Unverified Commit 71e00a6b authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #61608 from php-coder/psp_move_internal_types_to_policy

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. PSP: move internal types to policy API group **What this PR does / why we need it**: This is a part of the PSP migration from extensions to policy API group. This PR moves internal types to the its final destination. **Which issue(s) this PR fixes**: Addressed to https://github.com/kubernetes/features/issues/5
parents 4b26d70d 6767e233
...@@ -3,20 +3,12 @@ package(default_visibility = ["//visibility:public"]) ...@@ -3,20 +3,12 @@ package(default_visibility = ["//visibility:public"])
load( load(
"@io_bazel_rules_go//go:def.bzl", "@io_bazel_rules_go//go:def.bzl",
"go_library", "go_library",
"go_test",
)
go_test(
name = "go_default_test",
srcs = ["helpers_test.go"],
embed = [":go_default_library"],
) )
go_library( go_library(
name = "go_default_library", name = "go_default_library",
srcs = [ srcs = [
"doc.go", "doc.go",
"helpers.go",
"register.go", "register.go",
"types.go", "types.go",
"zz_generated.deepcopy.go", "zz_generated.deepcopy.go",
...@@ -26,6 +18,7 @@ go_library( ...@@ -26,6 +18,7 @@ go_library(
"//pkg/apis/autoscaling:go_default_library", "//pkg/apis/autoscaling:go_default_library",
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/networking:go_default_library", "//pkg/apis/networking:go_default_library",
"//pkg/apis/policy:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
......
...@@ -54,34 +54,6 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} { ...@@ -54,34 +54,6 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
j.RollingUpdate = &rollingUpdate j.RollingUpdate = &rollingUpdate
} }
}, },
func(psp *extensions.PodSecurityPolicySpec, c fuzz.Continue) {
c.FuzzNoCustom(psp) // fuzz self without calling this function again
runAsUserRules := []extensions.RunAsUserStrategy{
extensions.RunAsUserStrategyMustRunAsNonRoot,
extensions.RunAsUserStrategyMustRunAs,
extensions.RunAsUserStrategyRunAsAny,
}
psp.RunAsUser.Rule = runAsUserRules[c.Rand.Intn(len(runAsUserRules))]
seLinuxRules := []extensions.SELinuxStrategy{
extensions.SELinuxStrategyMustRunAs,
extensions.SELinuxStrategyRunAsAny,
}
psp.SELinux.Rule = seLinuxRules[c.Rand.Intn(len(seLinuxRules))]
supplementalGroupsRules := []extensions.SupplementalGroupsStrategyType{
extensions.SupplementalGroupsStrategyRunAsAny,
extensions.SupplementalGroupsStrategyMustRunAs,
}
psp.SupplementalGroups.Rule = supplementalGroupsRules[c.Rand.Intn(len(supplementalGroupsRules))]
fsGroupRules := []extensions.FSGroupStrategyType{
extensions.FSGroupStrategyMustRunAs,
extensions.FSGroupStrategyRunAsAny,
}
psp.FSGroup.Rule = fsGroupRules[c.Rand.Intn(len(fsGroupRules))]
},
func(j *extensions.DaemonSetSpec, c fuzz.Continue) { func(j *extensions.DaemonSetSpec, c fuzz.Continue) {
c.FuzzNoCustom(j) // fuzz self without calling this function again c.FuzzNoCustom(j) // fuzz self without calling this function again
rhl := int32(c.Rand.Int31()) rhl := int32(c.Rand.Int31())
......
...@@ -21,6 +21,7 @@ import ( ...@@ -21,6 +21,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/apis/autoscaling" "k8s.io/kubernetes/pkg/apis/autoscaling"
"k8s.io/kubernetes/pkg/apis/networking" "k8s.io/kubernetes/pkg/apis/networking"
"k8s.io/kubernetes/pkg/apis/policy"
) )
// GroupName is the group name use in this package // GroupName is the group name use in this package
...@@ -58,8 +59,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { ...@@ -58,8 +59,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&IngressList{}, &IngressList{},
&ReplicaSet{}, &ReplicaSet{},
&ReplicaSetList{}, &ReplicaSetList{},
&PodSecurityPolicy{}, &policy.PodSecurityPolicy{},
&PodSecurityPolicyList{}, &policy.PodSecurityPolicyList{},
&autoscaling.Scale{}, &autoscaling.Scale{},
&networking.NetworkPolicy{}, &networking.NetworkPolicy{},
&networking.NetworkPolicyList{}, &networking.NetworkPolicyList{},
......
...@@ -35,13 +35,6 @@ import ( ...@@ -35,13 +35,6 @@ import (
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
) )
const (
// SysctlsPodSecurityPolicyAnnotationKey represents the key of a whitelist of
// allowed safe and unsafe sysctls in a pod spec. It's a comma-separated list of plain sysctl
// names or sysctl patterns (which end in *). The string "*" matches all sysctls.
SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// Dummy definition // Dummy definition
...@@ -780,271 +773,3 @@ type ReplicaSetCondition struct { ...@@ -780,271 +773,3 @@ type ReplicaSetCondition struct {
// +optional // +optional
Message string Message string
} }
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicy governs the ability to make requests that affect the SecurityContext
// that will be applied to a pod and container.
type PodSecurityPolicy struct {
metav1.TypeMeta
// +optional
metav1.ObjectMeta
// Spec defines the policy enforced.
// +optional
Spec PodSecurityPolicySpec
}
// PodSecurityPolicySpec defines the policy enforced.
type PodSecurityPolicySpec struct {
// Privileged determines if a pod can request to be run as privileged.
// +optional
Privileged bool
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capability in both
// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
// allowed, and need not be included in the AllowedCapabilities list.
// +optional
DefaultAddCapabilities []api.Capability
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
// are required to be dropped and cannot be added.
// +optional
RequiredDropCapabilities []api.Capability
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
// Capabilities in this field may be added at the pod author's discretion.
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
// To allow all capabilities you may use '*'.
// +optional
AllowedCapabilities []api.Capability
// Volumes is a white list of allowed volume plugins. Empty indicates that
// no volumes may be used. To allow all volumes you may use '*'.
// +optional
Volumes []FSType
// HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
// +optional
HostNetwork bool
// HostPorts determines which host port ranges are allowed to be exposed.
// +optional
HostPorts []HostPortRange
// HostPID determines if the policy allows the use of HostPID in the pod spec.
// +optional
HostPID bool
// HostIPC determines if the policy allows the use of HostIPC in the pod spec.
// +optional
HostIPC bool
// SELinux is the strategy that will dictate the allowable labels that may be set.
SELinux SELinuxStrategyOptions
// RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
RunAsUser RunAsUserStrategyOptions
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
SupplementalGroups SupplementalGroupsStrategyOptions
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
FSGroup FSGroupStrategyOptions
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
// system. If the container specifically requests to run with a non-read only root file system
// the PSP should deny the pod.
// If set to false the container may run with a read only root file system if it wishes but it
// will not be forced to.
// +optional
ReadOnlyRootFilesystem bool
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than its parent process.
// +optional
DefaultAllowPrivilegeEscalation *bool
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation. If unspecified, defaults to true.
// +optional
AllowPrivilegeEscalation bool
// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
// +optional
AllowedHostPaths []AllowedHostPath
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
// is allowed in the "Volumes" field.
// +optional
AllowedFlexVolumes []AllowedFlexVolume
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
// for pods to use. It requires the path prefix to be defined.
type AllowedHostPath struct {
// PathPrefix is the path prefix that the host volume must match.
// PathPrefix does not support `*`.
// Trailing slashes are trimmed when validating the path prefix with a host path.
//
// Examples:
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
// `/foo` would not allow `/food` or `/etc/foo`
PathPrefix string
}
// HostPortRange defines a range of host ports that will be enabled by a policy
// for pods to use. It requires both the start and end to be defined.
type HostPortRange struct {
// Min is the start of the range, inclusive.
Min int32
// Max is the end of the range, inclusive.
Max int32
}
// AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities
// field and means that any capabilities are allowed to be requested.
var AllowAllCapabilities api.Capability = "*"
// FSType gives strong typing to different file systems that are used by volumes.
type FSType string
var (
AzureFile FSType = "azureFile"
Flocker FSType = "flocker"
FlexVolume FSType = "flexVolume"
HostPath FSType = "hostPath"
EmptyDir FSType = "emptyDir"
GCEPersistentDisk FSType = "gcePersistentDisk"
AWSElasticBlockStore FSType = "awsElasticBlockStore"
GitRepo FSType = "gitRepo"
Secret FSType = "secret"
NFS FSType = "nfs"
ISCSI FSType = "iscsi"
Glusterfs FSType = "glusterfs"
PersistentVolumeClaim FSType = "persistentVolumeClaim"
RBD FSType = "rbd"
Cinder FSType = "cinder"
CephFS FSType = "cephFS"
DownwardAPI FSType = "downwardAPI"
FC FSType = "fc"
ConfigMap FSType = "configMap"
VsphereVolume FSType = "vsphereVolume"
Quobyte FSType = "quobyte"
AzureDisk FSType = "azureDisk"
PhotonPersistentDisk FSType = "photonPersistentDisk"
StorageOS FSType = "storageos"
Projected FSType = "projected"
PortworxVolume FSType = "portworxVolume"
ScaleIO FSType = "scaleIO"
CSI FSType = "csi"
All FSType = "*"
)
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
type AllowedFlexVolume struct {
// Driver is the name of the Flexvolume driver.
Driver string
}
// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
type SELinuxStrategyOptions struct {
// Rule is the strategy that will dictate the allowable labels that may be set.
Rule SELinuxStrategy
// SELinuxOptions required to run as; required for MustRunAs
// More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
// +optional
SELinuxOptions *api.SELinuxOptions
}
// SELinuxStrategy denotes strategy types for generating SELinux options for a
// Security.
type SELinuxStrategy string
const (
// SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
// SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
)
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
type RunAsUserStrategyOptions struct {
// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
Rule RunAsUserStrategy
// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
// then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []UserIDRange
}
// UserIDRange provides a min/max of an allowed range of UserIDs.
type UserIDRange struct {
// Min is the start of the range, inclusive.
Min int64
// Max is the end of the range, inclusive.
Max int64
}
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
type GroupIDRange struct {
// Min is the start of the range, inclusive.
Min int64
// Max is the end of the range, inclusive.
Max int64
}
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
// SecurityContext.
type RunAsUserStrategy string
const (
// RunAsUserStrategyMustRunAs means that container must run as a particular uid.
RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
// RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid
RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
// RunAsUserStrategyRunAsAny means that container may make requests for any uid.
RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
)
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
type FSGroupStrategyOptions struct {
// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
// +optional
Rule FSGroupStrategyType
// Ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []GroupIDRange
}
// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
// SecurityContext
type FSGroupStrategyType string
const (
// FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.
FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
// FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
)
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
type SupplementalGroupsStrategyOptions struct {
// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
// +optional
Rule SupplementalGroupsStrategyType
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []GroupIDRange
}
// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
// groups for a SecurityContext.
type SupplementalGroupsStrategyType string
const (
// SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
// SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
type PodSecurityPolicyList struct {
metav1.TypeMeta
// +optional
metav1.ListMeta
Items []PodSecurityPolicy
}
...@@ -23,6 +23,7 @@ go_library( ...@@ -23,6 +23,7 @@ go_library(
"//pkg/apis/core/v1:go_default_library", "//pkg/apis/core/v1:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/extensions:go_default_library",
"//pkg/apis/networking:go_default_library", "//pkg/apis/networking:go_default_library",
"//pkg/apis/policy:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library", "//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/api/extensions/v1beta1:go_default_library", "//vendor/k8s.io/api/extensions/v1beta1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
......
...@@ -61,7 +61,6 @@ func addConversionFuncs(scheme *runtime.Scheme) error { ...@@ -61,7 +61,6 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
Convert_networking_NetworkPolicyPort_To_v1beta1_NetworkPolicyPort, Convert_networking_NetworkPolicyPort_To_v1beta1_NetworkPolicyPort,
Convert_v1beta1_NetworkPolicySpec_To_networking_NetworkPolicySpec, Convert_v1beta1_NetworkPolicySpec_To_networking_NetworkPolicySpec,
Convert_networking_NetworkPolicySpec_To_v1beta1_NetworkPolicySpec, Convert_networking_NetworkPolicySpec_To_v1beta1_NetworkPolicySpec,
Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
Convert_v1beta1_IPBlock_To_networking_IPBlock, Convert_v1beta1_IPBlock_To_networking_IPBlock,
Convert_networking_IPBlock_To_v1beta1_IPBlock, Convert_networking_IPBlock_To_v1beta1_IPBlock,
Convert_networking_NetworkPolicyEgressRule_To_v1beta1_NetworkPolicyEgressRule, Convert_networking_NetworkPolicyEgressRule_To_v1beta1_NetworkPolicyEgressRule,
...@@ -503,7 +502,3 @@ func Convert_networking_NetworkPolicyList_To_v1beta1_NetworkPolicyList(in *netwo ...@@ -503,7 +502,3 @@ func Convert_networking_NetworkPolicyList_To_v1beta1_NetworkPolicyList(in *netwo
} }
return nil return nil
} }
func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *extensionsv1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
}
...@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and ...@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/policy
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/extensions // +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/extensions
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/autoscaling // +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/autoscaling
// +k8s:conversion-gen-external-types=k8s.io/api/extensions/v1beta1 // +k8s:conversion-gen-external-types=k8s.io/api/extensions/v1beta1
......
...@@ -32,6 +32,7 @@ import ( ...@@ -32,6 +32,7 @@ import (
core "k8s.io/kubernetes/pkg/apis/core" core "k8s.io/kubernetes/pkg/apis/core"
core_v1 "k8s.io/kubernetes/pkg/apis/core/v1" core_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
extensions "k8s.io/kubernetes/pkg/apis/extensions" extensions "k8s.io/kubernetes/pkg/apis/extensions"
policy "k8s.io/kubernetes/pkg/apis/policy"
) )
func init() { func init() {
...@@ -42,10 +43,10 @@ func init() { ...@@ -42,10 +43,10 @@ func init() {
// Public to allow building arbitrary schemes. // Public to allow building arbitrary schemes.
func RegisterConversions(scheme *runtime.Scheme) error { func RegisterConversions(scheme *runtime.Scheme) error {
return scheme.AddGeneratedConversionFuncs( return scheme.AddGeneratedConversionFuncs(
Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume, Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume,
Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume, Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume,
Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath, Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath,
Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath, Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath,
Convert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus, Convert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus,
Convert_extensions_CustomMetricCurrentStatus_To_v1beta1_CustomMetricCurrentStatus, Convert_extensions_CustomMetricCurrentStatus_To_v1beta1_CustomMetricCurrentStatus,
Convert_v1beta1_CustomMetricCurrentStatusList_To_extensions_CustomMetricCurrentStatusList, Convert_v1beta1_CustomMetricCurrentStatusList_To_extensions_CustomMetricCurrentStatusList,
...@@ -80,14 +81,14 @@ func RegisterConversions(scheme *runtime.Scheme) error { ...@@ -80,14 +81,14 @@ func RegisterConversions(scheme *runtime.Scheme) error {
Convert_extensions_DeploymentStatus_To_v1beta1_DeploymentStatus, Convert_extensions_DeploymentStatus_To_v1beta1_DeploymentStatus,
Convert_v1beta1_DeploymentStrategy_To_extensions_DeploymentStrategy, Convert_v1beta1_DeploymentStrategy_To_extensions_DeploymentStrategy,
Convert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy, Convert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy,
Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions, Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions,
Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions, Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions,
Convert_v1beta1_HTTPIngressPath_To_extensions_HTTPIngressPath, Convert_v1beta1_HTTPIngressPath_To_extensions_HTTPIngressPath,
Convert_extensions_HTTPIngressPath_To_v1beta1_HTTPIngressPath, Convert_extensions_HTTPIngressPath_To_v1beta1_HTTPIngressPath,
Convert_v1beta1_HTTPIngressRuleValue_To_extensions_HTTPIngressRuleValue, Convert_v1beta1_HTTPIngressRuleValue_To_extensions_HTTPIngressRuleValue,
Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue, Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue,
Convert_v1beta1_HostPortRange_To_extensions_HostPortRange, Convert_v1beta1_HostPortRange_To_policy_HostPortRange,
Convert_extensions_HostPortRange_To_v1beta1_HostPortRange, Convert_policy_HostPortRange_To_v1beta1_HostPortRange,
Convert_v1beta1_Ingress_To_extensions_Ingress, Convert_v1beta1_Ingress_To_extensions_Ingress,
Convert_extensions_Ingress_To_v1beta1_Ingress, Convert_extensions_Ingress_To_v1beta1_Ingress,
Convert_v1beta1_IngressBackend_To_extensions_IngressBackend, Convert_v1beta1_IngressBackend_To_extensions_IngressBackend,
...@@ -104,12 +105,12 @@ func RegisterConversions(scheme *runtime.Scheme) error { ...@@ -104,12 +105,12 @@ func RegisterConversions(scheme *runtime.Scheme) error {
Convert_extensions_IngressStatus_To_v1beta1_IngressStatus, Convert_extensions_IngressStatus_To_v1beta1_IngressStatus,
Convert_v1beta1_IngressTLS_To_extensions_IngressTLS, Convert_v1beta1_IngressTLS_To_extensions_IngressTLS,
Convert_extensions_IngressTLS_To_v1beta1_IngressTLS, Convert_extensions_IngressTLS_To_v1beta1_IngressTLS,
Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy, Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy,
Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy, Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy,
Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList, Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList,
Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList, Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList,
Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec, Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec,
Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec, Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
Convert_v1beta1_ReplicaSet_To_extensions_ReplicaSet, Convert_v1beta1_ReplicaSet_To_extensions_ReplicaSet,
Convert_extensions_ReplicaSet_To_v1beta1_ReplicaSet, Convert_extensions_ReplicaSet_To_v1beta1_ReplicaSet,
Convert_v1beta1_ReplicaSetCondition_To_extensions_ReplicaSetCondition, Convert_v1beta1_ReplicaSetCondition_To_extensions_ReplicaSetCondition,
...@@ -128,59 +129,59 @@ func RegisterConversions(scheme *runtime.Scheme) error { ...@@ -128,59 +129,59 @@ func RegisterConversions(scheme *runtime.Scheme) error {
Convert_extensions_RollingUpdateDaemonSet_To_v1beta1_RollingUpdateDaemonSet, Convert_extensions_RollingUpdateDaemonSet_To_v1beta1_RollingUpdateDaemonSet,
Convert_v1beta1_RollingUpdateDeployment_To_extensions_RollingUpdateDeployment, Convert_v1beta1_RollingUpdateDeployment_To_extensions_RollingUpdateDeployment,
Convert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDeployment, Convert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDeployment,
Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions, Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions,
Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions, Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions,
Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions, Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions,
Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions, Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions,
Convert_v1beta1_Scale_To_autoscaling_Scale, Convert_v1beta1_Scale_To_autoscaling_Scale,
Convert_autoscaling_Scale_To_v1beta1_Scale, Convert_autoscaling_Scale_To_v1beta1_Scale,
Convert_v1beta1_ScaleSpec_To_autoscaling_ScaleSpec, Convert_v1beta1_ScaleSpec_To_autoscaling_ScaleSpec,
Convert_autoscaling_ScaleSpec_To_v1beta1_ScaleSpec, Convert_autoscaling_ScaleSpec_To_v1beta1_ScaleSpec,
Convert_v1beta1_ScaleStatus_To_autoscaling_ScaleStatus, Convert_v1beta1_ScaleStatus_To_autoscaling_ScaleStatus,
Convert_autoscaling_ScaleStatus_To_v1beta1_ScaleStatus, Convert_autoscaling_ScaleStatus_To_v1beta1_ScaleStatus,
Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions, Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions,
Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions, Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions,
) )
} }
func autoConvert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *extensions.AllowedFlexVolume, s conversion.Scope) error { func autoConvert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *policy.AllowedFlexVolume, s conversion.Scope) error {
out.Driver = in.Driver out.Driver = in.Driver
return nil return nil
} }
// Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume is an autogenerated conversion function. // Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume is an autogenerated conversion function.
func Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *extensions.AllowedFlexVolume, s conversion.Scope) error { func Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *policy.AllowedFlexVolume, s conversion.Scope) error {
return autoConvert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in, out, s) return autoConvert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in, out, s)
} }
func autoConvert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *extensions.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error { func autoConvert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *policy.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
out.Driver = in.Driver out.Driver = in.Driver
return nil return nil
} }
// Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume is an autogenerated conversion function. // Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume is an autogenerated conversion function.
func Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *extensions.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error { func Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *policy.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
return autoConvert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in, out, s) return autoConvert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in, out, s)
} }
func autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error { func autoConvert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in *v1beta1.AllowedHostPath, out *policy.AllowedHostPath, s conversion.Scope) error {
out.PathPrefix = in.PathPrefix out.PathPrefix = in.PathPrefix
return nil return nil
} }
// Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath is an autogenerated conversion function. // Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath is an autogenerated conversion function.
func Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error { func Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in *v1beta1.AllowedHostPath, out *policy.AllowedHostPath, s conversion.Scope) error {
return autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in, out, s) return autoConvert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in, out, s)
} }
func autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error { func autoConvert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in *policy.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
out.PathPrefix = in.PathPrefix out.PathPrefix = in.PathPrefix
return nil return nil
} }
// Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function. // Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
func Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error { func Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in *policy.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
return autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s) return autoConvert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
} }
func autoConvert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus(in *v1beta1.CustomMetricCurrentStatus, out *extensions.CustomMetricCurrentStatus, s conversion.Scope) error { func autoConvert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus(in *v1beta1.CustomMetricCurrentStatus, out *extensions.CustomMetricCurrentStatus, s conversion.Scope) error {
...@@ -715,26 +716,26 @@ func autoConvert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy(in ...@@ -715,26 +716,26 @@ func autoConvert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy(in
return nil return nil
} }
func autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error { func autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.FSGroupStrategyType(in.Rule) out.Rule = policy.FSGroupStrategyType(in.Rule)
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions is an autogenerated conversion function. // Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions is an autogenerated conversion function.
func Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error { func Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
return autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in, out, s) return autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in, out, s)
} }
func autoConvert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *extensions.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error { func autoConvert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *policy.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
out.Rule = v1beta1.FSGroupStrategyType(in.Rule) out.Rule = v1beta1.FSGroupStrategyType(in.Rule)
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions is an autogenerated conversion function. // Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions is an autogenerated conversion function.
func Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *extensions.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error { func Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *policy.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
return autoConvert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in, out, s) return autoConvert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in, out, s)
} }
func autoConvert_v1beta1_HTTPIngressPath_To_extensions_HTTPIngressPath(in *v1beta1.HTTPIngressPath, out *extensions.HTTPIngressPath, s conversion.Scope) error { func autoConvert_v1beta1_HTTPIngressPath_To_extensions_HTTPIngressPath(in *v1beta1.HTTPIngressPath, out *extensions.HTTPIngressPath, s conversion.Scope) error {
...@@ -783,26 +784,26 @@ func Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue(in ...@@ -783,26 +784,26 @@ func Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue(in
return autoConvert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue(in, out, s) return autoConvert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue(in, out, s)
} }
func autoConvert_v1beta1_HostPortRange_To_extensions_HostPortRange(in *v1beta1.HostPortRange, out *extensions.HostPortRange, s conversion.Scope) error { func autoConvert_v1beta1_HostPortRange_To_policy_HostPortRange(in *v1beta1.HostPortRange, out *policy.HostPortRange, s conversion.Scope) error {
out.Min = in.Min out.Min = in.Min
out.Max = in.Max out.Max = in.Max
return nil return nil
} }
// Convert_v1beta1_HostPortRange_To_extensions_HostPortRange is an autogenerated conversion function. // Convert_v1beta1_HostPortRange_To_policy_HostPortRange is an autogenerated conversion function.
func Convert_v1beta1_HostPortRange_To_extensions_HostPortRange(in *v1beta1.HostPortRange, out *extensions.HostPortRange, s conversion.Scope) error { func Convert_v1beta1_HostPortRange_To_policy_HostPortRange(in *v1beta1.HostPortRange, out *policy.HostPortRange, s conversion.Scope) error {
return autoConvert_v1beta1_HostPortRange_To_extensions_HostPortRange(in, out, s) return autoConvert_v1beta1_HostPortRange_To_policy_HostPortRange(in, out, s)
} }
func autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error { func autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
out.Min = in.Min out.Min = in.Min
out.Max = in.Max out.Max = in.Max
return nil return nil
} }
// Convert_extensions_HostPortRange_To_v1beta1_HostPortRange is an autogenerated conversion function. // Convert_policy_HostPortRange_To_v1beta1_HostPortRange is an autogenerated conversion function.
func Convert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error { func Convert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
return autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in, out, s) return autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
} }
func autoConvert_v1beta1_Ingress_To_extensions_Ingress(in *v1beta1.Ingress, out *extensions.Ingress, s conversion.Scope) error { func autoConvert_v1beta1_Ingress_To_extensions_Ingress(in *v1beta1.Ingress, out *extensions.Ingress, s conversion.Scope) error {
...@@ -999,39 +1000,39 @@ func Convert_extensions_IngressTLS_To_v1beta1_IngressTLS(in *extensions.IngressT ...@@ -999,39 +1000,39 @@ func Convert_extensions_IngressTLS_To_v1beta1_IngressTLS(in *extensions.IngressT
return autoConvert_extensions_IngressTLS_To_v1beta1_IngressTLS(in, out, s) return autoConvert_extensions_IngressTLS_To_v1beta1_IngressTLS(in, out, s)
} }
func autoConvert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *extensions.PodSecurityPolicy, s conversion.Scope) error { func autoConvert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *policy.PodSecurityPolicy, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta out.ObjectMeta = in.ObjectMeta
if err := Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil { if err := Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
return err return err
} }
return nil return nil
} }
// Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy is an autogenerated conversion function. // Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *extensions.PodSecurityPolicy, s conversion.Scope) error { func Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *policy.PodSecurityPolicy, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in, out, s) return autoConvert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in, out, s)
} }
func autoConvert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *extensions.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error { func autoConvert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *policy.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta out.ObjectMeta = in.ObjectMeta
if err := Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil { if err := Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
return err return err
} }
return nil return nil
} }
// Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy is an autogenerated conversion function. // Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy is an autogenerated conversion function.
func Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *extensions.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error { func Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *policy.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in, out, s) return autoConvert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in, out, s)
} }
func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *extensions.PodSecurityPolicyList, s conversion.Scope) error { func autoConvert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *policy.PodSecurityPolicyList, s conversion.Scope) error {
out.ListMeta = in.ListMeta out.ListMeta = in.ListMeta
if in.Items != nil { if in.Items != nil {
in, out := &in.Items, &out.Items in, out := &in.Items, &out.Items
*out = make([]extensions.PodSecurityPolicy, len(*in)) *out = make([]policy.PodSecurityPolicy, len(*in))
for i := range *in { for i := range *in {
if err := Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil { if err := Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
return err return err
} }
} }
...@@ -1041,18 +1042,18 @@ func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyLi ...@@ -1041,18 +1042,18 @@ func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyLi
return nil return nil
} }
// Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList is an autogenerated conversion function. // Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *extensions.PodSecurityPolicyList, s conversion.Scope) error { func Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *policy.PodSecurityPolicyList, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in, out, s) return autoConvert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in, out, s)
} }
func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *extensions.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error { func autoConvert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *policy.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
out.ListMeta = in.ListMeta out.ListMeta = in.ListMeta
if in.Items != nil { if in.Items != nil {
in, out := &in.Items, &out.Items in, out := &in.Items, &out.Items
*out = make([]v1beta1.PodSecurityPolicy, len(*in)) *out = make([]v1beta1.PodSecurityPolicy, len(*in))
for i := range *in { for i := range *in {
if err := Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil { if err := Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
return err return err
} }
} }
...@@ -1062,31 +1063,31 @@ func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyLi ...@@ -1062,31 +1063,31 @@ func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyLi
return nil return nil
} }
// Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList is an autogenerated conversion function. // Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList is an autogenerated conversion function.
func Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *extensions.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error { func Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *policy.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in, out, s) return autoConvert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in, out, s)
} }
func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *extensions.PodSecurityPolicySpec, s conversion.Scope) error { func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *policy.PodSecurityPolicySpec, s conversion.Scope) error {
out.Privileged = in.Privileged out.Privileged = in.Privileged
out.DefaultAddCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities)) out.DefaultAddCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
out.RequiredDropCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities)) out.RequiredDropCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
out.AllowedCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.AllowedCapabilities)) out.AllowedCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.AllowedCapabilities))
out.Volumes = *(*[]extensions.FSType)(unsafe.Pointer(&in.Volumes)) out.Volumes = *(*[]policy.FSType)(unsafe.Pointer(&in.Volumes))
out.HostNetwork = in.HostNetwork out.HostNetwork = in.HostNetwork
out.HostPorts = *(*[]extensions.HostPortRange)(unsafe.Pointer(&in.HostPorts)) out.HostPorts = *(*[]policy.HostPortRange)(unsafe.Pointer(&in.HostPorts))
out.HostPID = in.HostPID out.HostPID = in.HostPID
out.HostIPC = in.HostIPC out.HostIPC = in.HostIPC
if err := Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil { if err := Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
return err return err
} }
if err := Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil { if err := Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
return err return err
} }
if err := Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil { if err := Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
return err return err
} }
if err := Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil { if err := Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
return err return err
} }
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
...@@ -1094,17 +1095,17 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp ...@@ -1094,17 +1095,17 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
if err := meta_v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil { if err := meta_v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
return err return err
} }
out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths)) out.AllowedHostPaths = *(*[]policy.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
out.AllowedFlexVolumes = *(*[]extensions.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes)) out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
return nil return nil
} }
// Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec is an autogenerated conversion function. // Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *extensions.PodSecurityPolicySpec, s conversion.Scope) error { func Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *policy.PodSecurityPolicySpec, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in, out, s) return autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in, out, s)
} }
func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error { func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *policy.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
out.Privileged = in.Privileged out.Privileged = in.Privileged
out.DefaultAddCapabilities = *(*[]v1.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities)) out.DefaultAddCapabilities = *(*[]v1.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
out.RequiredDropCapabilities = *(*[]v1.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities)) out.RequiredDropCapabilities = *(*[]v1.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
...@@ -1114,16 +1115,16 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp ...@@ -1114,16 +1115,16 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
out.HostPorts = *(*[]v1beta1.HostPortRange)(unsafe.Pointer(&in.HostPorts)) out.HostPorts = *(*[]v1beta1.HostPortRange)(unsafe.Pointer(&in.HostPorts))
out.HostPID = in.HostPID out.HostPID = in.HostPID
out.HostIPC = in.HostIPC out.HostIPC = in.HostIPC
if err := Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil { if err := Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
return err return err
} }
if err := Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil { if err := Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
return err return err
} }
if err := Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil { if err := Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
return err return err
} }
if err := Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil { if err := Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
return err return err
} }
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
...@@ -1136,6 +1137,11 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp ...@@ -1136,6 +1137,11 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
return nil return nil
} }
// Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function.
func Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *policy.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
return autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
}
func autoConvert_v1beta1_ReplicaSet_To_extensions_ReplicaSet(in *v1beta1.ReplicaSet, out *extensions.ReplicaSet, s conversion.Scope) error { func autoConvert_v1beta1_ReplicaSet_To_extensions_ReplicaSet(in *v1beta1.ReplicaSet, out *extensions.ReplicaSet, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta out.ObjectMeta = in.ObjectMeta
if err := Convert_v1beta1_ReplicaSetSpec_To_extensions_ReplicaSetSpec(&in.Spec, &out.Spec, s); err != nil { if err := Convert_v1beta1_ReplicaSetSpec_To_extensions_ReplicaSetSpec(&in.Spec, &out.Spec, s); err != nil {
...@@ -1352,48 +1358,48 @@ func autoConvert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDepl ...@@ -1352,48 +1358,48 @@ func autoConvert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDepl
return nil return nil
} }
func autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error { func autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.RunAsUserStrategy(in.Rule) out.Rule = policy.RunAsUserStrategy(in.Rule)
out.Ranges = *(*[]extensions.UserIDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]policy.UserIDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions is an autogenerated conversion function. // Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions is an autogenerated conversion function.
func Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error { func Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
return autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in, out, s) return autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in, out, s)
} }
func autoConvert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *extensions.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error { func autoConvert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *policy.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
out.Rule = v1beta1.RunAsUserStrategy(in.Rule) out.Rule = v1beta1.RunAsUserStrategy(in.Rule)
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions is an autogenerated conversion function. // Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions is an autogenerated conversion function.
func Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *extensions.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error { func Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *policy.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
return autoConvert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in, out, s) return autoConvert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in, out, s)
} }
func autoConvert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *extensions.SELinuxStrategyOptions, s conversion.Scope) error { func autoConvert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *policy.SELinuxStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.SELinuxStrategy(in.Rule) out.Rule = policy.SELinuxStrategy(in.Rule)
out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions)) out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
return nil return nil
} }
// Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions is an autogenerated conversion function. // Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions is an autogenerated conversion function.
func Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *extensions.SELinuxStrategyOptions, s conversion.Scope) error { func Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *policy.SELinuxStrategyOptions, s conversion.Scope) error {
return autoConvert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in, out, s) return autoConvert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in, out, s)
} }
func autoConvert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *extensions.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error { func autoConvert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *policy.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
out.Rule = v1beta1.SELinuxStrategy(in.Rule) out.Rule = v1beta1.SELinuxStrategy(in.Rule)
out.SELinuxOptions = (*v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions)) out.SELinuxOptions = (*v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
return nil return nil
} }
// Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions is an autogenerated conversion function. // Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions is an autogenerated conversion function.
func Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *extensions.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error { func Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *policy.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
return autoConvert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in, out, s) return autoConvert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in, out, s)
} }
func autoConvert_v1beta1_Scale_To_autoscaling_Scale(in *v1beta1.Scale, out *autoscaling.Scale, s conversion.Scope) error { func autoConvert_v1beta1_Scale_To_autoscaling_Scale(in *v1beta1.Scale, out *autoscaling.Scale, s conversion.Scope) error {
...@@ -1461,24 +1467,24 @@ func autoConvert_autoscaling_ScaleStatus_To_v1beta1_ScaleStatus(in *autoscaling. ...@@ -1461,24 +1467,24 @@ func autoConvert_autoscaling_ScaleStatus_To_v1beta1_ScaleStatus(in *autoscaling.
return nil return nil
} }
func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error { func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.SupplementalGroupsStrategyType(in.Rule) out.Rule = policy.SupplementalGroupsStrategyType(in.Rule)
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions is an autogenerated conversion function. // Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
func Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error { func Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
return autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in, out, s) return autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in, out, s)
} }
func autoConvert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *extensions.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error { func autoConvert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *policy.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
out.Rule = v1beta1.SupplementalGroupsStrategyType(in.Rule) out.Rule = v1beta1.SupplementalGroupsStrategyType(in.Rule)
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions is an autogenerated conversion function. // Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
func Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *extensions.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error { func Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *policy.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
return autoConvert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in, out, s) return autoConvert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in, out, s)
} }
...@@ -14,15 +14,11 @@ go_library( ...@@ -14,15 +14,11 @@ go_library(
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/core/validation:go_default_library", "//pkg/apis/core/validation:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/extensions:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library", "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
], ],
...@@ -35,9 +31,6 @@ go_test( ...@@ -35,9 +31,6 @@ go_test(
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/extensions:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/github.com/davecgh/go-spew/spew:go_default_library", "//vendor/github.com/davecgh/go-spew/spew:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
......
...@@ -17,10 +17,7 @@ limitations under the License. ...@@ -17,10 +17,7 @@ limitations under the License.
package validation package validation
import ( import (
"fmt"
"net" "net"
"path/filepath"
"regexp" "regexp"
"strconv" "strconv"
"strings" "strings"
...@@ -30,15 +27,11 @@ import ( ...@@ -30,15 +27,11 @@ import (
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation" unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
"k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation"
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation" apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
) )
// ValidateDaemonSet tests if required fields in the DaemonSet are set. // ValidateDaemonSet tests if required fields in the DaemonSet are set.
...@@ -613,299 +606,3 @@ func ValidatePodTemplateSpecForReplicaSet(template *api.PodTemplateSpec, selecto ...@@ -613,299 +606,3 @@ func ValidatePodTemplateSpecForReplicaSet(template *api.PodTemplateSpec, selecto
} }
return allErrs return allErrs
} }
// ValidatePodSecurityPolicyName can be used to check whether the given
// pod security policy name is valid.
// Prefix indicates this name will be used as part of generation, in which case
// trailing dashes are allowed.
var ValidatePodSecurityPolicyName = apivalidation.NameIsDNSSubdomain
func ValidatePodSecurityPolicy(psp *extensions.PodSecurityPolicy) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&psp.ObjectMeta, false, ValidatePodSecurityPolicyName, field.NewPath("metadata"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(psp.Annotations, field.NewPath("metadata").Child("annotations"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&psp.Spec, field.NewPath("spec"))...)
return allErrs
}
func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...)
allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...)
allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...)
allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...)
allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
if len(spec.RequiredDropCapabilities) > 0 && hasCap(extensions.AllowAllCapabilities, spec.AllowedCapabilities) {
allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities,
"must be empty when all capabilities are allowed by a wildcard"))
}
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
allErrs = append(allErrs, validatePSPAllowedFlexVolumes(fldPath.Child("allowedFlexVolumes"), spec.AllowedFlexVolumes)...)
return allErrs
}
func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
if p := annotations[apparmor.DefaultProfileAnnotationKey]; p != "" {
if err := apparmor.ValidateProfileFormat(p); err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.DefaultProfileAnnotationKey), p, err.Error()))
}
}
if allowed := annotations[apparmor.AllowedProfilesAnnotationKey]; allowed != "" {
for _, p := range strings.Split(allowed, ",") {
if err := apparmor.ValidateProfileFormat(p); err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.AllowedProfilesAnnotationKey), allowed, err.Error()))
}
}
}
sysctlAnnotation := annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey]
sysctlFldPath := fldPath.Key(extensions.SysctlsPodSecurityPolicyAnnotationKey)
sysctls, err := extensions.SysctlsFromPodSecurityPolicyAnnotation(sysctlAnnotation)
if err != nil {
allErrs = append(allErrs, field.Invalid(sysctlFldPath, sysctlAnnotation, err.Error()))
} else {
allErrs = append(allErrs, validatePodSecurityPolicySysctls(sysctlFldPath, sysctls)...)
}
if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" {
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...)
