PodSecurity: register/test v1beta1 config

2025-07-28 22:17:14 +00:00 · 2021-11-02 11:42:51 -04:00 · 2021-11-02 11:42:51 -04:00 · 1f8f996dc9
commit 1f8f996dc9
parent d997607eb9
4 changed files with 92 additions and 3 deletions
--- a/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go
@ -24,7 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/pod-security-admission/admission/api"
 	"k8s.io/pod-security-admission/admission/api/scheme"
-	apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+	apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
 func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
 func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
 	if len(data) == 0 {
 		// no config provided, return default
-		externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
+		externalConfig := &apiv1beta1.PodSecurityConfiguration{}
 		scheme.Scheme.Default(externalConfig)
 		internalConfig := &api.PodSecurityConfiguration{}
 		if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {
--- a/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go
@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
 		}
 	}
 	// valid file
 	{
 		input := `{
 			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
 			"kind":"PodSecurityConfiguration",
 			"defaults":{"enforce":"baseline"}}`
 		expect := &api.PodSecurityConfiguration{
 			Defaults: api.PodSecurityDefaults{
 				Enforce: "baseline", EnforceVersion: "latest",
 				Warn: "privileged", WarnVersion: "latest",
 				Audit: "privileged", AuditVersion: "latest",
 			},
 		}
 		config, err := LoadFromFile(writeTempFile(t, input))
 		if err != nil {
 			t.Fatalf("unexpected err: %v", err)
 		}
 		if !reflect.DeepEqual(config, expect) {
 			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
 		}
 	}
 	// missing file
 	{
 		_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
 		}
 	}
 	// valid reader
 	{
 		input := `{
 			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
 			"kind":"PodSecurityConfiguration",
 			"defaults":{"enforce":"baseline"}}`
 		expect := &api.PodSecurityConfiguration{
 			Defaults: api.PodSecurityDefaults{
 				Enforce: "baseline", EnforceVersion: "latest",
 				Warn: "privileged", WarnVersion: "latest",
 				Audit: "privileged", AuditVersion: "latest",
 			},
 		}
 		config, err := LoadFromReader(bytes.NewBufferString(input))
 		if err != nil {
 			t.Fatalf("unexpected err: %v", err)
 		}
 		if !reflect.DeepEqual(config, expect) {
 			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
 		}
 	}
 	// invalid reader
 	{
 		input := `{
@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
 			data: []byte(`
 apiVersion: pod-security.admission.config.k8s.io/v1alpha1
 kind: PodSecurityConfiguration
 defaults:
  enforce: baseline
  enforce-version: v1.7
 exemptions:
  usernames: ["alice","bob"]
  namespaces: ["kube-system"]
  runtimeClasses: ["special"]
 `),
 			expectConfig: &api.PodSecurityConfiguration{
 				Defaults: api.PodSecurityDefaults{
 					Enforce: "baseline", EnforceVersion: "v1.7",
 					Warn: "privileged", WarnVersion: "latest",
 					Audit: "privileged", AuditVersion: "latest",
 				},
 				Exemptions: api.PodSecurityExemptions{
 					Usernames:      []string{"alice", "bob"},
 					Namespaces:     []string{"kube-system"},
 					RuntimeClasses: []string{"special"},
 				},
 			},
 		},
 		{
 			name: "v1beta1 - json",
 			data: []byte(`{
 "apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
 "kind":"PodSecurityConfiguration",
 "defaults":{"enforce":"baseline"}}`),
 			expectConfig: &api.PodSecurityConfiguration{
 				Defaults: api.PodSecurityDefaults{
 					Enforce: "baseline", EnforceVersion: "latest",
 					Warn: "privileged", WarnVersion: "latest",
 					Audit: "privileged", AuditVersion: "latest",
 				},
 			},
 		},
 		{
 			name: "v1beta1 - yaml",
 			data: []byte(`
 apiVersion: pod-security.admission.config.k8s.io/v1beta1
 kind: PodSecurityConfiguration
 defaults:
  enforce: baseline
  enforce-version: v1.7
--- a/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go
@ -22,6 +22,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	podsecurityapi "k8s.io/pod-security-admission/admission/api"
 	podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
 	podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
 var (
@ -40,5 +41,6 @@ func init() {
 func AddToScheme(scheme *runtime.Scheme) {
 	utilruntime.Must(podsecurityapi.AddToScheme(scheme))
 	utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
+	utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
 	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
 }
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
 k8s.io/pod-security-admission/admission/api/load
 k8s.io/pod-security-admission/admission/api/scheme
 k8s.io/pod-security-admission/admission/api/v1alpha1
 k8s.io/pod-security-admission/admission/api/v1beta1
 k8s.io/pod-security-admission/admission/api/validation
 k8s.io/pod-security-admission/api
 k8s.io/pod-security-admission/cmd/webhook/server