Merge pull request #50212 from jhorwit2/jah/psp-hostpath

Automatic merge from submit-queue (batch tested with PRs 50719, 51216, 50212, 51408, 51381)

Allow PSP's to specify a whitelist of allowed paths for host volume

**What this PR does / why we need it**:

Reverts the revert for the allowed host path feature that was moved from v1.7 to v1.8. This PR also changes the api as discussed in https://github.com/kubernetes/kubernetes/pull/47811.

Original pr: https://github.com/kubernetes/kubernetes/pull/43946
revert: https://github.com/kubernetes/kubernetes/pull/47851

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #29326

**Special notes for your reviewer**:

cc @liggitt @ericchiang @php-coder 

It seems the api build process has changed. Hopefully I did it right 👼 .

**Release note**:

```release-note
Allow PSP's to specify a whitelist of allowed paths for host volume
```
Kubernetes Submit Queue
2017-08-31 21:09:14 -07:00
committed by GitHub
18 changed files with 1463 additions and 446 deletions


@@ -62428,6 +62428,15 @@
}
}
},
"io.k8s.api.extensions.v1beta1.AllowedHostPath": {
"description": "defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
"properties": {
"pathPrefix": {
"description": "is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
"type": "string"
}
}
},
"io.k8s.api.extensions.v1beta1.DaemonSet": {
"description": "DaemonSet represents the configuration of a daemon set.",
"properties": {
@@ -63302,6 +63311,13 @@
"type": "string"
}
},
"allowedHostPaths": {
"description": "is a white list of allowed host paths. Empty indicates that all host paths may be used.",
"type": "array",
"items": {
"$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath"
}
},
"defaultAddCapabilities": {
"description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
"type": "array",
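Review bot: The `allowedHostPaths` description in the second hunk makes an empty list mean allow-all, so a policy that omits the field, or loses it in a merge, fails open to every host path without saying so. I would spell that out, for example `"description": "is a white list of allowed host paths. Empty indicates that all host paths may be used; an empty list does not restrict hostPath volumes."`. In the first hunk the `AllowedHostPath` description says the path prefix is required, but the schema has no `required` entry for `pathPrefix`. Unless validation elsewhere rejects it, a client reading only this schema cannot tell that `{}` or an empty prefix is invalid. The description also does not say whether the host path is normalised (for example `..` segments) before the prefix comparison, which is worth stating because the match is what bounds access to the node filesystem. The same wording appears in the `allowedHostPaths` and `v1beta1.AllowedHostPath` hunks of the next file section. Both files look like generated API specs, so the text would presumably be changed in the source type comments, which are not on this page.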


@@ -9470,6 +9470,13 @@
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation."
},
"allowedHostPaths": {
"type": "array",
"items": {
"$ref": "v1beta1.AllowedHostPath"
},
"description": "is a white list of allowed host paths. Empty indicates that all host paths may be used."
}
}
},
@@ -9588,6 +9595,16 @@
}
}
},
"v1beta1.AllowedHostPath": {
"id": "v1beta1.AllowedHostPath",
"description": "defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
"properties": {
"pathPrefix": {
"type": "string",
"description": "is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`"
}
}
},
"v1beta1.ReplicaSetList": {
"id": "v1beta1.ReplicaSetList",
"description": "ReplicaSetList is a collection of ReplicaSets.",