}
if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
for _, p := range strings.Split(allowed, ",") {
if p == seccomp.AllowAny {
continue
}
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
}
}
return allErrs
}
// validatePSPAllowedHostPaths makes sure all allowed host paths follow:
// 1. path prefix is required
// 2. path prefix does not have any element which is ".."
func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []extensions.AllowedHostPath) field.ErrorList {
allErrs := field.ErrorList{}
for i, target := range allowedHostPaths {
if target.PathPrefix == "" {
allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
break
}
parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
for _, item := range parts {
if item == ".." {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
break // even for `../../..`, one error is sufficient to make the point
}
}
}
return allErrs
}
// validatePSPAllowedFlexVolumes
func validatePSPAllowedFlexVolumes(fldPath *field.Path, flexVolumes []extensions.AllowedFlexVolume) field.ErrorList {
allErrs := field.ErrorList{}
if len(flexVolumes) > 0 {
for idx, fv := range flexVolumes {
if len(fv.Driver) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("allowedFlexVolumes").Index(idx).Child("driver"),
"must specify a driver"))
}
}
}
return allErrs
}
// validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
func validatePSPSELinux(fldPath *field.Path, seLinux *extensions.SELinuxStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
// ensure the selinux strategy has a valid rule
supportedSELinuxRules := sets.NewString(string(extensions.SELinuxStrategyMustRunAs),
string(extensions.SELinuxStrategyRunAsAny))
if !supportedSELinuxRules.Has(string(seLinux.Rule)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), seLinux.Rule, supportedSELinuxRules.List()))
}
return allErrs
}
// validatePSPRunAsUser validates the RunAsUser fields of PodSecurityPolicy.
func validatePSPRunAsUser(fldPath *field.Path, runAsUser *extensions.RunAsUserStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
// ensure the user strategy has a valid rule
supportedRunAsUserRules := sets.NewString(string(extensions.RunAsUserStrategyMustRunAs),
string(extensions.RunAsUserStrategyMustRunAsNonRoot),
string(extensions.RunAsUserStrategyRunAsAny))
if !supportedRunAsUserRules.Has(string(runAsUser.Rule)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsUser.Rule, supportedRunAsUserRules.List()))
}
// validate range settings
for idx, rng := range runAsUser.Ranges {
allErrs = append(allErrs, validateUserIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
}
// validatePSPFSGroup validates the FSGroupStrategyOptions fields of the PodSecurityPolicy.
func validatePSPFSGroup(fldPath *field.Path, groupOptions *extensions.FSGroupStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
supportedRules := sets.NewString(
string(extensions.FSGroupStrategyMustRunAs),
string(extensions.FSGroupStrategyRunAsAny),
)
if !supportedRules.Has(string(groupOptions.Rule)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
}
for idx, rng := range groupOptions.Ranges {
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
}
// validatePSPSupplementalGroup validates the SupplementalGroupsStrategyOptions fields of the PodSecurityPolicy.
func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *extensions.SupplementalGroupsStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
supportedRules := sets.NewString(
string(extensions.SupplementalGroupsStrategyRunAsAny),
string(extensions.SupplementalGroupsStrategyMustRunAs),
)
if !supportedRules.Has(string(groupOptions.Rule)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
}
for idx, rng := range groupOptions.Ranges {
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
}
// validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy.
func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []extensions.FSType) field.ErrorList {
allErrs := field.ErrorList{}
allowed := psputil.GetAllFSTypesAsSet()
// add in the * value since that is a pseudo type that is not included by default
allowed.Insert(string(extensions.All))
for _, v := range volumes {
if !allowed.Has(string(v)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("volumes"), v, allowed.List()))
}
}
return allErrs
}
// validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
func validatePSPDefaultAllowPrivilegeEscalation(fldPath *field.Path, defaultAllowPrivilegeEscalation *bool, allowPrivilegeEscalation bool) field.ErrorList {
allErrs := field.ErrorList{}
if defaultAllowPrivilegeEscalation != nil && *defaultAllowPrivilegeEscalation && !allowPrivilegeEscalation {
allErrs = append(allErrs, field.Invalid(fldPath, defaultAllowPrivilegeEscalation, "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true"))
}
return allErrs
}
const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
const SysctlPatternFmt string = "(" + apivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt
var sysctlPatternRegexp = regexp.MustCompile("^" + SysctlPatternFmt + "$")
func IsValidSysctlPattern(name string) bool {
if len(name) > apivalidation.SysctlMaxLength {
return false
}
return sysctlPatternRegexp.MatchString(name)
}
// validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
allErrs := field.ErrorList{}
for i, s := range sysctls {
if !IsValidSysctlPattern(string(s)) {
allErrs = append(
allErrs,
field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
apivalidation.SysctlMaxLength,
SysctlPatternFmt,
)),
)
}
}
return allErrs
}
func validateUserIDRange(fldPath *field.Path, rng extensions.UserIDRange) field.ErrorList {
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
}
func validateGroupIDRange(fldPath *field.Path, rng extensions.GroupIDRange) field.ErrorList {
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
}
// validateIDRanges ensures the range is valid.
func validateIDRanges(fldPath *field.Path, min, max int64) field.ErrorList {
allErrs := field.ErrorList{}
// if 0 <= Min <= Max then we do not need to validate max. It is always greater than or
// equal to 0 and Min.
if min < 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be negative"))
}
if max < 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), max, "max cannot be negative"))
}
if min > max {
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be greater than max"))
}
return allErrs
}
// validatePSPCapsAgainstDrops ensures an allowed cap is not listed in the required drops.
func validatePSPCapsAgainstDrops(requiredDrops []api.Capability, capsToCheck []api.Capability, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
if requiredDrops == nil {
return allErrs
}
for _, cap := range capsToCheck {
if hasCap(cap, requiredDrops) {
allErrs = append(allErrs, field.Invalid(fldPath, cap,
fmt.Sprintf("capability is listed in %s and requiredDropCapabilities", fldPath.String())))
}
}
return allErrs
}
// hasCap checks for needle in haystack.
func hasCap(needle api.Capability, haystack []api.Capability) bool {
for _, c := range haystack {
if needle == c {
return true
}
}
return false
}
// ValidatePodSecurityPolicyUpdate validates a PSP for updates.
func ValidatePodSecurityPolicyUpdate(old *extensions.PodSecurityPolicy, new *extensions.PodSecurityPolicy) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(new.Annotations, field.NewPath("metadata").Child("annotations"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&new.Spec, field.NewPath("spec"))...)
return allErrs
}
...@@ -28,9 +28,6 @@ import ( ...@@ -28,9 +28,6 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
) )
func TestValidateDaemonSetStatusUpdate(t *testing.T) { func TestValidateDaemonSetStatusUpdate(t *testing.T) {
...@@ -2317,527 +2314,3 @@ func TestValidateReplicaSet(t *testing.T) { ...@@ -2317,527 +2314,3 @@ func TestValidateReplicaSet(t *testing.T) {
} }
} }
} }
func TestValidatePodSecurityPolicy(t *testing.T) {
validPSP := func() *extensions.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
Annotations: map[string]string{},
},
Spec: extensions.PodSecurityPolicySpec{
SELinux: extensions.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny,
},
RunAsUser: extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny,
},
FSGroup: extensions.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny,
},
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
},
AllowedHostPaths: []extensions.AllowedHostPath{
{PathPrefix: "/foo/bar"},
{PathPrefix: "/baz/"},
},
},
}
}
noUserOptions := validPSP()
noUserOptions.Spec.RunAsUser.Rule = ""
noSELinuxOptions := validPSP()
noSELinuxOptions.Spec.SELinux.Rule = ""
invalidUserStratType := validPSP()
invalidUserStratType.Spec.RunAsUser.Rule = "invalid"
invalidSELinuxStratType := validPSP()
invalidSELinuxStratType.Spec.SELinux.Rule = "invalid"
invalidUIDPSP := validPSP()
invalidUIDPSP.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
invalidUIDPSP.Spec.RunAsUser.Ranges = []extensions.UserIDRange{{Min: -1, Max: 1}}
missingObjectMetaName := validPSP()
missingObjectMetaName.ObjectMeta.Name = ""
noFSGroupOptions := validPSP()
noFSGroupOptions.Spec.FSGroup.Rule = ""
invalidFSGroupStratType := validPSP()
invalidFSGroupStratType.Spec.FSGroup.Rule = "invalid"
noSupplementalGroupsOptions := validPSP()
noSupplementalGroupsOptions.Spec.SupplementalGroups.Rule = ""
invalidSupGroupStratType := validPSP()
invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
invalidRangeMinGreaterThanMax := validPSP()
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
{Min: 2, Max: 1},
}
invalidRangeNegativeMin := validPSP()
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
{Min: -1, Max: 10},
}
invalidRangeNegativeMax := validPSP()
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
{Min: 1, Max: -10},
}
wildcardAllowedCapAndRequiredDrop := validPSP()
wildcardAllowedCapAndRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
wildcardAllowedCapAndRequiredDrop.Spec.AllowedCapabilities = []api.Capability{extensions.AllowAllCapabilities}
requiredCapAddAndDrop := validPSP()
requiredCapAddAndDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
requiredCapAddAndDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
allowedCapListedInRequiredDrop := validPSP()
allowedCapListedInRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
allowedCapListedInRequiredDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
invalidAppArmorDefault := validPSP()
invalidAppArmorDefault.Annotations = map[string]string{
apparmor.DefaultProfileAnnotationKey: "not-good",
}
invalidAppArmorAllowed := validPSP()
invalidAppArmorAllowed.Annotations = map[string]string{
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + ",not-good",
}
invalidSysctlPattern := validPSP()
invalidSysctlPattern.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "a.*.b"
invalidSeccompDefault := validPSP()
invalidSeccompDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "not-good",
}
invalidSeccompAllowAnyDefault := validPSP()
invalidSeccompAllowAnyDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "*",
}
invalidSeccompAllowed := validPSP()
invalidSeccompAllowed.Annotations = map[string]string{
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
}
invalidAllowedHostPathMissingPath := validPSP()
invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
{PathPrefix: ""},
}
invalidAllowedHostPathBacksteps := validPSP()
invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
{PathPrefix: "/dont/allow/backsteps/.."},
}
invalidDefaultAllowPrivilegeEscalation := validPSP()
pe := true
invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
emptyFlexDriver := validPSP()
emptyFlexDriver.Spec.Volumes = []extensions.FSType{extensions.FlexVolume}
emptyFlexDriver.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{{}}
nonEmptyFlexVolumes := validPSP()
nonEmptyFlexVolumes.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{{Driver: "example/driver"}}
type testCase struct {
psp *extensions.PodSecurityPolicy
errorType field.ErrorType
errorDetail string
}
errorCases := map[string]testCase{
"no user options": {
psp: noUserOptions,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
},
"no selinux options": {
psp: noSELinuxOptions,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"no fsgroup options": {
psp: noFSGroupOptions,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"no sup group options": {
psp: noSupplementalGroupsOptions,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"invalid user strategy type": {
psp: invalidUserStratType,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
},
"invalid selinux strategy type": {
psp: invalidSELinuxStratType,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"invalid sup group strategy type": {
psp: invalidSupGroupStratType,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"invalid fs group strategy type": {
psp: invalidFSGroupStratType,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"invalid uid": {
psp: invalidUIDPSP,
errorType: field.ErrorTypeInvalid,
errorDetail: "min cannot be negative",
},
"missing object meta name": {
psp: missingObjectMetaName,
errorType: field.ErrorTypeRequired,
errorDetail: "name or generateName is required",
},
"invalid range min greater than max": {
psp: invalidRangeMinGreaterThanMax,
errorType: field.ErrorTypeInvalid,
errorDetail: "min cannot be greater than max",
},
"invalid range negative min": {
psp: invalidRangeNegativeMin,
errorType: field.ErrorTypeInvalid,
errorDetail: "min cannot be negative",
},
"invalid range negative max": {
psp: invalidRangeNegativeMax,
errorType: field.ErrorTypeInvalid,
errorDetail: "max cannot be negative",
},
"non-empty required drops and all caps are allowed by a wildcard": {
psp: wildcardAllowedCapAndRequiredDrop,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be empty when all capabilities are allowed by a wildcard",
},
"invalid required caps": {
psp: requiredCapAddAndDrop,
errorType: field.ErrorTypeInvalid,
errorDetail: "capability is listed in defaultAddCapabilities and requiredDropCapabilities",
},
"allowed cap listed in required drops": {
psp: allowedCapListedInRequiredDrop,
errorType: field.ErrorTypeInvalid,
errorDetail: "capability is listed in allowedCapabilities and requiredDropCapabilities",
},
"invalid AppArmor default profile": {
psp: invalidAppArmorDefault,
errorType: field.ErrorTypeInvalid,
errorDetail: "invalid AppArmor profile name: \"not-good\"",
},
"invalid AppArmor allowed profile": {
psp: invalidAppArmorAllowed,
errorType: field.ErrorTypeInvalid,
errorDetail: "invalid AppArmor profile name: \"not-good\"",
},
"invalid sysctl pattern": {
psp: invalidSysctlPattern,
errorType: field.ErrorTypeInvalid,
errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
},
"invalid seccomp default profile": {
psp: invalidSeccompDefault,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid seccomp allow any default profile": {
psp: invalidSeccompAllowAnyDefault,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid seccomp allowed profile": {
psp: invalidSeccompAllowed,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid defaultAllowPrivilegeEscalation": {
psp: invalidDefaultAllowPrivilegeEscalation,
errorType: field.ErrorTypeInvalid,
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
},
"invalid allowed host path empty path": {
psp: invalidAllowedHostPathMissingPath,
errorType: field.ErrorTypeRequired,
errorDetail: "is required",
},
"invalid allowed host path with backsteps": {
psp: invalidAllowedHostPathBacksteps,
errorType: field.ErrorTypeInvalid,
errorDetail: "must not contain '..'",
},
"empty flex volume driver": {
psp: emptyFlexDriver,
errorType: field.ErrorTypeRequired,
errorDetail: "must specify a driver",
},
}
for k, v := range errorCases {
errs := ValidatePodSecurityPolicy(v.psp)
if len(errs) == 0 {
t.Errorf("%s expected errors but got none", k)
continue
}
if errs[0].Type != v.errorType {
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
}
if errs[0].Detail != v.errorDetail {
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
}
}
// Update error is different for 'missing object meta name'.
errorCases["missing object meta name"] = testCase{
psp: errorCases["missing object meta name"].psp,
errorType: field.ErrorTypeInvalid,
errorDetail: "field is immutable",
}
// Should not be able to update to an invalid policy.
for k, v := range errorCases {
v.psp.ResourceVersion = "444" // Required for updates.
errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp)
if len(errs) == 0 {
t.Errorf("[%s] expected update errors but got none", k)
continue
}
if errs[0].Type != v.errorType {
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
}
if errs[0].Detail != v.errorDetail {
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
}
}
mustRunAs := validPSP()
mustRunAs.Spec.FSGroup.Rule = extensions.FSGroupStrategyMustRunAs
mustRunAs.Spec.SupplementalGroups.Rule = extensions.SupplementalGroupsStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Ranges = []extensions.UserIDRange{
{Min: 1, Max: 1},
}
mustRunAs.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs
runAsNonRoot := validPSP()
runAsNonRoot.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAsNonRoot
caseInsensitiveAddDrop := validPSP()
caseInsensitiveAddDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
caseInsensitiveAddDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
caseInsensitiveAllowedDrop := validPSP()
caseInsensitiveAllowedDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
caseInsensitiveAllowedDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
validAppArmor := validPSP()
validAppArmor.Annotations = map[string]string{
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo",
}
withSysctl := validPSP()
withSysctl.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "net.*"
validSeccomp := validPSP()
validSeccomp.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "docker/default",
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*",
}
validDefaultAllowPrivilegeEscalation := validPSP()
pe = true
validDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
validDefaultAllowPrivilegeEscalation.Spec.AllowPrivilegeEscalation = true
flexvolumeWhenFlexVolumesAllowed := validPSP()
flexvolumeWhenFlexVolumesAllowed.Spec.Volumes = []extensions.FSType{extensions.FlexVolume}
flexvolumeWhenFlexVolumesAllowed.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{
{Driver: "example/driver1"},
}
flexvolumeWhenAllVolumesAllowed := validPSP()
flexvolumeWhenAllVolumesAllowed.Spec.Volumes = []extensions.FSType{extensions.All}
flexvolumeWhenAllVolumesAllowed.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{
{Driver: "example/driver2"},
}
successCases := map[string]struct {
psp *extensions.PodSecurityPolicy
}{
"must run as": {
psp: mustRunAs,
},
"run as any": {
psp: validPSP(),
},
"run as non-root (user only)": {
psp: runAsNonRoot,
},
"comparison for add -> drop is case sensitive": {
psp: caseInsensitiveAddDrop,
},
"comparison for allowed -> drop is case sensitive": {
psp: caseInsensitiveAllowedDrop,
},
"valid AppArmor annotations": {
psp: validAppArmor,
},
"with network sysctls": {
psp: withSysctl,
},
"valid seccomp annotations": {
psp: validSeccomp,
},
"valid defaultAllowPrivilegeEscalation as true": {
psp: validDefaultAllowPrivilegeEscalation,
},
"allow white-listed flexVolume when flex volumes are allowed": {
psp: flexvolumeWhenFlexVolumesAllowed,
},
"allow white-listed flexVolume when all volumes are allowed": {
psp: flexvolumeWhenAllVolumesAllowed,
},
}
for k, v := range successCases {
if errs := ValidatePodSecurityPolicy(v.psp); len(errs) != 0 {
t.Errorf("Expected success for %s, got %v", k, errs)
}
// Should be able to update to a valid PSP.
v.psp.ResourceVersion = "444" // Required for updates.
if errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp); len(errs) != 0 {
t.Errorf("Expected success for %s update, got %v", k, errs)
}
}
}
func TestValidatePSPVolumes(t *testing.T) {
validPSP := func() *extensions.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{Name: "foo"},
Spec: extensions.PodSecurityPolicySpec{
SELinux: extensions.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny,
},
RunAsUser: extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny,
},
FSGroup: extensions.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny,
},
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
},
},
}
}
volumes := psputil.GetAllFSTypesAsSet()
// add in the * value since that is a pseudo type that is not included by default
volumes.Insert(string(extensions.All))
for _, strVolume := range volumes.List() {
psp := validPSP()
psp.Spec.Volumes = []extensions.FSType{extensions.FSType(strVolume)}
errs := ValidatePodSecurityPolicy(psp)
if len(errs) != 0 {
t.Errorf("%s validation expected no errors but received %v", strVolume, errs)
}
}
}
func TestIsValidSysctlPattern(t *testing.T) {
valid := []string{
"a.b.c.d",
"a",
"a_b",
"a-b",
"abc",
"abc.def",
"*",
"a.*",
"*",
"abc*",
"a.abc*",
"a.b.*",
}
invalid := []string{
"",
"ä",
"a_",
"_",
"_a",
"_a._b",
"__",
"-",
".",
"a.",
".a",
"a.b.",
"a*.b",
"a*b",
"*a",
"Abc",
func(n int) string {
x := make([]byte, n)
for i := range x {
x[i] = byte('a')
}
return string(x)
}(256),
}
for _, s := range valid {
if !IsValidSysctlPattern(s) {
t.Errorf("%q expected to be a valid sysctl pattern", s)
}
}
for _, s := range invalid {
if IsValidSysctlPattern(s) {
t.Errorf("%q expected to be an invalid sysctl pattern", s)
}
}
}
func Test_validatePSPRunAsUser(t *testing.T) {
var testCases = []struct {
name string
runAsUserStrategy extensions.RunAsUserStrategyOptions
fail bool
}{
{"Invalid RunAsUserStrategy", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategy("someInvalidStrategy")}, true},
{"RunAsUserStrategyMustRunAs", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs}, false},
{"RunAsUserStrategyMustRunAsNonRoot", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAsNonRoot}, false},
{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs, Ranges: []extensions.UserIDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs, Ranges: []extensions.UserIDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
errList := validatePSPRunAsUser(field.NewPath("status"), &testCase.runAsUserStrategy)
actualErrors := len(errList)
expectedErrors := 1
if !testCase.fail {
expectedErrors = 0
}
if actualErrors != expectedErrors {
t.Errorf("In testCase %v, expected %v errors, got %v errors", testCase.name, expectedErrors, actualErrors)
}
})
}
}
...@@ -23,42 +23,9 @@ package extensions ...@@ -23,42 +23,9 @@ package extensions
import ( import (
v1 "k8s.io/apimachinery/pkg/apis/meta/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
core "k8s.io/kubernetes/pkg/apis/core"
) )
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.
func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume {
if in == nil {
return nil
}
out := new(AllowedFlexVolume)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
if in == nil {
return nil
}
out := new(AllowedHostPath)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) { func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
*out = *in *out = *in
out.CurrentValue = in.CurrentValue.DeepCopy() out.CurrentValue = in.CurrentValue.DeepCopy()
...@@ -533,43 +500,6 @@ func (in *DeploymentStrategy) DeepCopy() *DeploymentStrategy { ...@@ -533,43 +500,6 @@ func (in *DeploymentStrategy) DeepCopy() *DeploymentStrategy {
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions) {
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]GroupIDRange, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions {
if in == nil {
return nil
}
out := new(FSGroupStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GroupIDRange) DeepCopyInto(out *GroupIDRange) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupIDRange.
func (in *GroupIDRange) DeepCopy() *GroupIDRange {
if in == nil {
return nil
}
out := new(GroupIDRange)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HTTPIngressPath) DeepCopyInto(out *HTTPIngressPath) { func (in *HTTPIngressPath) DeepCopyInto(out *HTTPIngressPath) {
*out = *in *out = *in
out.Backend = in.Backend out.Backend = in.Backend
...@@ -608,22 +538,6 @@ func (in *HTTPIngressRuleValue) DeepCopy() *HTTPIngressRuleValue { ...@@ -608,22 +538,6 @@ func (in *HTTPIngressRuleValue) DeepCopy() *HTTPIngressRuleValue {
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HostPortRange) DeepCopyInto(out *HostPortRange) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.
func (in *HostPortRange) DeepCopy() *HostPortRange {
if in == nil {
return nil
}
out := new(HostPortRange)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Ingress) DeepCopyInto(out *Ingress) { func (in *Ingress) DeepCopyInto(out *Ingress) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
...@@ -821,130 +735,6 @@ func (in *IngressTLS) DeepCopy() *IngressTLS { ...@@ -821,130 +735,6 @@ func (in *IngressTLS) DeepCopy() *IngressTLS {
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.
func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy {
if in == nil {
return nil
}
out := new(PodSecurityPolicy)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList) {
*out = *in
out.TypeMeta = in.TypeMeta
out.ListMeta = in.ListMeta
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]PodSecurityPolicy, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.
func (in *PodSecurityPolicyList) DeepCopy() *PodSecurityPolicyList {
if in == nil {
return nil
}
out := new(PodSecurityPolicyList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
*out = *in
if in.DefaultAddCapabilities != nil {
in, out := &in.DefaultAddCapabilities, &out.DefaultAddCapabilities
*out = make([]core.Capability, len(*in))
copy(*out, *in)
}
if in.RequiredDropCapabilities != nil {
in, out := &in.RequiredDropCapabilities, &out.RequiredDropCapabilities
*out = make([]core.Capability, len(*in))
copy(*out, *in)
}
if in.AllowedCapabilities != nil {
in, out := &in.AllowedCapabilities, &out.AllowedCapabilities
*out = make([]core.Capability, len(*in))
copy(*out, *in)
}
if in.Volumes != nil {
in, out := &in.Volumes, &out.Volumes
*out = make([]FSType, len(*in))
copy(*out, *in)
}
if in.HostPorts != nil {
in, out := &in.HostPorts, &out.HostPorts
*out = make([]HostPortRange, len(*in))
copy(*out, *in)
}
in.SELinux.DeepCopyInto(&out.SELinux)
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
in.FSGroup.DeepCopyInto(&out.FSGroup)
if in.DefaultAllowPrivilegeEscalation != nil {
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
if in.AllowedHostPaths != nil {
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
*out = make([]AllowedHostPath, len(*in))
copy(*out, *in)
}
if in.AllowedFlexVolumes != nil {
in, out := &in.AllowedFlexVolumes, &out.AllowedFlexVolumes
*out = make([]AllowedFlexVolume, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.
func (in *PodSecurityPolicySpec) DeepCopy() *PodSecurityPolicySpec {
if in == nil {
return nil
}
out := new(PodSecurityPolicySpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ReplicaSet) DeepCopyInto(out *ReplicaSet) { func (in *ReplicaSet) DeepCopyInto(out *ReplicaSet) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
...@@ -1146,86 +936,3 @@ func (in *RollingUpdateDeployment) DeepCopy() *RollingUpdateDeployment { ...@@ -1146,86 +936,3 @@ func (in *RollingUpdateDeployment) DeepCopy() *RollingUpdateDeployment {
in.DeepCopyInto(out) in.DeepCopyInto(out)
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) {
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]UserIDRange, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions {
if in == nil {
return nil
}
out := new(RunAsUserStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions) {
*out = *in
if in.SELinuxOptions != nil {
in, out := &in.SELinuxOptions, &out.SELinuxOptions
if *in == nil {
*out = nil
} else {
*out = new(core.SELinuxOptions)
**out = **in
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.
func (in *SELinuxStrategyOptions) DeepCopy() *SELinuxStrategyOptions {
if in == nil {
return nil
}
out := new(SELinuxStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions) {
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]GroupIDRange, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions {
if in == nil {
return nil
}
out := new(SupplementalGroupsStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *UserIDRange) DeepCopyInto(out *UserIDRange) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserIDRange.
func (in *UserIDRange) DeepCopy() *UserIDRange {
if in == nil {
return nil
}
out := new(UserIDRange)
in.DeepCopyInto(out)
return out
}
...@@ -3,19 +3,21 @@ package(default_visibility = ["//visibility:public"]) ...@@ -3,19 +3,21 @@ package(default_visibility = ["//visibility:public"])
load( load(
"@io_bazel_rules_go//go:def.bzl", "@io_bazel_rules_go//go:def.bzl",
"go_library", "go_library",
"go_test",
) )
go_library( go_library(
name = "go_default_library", name = "go_default_library",
srcs = [ srcs = [
"doc.go", "doc.go",
"helpers.go",
"register.go", "register.go",
"types.go", "types.go",
"zz_generated.deepcopy.go", "zz_generated.deepcopy.go",
], ],
importpath = "k8s.io/kubernetes/pkg/apis/policy", importpath = "k8s.io/kubernetes/pkg/apis/policy",
deps = [ deps = [
"//pkg/apis/extensions:go_default_library", "//pkg/apis/core:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
...@@ -41,3 +43,9 @@ filegroup( ...@@ -41,3 +43,9 @@ filegroup(
], ],
tags = ["automanaged"], tags = ["automanaged"],
) )
go_test(
name = "go_default_test",
srcs = ["helpers_test.go"],
embed = [":go_default_library"],
)
...@@ -30,5 +30,33 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} { ...@@ -30,5 +30,33 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
c.FuzzNoCustom(s) // fuzz self without calling this function again c.FuzzNoCustom(s) // fuzz self without calling this function again
s.PodDisruptionsAllowed = int32(c.Rand.Intn(2)) s.PodDisruptionsAllowed = int32(c.Rand.Intn(2))
}, },
func(psp *policy.PodSecurityPolicySpec, c fuzz.Continue) {
c.FuzzNoCustom(psp) // fuzz self without calling this function again
runAsUserRules := []policy.RunAsUserStrategy{
policy.RunAsUserStrategyMustRunAsNonRoot,
policy.RunAsUserStrategyMustRunAs,
policy.RunAsUserStrategyRunAsAny,
}
psp.RunAsUser.Rule = runAsUserRules[c.Rand.Intn(len(runAsUserRules))]
seLinuxRules := []policy.SELinuxStrategy{
policy.SELinuxStrategyMustRunAs,
policy.SELinuxStrategyRunAsAny,
}
psp.SELinux.Rule = seLinuxRules[c.Rand.Intn(len(seLinuxRules))]
supplementalGroupsRules := []policy.SupplementalGroupsStrategyType{
policy.SupplementalGroupsStrategyRunAsAny,
policy.SupplementalGroupsStrategyMustRunAs,
}
psp.SupplementalGroups.Rule = supplementalGroupsRules[c.Rand.Intn(len(supplementalGroupsRules))]
fsGroupRules := []policy.FSGroupStrategyType{
policy.FSGroupStrategyMustRunAs,
policy.FSGroupStrategyRunAsAny,
}
psp.FSGroup.Rule = fsGroupRules[c.Rand.Intn(len(fsGroupRules))]
},
} }
} }
...@@ -14,14 +14,14 @@ See the License for the specific language governing permissions and ...@@ -14,14 +14,14 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package extensions package policy
import ( import (
"strings" "strings"
) )
// SysctlsFromPodSecurityPolicyAnnotation parses an annotation value of the key // SysctlsFromPodSecurityPolicyAnnotation parses an annotation value of the key
// SysctlsSecurityPolocyAnnotationKey into a slice of sysctls. An empty slice // SysctlsSecurityPolicyAnnotationKey into a slice of sysctls. An empty slice
// is returned if annotation is the empty string. // is returned if annotation is the empty string.
func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error) { func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error) {
if len(annotation) == 0 { if len(annotation) == 0 {
......
...@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and ...@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package extensions package policy
import ( import (
"reflect" "reflect"
......
...@@ -19,7 +19,6 @@ package policy ...@@ -19,7 +19,6 @@ package policy
import ( import (
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/apis/extensions"
) )
// GroupName is the group name use in this package // GroupName is the group name use in this package
...@@ -49,8 +48,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { ...@@ -49,8 +48,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion, scheme.AddKnownTypes(SchemeGroupVersion,
&PodDisruptionBudget{}, &PodDisruptionBudget{},
&PodDisruptionBudgetList{}, &PodDisruptionBudgetList{},
&extensions.PodSecurityPolicy{}, &PodSecurityPolicy{},
&extensions.PodSecurityPolicyList{}, &PodSecurityPolicyList{},
&Eviction{}, &Eviction{},
) )
return nil return nil
......
...@@ -19,6 +19,14 @@ package policy ...@@ -19,6 +19,14 @@ package policy
import ( import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
api "k8s.io/kubernetes/pkg/apis/core"
)
const (
// SysctlsPodSecurityPolicyAnnotationKey represents the key of a whitelist of
// allowed safe and unsafe sysctls in a pod spec. It's a comma-separated list of plain sysctl
// names or sysctl patterns (which end in *). The string "*" matches all sysctls.
SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
) )
// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. // PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
...@@ -122,3 +130,271 @@ type Eviction struct { ...@@ -122,3 +130,271 @@ type Eviction struct {
// +optional // +optional
DeleteOptions *metav1.DeleteOptions DeleteOptions *metav1.DeleteOptions
} }
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicy governs the ability to make requests that affect the SecurityContext
// that will be applied to a pod and container.
type PodSecurityPolicy struct {
metav1.TypeMeta
// +optional
metav1.ObjectMeta
// Spec defines the policy enforced.
// +optional
Spec PodSecurityPolicySpec
}
// PodSecurityPolicySpec defines the policy enforced.
type PodSecurityPolicySpec struct {
// Privileged determines if a pod can request to be run as privileged.
// +optional
Privileged bool
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capability in both
// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
// allowed, and need not be included in the AllowedCapabilities list.
// +optional
DefaultAddCapabilities []api.Capability
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
// are required to be dropped and cannot be added.
// +optional
RequiredDropCapabilities []api.Capability
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
// Capabilities in this field may be added at the pod author's discretion.
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
// To allow all capabilities you may use '*'.
// +optional
AllowedCapabilities []api.Capability
// Volumes is a white list of allowed volume plugins. Empty indicates that
// no volumes may be used. To allow all volumes you may use '*'.
// +optional
Volumes []FSType
// HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
// +optional
HostNetwork bool
// HostPorts determines which host port ranges are allowed to be exposed.
// +optional
HostPorts []HostPortRange
// HostPID determines if the policy allows the use of HostPID in the pod spec.
// +optional
HostPID bool
// HostIPC determines if the policy allows the use of HostIPC in the pod spec.
// +optional
HostIPC bool
// SELinux is the strategy that will dictate the allowable labels that may be set.
SELinux SELinuxStrategyOptions
// RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
RunAsUser RunAsUserStrategyOptions
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
SupplementalGroups SupplementalGroupsStrategyOptions
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
FSGroup FSGroupStrategyOptions
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
// system. If the container specifically requests to run with a non-read only root file system
// the PSP should deny the pod.
// If set to false the container may run with a read only root file system if it wishes but it
// will not be forced to.
// +optional
ReadOnlyRootFilesystem bool
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than its parent process.
// +optional
DefaultAllowPrivilegeEscalation *bool
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation. If unspecified, defaults to true.
// +optional
AllowPrivilegeEscalation bool
// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
// +optional
AllowedHostPaths []AllowedHostPath
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
// is allowed in the "Volumes" field.
// +optional
AllowedFlexVolumes []AllowedFlexVolume
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
// for pods to use. It requires the path prefix to be defined.
type AllowedHostPath struct {
// PathPrefix is the path prefix that the host volume must match.
// PathPrefix does not support `*`.
// Trailing slashes are trimmed when validating the path prefix with a host path.
//
// Examples:
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
// `/foo` would not allow `/food` or `/etc/foo`
PathPrefix string
}
// HostPortRange defines a range of host ports that will be enabled by a policy
// for pods to use. It requires both the start and end to be defined.
type HostPortRange struct {
// Min is the start of the range, inclusive.
Min int32
// Max is the end of the range, inclusive.
Max int32
}
// AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities
// field and means that any capabilities are allowed to be requested.
var AllowAllCapabilities api.Capability = "*"
// FSType gives strong typing to different file systems that are used by volumes.
type FSType string
var (
AzureFile FSType = "azureFile"
Flocker FSType = "flocker"
FlexVolume FSType = "flexVolume"
HostPath FSType = "hostPath"
EmptyDir FSType = "emptyDir"
GCEPersistentDisk FSType = "gcePersistentDisk"
AWSElasticBlockStore FSType = "awsElasticBlockStore"
GitRepo FSType = "gitRepo"
Secret FSType = "secret"
NFS FSType = "nfs"
ISCSI FSType = "iscsi"
Glusterfs FSType = "glusterfs"
PersistentVolumeClaim FSType = "persistentVolumeClaim"
RBD FSType = "rbd"
Cinder FSType = "cinder"
CephFS FSType = "cephFS"
DownwardAPI FSType = "downwardAPI"
FC FSType = "fc"
ConfigMap FSType = "configMap"
VsphereVolume FSType = "vsphereVolume"
Quobyte FSType = "quobyte"
AzureDisk FSType = "azureDisk"
PhotonPersistentDisk FSType = "photonPersistentDisk"
StorageOS FSType = "storageos"
Projected FSType = "projected"
PortworxVolume FSType = "portworxVolume"
ScaleIO FSType = "scaleIO"
CSI FSType = "csi"
All FSType = "*"
)
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
type AllowedFlexVolume struct {
// Driver is the name of the Flexvolume driver.
Driver string
}
// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
type SELinuxStrategyOptions struct {
// Rule is the strategy that will dictate the allowable labels that may be set.
Rule SELinuxStrategy
// SELinuxOptions required to run as; required for MustRunAs
// More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
// +optional
SELinuxOptions *api.SELinuxOptions
}
// SELinuxStrategy denotes strategy types for generating SELinux options for a
// Security.
type SELinuxStrategy string
const (
// SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
// SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
)
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
type RunAsUserStrategyOptions struct {
// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
Rule RunAsUserStrategy
// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
// then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []UserIDRange
}
// UserIDRange provides a min/max of an allowed range of UserIDs.
type UserIDRange struct {
// Min is the start of the range, inclusive.
Min int64
// Max is the end of the range, inclusive.
Max int64
}
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
type GroupIDRange struct {
// Min is the start of the range, inclusive.
Min int64
// Max is the end of the range, inclusive.
Max int64
}
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
// SecurityContext.
type RunAsUserStrategy string
const (
// RunAsUserStrategyMustRunAs means that container must run as a particular uid.
RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
// RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid
RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
// RunAsUserStrategyRunAsAny means that container may make requests for any uid.
RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
)
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
type FSGroupStrategyOptions struct {
// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
// +optional
Rule FSGroupStrategyType
// Ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []GroupIDRange
}
// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
// SecurityContext
type FSGroupStrategyType string
const (
// FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.
FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
// FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
)
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
type SupplementalGroupsStrategyOptions struct {
// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
// +optional
Rule SupplementalGroupsStrategyType
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
// +optional
Ranges []GroupIDRange
}
// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
// groups for a SecurityContext.
type SupplementalGroupsStrategyType string
const (
// SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
// SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
type PodSecurityPolicyList struct {
metav1.TypeMeta
// +optional
metav1.ListMeta
Items []PodSecurityPolicy
}
...@@ -17,7 +17,6 @@ go_library( ...@@ -17,7 +17,6 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/apis/policy/v1beta1", importpath = "k8s.io/kubernetes/pkg/apis/policy/v1beta1",
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//pkg/apis/policy:go_default_library", "//pkg/apis/policy:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library", "//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/api/policy/v1beta1:go_default_library", "//vendor/k8s.io/api/policy/v1beta1:go_default_library",
......
...@@ -15,7 +15,6 @@ limitations under the License. ...@@ -15,7 +15,6 @@ limitations under the License.
*/ */
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/policy // +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/policy
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/extensions
// +k8s:conversion-gen-external-types=k8s.io/api/policy/v1beta1 // +k8s:conversion-gen-external-types=k8s.io/api/policy/v1beta1
// +k8s:defaulter-gen=TypeMeta // +k8s:defaulter-gen=TypeMeta
// +k8s:defaulter-gen-input=../../../../vendor/k8s.io/api/policy/v1beta1 // +k8s:defaulter-gen-input=../../../../vendor/k8s.io/api/policy/v1beta1
......
