allowPrivilegeEscalation: update code generation

parent ed3b7863
......@@ -888,7 +888,15 @@ func autoConvert_v1_Container_To_api_Container(in *v1.Container, out *api.Contai
out.TerminationMessagePath = in.TerminationMessagePath
out.TerminationMessagePolicy = api.TerminationMessagePolicy(in.TerminationMessagePolicy)
out.ImagePullPolicy = api.PullPolicy(in.ImagePullPolicy)
out.SecurityContext = (*api.SecurityContext)(unsafe.Pointer(in.SecurityContext))
if in.SecurityContext != nil {
in, out := &in.SecurityContext, &out.SecurityContext
*out = new(api.SecurityContext)
if err := Convert_v1_SecurityContext_To_api_SecurityContext(*in, *out, s); err != nil {
return err
}
} else {
out.SecurityContext = nil
}
out.Stdin = in.Stdin
out.StdinOnce = in.StdinOnce
out.TTY = in.TTY
......@@ -919,7 +927,15 @@ func autoConvert_api_Container_To_v1_Container(in *api.Container, out *v1.Contai
out.TerminationMessagePath = in.TerminationMessagePath
out.TerminationMessagePolicy = v1.TerminationMessagePolicy(in.TerminationMessagePolicy)
out.ImagePullPolicy = v1.PullPolicy(in.ImagePullPolicy)
out.SecurityContext = (*v1.SecurityContext)(unsafe.Pointer(in.SecurityContext))
if in.SecurityContext != nil {
in, out := &in.SecurityContext, &out.SecurityContext
*out = new(v1.SecurityContext)
if err := Convert_api_SecurityContext_To_v1_SecurityContext(*in, *out, s); err != nil {
return err
}
} else {
out.SecurityContext = nil
}
out.Stdin = in.Stdin
out.StdinOnce = in.StdinOnce
out.TTY = in.TTY
......@@ -3502,8 +3518,28 @@ func autoConvert_v1_PodSpec_To_api_PodSpec(in *v1.PodSpec, out *api.PodSpec, s c
} else {
out.Volumes = nil
}
out.InitContainers = *(*[]api.Container)(unsafe.Pointer(&in.InitContainers))
out.Containers = *(*[]api.Container)(unsafe.Pointer(&in.Containers))
if in.InitContainers != nil {
in, out := &in.InitContainers, &out.InitContainers
*out = make([]api.Container, len(*in))
for i := range *in {
if err := Convert_v1_Container_To_api_Container(&(*in)[i], &(*out)[i], s); err != nil {
return err
}
}
} else {
out.InitContainers = nil
}
if in.Containers != nil {
in, out := &in.Containers, &out.Containers
*out = make([]api.Container, len(*in))
for i := range *in {
if err := Convert_v1_Container_To_api_Container(&(*in)[i], &(*out)[i], s); err != nil {
return err
}
}
} else {
out.Containers = nil
}
out.RestartPolicy = api.RestartPolicy(in.RestartPolicy)
out.TerminationGracePeriodSeconds = (*int64)(unsafe.Pointer(in.TerminationGracePeriodSeconds))
out.ActiveDeadlineSeconds = (*int64)(unsafe.Pointer(in.ActiveDeadlineSeconds))
......@@ -3549,11 +3585,27 @@ func autoConvert_api_PodSpec_To_v1_PodSpec(in *api.PodSpec, out *v1.PodSpec, s c
} else {
out.Volumes = nil
}
out.InitContainers = *(*[]v1.Container)(unsafe.Pointer(&in.InitContainers))
if in.Containers == nil {
out.Containers = make([]v1.Container, 0)
if in.InitContainers != nil {
in, out := &in.InitContainers, &out.InitContainers
*out = make([]v1.Container, len(*in))
for i := range *in {
if err := Convert_api_Container_To_v1_Container(&(*in)[i], &(*out)[i], s); err != nil {
return err
}
}
} else {
out.InitContainers = nil
}
if in.Containers != nil {
in, out := &in.Containers, &out.Containers
*out = make([]v1.Container, len(*in))
for i := range *in {
if err := Convert_api_Container_To_v1_Container(&(*in)[i], &(*out)[i], s); err != nil {
return err
}
}
} else {
out.Containers = *(*[]v1.Container)(unsafe.Pointer(&in.Containers))
out.Containers = make([]v1.Container, 0)
}
out.RestartPolicy = v1.RestartPolicy(in.RestartPolicy)
out.TerminationGracePeriodSeconds = (*int64)(unsafe.Pointer(in.TerminationGracePeriodSeconds))
......@@ -4533,6 +4585,7 @@ func autoConvert_v1_SecurityContext_To_api_SecurityContext(in *v1.SecurityContex
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
out.AllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.AllowPrivilegeEscalation))
return nil
}
......@@ -4548,14 +4601,10 @@ func autoConvert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityConte
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
out.AllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.AllowPrivilegeEscalation))
return nil
}
// Convert_api_SecurityContext_To_v1_SecurityContext is an autogenerated conversion function.
