From 40d238b91a94aafef4932a6aec4100ab84e37fbd Mon Sep 17 00:00:00 2001
From: Jess Frazelle
Date: Thu, 30 Aug 2018 11:46:36 -0400
Subject: [PATCH] address comments

Signed-off-by: Jess Frazelle
---
 pkg/api/podsecuritypolicy/OWNERS | 3 +
 pkg/api/podsecuritypolicy/util.go | 31 +++++++++
 pkg/api/podsecuritypolicy/util_test.go | 69 +++++++++++++++++++
 pkg/apis/core/types.go | 2 +-
 .../policy/podsecuritypolicy/strategy.go | 9 +++
 staging/src/k8s.io/api/core/v1/types.go | 3 +-
 .../k8s.io/api/extensions/v1beta1/types.go | 1 +
 .../src/k8s.io/api/policy/v1beta1/types.go | 1 +
 8 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100755 pkg/api/podsecuritypolicy/OWNERS
 create mode 100644 pkg/api/podsecuritypolicy/util.go
 create mode 100644 pkg/api/podsecuritypolicy/util_test.go
diff --git a/pkg/api/podsecuritypolicy/OWNERS b/pkg/api/podsecuritypolicy/OWNERS
new file mode 100755
index 00000000000..652fc4cefab
--- /dev/null
+++ b/pkg/api/podsecuritypolicy/OWNERS
@@ -0,0 +1,3 @@
+reviewers:
+- smarterclayton
+- jessfraz
diff --git a/pkg/api/podsecuritypolicy/util.go b/pkg/api/podsecuritypolicy/util.go
new file mode 100644
index 00000000000..28a6d7f7d47
--- /dev/null
+++ b/pkg/api/podsecuritypolicy/util.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package podsecuritypolicy
+
+import (
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
+ "k8s.io/kubernetes/pkg/apis/policy"
+ "k8s.io/kubernetes/pkg/features"
+)
+
+// DropDisabledAlphaFields removes disabled fields from the pod security policy spec.
+// This should be called from PrepareForCreate/PrepareForUpdate for all resources containing a od security policy spec.
+func DropDisabledAlphaFields(pspSpec *policy.PodSecurityPolicySpec) {
+ if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) {
+ pspSpec.AllowedProcMountTypes = nil
+ }
+}
diff --git a/pkg/api/podsecuritypolicy/util_test.go b/pkg/api/podsecuritypolicy/util_test.go
new file mode 100644
index 00000000000..420e73b77c7
--- /dev/null
+++ b/pkg/api/podsecuritypolicy/util_test.go
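Review bot: The doc comment on `DropDisabledAlphaFields` has a typo (`od security policy spec`) and does not say what clearing the field means for enforcement. The API comment elsewhere in this patch states that an empty or nil `AllowedProcMountTypes` permits only the default proc mount, so dropping it with the gate off fails closed; that is worth stating, e.g. `// With ProcMountType disabled, AllowedProcMountTypes is cleared, leaving only the default proc mount allowed.` The function also dereferences `pspSpec` without a nil check; `if pspSpec == nil { return }` would make the exported helper safe for a caller that passes an unset spec.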
@@ -0,0 +1,69 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package podsecuritypolicy
+
+import (
+ "testing"
+
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
+ api "k8s.io/kubernetes/pkg/apis/core"
+ "k8s.io/kubernetes/pkg/apis/policy"
+ "k8s.io/kubernetes/pkg/features"
+)
+
+func TestDropAlphaProcMountType(t *testing.T) {
+ // PodSecurityPolicy with AllowedProcMountTypes set
+ psp := policy.PodSecurityPolicy{
+ Spec: policy.PodSecurityPolicySpec{
+ AllowedProcMountTypes: []api.ProcMountType{api.UnmaskedProcMount},
+ },
+ }
+
+ // Enable alpha feature ProcMountType
+ err1 := utilfeature.DefaultFeatureGate.Set("ProcMountType=true")
+ if err1 != nil {
+ t.Fatalf("Failed to enable feature gate for ProcMountType: %v", err1)
+ }
+
+ // now test dropping the fields - should not be dropped
+ DropDisabledAlphaFields(&psp.Spec)
+
+ // check to make sure AllowedProcMountTypes is still present
+ // if featureset is set to true
+ if utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) {
+ if psp.Spec.AllowedProcMountTypes == nil {
+ t.Error("AllowedProcMountTypes in pvc.Spec should not have been dropped based on feature-gate")
+ }
+ }
+
+ // Disable alpha feature ProcMountType
+ err := utilfeature.DefaultFeatureGate.Set("ProcMountType=false")
+ if err != nil {
+ t.Fatalf("Failed to disable feature gate for ProcMountType: %v", err)
+ }
+
+ // now test dropping the fields
+ DropDisabledAlphaFields(&psp.Spec)
+
+ // check to make sure
AllowedProcMountTypes is nil + // if featureset is set to false + if utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) { + if psp.Spec.AllowedProcMountTypes != nil { + t.Error("DropDisabledAlphaFields AllowedProcMountTypes for psp.Spec failed") + } + } +} diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go index a9a561c5bc8..11e1664eedd 100644 --- a/pkg/apis/core/types.go +++ b/pkg/apis/core/types.go @@ -4632,7 +4632,7 @@ const ( DefaultProcMount ProcMountType = "Default" // UnmaskedProcMount bypasses the default masking behavior of the container - // runtime and ensures the newly created /proc the container stays in tact with + // runtime and ensures the newly created /proc the container stays intact with // no modifications. UnmaskedProcMount ProcMountType = "Unmasked" ) diff --git a/pkg/registry/policy/podsecuritypolicy/strategy.go b/pkg/registry/policy/podsecuritypolicy/strategy.go index 668bafa3319..c9940fe2d83 100644 --- a/pkg/registry/policy/podsecuritypolicy/strategy.go +++ b/pkg/registry/policy/podsecuritypolicy/strategy.go @@ -24,6 +24,7 @@ import ( "k8s.io/apiserver/pkg/registry/rest" "k8s.io/apiserver/pkg/storage/names" "k8s.io/kubernetes/pkg/api/legacyscheme" + psputil "k8s.io/kubernetes/pkg/api/podsecuritypolicy" "k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/apis/policy/validation" ) @@ -55,9 +56,17 @@ func (strategy) AllowUnconditionalUpdate() bool { } func (strategy) PrepareForCreate(ctx context.Context, obj runtime.Object) { + psp := obj.(*policy.PodSecurityPolicy) + + psputil.DropDisabledAlphaFields(&psp.Spec) } func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) { + newPsp := obj.(*policy.PodSecurityPolicy) + oldPsp := old.(*policy.PodSecurityPolicy) + + psputil.DropDisabledAlphaFields(&newPsp.Spec) + psputil.DropDisabledAlphaFields(&oldPsp.Spec) } func (strategy) Canonicalize(obj runtime.Object) { 
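Review bot: The final assertion in `TestDropAlphaProcMountType` can never fire: it is wrapped in `if utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType)` immediately after the gate was set to false, so the test passes even if `DropDisabledAlphaFields` leaves `AllowedProcMountTypes` in place. Drop the guard and assert directly, `if psp.Spec.AllowedProcMountTypes != nil { t.Error(...) }`, so the fail-closed path is actually covered. The first failure message also says `pvc.Spec` where `psp.Spec` is meant. The test leaves the process-wide `DefaultFeatureGate` at `ProcMountType=false` without restoring the earlier value, which can leak into other tests in the package.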
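Review bot: `PrepareForUpdate` clears the gated field on `old` as well as on `obj`, and nothing in the hunk says why; a short comment would help, e.g. `// Drop gated fields from both objects so the update is evaluated as if they had never been set.` (intent inferred, to be confirmed). The drop only runs on create and update, so a policy stored with `AllowedProcMountTypes` while the gate was on keeps the field in storage after the gate is turned off until it is next written; whether the enforcement path re-checks the gate is not visible in this patch. The type assertions `obj.(*policy.PodSecurityPolicy)` and `old.(*policy.PodSecurityPolicy)` are unchecked and panic on any other type. `Canonicalize` continues outside the hunk.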
diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
index 7e9a818a14e..893e0fdc727 100644
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
@@ -5198,9 +5198,10 @@ type SecurityContext struct {
 // 2) has CAP_SYS_ADMIN
 // +optional
 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
- // ProcMount denotes the type of proc mount to use for the containers.
+ // procMount denotes the type of proc mount to use for the containers.
 // The default is DefaultProcMount which uses the container runtime defaults for
 // readonly paths and masked paths.
+ // This requires the ProcMountType feature flag to be enabled.
 // +optional
 ProcMount *ProcMountType `json:"procMount,omitEmpty" protobuf:"bytes,9,opt,name=procMount"`
 }
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.go b/staging/src/k8s.io/api/extensions/v1beta1/types.go
index 475f9136b55..38e112d1e0e 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types.go
@@ -967,6 +967,7 @@ type PodSecurityPolicySpec struct {
 ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
 // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
 // Empty or nil indicates that only the DefaultProcMountType may be used.
+ // This requires the ProcMountType feature flag to be enabled.
 // +optional
 AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
 }
diff --git a/staging/src/k8s.io/api/policy/v1beta1/types.go b/staging/src/k8s.io/api/policy/v1beta1/types.go
index 07d6710f4fe..c1a2727509a 100644
--- a/staging/src/k8s.io/api/policy/v1beta1/types.go
+++ b/staging/src/k8s.io/api/policy/v1beta1/types.go
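Review bot: The struct tag on `ProcMount` reads `json:"procMount,omitEmpty"`; encoding/json option names are case-sensitive, so `omitEmpty` is not recognised and a nil `ProcMount` is serialised as `"procMount":null` instead of being omitted. This is a context line the commit leaves untouched while editing the comment directly above it; the tag should be `json:"procMount,omitempty"`, matching `AllowPrivilegeEscalation` a few lines up. The `SecurityContext` struct begins outside the hunk.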
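Review bot: The comment on `AllowedProcMountTypes` names `DefaultProcMountType`, but the constant shown in the pkg/apis/core/types.go hunk of this patch is `DefaultProcMount`; the policy/v1beta1 hunk carries the same wording. Suggest `// Empty or nil indicates that only the DefaultProcMount may be used.` in both files. The field is a slice, yet its protobuf tag says `opt` where the neighbouring `ForbiddenSysctls` slice says `rep`; that is worth confirming against the generated proto. The `PodSecurityPolicySpec` struct begins outside the hunk.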
@@ -223,6 +223,7 @@ type PodSecurityPolicySpec struct {
 ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
 // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
 // Empty or nil indicates that only the DefaultProcMountType may be used.
+ // This requires the ProcMountType feature flag to be enabled.
 // +optional
 AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
 }