Allow PSP's to specify a whitelist of allowed paths for host volume

removed files not supposed to be there

api/openapi-spec/swagger.json

@@ -62402,6 +62402,15 @@
      }
     }
    },
+   "io.k8s.api.extensions.v1beta1.AllowedHostPath": {
+    "description": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
+    "properties": {
+     "path": {
+      "description": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
+      "type": "string"
+     }
+    }
+   },
    "io.k8s.api.extensions.v1beta1.DaemonSet": {
     "description": "DaemonSet represents the configuration of a daemon set.",
     "properties": {
@@ -63275,6 +63284,13 @@
        "type": "string"
       }
      },
+     "allowedHostPaths": {
+      "description": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.",
+      "type": "array",
+      "items": {
+       "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath"
+      }
+     },
      "defaultAddCapabilities": {
       "description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
       "type": "array",

api/swagger-spec/extensions_v1beta1.json

@@ -9470,6 +9470,13 @@
      "allowPrivilegeEscalation": {
       "type": "boolean",
       "description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation."
+     },
+     "allowedHostPaths": {
+      "type": "array",
+      "items": {
+       "$ref": "v1beta1.AllowedHostPath"
+      },
+      "description": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used."
      }
     }
    },
@@ -9588,6 +9595,16 @@
      }
     }
    },
+   "v1beta1.AllowedHostPath": {
+    "id": "v1beta1.AllowedHostPath",
+    "description": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
+    "properties": {
+     "path": {
+      "type": "string",
+      "description": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`"
+     }
+    }
+   },
    "v1beta1.ReplicaSetList": {
     "id": "v1beta1.ReplicaSetList",
     "description": "ReplicaSetList is a collection of ReplicaSets.",

docs/api-reference/extensions/v1beta1/definitions.html

@@ -419,6 +419,42 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
 <h2 id="_definitions">Definitions</h2>
 <div class="sectionbody">
 <div class="sect2">
+<h3 id="_v1beta1_allowedhostpath">v1beta1.AllowedHostPath</h3>
+<div class="paragraph">
+<p>AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.</p>
+</div>
+<table class="tableblock frame-all grid-all" style="width:100%; ">
+<colgroup>
+<col style="width:20%;">
+<col style="width:20%;">
+<col style="width:20%;">
+<col style="width:20%;">
+<col style="width:20%;"> 
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+<th class="tableblock halign-left valign-top">Required</th>
+<th class="tableblock halign-left valign-top">Schema</th>
+<th class="tableblock halign-left valign-top">Default</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">path</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">PathPrefix is the path prefix that the host volume must match. PathPrefix does not support <code>*</code>. Trailing slashes are trimmed when validating the path prefix with a host path.<br>
+<br>
+Examples: <code>/foo</code> would allow <code>/foo</code>, <code>/foo/</code> and <code>/foo/bar</code> <code>/foo</code> would not allow <code>/food</code> or <code>/etc/foo</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
+</tbody>
+</table>
+
+</div>
+<div class="sect2">
 <h3 id="_v1beta1_deploymentstatus">v1beta1.DeploymentStatus</h3>
 <div class="paragraph">
 <p>DeploymentStatus is the most recently observed status of the Deployment.</p>
@@ -7691,6 +7727,13 @@ Both these may change in the future. Incoming requests are matched against the h
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">allowedHostPaths</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_allowedhostpath">v1beta1.AllowedHostPath</a> array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 

pkg/apis/extensions/types.go

@@ -933,6 +933,22 @@ type PodSecurityPolicySpec struct {
 	// privilege escalation.
 	// +optional
 	AllowPrivilegeEscalation bool
+	// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
+	// +optional
+	AllowedHostPaths []AllowedHostPath
+}
+
+// AllowedHostPath defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+type AllowedHostPath struct {
+	// PathPrefix is the path prefix that the host volume must match.
+	// PathPrefix does not support `*`.
+	// Trailing slashes are trimmed when validating the path prefix with a host path.
+	//
+	// Examples:
+	// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+	// `/foo` would not allow `/food` or `/etc/foo`
+	PathPrefix string
 }
 
 // HostPortRange defines a range of host ports that will be enabled by a policy

pkg/apis/extensions/v1beta1/zz_generated.conversion.go

@@ -42,6 +42,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 	return scheme.AddGeneratedConversionFuncs(
 		Convert_v1beta1_APIVersion_To_extensions_APIVersion,
 		Convert_extensions_APIVersion_To_v1beta1_APIVersion,
+		Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath,
+		Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath,
 		Convert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus,
 		Convert_extensions_CustomMetricCurrentStatus_To_v1beta1_CustomMetricCurrentStatus,
 		Convert_v1beta1_CustomMetricCurrentStatusList_To_extensions_CustomMetricCurrentStatusList,
@@ -165,6 +167,26 @@ func Convert_extensions_APIVersion_To_v1beta1_APIVersion(in *extensions.APIVersi
 	return autoConvert_extensions_APIVersion_To_v1beta1_APIVersion(in, out, s)
 }
 
+func autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
+	out.PathPrefix = in.PathPrefix
+	return nil
+}
+
+// Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath is an autogenerated conversion function.
+func Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
+	return autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in, out, s)
+}
+
+func autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
+	out.PathPrefix = in.PathPrefix
+	return nil
+}
+
+// Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
+func Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
+	return autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
+}
+
 func autoConvert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus(in *v1beta1.CustomMetricCurrentStatus, out *extensions.CustomMetricCurrentStatus, s conversion.Scope) error {
 	out.Name = in.Name
 	out.CurrentValue = in.CurrentValue
@@ -1070,6 +1092,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 	out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
 	out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
+	out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
 	return nil
 }
 
@@ -1113,6 +1136,7 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 	out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
 	out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
+	out.AllowedHostPaths = *(*[]v1beta1.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
 	return nil
 }
 

pkg/apis/extensions/validation/validation.go

@@ -19,6 +19,8 @@ package validation
 import (
 	"fmt"
 	"net"
+
+	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
@@ -661,6 +663,7 @@ func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPa
 	allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
 	allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
 	allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
+	allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
 
 	return allErrs
 }
@@ -701,6 +704,29 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string,
 	return allErrs
 }
 
+// validatePSPAllowedHostPaths makes sure all allowed host paths follow:
+// 1. path prefix is required
+// 2. path prefix does not have any element which is ".."
+func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []extensions.AllowedHostPath) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	for i, target := range allowedHostPaths {
+		if target.PathPrefix == "" {
+			allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
+			break
+		}
+		parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
+		for _, item := range parts {
+			if item == ".." {
+				allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
+				break // even for `../../..`, one error is sufficient to make the point
+			}
+		}
+	}
+
+	return allErrs
+}
+
 // validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
 func validatePSPSELinux(fldPath *field.Path, seLinux *extensions.SELinuxStrategyOptions) field.ErrorList {
 	allErrs := field.ErrorList{}

pkg/apis/extensions/validation/validation_test.go

@@ -2418,6 +2418,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 				SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
 					Rule: extensions.SupplementalGroupsStrategyRunAsAny,
 				},
+				AllowedHostPaths: []extensions.AllowedHostPath{
+					{PathPrefix: "/foo/bar"},
+					{PathPrefix: "/baz/"},
+				},
 			},
 		}
 	}
@@ -2497,6 +2501,16 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 		seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
 	}
 
+	invalidAllowedHostPathMissingPath := validPSP()
+	invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+		{PathPrefix: ""},
+	}
+
+	invalidAllowedHostPathBacksteps := validPSP()
+	invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+		{PathPrefix: "/dont/allow/backsteps/.."},
+	}
+
 	invalidDefaultAllowPrivilegeEscalation := validPSP()
 	pe := true
 	invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
@@ -2612,6 +2626,16 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 			errorType:   field.ErrorTypeInvalid,
 			errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
 		},
+		"invalid allowed host path empty path": {
+			psp:         invalidAllowedHostPathMissingPath,
+			errorType:   field.ErrorTypeRequired,
+			errorDetail: "is required",
+		},
+		"invalid allowed host path with backsteps": {
+			psp:         invalidAllowedHostPathBacksteps,
+			errorType:   field.ErrorTypeInvalid,
+			errorDetail: "must not contain '..'",
+		},
 	}
 
 	for k, v := range errorCases {

pkg/apis/extensions/zz_generated.deepcopy.go

@@ -42,6 +42,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 			in.(*APIVersion).DeepCopyInto(out.(*APIVersion))
 			return nil
 		}, InType: reflect.TypeOf(&APIVersion{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath))
+			return nil
+		}, InType: reflect.TypeOf(&AllowedHostPath{})},
 		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
 			in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus))
 			return nil
@@ -269,6 +273,22 @@ func (in *APIVersion) DeepCopy() *APIVersion {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
+func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowedHostPath)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
 	*out = *in
@@ -1117,6 +1137,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
 			**out = **in
 		}
 	}
+	if in.AllowedHostPaths != nil {
+		in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
+		*out = make([]AllowedHostPath, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 

pkg/security/podsecuritypolicy/provider.go

@@ -239,7 +239,8 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 
 	// TODO(tallclair): ValidatePodSecurityContext should be renamed to ValidatePod since its scope
 	// is not limited to the PodSecurityContext.
-	if len(pod.Spec.Volumes) > 0 && !psputil.PSPAllowsAllVolumes(s.psp) {
+	if len(pod.Spec.Volumes) > 0 {
+		allowsAllVolumeTypes := psputil.PSPAllowsAllVolumes(s.psp)
 		allowedVolumes := psputil.FSTypeToStringSet(s.psp.Spec.Volumes)
 		for i, v := range pod.Spec.Volumes {
 			fsType, err := psputil.GetVolumeFSType(v)
@@ -248,10 +249,19 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 				continue
 			}
 
-			if !allowedVolumes.Has(string(fsType)) {
+			if !allowsAllVolumeTypes && !allowedVolumes.Has(string(fsType)) {
 				allErrs = append(allErrs, field.Invalid(
 					field.NewPath("spec", "volumes").Index(i), string(fsType),
 					fmt.Sprintf("%s volumes are not allowed to be used", string(fsType))))
+				continue
+			}
+
+			if fsType == extensions.HostPath {
+				if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) {
+					allErrs = append(allErrs, field.Invalid(
+						field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path,
+						fmt.Sprintf("is not allowed to be used")))
+				}
 			}
 		}
 	}

pkg/security/podsecuritypolicy/provider_test.go

@@ -248,6 +248,23 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 		},
 	}
 
+	failHostPathDirPod := defaultPod()
+	failHostPathDirPod.Spec.Volumes = []api.Volume{
+		{
+			Name: "bad volume",
+			VolumeSource: api.VolumeSource{
+				HostPath: &api.HostPathVolumeSource{
+					Path: "/fail",
+				},
+			},
+		},
+	}
+	failHostPathDirPSP := defaultPSP()
+	failHostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
+	failHostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+		{PathPrefix: "/foo/bar"},
+	}
+
 	failOtherSysctlsAllowedPSP := defaultPSP()
 	failOtherSysctlsAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc"
 
@@ -318,6 +335,11 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 			psp:           defaultPSP(),
 			expectedError: "hostPath volumes are not allowed to be used",
 		},
+		"failHostPathDirPSP": {
+			pod:           failHostPathDirPod,
+			psp:           failHostPathDirPSP,
+			expectedError: "is not allowed to be used",
+		},
 		"failSafeSysctlFooPod with failNoSysctlAllowedSCC": {
 			pod:           failSafeSysctlFooPod,
 			psp:           failNoSysctlAllowedPSP,
@@ -556,6 +578,30 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 		Level: "level",
 	}
 
+	hostPathDirPod := defaultPod()
+	hostPathDirPod.Spec.Volumes = []api.Volume{
+		{
+			Name: "good volume",
+			VolumeSource: api.VolumeSource{
+				HostPath: &api.HostPathVolumeSource{
+					Path: "/foo/bar/baz",
+				},
+			},
+		},
+	}
+
+	hostPathDirPSP := defaultPSP()
+	hostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
+	hostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+		{PathPrefix: "/foo/bar"},
+	}
+
+	hostPathDirAsterisksPSP := defaultPSP()
+	hostPathDirAsterisksPSP.Spec.Volumes = []extensions.FSType{extensions.All}
+	hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+		{PathPrefix: "/foo/bar"},
+	}
+
 	sysctlAllowFooPSP := defaultPSP()
 	sysctlAllowFooPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "foo"
 