func Convert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityContext, out *v1.SecurityContext, s conversion.Scope) error {
return autoConvert_api_SecurityContext_To_v1_SecurityContext(in, out, s)
}
func autoConvert_v1_SerializedReference_To_api_SerializedReference(in *v1.SerializedReference, out *api.SerializedReference, s conversion.Scope) error {
if err := Convert_v1_ObjectReference_To_api_ObjectReference(&in.Reference, &out.Reference, s); err != nil {
return err
......
......@@ -5260,6 +5260,15 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
**out = **in
}
}
if in.AllowPrivilegeEscalation != nil {
in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
return
}
......
......@@ -1221,6 +1221,8 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
return err
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
return nil
}
......@@ -1262,14 +1264,11 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
return err
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
return nil
}
// Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec is an autogenerated conversion function.
func Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in *extensions.PodSecurityPolicySpec, out *v1beta1.PodSecurityPolicySpec, s conversion.Scope) error {
return autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(in, out, s)
}
func autoConvert_v1beta1_ReplicaSet_To_extensions_ReplicaSet(in *v1beta1.ReplicaSet, out *extensions.ReplicaSet, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_v1beta1_ReplicaSetSpec_To_extensions_ReplicaSetSpec(&in.Spec, &out.Spec, s); err != nil {
......
......@@ -1316,6 +1316,15 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
in.FSGroup.DeepCopyInto(&out.FSGroup)
if in.DefaultAllowPrivilegeEscalation != nil {
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
return
}
......
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -3540,6 +3540,15 @@ message SecurityContext {
// Default is false.
// +optional
optional bool readOnlyRootFilesystem = 6;
// AllowPrivilegeEscalation controls whether a process can gain more
// privileges than it's parent process. This bool directly controls if
// the no_new_privs flag will be set on the container process.
// AllowPrivilegeEscalation is true always when the container is:
// 1) run as Privileged
// 2) has CAP_SYS_ADMIN
// +optional
optional bool allowPrivilegeEscalation = 7;
}
// SerializedReference is a reference to serialized object.
......
......@@ -67986,7 +67986,7 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
} else {
yysep2 := !z.EncBinary()
yy2arr2 := z.EncBasicHandle().StructToArray
var yyq2 [6]bool
var yyq2 [7]bool
_, _, _ = yysep2, yyq2, yy2arr2
const yyr2 bool = false
yyq2[0] = x.Capabilities != nil
......@@ -67995,9 +67995,10 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yyq2[3] = x.RunAsUser != nil
yyq2[4] = x.RunAsNonRoot != nil
yyq2[5] = x.ReadOnlyRootFilesystem != nil
yyq2[6] = x.AllowPrivilegeEscalation != nil
var yynn2 int
if yyr2 || yy2arr2 {
r.EncodeArrayStart(6)
r.EncodeArrayStart(7)
} else {
yynn2 = 0
for _, b := range yyq2 {
......@@ -68195,6 +68196,41 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
if yyq2[6] {
if x.AllowPrivilegeEscalation == nil {
r.EncodeNil()
} else {
yy30 := *x.AllowPrivilegeEscalation
yym31 := z.EncBinary()
_ = yym31
if false {
} else {
r.EncodeBool(bool(yy30))
}
}
} else {
r.EncodeNil()
}
} else {
if yyq2[6] {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
r.EncodeString(codecSelferC_UTF81234, string("allowPrivilegeEscalation"))
z.EncSendContainerState(codecSelfer_containerMapValue1234)
if x.AllowPrivilegeEscalation == nil {
r.EncodeNil()
} else {
yy32 := *x.AllowPrivilegeEscalation
yym33 := z.EncBinary()
_ = yym33
if false {
} else {
r.EncodeBool(bool(yy32))
}
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
} else {
z.EncSendContainerState(codecSelfer_containerMapEnd1234)
......@@ -68341,6 +68377,22 @@ func (x *SecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
*((*bool)(x.ReadOnlyRootFilesystem)) = r.DecodeBool()
}
}
case "allowPrivilegeEscalation":
if r.TryDecodeAsNil() {
if x.AllowPrivilegeEscalation != nil {
x.AllowPrivilegeEscalation = nil
}
} else {
if x.AllowPrivilegeEscalation == nil {
x.AllowPrivilegeEscalation = new(bool)
}
yym15 := z.DecBinary()
_ = yym15
if false {
} else {
*((*bool)(x.AllowPrivilegeEscalation)) = r.DecodeBool()
}
}
default:
z.DecStructFieldNotFound(-1, yys3)
} // end switch yys3
......@@ -68352,16 +68404,16 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
var yyj14 int
var yyb14 bool
