsTypeToString(volumes []extensions.FSType) string {
|
|||||||
return stringOrNone(strings.Join(strVolumes, ","))
|
return stringOrNone(strings.Join(strVolumes, ","))
|
||||||
}
|
}
|
||||||
|
|
||||||
func flexVolumesToString(flexVolumes []extensions.AllowedFlexVolume) string {
|
func flexVolumesToString(flexVolumes []policy.AllowedFlexVolume) string {
|
||||||
volumes := []string{}
|
volumes := []string{}
|
||||||
for _, flexVolume := range flexVolumes {
|
for _, flexVolume := range flexVolumes {
|
||||||
volumes = append(volumes, "driver="+flexVolume.Driver)
|
volumes = append(volumes, "driver="+flexVolume.Driver)
|
||||||
@ -3559,7 +3559,7 @@ func flexVolumesToString(flexVolumes []extensions.AllowedFlexVolume) string {
|
|||||||
return stringOrDefaultValue(strings.Join(volumes, ","), "<all>")
|
return stringOrDefaultValue(strings.Join(volumes, ","), "<all>")
|
||||||
}
|
}
|
||||||
|
|
||||||
func hostPortRangeToString(ranges []extensions.HostPortRange) string {
|
func hostPortRangeToString(ranges []policy.HostPortRange) string {
|
||||||
formattedString := ""
|
formattedString := ""
|
||||||
if ranges != nil {
|
if ranges != nil {
|
||||||
strRanges := []string{}
|
strRanges := []string{}
|
||||||
@ -3571,7 +3571,7 @@ func hostPortRangeToString(ranges []extensions.HostPortRange) string {
|
|||||||
return stringOrNone(formattedString)
|
return stringOrNone(formattedString)
|
||||||
}
|
}
|
||||||
|
|
||||||
func userIDRangeToString(ranges []extensions.UserIDRange) string {
|
func userIDRangeToString(ranges []policy.UserIDRange) string {
|
||||||
formattedString := ""
|
formattedString := ""
|
||||||
if ranges != nil {
|
if ranges != nil {
|
||||||
strRanges := []string{}
|
strRanges := []string{}
|
||||||
@ -3583,7 +3583,7 @@ func userIDRangeToString(ranges []extensions.UserIDRange) string {
|
|||||||
return stringOrNone(formattedString)
|
return stringOrNone(formattedString)
|
||||||
}
|
}
|
||||||
|
|
||||||
func groupIDRangeToString(ranges []extensions.GroupIDRange) string {
|
func groupIDRangeToString(ranges []policy.GroupIDRange) string {
|
||||||
formattedString := ""
|
formattedString := ""
|
||||||
if ranges != nil {
|
if ranges != nil {
|
||||||
strRanges := []string{}
|
strRanges := []string{}
|
||||||
|
@ -2187,22 +2187,22 @@ func TestDescribePodSecurityPolicy(t *testing.T) {
|
|||||||
"Supplemental Groups Strategy: RunAsAny",
|
"Supplemental Groups Strategy: RunAsAny",
|
||||||
}
|
}
|
||||||
|
|
||||||
fake := fake.NewSimpleClientset(&extensions.PodSecurityPolicy{
|
fake := fake.NewSimpleClientset(&policy.PodSecurityPolicy{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "mypsp",
|
Name: "mypsp",
|
||||||
},
|
},
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
SELinux: extensions.SELinuxStrategyOptions{
|
SELinux: policy.SELinuxStrategyOptions{
|
||||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
Rule: policy.SELinuxStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
RunAsUser: policy.RunAsUserStrategyOptions{
|
||||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
Rule: policy.RunAsUserStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
FSGroup: extensions.FSGroupStrategyOptions{
|
FSGroup: policy.FSGroupStrategyOptions{
|
||||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
Rule: policy.FSGroupStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
|
||||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
Rule: policy.SupplementalGroupsStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
|
@ -1619,7 +1619,7 @@ func printConfigMapList(list *api.ConfigMapList, options printers.PrintOptions)
|
|||||||
return rows, nil
|
return rows, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func printPodSecurityPolicy(obj *extensions.PodSecurityPolicy, options printers.PrintOptions) ([]metav1beta1.TableRow, error) {
|
func printPodSecurityPolicy(obj *policy.PodSecurityPolicy, options printers.PrintOptions) ([]metav1beta1.TableRow, error) {
|
||||||
row := metav1beta1.TableRow{
|
row := metav1beta1.TableRow{
|
||||||
Object: runtime.RawExtension{Object: obj},
|
Object: runtime.RawExtension{Object: obj},
|
||||||
}
|
}
|
||||||
@ -1640,7 +1640,7 @@ func printPodSecurityPolicy(obj *extensions.PodSecurityPolicy, options printers.
|
|||||||
return []metav1beta1.TableRow{row}, nil
|
return []metav1beta1.TableRow{row}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func printPodSecurityPolicyList(list *extensions.PodSecurityPolicyList, options printers.PrintOptions) ([]metav1beta1.TableRow, error) {
|
func printPodSecurityPolicyList(list *policy.PodSecurityPolicyList, options printers.PrintOptions) ([]metav1beta1.TableRow, error) {
|
||||||
rows := make([]metav1beta1.TableRow, 0, len(list.Items))
|
rows := make([]metav1beta1.TableRow, 0, len(list.Items))
|
||||||
for i := range list.Items {
|
for i := range list.Items {
|
||||||
r, err := printPodSecurityPolicy(&list.Items[i], options)
|
r, err := printPodSecurityPolicy(&list.Items[i], options)
|
||||||
|
@ -14,8 +14,8 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/registry/extensions/podsecuritypolicy",
|
importpath = "k8s.io/kubernetes/pkg/registry/extensions/podsecuritypolicy",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/api/legacyscheme:go_default_library",
|
"//pkg/api/legacyscheme:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/apis/extensions/validation:go_default_library",
|
"//pkg/apis/policy/validation:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||||
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
|
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
|
||||||
|
@ -11,9 +11,9 @@ go_test(
|
|||||||
srcs = ["storage_test.go"],
|
srcs = ["storage_test.go"],
|
||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/registry/registrytest:go_default_library",
|
"//pkg/registry/registrytest:go_default_library",
|
||||||
"//vendor/k8s.io/api/extensions/v1beta1:go_default_library",
|
"//vendor/k8s.io/api/policy/v1beta1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/fields:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/fields:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
|
||||||
@ -29,11 +29,12 @@ go_library(
|
|||||||
srcs = ["storage.go"],
|
srcs = ["storage.go"],
|
||||||
importpath = "k8s.io/kubernetes/pkg/registry/extensions/podsecuritypolicy/storage",
|
importpath = "k8s.io/kubernetes/pkg/registry/extensions/podsecuritypolicy/storage",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/printers:go_default_library",
|
"//pkg/printers:go_default_library",
|
||||||
"//pkg/printers/internalversion:go_default_library",
|
"//pkg/printers/internalversion:go_default_library",
|
||||||
"//pkg/printers/storage:go_default_library",
|
"//pkg/printers/storage:go_default_library",
|
||||||
"//pkg/registry/extensions/podsecuritypolicy:go_default_library",
|
"//pkg/registry/extensions/podsecuritypolicy:go_default_library",
|
||||||
|
"//vendor/k8s.io/api/extensions/v1beta1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||||
"//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",
|
"//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",
|
||||||
"//vendor/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library",
|
"//vendor/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library",
|
||||||
|
@ -17,10 +17,11 @@ limitations under the License.
|
|||||||
package storage
|
package storage
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
extensions "k8s.io/api/extensions/v1beta1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apiserver/pkg/registry/generic"
|
"k8s.io/apiserver/pkg/registry/generic"
|
||||||
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
|
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"k8s.io/kubernetes/pkg/printers"
|
"k8s.io/kubernetes/pkg/printers"
|
||||||
printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
|
printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
|
||||||
printerstorage "k8s.io/kubernetes/pkg/printers/storage"
|
printerstorage "k8s.io/kubernetes/pkg/printers/storage"
|
||||||
@ -35,8 +36,8 @@ type REST struct {
|
|||||||
// NewREST returns a RESTStorage object that will work against PodSecurityPolicy objects.
|
// NewREST returns a RESTStorage object that will work against PodSecurityPolicy objects.
|
||||||
func NewREST(optsGetter generic.RESTOptionsGetter) *REST {
|
func NewREST(optsGetter generic.RESTOptionsGetter) *REST {
|
||||||
store := &genericregistry.Store{
|
store := &genericregistry.Store{
|
||||||
NewFunc: func() runtime.Object { return &extensions.PodSecurityPolicy{} },
|
NewFunc: func() runtime.Object { return &policy.PodSecurityPolicy{} },
|
||||||
NewListFunc: func() runtime.Object { return &extensions.PodSecurityPolicyList{} },
|
NewListFunc: func() runtime.Object { return &policy.PodSecurityPolicyList{} },
|
||||||
DefaultQualifiedResource: extensions.Resource("podsecuritypolicies"),
|
DefaultQualifiedResource: extensions.Resource("podsecuritypolicies"),
|
||||||
|
|
||||||
CreateStrategy: podsecuritypolicy.Strategy,
|
CreateStrategy: podsecuritypolicy.Strategy,
|
||||||
|
@ -20,9 +20,9 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
// Ensure that extensions/v1beta1 package is initialized.
|
// Ensure that policy/v1beta1 package is initialized.