...@@ -30,7 +30,6 @@ import ( ...@@ -30,7 +30,6 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
intstr "k8s.io/apimachinery/pkg/util/intstr" intstr "k8s.io/apimachinery/pkg/util/intstr"
core "k8s.io/kubernetes/pkg/apis/core" core "k8s.io/kubernetes/pkg/apis/core"
extensions "k8s.io/kubernetes/pkg/apis/extensions"
policy "k8s.io/kubernetes/pkg/apis/policy" policy "k8s.io/kubernetes/pkg/apis/policy"
) )
...@@ -42,16 +41,16 @@ func init() { ...@@ -42,16 +41,16 @@ func init() {
// Public to allow building arbitrary schemes. // Public to allow building arbitrary schemes.
func RegisterConversions(scheme *runtime.Scheme) error { func RegisterConversions(scheme *runtime.Scheme) error {
return scheme.AddGeneratedConversionFuncs( return scheme.AddGeneratedConversionFuncs(
Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume, Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume,
Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume, Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume,
Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath, Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath,
Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath, Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath,
Convert_v1beta1_Eviction_To_policy_Eviction, Convert_v1beta1_Eviction_To_policy_Eviction,
Convert_policy_Eviction_To_v1beta1_Eviction, Convert_policy_Eviction_To_v1beta1_Eviction,
Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions, Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions,
Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions, Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions,
Convert_v1beta1_HostPortRange_To_extensions_HostPortRange, Convert_v1beta1_HostPortRange_To_policy_HostPortRange,
Convert_extensions_HostPortRange_To_v1beta1_HostPortRange, Convert_policy_HostPortRange_To_v1beta1_HostPortRange,
Convert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget, Convert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget,
Convert_policy_PodDisruptionBudget_To_v1beta1_PodDisruptionBudget, Convert_policy_PodDisruptionBudget_To_v1beta1_PodDisruptionBudget,
Convert_v1beta1_PodDisruptionBudgetList_To_policy_PodDisruptionBudgetList, Convert_v1beta1_PodDisruptionBudgetList_To_policy_PodDisruptionBudgetList,
...@@ -60,59 +59,59 @@ func RegisterConversions(scheme *runtime.Scheme) error { ...@@ -60,59 +59,59 @@ func RegisterConversions(scheme *runtime.Scheme) error {
Convert_policy_PodDisruptionBudgetSpec_To_v1beta1_PodDisruptionBudgetSpec, Convert_policy_PodDisruptionBudgetSpec_To_v1beta1_PodDisruptionBudgetSpec,
Convert_v1beta1_PodDisruptionBudgetStatus_To_policy_PodDisruptionBudgetStatus, Convert_v1beta1_PodDisruptionBudgetStatus_To_policy_PodDisruptionBudgetStatus,
Convert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStatus, Convert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStatus,
Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy, Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy,
Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy, Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy,
Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList, Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList,
Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList, Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList,
Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec, Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec,
Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec, Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions, Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions,
Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions, Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions,
Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions, Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions,
Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions, Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions,
Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions, Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions,
Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions, Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions,
) )
} }
func autoConvert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *extensions.AllowedFlexVolume, s conversion.Scope) error { func autoConvert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *policy.AllowedFlexVolume, s conversion.Scope) error {
out.Driver = in.Driver out.Driver = in.Driver
return nil return nil
} }
// Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume is an autogenerated conversion function. // Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume is an autogenerated conversion function.
func Convert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *extensions.AllowedFlexVolume, s conversion.Scope) error { func Convert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in *v1beta1.AllowedFlexVolume, out *policy.AllowedFlexVolume, s conversion.Scope) error {
return autoConvert_v1beta1_AllowedFlexVolume_To_extensions_AllowedFlexVolume(in, out, s) return autoConvert_v1beta1_AllowedFlexVolume_To_policy_AllowedFlexVolume(in, out, s)
} }
func autoConvert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *extensions.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error { func autoConvert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *policy.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
out.Driver = in.Driver out.Driver = in.Driver
return nil return nil
} }
// Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume is an autogenerated conversion function. // Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume is an autogenerated conversion function.
func Convert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *extensions.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error { func Convert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in *policy.AllowedFlexVolume, out *v1beta1.AllowedFlexVolume, s conversion.Scope) error {
return autoConvert_extensions_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in, out, s) return autoConvert_policy_AllowedFlexVolume_To_v1beta1_AllowedFlexVolume(in, out, s)
} }
func autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error { func autoConvert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in *v1beta1.AllowedHostPath, out *policy.AllowedHostPath, s conversion.Scope) error {
out.PathPrefix = in.PathPrefix out.PathPrefix = in.PathPrefix
return nil return nil
} }
// Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath is an autogenerated conversion function. // Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath is an autogenerated conversion function.
func Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error { func Convert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in *v1beta1.AllowedHostPath, out *policy.AllowedHostPath, s conversion.Scope) error {
return autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in, out, s) return autoConvert_v1beta1_AllowedHostPath_To_policy_AllowedHostPath(in, out, s)
} }
func autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error { func autoConvert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in *policy.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
out.PathPrefix = in.PathPrefix out.PathPrefix = in.PathPrefix
return nil return nil
} }
// Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function. // Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
func Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error { func Convert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in *policy.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
return autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s) return autoConvert_policy_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
} }
func autoConvert_v1beta1_Eviction_To_policy_Eviction(in *v1beta1.Eviction, out *policy.Eviction, s conversion.Scope) error { func autoConvert_v1beta1_Eviction_To_policy_Eviction(in *v1beta1.Eviction, out *policy.Eviction, s conversion.Scope) error {
...@@ -137,48 +136,48 @@ func Convert_policy_Eviction_To_v1beta1_Eviction(in *policy.Eviction, out *v1bet ...@@ -137,48 +136,48 @@ func Convert_policy_Eviction_To_v1beta1_Eviction(in *policy.Eviction, out *v1bet
return autoConvert_policy_Eviction_To_v1beta1_Eviction(in, out, s) return autoConvert_policy_Eviction_To_v1beta1_Eviction(in, out, s)
} }
func autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error { func autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.FSGroupStrategyType(in.Rule) out.Rule = policy.FSGroupStrategyType(in.Rule)
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions is an autogenerated conversion function. // Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions is an autogenerated conversion function.
func Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error { func Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in *v1beta1.FSGroupStrategyOptions, out *policy.FSGroupStrategyOptions, s conversion.Scope) error {
return autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in, out, s) return autoConvert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(in, out, s)
} }
func autoConvert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *extensions.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error { func autoConvert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *policy.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
out.Rule = v1beta1.FSGroupStrategyType(in.Rule) out.Rule = v1beta1.FSGroupStrategyType(in.Rule)
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions is an autogenerated conversion function. // Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions is an autogenerated conversion function.
func Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *extensions.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error { func Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in *policy.FSGroupStrategyOptions, out *v1beta1.FSGroupStrategyOptions, s conversion.Scope) error {
return autoConvert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in, out, s) return autoConvert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(in, out, s)
} }
func autoConvert_v1beta1_HostPortRange_To_extensions_HostPortRange(in *v1beta1.HostPortRange, out *extensions.HostPortRange, s conversion.Scope) error { func autoConvert_v1beta1_HostPortRange_To_policy_HostPortRange(in *v1beta1.HostPortRange, out *policy.HostPortRange, s conversion.Scope) error {
out.Min = in.Min out.Min = in.Min
out.Max = in.Max out.Max = in.Max
return nil return nil
} }
// Convert_v1beta1_HostPortRange_To_extensions_HostPortRange is an autogenerated conversion function. // Convert_v1beta1_HostPortRange_To_policy_HostPortRange is an autogenerated conversion function.
func Convert_v1beta1_HostPortRange_To_extensions_HostPortRange(in *v1beta1.HostPortRange, out *extensions.HostPortRange, s conversion.Scope) error { func Convert_v1beta1_HostPortRange_To_policy_HostPortRange(in *v1beta1.HostPortRange, out *policy.HostPortRange, s conversion.Scope) error {
return autoConvert_v1beta1_HostPortRange_To_extensions_HostPortRange(in, out, s) return autoConvert_v1beta1_HostPortRange_To_policy_HostPortRange(in, out, s)
} }
func autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error { func autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
out.Min = in.Min out.Min = in.Min
out.Max = in.Max out.Max = in.Max
return nil return nil
} }
// Convert_extensions_HostPortRange_To_v1beta1_HostPortRange is an autogenerated conversion function. // Convert_policy_HostPortRange_To_v1beta1_HostPortRange is an autogenerated conversion function.
func Convert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error { func Convert_policy_HostPortRange_To_v1beta1_HostPortRange(in *policy.HostPortRange, out *v1beta1.HostPortRange, s conversion.Scope) error {
return autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in, out, s) return autoConvert_policy_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
} }
func autoConvert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget(in *v1beta1.PodDisruptionBudget, out *policy.PodDisruptionBudget, s conversion.Scope) error { func autoConvert_v1beta1_PodDisruptionBudget_To_policy_PodDisruptionBudget(in *v1beta1.PodDisruptionBudget, out *policy.PodDisruptionBudget, s conversion.Scope) error {
...@@ -289,39 +288,39 @@ func Convert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStat ...@@ -289,39 +288,39 @@ func Convert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStat
return autoConvert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStatus(in, out, s) return autoConvert_policy_PodDisruptionBudgetStatus_To_v1beta1_PodDisruptionBudgetStatus(in, out, s)
} }
func autoConvert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *extensions.PodSecurityPolicy, s conversion.Scope) error { func autoConvert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *policy.PodSecurityPolicy, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta out.ObjectMeta = in.ObjectMeta
if err := Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil { if err := Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
return err return err
} }
return nil return nil
} }
// Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy is an autogenerated conversion function. // Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *extensions.PodSecurityPolicy, s conversion.Scope) error { func Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy, out *policy.PodSecurityPolicy, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(in, out, s) return autoConvert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(in, out, s)
} }
func autoConvert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *extensions.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error { func autoConvert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *policy.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta out.ObjectMeta = in.ObjectMeta
if err := Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil { if err := Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(&in.Spec, &out.Spec, s); err != nil {
return err return err
} }
return nil return nil
} }
// Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy is an autogenerated conversion function. // Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy is an autogenerated conversion function.
func Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *extensions.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error { func Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in *policy.PodSecurityPolicy, out *v1beta1.PodSecurityPolicy, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in, out, s) return autoConvert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(in, out, s)
} }
func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *extensions.PodSecurityPolicyList, s conversion.Scope) error { func autoConvert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *policy.PodSecurityPolicyList, s conversion.Scope) error {
out.ListMeta = in.ListMeta out.ListMeta = in.ListMeta
if in.Items != nil { if in.Items != nil {
in, out := &in.Items, &out.Items in, out := &in.Items, &out.Items
*out = make([]extensions.PodSecurityPolicy, len(*in)) *out = make([]policy.PodSecurityPolicy, len(*in))
for i := range *in { for i := range *in {
if err := Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil { if err := Convert_v1beta1_PodSecurityPolicy_To_policy_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
return err return err
} }
} }
...@@ -331,18 +330,18 @@ func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyLi ...@@ -331,18 +330,18 @@ func autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyLi
return nil return nil
} }
// Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList is an autogenerated conversion function. // Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *extensions.PodSecurityPolicyList, s conversion.Scope) error { func Convert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList, out *policy.PodSecurityPolicyList, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityPolicyList_To_extensions_PodSecurityPolicyList(in, out, s) return autoConvert_v1beta1_PodSecurityPolicyList_To_policy_PodSecurityPolicyList(in, out, s)
} }
func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *extensions.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error { func autoConvert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *policy.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
out.ListMeta = in.ListMeta out.ListMeta = in.ListMeta
if in.Items != nil { if in.Items != nil {
in, out := &in.Items, &out.Items in, out := &in.Items, &out.Items
*out = make([]v1beta1.PodSecurityPolicy, len(*in)) *out = make([]v1beta1.PodSecurityPolicy, len(*in))
for i := range *in { for i := range *in {
if err := Convert_extensions_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil { if err := Convert_policy_PodSecurityPolicy_To_v1beta1_PodSecurityPolicy(&(*in)[i], &(*out)[i], s); err != nil {
return err return err
} }
} }
...@@ -352,31 +351,31 @@ func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyLi ...@@ -352,31 +351,31 @@ func autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyLi
return nil return nil
} }
// Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList is an autogenerated conversion function. // Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList is an autogenerated conversion function.
func Convert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *extensions.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error { func Convert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in *policy.PodSecurityPolicyList, out *v1beta1.PodSecurityPolicyList, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in, out, s) return autoConvert_policy_PodSecurityPolicyList_To_v1beta1_PodSecurityPolicyList(in, out, s)
} }
func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *extensions.PodSecurityPolicySpec, s conversion.Scope) error { func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *policy.PodSecurityPolicySpec, s conversion.Scope) error {
out.Privileged = in.Privileged out.Privileged = in.Privileged
out.DefaultAddCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities)) out.DefaultAddCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
out.RequiredDropCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities)) out.RequiredDropCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
out.AllowedCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.AllowedCapabilities)) out.AllowedCapabilities = *(*[]core.Capability)(unsafe.Pointer(&in.AllowedCapabilities))
out.Volumes = *(*[]extensions.FSType)(unsafe.Pointer(&in.Volumes)) out.Volumes = *(*[]policy.FSType)(unsafe.Pointer(&in.Volumes))
out.HostNetwork = in.HostNetwork out.HostNetwork = in.HostNetwork
out.HostPorts = *(*[]extensions.HostPortRange)(unsafe.Pointer(&in.HostPorts)) out.HostPorts = *(*[]policy.HostPortRange)(unsafe.Pointer(&in.HostPorts))
out.HostPID = in.HostPID out.HostPID = in.HostPID
out.HostIPC = in.HostIPC out.HostIPC = in.HostIPC
if err := Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil { if err := Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
return err return err
} }
if err := Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil { if err := Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
return err return err
} }
if err := Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil { if err := Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
return err return err
} }
if err := Convert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil { if err := Convert_v1beta1_FSGroupStrategyOptions_To_policy_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
return err return err
} }
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
...@@ -384,17 +383,17 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp ...@@ -384,17 +383,17 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil { if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
return err return err
} }
out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths)) out.AllowedHostPaths = *(*[]policy.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
out.AllowedFlexVolumes = *(*[]extensions.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes)) out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
return nil return nil
} }
// Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec is an autogenerated conversion function. // Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *extensions.PodSecurityPolicySpec, s conversion.Scope) error { func Convert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in *v1beta1.PodSecurityPolicySpec, out *policy.PodSecurityPolicySpec, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySpec(in, out, s) return autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(in, out, s)
} }
func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error { func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *policy.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
out.Privileged = in.Privileged out.Privileged = in.Privileged
out.DefaultAddCapabilities = *(*[]core_v1.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities)) out.DefaultAddCapabilities = *(*[]core_v1.Capability)(unsafe.Pointer(&in.DefaultAddCapabilities))
out.RequiredDropCapabilities = *(*[]core_v1.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities)) out.RequiredDropCapabilities = *(*[]core_v1.Capability)(unsafe.Pointer(&in.RequiredDropCapabilities))
...@@ -404,16 +403,16 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp ...@@ -404,16 +403,16 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
out.HostPorts = *(*[]v1beta1.HostPortRange)(unsafe.Pointer(&in.HostPorts)) out.HostPorts = *(*[]v1beta1.HostPortRange)(unsafe.Pointer(&in.HostPorts))
out.HostPID = in.HostPID out.HostPID = in.HostPID
out.HostIPC = in.HostIPC out.HostIPC = in.HostIPC
if err := Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil { if err := Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(&in.SELinux, &out.SELinux, s); err != nil {
return err return err
} }
if err := Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil { if err := Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
return err return err
} }
if err := Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil { if err := Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
return err return err
} }
if err := Convert_extensions_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil { if err := Convert_policy_FSGroupStrategyOptions_To_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
return err return err
} }
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
...@@ -426,73 +425,73 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp ...@@ -426,73 +425,73 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
return nil return nil
} }
// Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function. // Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function.
func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error { func Convert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *policy.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s) return autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
} }
func autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error { func autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.RunAsUserStrategy(in.Rule) out.Rule = policy.RunAsUserStrategy(in.Rule)
out.Ranges = *(*[]extensions.UserIDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]policy.UserIDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions is an autogenerated conversion function. // Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions is an autogenerated conversion function.
func Convert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error { func Convert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in *v1beta1.RunAsUserStrategyOptions, out *policy.RunAsUserStrategyOptions, s conversion.Scope) error {
return autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in, out, s) return autoConvert_v1beta1_RunAsUserStrategyOptions_To_policy_RunAsUserStrategyOptions(in, out, s)
} }
func autoConvert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *extensions.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error { func autoConvert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *policy.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
out.Rule = v1beta1.RunAsUserStrategy(in.Rule) out.Rule = v1beta1.RunAsUserStrategy(in.Rule)
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions is an autogenerated conversion function. // Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions is an autogenerated conversion function.
func Convert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *extensions.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error { func Convert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in *policy.RunAsUserStrategyOptions, out *v1beta1.RunAsUserStrategyOptions, s conversion.Scope) error {
return autoConvert_extensions_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in, out, s) return autoConvert_policy_RunAsUserStrategyOptions_To_v1beta1_RunAsUserStrategyOptions(in, out, s)
} }
func autoConvert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *extensions.SELinuxStrategyOptions, s conversion.Scope) error { func autoConvert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *policy.SELinuxStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.SELinuxStrategy(in.Rule) out.Rule = policy.SELinuxStrategy(in.Rule)
out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions)) out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
return nil return nil
} }
// Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions is an autogenerated conversion function. // Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions is an autogenerated conversion function.
func Convert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *extensions.SELinuxStrategyOptions, s conversion.Scope) error { func Convert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in *v1beta1.SELinuxStrategyOptions, out *policy.SELinuxStrategyOptions, s conversion.Scope) error {
return autoConvert_v1beta1_SELinuxStrategyOptions_To_extensions_SELinuxStrategyOptions(in, out, s) return autoConvert_v1beta1_SELinuxStrategyOptions_To_policy_SELinuxStrategyOptions(in, out, s)
} }
func autoConvert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *extensions.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error { func autoConvert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *policy.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
out.Rule = v1beta1.SELinuxStrategy(in.Rule) out.Rule = v1beta1.SELinuxStrategy(in.Rule)
out.SELinuxOptions = (*core_v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions)) out.SELinuxOptions = (*core_v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
return nil return nil
} }
// Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions is an autogenerated conversion function. // Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions is an autogenerated conversion function.
func Convert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *extensions.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error { func Convert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in *policy.SELinuxStrategyOptions, out *v1beta1.SELinuxStrategyOptions, s conversion.Scope) error {
return autoConvert_extensions_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in, out, s) return autoConvert_policy_SELinuxStrategyOptions_To_v1beta1_SELinuxStrategyOptions(in, out, s)
} }
func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error { func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.SupplementalGroupsStrategyType(in.Rule) out.Rule = policy.SupplementalGroupsStrategyType(in.Rule)
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]policy.GroupIDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions is an autogenerated conversion function. // Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
func Convert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error { func Convert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in *v1beta1.SupplementalGroupsStrategyOptions, out *policy.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
return autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in, out, s) return autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_policy_SupplementalGroupsStrategyOptions(in, out, s)
} }
func autoConvert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *extensions.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error { func autoConvert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *policy.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
out.Rule = v1beta1.SupplementalGroupsStrategyType(in.Rule) out.Rule = v1beta1.SupplementalGroupsStrategyType(in.Rule)
out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges)) out.Ranges = *(*[]v1beta1.IDRange)(unsafe.Pointer(&in.Ranges))
return nil return nil
} }
// Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions is an autogenerated conversion function. // Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions is an autogenerated conversion function.
func Convert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *extensions.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error { func Convert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in *policy.SupplementalGroupsStrategyOptions, out *v1beta1.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
return autoConvert_extensions_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in, out, s) return autoConvert_policy_SupplementalGroupsStrategyOptions_To_v1beta1_SupplementalGroupsStrategyOptions(in, out, s)
} }
...@@ -11,10 +11,15 @@ go_library( ...@@ -11,10 +11,15 @@ go_library(
srcs = ["validation.go"], srcs = ["validation.go"],
importpath = "k8s.io/kubernetes/pkg/apis/policy/validation", importpath = "k8s.io/kubernetes/pkg/apis/policy/validation",
deps = [ deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/core/validation:go_default_library", "//pkg/apis/core/validation:go_default_library",
"//pkg/apis/extensions/validation:go_default_library", "//pkg/apis/extensions/validation:go_default_library",
"//pkg/apis/policy:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
], ],
) )
...@@ -24,7 +29,12 @@ go_test( ...@@ -24,7 +29,12 @@ go_test(
srcs = ["validation_test.go"], srcs = ["validation_test.go"],
embed = [":go_default_library"], embed = [":go_default_library"],
deps = [ deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
], ],
......
...@@ -17,13 +17,22 @@ limitations under the License. ...@@ -17,13 +17,22 @@ limitations under the License.
package validation package validation
import ( import (
"fmt"
"path/filepath"
"reflect" "reflect"
"regexp"
"strings"
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation" unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
core "k8s.io/kubernetes/pkg/apis/core"
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation" apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
extensionsvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation" extensionsvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation"
"k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
) )
func ValidatePodDisruptionBudget(pdb *policy.PodDisruptionBudget) field.ErrorList { func ValidatePodDisruptionBudget(pdb *policy.PodDisruptionBudget) field.ErrorList {
...@@ -77,3 +86,302 @@ func ValidatePodDisruptionBudgetStatus(status policy.PodDisruptionBudgetStatus, ...@@ -77,3 +86,302 @@ func ValidatePodDisruptionBudgetStatus(status policy.PodDisruptionBudgetStatus,
allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.ExpectedPods), fldPath.Child("expectedPods"))...) allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.ExpectedPods), fldPath.Child("expectedPods"))...)
return allErrs return allErrs
} }
// ValidatePodSecurityPolicyName can be used to check whether the given
// pod security policy name is valid.
// Prefix indicates this name will be used as part of generation, in which case
// trailing dashes are allowed.
var ValidatePodSecurityPolicyName = apivalidation.NameIsDNSSubdomain
func ValidatePodSecurityPolicy(psp *policy.PodSecurityPolicy) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&psp.ObjectMeta, false, ValidatePodSecurityPolicyName, field.NewPath("metadata"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(psp.Annotations, field.NewPath("metadata").Child("annotations"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&psp.Spec, field.NewPath("spec"))...)
return allErrs
}
func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...)
allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...)
allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...)
allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...)
allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
if len(spec.RequiredDropCapabilities) > 0 && hasCap(policy.AllowAllCapabilities, spec.AllowedCapabilities) {
allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities,
"must be empty when all capabilities are allowed by a wildcard"))
}
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
allErrs = append(allErrs, validatePSPAllowedFlexVolumes(fldPath.Child("allowedFlexVolumes"), spec.AllowedFlexVolumes)...)
return allErrs
}
func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
if p := annotations[apparmor.DefaultProfileAnnotationKey]; p != "" {
if err := apparmor.ValidateProfileFormat(p); err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.DefaultProfileAnnotationKey), p, err.Error()))
}
}
if allowed := annotations[apparmor.AllowedProfilesAnnotationKey]; allowed != "" {
for _, p := range strings.Split(allowed, ",") {
if err := apparmor.ValidateProfileFormat(p); err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.AllowedProfilesAnnotationKey), allowed, err.Error()))
}
}
}
sysctlAnnotation := annotations[policy.SysctlsPodSecurityPolicyAnnotationKey]
sysctlFldPath := fldPath.Key(policy.SysctlsPodSecurityPolicyAnnotationKey)
sysctls, err := policy.SysctlsFromPodSecurityPolicyAnnotation(sysctlAnnotation)
if err != nil {
allErrs = append(allErrs, field.Invalid(sysctlFldPath, sysctlAnnotation, err.Error()))
} else {
allErrs = append(allErrs, validatePodSecurityPolicySysctls(sysctlFldPath, sysctls)...)
}
if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" {
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...)
}
if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
for _, p := range strings.Split(allowed, ",") {
if p == seccomp.AllowAny {
continue
}
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
}
}
return allErrs
}
// validatePSPAllowedHostPaths makes sure all allowed host paths follow:
// 1. path prefix is required
// 2. path prefix does not have any element which is ".."
func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []policy.AllowedHostPath) field.ErrorList {
allErrs := field.ErrorList{}
for i, target := range allowedHostPaths {
if target.PathPrefix == "" {
allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
break
}
parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
for _, item := range parts {
if item == ".." {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
break // even for `../../..`, one error is sufficient to make the point
}
}
}
return allErrs
}
func validatePSPAllowedFlexVolumes(fldPath *field.Path, flexVolumes []policy.AllowedFlexVolume) field.ErrorList {
allErrs := field.ErrorList{}
if len(flexVolumes) > 0 {
for idx, fv := range flexVolumes {
if len(fv.Driver) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("allowedFlexVolumes").Index(idx).Child("driver"),
"must specify a driver"))
}
}
}
return allErrs
}
// validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
func validatePSPSELinux(fldPath *field.Path, seLinux *policy.SELinuxStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
// ensure the selinux strategy has a valid rule
supportedSELinuxRules := sets.NewString(
string(policy.SELinuxStrategyMustRunAs),
string(policy.SELinuxStrategyRunAsAny),
)
if !supportedSELinuxRules.Has(string(seLinux.Rule)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), seLinux.Rule, supportedSELinuxRules.List()))
}
return allErrs
}
// validatePSPRunAsUser validates the RunAsUser fields of PodSecurityPolicy.
func validatePSPRunAsUser(fldPath *field.Path, runAsUser *policy.RunAsUserStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
// ensure the user strategy has a valid rule
supportedRunAsUserRules := sets.NewString(
string(policy.RunAsUserStrategyMustRunAs),
string(policy.RunAsUserStrategyMustRunAsNonRoot),
string(policy.RunAsUserStrategyRunAsAny),
)
if !supportedRunAsUserRules.Has(string(runAsUser.Rule)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsUser.Rule, supportedRunAsUserRules.List()))
}
// validate range settings
for idx, rng := range runAsUser.Ranges {
allErrs = append(allErrs, validateUserIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
}
// validatePSPFSGroup validates the FSGroupStrategyOptions fields of the PodSecurityPolicy.
func validatePSPFSGroup(fldPath *field.Path, groupOptions *policy.FSGroupStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
supportedRules := sets.NewString(
string(policy.FSGroupStrategyMustRunAs),
string(policy.FSGroupStrategyRunAsAny),
)
if !supportedRules.Has(string(groupOptions.Rule)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
}
for idx, rng := range groupOptions.Ranges {
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
}
// validatePSPSupplementalGroup validates the SupplementalGroupsStrategyOptions fields of the PodSecurityPolicy.
func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *policy.SupplementalGroupsStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
supportedRules := sets.NewString(
string(policy.SupplementalGroupsStrategyRunAsAny),
string(policy.SupplementalGroupsStrategyMustRunAs),
)
if !supportedRules.Has(string(groupOptions.Rule)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
}
for idx, rng := range groupOptions.Ranges {
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
}
// validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy.
func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []policy.FSType) field.ErrorList {
allErrs := field.ErrorList{}
allowed := psputil.GetAllFSTypesAsSet()
// add in the * value since that is a pseudo type that is not included by default
allowed.Insert(string(policy.All))
for _, v := range volumes {
if !allowed.Has(string(v)) {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("volumes"), v, allowed.List()))
}
}
return allErrs
}
// validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
func validatePSPDefaultAllowPrivilegeEscalation(fldPath *field.Path, defaultAllowPrivilegeEscalation *bool, allowPrivilegeEscalation bool) field.ErrorList {
allErrs := field.ErrorList{}
if defaultAllowPrivilegeEscalation != nil && *defaultAllowPrivilegeEscalation && !allowPrivilegeEscalation {
allErrs = append(allErrs, field.Invalid(fldPath, defaultAllowPrivilegeEscalation, "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true"))
}
return allErrs
}
const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
const SysctlPatternFmt string = "(" + apivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt
var sysctlPatternRegexp = regexp.MustCompile("^" + SysctlPatternFmt + "$")
func IsValidSysctlPattern(name string) bool {
if len(name) > apivalidation.SysctlMaxLength {
return false
}
return sysctlPatternRegexp.MatchString(name)
}
// validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
allErrs := field.ErrorList{}
for i, s := range sysctls {
if !IsValidSysctlPattern(string(s)) {
allErrs = append(
allErrs,
field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
apivalidation.SysctlMaxLength,
SysctlPatternFmt,
)),
)
}
}
return allErrs
}
func validateUserIDRange(fldPath *field.Path, rng policy.UserIDRange) field.ErrorList {
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
}
func validateGroupIDRange(fldPath *field.Path, rng policy.GroupIDRange) field.ErrorList {
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
}
// validateIDRanges ensures the range is valid.
func validateIDRanges(fldPath *field.Path, min, max int64) field.ErrorList {
allErrs := field.ErrorList{}
// if 0 <= Min <= Max then we do not need to validate max. It is always greater than or
// equal to 0 and Min.
if min < 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be negative"))
}
if max < 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), max, "max cannot be negative"))
}
if min > max {
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be greater than max"))
}
return allErrs
}
// validatePSPCapsAgainstDrops ensures an allowed cap is not listed in the required drops.
func validatePSPCapsAgainstDrops(requiredDrops []core.Capability, capsToCheck []core.Capability, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
if requiredDrops == nil {
return allErrs
}
for _, cap := range capsToCheck {
if hasCap(cap, requiredDrops) {
allErrs = append(allErrs, field.Invalid(fldPath, cap,
fmt.Sprintf("capability is listed in %s and requiredDropCapabilities", fldPath.String())))
}
}
return allErrs
}
// ValidatePodSecurityPolicyUpdate validates a PSP for updates.
func ValidatePodSecurityPolicyUpdate(old *policy.PodSecurityPolicy, new *policy.PodSecurityPolicy) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(new.Annotations, field.NewPath("metadata").Child("annotations"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&new.Spec, field.NewPath("spec"))...)
return allErrs
}
// hasCap checks for needle in haystack.
func hasCap(needle core.Capability, haystack []core.Capability) bool {
for _, c := range haystack {
if needle == c {
return true
}
}
return false
}
...@@ -17,11 +17,17 @@ limitations under the License. ...@@ -17,11 +17,17 @@ limitations under the License.
package validation package validation
import ( import (
"fmt"
"testing" "testing"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
) )
func TestValidatePodDisruptionBudgetSpec(t *testing.T) { func TestValidatePodDisruptionBudgetSpec(t *testing.T) {
...@@ -221,3 +227,527 @@ func TestValidatePodDisruptionBudgetUpdate(t *testing.T) { ...@@ -221,3 +227,527 @@ func TestValidatePodDisruptionBudgetUpdate(t *testing.T) {
} }
} }
} }
func TestValidatePodSecurityPolicy(t *testing.T) {
validPSP := func() *policy.PodSecurityPolicy {
return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
Annotations: map[string]string{},
},
Spec: policy.PodSecurityPolicySpec{
SELinux: policy.SELinuxStrategyOptions{
Rule: policy.SELinuxStrategyRunAsAny,
},
RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyRunAsAny,
},
FSGroup: policy.FSGroupStrategyOptions{
Rule: policy.FSGroupStrategyRunAsAny,
},
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: policy.SupplementalGroupsStrategyRunAsAny,
},
AllowedHostPaths: []policy.AllowedHostPath{
{PathPrefix: "/foo/bar"},
{PathPrefix: "/baz/"},
},
},
}
}
noUserOptions := validPSP()
noUserOptions.Spec.RunAsUser.Rule = ""
noSELinuxOptions := validPSP()
noSELinuxOptions.Spec.SELinux.Rule = ""
invalidUserStratType := validPSP()
invalidUserStratType.Spec.RunAsUser.Rule = "invalid"
invalidSELinuxStratType := validPSP()
invalidSELinuxStratType.Spec.SELinux.Rule = "invalid"
invalidUIDPSP := validPSP()
invalidUIDPSP.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
invalidUIDPSP.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: -1, Max: 1}}
missingObjectMetaName := validPSP()
missingObjectMetaName.ObjectMeta.Name = ""
noFSGroupOptions := validPSP()
noFSGroupOptions.Spec.FSGroup.Rule = ""
invalidFSGroupStratType := validPSP()
invalidFSGroupStratType.Spec.FSGroup.Rule = "invalid"
noSupplementalGroupsOptions := validPSP()
noSupplementalGroupsOptions.Spec.SupplementalGroups.Rule = ""
invalidSupGroupStratType := validPSP()
invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
invalidRangeMinGreaterThanMax := validPSP()
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{
{Min: 2, Max: 1},
}
invalidRangeNegativeMin := validPSP()
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []policy.GroupIDRange{
{Min: -1, Max: 10},
}
invalidRangeNegativeMax := validPSP()
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []policy.GroupIDRange{
{Min: 1, Max: -10},
}
wildcardAllowedCapAndRequiredDrop := validPSP()
wildcardAllowedCapAndRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
wildcardAllowedCapAndRequiredDrop.Spec.AllowedCapabilities = []api.Capability{policy.AllowAllCapabilities}
requiredCapAddAndDrop := validPSP()
requiredCapAddAndDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
requiredCapAddAndDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
allowedCapListedInRequiredDrop := validPSP()
allowedCapListedInRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
allowedCapListedInRequiredDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
invalidAppArmorDefault := validPSP()
invalidAppArmorDefault.Annotations = map[string]string{
apparmor.DefaultProfileAnnotationKey: "not-good",
}
invalidAppArmorAllowed := validPSP()
invalidAppArmorAllowed.Annotations = map[string]string{
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + ",not-good",
}
invalidSysctlPattern := validPSP()
invalidSysctlPattern.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "a.*.b"
invalidSeccompDefault := validPSP()
invalidSeccompDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "not-good",
}
invalidSeccompAllowAnyDefault := validPSP()
invalidSeccompAllowAnyDefault.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "*",
}
invalidSeccompAllowed := validPSP()
invalidSeccompAllowed.Annotations = map[string]string{
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
}
invalidAllowedHostPathMissingPath := validPSP()
invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []policy.AllowedHostPath{
{PathPrefix: ""},
}
invalidAllowedHostPathBacksteps := validPSP()
invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []policy.AllowedHostPath{
{PathPrefix: "/dont/allow/backsteps/.."},
}
invalidDefaultAllowPrivilegeEscalation := validPSP()
pe := true
invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
emptyFlexDriver := validPSP()
emptyFlexDriver.Spec.Volumes = []policy.FSType{policy.FlexVolume}
emptyFlexDriver.Spec.AllowedFlexVolumes = []policy.AllowedFlexVolume{{}}
nonEmptyFlexVolumes := validPSP()
nonEmptyFlexVolumes.Spec.AllowedFlexVolumes = []policy.AllowedFlexVolume{{Driver: "example/driver"}}
type testCase struct {
psp *policy.PodSecurityPolicy
errorType field.ErrorType
errorDetail string
}
errorCases := map[string]testCase{
"no user options": {
psp: noUserOptions,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
},
"no selinux options": {
psp: noSELinuxOptions,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"no fsgroup options": {
psp: noFSGroupOptions,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"no sup group options": {
psp: noSupplementalGroupsOptions,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"invalid user strategy type": {
psp: invalidUserStratType,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
},
"invalid selinux strategy type": {
psp: invalidSELinuxStratType,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"invalid sup group strategy type": {
psp: invalidSupGroupStratType,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"invalid fs group strategy type": {
psp: invalidFSGroupStratType,
errorType: field.ErrorTypeNotSupported,
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
},
"invalid uid": {
psp: invalidUIDPSP,
errorType: field.ErrorTypeInvalid,
errorDetail: "min cannot be negative",
},
"missing object meta name": {
psp: missingObjectMetaName,
errorType: field.ErrorTypeRequired,
errorDetail: "name or generateName is required",
},
"invalid range min greater than max": {
psp: invalidRangeMinGreaterThanMax,
errorType: field.ErrorTypeInvalid,
errorDetail: "min cannot be greater than max",
},
"invalid range negative min": {
psp: invalidRangeNegativeMin,
errorType: field.ErrorTypeInvalid,
errorDetail: "min cannot be negative",
},
"invalid range negative max": {
psp: invalidRangeNegativeMax,
errorType: field.ErrorTypeInvalid,
errorDetail: "max cannot be negative",
},
"non-empty required drops and all caps are allowed by a wildcard": {
psp: wildcardAllowedCapAndRequiredDrop,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be empty when all capabilities are allowed by a wildcard",
},
"invalid required caps": {
psp: requiredCapAddAndDrop,
errorType: field.ErrorTypeInvalid,
errorDetail: "capability is listed in defaultAddCapabilities and requiredDropCapabilities",
},
"allowed cap listed in required drops": {
psp: allowedCapListedInRequiredDrop,
errorType: field.ErrorTypeInvalid,
errorDetail: "capability is listed in allowedCapabilities and requiredDropCapabilities",
},
"invalid AppArmor default profile": {
psp: invalidAppArmorDefault,
errorType: field.ErrorTypeInvalid,
errorDetail: "invalid AppArmor profile name: \"not-good\"",
},
"invalid AppArmor allowed profile": {
psp: invalidAppArmorAllowed,
errorType: field.ErrorTypeInvalid,
errorDetail: "invalid AppArmor profile name: \"not-good\"",
},
"invalid sysctl pattern": {
psp: invalidSysctlPattern,
errorType: field.ErrorTypeInvalid,
errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
},
"invalid seccomp default profile": {
psp: invalidSeccompDefault,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid seccomp allow any default profile": {
psp: invalidSeccompAllowAnyDefault,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid seccomp allowed profile": {
psp: invalidSeccompAllowed,
errorType: field.ErrorTypeInvalid,
errorDetail: "must be a valid seccomp profile",
},
"invalid defaultAllowPrivilegeEscalation": {
psp: invalidDefaultAllowPrivilegeEscalation,
errorType: field.ErrorTypeInvalid,
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
},
"invalid allowed host path empty path": {
psp: invalidAllowedHostPathMissingPath,
errorType: field.ErrorTypeRequired,
errorDetail: "is required",
},
"invalid allowed host path with backsteps": {
psp: invalidAllowedHostPathBacksteps,
errorType: field.ErrorTypeInvalid,
errorDetail: "must not contain '..'",
},
"empty flex volume driver": {
psp: emptyFlexDriver,
errorType: field.ErrorTypeRequired,
errorDetail: "must specify a driver",
},
}
for k, v := range errorCases {
errs := ValidatePodSecurityPolicy(v.psp)
if len(errs) == 0 {
t.Errorf("%s expected errors but got none", k)
continue
}
if errs[0].Type != v.errorType {
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
}
if errs[0].Detail != v.errorDetail {
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
}
}
// Update error is different for 'missing object meta name'.
errorCases["missing object meta name"] = testCase{
psp: errorCases["missing object meta name"].psp,
errorType: field.ErrorTypeInvalid,
errorDetail: "field is immutable",
}
// Should not be able to update to an invalid policy.
for k, v := range errorCases {
v.psp.ResourceVersion = "444" // Required for updates.
errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp)
if len(errs) == 0 {
t.Errorf("[%s] expected update errors but got none", k)
continue
}
if errs[0].Type != v.errorType {
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
}
if errs[0].Detail != v.errorDetail {
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
}
}
mustRunAs := validPSP()
mustRunAs.Spec.FSGroup.Rule = policy.FSGroupStrategyMustRunAs
mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{
{Min: 1, Max: 1},
}
mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
runAsNonRoot := validPSP()
runAsNonRoot.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAsNonRoot
caseInsensitiveAddDrop := validPSP()
caseInsensitiveAddDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
caseInsensitiveAddDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
caseInsensitiveAllowedDrop := validPSP()
caseInsensitiveAllowedDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
caseInsensitiveAllowedDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
validAppArmor := validPSP()
validAppArmor.Annotations = map[string]string{
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo",
}
withSysctl := validPSP()
withSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "net.*"
validSeccomp := validPSP()
validSeccomp.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "docker/default",
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*",
}
validDefaultAllowPrivilegeEscalation := validPSP()
pe = true
validDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
validDefaultAllowPrivilegeEscalation.Spec.AllowPrivilegeEscalation = true
flexvolumeWhenFlexVolumesAllowed := validPSP()
flexvolumeWhenFlexVolumesAllowed.Spec.Volumes = []policy.FSType{policy.FlexVolume}
flexvolumeWhenFlexVolumesAllowed.Spec.AllowedFlexVolumes = []policy.AllowedFlexVolume{
{Driver: "example/driver1"},
}
flexvolumeWhenAllVolumesAllowed := validPSP()
flexvolumeWhenAllVolumesAllowed.Spec.Volumes = []policy.FSType{policy.All}
flexvolumeWhenAllVolumesAllowed.Spec.AllowedFlexVolumes = []policy.AllowedFlexVolume{
{Driver: "example/driver2"},
}
successCases := map[string]struct {
psp *policy.PodSecurityPolicy
}{
"must run as": {
psp: mustRunAs,
},
"run as any": {
psp: validPSP(),
},
"run as non-root (user only)": {
psp: runAsNonRoot,
},
"comparison for add -> drop is case sensitive": {
psp: caseInsensitiveAddDrop,
},
"comparison for allowed -> drop is case sensitive": {
psp: caseInsensitiveAllowedDrop,
},
"valid AppArmor annotations": {
psp: validAppArmor,
},
"with network sysctls": {
psp: withSysctl,
},
"valid seccomp annotations": {
psp: validSeccomp,
},
"valid defaultAllowPrivilegeEscalation as true": {
psp: validDefaultAllowPrivilegeEscalation,
},
"allow white-listed flexVolume when flex volumes are allowed": {
psp: flexvolumeWhenFlexVolumesAllowed,
},
"allow white-listed flexVolume when all volumes are allowed": {
psp: flexvolumeWhenAllVolumesAllowed,
},
}
for k, v := range successCases {
if errs := ValidatePodSecurityPolicy(v.psp); len(errs) != 0 {
t.Errorf("Expected success for %s, got %v", k, errs)
}
// Should be able to update to a valid PSP.
v.psp.ResourceVersion = "444" // Required for updates.
if errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp); len(errs) != 0 {
t.Errorf("Expected success for %s update, got %v", k, errs)
}
}
}
func TestValidatePSPVolumes(t *testing.T) {
validPSP := func() *policy.PodSecurityPolicy {
return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{Name: "foo"},
Spec: policy.PodSecurityPolicySpec{
SELinux: policy.SELinuxStrategyOptions{
Rule: policy.SELinuxStrategyRunAsAny,
},
RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyRunAsAny,
},
FSGroup: policy.FSGroupStrategyOptions{
Rule: policy.FSGroupStrategyRunAsAny,
},
SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: policy.SupplementalGroupsStrategyRunAsAny,
},
},
}
}
volumes := psputil.GetAllFSTypesAsSet()
// add in the * value since that is a pseudo type that is not included by default
volumes.Insert(string(policy.All))
for _, strVolume := range volumes.List() {
psp := validPSP()
psp.Spec.Volumes = []policy.FSType{policy.FSType(strVolume)}
errs := ValidatePodSecurityPolicy(psp)
if len(errs) != 0 {
t.Errorf("%s validation expected no errors but received %v", strVolume, errs)
}
}
}
func TestIsValidSysctlPattern(t *testing.T) {
valid := []string{
"a.b.c.d",
"a",
"a_b",
"a-b",
"abc",
"abc.def",
"*",
"a.*",
"*",
"abc*",
"a.abc*",
"a.b.*",
}
invalid := []string{
"",
"ä",
"a_",
"_",
"_a",
"_a._b",
"__",
"-",
".",
"a.",
".a",
"a.b.",
"a*.b",
"a*b",
"*a",
"Abc",
func(n int) string {
x := make([]byte, n)
for i := range x {
x[i] = byte('a')
}
return string(x)
}(256),
}
for _, s := range valid {
if !IsValidSysctlPattern(s) {
t.Errorf("%q expected to be a valid sysctl pattern", s)
}
}
for _, s := range invalid {
if IsValidSysctlPattern(s) {
t.Errorf("%q expected to be an invalid sysctl pattern", s)
}
}
}
func Test_validatePSPRunAsUser(t *testing.T) {
var testCases = []struct {
name string
runAsUserStrategy policy.RunAsUserStrategyOptions
fail bool
}{
{"Invalid RunAsUserStrategy", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategy("someInvalidStrategy")}, true},
{"RunAsUserStrategyMustRunAs", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs}, false},
{"RunAsUserStrategyMustRunAsNonRoot", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAsNonRoot}, false},
{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", policy.RunAsUserStrategyOptions{Rule: policy.RunAsUserStrategyMustRunAs, Ranges: []policy.UserIDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
errList := validatePSPRunAsUser(field.NewPath("status"), &testCase.runAsUserStrategy)
actualErrors := len(errList)
expectedErrors := 1
if !testCase.fail {
expectedErrors = 0
}
if actualErrors != expectedErrors {
t.Errorf("In testCase %v, expected %v errors, got %v errors", testCase.name, expectedErrors, actualErrors)
}
})
}
}
...@@ -24,9 +24,42 @@ import ( ...@@ -24,9 +24,42 @@ import (
v1 "k8s.io/apimachinery/pkg/apis/meta/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
intstr "k8s.io/apimachinery/pkg/util/intstr" intstr "k8s.io/apimachinery/pkg/util/intstr"
core "k8s.io/kubernetes/pkg/apis/core"
) )
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.
func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume {
if in == nil {
return nil
}
out := new(AllowedFlexVolume)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
if in == nil {
return nil
}
out := new(AllowedHostPath)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Eviction) DeepCopyInto(out *Eviction) { func (in *Eviction) DeepCopyInto(out *Eviction) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
...@@ -62,6 +95,59 @@ func (in *Eviction) DeepCopyObject() runtime.Object { ...@@ -62,6 +95,59 @@ func (in *Eviction) DeepCopyObject() runtime.Object {
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions) {
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]GroupIDRange, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions {
if in == nil {
return nil
}
out := new(FSGroupStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GroupIDRange) DeepCopyInto(out *GroupIDRange) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupIDRange.
func (in *GroupIDRange) DeepCopy() *GroupIDRange {
if in == nil {
return nil
}
out := new(GroupIDRange)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HostPortRange) DeepCopyInto(out *HostPortRange) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.
func (in *HostPortRange) DeepCopy() *HostPortRange {
if in == nil {
return nil
}
out := new(HostPortRange)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget) { func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
...@@ -187,3 +273,210 @@ func (in *PodDisruptionBudgetStatus) DeepCopy() *PodDisruptionBudgetStatus { ...@@ -187,3 +273,210 @@ func (in *PodDisruptionBudgetStatus) DeepCopy() *PodDisruptionBudgetStatus {
in.DeepCopyInto(out) in.DeepCopyInto(out)
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.
func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy {
if in == nil {
return nil
}
out := new(PodSecurityPolicy)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList) {
*out = *in
out.TypeMeta = in.TypeMeta
out.ListMeta = in.ListMeta
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]PodSecurityPolicy, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.
func (in *PodSecurityPolicyList) DeepCopy() *PodSecurityPolicyList {
if in == nil {
return nil
}
out := new(PodSecurityPolicyList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
*out = *in
if in.DefaultAddCapabilities != nil {
in, out := &in.DefaultAddCapabilities, &out.DefaultAddCapabilities
*out = make([]core.Capability, len(*in))
copy(*out, *in)
}
if in.RequiredDropCapabilities != nil {
in, out := &in.RequiredDropCapabilities, &out.RequiredDropCapabilities
*out = make([]core.Capability, len(*in))
copy(*out, *in)
}
if in.AllowedCapabilities != nil {
in, out := &in.AllowedCapabilities, &out.AllowedCapabilities
*out = make([]core.Capability, len(*in))
copy(*out, *in)
}
if in.Volumes != nil {
in, out := &in.Volumes, &out.Volumes
*out = make([]FSType, len(*in))
copy(*out, *in)
}
if in.HostPorts != nil {
in, out := &in.HostPorts, &out.HostPorts
*out = make([]HostPortRange, len(*in))
copy(*out, *in)
}
in.SELinux.DeepCopyInto(&out.SELinux)
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
in.FSGroup.DeepCopyInto(&out.FSGroup)
if in.DefaultAllowPrivilegeEscalation != nil {
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
if in.AllowedHostPaths != nil {
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
*out = make([]AllowedHostPath, len(*in))
copy(*out, *in)
}
if in.AllowedFlexVolumes != nil {
in, out := &in.AllowedFlexVolumes, &out.AllowedFlexVolumes
*out = make([]AllowedFlexVolume, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.
func (in *PodSecurityPolicySpec) DeepCopy() *PodSecurityPolicySpec {
if in == nil {
return nil
}
out := new(PodSecurityPolicySpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) {
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]UserIDRange, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions {
if in == nil {
return nil
}
out := new(RunAsUserStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions) {
*out = *in
if in.SELinuxOptions != nil {
in, out := &in.SELinuxOptions, &out.SELinuxOptions
if *in == nil {
*out = nil
} else {
*out = new(core.SELinuxOptions)
**out = **in
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.
func (in *SELinuxStrategyOptions) DeepCopy() *SELinuxStrategyOptions {
if in == nil {
return nil
}
out := new(SELinuxStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions) {
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]GroupIDRange, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions {
if in == nil {
return nil
}
out := new(SupplementalGroupsStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *UserIDRange) DeepCopyInto(out *UserIDRange) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserIDRange.
func (in *UserIDRange) DeepCopy() *UserIDRange {
if in == nil {
return nil
}
out := new(UserIDRange)
in.DeepCopyInto(out)
return out
}
...@@ -15,7 +15,6 @@ go_library( ...@@ -15,7 +15,6 @@ go_library(
"extensions_client.go", "extensions_client.go",
"generated_expansion.go", "generated_expansion.go",
"ingress.go", "ingress.go",
"podsecuritypolicy.go",
"replicaset.go", "replicaset.go",
], ],
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion", importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion",
......
...@@ -28,7 +28,6 @@ type ExtensionsInterface interface { ...@@ -28,7 +28,6 @@ type ExtensionsInterface interface {
DaemonSetsGetter DaemonSetsGetter
DeploymentsGetter DeploymentsGetter
IngressesGetter IngressesGetter
PodSecurityPoliciesGetter
ReplicaSetsGetter ReplicaSetsGetter
} }
...@@ -49,10 +48,6 @@ func (c *ExtensionsClient) Ingresses(namespace string) IngressInterface { ...@@ -49,10 +48,6 @@ func (c *ExtensionsClient) Ingresses(namespace string) IngressInterface {
return newIngresses(c, namespace) return newIngresses(c, namespace)
} }
func (c *ExtensionsClient) PodSecurityPolicies() PodSecurityPolicyInterface {
return newPodSecurityPolicies(c)
}
func (c *ExtensionsClient) ReplicaSets(namespace string) ReplicaSetInterface { func (c *ExtensionsClient) ReplicaSets(namespace string) ReplicaSetInterface {
return newReplicaSets(c, namespace) return newReplicaSets(c, namespace)
} }
......
...@@ -14,7 +14,6 @@ go_library( ...@@ -14,7 +14,6 @@ go_library(
"fake_deployment_expansion.go", "fake_deployment_expansion.go",
"fake_extensions_client.go", "fake_extensions_client.go",
"fake_ingress.go", "fake_ingress.go",
"fake_podsecuritypolicy.go",
"fake_replicaset.go", "fake_replicaset.go",
], ],
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion/fake", importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion/fake",
......
...@@ -40,10 +40,6 @@ func (c *FakeExtensions) Ingresses(namespace string) internalversion.IngressInte ...@@ -40,10 +40,6 @@ func (c *FakeExtensions) Ingresses(namespace string) internalversion.IngressInte
return &FakeIngresses{c, namespace} return &FakeIngresses{c, namespace}
} }
func (c *FakeExtensions) PodSecurityPolicies() internalversion.PodSecurityPolicyInterface {
return &FakePodSecurityPolicies{c}
}
func (c *FakeExtensions) ReplicaSets(namespace string) internalversion.ReplicaSetInterface { func (c *FakeExtensions) ReplicaSets(namespace string) internalversion.ReplicaSetInterface {
return &FakeReplicaSets{c, namespace} return &FakeReplicaSets{c, namespace}
} }
......
...@@ -22,6 +22,4 @@ type DaemonSetExpansion interface{} ...@@ -22,6 +22,4 @@ type DaemonSetExpansion interface{}
type IngressExpansion interface{} type IngressExpansion interface{}
type PodSecurityPolicyExpansion interface{}
type ReplicaSetExpansion interface{} type ReplicaSetExpansion interface{}
...@@ -13,6 +13,7 @@ go_library( ...@@ -13,6 +13,7 @@ go_library(
"eviction_expansion.go", "eviction_expansion.go",
"generated_expansion.go", "generated_expansion.go",
"poddisruptionbudget.go", "poddisruptionbudget.go",
"podsecuritypolicy.go",
"policy_client.go", "policy_client.go",
], ],
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/policy/internalversion", importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/policy/internalversion",
......
...@@ -12,6 +12,7 @@ go_library( ...@@ -12,6 +12,7 @@ go_library(
"fake_eviction.go", "fake_eviction.go",
"fake_eviction_expansion.go", "fake_eviction_expansion.go",
"fake_poddisruptionbudget.go", "fake_poddisruptionbudget.go",
"fake_podsecuritypolicy.go",
"fake_policy_client.go", "fake_policy_client.go",
], ],
importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/policy/internalversion/fake", importpath = "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/policy/internalversion/fake",
......
...@@ -25,32 +25,32 @@ import ( ...@@ -25,32 +25,32 @@ import (
types "k8s.io/apimachinery/pkg/types" types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch" watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing" testing "k8s.io/client-go/testing"
extensions "k8s.io/kubernetes/pkg/apis/extensions" policy "k8s.io/kubernetes/pkg/apis/policy"
) )
// FakePodSecurityPolicies implements PodSecurityPolicyInterface // FakePodSecurityPolicies implements PodSecurityPolicyInterface
type FakePodSecurityPolicies struct { type FakePodSecurityPolicies struct {
Fake *FakeExtensions Fake *FakePolicy
} }
var podsecuritypoliciesResource = schema.GroupVersionResource{Group: "extensions", Version: "", Resource: "podsecuritypolicies"} var podsecuritypoliciesResource = schema.GroupVersionResource{Group: "policy", Version: "", Resource: "podsecuritypolicies"}
var podsecuritypoliciesKind = schema.GroupVersionKind{Group: "extensions", Version: "", Kind: "PodSecurityPolicy"} var podsecuritypoliciesKind = schema.GroupVersionKind{Group: "policy", Version: "", Kind: "PodSecurityPolicy"}
// Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any. // Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any.
func (c *FakePodSecurityPolicies) Get(name string, options v1.GetOptions) (result *extensions.PodSecurityPolicy, err error) { func (c *FakePodSecurityPolicies) Get(name string, options v1.GetOptions) (result *policy.PodSecurityPolicy, err error) {
obj, err := c.Fake. obj, err := c.Fake.
Invokes(testing.NewRootGetAction(podsecuritypoliciesResource, name), &extensions.PodSecurityPolicy{}) Invokes(testing.NewRootGetAction(podsecuritypoliciesResource, name), &policy.PodSecurityPolicy{})
if obj == nil { if obj == nil {
return nil, err return nil, err
} }
return obj.(*extensions.PodSecurityPolicy), err return obj.(*policy.PodSecurityPolicy), err
} }
// List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors. // List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors.
func (c *FakePodSecurityPolicies) List(opts v1.ListOptions) (result *extensions.PodSecurityPolicyList, err error) { func (c *FakePodSecurityPolicies) List(opts v1.ListOptions) (result *policy.PodSecurityPolicyList, err error) {
obj, err := c.Fake. obj, err := c.Fake.
Invokes(testing.NewRootListAction(podsecuritypoliciesResource, podsecuritypoliciesKind, opts), &extensions.PodSecurityPolicyList{}) Invokes(testing.NewRootListAction(podsecuritypoliciesResource, podsecuritypoliciesKind, opts), &policy.PodSecurityPolicyList{})
if obj == nil { if obj == nil {
return nil, err return nil, err
} }
...@@ -59,8 +59,8 @@ func (c *FakePodSecurityPolicies) List(opts v1.ListOptions) (result *extensions. ...@@ -59,8 +59,8 @@ func (c *FakePodSecurityPolicies) List(opts v1.ListOptions) (result *extensions.
if label == nil { if label == nil {
label = labels.Everything() label = labels.Everything()
} }
list := &extensions.PodSecurityPolicyList{} list := &policy.PodSecurityPolicyList{}
for _, item := range obj.(*extensions.PodSecurityPolicyList).Items { for _, item := range obj.(*policy.PodSecurityPolicyList).Items {
if label.Matches(labels.Set(item.Labels)) { if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item) list.Items = append(list.Items, item)
} }
...@@ -75,29 +75,29 @@ func (c *FakePodSecurityPolicies) Watch(opts v1.ListOptions) (watch.Interface, e ...@@ -75,29 +75,29 @@ func (c *FakePodSecurityPolicies) Watch(opts v1.ListOptions) (watch.Interface, e
} }
// Create takes the representation of a podSecurityPolicy and creates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any. // Create takes the representation of a podSecurityPolicy and creates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
func (c *FakePodSecurityPolicies) Create(podSecurityPolicy *extensions.PodSecurityPolicy) (result *extensions.PodSecurityPolicy, err error) { func (c *FakePodSecurityPolicies) Create(podSecurityPolicy *policy.PodSecurityPolicy) (result *policy.PodSecurityPolicy, err error) {
obj, err := c.Fake. obj, err := c.Fake.
Invokes(testing.NewRootCreateAction(podsecuritypoliciesResource, podSecurityPolicy), &extensions.PodSecurityPolicy{}) Invokes(testing.NewRootCreateAction(podsecuritypoliciesResource, podSecurityPolicy), &policy.PodSecurityPolicy{})
if obj == nil { if obj == nil {
return nil, err return nil, err
} }
return obj.(*extensions.PodSecurityPolicy), err return obj.(*policy.PodSecurityPolicy), err
} }
// Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any. // Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
func (c *FakePodSecurityPolicies) Update(podSecurityPolicy *extensions.PodSecurityPolicy) (result *extensions.PodSecurityPolicy, err error) { func (c *FakePodSecurityPolicies) Update(podSecurityPolicy *policy.PodSecurityPolicy) (result *policy.PodSecurityPolicy, err error) {
obj, err := c.Fake. obj, err := c.Fake.
Invokes(testing.NewRootUpdateAction(podsecuritypoliciesResource, podSecurityPolicy), &extensions.PodSecurityPolicy{}) Invokes(testing.NewRootUpdateAction(podsecuritypoliciesResource, podSecurityPolicy), &policy.PodSecurityPolicy{})
if obj == nil { if obj == nil {
return nil, err return nil, err
} }
return obj.(*extensions.PodSecurityPolicy), err return obj.(*policy.PodSecurityPolicy), err
} }
// Delete takes name of the podSecurityPolicy and deletes it. Returns an error if one occurs. // Delete takes name of the podSecurityPolicy and deletes it. Returns an error if one occurs.
func (c *FakePodSecurityPolicies) Delete(name string, options *v1.DeleteOptions) error { func (c *FakePodSecurityPolicies) Delete(name string, options *v1.DeleteOptions) error {
_, err := c.Fake. _, err := c.Fake.
Invokes(testing.NewRootDeleteAction(podsecuritypoliciesResource, name), &extensions.PodSecurityPolicy{}) Invokes(testing.NewRootDeleteAction(podsecuritypoliciesResource, name), &policy.PodSecurityPolicy{})
return err return err
} }
...@@ -105,16 +105,16 @@ func (c *FakePodSecurityPolicies) Delete(name string, options *v1.DeleteOptions) ...@@ -105,16 +105,16 @@ func (c *FakePodSecurityPolicies) Delete(name string, options *v1.DeleteOptions)
func (c *FakePodSecurityPolicies) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { func (c *FakePodSecurityPolicies) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
action := testing.NewRootDeleteCollectionAction(podsecuritypoliciesResource, listOptions) action := testing.NewRootDeleteCollectionAction(podsecuritypoliciesResource, listOptions)
_, err := c.Fake.Invokes(action, &extensions.PodSecurityPolicyList{}) _, err := c.Fake.Invokes(action, &policy.PodSecurityPolicyList{})
return err return err
} }
// Patch applies the patch and returns the patched podSecurityPolicy. // Patch applies the patch and returns the patched podSecurityPolicy.
func (c *FakePodSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *extensions.PodSecurityPolicy, err error) { func (c *FakePodSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *policy.PodSecurityPolicy, err error) {
obj, err := c.Fake. obj, err := c.Fake.
Invokes(testing.NewRootPatchSubresourceAction(podsecuritypoliciesResource, name, data, subresources...), &extensions.PodSecurityPolicy{}) Invokes(testing.NewRootPatchSubresourceAction(podsecuritypoliciesResource, name, data, subresources...), &policy.PodSecurityPolicy{})
if obj == nil { if obj == nil {
return nil, err return nil, err
} }
return obj.(*extensions.PodSecurityPolicy), err return obj.(*policy.PodSecurityPolicy), err
} }
...@@ -36,6 +36,10 @@ func (c *FakePolicy) PodDisruptionBudgets(namespace string) internalversion.PodD ...@@ -36,6 +36,10 @@ func (c *FakePolicy) PodDisruptionBudgets(namespace string) internalversion.PodD
return &FakePodDisruptionBudgets{c, namespace} return &FakePodDisruptionBudgets{c, namespace}
} }
func (c *FakePolicy) PodSecurityPolicies() internalversion.PodSecurityPolicyInterface {
return &FakePodSecurityPolicies{c}
}
// RESTClient returns a RESTClient that is used to communicate // RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation. // with API server by this client implementation.
func (c *FakePolicy) RESTClient() rest.Interface { func (c *FakePolicy) RESTClient() rest.Interface {
......
...@@ -19,3 +19,5 @@ limitations under the License. ...@@ -19,3 +19,5 @@ limitations under the License.
package internalversion package internalversion
type PodDisruptionBudgetExpansion interface{} type PodDisruptionBudgetExpansion interface{}
type PodSecurityPolicyExpansion interface{}
...@@ -23,7 +23,7 @@ import ( ...@@ -23,7 +23,7 @@ import (
types "k8s.io/apimachinery/pkg/types" types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch" watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest" rest "k8s.io/client-go/rest"
extensions "k8s.io/kubernetes/pkg/apis/extensions" policy "k8s.io/kubernetes/pkg/apis/policy"
scheme "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/scheme" scheme "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/scheme"
) )
...@@ -35,14 +35,14 @@ type PodSecurityPoliciesGetter interface { ...@@ -35,14 +35,14 @@ type PodSecurityPoliciesGetter interface {
// PodSecurityPolicyInterface has methods to work with PodSecurityPolicy resources. // PodSecurityPolicyInterface has methods to work with PodSecurityPolicy resources.
type PodSecurityPolicyInterface interface { type PodSecurityPolicyInterface interface {
Create(*extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error) Create(*policy.PodSecurityPolicy) (*policy.PodSecurityPolicy, error)
Update(*extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error) Update(*policy.PodSecurityPolicy) (*policy.PodSecurityPolicy, error)
Delete(name string, options *v1.DeleteOptions) error Delete(name string, options *v1.DeleteOptions) error
DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
Get(name string, options v1.GetOptions) (*extensions.PodSecurityPolicy, error) Get(name string, options v1.GetOptions) (*policy.PodSecurityPolicy, error)
List(opts v1.ListOptions) (*extensions.PodSecurityPolicyList, error) List(opts v1.ListOptions) (*policy.PodSecurityPolicyList, error)
Watch(opts v1.ListOptions) (watch.Interface, error) Watch(opts v1.ListOptions) (watch.Interface, error)
Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *extensions.PodSecurityPolicy, err error) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *policy.PodSecurityPolicy, err error)
PodSecurityPolicyExpansion PodSecurityPolicyExpansion
} }
...@@ -52,15 +52,15 @@ type podSecurityPolicies struct { ...@@ -52,15 +52,15 @@ type podSecurityPolicies struct {
} }
// newPodSecurityPolicies returns a PodSecurityPolicies // newPodSecurityPolicies returns a PodSecurityPolicies
func newPodSecurityPolicies(c *ExtensionsClient) *podSecurityPolicies { func newPodSecurityPolicies(c *PolicyClient) *podSecurityPolicies {
return &podSecurityPolicies{ return &podSecurityPolicies{
client: c.RESTClient(), client: c.RESTClient(),
} }
} }
// Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any. // Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any.
func (c *podSecurityPolicies) Get(name string, options v1.GetOptions) (result *extensions.PodSecurityPolicy, err error) { func (c *podSecurityPolicies) Get(name string, options v1.GetOptions) (result *policy.PodSecurityPolicy, err error) {
result = &extensions.PodSecurityPolicy{} result = &policy.PodSecurityPolicy{}
err = c.client.Get(). err = c.client.Get().
Resource("podsecuritypolicies"). Resource("podsecuritypolicies").
Name(name). Name(name).
...@@ -71,8 +71,8 @@ func (c *podSecurityPolicies) Get(name string, options v1.GetOptions) (result *e ...@@ -71,8 +71,8 @@ func (c *podSecurityPolicies) Get(name string, options v1.GetOptions) (result *e
} }
// List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors. // List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors.
func (c *podSecurityPolicies) List(opts v1.ListOptions) (result *extensions.PodSecurityPolicyList, err error) { func (c *podSecurityPolicies) List(opts v1.ListOptions) (result *policy.PodSecurityPolicyList, err error) {
result = &extensions.PodSecurityPolicyList{} result = &policy.PodSecurityPolicyList{}
err = c.client.Get(). err = c.client.Get().
Resource("podsecuritypolicies"). Resource("podsecuritypolicies").
VersionedParams(&opts, scheme.ParameterCodec). VersionedParams(&opts, scheme.ParameterCodec).
...@@ -91,8 +91,8 @@ func (c *podSecurityPolicies) Watch(opts v1.ListOptions) (watch.Interface, error ...@@ -91,8 +91,8 @@ func (c *podSecurityPolicies) Watch(opts v1.ListOptions) (watch.Interface, error
} }
// Create takes the representation of a podSecurityPolicy and creates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any. // Create takes the representation of a podSecurityPolicy and creates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
func (c *podSecurityPolicies) Create(podSecurityPolicy *extensions.PodSecurityPolicy) (result *extensions.PodSecurityPolicy, err error) { func (c *podSecurityPolicies) Create(podSecurityPolicy *policy.PodSecurityPolicy) (result *policy.PodSecurityPolicy, err error) {
result = &extensions.PodSecurityPolicy{} result = &policy.PodSecurityPolicy{}
err = c.client.Post(). err = c.client.Post().
Resource("podsecuritypolicies"). Resource("podsecuritypolicies").
Body(podSecurityPolicy). Body(podSecurityPolicy).
...@@ -102,8 +102,8 @@ func (c *podSecurityPolicies) Create(podSecurityPolicy *extensions.PodSecurityPo ...@@ -102,8 +102,8 @@ func (c *podSecurityPolicies) Create(podSecurityPolicy *extensions.PodSecurityPo
} }
// Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any. // Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
func (c *podSecurityPolicies) Update(podSecurityPolicy *extensions.PodSecurityPolicy) (result *extensions.PodSecurityPolicy, err error) { func (c *podSecurityPolicies) Update(podSecurityPolicy *policy.PodSecurityPolicy) (result *policy.PodSecurityPolicy, err error) {
result = &extensions.PodSecurityPolicy{} result = &policy.PodSecurityPolicy{}
err = c.client.Put(). err = c.client.Put().
Resource("podsecuritypolicies"). Resource("podsecuritypolicies").
Name(podSecurityPolicy.Name). Name(podSecurityPolicy.Name).
...@@ -134,8 +134,8 @@ func (c *podSecurityPolicies) DeleteCollection(options *v1.DeleteOptions, listOp ...@@ -134,8 +134,8 @@ func (c *podSecurityPolicies) DeleteCollection(options *v1.DeleteOptions, listOp
} }
// Patch applies the patch and returns the patched podSecurityPolicy. // Patch applies the patch and returns the patched podSecurityPolicy.
func (c *podSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *extensions.PodSecurityPolicy, err error) { func (c *podSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *policy.PodSecurityPolicy, err error) {
result = &extensions.PodSecurityPolicy{} result = &policy.PodSecurityPolicy{}
err = c.client.Patch(pt). err = c.client.Patch(pt).
Resource("podsecuritypolicies"). Resource("podsecuritypolicies").
SubResource(subresources...). SubResource(subresources...).
......
...@@ -27,6 +27,7 @@ type PolicyInterface interface { ...@@ -27,6 +27,7 @@ type PolicyInterface interface {
RESTClient() rest.Interface RESTClient() rest.Interface
EvictionsGetter EvictionsGetter
PodDisruptionBudgetsGetter PodDisruptionBudgetsGetter
PodSecurityPoliciesGetter
} }
// PolicyClient is used to interact with features provided by the policy group. // PolicyClient is used to interact with features provided by the policy group.
...@@ -42,6 +43,10 @@ func (c *PolicyClient) PodDisruptionBudgets(namespace string) PodDisruptionBudge ...@@ -42,6 +43,10 @@ func (c *PolicyClient) PodDisruptionBudgets(namespace string) PodDisruptionBudge
return newPodDisruptionBudgets(c, namespace) return newPodDisruptionBudgets(c, namespace)
} }
func (c *PolicyClient) PodSecurityPolicies() PodSecurityPolicyInterface {
return newPodSecurityPolicies(c)
}
// NewForConfig creates a new PolicyClient for the given config. // NewForConfig creates a new PolicyClient for the given config.
func NewForConfig(c *rest.Config) (*PolicyClient, error) { func NewForConfig(c *rest.Config) (*PolicyClient, error) {
config := *c config := *c
......
...@@ -12,7 +12,6 @@ go_library( ...@@ -12,7 +12,6 @@ go_library(
"deployment.go", "deployment.go",
"ingress.go", "ingress.go",
"interface.go", "interface.go",
"podsecuritypolicy.go",
"replicaset.go", "replicaset.go",
], ],
importpath = "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/extensions/internalversion", importpath = "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/extensions/internalversion",
......
...@@ -30,8 +30,6 @@ type Interface interface { ...@@ -30,8 +30,6 @@ type Interface interface {
Deployments() DeploymentInformer Deployments() DeploymentInformer
// Ingresses returns a IngressInformer. // Ingresses returns a IngressInformer.
Ingresses() IngressInformer Ingresses() IngressInformer
// PodSecurityPolicies returns a PodSecurityPolicyInformer.
PodSecurityPolicies() PodSecurityPolicyInformer
// ReplicaSets returns a ReplicaSetInformer. // ReplicaSets returns a ReplicaSetInformer.
ReplicaSets() ReplicaSetInformer ReplicaSets() ReplicaSetInformer
} }
...@@ -62,11 +60,6 @@ func (v *version) Ingresses() IngressInformer { ...@@ -62,11 +60,6 @@ func (v *version) Ingresses() IngressInformer {
return &ingressInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} return &ingressInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
} }
// PodSecurityPolicies returns a PodSecurityPolicyInformer.
func (v *version) PodSecurityPolicies() PodSecurityPolicyInformer {
return &podSecurityPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
}
// ReplicaSets returns a ReplicaSetInformer. // ReplicaSets returns a ReplicaSetInformer.
func (v *version) ReplicaSets() ReplicaSetInformer { func (v *version) ReplicaSets() ReplicaSetInformer {
return &replicaSetInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} return &replicaSetInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
......
...@@ -133,8 +133,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource ...@@ -133,8 +133,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().Deployments().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().Deployments().Informer()}, nil
case extensions.SchemeGroupVersion.WithResource("ingresses"): case extensions.SchemeGroupVersion.WithResource("ingresses"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().Ingresses().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().Ingresses().Informer()}, nil
case extensions.SchemeGroupVersion.WithResource("podsecuritypolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().PodSecurityPolicies().Informer()}, nil
case extensions.SchemeGroupVersion.WithResource("replicasets"): case extensions.SchemeGroupVersion.WithResource("replicasets"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().ReplicaSets().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().InternalVersion().ReplicaSets().Informer()}, nil
...@@ -145,6 +143,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource ...@@ -145,6 +143,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=policy, Version=internalVersion // Group=policy, Version=internalVersion
case policy.SchemeGroupVersion.WithResource("poddisruptionbudgets"): case policy.SchemeGroupVersion.WithResource("poddisruptionbudgets"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().InternalVersion().PodDisruptionBudgets().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().InternalVersion().PodDisruptionBudgets().Informer()}, nil
case policy.SchemeGroupVersion.WithResource("podsecuritypolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().InternalVersion().PodSecurityPolicies().Informer()}, nil
// Group=rbac.authorization.k8s.io, Version=internalVersion // Group=rbac.authorization.k8s.io, Version=internalVersion
case rbac.SchemeGroupVersion.WithResource("clusterroles"): case rbac.SchemeGroupVersion.WithResource("clusterroles"):
......
...@@ -10,6 +10,7 @@ go_library( ...@@ -10,6 +10,7 @@ go_library(
srcs = [ srcs = [
"interface.go", "interface.go",
"poddisruptionbudget.go", "poddisruptionbudget.go",
"podsecuritypolicy.go",
], ],
importpath = "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/policy/internalversion", importpath = "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/policy/internalversion",
deps = [ deps = [
......
...@@ -26,6 +26,8 @@ import ( ...@@ -26,6 +26,8 @@ import (
type Interface interface { type Interface interface {
// PodDisruptionBudgets returns a PodDisruptionBudgetInformer. // PodDisruptionBudgets returns a PodDisruptionBudgetInformer.
PodDisruptionBudgets() PodDisruptionBudgetInformer PodDisruptionBudgets() PodDisruptionBudgetInformer
// PodSecurityPolicies returns a PodSecurityPolicyInformer.
PodSecurityPolicies() PodSecurityPolicyInformer
} }
type version struct { type version struct {
...@@ -43,3 +45,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList ...@@ -43,3 +45,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
func (v *version) PodDisruptionBudgets() PodDisruptionBudgetInformer { func (v *version) PodDisruptionBudgets() PodDisruptionBudgetInformer {
return &podDisruptionBudgetInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} return &podDisruptionBudgetInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
} }
// PodSecurityPolicies returns a PodSecurityPolicyInformer.
func (v *version) PodSecurityPolicies() PodSecurityPolicyInformer {
return &podSecurityPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
}
...@@ -25,10 +25,10 @@ import ( ...@@ -25,10 +25,10 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch" watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache" cache "k8s.io/client-go/tools/cache"
extensions "k8s.io/kubernetes/pkg/apis/extensions" policy "k8s.io/kubernetes/pkg/apis/policy"
internalclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" internalclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
internalinterfaces "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/internalinterfaces" internalinterfaces "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/internalinterfaces"
internalversion "k8s.io/kubernetes/pkg/client/listers/extensions/internalversion" internalversion "k8s.io/kubernetes/pkg/client/listers/policy/internalversion"
) )
// PodSecurityPolicyInformer provides access to a shared informer and lister for // PodSecurityPolicyInformer provides access to a shared informer and lister for
...@@ -60,16 +60,16 @@ func NewFilteredPodSecurityPolicyInformer(client internalclientset.Interface, re ...@@ -60,16 +60,16 @@ func NewFilteredPodSecurityPolicyInformer(client internalclientset.Interface, re
if tweakListOptions != nil { if tweakListOptions != nil {
tweakListOptions(&options) tweakListOptions(&options)
} }
return client.Extensions().PodSecurityPolicies().List(options) return client.Policy().PodSecurityPolicies().List(options)
}, },
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil { if tweakListOptions != nil {
tweakListOptions(&options) tweakListOptions(&options)
} }
return client.Extensions().PodSecurityPolicies().Watch(options) return client.Policy().PodSecurityPolicies().Watch(options)
}, },
}, },
&extensions.PodSecurityPolicy{}, &policy.PodSecurityPolicy{},
resyncPeriod, resyncPeriod,
indexers, indexers,
) )
...@@ -80,7 +80,7 @@ func (f *podSecurityPolicyInformer) defaultInformer(client internalclientset.Int ...@@ -80,7 +80,7 @@ func (f *podSecurityPolicyInformer) defaultInformer(client internalclientset.Int
} }
func (f *podSecurityPolicyInformer) Informer() cache.SharedIndexInformer { func (f *podSecurityPolicyInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&extensions.PodSecurityPolicy{}, f.defaultInformer) return f.factory.InformerFor(&policy.PodSecurityPolicy{}, f.defaultInformer)
} }
func (f *podSecurityPolicyInformer) Lister() internalversion.PodSecurityPolicyLister { func (f *podSecurityPolicyInformer) Lister() internalversion.PodSecurityPolicyLister {
......
...@@ -15,7 +15,6 @@ go_library( ...@@ -15,7 +15,6 @@ go_library(
"deployment_expansion.go", "deployment_expansion.go",
"expansion_generated.go", "expansion_generated.go",
"ingress.go", "ingress.go",
"podsecuritypolicy.go",
"replicaset.go", "replicaset.go",
"replicaset_expansion.go", "replicaset_expansion.go",
], ],
......
...@@ -25,7 +25,3 @@ type IngressListerExpansion interface{} ...@@ -25,7 +25,3 @@ type IngressListerExpansion interface{}
// IngressNamespaceListerExpansion allows custom methods to be added to // IngressNamespaceListerExpansion allows custom methods to be added to
// IngressNamespaceLister. // IngressNamespaceLister.
type IngressNamespaceListerExpansion interface{} type IngressNamespaceListerExpansion interface{}
// PodSecurityPolicyListerExpansion allows custom methods to be added to
// PodSecurityPolicyLister.
type PodSecurityPolicyListerExpansion interface{}
...@@ -12,6 +12,7 @@ go_library( ...@@ -12,6 +12,7 @@ go_library(
"expansion_generated.go", "expansion_generated.go",
"poddisruptionbudget.go", "poddisruptionbudget.go",
"poddisruptionbudget_expansion.go", "poddisruptionbudget_expansion.go",
"podsecuritypolicy.go",
], ],
importpath = "k8s.io/kubernetes/pkg/client/listers/policy/internalversion", importpath = "k8s.io/kubernetes/pkg/client/listers/policy/internalversion",
deps = [ deps = [
......
...@@ -25,3 +25,7 @@ type EvictionListerExpansion interface{} ...@@ -25,3 +25,7 @@ type EvictionListerExpansion interface{}
// EvictionNamespaceListerExpansion allows custom methods to be added to // EvictionNamespaceListerExpansion allows custom methods to be added to
// EvictionNamespaceLister. // EvictionNamespaceLister.
type EvictionNamespaceListerExpansion interface{} type EvictionNamespaceListerExpansion interface{}
// PodSecurityPolicyListerExpansion allows custom methods to be added to
// PodSecurityPolicyLister.
type PodSecurityPolicyListerExpansion interface{}
...@@ -22,15 +22,15 @@ import ( ...@@ -22,15 +22,15 @@ import (
"k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
extensions "k8s.io/kubernetes/pkg/apis/extensions" policy "k8s.io/kubernetes/pkg/apis/policy"
) )
// PodSecurityPolicyLister helps list PodSecurityPolicies. // PodSecurityPolicyLister helps list PodSecurityPolicies.
type PodSecurityPolicyLister interface { type PodSecurityPolicyLister interface {
// List lists all PodSecurityPolicies in the indexer. // List lists all PodSecurityPolicies in the indexer.
List(selector labels.Selector) (ret []*extensions.PodSecurityPolicy, err error) List(selector labels.Selector) (ret []*policy.PodSecurityPolicy, err error)
// Get retrieves the PodSecurityPolicy from the index for a given name. // Get retrieves the PodSecurityPolicy from the index for a given name.
Get(name string) (*extensions.PodSecurityPolicy, error) Get(name string) (*policy.PodSecurityPolicy, error)
PodSecurityPolicyListerExpansion PodSecurityPolicyListerExpansion
} }
...@@ -45,21 +45,21 @@ func NewPodSecurityPolicyLister(indexer cache.Indexer) PodSecurityPolicyLister { ...@@ -45,21 +45,21 @@ func NewPodSecurityPolicyLister(indexer cache.Indexer) PodSecurityPolicyLister {
} }
// List lists all PodSecurityPolicies in the indexer. // List lists all PodSecurityPolicies in the indexer.
func (s *podSecurityPolicyLister) List(selector labels.Selector) (ret []*extensions.PodSecurityPolicy, err error) { func (s *podSecurityPolicyLister) List(selector labels.Selector) (ret []*policy.PodSecurityPolicy, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) { err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*extensions.PodSecurityPolicy)) ret = append(ret, m.(*policy.PodSecurityPolicy))
}) })
return ret, err return ret, err
} }
// Get retrieves the PodSecurityPolicy from the index for a given name. // Get retrieves the PodSecurityPolicy from the index for a given name.
func (s *podSecurityPolicyLister) Get(name string) (*extensions.PodSecurityPolicy, error) { func (s *podSecurityPolicyLister) Get(name string) (*policy.PodSecurityPolicy, error) {
obj, exists, err := s.indexer.GetByKey(name) obj, exists, err := s.indexer.GetByKey(name)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if !exists { if !exists {
return nil, errors.NewNotFound(extensions.Resource("podsecuritypolicy"), name) return nil, errors.NewNotFound(policy.Resource("podsecuritypolicy"), name)
} }
return obj.(*extensions.PodSecurityPolicy), nil return obj.(*policy.PodSecurityPolicy), nil
} }
...@@ -17,7 +17,7 @@ go_library( ...@@ -17,7 +17,7 @@ go_library(
deps = [ deps = [
"//pkg/apis/core/v1/helper:go_default_library", "//pkg/apis/core/v1/helper:go_default_library",
"//pkg/apis/core/validation:go_default_library", "//pkg/apis/core/validation:go_default_library",
"//pkg/apis/extensions/validation:go_default_library", "//pkg/apis/policy/validation:go_default_library",
"//pkg/kubelet/container:go_default_library", "//pkg/kubelet/container:go_default_library",
"//pkg/kubelet/lifecycle:go_default_library", "//pkg/kubelet/lifecycle:go_default_library",
], ],
......