var yyhl14 bool = l >= 0
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
var yyj16 int
var yyb16 bool
var yyhl16 bool = l >= 0
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
......@@ -68376,13 +68428,13 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
}
x.Capabilities.CodecDecodeSelf(d)
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
......@@ -68395,20 +68447,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
if x.Privileged == nil {
x.Privileged = new(bool)
}
yym17 := z.DecBinary()
_ = yym17
yym19 := z.DecBinary()
_ = yym19
if false {
} else {
*((*bool)(x.Privileged)) = r.DecodeBool()
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
......@@ -68423,13 +68475,13 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
}
x.SELinuxOptions.CodecDecodeSelf(d)
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
......@@ -68442,20 +68494,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
if x.RunAsUser == nil {
x.RunAsUser = new(int64)
}
yym20 := z.DecBinary()
_ = yym20
yym22 := z.DecBinary()
_ = yym22
if false {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
......@@ -68468,20 +68520,20 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
if x.RunAsNonRoot == nil {
x.RunAsNonRoot = new(bool)
}
yym22 := z.DecBinary()
_ = yym22
yym24 := z.DecBinary()
_ = yym24
if false {
} else {
*((*bool)(x.RunAsNonRoot)) = r.DecodeBool()
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
......@@ -68494,25 +68546,51 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
if x.ReadOnlyRootFilesystem == nil {
x.ReadOnlyRootFilesystem = new(bool)
}
yym24 := z.DecBinary()
_ = yym24
yym26 := z.DecBinary()
_ = yym26
if false {
} else {
*((*bool)(x.ReadOnlyRootFilesystem)) = r.DecodeBool()
}
}
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb16 = r.CheckBreak()
}
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
if x.AllowPrivilegeEscalation != nil {
x.AllowPrivilegeEscalation = nil
}
} else {
if x.AllowPrivilegeEscalation == nil {
x.AllowPrivilegeEscalation = new(bool)
}
yym28 := z.DecBinary()
_ = yym28
if false {
} else {
*((*bool)(x.AllowPrivilegeEscalation)) = r.DecodeBool()
}
}
for {
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
break
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
z.DecStructFieldNotFound(yyj14-1, "")
z.DecStructFieldNotFound(yyj16-1, "")
}
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
}
......@@ -4613,6 +4613,14 @@ type SecurityContext struct {
// Default is false.
// +optional
ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,6,opt,name=readOnlyRootFilesystem"`
// AllowPrivilegeEscalation controls whether a process can gain more
// privileges than it's parent process. This bool directly controls if
// the no_new_privs flag will be set on the container process.
// AllowPrivilegeEscalation is true always when the container is:
// 1) run as Privileged
// 2) has CAP_SYS_ADMIN
// +optional
AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
}
// SELinuxOptions are the labels to be applied to the container
......
......@@ -5262,6 +5262,15 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
**out = **in
}
}
if in.AllowPrivilegeEscalation != nil {
in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
return
}
......
......@@ -723,6 +723,16 @@ message PodSecurityPolicySpec {
// will not be forced to.
// +optional
optional bool readOnlyRootFilesystem = 14;
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than it's parent process.
// +optional
optional bool defaultAllowPrivilegeEscalation = 15;
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation.
// +optional
optional bool allowPrivilegeEscalation = 16;
}
// ReplicaSet represents the configuration of a ReplicaSet.
......
......@@ -954,6 +954,14 @@ type PodSecurityPolicySpec struct {
// will not be forced to.
// +optional
ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than it's parent process.
// +optional
DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"`
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation.
// +optional
AllowPrivilegeEscalation bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
}
// FS Type gives strong typing to different file systems that are used by volumes.
......
......@@ -1321,6 +1321,15 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
in.FSGroup.DeepCopyInto(&out.FSGroup)
if in.DefaultAllowPrivilegeEscalation != nil {
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
if *in == nil {
*out = nil
} else {
*out = new(bool)
**out = **in
}
}
return
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment