Merge pull request #24600 from pweil-/psp

Automatic merge from submit-queue

PSP admission

```release-note
Update PodSecurityPolicy types and add admission controller that could enforce them
```

Still working on removing the non-relevant parts of the tests but I wanted to get this open to start soliciting feedback.

- [x] bring PSP up to date with any new features we've added to SCC for discussion
- [x] create admission controller that is a pared down version of SCC (no ns based strategies, no user/groups/service account permissioning)
- [x] fix tests

@liggitt @pmorie - this is the simple implementation requested that assumes all PSPs should be checked for each requests.  It is a slimmed down version of our SCC admission controller

@erictune @smarterclayton

pkg/client/unversioned/podsecuritypolicy.go

@@ -28,7 +28,7 @@ type PodSecurityPoliciesInterface interface {
 
 type PodSecurityPolicyInterface interface {
 	Get(name string) (result *extensions.PodSecurityPolicy, err error)
-	Create(scc *extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error)
+	Create(psp *extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error)
 	List(opts api.ListOptions) (*extensions.PodSecurityPolicyList, error)
 	Delete(name string) error
 	Update(*extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error)
@@ -45,11 +45,11 @@ func newPodSecurityPolicy(c *ExtensionsClient) *podSecurityPolicy {
 	return &podSecurityPolicy{c}
 }
 
-func (s *podSecurityPolicy) Create(scc *extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error) {
+func (s *podSecurityPolicy) Create(psp *extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error) {
 	result := &extensions.PodSecurityPolicy{}
 	err := s.client.Post().
 		Resource("podsecuritypolicies").
-		Body(scc).
+		Body(psp).
 		Do().
 		Into(result)
 

pkg/client/unversioned/podsecuritypolicy_test.go

@@ -29,7 +29,7 @@ import (
 
 func TestPodSecurityPolicyCreate(t *testing.T) {
 	ns := api.NamespaceNone
-	scc := &extensions.PodSecurityPolicy{
+	psp := &extensions.PodSecurityPolicy{
 		ObjectMeta: api.ObjectMeta{
 			Name: "abc",
 		},
@@ -40,18 +40,18 @@ func TestPodSecurityPolicyCreate(t *testing.T) {
 			Method: "POST",
 			Path:   testapi.Extensions.ResourcePath(getPSPResourcename(), ns, ""),
 			Query:  simple.BuildQueryValues(nil),
-			Body:   scc,
+			Body:   psp,
 		},
-		Response: simple.Response{StatusCode: 200, Body: scc},
+		Response: simple.Response{StatusCode: 200, Body: psp},
 	}
 
-	response, err := c.Setup(t).PodSecurityPolicies().Create(scc)
+	response, err := c.Setup(t).PodSecurityPolicies().Create(psp)
 	c.Validate(t, response, err)
 }
 
 func TestPodSecurityPolicyGet(t *testing.T) {
 	ns := api.NamespaceNone
-	scc := &extensions.PodSecurityPolicy{
+	psp := &extensions.PodSecurityPolicy{
 		ObjectMeta: api.ObjectMeta{
 			Name: "abc",
 		},
@@ -63,7 +63,7 @@ func TestPodSecurityPolicyGet(t *testing.T) {
 			Query:  simple.BuildQueryValues(nil),
 			Body:   nil,
 		},
-		Response: simple.Response{StatusCode: 200, Body: scc},
+		Response: simple.Response{StatusCode: 200, Body: psp},
 	}
 
 	response, err := c.Setup(t).PodSecurityPolicies().Get("abc")
@@ -72,7 +72,7 @@ func TestPodSecurityPolicyGet(t *testing.T) {
 
 func TestPodSecurityPolicyList(t *testing.T) {
 	ns := api.NamespaceNone
-	sccList := &extensions.PodSecurityPolicyList{
+	pspList := &extensions.PodSecurityPolicyList{
 		Items: []extensions.PodSecurityPolicy{
 			{
 				ObjectMeta: api.ObjectMeta{
@@ -88,7 +88,7 @@ func TestPodSecurityPolicyList(t *testing.T) {
 			Query:  simple.BuildQueryValues(nil),
 			Body:   nil,
 		},
-		Response: simple.Response{StatusCode: 200, Body: sccList},
+		Response: simple.Response{StatusCode: 200, Body: pspList},
 	}
 	response, err := c.Setup(t).PodSecurityPolicies().List(api.ListOptions{})
 	c.Validate(t, response, err)
@@ -96,7 +96,7 @@ func TestPodSecurityPolicyList(t *testing.T) {
 
 func TestPodSecurityPolicyUpdate(t *testing.T) {
 	ns := api.NamespaceNone
-	scc := &extensions.PodSecurityPolicy{
+	psp := &extensions.PodSecurityPolicy{
 		ObjectMeta: api.ObjectMeta{
 			Name:            "abc",
 			ResourceVersion: "1",
@@ -104,9 +104,9 @@ func TestPodSecurityPolicyUpdate(t *testing.T) {
 	}
 	c := &simple.Client{
 		Request:  simple.Request{Method: "PUT", Path: testapi.Extensions.ResourcePath(getPSPResourcename(), ns, "abc"), Query: simple.BuildQueryValues(nil)},
-		Response: simple.Response{StatusCode: 200, Body: scc},
+		Response: simple.Response{StatusCode: 200, Body: psp},
 	}
-	response, err := c.Setup(t).PodSecurityPolicies().Update(scc)
+	response, err := c.Setup(t).PodSecurityPolicies().Update(psp)
 	c.Validate(t, response, err)
 }
 

pkg/client/unversioned/testclient/fake_podsecuritypolicy.go

@@ -47,16 +47,16 @@ func (c *FakePodSecurityPolicy) Get(name string) (*extensions.PodSecurityPolicy,
 	return obj.(*extensions.PodSecurityPolicy), err
 }
 
-func (c *FakePodSecurityPolicy) Create(scc *extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error) {
-	obj, err := c.Fake.Invokes(NewCreateAction("podsecuritypolicies", c.Namespace, scc), &extensions.PodSecurityPolicy{})
+func (c *FakePodSecurityPolicy) Create(psp *extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error) {
+	obj, err := c.Fake.Invokes(NewCreateAction("podsecuritypolicies", c.Namespace, psp), &extensions.PodSecurityPolicy{})
 	if obj == nil {
 		return nil, err
 	}
 	return obj.(*extensions.PodSecurityPolicy), err
 }
 
-func (c *FakePodSecurityPolicy) Update(scc *extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error) {
-	obj, err := c.Fake.Invokes(NewUpdateAction("podsecuritypolicies", c.Namespace, scc), &extensions.PodSecurityPolicy{})
+func (c *FakePodSecurityPolicy) Update(psp *extensions.PodSecurityPolicy) (*extensions.PodSecurityPolicy, error) {
+	obj, err := c.Fake.Invokes(NewUpdateAction("podsecuritypolicies", c.Namespace, psp), &extensions.PodSecurityPolicy{})
 	if obj == nil {
 		return nil, err
 	}