...@@ -22,7 +22,7 @@ import ( ...@@ -22,7 +22,7 @@ import (
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper" v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
"k8s.io/kubernetes/pkg/apis/core/validation" "k8s.io/kubernetes/pkg/apis/core/validation"
extvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation" policyvalidation "k8s.io/kubernetes/pkg/apis/policy/validation"
"k8s.io/kubernetes/pkg/kubelet/lifecycle" "k8s.io/kubernetes/pkg/kubelet/lifecycle"
) )
...@@ -64,11 +64,11 @@ func NewWhitelist(patterns []string, annotationKey string) (*patternWhitelist, e ...@@ -64,11 +64,11 @@ func NewWhitelist(patterns []string, annotationKey string) (*patternWhitelist, e
} }
for _, s := range patterns { for _, s := range patterns {
if !extvalidation.IsValidSysctlPattern(s) { if !policyvalidation.IsValidSysctlPattern(s) {
return nil, fmt.Errorf("sysctl %q must have at most %d characters and match regex %s", return nil, fmt.Errorf("sysctl %q must have at most %d characters and match regex %s",
s, s,
validation.SysctlMaxLength, validation.SysctlMaxLength,
extvalidation.SysctlPatternFmt, policyvalidation.SysctlPatternFmt,
) )
} }
if strings.HasSuffix(s, "*") { if strings.HasSuffix(s, "*") {
......
...@@ -3475,7 +3475,7 @@ type PodSecurityPolicyDescriber struct { ...@@ -3475,7 +3475,7 @@ type PodSecurityPolicyDescriber struct {
} }
func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerSettings printers.DescriberSettings) (string, error) { func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerSettings printers.DescriberSettings) (string, error) {
psp, err := d.Extensions().PodSecurityPolicies().Get(name, metav1.GetOptions{}) psp, err := d.Policy().PodSecurityPolicies().Get(name, metav1.GetOptions{})
if err != nil { if err != nil {
return "", err return "", err
} }
...@@ -3483,7 +3483,7 @@ func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerS ...@@ -3483,7 +3483,7 @@ func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerS
return describePodSecurityPolicy(psp) return describePodSecurityPolicy(psp)
} }
func describePodSecurityPolicy(psp *extensions.PodSecurityPolicy) (string, error) { func describePodSecurityPolicy(psp *policy.PodSecurityPolicy) (string, error) {
return tabbedString(func(out io.Writer) error { return tabbedString(func(out io.Writer) error {
w := NewPrefixWriter(out) w := NewPrefixWriter(out)
w.Write(LEVEL_0, "Name:\t%s\n", psp.Name) w.Write(LEVEL_0, "Name:\t%s\n", psp.Name)
...@@ -3543,7 +3543,7 @@ func stringOrDefaultValue(s, defaultValue string) string { ...@@ -3543,7 +3543,7 @@ func stringOrDefaultValue(s, defaultValue string) string {
return defaultValue return defaultValue
} }
func fsTypeToString(volumes []extensions.FSType) string { func fsTypeToString(volumes []policy.FSType) string {
strVolumes := []string{} strVolumes := []string{}
for _, v := range volumes { for _, v := range volumes {
strVolumes = append(strVolumes, string(v)) strVolumes = append(strVolumes, string(v))
...@@ -3551,7 +3551,7 @@ func fsTypeToString(volumes []extensions.FSType) string { ...@@ -3551,7 +3551,7 @@ func fsTypeToString(volumes []extensions.FSType) string {
return stringOrNone(strings.Join(strVolumes, ",")) return stringOrNone(strings.Join(strVolumes, ","))
} }
func flexVolumesToString(flexVolumes []extensions.AllowedFlexVolume) string { func flexVolumesToString(flexVolumes []policy.AllowedFlexVolume) string {
volumes := []string{} volumes := []string{}
for _, flexVolume := range flexVolumes { for _, flexVolume := range flexVolumes {
volumes = append(volumes, "driver="+flexVolume.Driver) volumes = append(volumes, "driver="+flexVolume.Driver)
...@@ -3559,7 +3559,7 @@ func flexVolumesToString(flexVolumes []extensions.AllowedFlexVolume) string { ...@@ -3559,7 +3559,7 @@ func flexVolumesToString(flexVolumes []extensions.AllowedFlexVolume) string {
return stringOrDefaultValue(strings.Join(volumes, ","), "<all>") return stringOrDefaultValue(strings.Join(volumes, ","), "<all>")
} }
func hostPortRangeToString(ranges []extensions.HostPortRange) string { func hostPortRangeToString(ranges []policy.HostPortRange) string {
formattedString := "" formattedString := ""
if ranges != nil { if ranges != nil {
strRanges := []string{} strRanges := []string{}
...@@ -3571,7 +3571,7 @@ func hostPortRangeToString(ranges []extensions.HostPortRange) string { ...@@ -3571,7 +3571,7 @@ func hostPortRangeToString(ranges []extensions.HostPortRange) string {
return stringOrNone(formattedString) return stringOrNone(formattedString)
} }
func userIDRangeToString(ranges []extensions.UserIDRange) string { func userIDRangeToString(ranges []policy.UserIDRange) string {
formattedString := "" formattedString := ""
if ranges != nil { if ranges != nil {
strRanges := []string{} strRanges := []string{}
...@@ -3583,7 +3583,7 @@ func userIDRangeToString(ranges []extensions.UserIDRange) string { ...@@ -3583,7 +3583,7 @@ func userIDRangeToString(ranges []extensions.UserIDRange) string {
return stringOrNone(formattedString) return stringOrNone(formattedString)
} }
func groupIDRangeToString(ranges []extensions.GroupIDRange) string { func groupIDRangeToString(ranges []policy.GroupIDRange) string {
formattedString := "" formattedString := ""
if ranges != nil { if ranges != nil {
strRanges := []string{} strRanges := []string{}
......
...@@ -2187,22 +2187,22 @@ func TestDescribePodSecurityPolicy(t *testing.T) { ...@@ -2187,22 +2187,22 @@ func TestDescribePodSecurityPolicy(t *testing.T) {
"Supplemental Groups Strategy: RunAsAny", "Supplemental Groups Strategy: RunAsAny",
} }
fake := fake.NewSimpleClientset(&extensions.PodSecurityPolicy{ fake := fake.NewSimpleClientset(&policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "mypsp", Name: "mypsp",
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny, Rule: policy.RunAsUserStrategyRunAsAny,
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny, Rule: policy.FSGroupStrategyRunAsAny,
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny, Rule: policy.SupplementalGroupsStrategyRunAsAny,
}, },
}, },
}) })
......
...@@ -1619,7 +1619,7 @@ func printConfigMapList(list *api.ConfigMapList, options printers.PrintOptions) ...@@ -1619,7 +1619,7 @@ func printConfigMapList(list *api.ConfigMapList, options printers.PrintOptions)
return rows, nil return rows, nil
} }
func printPodSecurityPolicy(obj *extensions.PodSecurityPolicy, options printers.PrintOptions) ([]metav1beta1.TableRow, error) { func printPodSecurityPolicy(obj *policy.PodSecurityPolicy, options printers.PrintOptions) ([]metav1beta1.TableRow, error) {
row := metav1beta1.TableRow{ row := metav1beta1.TableRow{
Object: runtime.RawExtension{Object: obj}, Object: runtime.RawExtension{Object: obj},
} }
...@@ -1640,7 +1640,7 @@ func printPodSecurityPolicy(obj *extensions.PodSecurityPolicy, options printers. ...@@ -1640,7 +1640,7 @@ func printPodSecurityPolicy(obj *extensions.PodSecurityPolicy, options printers.
return []metav1beta1.TableRow{row}, nil return []metav1beta1.TableRow{row}, nil
} }
func printPodSecurityPolicyList(list *extensions.PodSecurityPolicyList, options printers.PrintOptions) ([]metav1beta1.TableRow, error) { func printPodSecurityPolicyList(list *policy.PodSecurityPolicyList, options printers.PrintOptions) ([]metav1beta1.TableRow, error) {
rows := make([]metav1beta1.TableRow, 0, len(list.Items)) rows := make([]metav1beta1.TableRow, 0, len(list.Items))
for i := range list.Items { for i := range list.Items {
r, err := printPodSecurityPolicy(&list.Items[i], options) r, err := printPodSecurityPolicy(&list.Items[i], options)
......
...@@ -14,8 +14,8 @@ go_library( ...@@ -14,8 +14,8 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/registry/extensions/podsecuritypolicy", importpath = "k8s.io/kubernetes/pkg/registry/extensions/podsecuritypolicy",
deps = [ deps = [
"//pkg/api/legacyscheme:go_default_library", "//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/apis/extensions/validation:go_default_library", "//pkg/apis/policy/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library", "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
......
...@@ -11,9 +11,9 @@ go_test( ...@@ -11,9 +11,9 @@ go_test(
srcs = ["storage_test.go"], srcs = ["storage_test.go"],
embed = [":go_default_library"], embed = [":go_default_library"],
deps = [ deps = [
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/registry/registrytest:go_default_library", "//pkg/registry/registrytest:go_default_library",
"//vendor/k8s.io/api/extensions/v1beta1:go_default_library", "//vendor/k8s.io/api/policy/v1beta1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/fields:go_default_library", "//vendor/k8s.io/apimachinery/pkg/fields:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library", "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
...@@ -29,11 +29,12 @@ go_library( ...@@ -29,11 +29,12 @@ go_library(
srcs = ["storage.go"], srcs = ["storage.go"],
importpath = "k8s.io/kubernetes/pkg/registry/extensions/podsecuritypolicy/storage", importpath = "k8s.io/kubernetes/pkg/registry/extensions/podsecuritypolicy/storage",
deps = [ deps = [
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/printers:go_default_library", "//pkg/printers:go_default_library",
"//pkg/printers/internalversion:go_default_library", "//pkg/printers/internalversion:go_default_library",
"//pkg/printers/storage:go_default_library", "//pkg/printers/storage:go_default_library",
"//pkg/registry/extensions/podsecuritypolicy:go_default_library", "//pkg/registry/extensions/podsecuritypolicy:go_default_library",
"//vendor/k8s.io/api/extensions/v1beta1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library", "//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library", "//vendor/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library",
......
...@@ -17,10 +17,11 @@ limitations under the License. ...@@ -17,10 +17,11 @@ limitations under the License.
package storage package storage
import ( import (
extensions "k8s.io/api/extensions/v1beta1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/registry/generic" "k8s.io/apiserver/pkg/registry/generic"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry" genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/printers" "k8s.io/kubernetes/pkg/printers"
printersinternal "k8s.io/kubernetes/pkg/printers/internalversion" printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
printerstorage "k8s.io/kubernetes/pkg/printers/storage" printerstorage "k8s.io/kubernetes/pkg/printers/storage"
...@@ -35,8 +36,8 @@ type REST struct { ...@@ -35,8 +36,8 @@ type REST struct {
// NewREST returns a RESTStorage object that will work against PodSecurityPolicy objects. // NewREST returns a RESTStorage object that will work against PodSecurityPolicy objects.
func NewREST(optsGetter generic.RESTOptionsGetter) *REST { func NewREST(optsGetter generic.RESTOptionsGetter) *REST {
store := &genericregistry.Store{ store := &genericregistry.Store{
NewFunc: func() runtime.Object { return &extensions.PodSecurityPolicy{} }, NewFunc: func() runtime.Object { return &policy.PodSecurityPolicy{} },
NewListFunc: func() runtime.Object { return &extensions.PodSecurityPolicyList{} }, NewListFunc: func() runtime.Object { return &policy.PodSecurityPolicyList{} },
DefaultQualifiedResource: extensions.Resource("podsecuritypolicies"), DefaultQualifiedResource: extensions.Resource("podsecuritypolicies"),
CreateStrategy: podsecuritypolicy.Strategy, CreateStrategy: podsecuritypolicy.Strategy,
......
...@@ -20,9 +20,9 @@ import ( ...@@ -20,9 +20,9 @@ import (
"testing" "testing"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
// Ensure that extensions/v1beta1 package is initialized. // Ensure that policy/v1beta1 package is initialized.
_ "k8s.io/api/extensions/v1beta1" _ "k8s.io/api/policy/v1beta1"
"k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
...@@ -33,7 +33,7 @@ import ( ...@@ -33,7 +33,7 @@ import (
) )
func newStorage(t *testing.T) (*REST, *etcdtesting.EtcdTestServer) { func newStorage(t *testing.T) (*REST, *etcdtesting.EtcdTestServer) {
etcdStorage, server := registrytest.NewEtcdStorage(t, "extensions") etcdStorage, server := registrytest.NewEtcdStorage(t, "policy")
restOptions := generic.RESTOptions{ restOptions := generic.RESTOptions{
StorageConfig: etcdStorage, StorageConfig: etcdStorage,
Decorator: generic.UndecoratedStorage, Decorator: generic.UndecoratedStorage,
...@@ -43,23 +43,23 @@ func newStorage(t *testing.T) (*REST, *etcdtesting.EtcdTestServer) { ...@@ -43,23 +43,23 @@ func newStorage(t *testing.T) (*REST, *etcdtesting.EtcdTestServer) {
return NewREST(restOptions), server return NewREST(restOptions), server
} }
func validNewPodSecurityPolicy() *extensions.PodSecurityPolicy { func validNewPodSecurityPolicy() *policy.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{ return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "foo", Name: "foo",
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny, Rule: policy.RunAsUserStrategyRunAsAny,
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny, Rule: policy.FSGroupStrategyRunAsAny,
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny, Rule: policy.SupplementalGroupsStrategyRunAsAny,
}, },
}, },
} }
...@@ -76,7 +76,7 @@ func TestCreate(t *testing.T) { ...@@ -76,7 +76,7 @@ func TestCreate(t *testing.T) {
// valid // valid
psp, psp,
// invalid // invalid
&extensions.PodSecurityPolicy{ &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{Name: "name with spaces"}, ObjectMeta: metav1.ObjectMeta{Name: "name with spaces"},
}, },
) )
...@@ -92,7 +92,7 @@ func TestUpdate(t *testing.T) { ...@@ -92,7 +92,7 @@ func TestUpdate(t *testing.T) {
validNewPodSecurityPolicy(), validNewPodSecurityPolicy(),
// updateFunc // updateFunc
func(obj runtime.Object) runtime.Object { func(obj runtime.Object) runtime.Object {
object := obj.(*extensions.PodSecurityPolicy) object := obj.(*policy.PodSecurityPolicy)
object.Labels = map[string]string{"a": "b"} object.Labels = map[string]string{"a": "b"}
return object return object
}, },
......
...@@ -23,8 +23,8 @@ import ( ...@@ -23,8 +23,8 @@ import (
"k8s.io/apiserver/pkg/registry/rest" "k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/storage/names" "k8s.io/apiserver/pkg/storage/names"
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/apis/extensions/validation" "k8s.io/kubernetes/pkg/apis/policy/validation"
) )
// strategy implements behavior for PodSecurityPolicy objects // strategy implements behavior for PodSecurityPolicy objects
...@@ -63,9 +63,9 @@ func (strategy) Canonicalize(obj runtime.Object) { ...@@ -63,9 +63,9 @@ func (strategy) Canonicalize(obj runtime.Object) {
} }
func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList { func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
return validation.ValidatePodSecurityPolicy(obj.(*extensions.PodSecurityPolicy)) return validation.ValidatePodSecurityPolicy(obj.(*policy.PodSecurityPolicy))
} }
func (strategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList { func (strategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
return validation.ValidatePodSecurityPolicyUpdate(old.(*extensions.PodSecurityPolicy), obj.(*extensions.PodSecurityPolicy)) return validation.ValidatePodSecurityPolicyUpdate(old.(*policy.PodSecurityPolicy), obj.(*policy.PodSecurityPolicy))
} }
...@@ -17,7 +17,7 @@ go_library( ...@@ -17,7 +17,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy", importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy",
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/apparmor:go_default_library", "//pkg/security/podsecuritypolicy/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/capabilities:go_default_library", "//pkg/security/podsecuritypolicy/capabilities:go_default_library",
"//pkg/security/podsecuritypolicy/group:go_default_library", "//pkg/security/podsecuritypolicy/group:go_default_library",
...@@ -39,7 +39,7 @@ go_test( ...@@ -39,7 +39,7 @@ go_test(
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/core/v1:go_default_library", "//pkg/apis/core/v1:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/security/apparmor:go_default_library", "//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library", "//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library",
......
...@@ -16,7 +16,7 @@ go_library( ...@@ -16,7 +16,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities", importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities",
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
], ],
...@@ -28,7 +28,7 @@ go_test( ...@@ -28,7 +28,7 @@ go_test(
embed = [":go_default_library"], embed = [":go_default_library"],
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
], ],
) )
......
...@@ -22,7 +22,7 @@ import ( ...@@ -22,7 +22,7 @@ import (
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
) )
// defaultCapabilities implements the Strategy interface // defaultCapabilities implements the Strategy interface
...@@ -100,7 +100,7 @@ func (s *defaultCapabilities) Validate(pod *api.Pod, container *api.Container, c ...@@ -100,7 +100,7 @@ func (s *defaultCapabilities) Validate(pod *api.Pod, container *api.Container, c
} }
allowedAdd := makeCapSet(s.allowedCaps) allowedAdd := makeCapSet(s.allowedCaps)
allowAllCaps := allowedAdd.Has(string(extensions.AllowAllCapabilities)) allowAllCaps := allowedAdd.Has(string(policy.AllowAllCapabilities))
if allowAllCaps { if allowAllCaps {
// skip validation against allowed/defaultAdd/requiredDrop because all capabilities are allowed by a wildcard // skip validation against allowed/defaultAdd/requiredDrop because all capabilities are allowed by a wildcard
return allErrs return allErrs
......
...@@ -21,7 +21,7 @@ import ( ...@@ -21,7 +21,7 @@ import (
"testing" "testing"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
) )
func TestGenerateAdds(t *testing.T) { func TestGenerateAdds(t *testing.T) {
...@@ -278,7 +278,7 @@ func TestValidateAdds(t *testing.T) { ...@@ -278,7 +278,7 @@ func TestValidateAdds(t *testing.T) {
}, },
}, },
"no required, all allowed, container requests valid": { "no required, all allowed, container requests valid": {
allowedCaps: []api.Capability{extensions.AllowAllCapabilities}, allowedCaps: []api.Capability{policy.AllowAllCapabilities},
containerCaps: &api.Capabilities{ containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"}, Add: []api.Capability{"foo"},
}, },
......
...@@ -21,7 +21,7 @@ import ( ...@@ -21,7 +21,7 @@ import (
"k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/errors"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
...@@ -39,7 +39,7 @@ func NewSimpleStrategyFactory() StrategyFactory { ...@@ -39,7 +39,7 @@ func NewSimpleStrategyFactory() StrategyFactory {
return &simpleStrategyFactory{} return &simpleStrategyFactory{}
} }
func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPolicy, namespace string) (*ProviderStrategies, error) { func (f *simpleStrategyFactory) CreateStrategies(psp *policy.PodSecurityPolicy, namespace string) (*ProviderStrategies, error) {
errs := []error{} errs := []error{}
userStrat, err := createUserStrategy(&psp.Spec.RunAsUser) userStrat, err := createUserStrategy(&psp.Spec.RunAsUser)
...@@ -78,9 +78,9 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPoli ...@@ -78,9 +78,9 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPoli
} }
var unsafeSysctls []string var unsafeSysctls []string
if ann, found := psp.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey]; found { if ann, found := psp.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey]; found {
var err error var err error
unsafeSysctls, err = extensions.SysctlsFromPodSecurityPolicyAnnotation(ann) unsafeSysctls, err = policy.SysctlsFromPodSecurityPolicyAnnotation(ann)
if err != nil { if err != nil {
errs = append(errs, err) errs = append(errs, err)
} }
...@@ -106,13 +106,13 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPoli ...@@ -106,13 +106,13 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *extensions.PodSecurityPoli
} }
// createUserStrategy creates a new user strategy. // createUserStrategy creates a new user strategy.
func createUserStrategy(opts *extensions.RunAsUserStrategyOptions) (user.RunAsUserStrategy, error) { func createUserStrategy(opts *policy.RunAsUserStrategyOptions) (user.RunAsUserStrategy, error) {
switch opts.Rule { switch opts.Rule {
case extensions.RunAsUserStrategyMustRunAs: case policy.RunAsUserStrategyMustRunAs:
return user.NewMustRunAs(opts) return user.NewMustRunAs(opts)
case extensions.RunAsUserStrategyMustRunAsNonRoot: case policy.RunAsUserStrategyMustRunAsNonRoot:
return user.NewRunAsNonRoot(opts) return user.NewRunAsNonRoot(opts)
case extensions.RunAsUserStrategyRunAsAny: case policy.RunAsUserStrategyRunAsAny:
return user.NewRunAsAny(opts) return user.NewRunAsAny(opts)
default: default:
return nil, fmt.Errorf("Unrecognized RunAsUser strategy type %s", opts.Rule) return nil, fmt.Errorf("Unrecognized RunAsUser strategy type %s", opts.Rule)
...@@ -120,11 +120,11 @@ func createUserStrategy(opts *extensions.RunAsUserStrategyOptions) (user.RunAsUs ...@@ -120,11 +120,11 @@ func createUserStrategy(opts *extensions.RunAsUserStrategyOptions) (user.RunAsUs
} }
// createSELinuxStrategy creates a new selinux strategy. // createSELinuxStrategy creates a new selinux strategy.
func createSELinuxStrategy(opts *extensions.SELinuxStrategyOptions) (selinux.SELinuxStrategy, error) { func createSELinuxStrategy(opts *policy.SELinuxStrategyOptions) (selinux.SELinuxStrategy, error) {
switch opts.Rule { switch opts.Rule {
case extensions.SELinuxStrategyMustRunAs: case policy.SELinuxStrategyMustRunAs:
return selinux.NewMustRunAs(opts) return selinux.NewMustRunAs(opts)
case extensions.SELinuxStrategyRunAsAny: case policy.SELinuxStrategyRunAsAny:
return selinux.NewRunAsAny(opts) return selinux.NewRunAsAny(opts)
default: default:
return nil, fmt.Errorf("Unrecognized SELinuxContext strategy type %s", opts.Rule) return nil, fmt.Errorf("Unrecognized SELinuxContext strategy type %s", opts.Rule)
...@@ -132,21 +132,21 @@ func createSELinuxStrategy(opts *extensions.SELinuxStrategyOptions) (selinux.SEL ...@@ -132,21 +132,21 @@ func createSELinuxStrategy(opts *extensions.SELinuxStrategyOptions) (selinux.SEL
} }
// createAppArmorStrategy creates a new AppArmor strategy. // createAppArmorStrategy creates a new AppArmor strategy.
func createAppArmorStrategy(psp *extensions.PodSecurityPolicy) (apparmor.Strategy, error) { func createAppArmorStrategy(psp *policy.PodSecurityPolicy) (apparmor.Strategy, error) {
return apparmor.NewStrategy(psp.Annotations), nil return apparmor.NewStrategy(psp.Annotations), nil
} }
// createSeccompStrategy creates a new seccomp strategy. // createSeccompStrategy creates a new seccomp strategy.
func createSeccompStrategy(psp *extensions.PodSecurityPolicy) (seccomp.Strategy, error) { func createSeccompStrategy(psp *policy.PodSecurityPolicy) (seccomp.Strategy, error) {
return seccomp.NewStrategy(psp.Annotations), nil return seccomp.NewStrategy(psp.Annotations), nil
} }
// createFSGroupStrategy creates a new fsgroup strategy // createFSGroupStrategy creates a new fsgroup strategy
func createFSGroupStrategy(opts *extensions.FSGroupStrategyOptions) (group.GroupStrategy, error) { func createFSGroupStrategy(opts *policy.FSGroupStrategyOptions) (group.GroupStrategy, error) {
switch opts.Rule { switch opts.Rule {
case extensions.FSGroupStrategyRunAsAny: case policy.FSGroupStrategyRunAsAny:
return group.NewRunAsAny() return group.NewRunAsAny()
case extensions.FSGroupStrategyMustRunAs: case policy.FSGroupStrategyMustRunAs:
return group.NewMustRunAs(opts.Ranges, fsGroupField) return group.NewMustRunAs(opts.Ranges, fsGroupField)
default: default:
return nil, fmt.Errorf("Unrecognized FSGroup strategy type %s", opts.Rule) return nil, fmt.Errorf("Unrecognized FSGroup strategy type %s", opts.Rule)
...@@ -154,11 +154,11 @@ func createFSGroupStrategy(opts *extensions.FSGroupStrategyOptions) (group.Group ...@@ -154,11 +154,11 @@ func createFSGroupStrategy(opts *extensions.FSGroupStrategyOptions) (group.Group
} }
// createSupplementalGroupStrategy creates a new supplemental group strategy // createSupplementalGroupStrategy creates a new supplemental group strategy
func createSupplementalGroupStrategy(opts *extensions.SupplementalGroupsStrategyOptions) (group.GroupStrategy, error) { func createSupplementalGroupStrategy(opts *policy.SupplementalGroupsStrategyOptions) (group.GroupStrategy, error) {
switch opts.Rule { switch opts.Rule {
case extensions.SupplementalGroupsStrategyRunAsAny: case policy.SupplementalGroupsStrategyRunAsAny:
return group.NewRunAsAny() return group.NewRunAsAny()
case extensions.SupplementalGroupsStrategyMustRunAs: case policy.SupplementalGroupsStrategyMustRunAs:
return group.NewMustRunAs(opts.Ranges, supplementalGroupsField) return group.NewMustRunAs(opts.Ranges, supplementalGroupsField)
default: default:
return nil, fmt.Errorf("Unrecognized SupplementalGroups strategy type %s", opts.Rule) return nil, fmt.Errorf("Unrecognized SupplementalGroups strategy type %s", opts.Rule)
......
...@@ -17,7 +17,7 @@ go_library( ...@@ -17,7 +17,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group", importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group",
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
], ],
...@@ -30,7 +30,7 @@ go_test( ...@@ -30,7 +30,7 @@ go_test(
"runasany_test.go", "runasany_test.go",
], ],
embed = [":go_default_library"], embed = [":go_default_library"],
deps = ["//pkg/apis/extensions:go_default_library"], deps = ["//pkg/apis/policy:go_default_library"],
) )
filegroup( filegroup(
......
...@@ -21,20 +21,20 @@ import ( ...@@ -21,20 +21,20 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
) )
// mustRunAs implements the GroupStrategy interface // mustRunAs implements the GroupStrategy interface
type mustRunAs struct { type mustRunAs struct {
ranges []extensions.GroupIDRange ranges []policy.GroupIDRange
field string field string
} }
var _ GroupStrategy = &mustRunAs{} var _ GroupStrategy = &mustRunAs{}
// NewMustRunAs provides a new MustRunAs strategy based on ranges. // NewMustRunAs provides a new MustRunAs strategy based on ranges.
func NewMustRunAs(ranges []extensions.GroupIDRange, field string) (GroupStrategy, error) { func NewMustRunAs(ranges []policy.GroupIDRange, field string) (GroupStrategy, error) {
if len(ranges) == 0 { if len(ranges) == 0 {
return nil, fmt.Errorf("ranges must be supplied for MustRunAs") return nil, fmt.Errorf("ranges must be supplied for MustRunAs")
} }
......
...@@ -20,19 +20,19 @@ import ( ...@@ -20,19 +20,19 @@ import (
"strings" "strings"
"testing" "testing"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
) )
func TestMustRunAsOptions(t *testing.T) { func TestMustRunAsOptions(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
ranges []extensions.GroupIDRange ranges []policy.GroupIDRange
pass bool pass bool
}{ }{
"empty": { "empty": {
ranges: []extensions.GroupIDRange{}, ranges: []policy.GroupIDRange{},
}, },
"ranges": { "ranges": {
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 1}, {Min: 1, Max: 1},
}, },
pass: true, pass: true,
...@@ -52,23 +52,23 @@ func TestMustRunAsOptions(t *testing.T) { ...@@ -52,23 +52,23 @@ func TestMustRunAsOptions(t *testing.T) {
func TestGenerate(t *testing.T) { func TestGenerate(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
ranges []extensions.GroupIDRange ranges []policy.GroupIDRange
expected []int64 expected []int64
}{ }{
"multi value": { "multi value": {
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 2}, {Min: 1, Max: 2},
}, },
expected: []int64{1}, expected: []int64{1},
}, },
"single value": { "single value": {
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 1}, {Min: 1, Max: 1},
}, },
expected: []int64{1}, expected: []int64{1},
}, },
"multi range": { "multi range": {
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 1}, {Min: 1, Max: 1},
{Min: 2, Max: 500}, {Min: 2, Max: 500},
}, },
...@@ -110,25 +110,25 @@ func TestGenerate(t *testing.T) { ...@@ -110,25 +110,25 @@ func TestGenerate(t *testing.T) {
func TestValidate(t *testing.T) { func TestValidate(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
ranges []extensions.GroupIDRange ranges []policy.GroupIDRange
groups []int64 groups []int64
expectedError string expectedError string
}{ }{
"nil security context": { "nil security context": {
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
}, },
expectedError: "unable to validate empty groups against required ranges", expectedError: "unable to validate empty groups against required ranges",
}, },
"empty groups": { "empty groups": {
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
}, },
expectedError: "unable to validate empty groups against required ranges", expectedError: "unable to validate empty groups against required ranges",
}, },
"not in range": { "not in range": {
groups: []int64{5}, groups: []int64{5},
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
{Min: 4, Max: 4}, {Min: 4, Max: 4},
}, },
...@@ -136,25 +136,25 @@ func TestValidate(t *testing.T) { ...@@ -136,25 +136,25 @@ func TestValidate(t *testing.T) {
}, },
"in range 1": { "in range 1": {
groups: []int64{2}, groups: []int64{2},
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
}, },
}, },
"in range boundary min": { "in range boundary min": {
groups: []int64{1}, groups: []int64{1},
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
}, },
}, },
"in range boundary max": { "in range boundary max": {
groups: []int64{3}, groups: []int64{3},
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 1, Max: 3}, {Min: 1, Max: 3},
}, },
}, },
"singular range": { "singular range": {
groups: []int64{4}, groups: []int64{4},
ranges: []extensions.GroupIDRange{ ranges: []policy.GroupIDRange{
{Min: 4, Max: 4}, {Min: 4, Max: 4},
}, },
}, },
......
...@@ -22,7 +22,7 @@ import ( ...@@ -22,7 +22,7 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
"k8s.io/kubernetes/pkg/securitycontext" "k8s.io/kubernetes/pkg/securitycontext"
) )
...@@ -36,7 +36,7 @@ const ( ...@@ -36,7 +36,7 @@ const (
// simpleProvider is the default implementation of Provider. // simpleProvider is the default implementation of Provider.
type simpleProvider struct { type simpleProvider struct {
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
strategies *ProviderStrategies strategies *ProviderStrategies
} }
...@@ -44,7 +44,7 @@ type simpleProvider struct { ...@@ -44,7 +44,7 @@ type simpleProvider struct {
var _ Provider = &simpleProvider{} var _ Provider = &simpleProvider{}
// NewSimpleProvider creates a new Provider instance. // NewSimpleProvider creates a new Provider instance.
func NewSimpleProvider(psp *extensions.PodSecurityPolicy, namespace string, strategyFactory StrategyFactory) (Provider, error) { func NewSimpleProvider(psp *policy.PodSecurityPolicy, namespace string, strategyFactory StrategyFactory) (Provider, error) {
if psp == nil { if psp == nil {
return nil, fmt.Errorf("NewSimpleProvider requires a PodSecurityPolicy") return nil, fmt.Errorf("NewSimpleProvider requires a PodSecurityPolicy")
} }
...@@ -144,7 +144,7 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container ...@@ -144,7 +144,7 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container
// if we're using the non-root strategy set the marker that this container should not be // if we're using the non-root strategy set the marker that this container should not be
// run as root which will signal to the kubelet to do a final check either on the runAsUser // run as root which will signal to the kubelet to do a final check either on the runAsUser
// or, if runAsUser is not set, the image UID will be checked. // or, if runAsUser is not set, the image UID will be checked.
if sc.RunAsNonRoot() == nil && sc.RunAsUser() == nil && s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot { if sc.RunAsNonRoot() == nil && sc.RunAsUser() == nil && s.psp.Spec.RunAsUser.Rule == policy.RunAsUserStrategyMustRunAsNonRoot {
nonRoot := true nonRoot := true
sc.SetRunAsNonRoot(&nonRoot) sc.SetRunAsNonRoot(&nonRoot)
} }
...@@ -226,7 +226,7 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.Er ...@@ -226,7 +226,7 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.Er
continue continue
} }
if fsType == extensions.HostPath { if fsType == policy.HostPath {
if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) { if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) {
allErrs = append(allErrs, field.Invalid( allErrs = append(allErrs, field.Invalid(
field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path, field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path,
...@@ -234,7 +234,7 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.Er ...@@ -234,7 +234,7 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.Er
} }
} }
if fsType == extensions.FlexVolume && len(s.psp.Spec.AllowedFlexVolumes) > 0 { if fsType == policy.FlexVolume && len(s.psp.Spec.AllowedFlexVolumes) > 0 {
found := false found := false
driver := v.FlexVolume.Driver driver := v.FlexVolume.Driver
for _, allowedFlexVolume := range s.psp.Spec.AllowedFlexVolumes { for _, allowedFlexVolume := range s.psp.Spec.AllowedFlexVolumes {
...@@ -333,7 +333,7 @@ func (s *simpleProvider) GetPSPName() string { ...@@ -333,7 +333,7 @@ func (s *simpleProvider) GetPSPName() string {
return s.psp.Name return s.psp.Name
} }
func hostPortRangesToString(ranges []extensions.HostPortRange) string { func hostPortRangesToString(ranges []policy.HostPortRange) string {
formattedString := "" formattedString := ""
if ranges != nil { if ranges != nil {
strRanges := []string{} strRanges := []string{}
......
