Merge pull request #110459 from wangyysde/promote-pod-security-to-ga

PodSecurity: promote config and feature gate to GA

pkg/features/kube_features.go

@@ -611,6 +611,7 @@ const (
 	// owner: @liggitt, @tallclair, sig-auth
 	// alpha: v1.22
 	// beta: v1.23
+	// ga: v1.25
 	//
 	// Enables the PodSecurity admission plugin
 	PodSecurity featuregate.Feature = "PodSecurity"
@@ -962,7 +963,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	PodOverhead: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.26
 
-	PodSecurity: {Default: true, PreRelease: featuregate.Beta},
+	PodSecurity: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 
 	PreferNominatedNode: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.26
 

plugin/pkg/admission/security/podsecurity/admission.go

@@ -48,7 +48,6 @@ import (
 	"k8s.io/kubernetes/pkg/apis/apps"
 	"k8s.io/kubernetes/pkg/apis/batch"
 	"k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/features"
 	podsecurityadmission "k8s.io/pod-security-admission/admission"
 	podsecurityconfigloader "k8s.io/pod-security-admission/admission/api/load"
 	podsecurityadmissionapi "k8s.io/pod-security-admission/api"
@@ -70,7 +69,6 @@ func Register(plugins *admission.Plugins) {
 type Plugin struct {
 	*admission.Handler
 
-	enabled               bool
 	inspectedFeatureGates bool
 
 	client          kubernetes.Interface
@@ -152,7 +150,6 @@ func (p *Plugin) updateDelegate() {
 }
 
 func (c *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
-	c.enabled = featureGates.Enabled(features.PodSecurity)
 	c.inspectedFeatureGates = true
 }
 
@@ -178,9 +175,6 @@ var (
 )
 
 func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
-	if !p.enabled {
-		return nil
-	}
 	gr := a.GetResource().GroupResource()
 	if !applicableResources[gr] && !p.delegate.PodSpecExtractor.HasPodSpec(gr) {
 		return nil

plugin/pkg/admission/security/podsecurity/admission_test.go

@@ -34,12 +34,10 @@ import (
 	"k8s.io/apiserver/pkg/warning"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/apis/apps"
 	"k8s.io/kubernetes/pkg/apis/batch"
 	"k8s.io/kubernetes/pkg/apis/core"
 	v1 "k8s.io/kubernetes/pkg/apis/core/v1"
-	"k8s.io/kubernetes/pkg/features"
 	podsecurityadmission "k8s.io/pod-security-admission/admission"
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/yaml"
@@ -78,8 +76,6 @@ func TestConvert(t *testing.T) {
 }
 
 func BenchmarkVerifyPod(b *testing.B) {
-	defer featuregatetesting.SetFeatureGateDuringTest(b, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
-
 	p, err := newPlugin(nil)
 	if err != nil {
 		b.Fatal(err)
@@ -188,8 +184,6 @@ func BenchmarkVerifyPod(b *testing.B) {
 }
 
 func BenchmarkVerifyNamespace(b *testing.B) {
-	defer featuregatetesting.SetFeatureGateDuringTest(b, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
-
 	p, err := newPlugin(nil)
 	if err != nil {
 		b.Fatal(err)

staging/src/k8s.io/pod-security-admission/admission/api/load/load.go

@@ -24,7 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/pod-security-admission/admission/api"
 	"k8s.io/pod-security-admission/admission/api/scheme"
-	apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
+	apiv1 "k8s.io/pod-security-admission/admission/api/v1"
 )
 
 func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
@@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
 func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
 	if len(data) == 0 {
 		// no config provided, return default
-		externalConfig := &apiv1beta1.PodSecurityConfiguration{}
+		externalConfig := &apiv1.PodSecurityConfiguration{}
 		scheme.Scheme.Default(externalConfig)
 		internalConfig := &api.PodSecurityConfiguration{}
 		if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {

staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go

@@ -98,7 +98,7 @@ func TestLoadFromFile(t *testing.T) {
 		}
 	}
 
-	// valid file
+	// valid v1beta1 file
 	{
 		input := `{
 			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
@@ -121,6 +121,29 @@ func TestLoadFromFile(t *testing.T) {
 		}
 	}
 
