address comments

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>

pkg/api/podsecuritypolicy/OWNERS

@@ -0,0 +1,3 @@
+reviewers:
+- smarterclayton
+- jessfraz

pkg/api/podsecuritypolicy/util.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package podsecuritypolicy
+
+import (
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/apis/policy"
+	"k8s.io/kubernetes/pkg/features"
+)
+
+// DropDisabledAlphaFields removes disabled fields from the pod security policy spec.
+// This should be called from PrepareForCreate/PrepareForUpdate for all resources containing a od security policy spec.
+func DropDisabledAlphaFields(pspSpec *policy.PodSecurityPolicySpec) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) {
+		pspSpec.AllowedProcMountTypes = nil
+	}
+}

pkg/api/podsecuritypolicy/util_test.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package podsecuritypolicy
+
+import (
+	"testing"
+
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/apis/policy"
+	"k8s.io/kubernetes/pkg/features"
+)
+
+func TestDropAlphaProcMountType(t *testing.T) {
+	// PodSecurityPolicy with AllowedProcMountTypes set
+	psp := policy.PodSecurityPolicy{
+		Spec: policy.PodSecurityPolicySpec{
+			AllowedProcMountTypes: []api.ProcMountType{api.UnmaskedProcMount},
+		},
+	}
+
+	// Enable alpha feature ProcMountType
+	err1 := utilfeature.DefaultFeatureGate.Set("ProcMountType=true")
+	if err1 != nil {
+		t.Fatalf("Failed to enable feature gate for ProcMountType: %v", err1)
+	}
+
+	// now test dropping the fields - should not be dropped
+	DropDisabledAlphaFields(&psp.Spec)
+
+	// check to make sure AllowedProcMountTypes is still present
+	// if featureset is set to true
+	if utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) {
+		if psp.Spec.AllowedProcMountTypes == nil {
+			t.Error("AllowedProcMountTypes in pvc.Spec should not have been dropped based on feature-gate")
+		}
+	}
+
+	// Disable alpha feature ProcMountType
+	err := utilfeature.DefaultFeatureGate.Set("ProcMountType=false")
+	if err != nil {
+		t.Fatalf("Failed to disable feature gate for ProcMountType: %v", err)
+	}
+
+	// now test dropping the fields
+	DropDisabledAlphaFields(&psp.Spec)
+
+	// check to make sure AllowedProcMountTypes is nil
+	// if featureset is set to false
+	if utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) {
+		if psp.Spec.AllowedProcMountTypes != nil {
+			t.Error("DropDisabledAlphaFields AllowedProcMountTypes for psp.Spec failed")
+		}
+	}
+}

pkg/apis/core/types.go

@@ -4632,7 +4632,7 @@ const (
 	DefaultProcMount ProcMountType = "Default"
 
 	// UnmaskedProcMount bypasses the default masking behavior of the container
-	// runtime and ensures the newly created /proc the container stays in tact with
+	// runtime and ensures the newly created /proc the container stays intact with
 	// no modifications.
 	UnmaskedProcMount ProcMountType = "Unmasked"
 )

pkg/registry/policy/podsecuritypolicy/strategy.go

@@ -24,6 +24,7 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/storage/names"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	psputil "k8s.io/kubernetes/pkg/api/podsecuritypolicy"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/apis/policy/validation"
 )
@@ -55,9 +56,17 @@ func (strategy) AllowUnconditionalUpdate() bool {
 }
 
 func (strategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
+	psp := obj.(*policy.PodSecurityPolicy)
+
+	psputil.DropDisabledAlphaFields(&psp.Spec)
 }
 
 func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
+	newPsp := obj.(*policy.PodSecurityPolicy)
+	oldPsp := old.(*policy.PodSecurityPolicy)
+
+	psputil.DropDisabledAlphaFields(&newPsp.Spec)
+	psputil.DropDisabledAlphaFields(&oldPsp.Spec)
 }
 
 func (strategy) Canonicalize(obj runtime.Object) {

staging/src/k8s.io/api/core/v1/types.go

@@ -5198,9 +5198,10 @@ type SecurityContext struct {
 	// 2) has CAP_SYS_ADMIN
 	// +optional
 	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
-	// ProcMount denotes the type of proc mount to use for the containers.
+	// procMount denotes the type of proc mount to use for the containers.
 	// The default is DefaultProcMount which uses the container runtime defaults for
 	// readonly paths and masked paths.
+	// This requires the ProcMountType feature flag to be enabled.
 	// +optional
 	ProcMount *ProcMountType `json:"procMount,omitEmpty" protobuf:"bytes,9,opt,name=procMount"`
 }

staging/src/k8s.io/api/extensions/v1beta1/types.go

@@ -967,6 +967,7 @@ type PodSecurityPolicySpec struct {
 	ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
 	// AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
 	// Empty or nil indicates that only the DefaultProcMountType may be used.
+	// This requires the ProcMountType feature flag to be enabled.
 	// +optional
 	AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
 }

staging/src/k8s.io/api/policy/v1beta1/types.go

@@ -223,6 +223,7 @@ type PodSecurityPolicySpec struct {
 	ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
 	// AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
 	// Empty or nil indicates that only the DefaultProcMountType may be used.
+	// This requires the ProcMountType feature flag to be enabled.
 	// +optional
 	AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
 }