...@@ -30,7 +30,7 @@ import ( ...@@ -30,7 +30,7 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1" k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
...@@ -49,27 +49,27 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) { ...@@ -49,27 +49,27 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
} }
// Create a PSP with strategies that will populate a blank psc // Create a PSP with strategies that will populate a blank psc
createPSP := func() *extensions.PodSecurityPolicy { createPSP := func() *policy.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{ return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "psp-sa", Name: "psp-sa",
Annotations: map[string]string{ Annotations: map[string]string{
seccomp.AllowedProfilesAnnotationKey: "*", seccomp.AllowedProfilesAnnotationKey: "*",
}, },
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowPrivilegeEscalation: true, AllowPrivilegeEscalation: true,
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny, Rule: policy.RunAsUserStrategyRunAsAny,
}, },
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny, Rule: policy.FSGroupStrategyRunAsAny,
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny, Rule: policy.SupplementalGroupsStrategyRunAsAny,
}, },
}, },
} }
...@@ -120,8 +120,8 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) { ...@@ -120,8 +120,8 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
} }
// Create a PSP with strategies that will populate a blank security context // Create a PSP with strategies that will populate a blank security context
createPSP := func() *extensions.PodSecurityPolicy { createPSP := func() *policy.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{ return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "psp-sa", Name: "psp-sa",
Annotations: map[string]string{ Annotations: map[string]string{
...@@ -129,19 +129,19 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) { ...@@ -129,19 +129,19 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
seccomp.DefaultProfileAnnotationKey: "foo", seccomp.DefaultProfileAnnotationKey: "foo",
}, },
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowPrivilegeEscalation: true, AllowPrivilegeEscalation: true,
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny, Rule: policy.RunAsUserStrategyRunAsAny,
}, },
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny, Rule: policy.FSGroupStrategyRunAsAny,
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny, Rule: policy.SupplementalGroupsStrategyRunAsAny,
}, },
}, },
} }
...@@ -184,9 +184,9 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { ...@@ -184,9 +184,9 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
failSupplementalGroupPod := defaultPod() failSupplementalGroupPod := defaultPod()
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{999} failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{999}
failSupplementalGroupPSP := defaultPSP() failSupplementalGroupPSP := defaultPSP()
failSupplementalGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{ failSupplementalGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs, Rule: policy.SupplementalGroupsStrategyMustRunAs,
Ranges: []extensions.GroupIDRange{ Ranges: []policy.GroupIDRange{
{Min: 1, Max: 1}, {Min: 1, Max: 1},
}, },
} }
...@@ -195,16 +195,16 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { ...@@ -195,16 +195,16 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
fsGroup := int64(999) fsGroup := int64(999)
failFSGroupPod.Spec.SecurityContext.FSGroup = &fsGroup failFSGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
failFSGroupPSP := defaultPSP() failFSGroupPSP := defaultPSP()
failFSGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{ failFSGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyMustRunAs, Rule: policy.FSGroupStrategyMustRunAs,
Ranges: []extensions.GroupIDRange{ Ranges: []policy.GroupIDRange{
{Min: 1, Max: 1}, {Min: 1, Max: 1},
}, },
} }
failNilSELinuxPod := defaultPod() failNilSELinuxPod := defaultPod()
failSELinuxPSP := defaultPSP() failSELinuxPSP := defaultPSP()
failSELinuxPSP.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs failSELinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
failSELinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{ failSELinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
Level: "foo", Level: "foo",
} }
...@@ -236,16 +236,16 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { ...@@ -236,16 +236,16 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
}, },
} }
failHostPathDirPSP := defaultPSP() failHostPathDirPSP := defaultPSP()
failHostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath} failHostPathDirPSP.Spec.Volumes = []policy.FSType{policy.HostPath}
failHostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{ failHostPathDirPSP.Spec.AllowedHostPaths = []policy.AllowedHostPath{
{PathPrefix: "/foo/bar"}, {PathPrefix: "/foo/bar"},
} }
failOtherSysctlsAllowedPSP := defaultPSP() failOtherSysctlsAllowedPSP := defaultPSP()
failOtherSysctlsAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc" failOtherSysctlsAllowedPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc"
failNoSysctlAllowedPSP := defaultPSP() failNoSysctlAllowedPSP := defaultPSP()
failNoSysctlAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "" failNoSysctlAllowedPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = ""
failSafeSysctlFooPod := defaultPod() failSafeSysctlFooPod := defaultPod()
failSafeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1" failSafeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1"
...@@ -270,7 +270,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { ...@@ -270,7 +270,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
errorCases := map[string]struct { errorCases := map[string]struct {
pod *api.Pod pod *api.Pod
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
expectedError string expectedError string
}{ }{
"failHostNetwork": { "failHostNetwork": {
...@@ -380,24 +380,24 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { ...@@ -380,24 +380,24 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
} }
} }
func allowFlexVolumesPSP(allowAllFlexVolumes, allowAllVolumes bool) *extensions.PodSecurityPolicy { func allowFlexVolumesPSP(allowAllFlexVolumes, allowAllVolumes bool) *policy.PodSecurityPolicy {
psp := defaultPSP() psp := defaultPSP()
allowedVolumes := []extensions.AllowedFlexVolume{ allowedVolumes := []policy.AllowedFlexVolume{
{Driver: "example/foo"}, {Driver: "example/foo"},
{Driver: "example/bar"}, {Driver: "example/bar"},
} }
if allowAllFlexVolumes { if allowAllFlexVolumes {
allowedVolumes = []extensions.AllowedFlexVolume{} allowedVolumes = []policy.AllowedFlexVolume{}
} }
allowedVolumeType := extensions.FlexVolume allowedVolumeType := policy.FlexVolume
if allowAllVolumes { if allowAllVolumes {
allowedVolumeType = extensions.All allowedVolumeType = policy.All
} }
psp.Spec.AllowedFlexVolumes = allowedVolumes psp.Spec.AllowedFlexVolumes = allowedVolumes
psp.Spec.Volumes = []extensions.FSType{allowedVolumeType} psp.Spec.Volumes = []policy.FSType{allowedVolumeType}
return psp return psp
} }
...@@ -407,17 +407,17 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) { ...@@ -407,17 +407,17 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
failUserPSP := defaultPSP() failUserPSP := defaultPSP()
uid := int64(999) uid := int64(999)
badUID := int64(1) badUID := int64(1)
failUserPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{ failUserPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs, Rule: policy.RunAsUserStrategyMustRunAs,
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}}, Ranges: []policy.UserIDRange{{Min: uid, Max: uid}},
} }
failUserPod := defaultPod() failUserPod := defaultPod()
failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID
// fail selinux strategy // fail selinux strategy
failSELinuxPSP := defaultPSP() failSELinuxPSP := defaultPSP()
failSELinuxPSP.Spec.SELinux = extensions.SELinuxStrategyOptions{ failSELinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyMustRunAs, Rule: policy.SELinuxStrategyMustRunAs,
SELinuxOptions: &api.SELinuxOptions{ SELinuxOptions: &api.SELinuxOptions{
Level: "foo", Level: "foo",
}, },
...@@ -469,7 +469,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) { ...@@ -469,7 +469,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
errorCases := map[string]struct { errorCases := map[string]struct {
pod *api.Pod pod *api.Pod
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
expectedError string expectedError string
}{ }{
"failUserPSP": { "failUserPSP": {
...@@ -562,9 +562,9 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { ...@@ -562,9 +562,9 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
hostIPCPod.Spec.SecurityContext.HostIPC = true hostIPCPod.Spec.SecurityContext.HostIPC = true
supGroupPSP := defaultPSP() supGroupPSP := defaultPSP()
supGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{ supGroupPSP.Spec.SupplementalGroups = policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs, Rule: policy.SupplementalGroupsStrategyMustRunAs,
Ranges: []extensions.GroupIDRange{ Ranges: []policy.GroupIDRange{
{Min: 1, Max: 5}, {Min: 1, Max: 5},
}, },
} }
...@@ -572,9 +572,9 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { ...@@ -572,9 +572,9 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
supGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{3} supGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{3}
fsGroupPSP := defaultPSP() fsGroupPSP := defaultPSP()
fsGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{ fsGroupPSP.Spec.FSGroup = policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyMustRunAs, Rule: policy.FSGroupStrategyMustRunAs,
Ranges: []extensions.GroupIDRange{ Ranges: []policy.GroupIDRange{
{Min: 1, Max: 5}, {Min: 1, Max: 5},
}, },
} }
...@@ -590,7 +590,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { ...@@ -590,7 +590,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
Level: "level", Level: "level",
} }
seLinuxPSP := defaultPSP() seLinuxPSP := defaultPSP()
seLinuxPSP.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs seLinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
seLinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{ seLinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
User: "user", User: "user",
Role: "role", Role: "role",
...@@ -611,19 +611,19 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { ...@@ -611,19 +611,19 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
} }
hostPathDirPSP := defaultPSP() hostPathDirPSP := defaultPSP()
hostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath} hostPathDirPSP.Spec.Volumes = []policy.FSType{policy.HostPath}
hostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{ hostPathDirPSP.Spec.AllowedHostPaths = []policy.AllowedHostPath{
{PathPrefix: "/foo/bar"}, {PathPrefix: "/foo/bar"},
} }
hostPathDirAsterisksPSP := defaultPSP() hostPathDirAsterisksPSP := defaultPSP()
hostPathDirAsterisksPSP.Spec.Volumes = []extensions.FSType{extensions.All} hostPathDirAsterisksPSP.Spec.Volumes = []policy.FSType{policy.All}
hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{ hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []policy.AllowedHostPath{
{PathPrefix: "/foo/bar"}, {PathPrefix: "/foo/bar"},
} }
sysctlAllowFooPSP := defaultPSP() sysctlAllowFooPSP := defaultPSP()
sysctlAllowFooPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "foo" sysctlAllowFooPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "foo"
safeSysctlFooPod := defaultPod() safeSysctlFooPod := defaultPod()
safeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1" safeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1"
...@@ -655,7 +655,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { ...@@ -655,7 +655,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
successCases := map[string]struct { successCases := map[string]struct {
pod *api.Pod pod *api.Pod
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
}{ }{
"pass hostNetwork validating PSP": { "pass hostNetwork validating PSP": {
pod: hostNetworkPod, pod: hostNetworkPod,
...@@ -744,17 +744,17 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) { ...@@ -744,17 +744,17 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
// success user strategy // success user strategy
userPSP := defaultPSP() userPSP := defaultPSP()
uid := int64(999) uid := int64(999)
userPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{ userPSP.Spec.RunAsUser = policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs, Rule: policy.RunAsUserStrategyMustRunAs,
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}}, Ranges: []policy.UserIDRange{{Min: uid, Max: uid}},
} }
userPod := defaultPod() userPod := defaultPod()
userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid
// success selinux strategy // success selinux strategy
seLinuxPSP := defaultPSP() seLinuxPSP := defaultPSP()
seLinuxPSP.Spec.SELinux = extensions.SELinuxStrategyOptions{ seLinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyMustRunAs, Rule: policy.SELinuxStrategyMustRunAs,
SELinuxOptions: &api.SELinuxOptions{ SELinuxOptions: &api.SELinuxOptions{
Level: "foo", Level: "foo",
}, },
...@@ -795,7 +795,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) { ...@@ -795,7 +795,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
} }
hostDirPSP := defaultPSP() hostDirPSP := defaultPSP()
hostDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath} hostDirPSP.Spec.Volumes = []policy.FSType{policy.HostPath}
hostDirPod := defaultPod() hostDirPod := defaultPod()
hostDirPod.Spec.Volumes = []api.Volume{ hostDirPod.Spec.Volumes = []api.Volume{
{ {
...@@ -807,7 +807,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) { ...@@ -807,7 +807,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
} }
hostPortPSP := defaultPSP() hostPortPSP := defaultPSP()
hostPortPSP.Spec.HostPorts = []extensions.HostPortRange{{Min: 1, Max: 1}} hostPortPSP.Spec.HostPorts = []policy.HostPortRange{{Min: 1, Max: 1}}
hostPortPod := defaultPod() hostPortPod := defaultPod()
hostPortPod.Spec.Containers[0].Ports = []api.ContainerPort{{HostPort: 1}} hostPortPod.Spec.Containers[0].Ports = []api.ContainerPort{{HostPort: 1}}
...@@ -836,7 +836,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) { ...@@ -836,7 +836,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
successCases := map[string]struct { successCases := map[string]struct {
pod *api.Pod pod *api.Pod
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
}{ }{
"pass user must run as PSP": { "pass user must run as PSP": {
pod: userPod, pod: userPod,
...@@ -922,7 +922,7 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) { ...@@ -922,7 +922,7 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
pod *api.Pod pod *api.Pod
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
expected *bool expected *bool
}{ }{
"false psp, nil sc": { "false psp, nil sc": {
...@@ -985,24 +985,24 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) { ...@@ -985,24 +985,24 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) {
} }
} }
func defaultPSP() *extensions.PodSecurityPolicy { func defaultPSP() *policy.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{ return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "psp-sa", Name: "psp-sa",
Annotations: map[string]string{}, Annotations: map[string]string{},
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny, Rule: policy.RunAsUserStrategyRunAsAny,
}, },
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny, Rule: policy.FSGroupStrategyRunAsAny,
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny, Rule: policy.SupplementalGroupsStrategyRunAsAny,
}, },
AllowPrivilegeEscalation: true, AllowPrivilegeEscalation: true,
}, },
...@@ -1104,14 +1104,14 @@ func TestValidateAllowedVolumes(t *testing.T) { ...@@ -1104,14 +1104,14 @@ func TestValidateAllowedVolumes(t *testing.T) {
} }
// now add the fstype directly to the psp and it should validate // now add the fstype directly to the psp and it should validate
psp.Spec.Volumes = []extensions.FSType{fsType} psp.Spec.Volumes = []policy.FSType{fsType}
errs = provider.ValidatePod(pod, field.NewPath("")) errs = provider.ValidatePod(pod, field.NewPath(""))
if len(errs) != 0 { if len(errs) != 0 {
t.Errorf("directly allowing volume expected no errors for %s but got %v", fieldVal.Name, errs) t.Errorf("directly allowing volume expected no errors for %s but got %v", fieldVal.Name, errs)
} }
// now change the psp to allow any volumes and the pod should still validate // now change the psp to allow any volumes and the pod should still validate
psp.Spec.Volumes = []extensions.FSType{extensions.All} psp.Spec.Volumes = []policy.FSType{policy.All}
errs = provider.ValidatePod(pod, field.NewPath("")) errs = provider.ValidatePod(pod, field.NewPath(""))
if len(errs) != 0 { if len(errs) != 0 {
t.Errorf("wildcard volume expected no errors for %s but got %v", fieldVal.Name, errs) t.Errorf("wildcard volume expected no errors for %s but got %v", fieldVal.Name, errs)
......
...@@ -17,7 +17,7 @@ go_library( ...@@ -17,7 +17,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux", importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux",
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
], ],
...@@ -32,7 +32,7 @@ go_test( ...@@ -32,7 +32,7 @@ go_test(
embed = [":go_default_library"], embed = [":go_default_library"],
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
], ],
) )
......
...@@ -23,17 +23,17 @@ import ( ...@@ -23,17 +23,17 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
) )
type mustRunAs struct { type mustRunAs struct {
opts *extensions.SELinuxStrategyOptions opts *policy.SELinuxStrategyOptions
} }
var _ SELinuxStrategy = &mustRunAs{} var _ SELinuxStrategy = &mustRunAs{}
func NewMustRunAs(options *extensions.SELinuxStrategyOptions) (SELinuxStrategy, error) { func NewMustRunAs(options *policy.SELinuxStrategyOptions) (SELinuxStrategy, error) {
if options == nil { if options == nil {
return nil, fmt.Errorf("MustRunAs requires SELinuxContextStrategyOptions") return nil, fmt.Errorf("MustRunAs requires SELinuxContextStrategyOptions")
} }
......
...@@ -18,7 +18,7 @@ package selinux ...@@ -18,7 +18,7 @@ package selinux
import ( import (
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"reflect" "reflect"
"strings" "strings"
"testing" "testing"
...@@ -26,7 +26,7 @@ import ( ...@@ -26,7 +26,7 @@ import (
func TestMustRunAsOptions(t *testing.T) { func TestMustRunAsOptions(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
opts *extensions.SELinuxStrategyOptions opts *policy.SELinuxStrategyOptions
pass bool pass bool
}{ }{
"nil opts": { "nil opts": {
...@@ -34,11 +34,11 @@ func TestMustRunAsOptions(t *testing.T) { ...@@ -34,11 +34,11 @@ func TestMustRunAsOptions(t *testing.T) {
pass: false, pass: false,
}, },
"invalid opts": { "invalid opts": {
opts: &extensions.SELinuxStrategyOptions{}, opts: &policy.SELinuxStrategyOptions{},
pass: false, pass: false,
}, },
"valid opts": { "valid opts": {
opts: &extensions.SELinuxStrategyOptions{SELinuxOptions: &api.SELinuxOptions{}}, opts: &policy.SELinuxStrategyOptions{SELinuxOptions: &api.SELinuxOptions{}},
pass: true, pass: true,
}, },
} }
...@@ -54,7 +54,7 @@ func TestMustRunAsOptions(t *testing.T) { ...@@ -54,7 +54,7 @@ func TestMustRunAsOptions(t *testing.T) {
} }
func TestMustRunAsGenerate(t *testing.T) { func TestMustRunAsGenerate(t *testing.T) {
opts := &extensions.SELinuxStrategyOptions{ opts := &policy.SELinuxStrategyOptions{
SELinuxOptions: &api.SELinuxOptions{ SELinuxOptions: &api.SELinuxOptions{
User: "user", User: "user",
Role: "role", Role: "role",
...@@ -145,7 +145,7 @@ func TestMustRunAsValidate(t *testing.T) { ...@@ -145,7 +145,7 @@ func TestMustRunAsValidate(t *testing.T) {
} }
for name, tc := range tests { for name, tc := range tests {
opts := &extensions.SELinuxStrategyOptions{ opts := &policy.SELinuxStrategyOptions{
SELinuxOptions: tc.pspSeLinux, SELinuxOptions: tc.pspSeLinux,
} }
mustRunAs, err := NewMustRunAs(opts) mustRunAs, err := NewMustRunAs(opts)
......
...@@ -19,7 +19,7 @@ package selinux ...@@ -19,7 +19,7 @@ package selinux
import ( import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
) )
// runAsAny implements the SELinuxStrategy interface. // runAsAny implements the SELinuxStrategy interface.
...@@ -28,7 +28,7 @@ type runAsAny struct{} ...@@ -28,7 +28,7 @@ type runAsAny struct{}
var _ SELinuxStrategy = &runAsAny{} var _ SELinuxStrategy = &runAsAny{}
// NewRunAsAny provides a strategy that will return the configured se linux context or nil. // NewRunAsAny provides a strategy that will return the configured se linux context or nil.
func NewRunAsAny(options *extensions.SELinuxStrategyOptions) (SELinuxStrategy, error) { func NewRunAsAny(options *policy.SELinuxStrategyOptions) (SELinuxStrategy, error) {
return &runAsAny{}, nil return &runAsAny{}, nil
} }
......
...@@ -18,7 +18,7 @@ package selinux ...@@ -18,7 +18,7 @@ package selinux
import ( import (
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"testing" "testing"
) )
...@@ -27,14 +27,14 @@ func TestRunAsAnyOptions(t *testing.T) { ...@@ -27,14 +27,14 @@ func TestRunAsAnyOptions(t *testing.T) {
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewRunAsAny %v", err) t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
} }
_, err = NewRunAsAny(&extensions.SELinuxStrategyOptions{}) _, err = NewRunAsAny(&policy.SELinuxStrategyOptions{})
if err != nil { if err != nil {
t.Errorf("unexpected error initializing NewRunAsAny %v", err) t.Errorf("unexpected error initializing NewRunAsAny %v", err)
} }
} }
func TestRunAsAnyGenerate(t *testing.T) { func TestRunAsAnyGenerate(t *testing.T) {
s, err := NewRunAsAny(&extensions.SELinuxStrategyOptions{}) s, err := NewRunAsAny(&policy.SELinuxStrategyOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewRunAsAny %v", err) t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
} }
...@@ -48,7 +48,7 @@ func TestRunAsAnyGenerate(t *testing.T) { ...@@ -48,7 +48,7 @@ func TestRunAsAnyGenerate(t *testing.T) {
} }
func TestRunAsAnyValidate(t *testing.T) { func TestRunAsAnyValidate(t *testing.T) {
s, err := NewRunAsAny(&extensions.SELinuxStrategyOptions{ s, err := NewRunAsAny(&policy.SELinuxStrategyOptions{
SELinuxOptions: &api.SELinuxOptions{ SELinuxOptions: &api.SELinuxOptions{
Level: "foo", Level: "foo",
}, },
...@@ -61,7 +61,7 @@ func TestRunAsAnyValidate(t *testing.T) { ...@@ -61,7 +61,7 @@ func TestRunAsAnyValidate(t *testing.T) {
if len(errs) != 0 { if len(errs) != 0 {
t.Errorf("unexpected errors validating with ") t.Errorf("unexpected errors validating with ")
} }
s, err = NewRunAsAny(&extensions.SELinuxStrategyOptions{}) s, err = NewRunAsAny(&policy.SELinuxStrategyOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewRunAsAny %v", err) t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
} }
......
...@@ -19,7 +19,7 @@ package podsecuritypolicy ...@@ -19,7 +19,7 @@ package podsecuritypolicy
import ( import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
...@@ -54,7 +54,7 @@ type Provider interface { ...@@ -54,7 +54,7 @@ type Provider interface {
type StrategyFactory interface { type StrategyFactory interface {
// CreateStrategies creates the strategies that a provider will use. The namespace argument // CreateStrategies creates the strategies that a provider will use. The namespace argument
// should be the namespace of the object being checked (the pod's namespace). // should be the namespace of the object being checked (the pod's namespace).
CreateStrategies(psp *extensions.PodSecurityPolicy, namespace string) (*ProviderStrategies, error) CreateStrategies(psp *policy.PodSecurityPolicy, namespace string) (*ProviderStrategies, error)
} }
// ProviderStrategies is a holder for all strategies that the provider requires to be populated. // ProviderStrategies is a holder for all strategies that the provider requires to be populated.
......
...@@ -18,7 +18,7 @@ go_library( ...@@ -18,7 +18,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/user", importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/user",
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
], ],
...@@ -34,7 +34,7 @@ go_test( ...@@ -34,7 +34,7 @@ go_test(
embed = [":go_default_library"], embed = [":go_default_library"],
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
], ],
) )
......
...@@ -21,17 +21,17 @@ import ( ...@@ -21,17 +21,17 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
) )
// mustRunAs implements the RunAsUserStrategy interface // mustRunAs implements the RunAsUserStrategy interface
type mustRunAs struct { type mustRunAs struct {
opts *extensions.RunAsUserStrategyOptions opts *policy.RunAsUserStrategyOptions
} }
// NewMustRunAs provides a strategy that requires the container to run as a specific UID in a range. // NewMustRunAs provides a strategy that requires the container to run as a specific UID in a range.
func NewMustRunAs(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrategy, error) { func NewMustRunAs(options *policy.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
if options == nil { if options == nil {
return nil, fmt.Errorf("MustRunAs requires run as user options") return nil, fmt.Errorf("MustRunAs requires run as user options")
} }
......
...@@ -18,14 +18,14 @@ package user ...@@ -18,14 +18,14 @@ package user
import ( import (
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"strings" "strings"
"testing" "testing"
) )
func TestNewMustRunAs(t *testing.T) { func TestNewMustRunAs(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
opts *extensions.RunAsUserStrategyOptions opts *policy.RunAsUserStrategyOptions
pass bool pass bool
}{ }{
"nil opts": { "nil opts": {
...@@ -33,12 +33,12 @@ func TestNewMustRunAs(t *testing.T) { ...@@ -33,12 +33,12 @@ func TestNewMustRunAs(t *testing.T) {
pass: false, pass: false,
}, },
"invalid opts": { "invalid opts": {
opts: &extensions.RunAsUserStrategyOptions{}, opts: &policy.RunAsUserStrategyOptions{},
pass: false, pass: false,
}, },
"valid opts": { "valid opts": {
opts: &extensions.RunAsUserStrategyOptions{ opts: &policy.RunAsUserStrategyOptions{
Ranges: []extensions.UserIDRange{ Ranges: []policy.UserIDRange{
{Min: 1, Max: 1}, {Min: 1, Max: 1},
}, },
}, },
...@@ -57,8 +57,8 @@ func TestNewMustRunAs(t *testing.T) { ...@@ -57,8 +57,8 @@ func TestNewMustRunAs(t *testing.T) {
} }
func TestGenerate(t *testing.T) { func TestGenerate(t *testing.T) {
opts := &extensions.RunAsUserStrategyOptions{ opts := &policy.RunAsUserStrategyOptions{
Ranges: []extensions.UserIDRange{ Ranges: []policy.UserIDRange{
{Min: 1, Max: 1}, {Min: 1, Max: 1},
}, },
} }
...@@ -76,8 +76,8 @@ func TestGenerate(t *testing.T) { ...@@ -76,8 +76,8 @@ func TestGenerate(t *testing.T) {
} }
func TestValidate(t *testing.T) { func TestValidate(t *testing.T) {
opts := &extensions.RunAsUserStrategyOptions{ opts := &policy.RunAsUserStrategyOptions{
Ranges: []extensions.UserIDRange{ Ranges: []policy.UserIDRange{
{Min: 1, Max: 1}, {Min: 1, Max: 1},
{Min: 10, Max: 20}, {Min: 10, Max: 20},
}, },
......
...@@ -19,14 +19,14 @@ package user ...@@ -19,14 +19,14 @@ package user
import ( import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
) )
type nonRoot struct{} type nonRoot struct{}
var _ RunAsUserStrategy = &nonRoot{} var _ RunAsUserStrategy = &nonRoot{}
func NewRunAsNonRoot(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrategy, error) { func NewRunAsNonRoot(options *policy.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
return &nonRoot{}, nil return &nonRoot{}, nil
} }
......
...@@ -18,7 +18,7 @@ package user ...@@ -18,7 +18,7 @@ package user
import ( import (
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"testing" "testing"
) )
...@@ -27,14 +27,14 @@ func TestNonRootOptions(t *testing.T) { ...@@ -27,14 +27,14 @@ func TestNonRootOptions(t *testing.T) {
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err) t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err)
} }
_, err = NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{}) _, err = NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
if err != nil { if err != nil {
t.Errorf("unexpected error initializing NewRunAsNonRoot %v", err) t.Errorf("unexpected error initializing NewRunAsNonRoot %v", err)
} }
} }
func TestNonRootGenerate(t *testing.T) { func TestNonRootGenerate(t *testing.T) {
s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{}) s, err := NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err) t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err)
} }
...@@ -52,7 +52,7 @@ func TestNonRootValidate(t *testing.T) { ...@@ -52,7 +52,7 @@ func TestNonRootValidate(t *testing.T) {
badUID := int64(0) badUID := int64(0)
untrue := false untrue := false
unfalse := true unfalse := true
s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{}) s, err := NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewMustRunAs %v", err) t.Fatalf("unexpected error initializing NewMustRunAs %v", err)
} }
......
...@@ -19,7 +19,7 @@ package user ...@@ -19,7 +19,7 @@ package user
import ( import (
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
) )
// runAsAny implements the interface RunAsUserStrategy. // runAsAny implements the interface RunAsUserStrategy.
...@@ -28,7 +28,7 @@ type runAsAny struct{} ...@@ -28,7 +28,7 @@ type runAsAny struct{}
var _ RunAsUserStrategy = &runAsAny{} var _ RunAsUserStrategy = &runAsAny{}
// NewRunAsAny provides a strategy that will return nil. // NewRunAsAny provides a strategy that will return nil.
func NewRunAsAny(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrategy, error) { func NewRunAsAny(options *policy.RunAsUserStrategyOptions) (RunAsUserStrategy, error) {
return &runAsAny{}, nil return &runAsAny{}, nil
} }
......
...@@ -19,7 +19,7 @@ package user ...@@ -19,7 +19,7 @@ package user
import ( import (
"testing" "testing"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
) )
func TestRunAsAnyOptions(t *testing.T) { func TestRunAsAnyOptions(t *testing.T) {
...@@ -27,14 +27,14 @@ func TestRunAsAnyOptions(t *testing.T) { ...@@ -27,14 +27,14 @@ func TestRunAsAnyOptions(t *testing.T) {
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewRunAsAny %v", err) t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
} }
_, err = NewRunAsAny(&extensions.RunAsUserStrategyOptions{}) _, err = NewRunAsAny(&policy.RunAsUserStrategyOptions{})
if err != nil { if err != nil {
t.Errorf("unexpected error initializing NewRunAsAny %v", err) t.Errorf("unexpected error initializing NewRunAsAny %v", err)
} }
} }
func TestRunAsAnyGenerate(t *testing.T) { func TestRunAsAnyGenerate(t *testing.T) {
s, err := NewRunAsAny(&extensions.RunAsUserStrategyOptions{}) s, err := NewRunAsAny(&policy.RunAsUserStrategyOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewRunAsAny %v", err) t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
} }
...@@ -48,7 +48,7 @@ func TestRunAsAnyGenerate(t *testing.T) { ...@@ -48,7 +48,7 @@ func TestRunAsAnyGenerate(t *testing.T) {
} }
func TestRunAsAnyValidate(t *testing.T) { func TestRunAsAnyValidate(t *testing.T) {
s, err := NewRunAsAny(&extensions.RunAsUserStrategyOptions{}) s, err := NewRunAsAny(&policy.RunAsUserStrategyOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error initializing NewRunAsAny %v", err) t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
} }
......
...@@ -15,7 +15,7 @@ go_library( ...@@ -15,7 +15,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util", importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util",
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
], ],
) )
...@@ -26,7 +26,7 @@ go_test( ...@@ -26,7 +26,7 @@ go_test(
embed = [":go_default_library"], embed = [":go_default_library"],
deps = [ deps = [
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/extensions:go_default_library", "//pkg/apis/policy:go_default_library",
], ],
) )
......
...@@ -22,7 +22,7 @@ import ( ...@@ -22,7 +22,7 @@ import (
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
) )
const ( const (
...@@ -40,102 +40,102 @@ func GetAllFSTypesExcept(exceptions ...string) sets.String { ...@@ -40,102 +40,102 @@ func GetAllFSTypesExcept(exceptions ...string) sets.String {
func GetAllFSTypesAsSet() sets.String { func GetAllFSTypesAsSet() sets.String {
fstypes := sets.NewString() fstypes := sets.NewString()
fstypes.Insert( fstypes.Insert(
string(extensions.HostPath), string(policy.HostPath),
string(extensions.AzureFile), string(policy.AzureFile),
string(extensions.Flocker), string(policy.Flocker),
string(extensions.FlexVolume), string(policy.FlexVolume),
string(extensions.EmptyDir), string(policy.EmptyDir),
string(extensions.GCEPersistentDisk), string(policy.GCEPersistentDisk),
string(extensions.AWSElasticBlockStore), string(policy.AWSElasticBlockStore),
string(extensions.GitRepo), string(policy.GitRepo),
string(extensions.Secret), string(policy.Secret),
string(extensions.NFS), string(policy.NFS),
string(extensions.ISCSI), string(policy.ISCSI),
string(extensions.Glusterfs), string(policy.Glusterfs),
string(extensions.PersistentVolumeClaim), string(policy.PersistentVolumeClaim),
string(extensions.RBD), string(policy.RBD),
string(extensions.Cinder), string(policy.Cinder),
string(extensions.CephFS), string(policy.CephFS),
string(extensions.DownwardAPI), string(policy.DownwardAPI),
string(extensions.FC), string(policy.FC),
string(extensions.ConfigMap), string(policy.ConfigMap),
string(extensions.VsphereVolume), string(policy.VsphereVolume),
string(extensions.Quobyte), string(policy.Quobyte),
string(extensions.AzureDisk), string(policy.AzureDisk),
string(extensions.PhotonPersistentDisk), string(policy.PhotonPersistentDisk),
string(extensions.StorageOS), string(policy.StorageOS),
string(extensions.Projected), string(policy.Projected),
string(extensions.PortworxVolume), string(policy.PortworxVolume),
string(extensions.ScaleIO), string(policy.ScaleIO),
string(extensions.CSI), string(policy.CSI),
) )
return fstypes return fstypes
} }
// getVolumeFSType gets the FSType for a volume. // getVolumeFSType gets the FSType for a volume.
func GetVolumeFSType(v api.Volume) (extensions.FSType, error) { func GetVolumeFSType(v api.Volume) (policy.FSType, error) {
switch { switch {
case v.HostPath != nil: case v.HostPath != nil:
return extensions.HostPath, nil return policy.HostPath, nil
case v.EmptyDir != nil: case v.EmptyDir != nil:
return extensions.EmptyDir, nil return policy.EmptyDir, nil
case v.GCEPersistentDisk != nil: case v.GCEPersistentDisk != nil:
return extensions.GCEPersistentDisk, nil return policy.GCEPersistentDisk, nil
case v.AWSElasticBlockStore != nil: case v.AWSElasticBlockStore != nil:
return extensions.AWSElasticBlockStore, nil return policy.AWSElasticBlockStore, nil
case v.GitRepo != nil: case v.GitRepo != nil:
return extensions.GitRepo, nil return policy.GitRepo, nil
case v.Secret != nil: case v.Secret != nil:
return extensions.Secret, nil return policy.Secret, nil
case v.NFS != nil: case v.NFS != nil:
return extensions.NFS, nil return policy.NFS, nil
case v.ISCSI != nil: case v.ISCSI != nil:
return extensions.ISCSI, nil return policy.ISCSI, nil
case v.Glusterfs != nil: case v.Glusterfs != nil:
return extensions.Glusterfs, nil return policy.Glusterfs, nil
case v.PersistentVolumeClaim != nil: case v.PersistentVolumeClaim != nil:
return extensions.PersistentVolumeClaim, nil return policy.PersistentVolumeClaim, nil
case v.RBD != nil: case v.RBD != nil:
return extensions.RBD, nil return policy.RBD, nil
case v.FlexVolume != nil: case v.FlexVolume != nil:
return extensions.FlexVolume, nil return policy.FlexVolume, nil
case v.Cinder != nil: case v.Cinder != nil:
return extensions.Cinder, nil return policy.Cinder, nil
case v.CephFS != nil: case v.CephFS != nil:
return extensions.CephFS, nil return policy.CephFS, nil
case v.Flocker != nil: case v.Flocker != nil:
return extensions.Flocker, nil return policy.Flocker, nil
case v.DownwardAPI != nil: case v.DownwardAPI != nil:
return extensions.DownwardAPI, nil return policy.DownwardAPI, nil
case v.FC != nil: case v.FC != nil:
return extensions.FC, nil return policy.FC, nil
case v.AzureFile != nil: case v.AzureFile != nil:
return extensions.AzureFile, nil return policy.AzureFile, nil
case v.ConfigMap != nil: case v.ConfigMap != nil:
return extensions.ConfigMap, nil return policy.ConfigMap, nil
case v.VsphereVolume != nil: case v.VsphereVolume != nil:
return extensions.VsphereVolume, nil return policy.VsphereVolume, nil
case v.Quobyte != nil: case v.Quobyte != nil:
return extensions.Quobyte, nil return policy.Quobyte, nil
case v.AzureDisk != nil: case v.AzureDisk != nil:
return extensions.AzureDisk, nil return policy.AzureDisk, nil
case v.PhotonPersistentDisk != nil: case v.PhotonPersistentDisk != nil:
return extensions.PhotonPersistentDisk, nil return policy.PhotonPersistentDisk, nil
case v.StorageOS != nil: case v.StorageOS != nil:
return extensions.StorageOS, nil return policy.StorageOS, nil
case v.Projected != nil: case v.Projected != nil:
return extensions.Projected, nil return policy.Projected, nil
case v.PortworxVolume != nil: case v.PortworxVolume != nil:
return extensions.PortworxVolume, nil return policy.PortworxVolume, nil
case v.ScaleIO != nil: case v.ScaleIO != nil:
return extensions.ScaleIO, nil return policy.ScaleIO, nil
} }
return "", fmt.Errorf("unknown volume type for volume: %#v", v) return "", fmt.Errorf("unknown volume type for volume: %#v", v)
} }
// FSTypeToStringSet converts an FSType slice to a string set. // FSTypeToStringSet converts an FSType slice to a string set.
func FSTypeToStringSet(fsTypes []extensions.FSType) sets.String { func FSTypeToStringSet(fsTypes []policy.FSType) sets.String {
set := sets.NewString() set := sets.NewString()
for _, v := range fsTypes { for _, v := range fsTypes {
set.Insert(string(v)) set.Insert(string(v))
...@@ -144,19 +144,19 @@ func FSTypeToStringSet(fsTypes []extensions.FSType) sets.String { ...@@ -144,19 +144,19 @@ func FSTypeToStringSet(fsTypes []extensions.FSType) sets.String {
} }
// PSPAllowsAllVolumes checks for FSTypeAll in the psp's allowed volumes. // PSPAllowsAllVolumes checks for FSTypeAll in the psp's allowed volumes.
func PSPAllowsAllVolumes(psp *extensions.PodSecurityPolicy) bool { func PSPAllowsAllVolumes(psp *policy.PodSecurityPolicy) bool {
return PSPAllowsFSType(psp, extensions.All) return PSPAllowsFSType(psp, policy.All)
} }
// PSPAllowsFSType is a utility for checking if a PSP allows a particular FSType. // PSPAllowsFSType is a utility for checking if a PSP allows a particular FSType.
// If all volumes are allowed then this will return true for any FSType passed. // If all volumes are allowed then this will return true for any FSType passed.
func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType) bool { func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool {
if psp == nil { if psp == nil {
return false return false
} }
for _, v := range psp.Spec.Volumes { for _, v := range psp.Spec.Volumes {
if v == fsType || v == extensions.All { if v == fsType || v == policy.All {
return true return true
} }
} }
...@@ -164,18 +164,18 @@ func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType ...@@ -164,18 +164,18 @@ func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType
} }
// UserFallsInRange is a utility to determine it the id falls in the valid range. // UserFallsInRange is a utility to determine it the id falls in the valid range.
func UserFallsInRange(id int64, rng extensions.UserIDRange) bool { func UserFallsInRange(id int64, rng policy.UserIDRange) bool {
return id >= rng.Min && id <= rng.Max return id >= rng.Min && id <= rng.Max
} }
// GroupFallsInRange is a utility to determine it the id falls in the valid range. // GroupFallsInRange is a utility to determine it the id falls in the valid range.
func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool { func GroupFallsInRange(id int64, rng policy.GroupIDRange) bool {
return id >= rng.Min && id <= rng.Max return id >= rng.Min && id <= rng.Max
} }
// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path. // AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
// This only checks the path. You should still check to make sure the host volume fs type is allowed. // This only checks the path. You should still check to make sure the host volume fs type is allowed.
func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool { func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) bool {
if psp == nil { if psp == nil {
return false return false
} }
......
...@@ -18,7 +18,7 @@ package util ...@@ -18,7 +18,7 @@ package util
import ( import (
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/policy"
"reflect" "reflect"
"testing" "testing"
) )
...@@ -52,45 +52,45 @@ func TestVolumeSourceFSTypeDrift(t *testing.T) { ...@@ -52,45 +52,45 @@ func TestVolumeSourceFSTypeDrift(t *testing.T) {
func TestPSPAllowsFSType(t *testing.T) { func TestPSPAllowsFSType(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
fsType extensions.FSType fsType policy.FSType
allows bool allows bool
}{ }{
"nil psp": { "nil psp": {
psp: nil, psp: nil,
fsType: extensions.HostPath, fsType: policy.HostPath,
allows: false, allows: false,
}, },
"empty volumes": { "empty volumes": {
psp: &extensions.PodSecurityPolicy{}, psp: &policy.PodSecurityPolicy{},
fsType: extensions.HostPath, fsType: policy.HostPath,
allows: false, allows: false,
}, },
"non-matching": { "non-matching": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
Volumes: []extensions.FSType{extensions.AWSElasticBlockStore}, Volumes: []policy.FSType{policy.AWSElasticBlockStore},
}, },
}, },
fsType: extensions.HostPath, fsType: policy.HostPath,
allows: false, allows: false,
}, },
"match on FSTypeAll": { "match on FSTypeAll": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
Volumes: []extensions.FSType{extensions.All}, Volumes: []policy.FSType{policy.All},
}, },
}, },
fsType: extensions.HostPath, fsType: policy.HostPath,
allows: true, allows: true,
}, },
"match on direct match": { "match on direct match": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
Volumes: []extensions.FSType{extensions.HostPath}, Volumes: []policy.FSType{policy.HostPath},
}, },
}, },
fsType: extensions.HostPath, fsType: policy.HostPath,
allows: true, allows: true,
}, },
} }
...@@ -105,7 +105,7 @@ func TestPSPAllowsFSType(t *testing.T) { ...@@ -105,7 +105,7 @@ func TestPSPAllowsFSType(t *testing.T) {
func TestAllowsHostVolumePath(t *testing.T) { func TestAllowsHostVolumePath(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
path string path string
allows bool allows bool
}{ }{
...@@ -115,14 +115,14 @@ func TestAllowsHostVolumePath(t *testing.T) { ...@@ -115,14 +115,14 @@ func TestAllowsHostVolumePath(t *testing.T) {
allows: false, allows: false,
}, },
"empty allowed paths": { "empty allowed paths": {
psp: &extensions.PodSecurityPolicy{}, psp: &policy.PodSecurityPolicy{},
path: "/test", path: "/test",
allows: true, allows: true,
}, },
"non-matching": { "non-matching": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{ AllowedHostPaths: []policy.AllowedHostPath{
{PathPrefix: "/foo"}, {PathPrefix: "/foo"},
}, },
}, },
...@@ -131,9 +131,9 @@ func TestAllowsHostVolumePath(t *testing.T) { ...@@ -131,9 +131,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
allows: false, allows: false,
}, },
"match on direct match": { "match on direct match": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{ AllowedHostPaths: []policy.AllowedHostPath{
{PathPrefix: "/foo"}, {PathPrefix: "/foo"},
}, },
}, },
...@@ -142,9 +142,9 @@ func TestAllowsHostVolumePath(t *testing.T) { ...@@ -142,9 +142,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
allows: true, allows: true,
}, },
"match with trailing slash on host path": { "match with trailing slash on host path": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{ AllowedHostPaths: []policy.AllowedHostPath{
{PathPrefix: "/foo"}, {PathPrefix: "/foo"},
}, },
}, },
...@@ -153,9 +153,9 @@ func TestAllowsHostVolumePath(t *testing.T) { ...@@ -153,9 +153,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
allows: true, allows: true,
}, },
"match with trailing slash on allowed path": { "match with trailing slash on allowed path": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{ AllowedHostPaths: []policy.AllowedHostPath{
{PathPrefix: "/foo/"}, {PathPrefix: "/foo/"},
}, },
}, },
...@@ -164,9 +164,9 @@ func TestAllowsHostVolumePath(t *testing.T) { ...@@ -164,9 +164,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
allows: true, allows: true,
}, },
"match child directory": { "match child directory": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{ AllowedHostPaths: []policy.AllowedHostPath{
{PathPrefix: "/foo/"}, {PathPrefix: "/foo/"},
}, },
}, },
...@@ -175,9 +175,9 @@ func TestAllowsHostVolumePath(t *testing.T) { ...@@ -175,9 +175,9 @@ func TestAllowsHostVolumePath(t *testing.T) {
allows: true, allows: true,
}, },
"non-matching parent directory": { "non-matching parent directory": {
psp: &extensions.PodSecurityPolicy{ psp: &policy.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{ AllowedHostPaths: []policy.AllowedHostPath{
{PathPrefix: "/foo/bar"}, {PathPrefix: "/foo/bar"},
}, },
}, },
......
...@@ -15,7 +15,7 @@ go_library( ...@@ -15,7 +15,7 @@ go_library(
"//pkg/apis/extensions:go_default_library", "//pkg/apis/extensions:go_default_library",
"//pkg/apis/policy:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library", "//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/client/listers/extensions/internalversion:go_default_library", "//pkg/client/listers/policy/internalversion:go_default_library",
"//pkg/kubeapiserver/admission:go_default_library", "//pkg/kubeapiserver/admission:go_default_library",
"//pkg/registry/rbac:go_default_library", "//pkg/registry/rbac:go_default_library",
"//pkg/security/podsecuritypolicy:go_default_library", "//pkg/security/podsecuritypolicy:go_default_library",
...@@ -40,7 +40,6 @@ go_test( ...@@ -40,7 +40,6 @@ go_test(
"//pkg/api/legacyscheme:go_default_library", "//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/core/helper:go_default_library", "//pkg/apis/core/helper:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//pkg/apis/policy:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library", "//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/controller:go_default_library", "//pkg/controller:go_default_library",
......
...@@ -35,7 +35,7 @@ import ( ...@@ -35,7 +35,7 @@ import (
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/apis/policy"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
extensionslisters "k8s.io/kubernetes/pkg/client/listers/extensions/internalversion" policylisters "k8s.io/kubernetes/pkg/client/listers/policy/internalversion"
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
rbacregistry "k8s.io/kubernetes/pkg/registry/rbac" rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
psp "k8s.io/kubernetes/pkg/security/podsecuritypolicy" psp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
...@@ -61,7 +61,7 @@ type PodSecurityPolicyPlugin struct { ...@@ -61,7 +61,7 @@ type PodSecurityPolicyPlugin struct {
strategyFactory psp.StrategyFactory strategyFactory psp.StrategyFactory
failOnNoPolicies bool failOnNoPolicies bool
authz authorizer.Authorizer authz authorizer.Authorizer
lister extensionslisters.PodSecurityPolicyLister lister policylisters.PodSecurityPolicyLister
} }
// SetAuthorizer sets the authorizer. // SetAuthorizer sets the authorizer.
...@@ -95,7 +95,7 @@ func newPlugin(strategyFactory psp.StrategyFactory, failOnNoPolicies bool) *PodS ...@@ -95,7 +95,7 @@ func newPlugin(strategyFactory psp.StrategyFactory, failOnNoPolicies bool) *PodS
} }
func (a *PodSecurityPolicyPlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) { func (a *PodSecurityPolicyPlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) {
podSecurityPolicyInformer := f.Extensions().InternalVersion().PodSecurityPolicies() podSecurityPolicyInformer := f.Policy().InternalVersion().PodSecurityPolicies()
a.lister = podSecurityPolicyInformer.Lister() a.lister = podSecurityPolicyInformer.Lister()
a.SetReadyFunc(podSecurityPolicyInformer.Informer().HasSynced) a.SetReadyFunc(podSecurityPolicyInformer.Informer().HasSynced)
} }
...@@ -329,7 +329,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P ...@@ -329,7 +329,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
} }
// createProvidersFromPolicies creates providers from the constraints supplied. // createProvidersFromPolicies creates providers from the constraints supplied.
func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*extensions.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) { func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*policy.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
var ( var (
// collected providers // collected providers
providers []psp.Provider providers []psp.Provider
......
...@@ -36,7 +36,6 @@ import ( ...@@ -36,7 +36,6 @@ import (
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
kapi "k8s.io/kubernetes/pkg/apis/core" kapi "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/core/helper" "k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/apis/policy"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
"k8s.io/kubernetes/pkg/controller" "k8s.io/kubernetes/pkg/controller"
...@@ -50,13 +49,13 @@ import ( ...@@ -50,13 +49,13 @@ import (
const defaultContainerName = "test-c" const defaultContainerName = "test-c"
// NewTestAdmission provides an admission plugin with test implementations of internal structs. // NewTestAdmission provides an admission plugin with test implementations of internal structs.
func NewTestAdmission(psps []*extensions.PodSecurityPolicy, authz authorizer.Authorizer) *PodSecurityPolicyPlugin { func NewTestAdmission(psps []*policy.PodSecurityPolicy, authz authorizer.Authorizer) *PodSecurityPolicyPlugin {
informerFactory := informers.NewSharedInformerFactory(nil, controller.NoResyncPeriodFunc()) informerFactory := informers.NewSharedInformerFactory(nil, controller.NoResyncPeriodFunc())
store := informerFactory.Extensions().InternalVersion().PodSecurityPolicies().Informer().GetStore() store := informerFactory.Policy().InternalVersion().PodSecurityPolicies().Informer().GetStore()
for _, psp := range psps { for _, psp := range psps {
store.Add(psp) store.Add(psp)
} }
lister := informerFactory.Extensions().InternalVersion().PodSecurityPolicies().Lister() lister := informerFactory.Policy().InternalVersion().PodSecurityPolicies().Lister()
if authz == nil { if authz == nil {
authz = &TestAuthorizer{} authz = &TestAuthorizer{}
} }
...@@ -217,7 +216,7 @@ func TestAdmitSeccomp(t *testing.T) { ...@@ -217,7 +216,7 @@ func TestAdmitSeccomp(t *testing.T) {
}, },
}, },
} }
testPSPAdmit(k, []*extensions.PodSecurityPolicy{psp}, pod, v.shouldPassAdmit, v.shouldPassValidate, psp.Name, t) testPSPAdmit(k, []*policy.PodSecurityPolicy{psp}, pod, v.shouldPassAdmit, v.shouldPassValidate, psp.Name, t)
} }
} }
...@@ -241,7 +240,7 @@ func TestAdmitPrivileged(t *testing.T) { ...@@ -241,7 +240,7 @@ func TestAdmitPrivileged(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedPriv *bool expectedPriv *bool
...@@ -249,7 +248,7 @@ func TestAdmitPrivileged(t *testing.T) { ...@@ -249,7 +248,7 @@ func TestAdmitPrivileged(t *testing.T) {
}{ }{
"pod with priv=nil allowed under non priv PSP": { "pod with priv=nil allowed under non priv PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{nonPrivilegedPSP}, psps: []*policy.PodSecurityPolicy{nonPrivilegedPSP},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPriv: nil, expectedPriv: nil,
...@@ -257,7 +256,7 @@ func TestAdmitPrivileged(t *testing.T) { ...@@ -257,7 +256,7 @@ func TestAdmitPrivileged(t *testing.T) {
}, },
"pod with priv=nil allowed under priv PSP": { "pod with priv=nil allowed under priv PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{privilegedPSP}, psps: []*policy.PodSecurityPolicy{privilegedPSP},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPriv: nil, expectedPriv: nil,
...@@ -265,7 +264,7 @@ func TestAdmitPrivileged(t *testing.T) { ...@@ -265,7 +264,7 @@ func TestAdmitPrivileged(t *testing.T) {
}, },
"pod with priv=false allowed under non priv PSP": { "pod with priv=false allowed under non priv PSP": {
pod: createPodWithPriv(false), pod: createPodWithPriv(false),
psps: []*extensions.PodSecurityPolicy{nonPrivilegedPSP}, psps: []*policy.PodSecurityPolicy{nonPrivilegedPSP},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPriv: &falseValue, expectedPriv: &falseValue,
...@@ -273,7 +272,7 @@ func TestAdmitPrivileged(t *testing.T) { ...@@ -273,7 +272,7 @@ func TestAdmitPrivileged(t *testing.T) {
}, },
"pod with priv=false allowed under priv PSP": { "pod with priv=false allowed under priv PSP": {
pod: createPodWithPriv(false), pod: createPodWithPriv(false),
psps: []*extensions.PodSecurityPolicy{privilegedPSP}, psps: []*policy.PodSecurityPolicy{privilegedPSP},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPriv: &falseValue, expectedPriv: &falseValue,
...@@ -281,13 +280,13 @@ func TestAdmitPrivileged(t *testing.T) { ...@@ -281,13 +280,13 @@ func TestAdmitPrivileged(t *testing.T) {
}, },
"pod with priv=true denied by non priv PSP": { "pod with priv=true denied by non priv PSP": {
pod: createPodWithPriv(true), pod: createPodWithPriv(true),
psps: []*extensions.PodSecurityPolicy{nonPrivilegedPSP}, psps: []*policy.PodSecurityPolicy{nonPrivilegedPSP},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with priv=true allowed by priv PSP": { "pod with priv=true allowed by priv PSP": {
pod: createPodWithPriv(true), pod: createPodWithPriv(true),
psps: []*extensions.PodSecurityPolicy{nonPrivilegedPSP, privilegedPSP}, psps: []*policy.PodSecurityPolicy{nonPrivilegedPSP, privilegedPSP},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPriv: &trueValue, expectedPriv: &trueValue,
...@@ -325,11 +324,11 @@ func defaultPod(t *testing.T, pod *kapi.Pod) *kapi.Pod { ...@@ -325,11 +324,11 @@ func defaultPod(t *testing.T, pod *kapi.Pod) *kapi.Pod {
func TestAdmitPreferNonmutating(t *testing.T) { func TestAdmitPreferNonmutating(t *testing.T) {
mutating1 := restrictivePSP() mutating1 := restrictivePSP()
mutating1.Name = "mutating1" mutating1.Name = "mutating1"
mutating1.Spec.RunAsUser.Ranges = []extensions.UserIDRange{{Min: int64(1), Max: int64(1)}} mutating1.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: int64(1), Max: int64(1)}}
mutating2 := restrictivePSP() mutating2 := restrictivePSP()
mutating2.Name = "mutating2" mutating2.Name = "mutating2"
mutating2.Spec.RunAsUser.Ranges = []extensions.UserIDRange{{Min: int64(2), Max: int64(2)}} mutating2.Spec.RunAsUser.Ranges = []policy.UserIDRange{{Min: int64(2), Max: int64(2)}}
privilegedPSP := permissivePSP() privilegedPSP := permissivePSP()
privilegedPSP.Name = "privileged" privilegedPSP.Name = "privileged"
...@@ -364,7 +363,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -364,7 +363,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
operation kadmission.Operation operation kadmission.Operation
pod *kapi.Pod pod *kapi.Pod
podBeforeUpdate *kapi.Pod podBeforeUpdate *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassValidate bool shouldPassValidate bool
expectMutation bool expectMutation bool
expectedContainerUser *int64 expectedContainerUser *int64
...@@ -373,7 +372,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -373,7 +372,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
"pod should not be mutated by allow-all strategies": { "pod should not be mutated by allow-all strategies": {
operation: kadmission.Create, operation: kadmission.Create,
pod: unprivilegedRunAsAnyPod.DeepCopy(), pod: unprivilegedRunAsAnyPod.DeepCopy(),
psps: []*extensions.PodSecurityPolicy{privilegedPSP}, psps: []*policy.PodSecurityPolicy{privilegedPSP},
shouldPassValidate: true, shouldPassValidate: true,
expectMutation: false, expectMutation: false,
expectedContainerUser: nil, expectedContainerUser: nil,
...@@ -382,7 +381,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -382,7 +381,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
"pod should prefer non-mutating PSP on create": { "pod should prefer non-mutating PSP on create": {
operation: kadmission.Create, operation: kadmission.Create,
pod: unprivilegedRunAsAnyPod.DeepCopy(), pod: unprivilegedRunAsAnyPod.DeepCopy(),
psps: []*extensions.PodSecurityPolicy{mutating2, mutating1, privilegedPSP}, psps: []*policy.PodSecurityPolicy{mutating2, mutating1, privilegedPSP},
shouldPassValidate: true, shouldPassValidate: true,
expectMutation: false, expectMutation: false,
expectedContainerUser: nil, expectedContainerUser: nil,
...@@ -391,7 +390,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -391,7 +390,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
"pod should use deterministic mutating PSP on create": { "pod should use deterministic mutating PSP on create": {
operation: kadmission.Create, operation: kadmission.Create,
pod: unprivilegedRunAsAnyPod.DeepCopy(), pod: unprivilegedRunAsAnyPod.DeepCopy(),
psps: []*extensions.PodSecurityPolicy{mutating2, mutating1}, psps: []*policy.PodSecurityPolicy{mutating2, mutating1},
shouldPassValidate: true, shouldPassValidate: true,
expectMutation: true, expectMutation: true,
expectedContainerUser: &mutating1.Spec.RunAsUser.Ranges[0].Min, expectedContainerUser: &mutating1.Spec.RunAsUser.Ranges[0].Min,
...@@ -400,7 +399,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -400,7 +399,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
"pod should use deterministic mutating PSP on create even if ValidatedPSPAnnotation is set": { "pod should use deterministic mutating PSP on create even if ValidatedPSPAnnotation is set": {
operation: kadmission.Create, operation: kadmission.Create,
pod: podWithAnnotation, pod: podWithAnnotation,
psps: []*extensions.PodSecurityPolicy{mutating2, mutating1}, psps: []*policy.PodSecurityPolicy{mutating2, mutating1},
shouldPassValidate: true, shouldPassValidate: true,
expectMutation: true, expectMutation: true,
expectedContainerUser: &mutating1.Spec.RunAsUser.Ranges[0].Min, expectedContainerUser: &mutating1.Spec.RunAsUser.Ranges[0].Min,
...@@ -410,7 +409,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -410,7 +409,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
operation: kadmission.Update, operation: kadmission.Update,
pod: changedPodWithSC.DeepCopy(), pod: changedPodWithSC.DeepCopy(),
podBeforeUpdate: podWithSC.DeepCopy(), podBeforeUpdate: podWithSC.DeepCopy(),
psps: []*extensions.PodSecurityPolicy{mutating2, mutating1, privilegedPSP}, psps: []*policy.PodSecurityPolicy{mutating2, mutating1, privilegedPSP},
shouldPassValidate: true, shouldPassValidate: true,
expectMutation: false, expectMutation: false,
expectedContainerUser: nil, expectedContainerUser: nil,
...@@ -420,7 +419,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -420,7 +419,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
operation: kadmission.Update, operation: kadmission.Update,
pod: changedPod.DeepCopy(), pod: changedPod.DeepCopy(),
podBeforeUpdate: unprivilegedRunAsAnyPod.DeepCopy(), podBeforeUpdate: unprivilegedRunAsAnyPod.DeepCopy(),
psps: []*extensions.PodSecurityPolicy{mutating2, mutating1}, psps: []*policy.PodSecurityPolicy{mutating2, mutating1},
shouldPassValidate: false, shouldPassValidate: false,
expectMutation: false, expectMutation: false,
expectedContainerUser: nil, expectedContainerUser: nil,
...@@ -430,7 +429,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -430,7 +429,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
operation: kadmission.Update, operation: kadmission.Update,
pod: unprivilegedRunAsAnyPod.DeepCopy(), pod: unprivilegedRunAsAnyPod.DeepCopy(),
podBeforeUpdate: unprivilegedRunAsAnyPod.DeepCopy(), podBeforeUpdate: unprivilegedRunAsAnyPod.DeepCopy(),
psps: []*extensions.PodSecurityPolicy{mutating2, mutating1}, psps: []*policy.PodSecurityPolicy{mutating2, mutating1},
shouldPassValidate: true, shouldPassValidate: true,
expectMutation: false, expectMutation: false,
expectedContainerUser: nil, expectedContainerUser: nil,
...@@ -440,7 +439,7 @@ func TestAdmitPreferNonmutating(t *testing.T) { ...@@ -440,7 +439,7 @@ func TestAdmitPreferNonmutating(t *testing.T) {
operation: kadmission.Update, operation: kadmission.Update,
pod: gcChangedPod.DeepCopy(), pod: gcChangedPod.DeepCopy(),
podBeforeUpdate: unprivilegedRunAsAnyPod.DeepCopy(), podBeforeUpdate: unprivilegedRunAsAnyPod.DeepCopy(),
psps: []*extensions.PodSecurityPolicy{mutating2, mutating1}, psps: []*policy.PodSecurityPolicy{mutating2, mutating1},
shouldPassValidate: true, shouldPassValidate: true,
expectMutation: false, expectMutation: false,
expectedContainerUser: nil, expectedContainerUser: nil,
...@@ -516,11 +515,11 @@ func TestAdmitCaps(t *testing.T) { ...@@ -516,11 +515,11 @@ func TestAdmitCaps(t *testing.T) {
allowAllInAllowed := restrictivePSP() allowAllInAllowed := restrictivePSP()
allowAllInAllowed.Name = "allowAllCapsInAllowed" allowAllInAllowed.Name = "allowAllCapsInAllowed"
allowAllInAllowed.Spec.AllowedCapabilities = []kapi.Capability{extensions.AllowAllCapabilities} allowAllInAllowed.Spec.AllowedCapabilities = []kapi.Capability{policy.AllowAllCapabilities}
tc := map[string]struct { tc := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedCapabilities *kapi.Capabilities expectedCapabilities *kapi.Capabilities
...@@ -530,7 +529,7 @@ func TestAdmitCaps(t *testing.T) { ...@@ -530,7 +529,7 @@ func TestAdmitCaps(t *testing.T) {
// should be rejected. // should be rejected.
"should reject cap add when not allowed or required": { "should reject cap add when not allowed or required": {
pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}), pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}),
psps: []*extensions.PodSecurityPolicy{restricted}, psps: []*policy.PodSecurityPolicy{restricted},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
...@@ -538,7 +537,7 @@ func TestAdmitCaps(t *testing.T) { ...@@ -538,7 +537,7 @@ func TestAdmitCaps(t *testing.T) {
// to add the cap. // to add the cap.
"should accept cap add when in allowed": { "should accept cap add when in allowed": {
pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}), pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}),
psps: []*extensions.PodSecurityPolicy{restricted, allowsFooInAllowed}, psps: []*policy.PodSecurityPolicy{restricted, allowsFooInAllowed},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: allowsFooInAllowed.Name, expectedPSP: allowsFooInAllowed.Name,
...@@ -547,7 +546,7 @@ func TestAdmitCaps(t *testing.T) { ...@@ -547,7 +546,7 @@ func TestAdmitCaps(t *testing.T) {
// to add the cap. // to add the cap.
"should accept cap add when in required": { "should accept cap add when in required": {
pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}), pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}),
psps: []*extensions.PodSecurityPolicy{restricted, allowsFooInRequired}, psps: []*policy.PodSecurityPolicy{restricted, allowsFooInRequired},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: allowsFooInRequired.Name, expectedPSP: allowsFooInRequired.Name,
...@@ -556,7 +555,7 @@ func TestAdmitCaps(t *testing.T) { ...@@ -556,7 +555,7 @@ func TestAdmitCaps(t *testing.T) {
// in the verification of adds and verification of drops // in the verification of adds and verification of drops
"should reject cap add when requested cap is required to be dropped": { "should reject cap add when requested cap is required to be dropped": {
pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}), pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}),
psps: []*extensions.PodSecurityPolicy{restricted, requiresFooToBeDropped}, psps: []*policy.PodSecurityPolicy{restricted, requiresFooToBeDropped},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
...@@ -564,7 +563,7 @@ func TestAdmitCaps(t *testing.T) { ...@@ -564,7 +563,7 @@ func TestAdmitCaps(t *testing.T) {
// a manual request to drop the cap. // a manual request to drop the cap.
"should accept cap drop when cap is required to be dropped": { "should accept cap drop when cap is required to be dropped": {
pod: createPodWithCaps(&kapi.Capabilities{Drop: []kapi.Capability{"foo"}}), pod: createPodWithCaps(&kapi.Capabilities{Drop: []kapi.Capability{"foo"}}),
psps: []*extensions.PodSecurityPolicy{requiresFooToBeDropped}, psps: []*policy.PodSecurityPolicy{requiresFooToBeDropped},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: requiresFooToBeDropped.Name, expectedPSP: requiresFooToBeDropped.Name,
...@@ -572,7 +571,7 @@ func TestAdmitCaps(t *testing.T) { ...@@ -572,7 +571,7 @@ func TestAdmitCaps(t *testing.T) {
// UC 6: required add is defaulted // UC 6: required add is defaulted
"required add is defaulted": { "required add is defaulted": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{allowsFooInRequired}, psps: []*policy.PodSecurityPolicy{allowsFooInRequired},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedCapabilities: &kapi.Capabilities{ expectedCapabilities: &kapi.Capabilities{
...@@ -583,7 +582,7 @@ func TestAdmitCaps(t *testing.T) { ...@@ -583,7 +582,7 @@ func TestAdmitCaps(t *testing.T) {
// UC 7: required drop is defaulted // UC 7: required drop is defaulted
"required drop is defaulted": { "required drop is defaulted": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{requiresFooToBeDropped}, psps: []*policy.PodSecurityPolicy{requiresFooToBeDropped},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedCapabilities: &kapi.Capabilities{ expectedCapabilities: &kapi.Capabilities{
...@@ -594,7 +593,7 @@ func TestAdmitCaps(t *testing.T) { ...@@ -594,7 +593,7 @@ func TestAdmitCaps(t *testing.T) {
// UC 8: using '*' in allowed caps // UC 8: using '*' in allowed caps
"should accept cap add when all caps are allowed": { "should accept cap add when all caps are allowed": {
pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}), pod: createPodWithCaps(&kapi.Capabilities{Add: []kapi.Capability{"foo"}}),
psps: []*extensions.PodSecurityPolicy{restricted, allowAllInAllowed}, psps: []*policy.PodSecurityPolicy{restricted, allowAllInAllowed},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: allowAllInAllowed.Name, expectedPSP: allowAllInAllowed.Name,
...@@ -652,19 +651,19 @@ func TestAdmitVolumes(t *testing.T) { ...@@ -652,19 +651,19 @@ func TestAdmitVolumes(t *testing.T) {
psp := restrictivePSP() psp := restrictivePSP()
// expect a denial for this PSP // expect a denial for this PSP
testPSPAdmit(fmt.Sprintf("%s denial", string(fsType)), []*extensions.PodSecurityPolicy{psp}, pod, false, false, "", t) testPSPAdmit(fmt.Sprintf("%s denial", string(fsType)), []*policy.PodSecurityPolicy{psp}, pod, false, false, "", t)
// also expect a denial for this PSP if it's an init container // also expect a denial for this PSP if it's an init container
useInitContainers(pod) useInitContainers(pod)
testPSPAdmit(fmt.Sprintf("%s denial", string(fsType)), []*extensions.PodSecurityPolicy{psp}, pod, false, false, "", t) testPSPAdmit(fmt.Sprintf("%s denial", string(fsType)), []*policy.PodSecurityPolicy{psp}, pod, false, false, "", t)
// now add the fstype directly to the psp and it should validate // now add the fstype directly to the psp and it should validate
psp.Spec.Volumes = []extensions.FSType{fsType} psp.Spec.Volumes = []policy.FSType{fsType}
testPSPAdmit(fmt.Sprintf("%s direct accept", string(fsType)), []*extensions.PodSecurityPolicy{psp}, pod, true, true, psp.Name, t) testPSPAdmit(fmt.Sprintf("%s direct accept", string(fsType)), []*policy.PodSecurityPolicy{psp}, pod, true, true, psp.Name, t)
// now change the psp to allow any volumes and the pod should still validate // now change the psp to allow any volumes and the pod should still validate
psp.Spec.Volumes = []extensions.FSType{extensions.All} psp.Spec.Volumes = []policy.FSType{policy.All}
testPSPAdmit(fmt.Sprintf("%s wildcard accept", string(fsType)), []*extensions.PodSecurityPolicy{psp}, pod, true, true, psp.Name, t) testPSPAdmit(fmt.Sprintf("%s wildcard accept", string(fsType)), []*policy.PodSecurityPolicy{psp}, pod, true, true, psp.Name, t)
} }
} }
...@@ -685,7 +684,7 @@ func TestAdmitHostNetwork(t *testing.T) { ...@@ -685,7 +684,7 @@ func TestAdmitHostNetwork(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedHostNetwork bool expectedHostNetwork bool
...@@ -693,7 +692,7 @@ func TestAdmitHostNetwork(t *testing.T) { ...@@ -693,7 +692,7 @@ func TestAdmitHostNetwork(t *testing.T) {
}{ }{
"pod without hostnetwork request allowed under noHostNetwork PSP": { "pod without hostnetwork request allowed under noHostNetwork PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{noHostNetwork}, psps: []*policy.PodSecurityPolicy{noHostNetwork},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostNetwork: false, expectedHostNetwork: false,
...@@ -701,7 +700,7 @@ func TestAdmitHostNetwork(t *testing.T) { ...@@ -701,7 +700,7 @@ func TestAdmitHostNetwork(t *testing.T) {
}, },
"pod without hostnetwork request allowed under hostNetwork PSP": { "pod without hostnetwork request allowed under hostNetwork PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{hostNetwork}, psps: []*policy.PodSecurityPolicy{hostNetwork},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostNetwork: false, expectedHostNetwork: false,
...@@ -709,13 +708,13 @@ func TestAdmitHostNetwork(t *testing.T) { ...@@ -709,13 +708,13 @@ func TestAdmitHostNetwork(t *testing.T) {
}, },
"pod with hostnetwork request denied by noHostNetwork PSP": { "pod with hostnetwork request denied by noHostNetwork PSP": {
pod: createPodWithHostNetwork(true), pod: createPodWithHostNetwork(true),
psps: []*extensions.PodSecurityPolicy{noHostNetwork}, psps: []*policy.PodSecurityPolicy{noHostNetwork},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with hostnetwork request allowed by hostNetwork PSP": { "pod with hostnetwork request allowed by hostNetwork PSP": {
pod: createPodWithHostNetwork(true), pod: createPodWithHostNetwork(true),
psps: []*extensions.PodSecurityPolicy{noHostNetwork, hostNetwork}, psps: []*policy.PodSecurityPolicy{noHostNetwork, hostNetwork},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostNetwork: true, expectedHostNetwork: true,
...@@ -760,47 +759,47 @@ func TestAdmitHostPorts(t *testing.T) { ...@@ -760,47 +759,47 @@ func TestAdmitHostPorts(t *testing.T) {
hostPorts := restrictivePSP() hostPorts := restrictivePSP()
hostPorts.Name = "hostPorts" hostPorts.Name = "hostPorts"
hostPorts.Spec.HostPorts = []extensions.HostPortRange{ hostPorts.Spec.HostPorts = []policy.HostPortRange{
{Min: 1, Max: 10}, {Min: 1, Max: 10},
} }
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedPSP string expectedPSP string
}{ }{
"host port out of range": { "host port out of range": {
pod: createPodWithHostPorts(11), pod: createPodWithHostPorts(11),
psps: []*extensions.PodSecurityPolicy{hostPorts}, psps: []*policy.PodSecurityPolicy{hostPorts},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"host port in range": { "host port in range": {
pod: createPodWithHostPorts(5), pod: createPodWithHostPorts(5),
psps: []*extensions.PodSecurityPolicy{hostPorts}, psps: []*policy.PodSecurityPolicy{hostPorts},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: hostPorts.Name, expectedPSP: hostPorts.Name,
}, },
"no host ports with range": { "no host ports with range": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{hostPorts}, psps: []*policy.PodSecurityPolicy{hostPorts},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: hostPorts.Name, expectedPSP: hostPorts.Name,
}, },
"no host ports without range": { "no host ports without range": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{noHostPorts}, psps: []*policy.PodSecurityPolicy{noHostPorts},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: noHostPorts.Name, expectedPSP: noHostPorts.Name,
}, },
"host ports without range": { "host ports without range": {
pod: createPodWithHostPorts(5), pod: createPodWithHostPorts(5),
psps: []*extensions.PodSecurityPolicy{noHostPorts}, psps: []*policy.PodSecurityPolicy{noHostPorts},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
...@@ -831,7 +830,7 @@ func TestAdmitHostPID(t *testing.T) { ...@@ -831,7 +830,7 @@ func TestAdmitHostPID(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedHostPID bool expectedHostPID bool
...@@ -839,7 +838,7 @@ func TestAdmitHostPID(t *testing.T) { ...@@ -839,7 +838,7 @@ func TestAdmitHostPID(t *testing.T) {
}{ }{
"pod without hostpid request allowed under noHostPID PSP": { "pod without hostpid request allowed under noHostPID PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{noHostPID}, psps: []*policy.PodSecurityPolicy{noHostPID},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostPID: false, expectedHostPID: false,
...@@ -847,7 +846,7 @@ func TestAdmitHostPID(t *testing.T) { ...@@ -847,7 +846,7 @@ func TestAdmitHostPID(t *testing.T) {
}, },
"pod without hostpid request allowed under hostPID PSP": { "pod without hostpid request allowed under hostPID PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{hostPID}, psps: []*policy.PodSecurityPolicy{hostPID},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostPID: false, expectedHostPID: false,
...@@ -855,12 +854,12 @@ func TestAdmitHostPID(t *testing.T) { ...@@ -855,12 +854,12 @@ func TestAdmitHostPID(t *testing.T) {
}, },
"pod with hostpid request denied by noHostPID PSP": { "pod with hostpid request denied by noHostPID PSP": {
pod: createPodWithHostPID(true), pod: createPodWithHostPID(true),
psps: []*extensions.PodSecurityPolicy{noHostPID}, psps: []*policy.PodSecurityPolicy{noHostPID},
shouldPassAdmit: false, shouldPassAdmit: false,
}, },
"pod with hostpid request allowed by hostPID PSP": { "pod with hostpid request allowed by hostPID PSP": {
pod: createPodWithHostPID(true), pod: createPodWithHostPID(true),
psps: []*extensions.PodSecurityPolicy{noHostPID, hostPID}, psps: []*policy.PodSecurityPolicy{noHostPID, hostPID},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostPID: true, expectedHostPID: true,
...@@ -896,7 +895,7 @@ func TestAdmitHostIPC(t *testing.T) { ...@@ -896,7 +895,7 @@ func TestAdmitHostIPC(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedHostIPC bool expectedHostIPC bool
...@@ -904,7 +903,7 @@ func TestAdmitHostIPC(t *testing.T) { ...@@ -904,7 +903,7 @@ func TestAdmitHostIPC(t *testing.T) {
}{ }{
"pod without hostIPC request allowed under noHostIPC PSP": { "pod without hostIPC request allowed under noHostIPC PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{noHostIPC}, psps: []*policy.PodSecurityPolicy{noHostIPC},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostIPC: false, expectedHostIPC: false,
...@@ -912,7 +911,7 @@ func TestAdmitHostIPC(t *testing.T) { ...@@ -912,7 +911,7 @@ func TestAdmitHostIPC(t *testing.T) {
}, },
"pod without hostIPC request allowed under hostIPC PSP": { "pod without hostIPC request allowed under hostIPC PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{hostIPC}, psps: []*policy.PodSecurityPolicy{hostIPC},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostIPC: false, expectedHostIPC: false,
...@@ -920,13 +919,13 @@ func TestAdmitHostIPC(t *testing.T) { ...@@ -920,13 +919,13 @@ func TestAdmitHostIPC(t *testing.T) {
}, },
"pod with hostIPC request denied by noHostIPC PSP": { "pod with hostIPC request denied by noHostIPC PSP": {
pod: createPodWithHostIPC(true), pod: createPodWithHostIPC(true),
psps: []*extensions.PodSecurityPolicy{noHostIPC}, psps: []*policy.PodSecurityPolicy{noHostIPC},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with hostIPC request allowed by hostIPC PSP": { "pod with hostIPC request allowed by hostIPC PSP": {
pod: createPodWithHostIPC(true), pod: createPodWithHostIPC(true),
psps: []*extensions.PodSecurityPolicy{noHostIPC, hostIPC}, psps: []*policy.PodSecurityPolicy{noHostIPC, hostIPC},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedHostIPC: true, expectedHostIPC: true,
...@@ -955,12 +954,12 @@ func createPodWithSecurityContexts(podSC *kapi.PodSecurityContext, containerSC * ...@@ -955,12 +954,12 @@ func createPodWithSecurityContexts(podSC *kapi.PodSecurityContext, containerSC *
func TestAdmitSELinux(t *testing.T) { func TestAdmitSELinux(t *testing.T) {
runAsAny := permissivePSP() runAsAny := permissivePSP()
runAsAny.Name = "runAsAny" runAsAny.Name = "runAsAny"
runAsAny.Spec.SELinux.Rule = extensions.SELinuxStrategyRunAsAny runAsAny.Spec.SELinux.Rule = policy.SELinuxStrategyRunAsAny
runAsAny.Spec.SELinux.SELinuxOptions = nil runAsAny.Spec.SELinux.SELinuxOptions = nil
mustRunAs := permissivePSP() mustRunAs := permissivePSP()
mustRunAs.Name = "mustRunAs" mustRunAs.Name = "mustRunAs"
mustRunAs.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
mustRunAs.Spec.SELinux.SELinuxOptions = &kapi.SELinuxOptions{} mustRunAs.Spec.SELinux.SELinuxOptions = &kapi.SELinuxOptions{}
mustRunAs.Spec.SELinux.SELinuxOptions.Level = "level" mustRunAs.Spec.SELinux.SELinuxOptions.Level = "level"
mustRunAs.Spec.SELinux.SELinuxOptions.Role = "role" mustRunAs.Spec.SELinux.SELinuxOptions.Role = "role"
...@@ -969,7 +968,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -969,7 +968,7 @@ func TestAdmitSELinux(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedPodSC *kapi.PodSecurityContext expectedPodSC *kapi.PodSecurityContext
...@@ -978,7 +977,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -978,7 +977,7 @@ func TestAdmitSELinux(t *testing.T) {
}{ }{
"runAsAny with no request": { "runAsAny with no request": {
pod: createPodWithSecurityContexts(nil, nil), pod: createPodWithSecurityContexts(nil, nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -987,7 +986,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -987,7 +986,7 @@ func TestAdmitSELinux(t *testing.T) {
}, },
"runAsAny with empty pod request": { "runAsAny with empty pod request": {
pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{}, nil), pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{}, nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{}, expectedPodSC: &kapi.PodSecurityContext{},
...@@ -996,7 +995,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -996,7 +995,7 @@ func TestAdmitSELinux(t *testing.T) {
}, },
"runAsAny with empty container request": { "runAsAny with empty container request": {
pod: createPodWithSecurityContexts(nil, &kapi.SecurityContext{}), pod: createPodWithSecurityContexts(nil, &kapi.SecurityContext{}),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -1006,7 +1005,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -1006,7 +1005,7 @@ func TestAdmitSELinux(t *testing.T) {
"runAsAny with pod request": { "runAsAny with pod request": {
pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}, nil), pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}, nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}, expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}},
...@@ -1015,7 +1014,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -1015,7 +1014,7 @@ func TestAdmitSELinux(t *testing.T) {
}, },
"runAsAny with container request": { "runAsAny with container request": {
pod: createPodWithSecurityContexts(nil, &kapi.SecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}), pod: createPodWithSecurityContexts(nil, &kapi.SecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -1024,7 +1023,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -1024,7 +1023,7 @@ func TestAdmitSELinux(t *testing.T) {
}, },
"runAsAny with pod and container request": { "runAsAny with pod and container request": {
pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "bar"}}, &kapi.SecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}), pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "bar"}}, &kapi.SecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "bar"}}, expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "bar"}},
...@@ -1034,19 +1033,19 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -1034,19 +1033,19 @@ func TestAdmitSELinux(t *testing.T) {
"mustRunAs with bad pod request": { "mustRunAs with bad pod request": {
pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}, nil), pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}, nil),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"mustRunAs with bad container request": { "mustRunAs with bad container request": {
pod: createPodWithSecurityContexts(nil, &kapi.SecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}), pod: createPodWithSecurityContexts(nil, &kapi.SecurityContext{SELinuxOptions: &kapi.SELinuxOptions{User: "foo"}}),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"mustRunAs with no request": { "mustRunAs with no request": {
pod: createPodWithSecurityContexts(nil, nil), pod: createPodWithSecurityContexts(nil, nil),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions}, expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
...@@ -1058,7 +1057,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -1058,7 +1057,7 @@ func TestAdmitSELinux(t *testing.T) {
&kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{Level: "level", Role: "role", Type: "type", User: "user"}}, &kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{Level: "level", Role: "role", Type: "type", User: "user"}},
nil, nil,
), ),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions}, expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
...@@ -1070,7 +1069,7 @@ func TestAdmitSELinux(t *testing.T) { ...@@ -1070,7 +1069,7 @@ func TestAdmitSELinux(t *testing.T) {
&kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{Level: "level", Role: "role", Type: "type", User: "user"}}, &kapi.PodSecurityContext{SELinuxOptions: &kapi.SELinuxOptions{Level: "level", Role: "role", Type: "type", User: "user"}},
nil, nil,
), ),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions}, expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
...@@ -1117,7 +1116,7 @@ func TestAdmitAppArmor(t *testing.T) { ...@@ -1117,7 +1116,7 @@ func TestAdmitAppArmor(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psp *extensions.PodSecurityPolicy psp *policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedProfile string expectedProfile string
...@@ -1172,7 +1171,7 @@ func TestAdmitAppArmor(t *testing.T) { ...@@ -1172,7 +1171,7 @@ func TestAdmitAppArmor(t *testing.T) {
} }
for k, v := range tests { for k, v := range tests {
testPSPAdmit(k, []*extensions.PodSecurityPolicy{v.psp}, v.pod, v.shouldPassAdmit, v.shouldPassValidate, v.psp.Name, t) testPSPAdmit(k, []*policy.PodSecurityPolicy{v.psp}, v.pod, v.shouldPassAdmit, v.shouldPassValidate, v.psp.Name, t)
if v.shouldPassAdmit { if v.shouldPassAdmit {
assert.Equal(t, v.expectedProfile, apparmor.GetProfileNameFromPodAnnotations(v.pod.Annotations, defaultContainerName), k) assert.Equal(t, v.expectedProfile, apparmor.GetProfileNameFromPodAnnotations(v.pod.Annotations, defaultContainerName), k)
...@@ -1190,24 +1189,24 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1190,24 +1189,24 @@ func TestAdmitRunAsUser(t *testing.T) {
runAsAny := permissivePSP() runAsAny := permissivePSP()
runAsAny.Name = "runAsAny" runAsAny.Name = "runAsAny"
runAsAny.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyRunAsAny runAsAny.Spec.RunAsUser.Rule = policy.RunAsUserStrategyRunAsAny
mustRunAs := permissivePSP() mustRunAs := permissivePSP()
mustRunAs.Name = "mustRunAs" mustRunAs.Name = "mustRunAs"
mustRunAs.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs mustRunAs.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Ranges = []extensions.UserIDRange{ mustRunAs.Spec.RunAsUser.Ranges = []policy.UserIDRange{
{Min: int64(999), Max: int64(1000)}, {Min: int64(999), Max: int64(1000)},
} }
runAsNonRoot := permissivePSP() runAsNonRoot := permissivePSP()
runAsNonRoot.Name = "runAsNonRoot" runAsNonRoot.Name = "runAsNonRoot"
runAsNonRoot.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAsNonRoot runAsNonRoot.Spec.RunAsUser.Rule = policy.RunAsUserStrategyMustRunAsNonRoot
trueValue := true trueValue := true
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedPodSC *kapi.PodSecurityContext expectedPodSC *kapi.PodSecurityContext
...@@ -1216,7 +1215,7 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1216,7 +1215,7 @@ func TestAdmitRunAsUser(t *testing.T) {
}{ }{
"runAsAny no pod request": { "runAsAny no pod request": {
pod: createPodWithSecurityContexts(nil, nil), pod: createPodWithSecurityContexts(nil, nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -1225,7 +1224,7 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1225,7 +1224,7 @@ func TestAdmitRunAsUser(t *testing.T) {
}, },
"runAsAny pod request": { "runAsAny pod request": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), nil), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: podSC(utilpointer.Int64Ptr(1)), expectedPodSC: podSC(utilpointer.Int64Ptr(1)),
...@@ -1234,7 +1233,7 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1234,7 +1233,7 @@ func TestAdmitRunAsUser(t *testing.T) {
}, },
"runAsAny container request": { "runAsAny container request": {
pod: createPodWithSecurityContexts(nil, containerSC(utilpointer.Int64Ptr(1))), pod: createPodWithSecurityContexts(nil, containerSC(utilpointer.Int64Ptr(1))),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -1244,20 +1243,20 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1244,20 +1243,20 @@ func TestAdmitRunAsUser(t *testing.T) {
"mustRunAs pod request out of range": { "mustRunAs pod request out of range": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), nil), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), nil),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"mustRunAs container request out of range": { "mustRunAs container request out of range": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(999)), containerSC(utilpointer.Int64Ptr(1))), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(999)), containerSC(utilpointer.Int64Ptr(1))),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"mustRunAs pod request in range": { "mustRunAs pod request in range": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(999)), nil), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(999)), nil),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: podSC(&mustRunAs.Spec.RunAsUser.Ranges[0].Min), expectedPodSC: podSC(&mustRunAs.Spec.RunAsUser.Ranges[0].Min),
...@@ -1266,7 +1265,7 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1266,7 +1265,7 @@ func TestAdmitRunAsUser(t *testing.T) {
}, },
"mustRunAs container request in range": { "mustRunAs container request in range": {
pod: createPodWithSecurityContexts(nil, containerSC(utilpointer.Int64Ptr(999))), pod: createPodWithSecurityContexts(nil, containerSC(utilpointer.Int64Ptr(999))),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -1275,7 +1274,7 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1275,7 +1274,7 @@ func TestAdmitRunAsUser(t *testing.T) {
}, },
"mustRunAs pod and container request in range": { "mustRunAs pod and container request in range": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(999)), containerSC(utilpointer.Int64Ptr(1000))), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(999)), containerSC(utilpointer.Int64Ptr(1000))),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: podSC(utilpointer.Int64Ptr(999)), expectedPodSC: podSC(utilpointer.Int64Ptr(999)),