|
||||||
_ "k8s.io/api/extensions/v1beta1"
|
_ "k8s.io/api/policy/v1beta1"
|
||||||
"k8s.io/apimachinery/pkg/fields"
|
"k8s.io/apimachinery/pkg/fields"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
@ -33,7 +33,7 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func newStorage(t *testing.T) (*REST, *etcdtesting.EtcdTestServer) {
|
func newStorage(t *testing.T) (*REST, *etcdtesting.EtcdTestServer) {
|
||||||
etcdStorage, server := registrytest.NewEtcdStorage(t, "extensions")
|
etcdStorage, server := registrytest.NewEtcdStorage(t, "policy")
|
||||||
restOptions := generic.RESTOptions{
|
restOptions := generic.RESTOptions{
|
||||||
StorageConfig: etcdStorage,
|
StorageConfig: etcdStorage,
|
||||||
Decorator: generic.UndecoratedStorage,
|
Decorator: generic.UndecoratedStorage,
|
||||||
@ -43,23 +43,23 @@ func newStorage(t *testing.T) (*REST, *etcdtesting.EtcdTestServer) {
|
|||||||
return NewREST(restOptions), server
|
return NewREST(restOptions), server
|
||||||
}
|
}
|
||||||
|
|
||||||
func validNewPodSecurityPolicy() *extensions.PodSecurityPolicy {
|
func validNewPodSecurityPolicy() *policy.PodSecurityPolicy {
|
||||||
return &extensions.PodSecurityPolicy{
|
return &policy.PodSecurityPolicy{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "foo",
|
Name: "foo",
|
||||||
},
|
},
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
SELinux: extensions.SELinuxStrategyOptions{
|
SELinux: policy.SELinuxStrategyOptions{
|
||||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
Rule: policy.SELinuxStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
RunAsUser: policy.RunAsUserStrategyOptions{
|
||||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
Rule: policy.RunAsUserStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
FSGroup: extensions.FSGroupStrategyOptions{
|
FSGroup: policy.FSGroupStrategyOptions{
|
||||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
Rule: policy.FSGroupStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
|
||||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
Rule: policy.SupplementalGroupsStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -76,7 +76,7 @@ func TestCreate(t *testing.T) {
|
|||||||
// valid
|
// valid
|
||||||
psp,
|
psp,
|
||||||
// invalid
|
// invalid
|
||||||
&extensions.PodSecurityPolicy{
|
&policy.PodSecurityPolicy{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "name with spaces"},
|
ObjectMeta: metav1.ObjectMeta{Name: "name with spaces"},
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
@ -92,7 +92,7 @@ func TestUpdate(t *testing.T) {
|
|||||||
validNewPodSecurityPolicy(),
|
validNewPodSecurityPolicy(),
|
||||||
// updateFunc
|
// updateFunc
|
||||||
func(obj runtime.Object) runtime.Object {
|
func(obj runtime.Object) runtime.Object {
|
||||||
object := obj.(*extensions.PodSecurityPolicy)
|
object := obj.(*policy.PodSecurityPolicy)
|
||||||
object.Labels = map[string]string{"a": "b"}
|
object.Labels = map[string]string{"a": "b"}
|
||||||
return object
|
return object
|
||||||
},
|
},
|
||||||
|
@ -23,8 +23,8 @@ import (
|
|||||||
"k8s.io/apiserver/pkg/registry/rest"
|
"k8s.io/apiserver/pkg/registry/rest"
|
||||||
"k8s.io/apiserver/pkg/storage/names"
|
"k8s.io/apiserver/pkg/storage/names"
|
||||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions/validation"
|
"k8s.io/kubernetes/pkg/apis/policy/validation"
|
||||||
)
|
)
|
||||||
|
|
||||||
// strategy implements behavior for PodSecurityPolicy objects
|
// strategy implements behavior for PodSecurityPolicy objects
|
||||||
@ -63,9 +63,9 @@ func (strategy) Canonicalize(obj runtime.Object) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
|
func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
|
||||||
return validation.ValidatePodSecurityPolicy(obj.(*extensions.PodSecurityPolicy))
|
return validation.ValidatePodSecurityPolicy(obj.(*policy.PodSecurityPolicy))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (strategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
|
func (strategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
|
||||||
return validation.ValidatePodSecurityPolicyUpdate(old.(*extensions.PodSecurityPolicy), obj.(*extensions.PodSecurityPolicy))
|
return validation.ValidatePodSecurityPolicyUpdate(old.(*policy.PodSecurityPolicy), obj.(*policy.PodSecurityPolicy))
|
||||||
}
|
}
|
||||||
|
@ -17,7 +17,7 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy",
|
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy/apparmor:go_default_library",
|
"//pkg/security/podsecuritypolicy/apparmor:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy/capabilities:go_default_library",
|
"//pkg/security/podsecuritypolicy/capabilities:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy/group:go_default_library",
|
"//pkg/security/podsecuritypolicy/group:go_default_library",
|
||||||
@ -39,7 +39,7 @@ go_test(
|
|||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/core/v1:go_default_library",
|
"//pkg/apis/core/v1:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/security/apparmor:go_default_library",
|
"//pkg/security/apparmor:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
|
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
||||||
|
@ -16,7 +16,7 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities",
|
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||||
],
|
],
|
||||||
@ -28,7 +28,7 @@ go_test(
|
|||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
// defaultCapabilities implements the Strategy interface
|
// defaultCapabilities implements the Strategy interface
|
||||||
@ -100,7 +100,7 @@ func (s *defaultCapabilities) Validate(pod *api.Pod, container *api.Container, c
|
|||||||
}
|
}
|
||||||
|
|
||||||
allowedAdd := makeCapSet(s.allowedCaps)
|
allowedAdd := makeCapSet(s.allowedCaps)
|
||||||
allowAllCaps := allowedAdd.Has(string(extensions.AllowAllCapabilities))
|
allowAllCaps := allowedAdd.Has(string(policy.AllowAllCapabilities))
|
||||||
if allowAllCaps {
|
if allowAllCaps {
|
||||||
// skip validation against allowed/defaultAdd/requiredDrop because all capabilities are allowed by a wildcard
|
// skip validation against allowed/defaultAdd/requiredDrop because all capabilities are allowed by a wildcard
|
||||||
return allErrs
|
return allErrs
|
||||||
|
@ -21,7 +21,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestGenerateAdds(t *testing.T) {
|
func TestGenerateAdds(t *testing.T) {
|
||||||
@ -278,7 +278,7 @@ func TestValidateAdds(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
"no required, all allowed, container requests valid": {
|
"no required, all allowed, container requests valid": {
|
||||||
allowedCaps: []api.Capability{extensions.AllowAllCapabilities},
|
allowedCaps: []api.Capability{policy.AllowAllCapabilities},
|
||||||
containerCaps: &api.Capabilities{
|
containerCaps: &api.Capabilities{
|
||||||
Add: []api.Capability{"foo"},
|
Add: []api.Capability{"foo"},
|
||||||
},
|
},
|
||||||
|
@ -21,7 +21,7 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/errors"
|
"k8s.io/apimachinery/pkg/util/errors"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
|
||||||
@ -39,7 +39,7 @@ func NewSimpleStrategyFactory() StrategyFactory {
|
|||||||
return &simpleStrategyFactory{}
|
return &simpleStrategyFactory{}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPolicy, namespace string) (*ProviderStrategies, error) {
|
func (f *simpleStrategyFactory) CreateStrategies(psp *policy.PodSecurityPolicy, namespace string) (*ProviderStrategies, error) {
|
||||||
errs := []error{}
|
errs := []error{}
|
||||||
|
|
||||||
userStrat, err := createUserStrategy(&psp.Spec.RunAsUser)
|
userStrat, err := createUserStrategy(&psp.Spec.RunAsUser)
|
||||||
@ -78,9 +78,9 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPoli
|
|||||||
}
|
}
|
||||||
|
|
||||||
var unsafeSysctls []string
|
var unsafeSysctls []string
|
||||||
if ann, found := psp.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey]; found {
|
if ann, found := psp.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey]; found {
|
||||||
var err error
|
var err error
|
||||||
unsafeSysctls, err = extensions.SysctlsFromPodSecurityPolicyAnnotation(ann)
|
unsafeSysctls, err = policy.SysctlsFromPodSecurityPolicyAnnotation(ann)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errs = append(errs, err)
|
errs = append(errs, err)
|
||||||
}
|
}
|
||||||
@ -106,13 +106,13 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPoli
|
|||||||
}
|
}
|
||||||
|
|
||||||
// createUserStrategy creates a new user strategy.
|
// createUserStrategy creates a new user strategy.
|
||||||
func createUserStrategy(opts *extensions.RunAsUserStrategyOptions) (user.RunAsUserStrategy, error) {
|
func createUserStrategy(opts *policy.RunAsUserStrategyOptions) (user.RunAsUserStrategy, error) {
|
||||||
switch opts.Rule {
|
switch opts.Rule {
|
||||||
case extensions.RunAsUserStrategyMustRunAs:
|
case policy.RunAsUserStrategyMustRunAs:
|
||||||
return user.NewMustRunAs(opts)
|
return user.NewMustRunAs(opts)
|
||||||
case extensions.RunAsUserStrategyMustRunAsNonRoot:
|
case policy.RunAsUserStrategyMustRunAsNonRoot:
|
||||||
return user.NewRunAsNonRoot(opts)
|
return user.NewRunAsNonRoot(opts)
|
||||||
case extensions.RunAsUserStrategyRunAsAny:
|
case policy.RunAsUserStrategyRunAsAny:
|
||||||
return user.NewRunAsAny(opts)
|
return user.NewRunAsAny(opts)
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("Unrecognized RunAsUser strategy type %s", opts.Rule)
|
return nil, fmt.Errorf("Unrecognized RunAsUser strategy type %s", opts.Rule)
|
||||||
@ -120,11 +120,11 @@ func createUserStrategy(opts *extensions.RunAsUserStrategyOptions) (user.RunAsUs
|
|||||||
}
|
}
|
||||||
|
|
||||||
// createSELinuxStrategy creates a new selinux strategy.
|
// createSELinuxStrategy creates a new selinux strategy.
|
||||||
func createSELinuxStrategy(opts *extensions.SELinuxStrategyOptions) (selinux.SELinuxStrategy, error) {
|
func createSELinuxStrategy(opts *policy.SELinuxStrategyOptions) (selinux.SELinuxStrategy, error) {
|
||||||
switch opts.Rule {
|
switch opts.Rule {
|
||||||
case extensions.SELinuxStrategyMustRunAs:
|
case policy.SELinuxStrategyMustRunAs:
|
||||||
return selinux.NewMustRunAs(opts)
|
return selinux.NewMustRunAs(opts)
|
||||||
case extensions.SELinuxStrategyRunAsAny:
|
case policy.SELinuxStrategyRunAsAny:
|
||||||
return selinux.NewRunAsAny(opts)
|
return selinux.NewRunAsAny(opts)
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("Unrecognized SELinuxContext strategy type %s", opts.Rule)
|
return nil, fmt.Errorf("Unrecognized SELinuxContext strategy type %s", opts.Rule)
|
||||||
@ -132,21 +132,21 @@ func createSELinuxStrategy(opts *extensions.SELinuxStrategyOptions) (selinux.SEL
|
|||||||
}
|
}
|
||||||
|
|
||||||
// createAppArmorStrategy creates a new AppArmor strategy.
|
// createAppArmorStrategy creates a new AppArmor strategy.
|
||||||
func createAppArmorStrategy(psp *extensions.PodSecurityPolicy) (apparmor.Strategy, error) {
|
func createAppArmorStrategy(psp *policy.PodSecurityPolicy) (apparmor.Strategy, error) {
|
||||||
return apparmor.NewStrategy(psp.Annotations), nil
|
return apparmor.NewStrategy(psp.Annotations), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// createSeccompStrategy creates a new seccomp strategy.
|
// createSeccompStrategy creates a new seccomp strategy.
