Merge pull request #106089 from liggitt/podsecurity-beta
PodSecurity: promote config and feature gate to beta
		| @@ -712,6 +712,7 @@ const ( | ||||
|  | ||||
| 	// owner: @liggitt, @tallclair, sig-auth | ||||
| 	// alpha: v1.22 | ||||
| 	// beta: v1.23 | ||||
| 	// | ||||
| 	// Enables the PodSecurity admission plugin | ||||
| 	PodSecurity featuregate.Feature = "PodSecurity" | ||||
| @@ -895,7 +896,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS | ||||
| 	StatefulSetMinReadySeconds:                     {Default: true, PreRelease: featuregate.Beta}, | ||||
| 	ExpandedDNSConfig:                              {Default: false, PreRelease: featuregate.Alpha}, | ||||
| 	SeccompDefault:                                 {Default: false, PreRelease: featuregate.Alpha}, | ||||
| 	PodSecurity:                                    {Default: false, PreRelease: featuregate.Alpha}, | ||||
| 	PodSecurity:                                    {Default: true, PreRelease: featuregate.Beta}, | ||||
| 	ReadWriteOncePod:                               {Default: false, PreRelease: featuregate.Alpha}, | ||||
| 	CSRDuration:                                    {Default: true, PreRelease: featuregate.Beta}, | ||||
| 	DelegateFSGroupToCSIDriver:                     {Default: false, PreRelease: featuregate.Alpha}, | ||||
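Review bot: The doc comment on the `PodSecurity` gate in the first hunk still says only `// Enables the PodSecurity admission plugin`, while the second hunk flips its entry to `{Default: true, PreRelease: featuregate.Beta}`, so the plugin is now active unless an operator turns it off. The v1beta1 defaulting added elsewhere in this commit sets enforce, warn and audit to `privileged` when unset, which suggests that on-by-default does not by itself restrict any pod; that is worth stating so the flip is not read as baseline enforcement. Suggested wording: `// Enables the PodSecurity admission plugin (on by default from beta; built-in defaults are "privileged", so restriction still requires configuration).` Both the const block and the map continue outside the hunks.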
|   | ||||
| @@ -24,7 +24,7 @@ import ( | ||||
| 	"k8s.io/apimachinery/pkg/runtime" | ||||
| 	"k8s.io/pod-security-admission/admission/api" | ||||
| 	"k8s.io/pod-security-admission/admission/api/scheme" | ||||
| 	apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1" | ||||
| 	apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1" | ||||
| ) | ||||
|  | ||||
| func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) { | ||||
| @@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) { | ||||
| func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) { | ||||
| 	if len(data) == 0 { | ||||
| 		// no config provided, return default | ||||
| 		externalConfig := &apiv1alpha1.PodSecurityConfiguration{} | ||||
| 		externalConfig := &apiv1beta1.PodSecurityConfiguration{} | ||||
| 		scheme.Scheme.Default(externalConfig) | ||||
| 		internalConfig := &api.PodSecurityConfiguration{} | ||||
| 		if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil { | ||||
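Review bot: The `len(data) == 0` branch of LoadFromData turns empty input into the built-in defaults with no signal to the caller, and per `SetDefaults_PodSecurityDefaults` in the new v1beta1 package those defaults are `privileged` for enforce, warn and audit. A config file truncated to zero bytes would therefore presumably load as the most permissive policy rather than fail; whether LoadFromFile reaches this branch for an empty file is not visible in the hunk. The comment should at least say what "default" means here, for example `// no config provided: use v1beta1 defaults ("privileged"/"latest" for every mode)`. LoadFromData continues past the end of the hunk.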
|   | ||||
| @@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) { | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// valid file | ||||
| 	{ | ||||
| 		input := `{ | ||||
| 			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1", | ||||
| 			"kind":"PodSecurityConfiguration", | ||||
| 			"defaults":{"enforce":"baseline"}}` | ||||
| 		expect := &api.PodSecurityConfiguration{ | ||||
| 			Defaults: api.PodSecurityDefaults{ | ||||
| 				Enforce: "baseline", EnforceVersion: "latest", | ||||
| 				Warn: "privileged", WarnVersion: "latest", | ||||
| 				Audit: "privileged", AuditVersion: "latest", | ||||
| 			}, | ||||
| 		} | ||||
|  | ||||
| 		config, err := LoadFromFile(writeTempFile(t, input)) | ||||
| 		if err != nil { | ||||
| 			t.Fatalf("unexpected err: %v", err) | ||||
| 		} | ||||
| 		if !reflect.DeepEqual(config, expect) { | ||||
| 			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config)) | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// missing file | ||||
| 	{ | ||||
| 		_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`) | ||||
| @@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) { | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// valid reader | ||||
| 	{ | ||||
| 		input := `{ | ||||
| 			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1", | ||||
| 			"kind":"PodSecurityConfiguration", | ||||
| 			"defaults":{"enforce":"baseline"}}` | ||||
| 		expect := &api.PodSecurityConfiguration{ | ||||
| 			Defaults: api.PodSecurityDefaults{ | ||||
| 				Enforce: "baseline", EnforceVersion: "latest", | ||||
| 				Warn: "privileged", WarnVersion: "latest", | ||||
| 				Audit: "privileged", AuditVersion: "latest", | ||||
| 			}, | ||||
| 		} | ||||
|  | ||||
| 		config, err := LoadFromReader(bytes.NewBufferString(input)) | ||||
| 		if err != nil { | ||||
| 			t.Fatalf("unexpected err: %v", err) | ||||
| 		} | ||||
| 		if !reflect.DeepEqual(config, expect) { | ||||
| 			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config)) | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// invalid reader | ||||
| 	{ | ||||
| 		input := `{ | ||||
| @@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) { | ||||
| 			data: []byte(` | ||||
| apiVersion: pod-security.admission.config.k8s.io/v1alpha1 | ||||
| kind: PodSecurityConfiguration | ||||
| defaults: | ||||
|   enforce: baseline | ||||
|   enforce-version: v1.7 | ||||
| exemptions: | ||||
|   usernames: ["alice","bob"] | ||||
|   namespaces: ["kube-system"] | ||||
|   runtimeClasses: ["special"] | ||||
| `), | ||||
| 			expectConfig: &api.PodSecurityConfiguration{ | ||||
| 				Defaults: api.PodSecurityDefaults{ | ||||
| 					Enforce: "baseline", EnforceVersion: "v1.7", | ||||
| 					Warn: "privileged", WarnVersion: "latest", | ||||
| 					Audit: "privileged", AuditVersion: "latest", | ||||
| 				}, | ||||
| 				Exemptions: api.PodSecurityExemptions{ | ||||
| 					Usernames:      []string{"alice", "bob"}, | ||||
| 					Namespaces:     []string{"kube-system"}, | ||||
| 					RuntimeClasses: []string{"special"}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "v1beta1 - json", | ||||
| 			data: []byte(`{ | ||||
| "apiVersion":"pod-security.admission.config.k8s.io/v1beta1", | ||||
| "kind":"PodSecurityConfiguration", | ||||
| "defaults":{"enforce":"baseline"}}`), | ||||
| 			expectConfig: &api.PodSecurityConfiguration{ | ||||
| 				Defaults: api.PodSecurityDefaults{ | ||||
| 					Enforce: "baseline", EnforceVersion: "latest", | ||||
| 					Warn: "privileged", WarnVersion: "latest", | ||||
| 					Audit: "privileged", AuditVersion: "latest", | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "v1beta1 - yaml", | ||||
| 			data: []byte(` | ||||
| apiVersion: pod-security.admission.config.k8s.io/v1beta1 | ||||
| kind: PodSecurityConfiguration | ||||
| defaults: | ||||
|   enforce: baseline | ||||
|   enforce-version: v1.7 | ||||
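Review bot: The added v1beta1 cases in TestLoadFromFile, TestLoadFromReader and TestLoadFromData all feed well-formed input; none pins what happens when a v1beta1 document carries a misspelled or unknown key under `defaults`. Because an unset `enforce` is defaulted to `privileged` (compare the expected `Warn: "privileged"` values here), a typo that is silently dropped would load as the most permissive level, so the decoder's strict-or-lenient behaviour deserves a test. Consider one more table entry in TestLoadFromData, named along the lines of `"v1beta1 - unknown field"`, asserting either an error or the defaulted config, whichever the loader is meant to do. Cases outside these hunks may already cover this for v1alpha1; the test functions start and end outside the visible lines.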
|   | ||||
| @@ -22,6 +22,7 @@ import ( | ||||
| 	utilruntime "k8s.io/apimachinery/pkg/util/runtime" | ||||
| 	podsecurityapi "k8s.io/pod-security-admission/admission/api" | ||||
| 	podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1" | ||||
| 	podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1" | ||||
| ) | ||||
|  | ||||
| var ( | ||||
| @@ -40,5 +41,6 @@ func init() { | ||||
| func AddToScheme(scheme *runtime.Scheme) { | ||||
| 	utilruntime.Must(podsecurityapi.AddToScheme(scheme)) | ||||
| 	utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme)) | ||||
| 	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion)) | ||||
| 	utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme)) | ||||
| 	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion)) | ||||
| } | ||||
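Review bot: `AddToScheme` is exported without a doc comment, and the new `SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion)` call encodes a decision a reader should not have to infer: v1beta1 is preferred while v1alpha1 stays registered. Suggested comment: `// AddToScheme registers the internal, v1alpha1 and v1beta1 PodSecurity config types, preferring v1beta1.` If v1alpha1 is kept only for compatibility, a short note on when it is expected to be dropped would help operators plan the migration of existing config files.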
|   | ||||
| @@ -0,0 +1,48 @@ | ||||
| /* | ||||
| Copyright 2021 The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| package v1beta1 | ||||
|  | ||||
| import ( | ||||
| 	"k8s.io/apimachinery/pkg/runtime" | ||||
| 	"k8s.io/pod-security-admission/api" | ||||
| ) | ||||
|  | ||||
| func addDefaultingFuncs(scheme *runtime.Scheme) error { | ||||
| 	return RegisterDefaults(scheme) | ||||
| } | ||||
|  | ||||
| func SetDefaults_PodSecurityDefaults(obj *PodSecurityDefaults) { | ||||
| 	if len(obj.Enforce) == 0 { | ||||
| 		obj.Enforce = string(api.LevelPrivileged) | ||||
| 	} | ||||
| 	if len(obj.Warn) == 0 { | ||||
| 		obj.Warn = string(api.LevelPrivileged) | ||||
| 	} | ||||
| 	if len(obj.Audit) == 0 { | ||||
| 		obj.Audit = string(api.LevelPrivileged) | ||||
| 	} | ||||
|  | ||||
| 	if len(obj.EnforceVersion) == 0 { | ||||
| 		obj.EnforceVersion = string(api.VersionLatest) | ||||
| 	} | ||||
| 	if len(obj.WarnVersion) == 0 { | ||||
| 		obj.WarnVersion = string(api.VersionLatest) | ||||
| 	} | ||||
| 	if len(obj.AuditVersion) == 0 { | ||||
| 		obj.AuditVersion = string(api.VersionLatest) | ||||
| 	} | ||||
| } | ||||
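Review bot: `SetDefaults_PodSecurityDefaults` is exported and security-relevant but has no doc comment: every unset level (`Enforce`, `Warn`, `Audit`) becomes `api.LevelPrivileged` and every unset version becomes `api.VersionLatest`. That is a fail-open default, so a config that omits or empties `enforce` ends up at the most permissive level, and the function should say so where maintainers will read it. Suggested comment: `// SetDefaults_PodSecurityDefaults fills unset levels with "privileged" (no restrictions) and unset versions with "latest".` A one-line comment on `addDefaultingFuncs` noting that it only delegates to the generated `RegisterDefaults` would round this out.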
| @@ -0,0 +1,17 @@ | ||||
| /* | ||||
| Copyright 2021 The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| package v1beta1 | ||||
| @@ -0,0 +1,23 @@ | ||||
| /* | ||||
| Copyright 2021 The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| // +k8s:deepcopy-gen=package | ||||
| // +k8s:conversion-gen=k8s.io/pod-security-admission/admission/api | ||||
| // +k8s:defaulter-gen=TypeMeta | ||||
| // +groupName=pod-security.admission.config.k8s.io | ||||
|  | ||||
| // Package v1beta1 contains PodSecurity admission configuration file types | ||||
| package v1beta1 | ||||
| @@ -0,0 +1,50 @@ | ||||
| /* | ||||
| Copyright 2021 The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| package v1beta1 | ||||
|  | ||||
| import ( | ||||
| 	"k8s.io/apimachinery/pkg/runtime" | ||||
| 	"k8s.io/apimachinery/pkg/runtime/schema" | ||||
| ) | ||||
|  | ||||
| // GroupName is the group name use in this package | ||||
| const GroupName = "pod-security.admission.config.k8s.io" | ||||
|  | ||||
| // SchemeGroupVersion is group version used to register these objects | ||||
| var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} | ||||
|  | ||||
| var ( | ||||
| 	// SchemeBuilder is a pointer used to call AddToScheme | ||||
| 	SchemeBuilder      runtime.SchemeBuilder | ||||
| 	localSchemeBuilder = &SchemeBuilder | ||||
| 	// AddToScheme is used to register the types to API encoding/decoding machinery | ||||
| 	AddToScheme = localSchemeBuilder.AddToScheme | ||||
| ) | ||||
|  | ||||
| func init() { | ||||
| 	// We only register manually written functions here. The registration of the | ||||
| 	// generated functions takes place in the generated files. The separation | ||||
| 	// makes the code compile even when the generated files are missing. | ||||
| 	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) | ||||
| } | ||||
|  | ||||
| func addKnownTypes(scheme *runtime.Scheme) error { | ||||
| 	scheme.AddKnownTypes(SchemeGroupVersion, | ||||
| 		&PodSecurityConfiguration{}, | ||||
| 	) | ||||
| 	return nil | ||||
| } | ||||
| @@ -0,0 +1,44 @@ | ||||
| /* | ||||
| Copyright 2021 The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| package v1beta1 | ||||
|  | ||||
| import ( | ||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||
| ) | ||||
|  | ||||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||||
|  | ||||
| type PodSecurityConfiguration struct { | ||||
| 	metav1.TypeMeta | ||||
| 	Defaults   PodSecurityDefaults   `json:"defaults"` | ||||
| 	Exemptions PodSecurityExemptions `json:"exemptions"` | ||||
| } | ||||
|  | ||||
| type PodSecurityDefaults struct { | ||||
| 	Enforce        string `json:"enforce,omitempty"` | ||||
| 	EnforceVersion string `json:"enforce-version,omitempty"` | ||||
| 	Audit          string `json:"audit,omitempty"` | ||||
| 	AuditVersion   string `json:"audit-version,omitempty"` | ||||
| 	Warn           string `json:"warn,omitempty"` | ||||
| 	WarnVersion    string `json:"warn-version,omitempty"` | ||||
| } | ||||
|  | ||||
| type PodSecurityExemptions struct { | ||||
| 	Usernames      []string `json:"usernames,omitempty"` | ||||
| 	Namespaces     []string `json:"namespaces,omitempty"` | ||||
| 	RuntimeClasses []string `json:"runtimeClasses,omitempty"` | ||||
| } | ||||
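Review bot: `PodSecurityConfiguration`, `PodSecurityDefaults` and `PodSecurityExemptions` are exported config-file types with no doc comments on the types or their fields. The exemption lists are the sensitive part: the names suggest that requests matching `Usernames`, `Namespaces` or `RuntimeClasses` skip policy evaluation, but the matching rules (exact string or pattern, requesting user versus pod namespace) are not stated anywhere in this file. Suggest a one-line comment per field, for example `// Namespaces lists namespaces exempt from policy checks.`, worded to match what the admission code actually does, plus a note on `PodSecurityDefaults` that empty levels are defaulted to `privileged`.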
							
								
								
									
										154
									
								
								staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go
									
									
									
										generated
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| @@ -0,0 +1,154 @@ | ||||
| //go:build !ignore_autogenerated | ||||
| // +build !ignore_autogenerated | ||||
|  | ||||
| /* | ||||
| Copyright The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| // Code generated by conversion-gen. DO NOT EDIT. | ||||
|  | ||||
| package v1beta1 | ||||
|  | ||||
| import ( | ||||
| 	unsafe "unsafe" | ||||
|  | ||||
| 	conversion "k8s.io/apimachinery/pkg/conversion" | ||||
| 	runtime "k8s.io/apimachinery/pkg/runtime" | ||||
| 	api "k8s.io/pod-security-admission/admission/api" | ||||
| ) | ||||
|  | ||||
| func init() { | ||||
| 	localSchemeBuilder.Register(RegisterConversions) | ||||
| } | ||||
|  | ||||
| // RegisterConversions adds conversion functions to the given scheme. | ||||
| // Public to allow building arbitrary schemes. | ||||
| func RegisterConversions(s *runtime.Scheme) error { | ||||
| 	if err := s.AddGeneratedConversionFunc((*PodSecurityConfiguration)(nil), (*api.PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { | ||||
| 		return Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(a.(*PodSecurityConfiguration), b.(*api.PodSecurityConfiguration), scope) | ||||
| 	}); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	if err := s.AddGeneratedConversionFunc((*api.PodSecurityConfiguration)(nil), (*PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { | ||||
| 		return Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(a.(*api.PodSecurityConfiguration), b.(*PodSecurityConfiguration), scope) | ||||
| 	}); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	if err := s.AddGeneratedConversionFunc((*PodSecurityDefaults)(nil), (*api.PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error { | ||||
| 		return Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(a.(*PodSecurityDefaults), b.(*api.PodSecurityDefaults), scope) | ||||
| 	}); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	if err := s.AddGeneratedConversionFunc((*api.PodSecurityDefaults)(nil), (*PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error { | ||||
| 		return Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(a.(*api.PodSecurityDefaults), b.(*PodSecurityDefaults), scope) | ||||
| 	}); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	if err := s.AddGeneratedConversionFunc((*PodSecurityExemptions)(nil), (*api.PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error { | ||||
| 		return Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(a.(*PodSecurityExemptions), b.(*api.PodSecurityExemptions), scope) | ||||
| 	}); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	if err := s.AddGeneratedConversionFunc((*api.PodSecurityExemptions)(nil), (*PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error { | ||||
| 		return Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(a.(*api.PodSecurityExemptions), b.(*PodSecurityExemptions), scope) | ||||
| 	}); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| func autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error { | ||||
| 	if err := Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	if err := Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration is an autogenerated conversion function. | ||||
| func Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error { | ||||
| 	return autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in, out, s) | ||||
| } | ||||
|  | ||||
| func autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error { | ||||
| 	if err := Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	if err := Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration is an autogenerated conversion function. | ||||
| func Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error { | ||||
| 	return autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in, out, s) | ||||
| } | ||||
|  | ||||
| func autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error { | ||||
| 	out.Enforce = in.Enforce | ||||
| 	out.EnforceVersion = in.EnforceVersion | ||||
| 	out.Audit = in.Audit | ||||
| 	out.AuditVersion = in.AuditVersion | ||||
| 	out.Warn = in.Warn | ||||
| 	out.WarnVersion = in.WarnVersion | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults is an autogenerated conversion function. | ||||
| func Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error { | ||||
| 	return autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in, out, s) | ||||
| } | ||||
|  | ||||
| func autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error { | ||||
| 	out.Enforce = in.Enforce | ||||
| 	out.EnforceVersion = in.EnforceVersion | ||||
| 	out.Audit = in.Audit | ||||
| 	out.AuditVersion = in.AuditVersion | ||||
| 	out.Warn = in.Warn | ||||
| 	out.WarnVersion = in.WarnVersion | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults is an autogenerated conversion function. | ||||
| func Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error { | ||||
| 	return autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in, out, s) | ||||
| } | ||||
|  | ||||
| func autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error { | ||||
| 	out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames)) | ||||
| 	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) | ||||
| 	out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses)) | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions is an autogenerated conversion function. | ||||
| func Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error { | ||||
| 	return autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in, out, s) | ||||
| } | ||||
|  | ||||
| func autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error { | ||||
| 	out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames)) | ||||
| 	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) | ||||
| 	out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses)) | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions is an autogenerated conversion function. | ||||
| func Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error { | ||||
| 	return autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in, out, s) | ||||
| } | ||||
							
								
								
									
										100
									
								
								staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go
									
									
									
										generated
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| @@ -0,0 +1,100 @@ | ||||
| //go:build !ignore_autogenerated | ||||
| // +build !ignore_autogenerated | ||||
|  | ||||
| /* | ||||
| Copyright The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| // Code generated by deepcopy-gen. DO NOT EDIT. | ||||
|  | ||||
| package v1beta1 | ||||
|  | ||||
| import ( | ||||
| 	runtime "k8s.io/apimachinery/pkg/runtime" | ||||
| ) | ||||
|  | ||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. | ||||
| func (in *PodSecurityConfiguration) DeepCopyInto(out *PodSecurityConfiguration) { | ||||
| 	*out = *in | ||||
| 	out.TypeMeta = in.TypeMeta | ||||
| 	out.Defaults = in.Defaults | ||||
| 	in.Exemptions.DeepCopyInto(&out.Exemptions) | ||||
| 	return | ||||
| } | ||||
|  | ||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityConfiguration. | ||||
| func (in *PodSecurityConfiguration) DeepCopy() *PodSecurityConfiguration { | ||||
| 	if in == nil { | ||||
| 		return nil | ||||
| 	} | ||||
| 	out := new(PodSecurityConfiguration) | ||||
| 	in.DeepCopyInto(out) | ||||
| 	return out | ||||
| } | ||||
|  | ||||
| // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. | ||||
| func (in *PodSecurityConfiguration) DeepCopyObject() runtime.Object { | ||||
| 	if c := in.DeepCopy(); c != nil { | ||||
| 		return c | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. | ||||
| func (in *PodSecurityDefaults) DeepCopyInto(out *PodSecurityDefaults) { | ||||
| 	*out = *in | ||||
| 	return | ||||
| } | ||||
|  | ||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityDefaults. | ||||
| func (in *PodSecurityDefaults) DeepCopy() *PodSecurityDefaults { | ||||
| 	if in == nil { | ||||
| 		return nil | ||||
| 	} | ||||
| 	out := new(PodSecurityDefaults) | ||||
| 	in.DeepCopyInto(out) | ||||
| 	return out | ||||
| } | ||||
|  | ||||
| // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. | ||||
| func (in *PodSecurityExemptions) DeepCopyInto(out *PodSecurityExemptions) { | ||||
| 	*out = *in | ||||
| 	if in.Usernames != nil { | ||||
| 		in, out := &in.Usernames, &out.Usernames | ||||
| 		*out = make([]string, len(*in)) | ||||
| 		copy(*out, *in) | ||||
| 	} | ||||
| 	if in.Namespaces != nil { | ||||
| 		in, out := &in.Namespaces, &out.Namespaces | ||||
| 		*out = make([]string, len(*in)) | ||||
| 		copy(*out, *in) | ||||
| 	} | ||||
| 	if in.RuntimeClasses != nil { | ||||
| 		in, out := &in.RuntimeClasses, &out.RuntimeClasses | ||||
| 		*out = make([]string, len(*in)) | ||||
| 		copy(*out, *in) | ||||
| 	} | ||||
| 	return | ||||
| } | ||||
|  | ||||
| // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityExemptions. | ||||
| func (in *PodSecurityExemptions) DeepCopy() *PodSecurityExemptions { | ||||
| 	if in == nil { | ||||
| 		return nil | ||||
| 	} | ||||
| 	out := new(PodSecurityExemptions) | ||||
| 	in.DeepCopyInto(out) | ||||
| 	return out | ||||
| } | ||||
							
								
								
									
										38
									
								
								staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go
									
									
									
										generated
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| @@ -0,0 +1,38 @@ | ||||
| //go:build !ignore_autogenerated | ||||
| // +build !ignore_autogenerated | ||||
|  | ||||
| /* | ||||
| Copyright The Kubernetes Authors. | ||||
|  | ||||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| you may not use this file except in compliance with the License. | ||||
| You may obtain a copy of the License at | ||||
|  | ||||
|     http://www.apache.org/licenses/LICENSE-2.0 | ||||
|  | ||||
| Unless required by applicable law or agreed to in writing, software | ||||
| distributed under the License is distributed on an "AS IS" BASIS, | ||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| See the License for the specific language governing permissions and | ||||
| limitations under the License. | ||||
| */ | ||||
|  | ||||
| // Code generated by defaulter-gen. DO NOT EDIT. | ||||
|  | ||||
| package v1beta1 | ||||
|  | ||||
| import ( | ||||
| 	runtime "k8s.io/apimachinery/pkg/runtime" | ||||
| ) | ||||
|  | ||||
| // RegisterDefaults adds defaulters functions to the given scheme. | ||||
| // Public to allow building arbitrary schemes. | ||||
| // All generated defaulters are covering - they call all nested defaulters. | ||||
| func RegisterDefaults(scheme *runtime.Scheme) error { | ||||
| 	scheme.AddTypeDefaultingFunc(&PodSecurityConfiguration{}, func(obj interface{}) { SetObjectDefaults_PodSecurityConfiguration(obj.(*PodSecurityConfiguration)) }) | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| func SetObjectDefaults_PodSecurityConfiguration(in *PodSecurityConfiguration) { | ||||
| 	SetDefaults_PodSecurityDefaults(&in.Defaults) | ||||
| } | ||||
| @@ -102,14 +102,14 @@ func TestPodSecurityWebhook(t *testing.T) { | ||||
| 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)() | ||||
| 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)() | ||||
| 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)() | ||||
| 	// The webhook should pass tests even when PodSecurity is disabled. | ||||
| 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, false)() | ||||
|  | ||||
| 	// Start test API server. | ||||
| 	capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true}) | ||||
| 	testServer := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{ | ||||
| 		"--anonymous-auth=false", | ||||
| 		"--allow-privileged=true", | ||||
| 		// The webhook should pass tests even when PodSecurity is disabled. | ||||
| 		"--disable-admission-plugins=PodSecurity", | ||||
| 	}, framework.SharedEtcd()) | ||||
| 	t.Cleanup(testServer.TearDownFn) | ||||
|  | ||||
|   | ||||
							
								
								
									
										1
									
								
								vendor/modules.txt
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
									
									
								
							| @@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api | ||||
| k8s.io/pod-security-admission/admission/api/load | ||||
| k8s.io/pod-security-admission/admission/api/scheme | ||||
| k8s.io/pod-security-admission/admission/api/v1alpha1 | ||||
| k8s.io/pod-security-admission/admission/api/v1beta1 | ||||
| k8s.io/pod-security-admission/admission/api/validation | ||||
| k8s.io/pod-security-admission/api | ||||
| k8s.io/pod-security-admission/cmd/webhook/server | ||||
|   | ||||
	 Kubernetes Prow Robot
					Kubernetes Prow Robot