...@@ -1284,7 +1283,7 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1284,7 +1283,7 @@ func TestAdmitRunAsUser(t *testing.T) {
}, },
"mustRunAs no request": { "mustRunAs no request": {
pod: createPodWithSecurityContexts(nil, nil), pod: createPodWithSecurityContexts(nil, nil),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -1294,7 +1293,7 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1294,7 +1293,7 @@ func TestAdmitRunAsUser(t *testing.T) {
"runAsNonRoot no request": { "runAsNonRoot no request": {
pod: createPodWithSecurityContexts(nil, nil), pod: createPodWithSecurityContexts(nil, nil),
psps: []*extensions.PodSecurityPolicy{runAsNonRoot}, psps: []*policy.PodSecurityPolicy{runAsNonRoot},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -1303,13 +1302,13 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1303,13 +1302,13 @@ func TestAdmitRunAsUser(t *testing.T) {
}, },
"runAsNonRoot pod request root": { "runAsNonRoot pod request root": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(0)), nil), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(0)), nil),
psps: []*extensions.PodSecurityPolicy{runAsNonRoot}, psps: []*policy.PodSecurityPolicy{runAsNonRoot},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"runAsNonRoot pod request non-root": { "runAsNonRoot pod request non-root": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), nil), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), nil),
psps: []*extensions.PodSecurityPolicy{runAsNonRoot}, psps: []*policy.PodSecurityPolicy{runAsNonRoot},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: podSC(utilpointer.Int64Ptr(1)), expectedPodSC: podSC(utilpointer.Int64Ptr(1)),
...@@ -1317,13 +1316,13 @@ func TestAdmitRunAsUser(t *testing.T) { ...@@ -1317,13 +1316,13 @@ func TestAdmitRunAsUser(t *testing.T) {
}, },
"runAsNonRoot container request root": { "runAsNonRoot container request root": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), containerSC(utilpointer.Int64Ptr(0))), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), containerSC(utilpointer.Int64Ptr(0))),
psps: []*extensions.PodSecurityPolicy{runAsNonRoot}, psps: []*policy.PodSecurityPolicy{runAsNonRoot},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"runAsNonRoot container request non-root": { "runAsNonRoot container request non-root": {
pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), containerSC(utilpointer.Int64Ptr(2))), pod: createPodWithSecurityContexts(podSC(utilpointer.Int64Ptr(1)), containerSC(utilpointer.Int64Ptr(2))),
psps: []*extensions.PodSecurityPolicy{runAsNonRoot}, psps: []*policy.PodSecurityPolicy{runAsNonRoot},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: podSC(utilpointer.Int64Ptr(1)), expectedPodSC: podSC(utilpointer.Int64Ptr(1)),
...@@ -1353,16 +1352,16 @@ func TestAdmitSupplementalGroups(t *testing.T) { ...@@ -1353,16 +1352,16 @@ func TestAdmitSupplementalGroups(t *testing.T) {
runAsAny := permissivePSP() runAsAny := permissivePSP()
runAsAny.Name = "runAsAny" runAsAny.Name = "runAsAny"
runAsAny.Spec.SupplementalGroups.Rule = extensions.SupplementalGroupsStrategyRunAsAny runAsAny.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyRunAsAny
mustRunAs := permissivePSP() mustRunAs := permissivePSP()
mustRunAs.Name = "mustRunAs" mustRunAs.Name = "mustRunAs"
mustRunAs.Spec.SupplementalGroups.Rule = extensions.SupplementalGroupsStrategyMustRunAs mustRunAs.Spec.SupplementalGroups.Rule = policy.SupplementalGroupsStrategyMustRunAs
mustRunAs.Spec.SupplementalGroups.Ranges = []extensions.GroupIDRange{{Min: int64(999), Max: int64(1000)}} mustRunAs.Spec.SupplementalGroups.Ranges = []policy.GroupIDRange{{Min: int64(999), Max: int64(1000)}}
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedPodSC *kapi.PodSecurityContext expectedPodSC *kapi.PodSecurityContext
...@@ -1370,7 +1369,7 @@ func TestAdmitSupplementalGroups(t *testing.T) { ...@@ -1370,7 +1369,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
}{ }{
"runAsAny no pod request": { "runAsAny no pod request": {
pod: createPodWithSecurityContexts(nil, nil), pod: createPodWithSecurityContexts(nil, nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: nil, expectedPodSC: nil,
...@@ -1378,7 +1377,7 @@ func TestAdmitSupplementalGroups(t *testing.T) { ...@@ -1378,7 +1377,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
}, },
"runAsAny empty pod request": { "runAsAny empty pod request": {
pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{}, nil), pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{}, nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{}, expectedPodSC: &kapi.PodSecurityContext{},
...@@ -1386,7 +1385,7 @@ func TestAdmitSupplementalGroups(t *testing.T) { ...@@ -1386,7 +1385,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
}, },
"runAsAny empty pod request empty supplemental groups": { "runAsAny empty pod request empty supplemental groups": {
pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{SupplementalGroups: []int64{}}, nil), pod: createPodWithSecurityContexts(&kapi.PodSecurityContext{SupplementalGroups: []int64{}}, nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SupplementalGroups: []int64{}}, expectedPodSC: &kapi.PodSecurityContext{SupplementalGroups: []int64{}},
...@@ -1394,7 +1393,7 @@ func TestAdmitSupplementalGroups(t *testing.T) { ...@@ -1394,7 +1393,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
}, },
"runAsAny pod request": { "runAsAny pod request": {
pod: createPodWithSecurityContexts(podSC(1), nil), pod: createPodWithSecurityContexts(podSC(1), nil),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: &kapi.PodSecurityContext{SupplementalGroups: []int64{1}}, expectedPodSC: &kapi.PodSecurityContext{SupplementalGroups: []int64{1}},
...@@ -1402,7 +1401,7 @@ func TestAdmitSupplementalGroups(t *testing.T) { ...@@ -1402,7 +1401,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
}, },
"mustRunAs no pod request": { "mustRunAs no pod request": {
pod: createPodWithSecurityContexts(nil, nil), pod: createPodWithSecurityContexts(nil, nil),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: podSC(mustRunAs.Spec.SupplementalGroups.Ranges[0].Min), expectedPodSC: podSC(mustRunAs.Spec.SupplementalGroups.Ranges[0].Min),
...@@ -1410,13 +1409,13 @@ func TestAdmitSupplementalGroups(t *testing.T) { ...@@ -1410,13 +1409,13 @@ func TestAdmitSupplementalGroups(t *testing.T) {
}, },
"mustRunAs bad pod request": { "mustRunAs bad pod request": {
pod: createPodWithSecurityContexts(podSC(1), nil), pod: createPodWithSecurityContexts(podSC(1), nil),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"mustRunAs good pod request": { "mustRunAs good pod request": {
pod: createPodWithSecurityContexts(podSC(999), nil), pod: createPodWithSecurityContexts(podSC(999), nil),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPodSC: podSC(999), expectedPodSC: podSC(999),
...@@ -1447,14 +1446,14 @@ func TestAdmitFSGroup(t *testing.T) { ...@@ -1447,14 +1446,14 @@ func TestAdmitFSGroup(t *testing.T) {
runAsAny := restrictivePSP() runAsAny := restrictivePSP()
runAsAny.Name = "runAsAny" runAsAny.Name = "runAsAny"
runAsAny.Spec.FSGroup.Rule = extensions.FSGroupStrategyRunAsAny runAsAny.Spec.FSGroup.Rule = policy.FSGroupStrategyRunAsAny
mustRunAs := restrictivePSP() mustRunAs := restrictivePSP()
mustRunAs.Name = "mustRunAs" mustRunAs.Name = "mustRunAs"
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedFSGroup *int64 expectedFSGroup *int64
...@@ -1462,7 +1461,7 @@ func TestAdmitFSGroup(t *testing.T) { ...@@ -1462,7 +1461,7 @@ func TestAdmitFSGroup(t *testing.T) {
}{ }{
"runAsAny no pod request": { "runAsAny no pod request": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedFSGroup: nil, expectedFSGroup: nil,
...@@ -1470,7 +1469,7 @@ func TestAdmitFSGroup(t *testing.T) { ...@@ -1470,7 +1469,7 @@ func TestAdmitFSGroup(t *testing.T) {
}, },
"runAsAny pod request": { "runAsAny pod request": {
pod: createPodWithFSGroup(1), pod: createPodWithFSGroup(1),
psps: []*extensions.PodSecurityPolicy{runAsAny}, psps: []*policy.PodSecurityPolicy{runAsAny},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedFSGroup: utilpointer.Int64Ptr(1), expectedFSGroup: utilpointer.Int64Ptr(1),
...@@ -1478,7 +1477,7 @@ func TestAdmitFSGroup(t *testing.T) { ...@@ -1478,7 +1477,7 @@ func TestAdmitFSGroup(t *testing.T) {
}, },
"mustRunAs no pod request": { "mustRunAs no pod request": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedFSGroup: &mustRunAs.Spec.SupplementalGroups.Ranges[0].Min, expectedFSGroup: &mustRunAs.Spec.SupplementalGroups.Ranges[0].Min,
...@@ -1486,13 +1485,13 @@ func TestAdmitFSGroup(t *testing.T) { ...@@ -1486,13 +1485,13 @@ func TestAdmitFSGroup(t *testing.T) {
}, },
"mustRunAs bad pod request": { "mustRunAs bad pod request": {
pod: createPodWithFSGroup(1), pod: createPodWithFSGroup(1),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"mustRunAs good pod request": { "mustRunAs good pod request": {
pod: createPodWithFSGroup(999), pod: createPodWithFSGroup(999),
psps: []*extensions.PodSecurityPolicy{mustRunAs}, psps: []*policy.PodSecurityPolicy{mustRunAs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedFSGroup: utilpointer.Int64Ptr(999), expectedFSGroup: utilpointer.Int64Ptr(999),
...@@ -1540,7 +1539,7 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) { ...@@ -1540,7 +1539,7 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedRORFS bool expectedRORFS bool
...@@ -1548,7 +1547,7 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) { ...@@ -1548,7 +1547,7 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) {
}{ }{
"no-rorfs allows pod request with rorfs": { "no-rorfs allows pod request with rorfs": {
pod: createPodWithRORFS(true), pod: createPodWithRORFS(true),
psps: []*extensions.PodSecurityPolicy{noRORFS}, psps: []*policy.PodSecurityPolicy{noRORFS},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedRORFS: true, expectedRORFS: true,
...@@ -1556,7 +1555,7 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) { ...@@ -1556,7 +1555,7 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) {
}, },
"no-rorfs allows pod request without rorfs": { "no-rorfs allows pod request without rorfs": {
pod: createPodWithRORFS(false), pod: createPodWithRORFS(false),
psps: []*extensions.PodSecurityPolicy{noRORFS}, psps: []*policy.PodSecurityPolicy{noRORFS},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedRORFS: false, expectedRORFS: false,
...@@ -1564,13 +1563,13 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) { ...@@ -1564,13 +1563,13 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) {
}, },
"rorfs rejects pod request without rorfs": { "rorfs rejects pod request without rorfs": {
pod: createPodWithRORFS(false), pod: createPodWithRORFS(false),
psps: []*extensions.PodSecurityPolicy{rorfs}, psps: []*policy.PodSecurityPolicy{rorfs},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"rorfs defaults nil pod request": { "rorfs defaults nil pod request": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{rorfs}, psps: []*policy.PodSecurityPolicy{rorfs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedRORFS: true, expectedRORFS: true,
...@@ -1578,7 +1577,7 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) { ...@@ -1578,7 +1577,7 @@ func TestAdmitReadOnlyRootFilesystem(t *testing.T) {
}, },
"rorfs accepts pod request with rorfs": { "rorfs accepts pod request with rorfs": {
pod: createPodWithRORFS(true), pod: createPodWithRORFS(true),
psps: []*extensions.PodSecurityPolicy{rorfs}, psps: []*policy.PodSecurityPolicy{rorfs},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedRORFS: true, expectedRORFS: true,
...@@ -1619,156 +1618,156 @@ func TestAdmitSysctls(t *testing.T) { ...@@ -1619,156 +1618,156 @@ func TestAdmitSysctls(t *testing.T) {
emptySysctls := restrictivePSP() emptySysctls := restrictivePSP()
emptySysctls.Name = "empty sysctls" emptySysctls.Name = "empty sysctls"
emptySysctls.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "" emptySysctls.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = ""
mixedSysctls := restrictivePSP() mixedSysctls := restrictivePSP()
mixedSysctls.Name = "wildcard sysctls" mixedSysctls.Name = "wildcard sysctls"
mixedSysctls.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "a.*,b.*,c,d.e.f" mixedSysctls.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "a.*,b.*,c,d.e.f"
aSysctl := restrictivePSP() aSysctl := restrictivePSP()
aSysctl.Name = "a sysctl" aSysctl.Name = "a sysctl"
aSysctl.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "a" aSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "a"
bSysctl := restrictivePSP() bSysctl := restrictivePSP()
bSysctl.Name = "b sysctl" bSysctl.Name = "b sysctl"
bSysctl.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "b" bSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "b"
cSysctl := restrictivePSP() cSysctl := restrictivePSP()
cSysctl.Name = "c sysctl" cSysctl.Name = "c sysctl"
cSysctl.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "c" cSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "c"
catchallSysctls := restrictivePSP() catchallSysctls := restrictivePSP()
catchallSysctls.Name = "catchall sysctl" catchallSysctls.Name = "catchall sysctl"
catchallSysctls.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "*" catchallSysctls.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "*"
tests := map[string]struct { tests := map[string]struct {
pod *kapi.Pod pod *kapi.Pod
psps []*extensions.PodSecurityPolicy psps []*policy.PodSecurityPolicy
shouldPassAdmit bool shouldPassAdmit bool
shouldPassValidate bool shouldPassValidate bool
expectedPSP string expectedPSP string
}{ }{
"pod without unsafe sysctls request allowed under noSysctls PSP": { "pod without unsafe sysctls request allowed under noSysctls PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{noSysctls}, psps: []*policy.PodSecurityPolicy{noSysctls},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: noSysctls.Name, expectedPSP: noSysctls.Name,
}, },
"pod without any sysctls request allowed under emptySysctls PSP": { "pod without any sysctls request allowed under emptySysctls PSP": {
pod: goodPod(), pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{emptySysctls}, psps: []*policy.PodSecurityPolicy{emptySysctls},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: emptySysctls.Name, expectedPSP: emptySysctls.Name,
}, },
"pod with safe sysctls request allowed under noSysctls PSP": { "pod with safe sysctls request allowed under noSysctls PSP": {
pod: podWithSysctls([]string{"a", "b"}, []string{}), pod: podWithSysctls([]string{"a", "b"}, []string{}),
psps: []*extensions.PodSecurityPolicy{noSysctls}, psps: []*policy.PodSecurityPolicy{noSysctls},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: noSysctls.Name, expectedPSP: noSysctls.Name,
}, },
"pod with unsafe sysctls request allowed under noSysctls PSP": { "pod with unsafe sysctls request allowed under noSysctls PSP": {
pod: podWithSysctls([]string{}, []string{"a", "b"}), pod: podWithSysctls([]string{}, []string{"a", "b"}),
psps: []*extensions.PodSecurityPolicy{noSysctls}, psps: []*policy.PodSecurityPolicy{noSysctls},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: noSysctls.Name, expectedPSP: noSysctls.Name,
}, },
"pod with safe sysctls request disallowed under emptySysctls PSP": { "pod with safe sysctls request disallowed under emptySysctls PSP": {
pod: podWithSysctls([]string{"a", "b"}, []string{}), pod: podWithSysctls([]string{"a", "b"}, []string{}),
psps: []*extensions.PodSecurityPolicy{emptySysctls}, psps: []*policy.PodSecurityPolicy{emptySysctls},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with unsafe sysctls a, b request disallowed under aSysctls SCC": { "pod with unsafe sysctls a, b request disallowed under aSysctls SCC": {
pod: podWithSysctls([]string{}, []string{"a", "b"}), pod: podWithSysctls([]string{}, []string{"a", "b"}),
psps: []*extensions.PodSecurityPolicy{aSysctl}, psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with unsafe sysctls b request disallowed under aSysctls SCC": { "pod with unsafe sysctls b request disallowed under aSysctls SCC": {
pod: podWithSysctls([]string{}, []string{"b"}), pod: podWithSysctls([]string{}, []string{"b"}),
psps: []*extensions.PodSecurityPolicy{aSysctl}, psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with unsafe sysctls a request allowed under aSysctls SCC": { "pod with unsafe sysctls a request allowed under aSysctls SCC": {
pod: podWithSysctls([]string{}, []string{"a"}), pod: podWithSysctls([]string{}, []string{"a"}),
psps: []*extensions.PodSecurityPolicy{aSysctl}, psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: aSysctl.Name, expectedPSP: aSysctl.Name,
}, },
"pod with safe sysctls a, b request disallowed under aSysctls SCC": { "pod with safe sysctls a, b request disallowed under aSysctls SCC": {
pod: podWithSysctls([]string{"a", "b"}, []string{}), pod: podWithSysctls([]string{"a", "b"}, []string{}),
psps: []*extensions.PodSecurityPolicy{aSysctl}, psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with safe sysctls b request disallowed under aSysctls SCC": { "pod with safe sysctls b request disallowed under aSysctls SCC": {
pod: podWithSysctls([]string{"b"}, []string{}), pod: podWithSysctls([]string{"b"}, []string{}),
psps: []*extensions.PodSecurityPolicy{aSysctl}, psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with safe sysctls a request allowed under aSysctls SCC": { "pod with safe sysctls a request allowed under aSysctls SCC": {
pod: podWithSysctls([]string{"a"}, []string{}), pod: podWithSysctls([]string{"a"}, []string{}),
psps: []*extensions.PodSecurityPolicy{aSysctl}, psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: aSysctl.Name, expectedPSP: aSysctl.Name,
}, },
"pod with unsafe sysctls request disallowed under emptySysctls PSP": { "pod with unsafe sysctls request disallowed under emptySysctls PSP": {
pod: podWithSysctls([]string{}, []string{"a", "b"}), pod: podWithSysctls([]string{}, []string{"a", "b"}),
psps: []*extensions.PodSecurityPolicy{emptySysctls}, psps: []*policy.PodSecurityPolicy{emptySysctls},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with matching sysctls request allowed under mixedSysctls PSP": { "pod with matching sysctls request allowed under mixedSysctls PSP": {
pod: podWithSysctls([]string{"a.b", "b.c"}, []string{"c", "d.e.f"}), pod: podWithSysctls([]string{"a.b", "b.c"}, []string{"c", "d.e.f"}),
psps: []*extensions.PodSecurityPolicy{mixedSysctls}, psps: []*policy.PodSecurityPolicy{mixedSysctls},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: mixedSysctls.Name, expectedPSP: mixedSysctls.Name,
}, },
"pod with not-matching unsafe sysctls request disallowed under mixedSysctls PSP": { "pod with not-matching unsafe sysctls request disallowed under mixedSysctls PSP": {
pod: podWithSysctls([]string{"a.b", "b.c", "c", "d.e.f"}, []string{"e"}), pod: podWithSysctls([]string{"a.b", "b.c", "c", "d.e.f"}, []string{"e"}),
psps: []*extensions.PodSecurityPolicy{mixedSysctls}, psps: []*policy.PodSecurityPolicy{mixedSysctls},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with not-matching safe sysctls request disallowed under mixedSysctls PSP": { "pod with not-matching safe sysctls request disallowed under mixedSysctls PSP": {
pod: podWithSysctls([]string{"a.b", "b.c", "c", "d.e.f", "e"}, []string{}), pod: podWithSysctls([]string{"a.b", "b.c", "c", "d.e.f", "e"}, []string{}),
psps: []*extensions.PodSecurityPolicy{mixedSysctls}, psps: []*policy.PodSecurityPolicy{mixedSysctls},
shouldPassAdmit: false, shouldPassAdmit: false,
shouldPassValidate: false, shouldPassValidate: false,
}, },
"pod with sysctls request allowed under catchallSysctls PSP": { "pod with sysctls request allowed under catchallSysctls PSP": {
pod: podWithSysctls([]string{"e"}, []string{"f"}), pod: podWithSysctls([]string{"e"}, []string{"f"}),
psps: []*extensions.PodSecurityPolicy{catchallSysctls}, psps: []*policy.PodSecurityPolicy{catchallSysctls},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: catchallSysctls.Name, expectedPSP: catchallSysctls.Name,
}, },
"pod with sysctls request allowed under catchallSysctls PSP, not under mixedSysctls or emptySysctls PSP": { "pod with sysctls request allowed under catchallSysctls PSP, not under mixedSysctls or emptySysctls PSP": {
pod: podWithSysctls([]string{"e"}, []string{"f"}), pod: podWithSysctls([]string{"e"}, []string{"f"}),
psps: []*extensions.PodSecurityPolicy{mixedSysctls, catchallSysctls, emptySysctls}, psps: []*policy.PodSecurityPolicy{mixedSysctls, catchallSysctls, emptySysctls},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: catchallSysctls.Name, expectedPSP: catchallSysctls.Name,
}, },
"pod with safe c sysctl request allowed under cSysctl PSP, not under aSysctl or bSysctl PSP": { "pod with safe c sysctl request allowed under cSysctl PSP, not under aSysctl or bSysctl PSP": {
pod: podWithSysctls([]string{}, []string{"c"}), pod: podWithSysctls([]string{}, []string{"c"}),
psps: []*extensions.PodSecurityPolicy{aSysctl, bSysctl, cSysctl}, psps: []*policy.PodSecurityPolicy{aSysctl, bSysctl, cSysctl},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: cSysctl.Name, expectedPSP: cSysctl.Name,
}, },
"pod with unsafe c sysctl request allowed under cSysctl PSP, not under aSysctl or bSysctl PSP": { "pod with unsafe c sysctl request allowed under cSysctl PSP, not under aSysctl or bSysctl PSP": {
pod: podWithSysctls([]string{"c"}, []string{}), pod: podWithSysctls([]string{"c"}, []string{}),
psps: []*extensions.PodSecurityPolicy{aSysctl, bSysctl, cSysctl}, psps: []*policy.PodSecurityPolicy{aSysctl, bSysctl, cSysctl},
shouldPassAdmit: true, shouldPassAdmit: true,
shouldPassValidate: true, shouldPassValidate: true,
expectedPSP: cSysctl.Name, expectedPSP: cSysctl.Name,
...@@ -1795,11 +1794,11 @@ func TestAdmitSysctls(t *testing.T) { ...@@ -1795,11 +1794,11 @@ func TestAdmitSysctls(t *testing.T) {
} }
} }
func testPSPAdmit(testCaseName string, psps []*extensions.PodSecurityPolicy, pod *kapi.Pod, shouldPassAdmit, shouldPassValidate bool, expectedPSP string, t *testing.T) { func testPSPAdmit(testCaseName string, psps []*policy.PodSecurityPolicy, pod *kapi.Pod, shouldPassAdmit, shouldPassValidate bool, expectedPSP string, t *testing.T) {
testPSPAdmitAdvanced(testCaseName, kadmission.Create, psps, nil, &user.DefaultInfo{}, pod, nil, shouldPassAdmit, shouldPassValidate, true, expectedPSP, t) testPSPAdmitAdvanced(testCaseName, kadmission.Create, psps, nil, &user.DefaultInfo{}, pod, nil, shouldPassAdmit, shouldPassValidate, true, expectedPSP, t)
} }
func testPSPAdmitAdvanced(testCaseName string, op kadmission.Operation, psps []*extensions.PodSecurityPolicy, authz authorizer.Authorizer, userInfo user.Info, pod, oldPod *kapi.Pod, shouldPassAdmit, shouldPassValidate bool, canMutate bool, expectedPSP string, t *testing.T) { func testPSPAdmitAdvanced(testCaseName string, op kadmission.Operation, psps []*policy.PodSecurityPolicy, authz authorizer.Authorizer, userInfo user.Info, pod, oldPod *kapi.Pod, shouldPassAdmit, shouldPassValidate bool, canMutate bool, expectedPSP string, t *testing.T) {
originalPod := pod.DeepCopy() originalPod := pod.DeepCopy()
plugin := NewTestAdmission(psps, authz) plugin := NewTestAdmission(psps, authz)
...@@ -1907,50 +1906,50 @@ func TestAssignSecurityContext(t *testing.T) { ...@@ -1907,50 +1906,50 @@ func TestAssignSecurityContext(t *testing.T) {
func TestCreateProvidersFromConstraints(t *testing.T) { func TestCreateProvidersFromConstraints(t *testing.T) {
testCases := map[string]struct { testCases := map[string]struct {
// use a generating function so we can test for non-mutation // use a generating function so we can test for non-mutation
psp func() *extensions.PodSecurityPolicy psp func() *policy.PodSecurityPolicy
expectedErr string expectedErr string
}{ }{
"valid psp": { "valid psp": {
psp: func() *extensions.PodSecurityPolicy { psp: func() *policy.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{ return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "valid psp", Name: "valid psp",
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny, Rule: policy.RunAsUserStrategyRunAsAny,
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny, Rule: policy.FSGroupStrategyRunAsAny,
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny, Rule: policy.SupplementalGroupsStrategyRunAsAny,
}, },
}, },
} }
}, },
}, },
"bad psp strategy options": { "bad psp strategy options": {
psp: func() *extensions.PodSecurityPolicy { psp: func() *policy.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{ return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "bad psp user options", Name: "bad psp user options",
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs, Rule: policy.RunAsUserStrategyMustRunAs,
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny, Rule: policy.FSGroupStrategyRunAsAny,
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny, Rule: policy.SupplementalGroupsStrategyRunAsAny,
}, },
}, },
} }
...@@ -1966,7 +1965,7 @@ func TestCreateProvidersFromConstraints(t *testing.T) { ...@@ -1966,7 +1965,7 @@ func TestCreateProvidersFromConstraints(t *testing.T) {
} }
psp := v.psp() psp := v.psp()
_, errs := admit.createProvidersFromPolicies([]*extensions.PodSecurityPolicy{psp}, "namespace") _, errs := admit.createProvidersFromPolicies([]*policy.PodSecurityPolicy{psp}, "namespace")
if !reflect.DeepEqual(psp, v.psp()) { if !reflect.DeepEqual(psp, v.psp()) {
diff := diff.ObjectDiff(psp, v.psp()) diff := diff.ObjectDiff(psp, v.psp())
...@@ -1991,7 +1990,7 @@ func TestCreateProvidersFromConstraints(t *testing.T) { ...@@ -1991,7 +1990,7 @@ func TestCreateProvidersFromConstraints(t *testing.T) {
} }
func TestPolicyAuthorization(t *testing.T) { func TestPolicyAuthorization(t *testing.T) {
policyWithName := func(name string) *extensions.PodSecurityPolicy { policyWithName := func(name string) *policy.PodSecurityPolicy {
p := permissivePSP() p := permissivePSP()
p.Name = name p.Name = name
return p return p
...@@ -2002,7 +2001,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2002,7 +2001,7 @@ func TestPolicyAuthorization(t *testing.T) {
sa string sa string
ns string ns string
expectedPolicy string expectedPolicy string
inPolicies []*extensions.PodSecurityPolicy inPolicies []*policy.PodSecurityPolicy
allowed map[string]map[string]map[string]bool allowed map[string]map[string]map[string]bool
allowedGroup string allowedGroup string
}{ }{
...@@ -2015,7 +2014,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2015,7 +2014,7 @@ func TestPolicyAuthorization(t *testing.T) {
"test": {"policy": true}, "test": {"policy": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{policyWithName("policy")}, inPolicies: []*policy.PodSecurityPolicy{policyWithName("policy")},
expectedPolicy: "policy", expectedPolicy: "policy",
}, },
"policy allowed by sa (extensions API Group)": { "policy allowed by sa (extensions API Group)": {
...@@ -2027,7 +2026,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2027,7 +2026,7 @@ func TestPolicyAuthorization(t *testing.T) {
"test": {"policy": true}, "test": {"policy": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{policyWithName("policy")}, inPolicies: []*policy.PodSecurityPolicy{policyWithName("policy")},
expectedPolicy: "policy", expectedPolicy: "policy",
}, },
"policy allowed by user (policy API Group)": { "policy allowed by user (policy API Group)": {
...@@ -2039,7 +2038,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2039,7 +2038,7 @@ func TestPolicyAuthorization(t *testing.T) {
"test": {"policy": true}, "test": {"policy": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{policyWithName("policy")}, inPolicies: []*policy.PodSecurityPolicy{policyWithName("policy")},
expectedPolicy: "policy", expectedPolicy: "policy",
allowedGroup: policy.GroupName, allowedGroup: policy.GroupName,
}, },
...@@ -2052,7 +2051,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2052,7 +2051,7 @@ func TestPolicyAuthorization(t *testing.T) {
"test": {"policy": true}, "test": {"policy": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{policyWithName("policy")}, inPolicies: []*policy.PodSecurityPolicy{policyWithName("policy")},
expectedPolicy: "policy", expectedPolicy: "policy",
allowedGroup: policy.GroupName, allowedGroup: policy.GroupName,
}, },
...@@ -2061,7 +2060,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2061,7 +2060,7 @@ func TestPolicyAuthorization(t *testing.T) {
sa: "sa", sa: "sa",
ns: "test", ns: "test",
allowed: map[string]map[string]map[string]bool{}, allowed: map[string]map[string]map[string]bool{},
inPolicies: []*extensions.PodSecurityPolicy{policyWithName("policy")}, inPolicies: []*policy.PodSecurityPolicy{policyWithName("policy")},
expectedPolicy: "", expectedPolicy: "",
}, },
"multiple policies allowed": { "multiple policies allowed": {
...@@ -2080,7 +2079,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2080,7 +2079,7 @@ func TestPolicyAuthorization(t *testing.T) {
"other": {"policy7": true}, "other": {"policy7": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
// Prefix to force checking these policies first. // Prefix to force checking these policies first.
policyWithName("a_policy1"), // not allowed in this namespace policyWithName("a_policy1"), // not allowed in this namespace
policyWithName("a_policy2"), // not allowed in this namespace policyWithName("a_policy2"), // not allowed in this namespace
...@@ -2104,7 +2103,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2104,7 +2103,7 @@ func TestPolicyAuthorization(t *testing.T) {
"test": {"policy2": true}, "test": {"policy2": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
policyWithName("policy1"), policyWithName("policy1"),
policyWithName("policy2"), policyWithName("policy2"),
policyWithName("policy3"), policyWithName("policy3"),
...@@ -2124,7 +2123,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2124,7 +2123,7 @@ func TestPolicyAuthorization(t *testing.T) {
"test": {"policy2": true}, "test": {"policy2": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
policyWithName("policy1"), policyWithName("policy1"),
policyWithName("policy2"), policyWithName("policy2"),
policyWithName("policy3"), policyWithName("policy3"),
...@@ -2144,7 +2143,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2144,7 +2143,7 @@ func TestPolicyAuthorization(t *testing.T) {
"test": {"policy2": true}, "test": {"policy2": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
policyWithName("policy1"), policyWithName("policy1"),
policyWithName("policy2"), policyWithName("policy2"),
policyWithName("policy3"), policyWithName("policy3"),
...@@ -2169,7 +2168,7 @@ func TestPolicyAuthorization(t *testing.T) { ...@@ -2169,7 +2168,7 @@ func TestPolicyAuthorization(t *testing.T) {
} }
func TestPolicyAuthorizationErrors(t *testing.T) { func TestPolicyAuthorizationErrors(t *testing.T) {
policyWithName := func(name string) *extensions.PodSecurityPolicy { policyWithName := func(name string) *policy.PodSecurityPolicy {
p := restrictivePSP() p := restrictivePSP()
p.Name = name p.Name = name
return p return p
...@@ -2182,13 +2181,13 @@ func TestPolicyAuthorizationErrors(t *testing.T) { ...@@ -2182,13 +2181,13 @@ func TestPolicyAuthorizationErrors(t *testing.T) {
) )
tests := map[string]struct { tests := map[string]struct {
inPolicies []*extensions.PodSecurityPolicy inPolicies []*policy.PodSecurityPolicy
allowed map[string]map[string]map[string]bool allowed map[string]map[string]map[string]bool
expectValidationErrs int expectValidationErrs int
}{ }{
"policies not allowed": { "policies not allowed": {
allowed: map[string]map[string]map[string]bool{}, allowed: map[string]map[string]map[string]bool{},
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
policyWithName("policy1"), policyWithName("policy1"),
policyWithName("policy2"), policyWithName("policy2"),
}, },
...@@ -2200,7 +2199,7 @@ func TestPolicyAuthorizationErrors(t *testing.T) { ...@@ -2200,7 +2199,7 @@ func TestPolicyAuthorizationErrors(t *testing.T) {
"test": {"policy1": true}, "test": {"policy1": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
policyWithName("policy1"), policyWithName("policy1"),
policyWithName("policy2"), policyWithName("policy2"),
}, },
...@@ -2212,7 +2211,7 @@ func TestPolicyAuthorizationErrors(t *testing.T) { ...@@ -2212,7 +2211,7 @@ func TestPolicyAuthorizationErrors(t *testing.T) {
"test": {"policy2": true}, "test": {"policy2": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
policyWithName("policy1"), policyWithName("policy1"),
policyWithName("policy2"), policyWithName("policy2"),
}, },
...@@ -2227,7 +2226,7 @@ func TestPolicyAuthorizationErrors(t *testing.T) { ...@@ -2227,7 +2226,7 @@ func TestPolicyAuthorizationErrors(t *testing.T) {
"test": {"policy2": true}, "test": {"policy2": true},
}, },
}, },
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
policyWithName("policy1"), policyWithName("policy1"),
policyWithName("policy2"), policyWithName("policy2"),
}, },
...@@ -2254,26 +2253,26 @@ func TestPolicyAuthorizationErrors(t *testing.T) { ...@@ -2254,26 +2253,26 @@ func TestPolicyAuthorizationErrors(t *testing.T) {
} }
func TestPreferValidatedPSP(t *testing.T) { func TestPreferValidatedPSP(t *testing.T) {
restrictivePSPWithName := func(name string) *extensions.PodSecurityPolicy { restrictivePSPWithName := func(name string) *policy.PodSecurityPolicy {
p := restrictivePSP() p := restrictivePSP()
p.Name = name p.Name = name
return p return p
} }
permissivePSPWithName := func(name string) *extensions.PodSecurityPolicy { permissivePSPWithName := func(name string) *policy.PodSecurityPolicy {
p := permissivePSP() p := permissivePSP()
p.Name = name p.Name = name
return p return p
} }
tests := map[string]struct { tests := map[string]struct {
inPolicies []*extensions.PodSecurityPolicy inPolicies []*policy.PodSecurityPolicy
expectValidationErrs int expectValidationErrs int
validatedPSPHint string validatedPSPHint string
expectedPSP string expectedPSP string
}{ }{
"no policy saved in annotations, PSPs are ordered lexicographically": { "no policy saved in annotations, PSPs are ordered lexicographically": {
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
restrictivePSPWithName("001restrictive"), restrictivePSPWithName("001restrictive"),
restrictivePSPWithName("002restrictive"), restrictivePSPWithName("002restrictive"),
permissivePSPWithName("002permissive"), permissivePSPWithName("002permissive"),
...@@ -2285,7 +2284,7 @@ func TestPreferValidatedPSP(t *testing.T) { ...@@ -2285,7 +2284,7 @@ func TestPreferValidatedPSP(t *testing.T) {
expectedPSP: "001permissive", expectedPSP: "001permissive",
}, },
"policy saved in annotations is preferred": { "policy saved in annotations is preferred": {
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
restrictivePSPWithName("001restrictive"), restrictivePSPWithName("001restrictive"),
restrictivePSPWithName("002restrictive"), restrictivePSPWithName("002restrictive"),
permissivePSPWithName("001permissive"), permissivePSPWithName("001permissive"),
...@@ -2297,7 +2296,7 @@ func TestPreferValidatedPSP(t *testing.T) { ...@@ -2297,7 +2296,7 @@ func TestPreferValidatedPSP(t *testing.T) {
expectedPSP: "002permissive", expectedPSP: "002permissive",
}, },
"policy saved in annotations is invalid": { "policy saved in annotations is invalid": {
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
restrictivePSPWithName("001restrictive"), restrictivePSPWithName("001restrictive"),
restrictivePSPWithName("002restrictive"), restrictivePSPWithName("002restrictive"),
}, },
...@@ -2306,7 +2305,7 @@ func TestPreferValidatedPSP(t *testing.T) { ...@@ -2306,7 +2305,7 @@ func TestPreferValidatedPSP(t *testing.T) {
expectedPSP: "", expectedPSP: "",
}, },
"policy saved in annotations is disallowed anymore": { "policy saved in annotations is disallowed anymore": {
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
restrictivePSPWithName("001restrictive"), restrictivePSPWithName("001restrictive"),
restrictivePSPWithName("002restrictive"), restrictivePSPWithName("002restrictive"),
}, },
...@@ -2315,7 +2314,7 @@ func TestPreferValidatedPSP(t *testing.T) { ...@@ -2315,7 +2314,7 @@ func TestPreferValidatedPSP(t *testing.T) {
expectedPSP: "", expectedPSP: "",
}, },
"policy saved in annotations is disallowed anymore, but find another one": { "policy saved in annotations is disallowed anymore, but find another one": {
inPolicies: []*extensions.PodSecurityPolicy{ inPolicies: []*policy.PodSecurityPolicy{
restrictivePSPWithName("001restrictive"), restrictivePSPWithName("001restrictive"),
restrictivePSPWithName("002restrictive"), restrictivePSPWithName("002restrictive"),
permissivePSPWithName("002permissive"), permissivePSPWithName("002permissive"),
...@@ -2346,34 +2345,34 @@ func TestPreferValidatedPSP(t *testing.T) { ...@@ -2346,34 +2345,34 @@ func TestPreferValidatedPSP(t *testing.T) {
} }
} }
func restrictivePSP() *extensions.PodSecurityPolicy { func restrictivePSP() *policy.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{ return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "restrictive", Name: "restrictive",
Annotations: map[string]string{}, Annotations: map[string]string{},
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs, Rule: policy.RunAsUserStrategyMustRunAs,
Ranges: []extensions.UserIDRange{ Ranges: []policy.UserIDRange{
{Min: int64(999), Max: int64(999)}, {Min: int64(999), Max: int64(999)},
}, },
}, },
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyMustRunAs, Rule: policy.SELinuxStrategyMustRunAs,
SELinuxOptions: &kapi.SELinuxOptions{ SELinuxOptions: &kapi.SELinuxOptions{
Level: "s9:z0,z1", Level: "s9:z0,z1",
}, },
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyMustRunAs, Rule: policy.FSGroupStrategyMustRunAs,
Ranges: []extensions.GroupIDRange{ Ranges: []policy.GroupIDRange{
{Min: int64(999), Max: int64(999)}, {Min: int64(999), Max: int64(999)},
}, },
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs, Rule: policy.SupplementalGroupsStrategyMustRunAs,
Ranges: []extensions.GroupIDRange{ Ranges: []policy.GroupIDRange{
{Min: int64(999), Max: int64(999)}, {Min: int64(999), Max: int64(999)},
}, },
}, },
...@@ -2381,31 +2380,31 @@ func restrictivePSP() *extensions.PodSecurityPolicy { ...@@ -2381,31 +2380,31 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
} }
} }
func permissivePSP() *extensions.PodSecurityPolicy { func permissivePSP() *policy.PodSecurityPolicy {
return &extensions.PodSecurityPolicy{ return &policy.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "privileged", Name: "privileged",
Annotations: map[string]string{}, Annotations: map[string]string{},
}, },
Spec: extensions.PodSecurityPolicySpec{ Spec: policy.PodSecurityPolicySpec{
AllowPrivilegeEscalation: true, AllowPrivilegeEscalation: true,
HostIPC: true, HostIPC: true,
HostNetwork: true, HostNetwork: true,
HostPID: true, HostPID: true,
HostPorts: []extensions.HostPortRange{{Min: 0, Max: 65536}}, HostPorts: []policy.HostPortRange{{Min: 0, Max: 65536}},
Volumes: []extensions.FSType{extensions.All}, Volumes: []policy.FSType{policy.All},
AllowedCapabilities: []kapi.Capability{extensions.AllowAllCapabilities}, AllowedCapabilities: []kapi.Capability{policy.AllowAllCapabilities},
RunAsUser: extensions.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyRunAsAny, Rule: policy.RunAsUserStrategyRunAsAny,
}, },
SELinux: extensions.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
FSGroup: extensions.FSGroupStrategyOptions{ FSGroup: policy.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyRunAsAny, Rule: policy.FSGroupStrategyRunAsAny,
}, },
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny, Rule: policy.SupplementalGroupsStrategyRunAsAny,
}, },
}, },
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment