PodSecurity: register/test v1beta1 config

2025-07-30 15:05:27 +00:00 · 2021-11-02 11:42:51 -04:00 · 2021-11-02 11:42:51 -04:00 · 1f8f996dc9
commit 1f8f996dc9
parent d997607eb9
4 changed files with 92 additions and 3 deletions
--- a/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go
@ -24,7 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/pod-security-admission/admission/api"
 	"k8s.io/pod-security-admission/admission/api/scheme"
-	apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+	apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )

 func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
 func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
 	if len(data) == 0 {
 		// no config provided, return default
-		externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
+		externalConfig := &apiv1beta1.PodSecurityConfiguration{}
 		scheme.Scheme.Default(externalConfig)
 		internalConfig := &api.PodSecurityConfiguration{}
 		if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {
--- a/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go
@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
 		}
 	}

+	// valid file
+	{
+		input := `{
+			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+			"kind":"PodSecurityConfiguration",
+			"defaults":{"enforce":"baseline"}}`
+		expect := &api.PodSecurityConfiguration{
+			Defaults: api.PodSecurityDefaults{
+				Enforce: "baseline", EnforceVersion: "latest",
+				Warn: "privileged", WarnVersion: "latest",
+				Audit: "privileged", AuditVersion: "latest",
+			},
+		}
+
+		config, err := LoadFromFile(writeTempFile(t, input))
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if !reflect.DeepEqual(config, expect) {
+			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+		}
+	}
+
 	// missing file
 	{
 		_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
 		}
 	}

+	// valid reader
+	{
+		input := `{
+			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+			"kind":"PodSecurityConfiguration",
+			"defaults":{"enforce":"baseline"}}`
+		expect := &api.PodSecurityConfiguration{
+			Defaults: api.PodSecurityDefaults{
+				Enforce: "baseline", EnforceVersion: "latest",
+				Warn: "privileged", WarnVersion: "latest",
+				Audit: "privileged", AuditVersion: "latest",
+			},
+		}
+
+		config, err := LoadFromReader(bytes.NewBufferString(input))
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if !reflect.DeepEqual(config, expect) {
+			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+		}
+	}
+
 	// invalid reader
 	{
 		input := `{
@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
 			data: []byte(`
 apiVersion: pod-security.admission.config.k8s.io/v1alpha1
 kind: PodSecurityConfiguration
+defaults:
+  enforce: baseline
+  enforce-version: v1.7
+exemptions:
+  usernames: ["alice","bob"]
+  namespaces: ["kube-system"]
+  runtimeClasses: ["special"]
+`),
+			expectConfig: &api.PodSecurityConfiguration{
+				Defaults: api.PodSecurityDefaults{
+					Enforce: "baseline", EnforceVersion: "v1.7",
+					Warn: "privileged", WarnVersion: "latest",
+					Audit: "privileged", AuditVersion: "latest",
+				},
+				Exemptions: api.PodSecurityExemptions{
+					Usernames:      []string{"alice", "bob"},
+					Namespaces:     []string{"kube-system"},
+					RuntimeClasses: []string{"special"},
+				},
+			},
+		},
+		{
+			name: "v1beta1 - json",
+			data: []byte(`{
+"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+"kind":"PodSecurityConfiguration",
+"defaults":{"enforce":"baseline"}}`),
+			expectConfig: &api.PodSecurityConfiguration{
+				Defaults: api.PodSecurityDefaults{
+					Enforce: "baseline", EnforceVersion: "latest",
+					Warn: "privileged", WarnVersion: "latest",
+					Audit: "privileged", AuditVersion: "latest",
+				},
+			},
+		},
+		{
+			name: "v1beta1 - yaml",
+			data: []byte(`
+apiVersion: pod-security.admission.config.k8s.io/v1beta1
+kind: PodSecurityConfiguration
 defaults:
  enforce: baseline
  enforce-version: v1.7
--- a/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go
@ -22,6 +22,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	podsecurityapi "k8s.io/pod-security-admission/admission/api"
 	podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+	podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )

 var (
@ -40,5 +41,6 @@ func init() {
 func AddToScheme(scheme *runtime.Scheme) {
 	utilruntime.Must(podsecurityapi.AddToScheme(scheme))
 	utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
+	utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
 }
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
 k8s.io/pod-security-admission/admission/api/load
 k8s.io/pod-security-admission/admission/api/scheme
 k8s.io/pod-security-admission/admission/api/v1alpha1
+k8s.io/pod-security-admission/admission/api/v1beta1
 k8s.io/pod-security-admission/admission/api/validation
 k8s.io/pod-security-admission/api
 k8s.io/pod-security-admission/cmd/webhook/server