@@ -619,6 +665,14 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 			pod: unsafeSysctlFooPod,
 			psp: defaultPSP(),
 		},
+		"pass hostDir allowed directory validating PSP": {
+			pod: hostPathDirPod,
+			psp: hostPathDirPSP,
+		},
+		"pass hostDir all volumes allowed validating PSP": {
+			pod: hostPathDirPod,
+			psp: hostPathDirAsterisksPSP,
+		},
 		"pass seccomp validating PSP": {
 			pod: seccompPod,
 			psp: seccompPSP,

pkg/security/podsecuritypolicy/util/util.go

@@ -18,6 +18,7 @@ package util
 
 import (
 	"fmt"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kubernetes/pkg/api"
@@ -170,3 +171,53 @@ func UserFallsInRange(id int64, rng extensions.UserIDRange) bool {
 func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool {
 	return id >= rng.Min && id <= rng.Max
 }
+
+// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
+// This only checks the path. You should still check to make sure the host volume fs type is allowed.
+func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool {
+	if psp == nil {
+		return false
+	}
+
+	// If no allowed paths are specified then allow any path
+	if len(psp.Spec.AllowedHostPaths) == 0 {
+		return true
+	}
+
+	for _, allowedPath := range psp.Spec.AllowedHostPaths {
+		if hasPathPrefix(hostPath, allowedPath.PathPrefix) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// hasPathPrefix returns true if the string matches pathPrefix exactly, or if is prefixed with pathPrefix at a path segment boundary
+// the string and pathPrefix are both normalized to remove trailing slashes prior to checking.
+func hasPathPrefix(s, pathPrefix string) bool {
+
+	s = strings.TrimSuffix(s, "/")
+	pathPrefix = strings.TrimSuffix(pathPrefix, "/")
+
+	// Short circuit if s doesn't contain the prefix at all
+	if !strings.HasPrefix(s, pathPrefix) {
+		return false
+	}
+
+	pathPrefixLength := len(pathPrefix)
+
+	if len(s) == pathPrefixLength {
+		// Exact match
+		return true
+	}
+
+	if s[pathPrefixLength:pathPrefixLength+1] == "/" {
+		// The next character in s is a path segment boundary
+		// Check this instead of normalizing pathPrefix to avoid allocating on every call
+		// Example where this check applies: s=/foo/bar and pathPrefix=/foo
+		return true
+	}
+
+	return false
+}

pkg/security/podsecuritypolicy/util/util_test.go

@@ -103,3 +103,95 @@ func TestPSPAllowsFSType(t *testing.T) {
 		}
 	}
 }
+
+func TestAllowsHostVolumePath(t *testing.T) {
+	tests := map[string]struct {
+		psp    *extensions.PodSecurityPolicy
+		path   string
+		allows bool
+	}{
+		"nil psp": {
+			psp:    nil,
+			path:   "/test",
+			allows: false,
+		},
+		"empty allowed paths": {
+			psp:    &extensions.PodSecurityPolicy{},
+			path:   "/test",
+			allows: true,
+		},
+		"non-matching": {
+			psp: &extensions.PodSecurityPolicy{
+				Spec: extensions.PodSecurityPolicySpec{
+					AllowedHostPaths: []extensions.AllowedHostPath{
+						{PathPrefix: "/foo"},
+					},
+				},
+			},
+			path:   "/foobar",
+			allows: false,
+		},
+		"match on direct match": {
+			psp: &extensions.PodSecurityPolicy{
+				Spec: extensions.PodSecurityPolicySpec{
+					AllowedHostPaths: []extensions.AllowedHostPath{
+						{PathPrefix: "/foo"},
+					},
+				},
+			},
+			path:   "/foo",
+			allows: true,
+		},
+		"match with trailing slash on host path": {
+			psp: &extensions.PodSecurityPolicy{
+				Spec: extensions.PodSecurityPolicySpec{
+					AllowedHostPaths: []extensions.AllowedHostPath{
+						{PathPrefix: "/foo"},
+					},
+				},
+			},
+			path:   "/foo/",
+			allows: true,
+		},
+		"match with trailing slash on allowed path": {
+			psp: &extensions.PodSecurityPolicy{
+				Spec: extensions.PodSecurityPolicySpec{
+					AllowedHostPaths: []extensions.AllowedHostPath{
+						{PathPrefix: "/foo/"},
+					},
+				},
+			},
+			path:   "/foo",
+			allows: true,
+		},
+		"match child directory": {
+			psp: &extensions.PodSecurityPolicy{
+				Spec: extensions.PodSecurityPolicySpec{
+					AllowedHostPaths: []extensions.AllowedHostPath{
+						{PathPrefix: "/foo/"},
+					},
+				},
+			},
+			path:   "/foo/bar",
+			allows: true,
+		},
+		"non-matching parent directory": {
+			psp: &extensions.PodSecurityPolicy{
+				Spec: extensions.PodSecurityPolicySpec{
+					AllowedHostPaths: []extensions.AllowedHostPath{
+						{PathPrefix: "/foo/bar"},
+					},
+				},
+			},
+			path:   "/foo",
+			allows: false,
+		},
+	}
+
+	for k, v := range tests {
+		allows := AllowsHostVolumePath(v.psp, v.path)
+		if v.allows != allows {
+			t.Errorf("%s expected %t but got %t", k, v.allows, allows)
+		}
+	}
+}

staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go

@@ -26,6 +26,7 @@ limitations under the License.
 
 	It has these top-level messages:
 		APIVersion
+		AllowedHostPath
 		CustomMetricCurrentStatus
 		CustomMetricCurrentStatusList
 		CustomMetricTarget
@@ -119,93 +120,99 @@ func (m *APIVersion) Reset()                    { *m = APIVersion{} }
 func (*APIVersion) ProtoMessage()               {}
 func (*APIVersion) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
 
+func (m *AllowedHostPath) Reset()                    { *m = AllowedHostPath{} }
+func (*AllowedHostPath) ProtoMessage()               {}
+func (*AllowedHostPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
 func (m *CustomMetricCurrentStatus) Reset()      { *m = CustomMetricCurrentStatus{} }
 func (*CustomMetricCurrentStatus) ProtoMessage() {}
 func (*CustomMetricCurrentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{1}
+	return fileDescriptorGenerated, []int{2}
 }
 
 func (m *CustomMetricCurrentStatusList) Reset()      { *m = CustomMetricCurrentStatusList{} }
 func (*CustomMetricCurrentStatusList) ProtoMessage() {}
 func (*CustomMetricCurrentStatusList) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{2}
+	return fileDescriptorGenerated, []int{3}
 }
 
 func (m *CustomMetricTarget) Reset()                    { *m = CustomMetricTarget{} }
 func (*CustomMetricTarget) ProtoMessage()               {}
-func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
 
 func (m *CustomMetricTargetList) Reset()                    { *m = CustomMetricTargetList{} }
 func (*CustomMetricTargetList) ProtoMessage()               {}
-func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
 
 func (m *DaemonSet) Reset()                    { *m = DaemonSet{} }
 func (*DaemonSet) ProtoMessage()               {}
-func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
 
 func (m *DaemonSetList) Reset()                    { *m = DaemonSetList{} }
 func (*DaemonSetList) ProtoMessage()               {}
-func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
 
 func (m *DaemonSetSpec) Reset()                    { *m = DaemonSetSpec{} }
 func (*DaemonSetSpec) ProtoMessage()               {}
-func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
 
 func (m *DaemonSetStatus) Reset()                    { *m = DaemonSetStatus{} }
 func (*DaemonSetStatus) ProtoMessage()               {}
-func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
 
-func (m *DaemonSetUpdateStrategy) Reset()                    { *m = DaemonSetUpdateStrategy{} }
+func (m *DaemonSetUpdateStrategy) Reset()      { *m = DaemonSetUpdateStrategy{} }
-func (*DaemonSetUpdateStrategy) ProtoMessage()               {}
+func (*DaemonSetUpdateStrategy) ProtoMessage() {}
-func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{10}
+}
 
 func (m *Deployment) Reset()                    { *m = Deployment{} }
 func (*Deployment) ProtoMessage()               {}
-func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
 
 func (m *DeploymentCondition) Reset()                    { *m = DeploymentCondition{} }
 func (*DeploymentCondition) ProtoMessage()               {}
-func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
+func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
 
 func (m *DeploymentList) Reset()                    { *m = DeploymentList{} }
 func (*DeploymentList) ProtoMessage()               {}
-func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
+func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
 
 func (m *DeploymentRollback) Reset()                    { *m = DeploymentRollback{} }
 func (*DeploymentRollback) ProtoMessage()               {}
-func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
 
 func (m *DeploymentSpec) Reset()                    { *m = DeploymentSpec{} }
 func (*DeploymentSpec) ProtoMessage()               {}
-func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
+func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
 
 func (m *DeploymentStatus) Reset()                    { *m = DeploymentStatus{} }
 func (*DeploymentStatus) ProtoMessage()               {}
-func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
+func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
 
 func (m *DeploymentStrategy) Reset()                    { *m = DeploymentStrategy{} }
 func (*DeploymentStrategy) ProtoMessage()               {}
-func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
+func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
 
 func (m *FSGroupStrategyOptions) Reset()                    { *m = FSGroupStrategyOptions{} }
 func (*FSGroupStrategyOptions) ProtoMessage()               {}
-func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
+func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
 
 func (m *HTTPIngressPath) Reset()                    { *m = HTTPIngressPath{} }
 func (*HTTPIngressPath) ProtoMessage()               {}
-func (*HTTPIngressPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
+func (*HTTPIngressPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
 
 func (m *HTTPIngressRuleValue) Reset()                    { *m = HTTPIngressRuleValue{} }
 func (*HTTPIngressRuleValue) ProtoMessage()               {}
-func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
+func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
 
 func (m *HostPortRange) Reset()                    { *m = HostPortRange{} }
 func (*HostPortRange) ProtoMessage()               {}
-func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
+func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
 
 func (m *IDRange) Reset()                    { *m = IDRange{} }
 func (*IDRange) ProtoMessage()               {}
-func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
+func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{22} }
 
 func (m *IPBlock) Reset()                    { *m = IPBlock{} }
 func (*IPBlock) ProtoMessage()               {}
@@ -369,6 +376,7 @@ func (*ThirdPartyResourceList) Descriptor() ([]byte, []int) { return fileDescrip
 
 func init() {
 	proto.RegisterType((*APIVersion)(nil), "k8s.io.api.extensions.v1beta1.APIVersion")
+	proto.RegisterType((*AllowedHostPath)(nil), "k8s.io.api.extensions.v1beta1.AllowedHostPath")
 	proto.RegisterType((*CustomMetricCurrentStatus)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatus")
 	proto.RegisterType((*CustomMetricCurrentStatusList)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatusList")
 	proto.RegisterType((*CustomMetricTarget)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricTarget")
@@ -450,6 +458,28 @@ func (m *APIVersion) MarshalTo(dAtA []byte) (int, error) {
 	return i, nil
 }
 
+func (m *AllowedHostPath) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AllowedHostPath) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PathPrefix)))
+	i += copy(dAtA[i:], m.PathPrefix)
+	return i, nil
+}
+
 func (m *CustomMetricCurrentStatus) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -2078,6 +2108,20 @@ func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) {
 		dAtA[i] = 0
 	}
 	i++
+	if len(m.AllowedHostPaths) > 0 {
+		for _, msg := range m.AllowedHostPaths {
+			dAtA[i] = 0x8a
+			i++
+			dAtA[i] = 0x1
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
 	return i, nil
 }
 
@@ -2792,6 +2836,14 @@ func (m *APIVersion) Size() (n int) {
 	return n
 }
 
+func (m *AllowedHostPath) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.PathPrefix)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
 func (m *CustomMetricCurrentStatus) Size() (n int) {
 	var l int
 	_ = l
@@ -3362,6 +3414,12 @@ func (m *PodSecurityPolicySpec) Size() (n int) {
 		n += 2
 	}
 	n += 3
+	if len(m.AllowedHostPaths) > 0 {
+		for _, e := range m.AllowedHostPaths {
+			l = e.Size()
+			n += 2 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -3632,6 +3690,16 @@ func (this *APIVersion) String() string {
 	}, "")
 	return s
 }
+func (this *AllowedHostPath) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AllowedHostPath{`,
+		`PathPrefix:` + fmt.Sprintf("%v", this.PathPrefix) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func (this *CustomMetricCurrentStatus) String() string {
 	if this == nil {
 		return "nil"
@@ -4110,6 +4178,7 @@ func (this *PodSecurityPolicySpec) String() string {
 		`ReadOnlyRootFilesystem:` + fmt.Sprintf("%v", this.ReadOnlyRootFilesystem) + `,`,
 		`DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`,
 		`AllowPrivilegeEscalation:` + fmt.Sprintf("%v", this.AllowPrivilegeEscalation) + `,`,
+		`AllowedHostPaths:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedHostPaths), "AllowedHostPath", "AllowedHostPath", 1), `&`, ``, 1) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -4428,6 +4497,85 @@ func (m *APIVersion) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *AllowedHostPath) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AllowedHostPath: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AllowedHostPath: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PathPrefix", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PathPrefix = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *CustomMetricCurrentStatus) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@@ -9731,6 +9879,37 @@ func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error {
 				}
 			}
 			m.AllowPrivilegeEscalation = bool(v != 0)
+		case 17:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowedHostPaths", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AllowedHostPaths = append(m.AllowedHostPaths, AllowedHostPath{})
+			if err := m.AllowedHostPaths[len(m.AllowedHostPaths)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -12183,6 +12362,7 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
+<<<<<<< a235ba4e49451c779b8328378addf0d7bd7b84fd
 	// 3495 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0xcd, 0x6f, 0x1b, 0xd7,
 	0xb5, 0xf7, 0x90, 0xa2, 0x48, 0x1d, 0x5a, 0x92, 0x75, 0xe5, 0xc8, 0x8c, 0x1c, 0x8b, 0xce, 0x04,
@@ -12403,4 +12583,225 @@ var fileDescriptorGenerated = []byte{
 	0x78, 0x74, 0x30, 0x27, 0x7c, 0x7e, 0x30, 0x27, 0x7c, 0x71, 0x30, 0x27, 0xfc, 0xed, 0x60, 0x4e,
 	0xf8, 0xf1, 0x57, 0x73, 0x27, 0xee, 0xe7, 0x39, 0xee, 0xbf, 0x02, 0x00, 0x00, 0xff, 0xff, 0x6f,
 	0x30, 0xd5, 0x91, 0x29, 0x3b, 0x00, 0x00,
+=======
+	// 3487 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0x4d, 0x6c, 0x1c, 0xc7,
+	0x95, 0x56, 0xcf, 0x0f, 0x39, 0x7c, 0x14, 0xff, 0x8a, 0x32, 0x35, 0xa6, 0x2c, 0x0e, 0xdd, 0x06,
+	0xb4, 0x92, 0x57, 0x9a, 0xb1, 0x64, 0xcb, 0x96, 0x2d, 0xac, 0x77, 0x39, 0xa4, 0x7e, 0xe8, 0x25,
+	0x29, 0xaa, 0x66, 0x48, 0xef, 0x0a, 0xd6, 0xae, 0x9b, 0x33, 0xc5, 0x61, 0x8b, 0x3d, 0xdd, 0xe3,
+	0xee, 0x6a, 0x9a, 0x73, 0x59, 0xec, 0xc9, 0xc0, 0x02, 0xbb, 0xd8, 0xdd, 0x83, 0x03, 0x07, 0xc8,
+	0x21, 0xbe, 0xe4, 0x94, 0x20, 0xbe, 0x25, 0x07, 0x23, 0x40, 0x80, 0x04, 0x10, 0x02, 0x27, 0xf0,
+	0x29, 0xf1, 0x89, 0x88, 0xe9, 0x63, 0xce, 0x01, 0x02, 0x1d, 0x82, 0xa0, 0xaa, 0xab, 0xff, 0xbb,
+	0x39, 0x33, 0xb4, 0x44, 0x04, 0xb9, 0x71, 0xea, 0xbd, 0xf7, 0xbd, 0x9f, 0xaa, 0x7a, 0xf5, 0xaa,
+	0x5e, 0x13, 0x6e, 0xef, 0xde, 0xb0, 0xca, 0xaa, 0x51, 0xd9, 0xb5, 0xb7, 0x88, 0xa9, 0x13, 0x4a,
+	0xac, 0xca, 0x1e, 0xd1, 0x9b, 0x86, 0x59, 0x11, 0x04, 0xa5, 0xa3, 0x56, 0xc8, 0x3e, 0x25, 0xba,
+	0xa5, 0x1a, 0xba, 0x55, 0xd9, 0xbb, 0xba, 0x45, 0xa8, 0x72, 0xb5, 0xd2, 0x22, 0x3a, 0x31, 0x15,
+	0x4a, 0x9a, 0xe5, 0x8e, 0x69, 0x50, 0x03, 0x9d, 0x77, 0xd8, 0xcb, 0x4a, 0x47, 0x2d, 0xfb, 0xec,
+	0x65, 0xc1, 0x3e, 0x7b, 0xa5, 0xa5, 0xd2, 0x1d, 0x7b, 0xab, 0xdc, 0x30, 0xda, 0x95, 0x96, 0xd1,
+	0x32, 0x2a, 0x5c, 0x6a, 0xcb, 0xde, 0xe6, 0xbf, 0xf8, 0x0f, 0xfe, 0x97, 0x83, 0x36, 0x2b, 0x07,
+	0x94, 0x37, 0x0c, 0x93, 0x54, 0xf6, 0x62, 0x1a, 0x67, 0x2f, 0x05, 0x78, 0x3a, 0x86, 0xa6, 0x36,
+	0xba, 0x69, 0xc6, 0xcd, 0xbe, 0xe6, 0xb3, 0xb6, 0x95, 0xc6, 0x8e, 0xaa, 0x13, 0xb3, 0x5b, 0xe9,
+	0xec, 0xb6, 0xb8, 0xac, 0x49, 0x2c, 0xc3, 0x36, 0x1b, 0x64, 0x20, 0x29, 0xab, 0xd2, 0x26, 0x54,
+	0x49, 0x32, 0xab, 0x92, 0x26, 0x65, 0xda, 0x3a, 0x55, 0xdb, 0x71, 0x35, 0xaf, 0xf7, 0x12, 0xb0,
+	0x1a, 0x3b, 0xa4, 0xad, 0xc4, 0xe4, 0x5e, 0x4d, 0x93, 0xb3, 0xa9, 0xaa, 0x55, 0x54, 0x9d, 0x5a,
+	0xd4, 0x8c, 0x0a, 0xc9, 0x65, 0x80, 0x85, 0xf5, 0xe5, 0x4d, 0x62, 0xb2, 0xe9, 0x41, 0xf3, 0x90,
+	0xd3, 0x95, 0x36, 0x29, 0x4a, 0xf3, 0xd2, 0xc5, 0x91, 0xea, 0xe9, 0xc7, 0x07, 0xa5, 0x53, 0x87,
+	0x07, 0xa5, 0xdc, 0x9a, 0xd2, 0x26, 0x98, 0x53, 0xe4, 0x37, 0x61, 0x62, 0x41, 0xd3, 0x8c, 0x0f,
+	0x49, 0xf3, 0xae, 0x61, 0xd1, 0x75, 0x85, 0xee, 0xa0, 0x0b, 0x90, 0xeb, 0x28, 0x74, 0x47, 0x08,
+	0x21, 0x21, 0x04, 0x8c, 0xb6, 0x6e, 0x92, 0x6d, 0x75, 0x1f, 0x73, 0xba, 0xfc, 0x5d, 0x09, 0x9e,
+	0x5f, 0xb4, 0x2d, 0x6a, 0xb4, 0x57, 0x09, 0x35, 0xd5, 0xc6, 0xa2, 0x6d, 0x9a, 0x44, 0xa7, 0x35,
+	0xaa, 0x50, 0xdb, 0xea, 0xad, 0x1a, 0x3d, 0x80, 0xfc, 0x9e, 0xa2, 0xd9, 0xa4, 0x98, 0x99, 0x97,
+	0x2e, 0x8e, 0x5e, 0x2b, 0x97, 0xfd, 0x15, 0xe6, 0xf9, 0x5b, 0xee, 0xec, 0xb6, 0xf8, 0x92, 0x73,
+	0x27, 0xb1, 0x7c, 0xdf, 0x56, 0x74, 0xaa, 0xd2, 0x6e, 0xf5, 0x8c, 0x80, 0x3c, 0x2d, 0xf4, 0x6e,
+	0x32, 0x2c, 0xec, 0x40, 0xca, 0xff, 0x01, 0xe7, 0x53, 0x4d, 0x5b, 0x51, 0x2d, 0x8a, 0x1e, 0x42,
+	0x5e, 0xa5, 0xa4, 0x6d, 0x15, 0xa5, 0xf9, 0xec, 0xc5, 0xd1, 0x6b, 0x37, 0xca, 0x47, 0x2e, 0xef,
+	0x72, 0x2a, 0x58, 0x75, 0x4c, 0x98, 0x91, 0x5f, 0x66, 0x70, 0xd8, 0x41, 0x95, 0xff, 0x5f, 0x02,
+	0x14, 0x94, 0xa9, 0x2b, 0x66, 0x8b, 0xd0, 0x3e, 0x82, 0xf2, 0xaf, 0xdf, 0x2e, 0x28, 0xd3, 0x02,