|
||||||
func createSeccompStrategy(psp *extensions.PodSecurityPolicy) (seccomp.Strategy, error) {
|
func createSeccompStrategy(psp *policy.PodSecurityPolicy) (seccomp.Strategy, error) {
|
||||||
return seccomp.NewStrategy(psp.Annotations), nil
|
return seccomp.NewStrategy(psp.Annotations), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// createFSGroupStrategy creates a new fsgroup strategy
|
// createFSGroupStrategy creates a new fsgroup strategy
|
||||||
func createFSGroupStrategy(opts *extensions.FSGroupStrategyOptions) (group.GroupStrategy, error) {
|
func createFSGroupStrategy(opts *policy.FSGroupStrategyOptions) (group.GroupStrategy, error) {
|
||||||
switch opts.Rule {
|
switch opts.Rule {
|
||||||
case extensions.FSGroupStrategyRunAsAny:
|
case policy.FSGroupStrategyRunAsAny:
|
||||||
return group.NewRunAsAny()
|
return group.NewRunAsAny()
|
||||||
case extensions.FSGroupStrategyMustRunAs:
|
case policy.FSGroupStrategyMustRunAs:
|
||||||
return group.NewMustRunAs(opts.Ranges, fsGroupField)
|
return group.NewMustRunAs(opts.Ranges, fsGroupField)
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("Unrecognized FSGroup strategy type %s", opts.Rule)
|
return nil, fmt.Errorf("Unrecognized FSGroup strategy type %s", opts.Rule)
|
||||||
@ -154,11 +154,11 @@ func createFSGroupStrategy(opts *extensions.FSGroupStrategyOptions) (group.Group
|
|||||||
}
|
}
|
||||||
|
|
||||||
// createSupplementalGroupStrategy creates a new supplemental group strategy
|
// createSupplementalGroupStrategy creates a new supplemental group strategy
|
||||||
func createSupplementalGroupStrategy(opts *extensions.SupplementalGroupsStrategyOptions) (group.GroupStrategy, error) {
|
func createSupplementalGroupStrategy(opts *policy.SupplementalGroupsStrategyOptions) (group.GroupStrategy, error) {
|
||||||
switch opts.Rule {
|
switch opts.Rule {
|
||||||
case extensions.SupplementalGroupsStrategyRunAsAny:
|
case policy.SupplementalGroupsStrategyRunAsAny:
|
||||||
return group.NewRunAsAny()
|
return group.NewRunAsAny()
|
||||||
case extensions.SupplementalGroupsStrategyMustRunAs:
|
case policy.SupplementalGroupsStrategyMustRunAs:
|
||||||
return group.NewMustRunAs(opts.Ranges, supplementalGroupsField)
|
return group.NewMustRunAs(opts.Ranges, supplementalGroupsField)
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("Unrecognized SupplementalGroups strategy type %s", opts.Rule)
|
return nil, fmt.Errorf("Unrecognized SupplementalGroups strategy type %s", opts.Rule)
|
||||||
|
@ -17,7 +17,7 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group",
|
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||||
],
|
],
|
||||||
@ -30,7 +30,7 @@ go_test(
|
|||||||
"runasany_test.go",
|
"runasany_test.go",
|
||||||
],
|
],
|
||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = ["//pkg/apis/extensions:go_default_library"],
|
deps = ["//pkg/apis/policy:go_default_library"],
|
||||||
)
|
)
|
||||||
|
|
||||||
filegroup(
|
filegroup(
|
||||||
|
@ -21,20 +21,20 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
// mustRunAs implements the GroupStrategy interface
|
// mustRunAs implements the GroupStrategy interface
|
||||||
type mustRunAs struct {
|
type mustRunAs struct {
|
||||||
ranges []extensions.GroupIDRange
|
ranges []policy.GroupIDRange
|
||||||
field string
|
field string
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ GroupStrategy = &mustRunAs{}
|
var _ GroupStrategy = &mustRunAs{}
|
||||||
|
|
||||||
// NewMustRunAs provides a new MustRunAs strategy based on ranges.
|
// NewMustRunAs provides a new MustRunAs strategy based on ranges.
|
||||||
func NewMustRunAs(ranges []extensions.GroupIDRange, field string) (GroupStrategy, error) {
|
func NewMustRunAs(ranges []policy.GroupIDRange, field string) (GroupStrategy, error) {
|
||||||
if len(ranges) == 0 {
|
if len(ranges) == 0 {
|
||||||
return nil, fmt.Errorf("ranges must be supplied for MustRunAs")
|
return nil, fmt.Errorf("ranges must be supplied for MustRunAs")
|
||||||
}
|
}
|
||||||
|
@ -20,19 +20,19 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestMustRunAsOptions(t *testing.T) {
|
func TestMustRunAsOptions(t *testing.T) {
|
||||||
tests := map[string]struct {
|
tests := map[string]struct {
|
||||||
ranges []extensions.GroupIDRange
|
ranges []policy.GroupIDRange
|
||||||
pass bool
|
pass bool
|
||||||
}{
|
}{
|
||||||
"empty": {
|
"empty": {
|
||||||
ranges: []extensions.GroupIDRange{},
|
ranges: []policy.GroupIDRange{},
|
||||||
},
|
},
|
||||||
"ranges": {
|
"ranges": {
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 1},
|
{Min: 1, Max: 1},
|
||||||
},
|
},
|
||||||
pass: true,
|
pass: true,
|
||||||
@ -52,23 +52,23 @@ func TestMustRunAsOptions(t *testing.T) {
|
|||||||
|
|
||||||
func TestGenerate(t *testing.T) {
|
func TestGenerate(t *testing.T) {
|
||||||
tests := map[string]struct {
|
tests := map[string]struct {
|
||||||
ranges []extensions.GroupIDRange
|
ranges []policy.GroupIDRange
|
||||||
expected []int64
|
expected []int64
|
||||||
}{
|
}{
|
||||||
"multi value": {
|
"multi value": {
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 2},
|
{Min: 1, Max: 2},
|
||||||
},
|
},
|
||||||
expected: []int64{1},
|
expected: []int64{1},
|
||||||
},
|
},
|
||||||
"single value": {
|
"single value": {
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 1},
|
{Min: 1, Max: 1},
|
||||||
},
|
},
|
||||||
expected: []int64{1},
|
expected: []int64{1},
|
||||||
},
|
},
|
||||||
"multi range": {
|
"multi range": {
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 1},
|
{Min: 1, Max: 1},
|
||||||
{Min: 2, Max: 500},
|
{Min: 2, Max: 500},
|
||||||
},
|
},
|
||||||
@ -110,25 +110,25 @@ func TestGenerate(t *testing.T) {
|
|||||||
|
|
||||||
func TestValidate(t *testing.T) {
|
func TestValidate(t *testing.T) {
|
||||||
tests := map[string]struct {
|
tests := map[string]struct {
|
||||||
ranges []extensions.GroupIDRange
|
ranges []policy.GroupIDRange
|
||||||
groups []int64
|
groups []int64
|
||||||
expectedError string
|
expectedError string
|
||||||
}{
|
}{
|
||||||
"nil security context": {
|
"nil security context": {
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 3},
|
{Min: 1, Max: 3},
|
||||||
},
|
},
|
||||||
expectedError: "unable to validate empty groups against required ranges",
|
expectedError: "unable to validate empty groups against required ranges",
|
||||||
},
|
},
|
||||||
"empty groups": {
|
"empty groups": {
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 3},
|
{Min: 1, Max: 3},
|
||||||
},
|
},
|
||||||
expectedError: "unable to validate empty groups against required ranges",
|
expectedError: "unable to validate empty groups against required ranges",
|
||||||
},
|
},
|
||||||
"not in range": {
|
"not in range": {
|
||||||
groups: []int64{5},
|
groups: []int64{5},
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 3},
|
{Min: 1, Max: 3},
|
||||||
{Min: 4, Max: 4},
|
{Min: 4, Max: 4},
|
||||||
},
|
},
|
||||||
@ -136,25 +136,25 @@ func TestValidate(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"in range 1": {
|
"in range 1": {
|
||||||
groups: []int64{2},
|
groups: []int64{2},
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 3},
|
{Min: 1, Max: 3},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"in range boundary min": {
|
"in range boundary min": {
|
||||||
groups: []int64{1},
|
groups: []int64{1},
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 3},
|
{Min: 1, Max: 3},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"in range boundary max": {
|
"in range boundary max": {
|
||||||
groups: []int64{3},
|
groups: []int64{3},
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 3},
|
{Min: 1, Max: 3},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"singular range": {
|
"singular range": {
|
||||||
groups: []int64{4},
|
groups: []int64{4},
|
||||||
ranges: []extensions.GroupIDRange{
|
ranges: []policy.GroupIDRange{
|
||||||
{Min: 4, Max: 4},
|
{Min: 4, Max: 4},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -22,7 +22,7 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||||
"k8s.io/kubernetes/pkg/securitycontext"
|
"k8s.io/kubernetes/pkg/securitycontext"
|
||||||
)
|
)
|
||||||
@ -36,7 +36,7 @@ const (
|
|||||||
|
|
||||||
// simpleProvider is the default implementation of Provider.
|
// simpleProvider is the default implementation of Provider.
|
||||||
type simpleProvider struct {
|
type simpleProvider struct {
|
||||||
psp *extensions.PodSecurityPolicy
|
psp *policy.PodSecurityPolicy
|
||||||
strategies *ProviderStrategies
|
strategies *ProviderStrategies
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -44,7 +44,7 @@ type simpleProvider struct {
|
|||||||
var _ Provider = &simpleProvider{}
|
var _ Provider = &simpleProvider{}
|
||||||
|
|
||||||
// NewSimpleProvider creates a new Provider instance.
|
// NewSimpleProvider creates a new Provider instance.
|
||||||
func NewSimpleProvider(psp *extensions.PodSecurityPolicy, namespace string, strategyFactory StrategyFactory) (Provider, error) {
|
func NewSimpleProvider(psp *policy.PodSecurityPolicy, namespace string, strategyFactory StrategyFactory) (Provider, error) {
|
||||||
if psp == nil {
|
if psp == nil {
|
||||||
return nil, fmt.Errorf("NewSimpleProvider requires a PodSecurityPolicy")
|
return nil, fmt.Errorf("NewSimpleProvider requires a PodSecurityPolicy")
|
||||||
}
|
}
|
||||||
@ -144,7 +144,7 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container
|
|||||||
// if we're using the non-root strategy set the marker that this container should not be
|
// if we're using the non-root strategy set the marker that this container should not be
|
||||||
// run as root which will signal to the kubelet to do a final check either on the runAsUser
|
// run as root which will signal to the kubelet to do a final check either on the runAsUser
|
||||||
// or, if runAsUser is not set, the image UID will be checked.
|
// or, if runAsUser is not set, the image UID will be checked.
|
||||||
if sc.RunAsNonRoot() == nil && sc.RunAsUser() == nil && s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot {
|
if sc.RunAsNonRoot() == nil && sc.RunAsUser() == nil && s.psp.Spec.RunAsUser.Rule == policy.RunAsUserStrategyMustRunAsNonRoot {
|
||||||
nonRoot := true
|
nonRoot := true
|
||||||
sc.SetRunAsNonRoot(&nonRoot)
|
sc.SetRunAsNonRoot(&nonRoot)
|
||||||
}
|
}
|
||||||
@ -226,7 +226,7 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.Er
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
if fsType == extensions.HostPath {
|
if fsType == policy.HostPath {
|
||||||
if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) {
|
if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) {
|
||||||
allErrs = append(allErrs, field.Invalid(
|
allErrs = append(allErrs, field.Invalid(
|
||||||
field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path,
|
field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path,
|
||||||
@ -234,7 +234,7 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.Er
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if fsType == extensions.FlexVolume && len(s.psp.Spec.AllowedFlexVolumes) > 0 {
|
if fsType == policy.FlexVolume && len(s.psp.Spec.AllowedFlexVolumes) > 0 {
|
||||||
found := false
|
found := false
|
||||||
driver := v.FlexVolume.Driver
|
driver := v.FlexVolume.Driver
|
||||||
for _, allowedFlexVolume := range s.psp.Spec.AllowedFlexVolumes {
|
for _, allowedFlexVolume := range s.psp.Spec.AllowedFlexVolumes {
|
||||||
@ -333,7 +333,7 @@ func (s *simpleProvider) GetPSPName() string {
|
|||||||
return s.psp.Name
|
return s.psp.Name
|
||||||
}
|
}
|
||||||
|
|
||||||
func hostPortRangesToString(ranges []extensions.HostPortRange) string {
|
func hostPortRangesToString(ranges []policy.HostPortRange) string {
|
||||||
formattedString := ""
|
formattedString := ""
|
||||||
if ranges != nil {
|
if ranges != nil {
|
||||||
strRanges := []string{}
|
strRanges := []string{}
|
||||||
|
@ -30,7 +30,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
|
k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"k8s.io/kubernetes/pkg/security/apparmor"
|
"k8s.io/kubernetes/pkg/security/apparmor"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
||||||
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||||
@ -49,27 +49,27 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Create a PSP with strategies that will populate a blank psc
|
// Create a PSP with strategies that will populate a blank psc
|
||||||
createPSP := func() *extensions.PodSecurityPolicy {
|
createPSP := func() *policy.PodSecurityPolicy {
|
||||||
return &extensions.PodSecurityPolicy{
|
return &policy.PodSecurityPolicy{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "psp-sa",
|
Name: "psp-sa",
|
||||||
Annotations: map[string]string{
|
Annotations: map[string]string{
|
||||||
seccomp.AllowedProfilesAnnotationKey: "*",
|
seccomp.AllowedProfilesAnnotationKey: "*",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
AllowPrivilegeEscalation: true,
|
AllowPrivilegeEscalation: true,
|
||||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
RunAsUser: policy.RunAsUserStrategyOptions{
|
||||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
Rule: policy.RunAsUserStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
SELinux: extensions.SELinuxStrategyOptions{
|
SELinux: policy.SELinuxStrategyOptions{
|
||||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
Rule: policy.SELinuxStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
FSGroup: extensions.FSGroupStrategyOptions{
|
FSGroup: policy.FSGroupStrategyOptions{
|
||||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
Rule: policy.FSGroupStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
|
||||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
Rule: policy.SupplementalGroupsStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -120,8 +120,8 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Create a PSP with strategies that will populate a blank security context
|
// Create a PSP with strategies that will populate a blank security context
|
||||||
createPSP := func() *extensions.PodSecurityPolicy {
|
createPSP := func() *policy.PodSecurityPolicy {
|
||||||
return &extensions.PodSecurityPolicy{
|
return &policy.PodSecurityPolicy{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "psp-sa",
|
Name: "psp-sa",
|
||||||
Annotations: map[string]string{
|
Annotations: map[string]string{
|
||||||
@ -129,19 +129,19 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
|
|||||||
seccomp.DefaultProfileAnnotationKey: "foo",
|
seccomp.DefaultProfileAnnotationKey: "foo",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
AllowPrivilegeEscalation: true,
|
AllowPrivilegeEscalation: true,
|
||||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
RunAsUser: policy.RunAsUserStrategyOptions{
|
||||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
Rule: policy.RunAsUserStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
SELinux: extensions.SELinuxStrategyOptions{
|
SELinux: policy.SELinuxStrategyOptions{
|
||||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
Rule: policy.SELinuxStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
FSGroup: extensions.FSGroupStrategyOptions{
|
FSGroup: policy.FSGroupStrategyOptions{
|
||||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
Rule: policy.FSGroupStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
|
||||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
Rule: policy.SupplementalGroupsStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -184,9 +184,9 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
|
|||||||
failSupplementalGroupPod := defaultPod()
|
failSupplementalGroupPod := defaultPod()
|
||||||
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{999}
|
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{999}
|
||||||
failSupplementalGroupPSP := defaultPSP()
|
failSupplementalGroupPSP := defaultPSP()
|
||||||
failSupplementalGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{
|
failSupplementalGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{
|
||||||
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
|
Rule: policy.SupplementalGroupsStrategyMustRunAs,
|
||||||
Ranges: []extensions.GroupIDRange{
|
Ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 1},
|
{Min: 1, Max: 1},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -195,16 +195,16 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
|
|||||||
fsGroup := int64(999)
|
fsGroup := int64(999)
|
||||||
failFSGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
|
failFSGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
|
||||||
failFSGroupPSP := defaultPSP()
|
failFSGroupPSP := defaultPSP()
|
||||||
failFSGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
|
failFSGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{
|
||||||
Rule: extensions.FSGroupStrategyMustRunAs,
|
Rule: policy.FSGroupStrategyMustRunAs,
|
||||||
Ranges: []extensions.GroupIDRange{
|
Ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 1},
|
{Min: 1, Max: 1},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
failNilSELinuxPod := defaultPod()
|
failNilSELinuxPod := defaultPod()
|
||||||
failSELinuxPSP := defaultPSP()
|
failSELinuxPSP := defaultPSP()
|
||||||
failSELinuxPSP.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs
|
failSELinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
|
||||||
failSELinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
|
failSELinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
|
||||||
Level: "foo",
|
Level: "foo",
|
||||||
}
|
}
|
||||||
@ -236,16 +236,16 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
failHostPathDirPSP := defaultPSP()
|
failHostPathDirPSP := defaultPSP()
|
||||||
failHostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
|
failHostPathDirPSP.Spec.Volumes = []policy.FSType{policy.HostPath}
|
||||||
failHostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
|
failHostPathDirPSP.Spec.AllowedHostPaths = []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo/bar"},
|
{PathPrefix: "/foo/bar"},
|
||||||
}
|
}
|
||||||
|
|
||||||
failOtherSysctlsAllowedPSP := defaultPSP()
|
failOtherSysctlsAllowedPSP := defaultPSP()
|
||||||
failOtherSysctlsAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc"
|
failOtherSysctlsAllowedPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc"
|
||||||
|
|
||||||
failNoSysctlAllowedPSP := defaultPSP()
|
failNoSysctlAllowedPSP := defaultPSP()
|
||||||
failNoSysctlAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = ""
|
failNoSysctlAllowedPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = ""
|
||||||
|
|
||||||
failSafeSysctlFooPod := defaultPod()
|
failSafeSysctlFooPod := defaultPod()
|
||||||
failSafeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1"
|
failSafeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1"
|
||||||
@ -270,7 +270,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
|
|||||||
|
|
||||||
errorCases := map[string]struct {
|
errorCases := map[string]struct {
|
||||||
pod *api.Pod
|
pod *api.Pod
|
||||||
psp *extensions.PodSecurityPolicy
|
psp *policy.PodSecurityPolicy
|
||||||
expectedError string
|
expectedError string
|
||||||
}{
|
}{
|
||||||
"failHostNetwork": {
|
"failHostNetwork": {
|
||||||
@ -380,24 +380,24 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func allowFlexVolumesPSP(allowAllFlexVolumes, allowAllVolumes bool) *extensions.PodSecurityPolicy {
|
func allowFlexVolumesPSP(allowAllFlexVolumes, allowAllVolumes bool) *policy.PodSecurityPolicy {
|
||||||
psp := defaultPSP()
|
psp := defaultPSP()
|
||||||
|
|
||||||
allowedVolumes := []extensions.AllowedFlexVolume{
|
allowedVolumes := []policy.AllowedFlexVolume{
|
||||||
{Driver: "example/foo"},
|
{Driver: "example/foo"},
|
||||||
{Driver: "example/bar"},
|
{Driver: "example/bar"},
|
||||||
}
|
}
|
||||||
if allowAllFlexVolumes {
|
if allowAllFlexVolumes {
|
||||||
allowedVolumes = []extensions.AllowedFlexVolume{}
|
allowedVolumes = []policy.AllowedFlexVolume{}
|
||||||
}
|
}
|
||||||
|
|
||||||
allowedVolumeType := extensions.FlexVolume
|
allowedVolumeType := policy.FlexVolume
|
||||||
if allowAllVolumes {
|
if allowAllVolumes {
|
||||||
allowedVolumeType = extensions.All
|
allowedVolumeType = policy.All
|
||||||
}
|
}
|
||||||
|
|
||||||
psp.Spec.AllowedFlexVolumes = allowedVolumes
|
psp.Spec.AllowedFlexVolumes = allowedVolumes
|
||||||
psp.Spec.Volumes = []extensions.FSType{allowedVolumeType}
|
psp.Spec.Volumes = []policy.FSType{allowedVolumeType}
|
||||||
|
|
||||||
return psp
|
return psp
|
||||||
}
|
}
|
||||||
@ -407,17 +407,17 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
|
|||||||
failUserPSP := defaultPSP()
|
failUserPSP := defaultPSP()
|
||||||
uid := int64(999)
|
uid := int64(999)
|
||||||
badUID := int64(1)
|
badUID := int64(1)
|
||||||
failUserPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
|
failUserPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{
|
||||||
Rule: extensions.RunAsUserStrategyMustRunAs,
|
Rule: policy.RunAsUserStrategyMustRunAs,
|
||||||
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
|
Ranges: []policy.UserIDRange{{Min: uid, Max: uid}},
|
||||||
}
|
}
|
||||||
failUserPod := defaultPod()
|
failUserPod := defaultPod()
|
||||||
failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID
|
failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID
|
||||||
|
|
||||||
// fail selinux strategy
|
// fail selinux strategy
|
||||||
failSELinuxPSP := defaultPSP()
|
failSELinuxPSP := defaultPSP()
|
||||||
failSELinuxPSP.Spec.SELinux = extensions.SELinuxStrategyOptions{
|
failSELinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{
|
||||||
Rule: extensions.SELinuxStrategyMustRunAs,
|
Rule: policy.SELinuxStrategyMustRunAs,
|
||||||
SELinuxOptions: &api.SELinuxOptions{
|
SELinuxOptions: &api.SELinuxOptions{
|
||||||
Level: "foo",
|
Level: "foo",
|
||||||
},
|
},
|
||||||
@ -469,7 +469,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
|
|||||||
|
|
||||||
errorCases := map[string]struct {
|
errorCases := map[string]struct {
|
||||||
pod *api.Pod
|
pod *api.Pod
|
||||||
psp *extensions.PodSecurityPolicy
|
psp *policy.PodSecurityPolicy
|
||||||
expectedError string
|
expectedError string
|
||||||
}{
|
}{
|
||||||
"failUserPSP": {
|
"failUserPSP": {
|
||||||
@ -562,9 +562,9 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
|
|||||||
hostIPCPod.Spec.SecurityContext.HostIPC = true
|
hostIPCPod.Spec.SecurityContext.HostIPC = true
|
||||||
|
|
||||||
supGroupPSP := defaultPSP()
|
supGroupPSP := defaultPSP()
|
||||||
supGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{
|
supGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{
|
||||||
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
|
Rule: policy.SupplementalGroupsStrategyMustRunAs,
|
||||||
Ranges: []extensions.GroupIDRange{
|
Ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 5},
|
{Min: 1, Max: 5},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -572,9 +572,9 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
|
|||||||
supGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{3}
|
supGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{3}
|
||||||
|
|
||||||
fsGroupPSP := defaultPSP()
|
fsGroupPSP := defaultPSP()
|
||||||
fsGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
|
fsGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{
|
||||||
Rule: extensions.FSGroupStrategyMustRunAs,
|
Rule: policy.FSGroupStrategyMustRunAs,
|
||||||
Ranges: []extensions.GroupIDRange{
|
Ranges: []policy.GroupIDRange{
|
||||||
{Min: 1, Max: 5},
|
{Min: 1, Max: 5},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -590,7 +590,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
|
|||||||
Level: "level",
|
Level: "level",
|
||||||
}
|
}
|
||||||
seLinuxPSP := defaultPSP()
|
seLinuxPSP := defaultPSP()
|
||||||
seLinuxPSP.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs
|
seLinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
|
||||||
seLinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
|
seLinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
|
||||||
User: "user",
|
User: "user",
|
||||||
Role: "role",
|
Role: "role",
|
||||||
@ -611,19 +611,19 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
hostPathDirPSP := defaultPSP()
|
hostPathDirPSP := defaultPSP()
|
||||||
hostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
|
hostPathDirPSP.Spec.Volumes = []policy.FSType{policy.HostPath}
|
||||||
hostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
|
hostPathDirPSP.Spec.AllowedHostPaths = []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo/bar"},
|
{PathPrefix: "/foo/bar"},
|
||||||
}
|
}
|
||||||
|
|
||||||
hostPathDirAsterisksPSP := defaultPSP()
|
hostPathDirAsterisksPSP := defaultPSP()
|
||||||
hostPathDirAsterisksPSP.Spec.Volumes = []extensions.FSType{extensions.All}
|
hostPathDirAsterisksPSP.Spec.Volumes = []policy.FSType{policy.All}
|
||||||
hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
|
hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo/bar"},
|
{PathPrefix: "/foo/bar"},
|
||||||
}
|
}
|
||||||
|
|
||||||
sysctlAllowFooPSP := defaultPSP()
|
sysctlAllowFooPSP := defaultPSP()
|
||||||
sysctlAllowFooPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "foo"
|
sysctlAllowFooPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "foo"
|
||||||
|
|
||||||
safeSysctlFooPod := defaultPod()
|
safeSysctlFooPod := defaultPod()
|
||||||
safeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1"
|
safeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1"
|
||||||
@ -655,7 +655,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
|
|||||||
|
|
||||||
successCases := map[string]struct {
|
successCases := map[string]struct {
|
||||||
pod *api.Pod
|
pod *api.Pod
|
||||||
psp *extensions.PodSecurityPolicy
|
psp *policy.PodSecurityPolicy
|
||||||
}{
|
}{
|
||||||
"pass hostNetwork validating PSP": {
|
"pass hostNetwork validating PSP": {
|
||||||
pod: hostNetworkPod,
|
pod: hostNetworkPod,
|
||||||
@ -744,17 +744,17 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
|
|||||||
// success user strategy
|
// success user strategy
|
||||||
userPSP := defaultPSP()
|
userPSP := defaultPSP()
|
||||||
uid := int64(999)
|
uid := int64(999)
|
||||||
userPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
|
userPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{
|
||||||
Rule: extensions.RunAsUserStrategyMustRunAs,
|
Rule: policy.RunAsUserStrategyMustRunAs,
|
||||||
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
|
Ranges: []policy.UserIDRange{{Min: uid, Max: uid}},
|
||||||
}
|
}
|
||||||
userPod := defaultPod()
|
userPod := defaultPod()
|
||||||
userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid
|
userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid
|
||||||
|
|
||||||
// success selinux strategy
|
// success selinux strategy
|
||||||
seLinuxPSP := defaultPSP()
|
seLinuxPSP := defaultPSP()
|
||||||
seLinuxPSP.Spec.SELinux = extensions.SELinuxStrategyOptions{
|
seLinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{
|
||||||
Rule: extensions.SELinuxStrategyMustRunAs,
|
Rule: policy.SELinuxStrategyMustRunAs,
|
||||||
SELinuxOptions: &api.SELinuxOptions{
|
SELinuxOptions: &api.SELinuxOptions{
|
||||||
Level: "foo",
|
Level: "foo",
|
||||||
},
|
},
|
||||||
@ -795,7 +795,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
hostDirPSP := defaultPSP()
|
hostDirPSP := defaultPSP()
|
||||||
hostDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
|
hostDirPSP.Spec.Volumes = []policy.FSType{policy.HostPath}
|
||||||
hostDirPod := defaultPod()
|
hostDirPod := defaultPod()
|
||||||
hostDirPod.Spec.Volumes = []api.Volume{
|
hostDirPod.Spec.Volumes = []api.Volume{
|
||||||
{
|
{
|
||||||
@ -807,7 +807,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
hostPortPSP := defaultPSP()
|
hostPortPSP := defaultPSP()
|
||||||
hostPortPSP.Spec.HostPorts = []extensions.HostPortRange{{Min: 1, Max: 1}}
|
hostPortPSP.Spec.HostPorts = []policy.HostPortRange{{Min: 1, Max: 1}}
|
||||||
hostPortPod := defaultPod()
|
hostPortPod := defaultPod()
|
||||||
hostPortPod.Spec.Containers[0].Ports = []api.ContainerPort{{HostPort: 1}}
|
hostPortPod.Spec.Containers[0].Ports = []api.ContainerPort{{HostPort: 1}}
|
||||||
|
|
||||||
@ -836,7 +836,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
|
|||||||
|
|
||||||
successCases := map[string]struct {
|
successCases := map[string]struct {
|
||||||
pod *api.Pod
|
pod *api.Pod
|
||||||
psp *extensions.PodSecurityPolicy
|
psp *policy.PodSecurityPolicy
|
||||||
}{
|
}{
|
||||||
"pass user must run as PSP": {
|
"pass user must run as PSP": {
|
||||||
pod: userPod,
|
pod: userPod,
|
||||||
@ -922,7 +922,7 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) {
|
|||||||
|
|
||||||
tests := map[string]struct {
|
tests := map[string]struct {
|
||||||
pod *api.Pod
|
pod *api.Pod
|
||||||
psp *extensions.PodSecurityPolicy
|
psp *policy.PodSecurityPolicy
|
||||||
expected *bool
|
expected *bool
|
||||||
}{
|
}{
|
||||||
"false psp, nil sc": {
|
"false psp, nil sc": {
|
||||||
@ -985,24 +985,24 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func defaultPSP() *extensions.PodSecurityPolicy {
|
func defaultPSP() *policy.PodSecurityPolicy {
|
||||||
return &extensions.PodSecurityPolicy{
|
return &policy.PodSecurityPolicy{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "psp-sa",
|
Name: "psp-sa",
|
||||||
Annotations: map[string]string{},
|
Annotations: map[string]string{},
|
||||||
},
|
},
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
RunAsUser: policy.RunAsUserStrategyOptions{
|
||||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
Rule: policy.RunAsUserStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
SELinux: extensions.SELinuxStrategyOptions{
|
SELinux: policy.SELinuxStrategyOptions{
|
||||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
Rule: policy.SELinuxStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
FSGroup: extensions.FSGroupStrategyOptions{
|
FSGroup: policy.FSGroupStrategyOptions{
|
||||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
Rule: policy.FSGroupStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
|
||||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
Rule: policy.SupplementalGroupsStrategyRunAsAny,
|
||||||
},
|
},
|
||||||
AllowPrivilegeEscalation: true,
|
AllowPrivilegeEscalation: true,
|
||||||
},
|
},
|
||||||
@ -1104,14 +1104,14 @@ func TestValidateAllowedVolumes(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// now add the fstype directly to the psp and it should validate
|
// now add the fstype directly to the psp and it should validate
|
||||||
psp.Spec.Volumes = []extensions.FSType{fsType}
|
psp.Spec.Volumes = []policy.FSType{fsType}
|
||||||
errs = provider.ValidatePod(pod, field.NewPath(""))
|
errs = provider.ValidatePod(pod, field.NewPath(""))
|
||||||
if len(errs) != 0 {
|
if len(errs) != 0 {
|
||||||
t.Errorf("directly allowing volume expected no errors for %s but got %v", fieldVal.Name, errs)
|
t.Errorf("directly allowing volume expected no errors for %s but got %v", fieldVal.Name, errs)
|
||||||
}
|
}
|
||||||
|
|
||||||
// now change the psp to allow any volumes and the pod should still validate
|
// now change the psp to allow any volumes and the pod should still validate
|
||||||
psp.Spec.Volumes = []extensions.FSType{extensions.All}
|
psp.Spec.Volumes = []policy.FSType{policy.All}
|
||||||
errs = provider.ValidatePod(pod, field.NewPath(""))
|
errs = provider.ValidatePod(pod, field.NewPath(""))
|
||||||
if len(errs) != 0 {
|
if len(errs) != 0 {
|
||||||
t.Errorf("wildcard volume expected no errors for %s but got %v", fieldVal.Name, errs)
|
t.Errorf("wildcard volume expected no errors for %s but got %v", fieldVal.Name, errs)
|
||||||
|
@ -17,7 +17,7 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux",
|
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||||
],
|
],
|
||||||
@ -32,7 +32,7 @@ go_test(
|
|||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -23,17 +23,17 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
type mustRunAs struct {
|
type mustRunAs struct {
|
||||||
opts *extensions.SELinuxStrategyOptions
|
opts *policy.SELinuxStrategyOptions
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ SELinuxStrategy = &mustRunAs{}
|
var _ SELinuxStrategy = &mustRunAs{}
|
||||||
|
|
||||||
func NewMustRunAs(options *extensions.SELinuxStrategyOptions) (SELinuxStrategy, error) {
|
func NewMustRunAs(options *policy.SELinuxStrategyOptions) (SELinuxStrategy, error) {
|
||||||
if options == nil {
|
if options == nil {
|
||||||
return nil, fmt.Errorf("MustRunAs requires SELinuxContextStrategyOptions")
|
return nil, fmt.Errorf("MustRunAs requires SELinuxContextStrategyOptions")
|
||||||
}
|
}
|
||||||
|
@ -18,7 +18,7 @@ package selinux
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"reflect"
|
"reflect"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
@ -26,7 +26,7 @@ import (
|
|||||||
|
|
||||||
func TestMustRunAsOptions(t *testing.T) {
|
func TestMustRunAsOptions(t *testing.T) {
|
||||||
tests := map[string]struct {
|
tests := map[string]struct {
|
||||||
opts *extensions.SELinuxStrategyOptions
|
opts *policy.SELinuxStrategyOptions
|
||||||
pass bool
|
pass bool
|
||||||
}{
|
}{
|
||||||
"nil opts": {
|
"nil opts": {
|
||||||
@ -34,11 +34,11 @@ func TestMustRunAsOptions(t *testing.T) {
|
|||||||
pass: false,
|
pass: false,
|
||||||
},
|
},
|
||||||
"invalid opts": {
|
"invalid opts": {
|
||||||
opts: &extensions.SELinuxStrategyOptions{},
|
opts: &policy.SELinuxStrategyOptions{},
|
||||||
pass: false,
|
pass: false,
|
||||||
},
|
},
|
||||||
"valid opts": {
|
"valid opts": {
|
||||||
opts: &extensions.SELinuxStrategyOptions{SELinuxOptions: &api.SELinuxOptions{}},
|
opts: &policy.SELinuxStrategyOptions{SELinuxOptions: &api.SELinuxOptions{}},
|
||||||
pass: true,
|
pass: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -54,7 +54,7 @@ func TestMustRunAsOptions(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestMustRunAsGenerate(t *testing.T) {
|
func TestMustRunAsGenerate(t *testing.T) {
|
||||||
opts := &extensions.SELinuxStrategyOptions{
|
opts := &policy.SELinuxStrategyOptions{
|
||||||
SELinuxOptions: &api.SELinuxOptions{
|
SELinuxOptions: &api.SELinuxOptions{
|
||||||
User: "user",
|
User: "user",
|
||||||
Role: "role",
|
Role: "role",
|
||||||
@ -145,7 +145,7 @@ func TestMustRunAsValidate(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for name, tc := range tests {
|
for name, tc := range tests {
|
||||||
opts := &extensions.SELinuxStrategyOptions{
|
opts := &policy.SELinuxStrategyOptions{
|
||||||
SELinuxOptions: tc.pspSeLinux,
|
SELinuxOptions: tc.pspSeLinux,
|
||||||
}
|
}
|
||||||
mustRunAs, err := NewMustRunAs(opts)
|
mustRunAs, err := NewMustRunAs(opts)
|
||||||
|
@ -19,7 +19,7 @@ package selinux
|
|||||||
import (
|
import (
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
// runAsAny implements the SELinuxStrategy interface.
|
// runAsAny implements the SELinuxStrategy interface.
|
||||||
@ -28,7 +28,7 @@ type runAsAny struct{}
|
|||||||
var _ SELinuxStrategy = &runAsAny{}
|
var _ SELinuxStrategy = &runAsAny{}
|
||||||
|
|
||||||
// NewRunAsAny provides a strategy that will return the configured se linux context or nil.
|
// NewRunAsAny provides a strategy that will return the configured se linux context or nil.
|
||||||
func NewRunAsAny(options *extensions.SELinuxStrategyOptions) (SELinuxStrategy, error) {
|
func NewRunAsAny(options *policy.SELinuxStrategyOptions) (SELinuxStrategy, error) {
|
||||||
return &runAsAny{}, nil
|
return &runAsAny{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@ package selinux
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -27,14 +27,14 @@ func TestRunAsAnyOptions(t *testing.T) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
||||||
}
|
}
|
||||||
_, err = NewRunAsAny(&extensions.SELinuxStrategyOptions{})
|
_, err = NewRunAsAny(&policy.SELinuxStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("unexpected error initializing NewRunAsAny %v", err)
|
t.Errorf("unexpected error initializing NewRunAsAny %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestRunAsAnyGenerate(t *testing.T) {
|
func TestRunAsAnyGenerate(t *testing.T) {
|
||||||
s, err := NewRunAsAny(&extensions.SELinuxStrategyOptions{})
|
s, err := NewRunAsAny(&policy.SELinuxStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
||||||
}
|
}
|
||||||
@ -48,7 +48,7 @@ func TestRunAsAnyGenerate(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestRunAsAnyValidate(t *testing.T) {
|
func TestRunAsAnyValidate(t *testing.T) {
|
||||||
s, err := NewRunAsAny(&extensions.SELinuxStrategyOptions{
|
s, err := NewRunAsAny(&policy.SELinuxStrategyOptions{
|
||||||
SELinuxOptions: &api.SELinuxOptions{
|
SELinuxOptions: &api.SELinuxOptions{
|
||||||
Level: "foo",
|
Level: "foo",
|
||||||
},
|
},
|
||||||
@ -61,7 +61,7 @@ func TestRunAsAnyValidate(t *testing.T) {
|
|||||||
if len(errs) != 0 {
|
if len(errs) != 0 {
|
||||||
t.Errorf("unexpected errors validating with ")
|
t.Errorf("unexpected errors validating with ")
|
||||||
}
|
}
|
||||||
s, err = NewRunAsAny(&extensions.SELinuxStrategyOptions{})
|
s, err = NewRunAsAny(&policy.SELinuxStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
||||||
}
|
}
|
||||||
|
@ -19,7 +19,7 @@ package podsecuritypolicy
|
|||||||
import (
|
import (
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
|
||||||
@ -54,7 +54,7 @@ type Provider interface {
|
|||||||
type StrategyFactory interface {
|
type StrategyFactory interface {
|
||||||
// CreateStrategies creates the strategies that a provider will use. The namespace argument
|
// CreateStrategies creates the strategies that a provider will use. The namespace argument
|
||||||
// should be the namespace of the object being checked (the pod's namespace).
|
// should be the namespace of the object being checked (the pod's namespace).
|
||||||
CreateStrategies(psp *extensions.PodSecurityPolicy, namespace string) (*ProviderStrategies, error)
|
CreateStrategies(psp *policy.PodSecurityPolicy, namespace string) (*ProviderStrategies, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ProviderStrategies is a holder for all strategies that the provider requires to be populated.
|
// ProviderStrategies is a holder for all strategies that the provider requires to be populated.
|
||||||
|
@ -18,7 +18,7 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/user",
|
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/user",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
"//pkg/security/podsecuritypolicy/util:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
|
||||||
],
|
],
|
||||||
@ -34,7 +34,7 @@ go_test(
|
|||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -21,17 +21,17 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
// mustRunAs implements the RunAsUserStrategy interface
|
// mustRunAs implements the RunAsUserStrategy interface
|
||||||
type mustRunAs struct {
|
type mustRunAs struct {
|
||||||
opts *extensions.RunAsUserStrategyOptions
|
opts *policy.RunAsUserStrategyOptions
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewMustRunAs provides a strategy that requires the container to run as a specific UID in a range.
|
// NewMustRunAs provides a strategy that requires the container to run as a specific UID in a range.
|
||||||
func NewMustRunAs(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
|
func NewMustRunAs(options *policy.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
|
||||||
if options == nil {
|
if options == nil {
|
||||||
return nil, fmt.Errorf("MustRunAs requires run as user options")
|
return nil, fmt.Errorf("MustRunAs requires run as user options")
|
||||||
}
|
}
|
||||||
|
@ -18,14 +18,14 @@ package user
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestNewMustRunAs(t *testing.T) {
|
func TestNewMustRunAs(t *testing.T) {
|
||||||
tests := map[string]struct {
|
tests := map[string]struct {
|
||||||
opts *extensions.RunAsUserStrategyOptions
|
opts *policy.RunAsUserStrategyOptions
|
||||||
pass bool
|
pass bool
|
||||||
}{
|
}{
|
||||||
"nil opts": {
|
"nil opts": {
|
||||||
@ -33,12 +33,12 @@ func TestNewMustRunAs(t *testing.T) {
|
|||||||
pass: false,
|
pass: false,
|
||||||
},
|
},
|
||||||
"invalid opts": {
|
"invalid opts": {
|
||||||
opts: &extensions.RunAsUserStrategyOptions{},
|
opts: &policy.RunAsUserStrategyOptions{},
|
||||||
pass: false,
|
pass: false,
|
||||||
},
|
},
|
||||||
"valid opts": {
|
"valid opts": {
|
||||||
opts: &extensions.RunAsUserStrategyOptions{
|
opts: &policy.RunAsUserStrategyOptions{
|
||||||
Ranges: []extensions.UserIDRange{
|
Ranges: []policy.UserIDRange{
|
||||||
{Min: 1, Max: 1},
|
{Min: 1, Max: 1},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -57,8 +57,8 @@ func TestNewMustRunAs(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestGenerate(t *testing.T) {
|
func TestGenerate(t *testing.T) {
|
||||||
opts := &extensions.RunAsUserStrategyOptions{
|
opts := &policy.RunAsUserStrategyOptions{
|
||||||
Ranges: []extensions.UserIDRange{
|
Ranges: []policy.UserIDRange{
|
||||||
{Min: 1, Max: 1},
|
{Min: 1, Max: 1},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -76,8 +76,8 @@ func TestGenerate(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestValidate(t *testing.T) {
|
func TestValidate(t *testing.T) {
|
||||||
opts := &extensions.RunAsUserStrategyOptions{
|
opts := &policy.RunAsUserStrategyOptions{
|
||||||
Ranges: []extensions.UserIDRange{
|
Ranges: []policy.UserIDRange{
|
||||||
{Min: 1, Max: 1},
|
{Min: 1, Max: 1},
|
||||||
{Min: 10, Max: 20},
|
{Min: 10, Max: 20},
|
||||||
},
|
},
|
||||||
|
@ -19,14 +19,14 @@ package user
|
|||||||
import (
|
import (
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
type nonRoot struct{}
|
type nonRoot struct{}
|
||||||
|
|
||||||
var _ RunAsUserStrategy = &nonRoot{}
|
var _ RunAsUserStrategy = &nonRoot{}
|
||||||
|
|
||||||
func NewRunAsNonRoot(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
|
func NewRunAsNonRoot(options *policy.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
|
||||||
return &nonRoot{}, nil
|
return &nonRoot{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@ package user
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -27,14 +27,14 @@ func TestNonRootOptions(t *testing.T) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err)
|
t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err)
|
||||||
}
|
}
|
||||||
_, err = NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})
|
_, err = NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("unexpected error initializing NewRunAsNonRoot %v", err)
|
t.Errorf("unexpected error initializing NewRunAsNonRoot %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestNonRootGenerate(t *testing.T) {
|
func TestNonRootGenerate(t *testing.T) {
|
||||||
s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})
|
s, err := NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err)
|
t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err)
|
||||||
}
|
}
|
||||||
@ -52,7 +52,7 @@ func TestNonRootValidate(t *testing.T) {
|
|||||||
badUID := int64(0)
|
badUID := int64(0)
|
||||||
untrue := false
|
untrue := false
|
||||||
unfalse := true
|
unfalse := true
|
||||||
s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})
|
s, err := NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewMustRunAs %v", err)
|
t.Fatalf("unexpected error initializing NewMustRunAs %v", err)
|
||||||
}
|
}
|
||||||
|
@ -19,7 +19,7 @@ package user
|
|||||||
import (
|
import (
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
// runAsAny implements the interface RunAsUserStrategy.
|
// runAsAny implements the interface RunAsUserStrategy.
|
||||||
@ -28,7 +28,7 @@ type runAsAny struct{}
|
|||||||
var _ RunAsUserStrategy = &runAsAny{}
|
var _ RunAsUserStrategy = &runAsAny{}
|
||||||
|
|
||||||
// NewRunAsAny provides a strategy that will return nil.
|
// NewRunAsAny provides a strategy that will return nil.
