diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go b/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go
index 3919644ba9f..4bedf9f95f9 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go
@@ -24,7 +24,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/pod-security-admission/admission/api"
 "k8s.io/pod-security-admission/admission/api/scheme"
- apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+ apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
 func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
@@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
 func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
 if len(data) == 0 {
 // no config provided, return default
- externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
+ externalConfig := &apiv1beta1.PodSecurityConfiguration{}
 scheme.Scheme.Default(externalConfig)
 internalConfig := &api.PodSecurityConfiguration{}
 if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go b/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go
index 11136c571ed..a75c6cf1594 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go
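Review bot: The comment `// no config provided, return default` in LoadFromData (second hunk of load.go) does not say which defaults apply, and the changed line now takes them from the v1beta1 defaulting instead of v1alpha1. The test expectations elsewhere in this commit show unset warn and audit levels coming back as "privileged", so a zero-length config file presumably loads as a permissive policy without any error. I would make that explicit where the fallback happens, for example `// no config provided: fall back to the defaulted v1beta1 configuration`, and confirm that an empty-input test pins the resulting internal config, since none is visible in these hunks. The body of LoadFromData continues past the end of the hunk.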
@@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
 }
 }
+ // valid file
+ {
+ input := `{
+ "apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+ "kind":"PodSecurityConfiguration",
+ "defaults":{"enforce":"baseline"}}`
+ expect := &api.PodSecurityConfiguration{
+ Defaults: api.PodSecurityDefaults{
+ Enforce: "baseline", EnforceVersion: "latest",
+ Warn: "privileged", WarnVersion: "latest",
+ Audit: "privileged", AuditVersion: "latest",
+ },
+ }
+
+ config, err := LoadFromFile(writeTempFile(t, input))
+ if err != nil {
+ t.Fatalf("unexpected err: %v", err)
+ }
+ if !reflect.DeepEqual(config, expect) {
+ t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+ }
+ }
+
 // missing file
 {
 _, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
@@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
 }
 }
+ // valid reader
+ {
+ input := `{
+ "apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+ "kind":"PodSecurityConfiguration",
+ "defaults":{"enforce":"baseline"}}`
+ expect := &api.PodSecurityConfiguration{
+ Defaults: api.PodSecurityDefaults{
+ Enforce: "baseline", EnforceVersion: "latest",
+ Warn: "privileged", WarnVersion: "latest",
+ Audit: "privileged", AuditVersion: "latest",
+ },
+ }
+
+ config, err := LoadFromReader(bytes.NewBufferString(input))
+ if err != nil {
+ t.Fatalf("unexpected err: %v", err)
+ }
+ if !reflect.DeepEqual(config, expect) {
+ t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+ }
+ }
+
 // invalid reader
 {
 input := `{
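Review bot: The v1beta1 cases added to TestLoadFromFile and TestLoadFromReader here, and the two v1beta1 entries added to the TestLoadFromData table in the next hunk, only exercise well-formed input. For an admission policy file the rejecting side matters more: a v1beta1 document with an unknown or misspelled key (a constructed example would be `"enforced"` in place of `"enforce"`) should produce an error rather than quietly loading with defaults, which these expectations show to be "privileged" for warn and audit. I would add one such v1beta1 entry to the TestLoadFromData table that asserts a non-nil error; whether the loader decodes strictly is not visible in this diff, so the case would also pin that behaviour down. Separately, the same `input` and `expect` literals are repeated in all three tests and could be shared fixtures.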
@@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
 data: []byte(`
 apiVersion: pod-security.admission.config.k8s.io/v1alpha1
 kind: PodSecurityConfiguration
+defaults:
+ enforce: baseline
+ enforce-version: v1.7
+exemptions:
+ usernames: ["alice","bob"]
+ namespaces: ["kube-system"]
+ runtimeClasses: ["special"]
+`),
+ expectConfig: &api.PodSecurityConfiguration{
+ Defaults: api.PodSecurityDefaults{
+ Enforce: "baseline", EnforceVersion: "v1.7",
+ Warn: "privileged", WarnVersion: "latest",
+ Audit: "privileged", AuditVersion: "latest",
+ },
+ Exemptions: api.PodSecurityExemptions{
+ Usernames: []string{"alice", "bob"},
+ Namespaces: []string{"kube-system"},
+ RuntimeClasses: []string{"special"},
+ },
+ },
+ },
+ {
+ name: "v1beta1 - json",
+ data: []byte(`{
+"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+"kind":"PodSecurityConfiguration",
+"defaults":{"enforce":"baseline"}}`),
+ expectConfig: &api.PodSecurityConfiguration{
+ Defaults: api.PodSecurityDefaults{
+ Enforce: "baseline", EnforceVersion: "latest",
+ Warn: "privileged", WarnVersion: "latest",
+ Audit: "privileged", AuditVersion: "latest",
+ },
+ },
+ },
+ {
+ name: "v1beta1 - yaml",
+ data: []byte(`
+apiVersion: pod-security.admission.config.k8s.io/v1beta1
+kind: PodSecurityConfiguration
 defaults:
 enforce: baseline
 enforce-version: v1.7
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go b/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go
index fa80b85bd9f..36ab8ca5eeb 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go
@@ -22,6 +22,7 @@ import (
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 podsecurityapi "k8s.io/pod-security-admission/admission/api"
 podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+ podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
 var (
@@ -40,5 +41,6 @@ func init() {
 func AddToScheme(scheme *runtime.Scheme) {
 utilruntime.Must(podsecurityapi.AddToScheme(scheme))
 utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
- utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
+ utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
+ utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6a09b35eda4..3ca29f10bc6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
 k8s.io/pod-security-admission/admission/api/load
 k8s.io/pod-security-admission/admission/api/scheme
 k8s.io/pod-security-admission/admission/api/v1alpha1
+k8s.io/pod-security-admission/admission/api/v1beta1
 k8s.io/pod-security-admission/admission/api/validation
 k8s.io/pod-security-admission/api
 k8s.io/pod-security-admission/cmd/webhook/server
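Review bot: The argument order in `scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion)` in AddToScheme (scheme.go) carries meaning that the line itself does not explain. v1beta1 becomes the preferred version while v1alpha1 stays registered, which is what lets the v1alpha1 test case kept in load_test.go continue to load. A short why-comment above the call would keep a later cleanup from reordering or dropping an entry by accident, for example `// Prefer v1beta1; v1alpha1 stays registered so existing config files still load.` If v1alpha1 is meant to be retired, a TODO stating when belongs on the `podsecurityv1alpha1.AddToScheme` line as well.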