+	0x72, 0xd4, 0x51, 0x18, 0x8a, 0x49, 0x07, 0x66, 0xe2, 0x26, 0xf1, 0x60, 0x6c, 0x86, 0x83, 0x71,
+	0x75, 0x80, 0x60, 0x38, 0x28, 0x29, 0x51, 0xf8, 0x38, 0x03, 0x23, 0x4b, 0x0a, 0x69, 0x1b, 0x7a,
+	0x8d, 0x50, 0xf4, 0x3e, 0x14, 0xd8, 0x9e, 0x6a, 0x2a, 0x54, 0xe1, 0x01, 0x18, 0xbd, 0xf6, 0xca,
+	0x51, 0xde, 0x59, 0x65, 0xc6, 0x5d, 0xde, 0xbb, 0x5a, 0xbe, 0xb7, 0xf5, 0x88, 0x34, 0xe8, 0x2a,
+	0xa1, 0x8a, 0xbf, 0x1a, 0xfd, 0x31, 0xec, 0xa1, 0xa2, 0x35, 0xc8, 0x59, 0x1d, 0xd2, 0x10, 0xb1,
+	0xbb, 0xdc, 0xc3, 0x0d, 0xcf, 0xb2, 0x5a, 0x87, 0x34, 0xfc, 0xc9, 0x60, 0xbf, 0x30, 0xc7, 0x41,
+	0x9b, 0x30, 0x64, 0xf1, 0x59, 0x2e, 0x66, 0x63, 0xb3, 0x71, 0x34, 0xa2, 0xb3, 0x36, 0xc6, 0x05,
+	0xe6, 0x90, 0xf3, 0x1b, 0x0b, 0x34, 0xf9, 0x73, 0x09, 0xc6, 0x3c, 0x5e, 0x3e, 0x03, 0xef, 0xc5,
+	0x62, 0x53, 0xee, 0x2f, 0x36, 0x4c, 0x9a, 0x47, 0x66, 0x52, 0xe8, 0x2a, 0xb8, 0x23, 0x81, 0xb8,
+	0xac, 0xba, 0xf3, 0x9b, 0xe1, 0xf3, 0x7b, 0xb1, 0x5f, 0x37, 0x52, 0xa6, 0xf5, 0x3b, 0xb9, 0x80,
+	0xf9, 0x2c, 0x5c, 0xe8, 0x21, 0x14, 0x2c, 0xa2, 0x91, 0x06, 0x35, 0x4c, 0x61, 0xfe, 0xab, 0x7d,
+	0x9a, 0xaf, 0x6c, 0x11, 0xad, 0x26, 0x44, 0xab, 0xa7, 0x99, 0xfd, 0xee, 0x2f, 0xec, 0x41, 0xa2,
+	0xfb, 0x50, 0xa0, 0xa4, 0xdd, 0xd1, 0x14, 0xea, 0xee, 0x8b, 0x97, 0x82, 0x2e, 0xb0, 0x03, 0x84,
+	0x81, 0xad, 0x1b, 0xcd, 0xba, 0x60, 0xe3, 0x53, 0xea, 0x85, 0xc4, 0x1d, 0xc5, 0x1e, 0x0c, 0xda,
+	0x83, 0x71, 0xbb, 0xd3, 0x64, 0x9c, 0x94, 0xa5, 0xcf, 0x56, 0x57, 0x4c, 0xf1, 0xeb, 0xfd, 0xc6,
+	0x66, 0x23, 0x24, 0x5d, 0x9d, 0x11, 0xba, 0xc6, 0xc3, 0xe3, 0x38, 0xa2, 0x05, 0x2d, 0xc0, 0x44,
+	0x5b, 0xd5, 0x31, 0x51, 0x9a, 0xdd, 0x1a, 0x69, 0x18, 0x7a, 0xd3, 0x2a, 0xe6, 0xe6, 0xa5, 0x8b,
+	0xf9, 0xea, 0x59, 0x01, 0x30, 0xb1, 0x1a, 0x26, 0xe3, 0x28, 0x3f, 0x7a, 0x07, 0x90, 0xeb, 0xc6,
+	0x1d, 0x27, 0xfb, 0xab, 0x86, 0x5e, 0xcc, 0xcf, 0x4b, 0x17, 0xb3, 0xd5, 0x59, 0x81, 0x82, 0xea,
+	0x31, 0x0e, 0x9c, 0x20, 0x85, 0x56, 0xe0, 0x8c, 0x49, 0xf6, 0x54, 0xe6, 0xe3, 0x5d, 0xd5, 0xa2,
+	0x86, 0xd9, 0x5d, 0x51, 0xdb, 0x2a, 0x2d, 0x0e, 0x71, 0x9b, 0x8a, 0x87, 0x07, 0xa5, 0x33, 0x38,
+	0x81, 0x8e, 0x13, 0xa5, 0xe4, 0xcf, 0xf2, 0x30, 0x11, 0xd9, 0x03, 0x68, 0x13, 0x66, 0x1a, 0x4e,
+	0xc2, 0x5c, 0xb3, 0xdb, 0x5b, 0xc4, 0xac, 0x35, 0x76, 0x48, 0xd3, 0xd6, 0x48, 0x93, 0x2f, 0x94,
+	0x7c, 0x75, 0x4e, 0x58, 0x3c, 0xb3, 0x98, 0xc8, 0x85, 0x53, 0xa4, 0x59, 0x14, 0x74, 0x3e, 0xb4,
+	0xaa, 0x5a, 0x96, 0x87, 0x99, 0xe1, 0x98, 0x5e, 0x14, 0xd6, 0x62, 0x1c, 0x38, 0x41, 0x8a, 0xd9,
+	0xd8, 0x24, 0x96, 0x6a, 0x92, 0x66, 0xd4, 0xc6, 0x6c, 0xd8, 0xc6, 0xa5, 0x44, 0x2e, 0x9c, 0x22,
+	0x8d, 0xae, 0xc3, 0xa8, 0xa3, 0x8d, 0xcf, 0x9f, 0x98, 0x68, 0x2f, 0x45, 0xaf, 0xf9, 0x24, 0x1c,
+	0xe4, 0x63, 0xae, 0x19, 0x5b, 0x16, 0x31, 0xf7, 0x48, 0x33, 0x7d, 0x82, 0xef, 0xc5, 0x38, 0x70,
+	0x82, 0x14, 0x73, 0xcd, 0x59, 0x81, 0x31, 0xd7, 0x86, 0xc2, 0xae, 0x6d, 0x24, 0x72, 0xe1, 0x14,
+	0x69, 0xb6, 0x8e, 0x1d, 0x93, 0x17, 0xf6, 0x14, 0x55, 0x53, 0xb6, 0x34, 0x52, 0x1c, 0x0e, 0xaf,
+	0xe3, 0xb5, 0x30, 0x19, 0x47, 0xf9, 0xd1, 0x1d, 0x98, 0x72, 0x86, 0x36, 0x74, 0xc5, 0x03, 0x29,
+	0x70, 0x90, 0xe7, 0x05, 0xc8, 0xd4, 0x5a, 0x94, 0x01, 0xc7, 0x65, 0xd0, 0x5b, 0x30, 0xde, 0x30,
+	0x34, 0x8d, 0xaf, 0xc7, 0x45, 0xc3, 0xd6, 0x69, 0x71, 0x84, 0xa3, 0x20, 0xb6, 0x1f, 0x17, 0x43,
+	0x14, 0x1c, 0xe1, 0x94, 0x7f, 0x25, 0xc1, 0xd9, 0x94, 0x3d, 0x8d, 0xfe, 0x11, 0x72, 0xb4, 0xdb,
+	0x71, 0x4f, 0xeb, 0xbf, 0x77, 0x0f, 0x88, 0x7a, 0xb7, 0x43, 0x9e, 0x1c, 0x94, 0xce, 0xa5, 0x88,
+	0x31, 0x32, 0xe6, 0x82, 0x48, 0x87, 0x31, 0x93, 0xa9, 0xd3, 0x5b, 0x0e, 0x8b, 0x48, 0x5e, 0xd7,
+	0x7b, 0xe4, 0x18, 0x1c, 0x94, 0xf1, 0x93, 0xf1, 0xd4, 0xe1, 0x41, 0x69, 0x2c, 0x44, 0xc3, 0x61,
+	0x78, 0xf9, 0x93, 0x0c, 0xc0, 0x12, 0xe9, 0x68, 0x46, 0xb7, 0x4d, 0xf4, 0x93, 0x38, 0x70, 0xef,
+	0x85, 0x0e, 0xdc, 0x2b, 0xbd, 0x72, 0xa7, 0x67, 0x5a, 0xea, 0x89, 0xfb, 0x6e, 0xe4, 0xc4, 0xad,
+	0xf4, 0x0f, 0x79, 0xf4, 0x91, 0xfb, 0xbb, 0x2c, 0x4c, 0xfb, 0xcc, 0x8b, 0x86, 0xde, 0x54, 0xf9,
+	0xfe, 0xb8, 0x19, 0x9a, 0xe3, 0xbf, 0x8b, 0xcc, 0xf1, 0xd9, 0x04, 0x91, 0xc0, 0xfc, 0xae, 0x78,
+	0xd6, 0x66, 0xb8, 0xf8, 0x6b, 0x61, 0xe5, 0x4f, 0x0e, 0x4a, 0x09, 0xf7, 0x9c, 0xb2, 0x87, 0x14,
+	0x36, 0x11, 0x5d, 0x80, 0x21, 0x93, 0x28, 0x96, 0xa1, 0xf3, 0x44, 0x31, 0xe2, 0xbb, 0x82, 0xf9,
+	0x28, 0x16, 0x54, 0x74, 0x09, 0x86, 0xdb, 0xc4, 0xb2, 0x94, 0x16, 0xe1, 0x39, 0x61, 0xa4, 0x3a,
+	0x21, 0x18, 0x87, 0x57, 0x9d, 0x61, 0xec, 0xd2, 0xd1, 0x23, 0x18, 0xd7, 0x14, 0x4b, 0x2c, 0xd0,
+	0xba, 0xda, 0x26, 0x7c, 0xd7, 0x8f, 0x5e, 0x7b, 0xb9, 0xbf, 0x75, 0xc0, 0x24, 0xfc, 0x93, 0x6d,
+	0x25, 0x84, 0x84, 0x23, 0xc8, 0x68, 0x0f, 0x10, 0x1b, 0xa9, 0x9b, 0x8a, 0x6e, 0x39, 0x81, 0x62,
+	0xfa, 0x86, 0x07, 0xd6, 0xe7, 0x65, 0xb8, 0x95, 0x18, 0x1a, 0x4e, 0xd0, 0x20, 0xff, 0x4c, 0x82,
+	0x71, 0x7f, 0x9a, 0x4e, 0xa0, 0x9a, 0x5a, 0x0b, 0x57, 0x53, 0x97, 0xfa, 0x5e, 0xa2, 0x29, 0xe5,
+	0xd4, 0x9f, 0x32, 0x80, 0x7c, 0x26, 0xb6, 0xc1, 0xb7, 0x94, 0xc6, 0x6e, 0x1f, 0x77, 0x85, 0x8f,
+	0x25, 0x40, 0x22, 0x3d, 0x2f, 0xe8, 0xba, 0x41, 0x79, 0xc6, 0x77, 0xcd, 0x5a, 0xee, 0xdb, 0x2c,
+	0x57, 0x63, 0x79, 0x23, 0x86, 0x75, 0x4b, 0xa7, 0x66, 0xd7, 0x9f, 0x91, 0x38, 0x03, 0x4e, 0x30,
+	0x00, 0x29, 0x00, 0xa6, 0xc0, 0xac, 0x1b, 0x62, 0x23, 0x5f, 0xe9, 0x23, 0xe7, 0x31, 0x81, 0x45,
+	0x43, 0xdf, 0x56, 0x5b, 0x7e, 0xda, 0xc1, 0x1e, 0x10, 0x0e, 0x80, 0xce, 0xde, 0x82, 0xb3, 0x29,
+	0xd6, 0xa2, 0x49, 0xc8, 0xee, 0x92, 0xae, 0x13, 0x36, 0xcc, 0xfe, 0x44, 0x67, 0x82, 0x77, 0xaa,
+	0x11, 0x71, 0x1d, 0x7a, 0x2b, 0x73, 0x43, 0x92, 0x3f, 0xcf, 0x07, 0xd7, 0x0e, 0x2f, 0x65, 0x2f,
+	0x42, 0xc1, 0x24, 0x1d, 0x4d, 0x6d, 0x28, 0x96, 0xa8, 0x50, 0x78, 0x55, 0x8a, 0xc5, 0x18, 0xf6,
+	0xa8, 0xa1, 0xa2, 0x37, 0xf3, 0x6c, 0x8b, 0xde, 0xec, 0xd3, 0x29, 0x7a, 0xff, 0x1d, 0x0a, 0x96,
+	0x5b, 0xee, 0xe6, 0x38, 0xe4, 0xd5, 0x01, 0xf2, 0xab, 0xa8, 0x74, 0x3d, 0x05, 0x5e, 0x8d, 0xeb,
+	0x81, 0x26, 0x55, 0xb7, 0xf9, 0x01, 0xab, 0xdb, 0xa7, 0x5a, 0x91, 0xb2, 0x9c, 0xda, 0x51, 0x6c,
+	0x8b, 0x34, 0x79, 0x22, 0x2a, 0xf8, 0x39, 0x75, 0x9d, 0x8f, 0x62, 0x41, 0x45, 0x0f, 0x43, 0x4b,
+	0xb6, 0x70, 0x9c, 0x25, 0x3b, 0x9e, 0xbe, 0x5c, 0xd1, 0x06, 0x9c, 0xed, 0x98, 0x46, 0xcb, 0x24,
+	0x96, 0xb5, 0x44, 0x94, 0xa6, 0xa6, 0xea, 0xc4, 0x8d, 0x8f, 0x53, 0xaa, 0x9c, 0x3b, 0x3c, 0x28,
+	0x9d, 0x5d, 0x4f, 0x66, 0xc1, 0x69, 0xb2, 0xf2, 0xe3, 0x1c, 0x4c, 0x46, 0x4f, 0xc0, 0x94, 0xea,
+	0x51, 0x3a, 0x56, 0xf5, 0x78, 0x39, 0xb0, 0x19, 0x9c, 0xd2, 0xda, 0x9b, 0xfd, 0x84, 0x0d, 0xb1,
+	0x00, 0x13, 0x22, 0x1b, 0xb8, 0x44, 0x51, 0x3f, 0x7b, 0xb3, 0xbf, 0x11, 0x26, 0xe3, 0x28, 0x3f,
+	0xab, 0x09, 0xfd, 0x52, 0xcf, 0x05, 0xc9, 0x85, 0x6b, 0xc2, 0x85, 0x28, 0x03, 0x8e, 0xcb, 0xa0,
+	0x55, 0x98, 0xb6, 0xf5, 0x38, 0x94, 0xb3, 0x1a, 0xcf, 0x09, 0xa8, 0xe9, 0x8d, 0x38, 0x0b, 0x4e,
+	0x92, 0x43, 0xdb, 0x00, 0x0d, 0xf7, 0xd8, 0xb6, 0x8a, 0x43, 0x3c, 0xc3, 0x5e, 0xeb, 0x7b, 0xef,
+	0x78, 0x27, 0xbe, 0x9f, 0xd7, 0xbc, 0x21, 0x0b, 0x07, 0x90, 0xd1, 0x4d, 0x18, 0x33, 0xf9, 0x85,
+	0xc0, 0x35, 0xd8, 0x29, 0xaa, 0x9f, 0x13, 0x62, 0x63, 0x38, 0x48, 0xc4, 0x61, 0xde, 0x84, 0x3a,
+	0xb8, 0xd0, 0x77, 0x1d, 0xfc, 0x73, 0x29, 0x78, 0x08, 0x79, 0x25, 0xf0, 0x5b, 0xa1, 0xf2, 0xe8,
+	0x42, 0xa4, 0x3c, 0x9a, 0x89, 0x4b, 0x04, 0xaa, 0x23, 0x23, 0xb9, 0xfa, 0x7d, 0x7d, 0xa0, 0xea,
+	0xd7, 0x3f, 0x3c, 0x7b, 0x97, 0xbf, 0x9f, 0x4a, 0x30, 0x73, 0xbb, 0x76, 0xc7, 0x34, 0xec, 0x8e,
+	0x6b, 0xce, 0xbd, 0x8e, 0x13, 0xd7, 0x37, 0x20, 0x67, 0xda, 0x9a, 0xeb, 0xc7, 0x4b, 0xae, 0x1f,
+	0xd8, 0xd6, 0x98, 0x1f, 0xd3, 0x11, 0x29, 0xc7, 0x09, 0x26, 0x80, 0xd6, 0x60, 0xc8, 0x54, 0xf4,
+	0x16, 0x71, 0x8f, 0xd5, 0x0b, 0x3d, 0xac, 0x5f, 0x5e, 0xc2, 0x8c, 0x3d, 0x50, 0xbc, 0x71, 0x69,
+	0x2c, 0x50, 0xe4, 0xff, 0x91, 0x60, 0xe2, 0x6e, 0xbd, 0xbe, 0xbe, 0xac, 0xf3, 0x1d, 0xcd, 0x1f,
+	0x5c, 0xe7, 0x43, 0x0f, 0xae, 0xde, 0x49, 0xcf, 0x68, 0xce, 0x53, 0x2b, 0xfa, 0x17, 0x18, 0x66,
+	0x99, 0x84, 0xe8, 0xcd, 0x3e, 0x4b, 0x6d, 0x01, 0x5f, 0x75, 0x84, 0xfc, 0x0a, 0x51, 0x0c, 0x60,
+	0x17, 0x4e, 0xde, 0x85, 0x33, 0x01, 0x73, 0x58, 0x3c, 0xf8, 0x9b, 0x21, 0xaa, 0x41, 0x9e, 0x69,
+	0x76, 0x9f, 0x04, 0x7b, 0xbd, 0x7c, 0x45, 0x5c, 0xf2, 0x2b, 0x1d, 0xf6, 0xcb, 0xc2, 0x0e, 0x96,
+	0xbc, 0x0a, 0x63, 0xfc, 0x95, 0xd9, 0x30, 0x29, 0x0f, 0x0b, 0x3a, 0x0f, 0xd9, 0xb6, 0xaa, 0x8b,
+	0x73, 0x76, 0x54, 0xc8, 0x64, 0xd9, 0x19, 0xc1, 0xc6, 0x39, 0x59, 0xd9, 0x17, 0x99, 0xc7, 0x27,
+	0x2b, 0xfb, 0x98, 0x8d, 0xcb, 0x77, 0x60, 0x58, 0x84, 0x3b, 0x08, 0x94, 0x3d, 0x1a, 0x28, 0x9b,
+	0x00, 0xf4, 0xbf, 0x19, 0x18, 0x16, 0xd6, 0x9f, 0xc0, 0xa5, 0x69, 0x25, 0x74, 0x69, 0x7a, 0xb9,
+	0xbf, 0x99, 0x4c, 0xbd, 0x31, 0xd5, 0x23, 0x37, 0xa6, 0xcb, 0x7d, 0xe2, 0x1d, 0x7d, 0x5d, 0xfa,
+	0x4c, 0x82, 0xf1, 0xf0, 0x1a, 0x42, 0xd7, 0x61, 0x94, 0x9d, 0x0f, 0x6a, 0x83, 0xac, 0xf9, 0x65,
+	0xa9, 0xf7, 0x98, 0x51, 0xf3, 0x49, 0x38, 0xc8, 0x87, 0x5a, 0x9e, 0x18, 0x9b, 0x76, 0xe1, 0x74,
+	0x7a, 0x48, 0x6d, 0xaa, 0x6a, 0x65, 0xa7, 0xb7, 0x51, 0x5e, 0xd6, 0xe9, 0x3d, 0xb3, 0x46, 0x4d,
+	0x55, 0x6f, 0xc5, 0x14, 0xf1, 0x35, 0x14, 0x44, 0x96, 0x7f, 0x2a, 0xc1, 0xa8, 0x30, 0xf9, 0x04,
+	0x2e, 0x01, 0xff, 0x1c, 0xbe, 0x04, 0x5c, 0xe8, 0x73, 0x3f, 0x26, 0xdf, 0x00, 0x7e, 0xe0, 0x9b,
+	0xce, 0x76, 0x20, 0x4b, 0x08, 0x3b, 0x86, 0x45, 0xa3, 0x09, 0x81, 0xed, 0x1d, 0xcc, 0x29, 0xc8,
+	0x86, 0x49, 0x35, 0xb2, 0x65, 0x45, 0x68, 0x2b, 0xfd, 0x59, 0xe2, 0x89, 0x55, 0x8b, 0x02, 0x7e,
+	0x32, 0x4a, 0xc1, 0x31, 0x15, 0x32, 0x81, 0x18, 0x17, 0xba, 0x0f, 0xb9, 0x1d, 0x4a, 0x3b, 0x09,
+	0xef, 0xbe, 0x3d, 0x12, 0x85, 0x6f, 0x42, 0x81, 0x7b, 0x57, 0xaf, 0xaf, 0x63, 0x0e, 0x25, 0xff,
+	0xd9, 0x8f, 0x47, 0xcd, 0x59, 0xe3, 0x5e, 0xfa, 0x93, 0x8e, 0x93, 0xfe, 0x46, 0x93, 0x52, 0x1f,
+	0xba, 0x0b, 0x59, 0xaa, 0xf5, 0x7b, 0x8b, 0x13, 0x88, 0xf5, 0x95, 0x9a, 0x9f, 0x3f, 0xea, 0x2b,
+	0x35, 0xcc, 0x20, 0xd0, 0x3d, 0xc8, 0xb3, 0xc3, 0x82, 0x6d, 0xc1, 0x6c, 0xff, 0x5b, 0x9a, 0xf9,
+	0xef, 0x2f, 0x08, 0xf6, 0xcb, 0xc2, 0x0e, 0x8e, 0xfc, 0x01, 0x8c, 0x85, 0xf6, 0x29, 0x7a, 0x1f,
+	0x4e, 0x6b, 0x86, 0xd2, 0xac, 0x2a, 0x9a, 0xa2, 0x37, 0x88, 0xfb, 0xc8, 0x7e, 0x21, 0xe9, 0x42,
+	0xb0, 0x12, 0xe0, 0x13, 0xbb, 0xdc, 0x6b, 0x95, 0x05, 0x69, 0x38, 0x84, 0x28, 0x2b, 0x00, 0xbe,
+	0x8f, 0xa8, 0x04, 0x79, 0xb6, 0xce, 0x9c, 0xf4, 0x3f, 0x52, 0x1d, 0x61, 0x16, 0xb2, 0xe5, 0x67,
+	0x61, 0x67, 0x1c, 0x5d, 0x03, 0xb0, 0x48, 0xc3, 0x24, 0x94, 0x27, 0x83, 0x4c, 0xb8, 0x55, 0x58,
+	0xf3, 0x28, 0x38, 0xc0, 0x25, 0xff, 0x52, 0x82, 0xb1, 0x35, 0x42, 0x3f, 0x34, 0xcc, 0xdd, 0x75,
+	0xde, 0xcf, 0x3d, 0x81, 0x64, 0x8b, 0x43, 0xc9, 0xf6, 0x95, 0x1e, 0x33, 0x13, 0xb2, 0x2e, 0x2d,
+	0xe5, 0x32, 0x3f, 0x8a, 0x21, 0xce, 0xe0, 0xde, 0xdd, 0x80, 0x7c, 0xc7, 0x30, 0xa9, 0x7b, 0x70,
+	0x0e, 0xa4, 0x91, 0xe5, 0xb1, 0xc0, 0xd1, 0xc9, 0x60, 0xb0, 0x83, 0xc6, 0xfc, 0xd8, 0x36, 0x8d,
+	0xb6, 0x58, 0xad, 0x83, 0xa1, 0x12, 0x62, 0xfa, 0x7e, 0xdc, 0x36, 0x8d, 0x36, 0xe6, 0x58, 0xf2,
+	0x2f, 0x24, 0x98, 0x0a, 0x71, 0x9e, 0x40, 0xde, 0xbc, 0x1f, 0xce, 0x9b, 0x97, 0x07, 0x71, 0x24,
+	0x25, 0x7b, 0xfe, 0x31, 0xea, 0x06, 0x73, 0x18, 0x6d, 0xc3, 0x68, 0xc7, 0x68, 0xd6, 0x9e, 0x42,
+	0x57, 0x6a, 0x82, 0x1d, 0x3b, 0xeb, 0x3e, 0x16, 0x0e, 0x02, 0xa3, 0x7d, 0x98, 0xd2, 0x95, 0x36,
+	0xb1, 0x3a, 0x4a, 0x83, 0xd4, 0x9e, 0xc2, 0x73, 0xc0, 0x73, 0xfc, 0xd9, 0x3b, 0x8a, 0x88, 0xe3,
+	0x4a, 0xe4, 0x1f, 0xc6, 0xfc, 0x36, 0x4c, 0x8a, 0xee, 0x40, 0x81, 0x7f, 0x09, 0xd0, 0x30, 0x34,
+	0xf7, 0xe1, 0x9a, 0x4d, 0xc5, 0xba, 0x18, 0x7b, 0x72, 0x50, 0x3a, 0x97, 0xf0, 0x26, 0xe9, 0x92,
+	0xb1, 0x27, 0x8c, 0xd6, 0x20, 0xd7, 0xf9, 0x36, 0x27, 0x36, 0x4f, 0xea, 0xfc, 0x98, 0xe6, 0x38,
+	0xf2, 0x37, 0x51, 0x73, 0x79, 0x6a, 0x7f, 0xf4, 0xd4, 0xa6, 0xc9, 0xab, 0x10, 0x52, 0xa7, 0x6a,
+	0x0b, 0x86, 0xc5, 0x89, 0x26, 0x56, 0xdf, 0x1b, 0x83, 0xac, 0xbe, 0x60, 0xd6, 0xf6, 0xea, 0x69,
+	0x77, 0xd0, 0x05, 0x96, 0x7f, 0x2d, 0xc1, 0x14, 0x37, 0xa0, 0x61, 0x9b, 0x2a, 0xed, 0x9e, 0x58,
+	0x9e, 0xdb, 0x0c, 0xe5, 0xb9, 0xd7, 0x7a, 0x38, 0x16, 0xb3, 0x30, 0x35, 0xd7, 0x7d, 0x21, 0xc1,
+	0x73, 0x31, 0xee, 0x13, 0xc8, 0x13, 0x1b, 0xe1, 0x3c, 0xf1, 0xca, 0xa0, 0x0e, 0xa5, 0xe4, 0x8a,
+	0xef, 0x9d, 0x4e, 0x70, 0x87, 0x2f, 0xc4, 0x6b, 0x00, 0x1d, 0x53, 0xdd, 0x53, 0x35, 0xd2, 0x12,
+	0xbd, 0xc9, 0x42, 0xe0, 0xdb, 0x17, 0x8f, 0x82, 0x03, 0x5c, 0xc8, 0x82, 0x99, 0x26, 0xd9, 0x56,
+	0x6c, 0x8d, 0x2e, 0x34, 0x9b, 0x8b, 0x4a, 0x47, 0xd9, 0x52, 0x35, 0x95, 0xaa, 0xe2, 0xb2, 0x38,
+	0x52, 0xbd, 0xe9, 0xf4, 0x0c, 0x93, 0x38, 0x9e, 0x1c, 0x94, 0xce, 0x27, 0xf5, 0x06, 0x5c, 0x96,
+	0x2e, 0x4e, 0x81, 0x46, 0x5d, 0x28, 0x9a, 0xe4, 0x03, 0x5b, 0x35, 0x49, 0x73, 0xc9, 0x34, 0x3a,
+	0x21, 0xb5, 0x59, 0xae, 0xf6, 0x1f, 0x0e, 0x0f, 0x4a, 0x45, 0x9c, 0xc2, 0xd3, 0x5b, 0x71, 0x2a,
+	0x3c, 0x7a, 0x04, 0xd3, 0x8a, 0xf3, 0xb1, 0x50, 0x48, 0x6b, 0x8e, 0x6b, 0xbd, 0x71, 0x78, 0x50,
+	0x9a, 0x5e, 0x88, 0x93, 0x7b, 0x2b, 0x4c, 0x02, 0x45, 0x15, 0x18, 0xde, 0x33, 0x34, 0xbb, 0x4d,
+	0xac, 0x62, 0x9e, 0xe3, 0xb3, 0xc4, 0x38, 0xbc, 0xe9, 0x0c, 0x3d, 0x39, 0x28, 0x0d, 0xdd, 0xae,
+	0xf1, 0x6b, 0xba, 0xcb, 0xc5, 0xee, 0x27, 0xac, 0x34, 0x11, 0x7b, 0x96, 0xbf, 0x17, 0x16, 0xfc,
+	0xa4, 0x70, 0xd7, 0x27, 0xe1, 0x20, 0x1f, 0x7a, 0x08, 0x23, 0x3b, 0xe2, 0x4e, 0x6a, 0x15, 0x87,
+	0xfb, 0x3a, 0x94, 0x42, 0x77, 0xd8, 0xea, 0x94, 0x50, 0x31, 0xe2, 0x0e, 0x5b, 0xd8, 0x47, 0x44,
+	0x97, 0x60, 0x98, 0xff, 0x58, 0x5e, 0xe2, 0x8f, 0x31, 0x05, 0x3f, 0x75, 0xdc, 0x75, 0x86, 0xb1,
+	0x4b, 0x77, 0x59, 0x97, 0xd7, 0x17, 0xf9, 0xa3, 0x60, 0x84, 0x75, 0x79, 0x7d, 0x11, 0xbb, 0x74,
+	0xf4, 0x3e, 0x0c, 0x5b, 0x64, 0x45, 0xd5, 0xed, 0xfd, 0x22, 0xf4, 0xd5, 0x52, 0xac, 0xdd, 0xe2,
+	0xdc, 0x91, 0x67, 0x11, 0x5f, 0x83, 0xa0, 0x63, 0x17, 0x16, 0xed, 0xc0, 0x88, 0x69, 0xeb, 0x0b,
+	0xd6, 0x86, 0x45, 0xcc, 0xe2, 0x28, 0xd7, 0xd1, 0x2b, 0x5b, 0x62, 0x97, 0x3f, 0xaa, 0xc5, 0x8b,
+	0x90, 0xc7, 0x81, 0x7d, 0x70, 0xf4, 0xdf, 0x12, 0x20, 0xcb, 0xee, 0x74, 0x34, 0xd2, 0x26, 0x3a,
+	0x55, 0x34, 0xfe, 0x12, 0x63, 0x15, 0x4f, 0x73, 0x9d, 0xff, 0xd4, 0xcb, 0xaf, 0x98, 0x60, 0x54,
+	0xb9, 0xf7, 0xe4, 0x19, 0x67, 0xc5, 0x09, 0x7a, 0x59, 0x68, 0xb7, 0x2d, 0xfe, 0x77, 0x71, 0xac,
+	0xaf, 0xd0, 0x26, 0xbf, 0x38, 0xf9, 0xa1, 0x15, 0x74, 0xec, 0xc2, 0xa2, 0x4d, 0x98, 0x31, 0x89,
+	0xd2, 0xbc, 0xa7, 0x6b, 0x5d, 0x6c, 0x18, 0xf4, 0xb6, 0xaa, 0x11, 0xab, 0x6b, 0x51, 0xd2, 0x2e,
+	0x8e, 0xf3, 0x69, 0xf7, 0x5a, 0xf2, 0x38, 0x91, 0x0b, 0xa7, 0x48, 0xa3, 0x36, 0x94, 0xdc, 0x94,
+	0xc1, 0xf6, 0x93, 0x97, 0xb3, 0x6e, 0x59, 0x0d, 0x45, 0x73, 0x5e, 0x81, 0x27, 0xb8, 0x82, 0x97,
+	0x0e, 0x0f, 0x4a, 0xa5, 0xa5, 0xa3, 0x59, 0x71, 0x2f, 0x2c, 0xf4, 0x1e, 0x14, 0x95, 0x34, 0x3d,
+	0x93, 0x5c, 0xcf, 0xbc, 0x70, 0xa4, 0x98, 0xaa, 0x24, 0x15, 0x01, 0x51, 0x98, 0x54, 0xc2, 0xdf,
+	0x25, 0x5a, 0xc5, 0xa9, 0xbe, 0x9e, 0xa2, 0x22, 0x9f, 0x33, 0xfa, 0xf7, 0xdb, 0x08, 0xc1, 0xc2,
+	0x31, 0x0d, 0xbc, 0x81, 0x2e, 0x9e, 0x53, 0x4f, 0xe6, 0x8b, 0xb5, 0xc1, 0x1a, 0xe8, 0xbe, 0x69,
+	0x4f, 0xad, 0x81, 0x1e, 0x80, 0x3c, 0xfa, 0x45, 0xe8, 0x0f, 0x19, 0x98, 0xf6, 0x99, 0xfb, 0x6e,
+	0xa0, 0x27, 0x88, 0x3c, 0xb3, 0x06, 0x7a, 0x72, 0x07, 0x3a, 0xfb, 0xac, 0x3b, 0xd0, 0xcf, 0xa0,
+	0x71, 0xcf, 0x9b, 0xda, 0x7e, 0xe8, 0xfe, 0xfa, 0x9a, 0xda, 0xbe, 0x6d, 0x29, 0x85, 0xd6, 0x8f,
+	0x33, 0x41, 0x07, 0xfe, 0xe6, 0x3b, 0xab, 0xdf, 0xfe, 0xb3, 0x3e, 0xf9, 0x8b, 0x2c, 0x4c, 0x46,
+	0x77, 0x63, 0xa8, 0x01, 0x27, 0xf5, 0x6c, 0xc0, 0xad, 0xc3, 0x99, 0x6d, 0x5b, 0xd3, 0xba, 0x3c,
+	0x0c, 0x81, 0x2e, 0x9c, 0xf3, 0x80, 0xfe, 0x82, 0x90, 0x3c, 0x73, 0x3b, 0x81, 0x07, 0x27, 0x4a,
+	0xa6, 0x34, 0x13, 0xb3, 0xc7, 0x6a, 0x26, 0xc6, 0x7a, 0x5b, 0xb9, 0x01, 0x7a, 0x5b, 0x89, 0x8d,
+	0xc1, 0xfc, 0x31, 0x1a, 0x83, 0xc7, 0xe9, 0xe4, 0x25, 0x24, 0xb1, 0x5e, 0x9d, 0x3c, 0xf9, 0x05,
+	0x98, 0x15, 0x62, 0x94, 0x37, 0xd9, 0x74, 0x6a, 0x1a, 0x9a, 0x46, 0xcc, 0x25, 0xbb, 0xdd, 0xee,
+	0xca, 0x6f, 0xc3, 0x78, 0xb8, 0x7d, 0xec, 0xcc, 0xb4, 0xd3, 0xc1, 0x16, 0x6d, 0x8c, 0xc0, 0x4c,
+	0x3b, 0xe3, 0xd8, 0xe3, 0x90, 0x3f, 0x92, 0x60, 0x26, 0xf9, 0x33, 0x31, 0xa4, 0xc1, 0x78, 0x5b,
+	0xd9, 0x0f, 0x7e, 0x53, 0x27, 0x1d, 0xf3, 0x06, 0xcf, 0xfb, 0x86, 0xab, 0x21, 0x2c, 0x1c, 0xc1,
+	0x66, 0xb7, 0xfa, 0xb3, 0x29, 0x1d, 0xbb, 0x93, 0xb5, 0x04, 0x3d, 0x80, 0x42, 0x5b, 0xd9, 0xaf,
+	0xd9, 0x66, 0x8b, 0x1c, 0xfb, 0xcd, 0x82, 0x67, 0x8c, 0x55, 0x81, 0x82, 0x3d, 0x3c, 0xf9, 0x53,
+	0x09, 0x8a, 0x69, 0xe5, 0x2d, 0xba, 0x1e, 0xea, 0x2d, 0xbe, 0x18, 0xe9, 0x2d, 0x4e, 0xc5, 0xe4,
+	0x9e, 0x51, 0x67, 0xf1, 0x47, 0x12, 0xcc, 0x24, 0x97, 0xf9, 0xe8, 0xd5, 0x90, 0x85, 0xa5, 0x88,
+	0x85, 0x13, 0x11, 0x29, 0x61, 0xdf, 0xbf, 0xc1, 0xb8, 0xb8, 0x0c, 0x08, 0x18, 0x11, 0x55, 0x39,
+	0x29, 0x57, 0x0a, 0x08, 0xb7, 0xf8, 0xe5, 0xf3, 0x15, 0x1e, 0xc3, 0x11, 0x34, 0xf9, 0xbf, 0x32,
+	0x90, 0xaf, 0x35, 0x14, 0x8d, 0x9c, 0x40, 0x99, 0xf5, 0x4e, 0xa8, 0xcc, 0xea, 0xf5, 0xfd, 0x3b,
+	0xb7, 0x2a, 0xb5, 0xc2, 0xc2, 0x91, 0x0a, 0xeb, 0xe5, 0xbe, 0xd0, 0x8e, 0x2e, 0xae, 0xde, 0x84,
+	0x11, 0x4f, 0xe9, 0x60, 0x39, 0x5f, 0xfe, 0x7e, 0x06, 0x46, 0x03, 0x2a, 0x06, 0x3c, 0x31, 0xb6,
+	0x43, 0x27, 0x6d, 0x3f, 0xff, 0x09, 0x13, 0xd0, 0x55, 0x76, 0xcf, 0x56, 0xe7, 0x33, 0x31, 0xff,
+	0xc3, 0xa0, 0xf8, 0x91, 0xfb, 0x36, 0x8c, 0x53, 0xfe, 0x9f, 0x22, 0xde, 0x4b, 0x5f, 0x96, 0xaf,
+	0x45, 0xef, 0xe3, 0xc2, 0x7a, 0x88, 0x8a, 0x23, 0xdc, 0xb3, 0x37, 0x61, 0x2c, 0xa4, 0x6c, 0xa0,
+	0xaf, 0xbc, 0x7e, 0x22, 0xc1, 0x8b, 0x3d, 0x2f, 0x8a, 0xa8, 0x1a, 0xda, 0x24, 0xe5, 0xc8, 0x26,
+	0x99, 0x4b, 0x07, 0x78, 0x86, 0x5f, 0x0b, 0x7c, 0x94, 0x01, 0x54, 0xdf, 0x51, 0xcd, 0xe6, 0xba,
+	0x62, 0xd2, 0x2e, 0x16, 0xff, 0xee, 0x73, 0x02, 0x1b, 0xe6, 0x3a, 0x8c, 0x36, 0x89, 0xd5, 0x30,
+	0x55, 0x1e, 0x1c, 0x51, 0x9d, 0x7b, 0x8f, 0x29, 0x4b, 0x3e, 0x09, 0x07, 0xf9, 0xd0, 0xbb, 0x50,
+	0xd8, 0x73, 0xfe, 0xf5, 0xcc, 0xed, 0x85, 0xf5, 0x2a, 0x24, 0xfd, 0x7f, 0x56, 0xf3, 0xd7, 0x8f,
+	0x18, 0xb0, 0xb0, 0x07, 0x26, 0x7f, 0x22, 0xc1, 0x4c, 0x3c, 0x10, 0x4b, 0xcc, 0xd4, 0x67, 0x1f,
+	0x8c, 0x17, 0x20, 0xc7, 0xd1, 0x59, 0x14, 0x4e, 0x3b, 0xef, 0xda, 0x4c, 0x33, 0xe6, 0xa3, 0xf2,
+	0x6f, 0x25, 0x98, 0x4d, 0x36, 0xed, 0x04, 0xca, 0xf6, 0x07, 0xe1, 0xb2, 0xbd, 0xd7, 0x5b, 0x45,
+	0xb2, 0x9d, 0x29, 0x25, 0xfc, 0x6f, 0x12, 0x63, 0x7e, 0x02, 0x4e, 0x6d, 0x86, 0x9d, 0xba, 0x3a,
+	0xb0, 0x53, 0xc9, 0x0e, 0x55, 0xaf, 0x3c, 0xfe, 0x7a, 0xee, 0xd4, 0x97, 0x5f, 0xcf, 0x9d, 0xfa,
+	0xea, 0xeb, 0xb9, 0x53, 0xff, 0x79, 0x38, 0x27, 0x3d, 0x3e, 0x9c, 0x93, 0xbe, 0x3c, 0x9c, 0x93,
+	0xbe, 0x3a, 0x9c, 0x93, 0x7e, 0x7f, 0x38, 0x27, 0xfd, 0xdf, 0x37, 0x73, 0xa7, 0x1e, 0x0c, 0x0b,
+	0xdc, 0xbf, 0x04, 0x00, 0x00, 0xff, 0xff, 0xc0, 0xf0, 0x58, 0xb7, 0x3a, 0x3b, 0x00, 0x00,
+>>>>>>> Allow PSP's to specify a whitelist of allowed paths for host volume
 }

staging/src/k8s.io/api/extensions/v1beta1/generated.proto

@@ -39,6 +39,19 @@ message APIVersion {
   optional string name = 1;
 }
 
+// AllowedHostPath defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+message AllowedHostPath {
+  // PathPrefix is the path prefix that the host volume must match.
+  // PathPrefix does not support `*`.
+  // Trailing slashes are trimmed when validating the path prefix with a host path.
+  // 
+  // Examples:
+  // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+  // `/foo` would not allow `/food` or `/etc/foo`
+  optional string path = 1;
+}
+
 message CustomMetricCurrentStatus {
   // Custom Metric name.
   optional string name = 1;
@@ -754,6 +767,10 @@ message PodSecurityPolicySpec {
   // privilege escalation.
   // +optional
   optional bool allowPrivilegeEscalation = 16;
+
+  // AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
+  // +optional
+  repeated AllowedHostPath allowedHostPaths = 17;
 }
 
 // ReplicaSet represents the configuration of a ReplicaSet.

staging/src/k8s.io/api/extensions/v1beta1/types.generated.go

@@ -14751,7 +14751,7 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
 		} else {
 			yysep2 := !z.EncBinary()
 			yy2arr2 := z.EncBasicHandle().StructToArray
-			var yyq2 [16]bool
+			var yyq2 [17]bool
 			_, _, _ = yysep2, yyq2, yy2arr2
 			const yyr2 bool = false
 			yyq2[0] = x.Privileged != false
@@ -14766,9 +14766,10 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
 			yyq2[13] = x.ReadOnlyRootFilesystem != false
 			yyq2[14] = x.DefaultAllowPrivilegeEscalation != nil
 			yyq2[15] = x.AllowPrivilegeEscalation != false
+			yyq2[16] = len(x.AllowedHostPaths) != 0
 			var yynn2 int
 			if yyr2 || yy2arr2 {
-				r.EncodeArrayStart(16)
+				r.EncodeArrayStart(17)
 			} else {
 				yynn2 = 4
 				for _, b := range yyq2 {
@@ -15173,6 +15174,39 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
 					}
 				}
 			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[16] {
+					if x.AllowedHostPaths == nil {
+						r.EncodeNil()
+					} else {
+						yym62 := z.EncBinary()
+						_ = yym62
+						if false {
+						} else {
+							h.encSliceAllowedHostPath(([]AllowedHostPath)(x.AllowedHostPaths), e)
+						}
+					}
+				} else {
+					r.EncodeNil()
+				}
+			} else {
+				if yyq2[16] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("allowedHostPaths"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					if x.AllowedHostPaths == nil {
+						r.EncodeNil()
+					} else {
+						yym63 := z.EncBinary()
+						_ = yym63
+						if false {
+						} else {
+							h.encSliceAllowedHostPath(([]AllowedHostPath)(x.AllowedHostPaths), e)
+						}
+					}
+				}
+			}
 			if yyr2 || yy2arr2 {
 				z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
 			} else {
@@ -15410,6 +15444,18 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromMap(l int, d *codec1978.Decod
 					*((*bool)(yyv30)) = r.DecodeBool()
 				}
 			}
+		case "allowedHostPaths":
+			if r.TryDecodeAsNil() {
+				x.AllowedHostPaths = nil
+			} else {
+				yyv32 := &x.AllowedHostPaths
+				yym33 := z.DecBinary()
+				_ = yym33
+				if false {
+				} else {
+					h.decSliceAllowedHostPath((*[]AllowedHostPath)(yyv32), d)
+				}
+			}
 		default:
 			z.DecStructFieldNotFound(-1, yys3)
 		} // end switch yys3
@@ -15421,16 +15467,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperDecoder(d)
 	_, _, _ = h, z, r
-	var yyj32 int
+	var yyj34 int
-	var yyb32 bool
+	var yyb34 bool
-	var yyhl32 bool = l >= 0
+	var yyhl34 bool = l >= 0
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15438,21 +15484,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.Privileged = false
 	} else {
-		yyv33 := &x.Privileged
+		yyv35 := &x.Privileged
-		yym34 := z.DecBinary()
+		yym36 := z.DecBinary()
-		_ = yym34
+		_ = yym36
 		if false {
 		} else {
-			*((*bool)(yyv33)) = r.DecodeBool()
+			*((*bool)(yyv35)) = r.DecodeBool()
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15460,29 +15506,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.DefaultAddCapabilities = nil
 	} else {
-		yyv35 := &x.DefaultAddCapabilities
+		yyv37 := &x.DefaultAddCapabilities
-		yym36 := z.DecBinary()
-		_ = yym36
-		if false {
-		} else {
-			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv35), d)
-		}
-	}
-	yyj32++
-	if yyhl32 {
-		yyb32 = yyj32 > l
-	} else {
-		yyb32 = r.CheckBreak()
-	}
-	if yyb32 {
-		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
-		return
-	}
-	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-	if r.TryDecodeAsNil() {
-		x.RequiredDropCapabilities = nil
-	} else {
-		yyv37 := &x.RequiredDropCapabilities
 		yym38 := z.DecBinary()
 		_ = yym38
 		if false {
@@ -15490,21 +15514,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv37), d)
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
 	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
 	if r.TryDecodeAsNil() {
-		x.AllowedCapabilities = nil
+		x.RequiredDropCapabilities = nil
 	} else {
-		yyv39 := &x.AllowedCapabilities
+		yyv39 := &x.RequiredDropCapabilities
 		yym40 := z.DecBinary()
 		_ = yym40
 		if false {
@@ -15512,13 +15536,35 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv39), d)
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.AllowedCapabilities = nil
+	} else {
+		yyv41 := &x.AllowedCapabilities
+		yym42 := z.DecBinary()
+		_ = yym42
+		if false {
+		} else {
+			h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv41), d)
+		}
+	}
+	yyj34++
+	if yyhl34 {
+		yyb34 = yyj34 > l
+	} else {
+		yyb34 = r.CheckBreak()
+	}
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15526,21 +15572,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.Volumes = nil
 	} else {
-		yyv41 := &x.Volumes
+		yyv43 := &x.Volumes
-		yym42 := z.DecBinary()
+		yym44 := z.DecBinary()
-		_ = yym42
+		_ = yym44
 		if false {
 		} else {
-			h.decSliceFSType((*[]FSType)(yyv41), d)
+			h.decSliceFSType((*[]FSType)(yyv43), d)
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15548,21 +15594,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.HostNetwork = false
 	} else {
-		yyv43 := &x.HostNetwork
+		yyv45 := &x.HostNetwork
-		yym44 := z.DecBinary()
+		yym46 := z.DecBinary()
-		_ = yym44
+		_ = yym46
 		if false {
 		} else {
-			*((*bool)(yyv43)) = r.DecodeBool()
+			*((*bool)(yyv45)) = r.DecodeBool()
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15570,21 +15616,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.HostPorts = nil
 	} else {
-		yyv45 := &x.HostPorts
+		yyv47 := &x.HostPorts
-		yym46 := z.DecBinary()
+		yym48 := z.DecBinary()
-		_ = yym46
+		_ = yym48
 		if false {
 		} else {
-			h.decSliceHostPortRange((*[]HostPortRange)(yyv45), d)
+			h.decSliceHostPortRange((*[]HostPortRange)(yyv47), d)
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15592,29 +15638,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.HostPID = false
 	} else {
-		yyv47 := &x.HostPID
+		yyv49 := &x.HostPID
-		yym48 := z.DecBinary()
-		_ = yym48
-		if false {
-		} else {
-			*((*bool)(yyv47)) = r.DecodeBool()
-		}
-	}
-	yyj32++
-	if yyhl32 {
-		yyb32 = yyj32 > l
-	} else {
-		yyb32 = r.CheckBreak()
-	}
-	if yyb32 {
-		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
-		return
-	}
-	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-	if r.TryDecodeAsNil() {
-		x.HostIPC = false
-	} else {
-		yyv49 := &x.HostIPC
 		yym50 := z.DecBinary()
 		_ = yym50
 		if false {
@@ -15622,13 +15646,35 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 			*((*bool)(yyv49)) = r.DecodeBool()
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.HostIPC = false
+	} else {
+		yyv51 := &x.HostIPC
+		yym52 := z.DecBinary()
+		_ = yym52
+		if false {
+		} else {
+			*((*bool)(yyv51)) = r.DecodeBool()
+		}
+	}
+	yyj34++
+	if yyhl34 {
+		yyb34 = yyj34 > l
+	} else {
+		yyb34 = r.CheckBreak()
+	}
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15636,16 +15682,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.SELinux = SELinuxStrategyOptions{}
 	} else {
-		yyv51 := &x.SELinux
+		yyv53 := &x.SELinux
-		yyv51.CodecDecodeSelf(d)
+		yyv53.CodecDecodeSelf(d)
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15653,16 +15699,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.RunAsUser = RunAsUserStrategyOptions{}
 	} else {
-		yyv52 := &x.RunAsUser
+		yyv54 := &x.RunAsUser
-		yyv52.CodecDecodeSelf(d)
+		yyv54.CodecDecodeSelf(d)
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15670,16 +15716,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.SupplementalGroups = SupplementalGroupsStrategyOptions{}
 	} else {
-		yyv53 := &x.SupplementalGroups
+		yyv55 := &x.SupplementalGroups
-		yyv53.CodecDecodeSelf(d)
+		yyv55.CodecDecodeSelf(d)
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15687,16 +15733,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.FSGroup = FSGroupStrategyOptions{}
 	} else {
-		yyv54 := &x.FSGroup
+		yyv56 := &x.FSGroup
-		yyv54.CodecDecodeSelf(d)
+		yyv56.CodecDecodeSelf(d)
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15704,21 +15750,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.ReadOnlyRootFilesystem = false
 	} else {
-		yyv55 := &x.ReadOnlyRootFilesystem
+		yyv57 := &x.ReadOnlyRootFilesystem
-		yym56 := z.DecBinary()
+		yym58 := z.DecBinary()
-		_ = yym56
+		_ = yym58
 		if false {
 		} else {
-			*((*bool)(yyv55)) = r.DecodeBool()
+			*((*bool)(yyv57)) = r.DecodeBool()
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15731,20 +15777,20 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 		if x.DefaultAllowPrivilegeEscalation == nil {
 			x.DefaultAllowPrivilegeEscalation = new(bool)
 		}
-		yym58 := z.DecBinary()
+		yym60 := z.DecBinary()
-		_ = yym58
+		_ = yym60
 		if false {
 		} else {
 			*((*bool)(x.DefaultAllowPrivilegeEscalation)) = r.DecodeBool()
 		}
 	}
-	yyj32++
+	yyj34++
-	if yyhl32 {
+	if yyhl34 {
-		yyb32 = yyj32 > l
+		yyb34 = yyj34 > l
 	} else {
-		yyb32 = r.CheckBreak()
+		yyb34 = r.CheckBreak()
 	}
-	if yyb32 {
+	if yyb34 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -15752,26 +15798,229 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
 	if r.TryDecodeAsNil() {
 		x.AllowPrivilegeEscalation = false
 	} else {
-		yyv59 := &x.AllowPrivilegeEscalation
+		yyv61 := &x.AllowPrivilegeEscalation
-		yym60 := z.DecBinary()
+		yym62 := z.DecBinary()
-		_ = yym60
+		_ = yym62
 		if false {
 		} else {
-			*((*bool)(yyv59)) = r.DecodeBool()
+			*((*bool)(yyv61)) = r.DecodeBool()
+		}
+	}
+	yyj34++
+	if yyhl34 {
+		yyb34 = yyj34 > l
+	} else {
+		yyb34 = r.CheckBreak()
+	}
+	if yyb34 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.AllowedHostPaths = nil
+	} else {
+		yyv63 := &x.AllowedHostPaths
+		yym64 := z.DecBinary()
+		_ = yym64
+		if false {
+		} else {
+			h.decSliceAllowedHostPath((*[]AllowedHostPath)(yyv63), d)
 		}
 	}
 	for {
-		yyj32++
+		yyj34++
-		if yyhl32 {
+		if yyhl34 {
-			yyb32 = yyj32 > l
+			yyb34 = yyj34 > l
 		} else {
-			yyb32 = r.CheckBreak()
+			yyb34 = r.CheckBreak()
 		}
-		if yyb32 {
+		if yyb34 {
 			break
 		}
 		z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-		z.DecStructFieldNotFound(yyj32-1, "")
+		z.DecStructFieldNotFound(yyj34-1, "")
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+}
+
+func (x *AllowedHostPath) CodecEncodeSelf(e *codec1978.Encoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperEncoder(e)
+	_, _, _ = h, z, r
+	if x == nil {
+		r.EncodeNil()
+	} else {
+		yym1 := z.EncBinary()
+		_ = yym1
+		if false {
+		} else if z.HasExtensions() && z.EncExt(x) {
+		} else {
+			yysep2 := !z.EncBinary()
+			yy2arr2 := z.EncBasicHandle().StructToArray
+			var yyq2 [1]bool
+			_, _, _ = yysep2, yyq2, yy2arr2
+			const yyr2 bool = false
+			yyq2[0] = x.PathPrefix != ""
+			var yynn2 int
+			if yyr2 || yy2arr2 {
+				r.EncodeArrayStart(1)
+			} else {
+				yynn2 = 0
+				for _, b := range yyq2 {
+					if b {
+						yynn2++
+					}
+				}
+				r.EncodeMapStart(yynn2)
+				yynn2 = 0
+			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[0] {
+					yym4 := z.EncBinary()
+					_ = yym4
+					if false {
+					} else {
+						r.EncodeString(codecSelferC_UTF81234, string(x.PathPrefix))
+					}
+				} else {
+					r.EncodeString(codecSelferC_UTF81234, "")
+				}
+			} else {
+				if yyq2[0] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("path"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					yym5 := z.EncBinary()
+					_ = yym5
+					if false {
+					} else {
+						r.EncodeString(codecSelferC_UTF81234, string(x.PathPrefix))
+					}
+				}
+			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
+			} else {
+				z.EncSendContainerState(codecSelfer_containerMapEnd1234)
+			}
+		}
+	}
+}
+
+func (x *AllowedHostPath) CodecDecodeSelf(d *codec1978.Decoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperDecoder(d)
+	_, _, _ = h, z, r
+	yym1 := z.DecBinary()
+	_ = yym1
+	if false {
+	} else if z.HasExtensions() && z.DecExt(x) {
+	} else {
+		yyct2 := r.ContainerType()
+		if yyct2 == codecSelferValueTypeMap1234 {
+			yyl2 := r.ReadMapStart()
+			if yyl2 == 0 {
+				z.DecSendContainerState(codecSelfer_containerMapEnd1234)
+			} else {
+				x.codecDecodeSelfFromMap(yyl2, d)
+			}
+		} else if yyct2 == codecSelferValueTypeArray1234 {
+			yyl2 := r.ReadArrayStart()
+			if yyl2 == 0 {
+				z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+			} else {
+				x.codecDecodeSelfFromArray(yyl2, d)
+			}
+		} else {
+			panic(codecSelferOnlyMapOrArrayEncodeToStructErr1234)
+		}
+	}
+}
+
+func (x *AllowedHostPath) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperDecoder(d)
+	_, _, _ = h, z, r
+	var yys3Slc = z.DecScratchBuffer() // default slice to decode into
+	_ = yys3Slc
+	var yyhl3 bool = l >= 0
+	for yyj3 := 0; ; yyj3++ {
+		if yyhl3 {
+			if yyj3 >= l {
+				break
+			}
+		} else {
+			if r.CheckBreak() {
+				break
+			}
+		}
+		z.DecSendContainerState(codecSelfer_containerMapKey1234)
+		yys3Slc = r.DecodeBytes(yys3Slc, true, true)
+		yys3 := string(yys3Slc)
+		z.DecSendContainerState(codecSelfer_containerMapValue1234)
+		switch yys3 {
+		case "path":
+			if r.TryDecodeAsNil() {
+				x.PathPrefix = ""
+			} else {
+				yyv4 := &x.PathPrefix
+				yym5 := z.DecBinary()
+				_ = yym5
+				if false {
+				} else {
+					*((*string)(yyv4)) = r.DecodeString()
+				}
+			}
+		default:
+			z.DecStructFieldNotFound(-1, yys3)
+		} // end switch yys3
+	} // end for yyj3
+	z.DecSendContainerState(codecSelfer_containerMapEnd1234)
+}
+
+func (x *AllowedHostPath) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperDecoder(d)
+	_, _, _ = h, z, r
+	var yyj6 int
+	var yyb6 bool
+	var yyhl6 bool = l >= 0
+	yyj6++
+	if yyhl6 {
+		yyb6 = yyj6 > l
+	} else {
+		yyb6 = r.CheckBreak()
+	}
+	if yyb6 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.PathPrefix = ""
+	} else {
+		yyv7 := &x.PathPrefix
+		yym8 := z.DecBinary()
+		_ = yym8
+		if false {
+		} else {
+			*((*string)(yyv7)) = r.DecodeString()
+		}
+	}
+	for {
+		yyj6++
+		if yyhl6 {
+			yyb6 = yyj6 > l
+		} else {
+			yyb6 = r.CheckBreak()
+		}
+		if yyb6 {
+			break
+		}
+		z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+		z.DecStructFieldNotFound(yyj6-1, "")
 	}
 	z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 }
@@ -21700,6 +21949,125 @@ func (x codecSelfer1234) decSliceHostPortRange(v *[]HostPortRange, d *codec1978.
 	}
 }
 
+func (x codecSelfer1234) encSliceAllowedHostPath(v []AllowedHostPath, e *codec1978.Encoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperEncoder(e)
+	_, _, _ = h, z, r
+	r.EncodeArrayStart(len(v))
+	for _, yyv1 := range v {
+		z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+		yy2 := &yyv1
+		yy2.CodecEncodeSelf(e)
+	}
+	z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
+}
+
+func (x codecSelfer1234) decSliceAllowedHostPath(v *[]AllowedHostPath, d *codec1978.Decoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperDecoder(d)
+	_, _, _ = h, z, r
+
+	yyv1 := *v
+	yyh1, yyl1 := z.DecSliceHelperStart()
+	var yyc1 bool
+	_ = yyc1
+	if yyl1 == 0 {
+		if yyv1 == nil {
+			yyv1 = []AllowedHostPath{}
+			yyc1 = true
+		} else if len(yyv1) != 0 {
+			yyv1 = yyv1[:0]
+			yyc1 = true
+		}
+	} else if yyl1 > 0 {
+		var yyrr1, yyrl1 int
+		var yyrt1 bool
+		_, _ = yyrl1, yyrt1
+		yyrr1 = yyl1 // len(yyv1)
+		if yyl1 > cap(yyv1) {
+
+			yyrg1 := len(yyv1) > 0
+			yyv21 := yyv1
+			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 16)
+			if yyrt1 {
+				if yyrl1 <= cap(yyv1) {
+					yyv1 = yyv1[:yyrl1]
+				} else {
+					yyv1 = make([]AllowedHostPath, yyrl1)
+				}
+			} else {
+				yyv1 = make([]AllowedHostPath, yyrl1)
+			}
+			yyc1 = true
+			yyrr1 = len(yyv1)
+			if yyrg1 {
+				copy(yyv1, yyv21)
+			}
+		} else if yyl1 != len(yyv1) {
+			yyv1 = yyv1[:yyl1]
+			yyc1 = true
+		}
+		yyj1 := 0
+		for ; yyj1 < yyrr1; yyj1++ {
+			yyh1.ElemContainerState(yyj1)
+			if r.TryDecodeAsNil() {
+				yyv1[yyj1] = AllowedHostPath{}
+			} else {
+				yyv2 := &yyv1[yyj1]
+				yyv2.CodecDecodeSelf(d)
+			}
+
+		}
+		if yyrt1 {
+			for ; yyj1 < yyl1; yyj1++ {
+				yyv1 = append(yyv1, AllowedHostPath{})
+				yyh1.ElemContainerState(yyj1)
+				if r.TryDecodeAsNil() {
+					yyv1[yyj1] = AllowedHostPath{}
+				} else {
+					yyv3 := &yyv1[yyj1]
+					yyv3.CodecDecodeSelf(d)
+				}
+
+			}
+		}
+
+	} else {
+		yyj1 := 0
+		for ; !r.CheckBreak(); yyj1++ {
+
+			if yyj1 >= len(yyv1) {
+				yyv1 = append(yyv1, AllowedHostPath{}) // var yyz1 AllowedHostPath
+				yyc1 = true
+			}
+			yyh1.ElemContainerState(yyj1)
+			if yyj1 < len(yyv1) {
+				if r.TryDecodeAsNil() {
+					yyv1[yyj1] = AllowedHostPath{}
+				} else {
+					yyv4 := &yyv1[yyj1]
+					yyv4.CodecDecodeSelf(d)
+				}
+
+			} else {
+				z.DecSwallow()
+			}
+
+		}
+		if yyj1 < len(yyv1) {
+			yyv1 = yyv1[:yyj1]
+			yyc1 = true
+		} else if yyj1 == 0 && yyv1 == nil {
+			yyv1 = []AllowedHostPath{}
+			yyc1 = true
+		}
+	}
+	yyh1.End()
+	if yyc1 {
+		*v = yyv1
+	}
+}
+
 func (x codecSelfer1234) encSliceIDRange(v []IDRange, e *codec1978.Encoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperEncoder(e)
@@ -21858,7 +22226,7 @@ func (x codecSelfer1234) decSlicePodSecurityPolicy(v *[]PodSecurityPolicy, d *co
 
 			yyrg1 := len(yyv1) > 0
 			yyv21 := yyv1
-			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 576)
+			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 600)
 			if yyrt1 {
 				if yyrl1 <= cap(yyv1) {
 					yyv1 = yyv1[:yyrl1]

staging/src/k8s.io/api/extensions/v1beta1/types.go

@@ -965,6 +965,22 @@ type PodSecurityPolicySpec struct {
 	// privilege escalation.
 	// +optional
 	AllowPrivilegeEscalation bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
+	// is a white list of allowed host paths. Empty indicates that all host paths may be used.
+	// +optional
+	AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
+}
+
+// defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+type AllowedHostPath struct {
+	// is the path prefix that the host volume must match.
+	// It does not support `*`.
+	// Trailing slashes are trimmed when validating the path prefix with a host path.
+	//
+	// Examples:
+	// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+	// `/foo` would not allow `/food` or `/etc/foo`
+	PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"`
 }
 
 // FS Type gives strong typing to different file systems that are used by volumes.

staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go

@@ -36,6 +36,15 @@ func (APIVersion) SwaggerDoc() map[string]string {
 	return map_APIVersion
 }
 
+var map_AllowedHostPath = map[string]string{
+	"":     "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
+	"path": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
+}
+
+func (AllowedHostPath) SwaggerDoc() map[string]string {
+	return map_AllowedHostPath
+}
+
 var map_CustomMetricCurrentStatus = map[string]string{
 	"name":  "Custom Metric name.",
 	"value": "Custom Metric value (average).",
@@ -438,6 +447,7 @@ var map_PodSecurityPolicySpec = map[string]string{
 	"readOnlyRootFilesystem":          "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
 	"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
 	"allowPrivilegeEscalation":        "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
+	"allowedHostPaths":                "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.",
 }
 
 func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {

staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go

@@ -43,6 +43,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 			in.(*APIVersion).DeepCopyInto(out.(*APIVersion))
 			return nil
 		}, InType: reflect.TypeOf(&APIVersion{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath))
+			return nil
+		}, InType: reflect.TypeOf(&AllowedHostPath{})},
 		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
 			in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus))
 			return nil
@@ -294,6 +298,22 @@ func (in *APIVersion) DeepCopy() *APIVersion {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
+func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowedHostPath)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
 	*out = *in
@@ -1365,6 +1385,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
 			**out = **in
 		}
 	}
+	if in.AllowedHostPaths != nil {
+		in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
+		*out = make([]AllowedHostPath, len(*in))
+		copy(*out, *in)
+	}
 	return
 }