|
||||||
func NewRunAsAny(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
|
func NewRunAsAny(options *policy.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
|
||||||
return &runAsAny{}, nil
|
return &runAsAny{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ package user
|
|||||||
import (
|
import (
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestRunAsAnyOptions(t *testing.T) {
|
func TestRunAsAnyOptions(t *testing.T) {
|
||||||
@ -27,14 +27,14 @@ func TestRunAsAnyOptions(t *testing.T) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
||||||
}
|
}
|
||||||
_, err = NewRunAsAny(&extensions.RunAsUserStrategyOptions{})
|
_, err = NewRunAsAny(&policy.RunAsUserStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("unexpected error initializing NewRunAsAny %v", err)
|
t.Errorf("unexpected error initializing NewRunAsAny %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestRunAsAnyGenerate(t *testing.T) {
|
func TestRunAsAnyGenerate(t *testing.T) {
|
||||||
s, err := NewRunAsAny(&extensions.RunAsUserStrategyOptions{})
|
s, err := NewRunAsAny(&policy.RunAsUserStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
||||||
}
|
}
|
||||||
@ -48,7 +48,7 @@ func TestRunAsAnyGenerate(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestRunAsAnyValidate(t *testing.T) {
|
func TestRunAsAnyValidate(t *testing.T) {
|
||||||
s, err := NewRunAsAny(&extensions.RunAsUserStrategyOptions{})
|
s, err := NewRunAsAny(&policy.RunAsUserStrategyOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
|
||||||
}
|
}
|
||||||
|
@ -15,7 +15,7 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util",
|
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
@ -26,7 +26,7 @@ go_test(
|
|||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -40,102 +40,102 @@ func GetAllFSTypesExcept(exceptions ...string) sets.String {
|
|||||||
func GetAllFSTypesAsSet() sets.String {
|
func GetAllFSTypesAsSet() sets.String {
|
||||||
fstypes := sets.NewString()
|
fstypes := sets.NewString()
|
||||||
fstypes.Insert(
|
fstypes.Insert(
|
||||||
string(extensions.HostPath),
|
string(policy.HostPath),
|
||||||
string(extensions.AzureFile),
|
string(policy.AzureFile),
|
||||||
string(extensions.Flocker),
|
string(policy.Flocker),
|
||||||
string(extensions.FlexVolume),
|
string(policy.FlexVolume),
|
||||||
string(extensions.EmptyDir),
|
string(policy.EmptyDir),
|
||||||
string(extensions.GCEPersistentDisk),
|
string(policy.GCEPersistentDisk),
|
||||||
string(extensions.AWSElasticBlockStore),
|
string(policy.AWSElasticBlockStore),
|
||||||
string(extensions.GitRepo),
|
string(policy.GitRepo),
|
||||||
string(extensions.Secret),
|
string(policy.Secret),
|
||||||
string(extensions.NFS),
|
string(policy.NFS),
|
||||||
string(extensions.ISCSI),
|
string(policy.ISCSI),
|
||||||
string(extensions.Glusterfs),
|
string(policy.Glusterfs),
|
||||||
string(extensions.PersistentVolumeClaim),
|
string(policy.PersistentVolumeClaim),
|
||||||
string(extensions.RBD),
|
string(policy.RBD),
|
||||||
string(extensions.Cinder),
|
string(policy.Cinder),
|
||||||
string(extensions.CephFS),
|
string(policy.CephFS),
|
||||||
string(extensions.DownwardAPI),
|
string(policy.DownwardAPI),
|
||||||
string(extensions.FC),
|
string(policy.FC),
|
||||||
string(extensions.ConfigMap),
|
string(policy.ConfigMap),
|
||||||
string(extensions.VsphereVolume),
|
string(policy.VsphereVolume),
|
||||||
string(extensions.Quobyte),
|
string(policy.Quobyte),
|
||||||
string(extensions.AzureDisk),
|
string(policy.AzureDisk),
|
||||||
string(extensions.PhotonPersistentDisk),
|
string(policy.PhotonPersistentDisk),
|
||||||
string(extensions.StorageOS),
|
string(policy.StorageOS),
|
||||||
string(extensions.Projected),
|
string(policy.Projected),
|
||||||
string(extensions.PortworxVolume),
|
string(policy.PortworxVolume),
|
||||||
string(extensions.ScaleIO),
|
string(policy.ScaleIO),
|
||||||
string(extensions.CSI),
|
string(policy.CSI),
|
||||||
)
|
)
|
||||||
return fstypes
|
return fstypes
|
||||||
}
|
}
|
||||||
|
|
||||||
// getVolumeFSType gets the FSType for a volume.
|
// getVolumeFSType gets the FSType for a volume.
|
||||||
func GetVolumeFSType(v api.Volume) (extensions.FSType, error) {
|
func GetVolumeFSType(v api.Volume) (policy.FSType, error) {
|
||||||
switch {
|
switch {
|
||||||
case v.HostPath != nil:
|
case v.HostPath != nil:
|
||||||
return extensions.HostPath, nil
|
return policy.HostPath, nil
|
||||||
case v.EmptyDir != nil:
|
case v.EmptyDir != nil:
|
||||||
return extensions.EmptyDir, nil
|
return policy.EmptyDir, nil
|
||||||
case v.GCEPersistentDisk != nil:
|
case v.GCEPersistentDisk != nil:
|
||||||
return extensions.GCEPersistentDisk, nil
|
return policy.GCEPersistentDisk, nil
|
||||||
case v.AWSElasticBlockStore != nil:
|
case v.AWSElasticBlockStore != nil:
|
||||||
return extensions.AWSElasticBlockStore, nil
|
return policy.AWSElasticBlockStore, nil
|
||||||
case v.GitRepo != nil:
|
case v.GitRepo != nil:
|
||||||
return extensions.GitRepo, nil
|
return policy.GitRepo, nil
|
||||||
case v.Secret != nil:
|
case v.Secret != nil:
|
||||||
return extensions.Secret, nil
|
return policy.Secret, nil
|
||||||
case v.NFS != nil:
|
case v.NFS != nil:
|
||||||
return extensions.NFS, nil
|
return policy.NFS, nil
|
||||||
case v.ISCSI != nil:
|
case v.ISCSI != nil:
|
||||||
return extensions.ISCSI, nil
|
return policy.ISCSI, nil
|
||||||
case v.Glusterfs != nil:
|
case v.Glusterfs != nil:
|
||||||
return extensions.Glusterfs, nil
|
return policy.Glusterfs, nil
|
||||||
case v.PersistentVolumeClaim != nil:
|
case v.PersistentVolumeClaim != nil:
|
||||||
return extensions.PersistentVolumeClaim, nil
|
return policy.PersistentVolumeClaim, nil
|
||||||
case v.RBD != nil:
|
case v.RBD != nil:
|
||||||
return extensions.RBD, nil
|
return policy.RBD, nil
|
||||||
case v.FlexVolume != nil:
|
case v.FlexVolume != nil:
|
||||||
return extensions.FlexVolume, nil
|
return policy.FlexVolume, nil
|
||||||
case v.Cinder != nil:
|
case v.Cinder != nil:
|
||||||
return extensions.Cinder, nil
|
return policy.Cinder, nil
|
||||||
case v.CephFS != nil:
|
case v.CephFS != nil:
|
||||||
return extensions.CephFS, nil
|
return policy.CephFS, nil
|
||||||
case v.Flocker != nil:
|
case v.Flocker != nil:
|
||||||
return extensions.Flocker, nil
|
return policy.Flocker, nil
|
||||||
case v.DownwardAPI != nil:
|
case v.DownwardAPI != nil:
|
||||||
return extensions.DownwardAPI, nil
|
return policy.DownwardAPI, nil
|
||||||
case v.FC != nil:
|
case v.FC != nil:
|
||||||
return extensions.FC, nil
|
return policy.FC, nil
|
||||||
case v.AzureFile != nil:
|
case v.AzureFile != nil:
|
||||||
return extensions.AzureFile, nil
|
return policy.AzureFile, nil
|
||||||
case v.ConfigMap != nil:
|
case v.ConfigMap != nil:
|
||||||
return extensions.ConfigMap, nil
|
return policy.ConfigMap, nil
|
||||||
case v.VsphereVolume != nil:
|
case v.VsphereVolume != nil:
|
||||||
return extensions.VsphereVolume, nil
|
return policy.VsphereVolume, nil
|
||||||
case v.Quobyte != nil:
|
case v.Quobyte != nil:
|
||||||
return extensions.Quobyte, nil
|
return policy.Quobyte, nil
|
||||||
case v.AzureDisk != nil:
|
case v.AzureDisk != nil:
|
||||||
return extensions.AzureDisk, nil
|
return policy.AzureDisk, nil
|
||||||
case v.PhotonPersistentDisk != nil:
|
case v.PhotonPersistentDisk != nil:
|
||||||
return extensions.PhotonPersistentDisk, nil
|
return policy.PhotonPersistentDisk, nil
|
||||||
case v.StorageOS != nil:
|
case v.StorageOS != nil:
|
||||||
return extensions.StorageOS, nil
|
return policy.StorageOS, nil
|
||||||
case v.Projected != nil:
|
case v.Projected != nil:
|
||||||
return extensions.Projected, nil
|
return policy.Projected, nil
|
||||||
case v.PortworxVolume != nil:
|
case v.PortworxVolume != nil:
|
||||||
return extensions.PortworxVolume, nil
|
return policy.PortworxVolume, nil
|
||||||
case v.ScaleIO != nil:
|
case v.ScaleIO != nil:
|
||||||
return extensions.ScaleIO, nil
|
return policy.ScaleIO, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
return "", fmt.Errorf("unknown volume type for volume: %#v", v)
|
return "", fmt.Errorf("unknown volume type for volume: %#v", v)
|
||||||
}
|
}
|
||||||
|
|
||||||
// FSTypeToStringSet converts an FSType slice to a string set.
|
// FSTypeToStringSet converts an FSType slice to a string set.
|
||||||
func FSTypeToStringSet(fsTypes []extensions.FSType) sets.String {
|
func FSTypeToStringSet(fsTypes []policy.FSType) sets.String {
|
||||||
set := sets.NewString()
|
set := sets.NewString()
|
||||||
for _, v := range fsTypes {
|
for _, v := range fsTypes {
|
||||||
set.Insert(string(v))
|
set.Insert(string(v))
|
||||||
@ -144,19 +144,19 @@ func FSTypeToStringSet(fsTypes []extensions.FSType) sets.String {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// PSPAllowsAllVolumes checks for FSTypeAll in the psp's allowed volumes.
|
// PSPAllowsAllVolumes checks for FSTypeAll in the psp's allowed volumes.
|
||||||
func PSPAllowsAllVolumes(psp *extensions.PodSecurityPolicy) bool {
|
func PSPAllowsAllVolumes(psp *policy.PodSecurityPolicy) bool {
|
||||||
return PSPAllowsFSType(psp, extensions.All)
|
return PSPAllowsFSType(psp, policy.All)
|
||||||
}
|
}
|
||||||
|
|
||||||
// PSPAllowsFSType is a utility for checking if a PSP allows a particular FSType.
|
// PSPAllowsFSType is a utility for checking if a PSP allows a particular FSType.
|
||||||
// If all volumes are allowed then this will return true for any FSType passed.
|
// If all volumes are allowed then this will return true for any FSType passed.
|
||||||
func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType) bool {
|
func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool {
|
||||||
if psp == nil {
|
if psp == nil {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, v := range psp.Spec.Volumes {
|
for _, v := range psp.Spec.Volumes {
|
||||||
if v == fsType || v == extensions.All {
|
if v == fsType || v == policy.All {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -164,18 +164,18 @@ func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType
|
|||||||
}
|
}
|
||||||
|
|
||||||
// UserFallsInRange is a utility to determine it the id falls in the valid range.
|
// UserFallsInRange is a utility to determine it the id falls in the valid range.
|
||||||
func UserFallsInRange(id int64, rng extensions.UserIDRange) bool {
|
func UserFallsInRange(id int64, rng policy.UserIDRange) bool {
|
||||||
return id >= rng.Min && id <= rng.Max
|
return id >= rng.Min && id <= rng.Max
|
||||||
}
|
}
|
||||||
|
|
||||||
// GroupFallsInRange is a utility to determine it the id falls in the valid range.
|
// GroupFallsInRange is a utility to determine it the id falls in the valid range.
|
||||||
func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool {
|
func GroupFallsInRange(id int64, rng policy.GroupIDRange) bool {
|
||||||
return id >= rng.Min && id <= rng.Max
|
return id >= rng.Min && id <= rng.Max
|
||||||
}
|
}
|
||||||
|
|
||||||
// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
|
// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
|
||||||
// This only checks the path. You should still check to make sure the host volume fs type is allowed.
|
// This only checks the path. You should still check to make sure the host volume fs type is allowed.
|
||||||
func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool {
|
func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) bool {
|
||||||
if psp == nil {
|
if psp == nil {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
@ -18,7 +18,7 @@ package util
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
api "k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"reflect"
|
"reflect"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
@ -52,45 +52,45 @@ func TestVolumeSourceFSTypeDrift(t *testing.T) {
|
|||||||
|
|
||||||
func TestPSPAllowsFSType(t *testing.T) {
|
func TestPSPAllowsFSType(t *testing.T) {
|
||||||
tests := map[string]struct {
|
tests := map[string]struct {
|
||||||
psp *extensions.PodSecurityPolicy
|
psp *policy.PodSecurityPolicy
|
||||||
fsType extensions.FSType
|
fsType policy.FSType
|
||||||
allows bool
|
allows bool
|
||||||
}{
|
}{
|
||||||
"nil psp": {
|
"nil psp": {
|
||||||
psp: nil,
|
psp: nil,
|
||||||
fsType: extensions.HostPath,
|
fsType: policy.HostPath,
|
||||||
allows: false,
|
allows: false,
|
||||||
},
|
},
|
||||||
"empty volumes": {
|
"empty volumes": {
|
||||||
psp: &extensions.PodSecurityPolicy{},
|
psp: &policy.PodSecurityPolicy{},
|
||||||
fsType: extensions.HostPath,
|
fsType: policy.HostPath,
|
||||||
allows: false,
|
allows: false,
|
||||||
},
|
},
|
||||||
"non-matching": {
|
"non-matching": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
Volumes: []extensions.FSType{extensions.AWSElasticBlockStore},
|
Volumes: []policy.FSType{policy.AWSElasticBlockStore},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
fsType: extensions.HostPath,
|
fsType: policy.HostPath,
|
||||||
allows: false,
|
allows: false,
|
||||||
},
|
},
|
||||||
"match on FSTypeAll": {
|
"match on FSTypeAll": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
Volumes: []extensions.FSType{extensions.All},
|
Volumes: []policy.FSType{policy.All},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
fsType: extensions.HostPath,
|
fsType: policy.HostPath,
|
||||||
allows: true,
|
allows: true,
|
||||||
},
|
},
|
||||||
"match on direct match": {
|
"match on direct match": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
Volumes: []extensions.FSType{extensions.HostPath},
|
Volumes: []policy.FSType{policy.HostPath},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
fsType: extensions.HostPath,
|
fsType: policy.HostPath,
|
||||||
allows: true,
|
allows: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -105,7 +105,7 @@ func TestPSPAllowsFSType(t *testing.T) {
|
|||||||
|
|
||||||
func TestAllowsHostVolumePath(t *testing.T) {
|
func TestAllowsHostVolumePath(t *testing.T) {
|
||||||
tests := map[string]struct {
|
tests := map[string]struct {
|
||||||
psp *extensions.PodSecurityPolicy
|
psp *policy.PodSecurityPolicy
|
||||||
path string
|
path string
|
||||||
allows bool
|
allows bool
|
||||||
}{
|
}{
|
||||||
@ -115,14 +115,14 @@ func TestAllowsHostVolumePath(t *testing.T) {
|
|||||||
allows: false,
|
allows: false,
|
||||||
},
|
},
|
||||||
"empty allowed paths": {
|
"empty allowed paths": {
|
||||||
psp: &extensions.PodSecurityPolicy{},
|
psp: &policy.PodSecurityPolicy{},
|
||||||
path: "/test",
|
path: "/test",
|
||||||
allows: true,
|
allows: true,
|
||||||
},
|
},
|
||||||
"non-matching": {
|
"non-matching": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
AllowedHostPaths: []extensions.AllowedHostPath{
|
AllowedHostPaths: []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo"},
|
{PathPrefix: "/foo"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -131,9 +131,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
|
|||||||
allows: false,
|
allows: false,
|
||||||
},
|
},
|
||||||
"match on direct match": {
|
"match on direct match": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
AllowedHostPaths: []extensions.AllowedHostPath{
|
AllowedHostPaths: []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo"},
|
{PathPrefix: "/foo"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -142,9 +142,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
|
|||||||
allows: true,
|
allows: true,
|
||||||
},
|
},
|
||||||
"match with trailing slash on host path": {
|
"match with trailing slash on host path": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
AllowedHostPaths: []extensions.AllowedHostPath{
|
AllowedHostPaths: []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo"},
|
{PathPrefix: "/foo"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -153,9 +153,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
|
|||||||
allows: true,
|
allows: true,
|
||||||
},
|
},
|
||||||
"match with trailing slash on allowed path": {
|
"match with trailing slash on allowed path": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
AllowedHostPaths: []extensions.AllowedHostPath{
|
AllowedHostPaths: []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo/"},
|
{PathPrefix: "/foo/"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -164,9 +164,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
|
|||||||
allows: true,
|
allows: true,
|
||||||
},
|
},
|
||||||
"match child directory": {
|
"match child directory": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
AllowedHostPaths: []extensions.AllowedHostPath{
|
AllowedHostPaths: []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo/"},
|
{PathPrefix: "/foo/"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -175,9 +175,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
|
|||||||
allows: true,
|
allows: true,
|
||||||
},
|
},
|
||||||
"non-matching parent directory": {
|
"non-matching parent directory": {
|
||||||
psp: &extensions.PodSecurityPolicy{
|
psp: &policy.PodSecurityPolicy{
|
||||||
Spec: extensions.PodSecurityPolicySpec{
|
Spec: policy.PodSecurityPolicySpec{
|
||||||
AllowedHostPaths: []extensions.AllowedHostPath{
|
AllowedHostPaths: []policy.AllowedHostPath{
|
||||||
{PathPrefix: "/foo/bar"},
|
{PathPrefix: "/foo/bar"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -15,7 +15,7 @@ go_library(
|
|||||||
"//pkg/apis/extensions:go_default_library",
|
"//pkg/apis/extensions:go_default_library",
|
||||||
"//pkg/apis/policy:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
|
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
|
||||||
"//pkg/client/listers/extensions/internalversion:go_default_library",
|
"//pkg/client/listers/policy/internalversion:go_default_library",
|
||||||
"//pkg/kubeapiserver/admission:go_default_library",
|
"//pkg/kubeapiserver/admission:go_default_library",
|
||||||
"//pkg/registry/rbac:go_default_library",
|
"//pkg/registry/rbac:go_default_library",
|
||||||
"//pkg/security/podsecuritypolicy:go_default_library",
|
"//pkg/security/podsecuritypolicy:go_default_library",
|
||||||
@ -40,7 +40,6 @@ go_test(
|
|||||||
"//pkg/api/legacyscheme:go_default_library",
|
"//pkg/api/legacyscheme:go_default_library",
|
||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/core/helper:go_default_library",
|
"//pkg/apis/core/helper:go_default_library",
|
||||||
"//pkg/apis/extensions:go_default_library",
|
|
||||||
"//pkg/apis/policy:go_default_library",
|
"//pkg/apis/policy:go_default_library",
|
||||||
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
|
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
|
||||||
"//pkg/controller:go_default_library",
|
"//pkg/controller:go_default_library",
|
||||||
|
@ -35,7 +35,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||||
"k8s.io/kubernetes/pkg/apis/policy"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
|
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
|
||||||
extensionslisters "k8s.io/kubernetes/pkg/client/listers/extensions/internalversion"
|
policylisters "k8s.io/kubernetes/pkg/client/listers/policy/internalversion"
|
||||||
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
||||||
rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
|
rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
|
||||||
psp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
|
psp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
|
||||||
@ -61,7 +61,7 @@ type PodSecurityPolicyPlugin struct {
|
|||||||
strategyFactory psp.StrategyFactory
|
strategyFactory psp.StrategyFactory
|
||||||
failOnNoPolicies bool
|
failOnNoPolicies bool
|
||||||
authz authorizer.Authorizer
|
authz authorizer.Authorizer
|
||||||
lister extensionslisters.PodSecurityPolicyLister
|
lister policylisters.PodSecurityPolicyLister
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetAuthorizer sets the authorizer.
|
// SetAuthorizer sets the authorizer.
|
||||||
@ -95,7 +95,7 @@ func newPlugin(strategyFactory psp.StrategyFactory, failOnNoPolicies bool) *PodS
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (a *PodSecurityPolicyPlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) {
|
func (a *PodSecurityPolicyPlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) {
|
||||||
podSecurityPolicyInformer := f.Extensions().InternalVersion().PodSecurityPolicies()
|
podSecurityPolicyInformer := f.Policy().InternalVersion().PodSecurityPolicies()
|
||||||
a.lister = podSecurityPolicyInformer.Lister()
|
a.lister = podSecurityPolicyInformer.Lister()
|
||||||
a.SetReadyFunc(podSecurityPolicyInformer.Informer().HasSynced)
|
a.SetReadyFunc(podSecurityPolicyInformer.Informer().HasSynced)
|
||||||
}
|
}
|
||||||
@ -329,7 +329,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
|
|||||||
}
|
}
|
||||||
|
|
||||||
// createProvidersFromPolicies creates providers from the constraints supplied.
|
// createProvidersFromPolicies creates providers from the constraints supplied.
|
||||||
func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*extensions.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
|
func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*policy.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
|
||||||
var (
|
var (
|
||||||
// collected providers
|
// collected providers
|
||||||
providers []psp.Provider
|
providers []psp.Provider
|
||||||
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user