+	// valid v1 file
+	{
+		input := `{
+			"apiVersion":"pod-security.admission.config.k8s.io/v1",
+			"kind":"PodSecurityConfiguration",
+			"defaults":{"enforce":"baseline"}}`
+		expect := &api.PodSecurityConfiguration{
+			Defaults: api.PodSecurityDefaults{
+				Enforce: "baseline", EnforceVersion: "latest",
+				Warn: "privileged", WarnVersion: "latest",
+				Audit: "privileged", AuditVersion: "latest",
+			},
+		}
+
+		config, err := LoadFromFile(writeTempFile(t, input))
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if !reflect.DeepEqual(config, expect) {
+			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+		}
+	}
+
 	// missing file
 	{
 		_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
@@ -218,6 +241,29 @@ func TestLoadFromReader(t *testing.T) {
 		}
 	}
 
+	// valid reader
+	{
+		input := `{
+			"apiVersion":"pod-security.admission.config.k8s.io/v1",
+			"kind":"PodSecurityConfiguration",
+			"defaults":{"enforce":"baseline"}}`
+		expect := &api.PodSecurityConfiguration{
+			Defaults: api.PodSecurityDefaults{
+				Enforce: "baseline", EnforceVersion: "latest",
+				Warn: "privileged", WarnVersion: "latest",
+				Audit: "privileged", AuditVersion: "latest",
+			},
+		}
+
+		config, err := LoadFromReader(bytes.NewBufferString(input))
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if !reflect.DeepEqual(config, expect) {
+			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+		}
+	}
+
 	// invalid reader
 	{
 		input := `{
@@ -311,6 +357,46 @@ exemptions:
 			data: []byte(`
 apiVersion: pod-security.admission.config.k8s.io/v1beta1
 kind: PodSecurityConfiguration
+defaults:
+  enforce: baseline
+  enforce-version: v1.7
+exemptions:
+  usernames: ["alice","bob"]
+  namespaces: ["kube-system"]
+  runtimeClasses: ["special"]
+`),
+			expectConfig: &api.PodSecurityConfiguration{
+				Defaults: api.PodSecurityDefaults{
+					Enforce: "baseline", EnforceVersion: "v1.7",
+					Warn: "privileged", WarnVersion: "latest",
+					Audit: "privileged", AuditVersion: "latest",
+				},
+				Exemptions: api.PodSecurityExemptions{
+					Usernames:      []string{"alice", "bob"},
+					Namespaces:     []string{"kube-system"},
+					RuntimeClasses: []string{"special"},
+				},
+			},
+		},
+		{
+			name: "v1 - json",
+			data: []byte(`{
+"apiVersion":"pod-security.admission.config.k8s.io/v1",
+"kind":"PodSecurityConfiguration",
+"defaults":{"enforce":"baseline"}}`),
+			expectConfig: &api.PodSecurityConfiguration{
+				Defaults: api.PodSecurityDefaults{
+					Enforce: "baseline", EnforceVersion: "latest",
+					Warn: "privileged", WarnVersion: "latest",
+					Audit: "privileged", AuditVersion: "latest",
+				},
+			},
+		},
+		{
+			name: "v1 - yaml",
+			data: []byte(`
+apiVersion: pod-security.admission.config.k8s.io/v1
+kind: PodSecurityConfiguration
 defaults:
   enforce: baseline
   enforce-version: v1.7

staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go

@@ -21,6 +21,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	podsecurityapi "k8s.io/pod-security-admission/admission/api"
+	podsecurityv1 "k8s.io/pod-security-admission/admission/api/v1"
 	podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
 	podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
@@ -42,5 +43,6 @@ func AddToScheme(scheme *runtime.Scheme) {
 	utilruntime.Must(podsecurityapi.AddToScheme(scheme))
 	utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
-	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
+	utilruntime.Must(podsecurityv1.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1.SchemeGroupVersion, podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
 }

staging/src/k8s.io/pod-security-admission/admission/api/v1/defaults.go

@@ -0,0 +1,48 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/pod-security-admission/api"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}
+
+func SetDefaults_PodSecurityDefaults(obj *PodSecurityDefaults) {
+	if len(obj.Enforce) == 0 {
+		obj.Enforce = string(api.LevelPrivileged)
+	}
+	if len(obj.Warn) == 0 {
+		obj.Warn = string(api.LevelPrivileged)
+	}
+	if len(obj.Audit) == 0 {
+		obj.Audit = string(api.LevelPrivileged)
+	}
+
+	if len(obj.EnforceVersion) == 0 {
+		obj.EnforceVersion = string(api.VersionLatest)
+	}
+	if len(obj.WarnVersion) == 0 {
+		obj.WarnVersion = string(api.VersionLatest)
+	}
+	if len(obj.AuditVersion) == 0 {
+		obj.AuditVersion = string(api.VersionLatest)
+	}
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1/defaults_test.go

@@ -0,0 +1,17 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1

staging/src/k8s.io/pod-security-admission/admission/api/v1/doc.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/pod-security-admission/admission/api
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=pod-security.admission.config.k8s.io
+
+// Package v1 contains PodSecurity admission configuration file types
+package v1

staging/src/k8s.io/pod-security-admission/admission/api/v1/register.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "pod-security.admission.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+var (
+	// SchemeBuilder is a pointer used to call AddToScheme
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	// AddToScheme is used to register the types to API encoding/decoding machinery
+	AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&PodSecurityConfiguration{},
+	)
+	return nil
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1/types.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type PodSecurityConfiguration struct {
+	metav1.TypeMeta
+	Defaults   PodSecurityDefaults   `json:"defaults"`
+	Exemptions PodSecurityExemptions `json:"exemptions"`
+}
+
+type PodSecurityDefaults struct {
+	Enforce        string `json:"enforce,omitempty"`
+	EnforceVersion string `json:"enforce-version,omitempty"`
+	Audit          string `json:"audit,omitempty"`
+	AuditVersion   string `json:"audit-version,omitempty"`
+	Warn           string `json:"warn,omitempty"`
+	WarnVersion    string `json:"warn-version,omitempty"`
+}
+
+type PodSecurityExemptions struct {
+	Usernames      []string `json:"usernames,omitempty"`
+	Namespaces     []string `json:"namespaces,omitempty"`
+	RuntimeClasses []string `json:"runtimeClasses,omitempty"`
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1/zz_generated.conversion.go

@@ -0,0 +1,154 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	unsafe "unsafe"
+
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	api "k8s.io/pod-security-admission/admission/api"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*PodSecurityConfiguration)(nil), (*api.PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(a.(*PodSecurityConfiguration), b.(*api.PodSecurityConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*api.PodSecurityConfiguration)(nil), (*PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_api_PodSecurityConfiguration_To_v1_PodSecurityConfiguration(a.(*api.PodSecurityConfiguration), b.(*PodSecurityConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*PodSecurityDefaults)(nil), (*api.PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_PodSecurityDefaults_To_api_PodSecurityDefaults(a.(*PodSecurityDefaults), b.(*api.PodSecurityDefaults), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*api.PodSecurityDefaults)(nil), (*PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_api_PodSecurityDefaults_To_v1_PodSecurityDefaults(a.(*api.PodSecurityDefaults), b.(*PodSecurityDefaults), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*PodSecurityExemptions)(nil), (*api.PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_PodSecurityExemptions_To_api_PodSecurityExemptions(a.(*PodSecurityExemptions), b.(*api.PodSecurityExemptions), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*api.PodSecurityExemptions)(nil), (*PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_api_PodSecurityExemptions_To_v1_PodSecurityExemptions(a.(*api.PodSecurityExemptions), b.(*PodSecurityExemptions), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error {
+	if err := Convert_v1_PodSecurityDefaults_To_api_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil {
+		return err
+	}
+	if err := Convert_v1_PodSecurityExemptions_To_api_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1_PodSecurityConfiguration_To_api_PodSecurityConfiguration is an autogenerated conversion function.
+func Convert_v1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error {
+	return autoConvert_v1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in, out, s)
+}
+
+func autoConvert_api_PodSecurityConfiguration_To_v1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error {
+	if err := Convert_api_PodSecurityDefaults_To_v1_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil {
+		return err
+	}
+	if err := Convert_api_PodSecurityExemptions_To_v1_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_api_PodSecurityConfiguration_To_v1_PodSecurityConfiguration is an autogenerated conversion function.
+func Convert_api_PodSecurityConfiguration_To_v1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error {
+	return autoConvert_api_PodSecurityConfiguration_To_v1_PodSecurityConfiguration(in, out, s)
+}
+
+func autoConvert_v1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error {
+	out.Enforce = in.Enforce
+	out.EnforceVersion = in.EnforceVersion
+	out.Audit = in.Audit
+	out.AuditVersion = in.AuditVersion
+	out.Warn = in.Warn
+	out.WarnVersion = in.WarnVersion
+	return nil
+}
+
+// Convert_v1_PodSecurityDefaults_To_api_PodSecurityDefaults is an autogenerated conversion function.
+func Convert_v1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error {
+	return autoConvert_v1_PodSecurityDefaults_To_api_PodSecurityDefaults(in, out, s)
+}
+
+func autoConvert_api_PodSecurityDefaults_To_v1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error {
+	out.Enforce = in.Enforce
+	out.EnforceVersion = in.EnforceVersion
+	out.Audit = in.Audit
+	out.AuditVersion = in.AuditVersion
+	out.Warn = in.Warn
+	out.WarnVersion = in.WarnVersion
+	return nil
+}
+
+// Convert_api_PodSecurityDefaults_To_v1_PodSecurityDefaults is an autogenerated conversion function.
+func Convert_api_PodSecurityDefaults_To_v1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error {
+	return autoConvert_api_PodSecurityDefaults_To_v1_PodSecurityDefaults(in, out, s)
+}
+
+func autoConvert_v1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error {
+	out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames))
+	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
+	out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses))
+	return nil
+}
+
+// Convert_v1_PodSecurityExemptions_To_api_PodSecurityExemptions is an autogenerated conversion function.
+func Convert_v1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error {
+	return autoConvert_v1_PodSecurityExemptions_To_api_PodSecurityExemptions(in, out, s)
+}
+
+func autoConvert_api_PodSecurityExemptions_To_v1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error {
+	out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames))
+	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
+	out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses))
+	return nil
+}
+
+// Convert_api_PodSecurityExemptions_To_v1_PodSecurityExemptions is an autogenerated conversion function.
+func Convert_api_PodSecurityExemptions_To_v1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error {
+	return autoConvert_api_PodSecurityExemptions_To_v1_PodSecurityExemptions(in, out, s)
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1/zz_generated.deepcopy.go

@@ -0,0 +1,100 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityConfiguration) DeepCopyInto(out *PodSecurityConfiguration) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.Defaults = in.Defaults
+	in.Exemptions.DeepCopyInto(&out.Exemptions)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityConfiguration.
+func (in *PodSecurityConfiguration) DeepCopy() *PodSecurityConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodSecurityConfiguration) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityDefaults) DeepCopyInto(out *PodSecurityDefaults) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityDefaults.
+func (in *PodSecurityDefaults) DeepCopy() *PodSecurityDefaults {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityDefaults)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityExemptions) DeepCopyInto(out *PodSecurityExemptions) {
+	*out = *in
+	if in.Usernames != nil {
+		in, out := &in.Usernames, &out.Usernames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Namespaces != nil {
+		in, out := &in.Namespaces, &out.Namespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.RuntimeClasses != nil {
+		in, out := &in.RuntimeClasses, &out.RuntimeClasses
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityExemptions.
+func (in *PodSecurityExemptions) DeepCopy() *PodSecurityExemptions {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityExemptions)
+	in.DeepCopyInto(out)
+	return out
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1/zz_generated.defaults.go

@@ -0,0 +1,38 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	scheme.AddTypeDefaultingFunc(&PodSecurityConfiguration{}, func(obj interface{}) { SetObjectDefaults_PodSecurityConfiguration(obj.(*PodSecurityConfiguration)) })
+	return nil
+}
+
+func SetObjectDefaults_PodSecurityConfiguration(in *PodSecurityConfiguration) {
+	SetDefaults_PodSecurityDefaults(&in.Defaults)
+}

test/integration/auth/podsecurity_test.go

@@ -55,8 +55,6 @@ func TestPodSecurity(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)()
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)()
-	// Ensure the PodSecurity feature is enabled
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
 	// Start server
 	server := startPodSecurityServer(t)
 	opts := podsecuritytest.Options{
@@ -82,8 +80,6 @@ func TestPodSecurityGAOnly(t *testing.T) {
 			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, k, false)()
 		}
 	}
-	// Ensure PodSecurity feature is enabled
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
 	// Start server
 	server := startPodSecurityServer(t)
 

vendor/modules.txt

@@ -2389,6 +2389,7 @@ k8s.io/pod-security-admission/admission
 k8s.io/pod-security-admission/admission/api
 k8s.io/pod-security-admission/admission/api/load
 k8s.io/pod-security-admission/admission/api/scheme
+k8s.io/pod-security-admission/admission/api/v1
 k8s.io/pod-security-admission/admission/api/v1alpha1
 k8s.io/pod-security-admission/admission/api/v1beta1
 k8s.io/pod-security-admission/admission/api/validation