mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-07 03:03:59 +00:00
Merge pull request #120567 from skitt/drop-deprecated-pointer-kubeadm
kubeadm: drop deprecated pointer package
commit
51a8ee26f2
@ -23,7 +23,7 @@ import (
|
|||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
kubeletconfig "k8s.io/kubelet/config/v1beta1"
|
kubeletconfig "k8s.io/kubelet/config/v1beta1"
|
||||||
"k8s.io/utils/pointer"
|
"k8s.io/utils/ptr"
|
||||||
|
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
kubeadmapiv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
kubeadmapiv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||||
@ -151,7 +151,7 @@ func (kc *kubeletConfig) Default(cfg *kubeadmapi.ClusterConfiguration, _ *kubead
|
|||||||
}
|
}
|
||||||
|
|
||||||
if kc.config.Authentication.Anonymous.Enabled == nil {
|
if kc.config.Authentication.Anonymous.Enabled == nil {
|
||||||
kc.config.Authentication.Anonymous.Enabled = pointer.Bool(kubeletAuthenticationAnonymousEnabled)
|
kc.config.Authentication.Anonymous.Enabled = ptr.To(kubeletAuthenticationAnonymousEnabled)
|
||||||
} else if *kc.config.Authentication.Anonymous.Enabled {
|
} else if *kc.config.Authentication.Anonymous.Enabled {
|
||||||
warnDefaultComponentConfigValue(kind, "authentication.anonymous.enabled", kubeletAuthenticationAnonymousEnabled, *kc.config.Authentication.Anonymous.Enabled)
|
warnDefaultComponentConfigValue(kind, "authentication.anonymous.enabled", kubeletAuthenticationAnonymousEnabled, *kc.config.Authentication.Anonymous.Enabled)
|
||||||
}
|
}
|
||||||
@ -166,7 +166,7 @@ func (kc *kubeletConfig) Default(cfg *kubeadmapi.ClusterConfiguration, _ *kubead
|
|||||||
|
|
||||||
// Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
|
// Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
|
||||||
if kc.config.Authentication.Webhook.Enabled == nil {
|
if kc.config.Authentication.Webhook.Enabled == nil {
|
||||||
kc.config.Authentication.Webhook.Enabled = pointer.Bool(kubeletAuthenticationWebhookEnabled)
|
kc.config.Authentication.Webhook.Enabled = ptr.To(kubeletAuthenticationWebhookEnabled)
|
||||||
} else if !*kc.config.Authentication.Webhook.Enabled {
|
} else if !*kc.config.Authentication.Webhook.Enabled {
|
||||||
warnDefaultComponentConfigValue(kind, "authentication.webhook.enabled", kubeletAuthenticationWebhookEnabled, *kc.config.Authentication.Webhook.Enabled)
|
warnDefaultComponentConfigValue(kind, "authentication.webhook.enabled", kubeletAuthenticationWebhookEnabled, *kc.config.Authentication.Webhook.Enabled)
|
||||||
}
|
}
|
||||||
@ -179,7 +179,7 @@ func (kc *kubeletConfig) Default(cfg *kubeadmapi.ClusterConfiguration, _ *kubead
|
|||||||
}
|
}
|
||||||
|
|
||||||
if kc.config.HealthzPort == nil {
|
if kc.config.HealthzPort == nil {
|
||||||
kc.config.HealthzPort = pointer.Int32(constants.KubeletHealthzPort)
|
kc.config.HealthzPort = ptr.To[int32](constants.KubeletHealthzPort)
|
||||||
} else if *kc.config.HealthzPort != constants.KubeletHealthzPort {
|
} else if *kc.config.HealthzPort != constants.KubeletHealthzPort {
|
||||||
warnDefaultComponentConfigValue(kind, "healthzPort", constants.KubeletHealthzPort, *kc.config.HealthzPort)
|
warnDefaultComponentConfigValue(kind, "healthzPort", constants.KubeletHealthzPort, *kc.config.HealthzPort)
|
||||||
}
|
}
|
||||||
@ -203,7 +203,7 @@ func (kc *kubeletConfig) Default(cfg *kubeadmapi.ClusterConfiguration, _ *kubead
|
|||||||
}
|
}
|
||||||
if ok {
|
if ok {
|
||||||
if kc.config.ResolverConfig == nil {
|
if kc.config.ResolverConfig == nil {
|
||||||
kc.config.ResolverConfig = pointer.String(kubeletSystemdResolverConfig)
|
kc.config.ResolverConfig = ptr.To(kubeletSystemdResolverConfig)
|
||||||
} else {
|
} else {
|
||||||
if *kc.config.ResolverConfig != kubeletSystemdResolverConfig {
|
if *kc.config.ResolverConfig != kubeletSystemdResolverConfig {
|
||||||
warnDefaultComponentConfigValue(kind, "resolvConf", kubeletSystemdResolverConfig, *kc.config.ResolverConfig)
|
warnDefaultComponentConfigValue(kind, "resolvConf", kubeletSystemdResolverConfig, *kc.config.ResolverConfig)
|
||||||
|
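Review bot: In the `authentication.anonymous.enabled` branch of Default, a user-supplied `true` is kept and only passed to `warnDefaultComponentConfigValue`, and nothing in the visible lines says that keeping anonymous access to the kubelet API is intended rather than an oversight. A comment above the `else if` would settle it, for example `// A user-supplied value wins; enabling anonymous kubelet access is reported, not rejected.` The same applies to the `authentication.webhook.enabled` branch, where an explicit `false` is kept. What `warnDefaultComponentConfigValue` does is not visible here, so the wording should be checked against it; Default's body starts and ends outside these hunks.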
@ -29,7 +29,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
clientsetfake "k8s.io/client-go/kubernetes/fake"
|
clientsetfake "k8s.io/client-go/kubernetes/fake"
|
||||||
kubeletconfig "k8s.io/kubelet/config/v1beta1"
|
kubeletconfig "k8s.io/kubelet/config/v1beta1"
|
||||||
"k8s.io/utils/pointer"
|
"k8s.io/utils/ptr"
|
||||||
|
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
kubeadmapiv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
kubeadmapiv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||||
@ -52,7 +52,7 @@ func TestKubeletDefault(t *testing.T) {
|
|||||||
var resolverConfig *string
|
var resolverConfig *string
|
||||||
if isSystemdResolvedActive, _ := isServiceActive("systemd-resolved"); isSystemdResolvedActive {
|
if isSystemdResolvedActive, _ := isServiceActive("systemd-resolved"); isSystemdResolvedActive {
|
||||||
// If systemd-resolved is active, we need to set the default resolver config
|
// If systemd-resolved is active, we need to set the default resolver config
|
||||||
resolverConfig = pointer.String(kubeletSystemdResolverConfig)
|
resolverConfig = ptr.To(kubeletSystemdResolverConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
@ -73,17 +73,17 @@ func TestKubeletDefault(t *testing.T) {
|
|||||||
ClientCAFile: constants.CACertName,
|
ClientCAFile: constants.CACertName,
|
||||||
},
|
},
|
||||||
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationAnonymousEnabled),
|
Enabled: ptr.To(kubeletAuthenticationAnonymousEnabled),
|
||||||
},
|
},
|
||||||
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationWebhookEnabled),
|
Enabled: ptr.To(kubeletAuthenticationWebhookEnabled),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Authorization: kubeletconfig.KubeletAuthorization{
|
Authorization: kubeletconfig.KubeletAuthorization{
|
||||||
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
||||||
},
|
},
|
||||||
HealthzBindAddress: kubeletHealthzBindAddress,
|
HealthzBindAddress: kubeletHealthzBindAddress,
|
||||||
HealthzPort: pointer.Int32(constants.KubeletHealthzPort),
|
HealthzPort: ptr.To[int32](constants.KubeletHealthzPort),
|
||||||
RotateCertificates: kubeletRotateCertificates,
|
RotateCertificates: kubeletRotateCertificates,
|
||||||
ResolverConfig: resolverConfig,
|
ResolverConfig: resolverConfig,
|
||||||
CgroupDriver: constants.CgroupDriverSystemd,
|
CgroupDriver: constants.CgroupDriverSystemd,
|
||||||
@ -107,17 +107,17 @@ func TestKubeletDefault(t *testing.T) {
|
|||||||
ClientCAFile: constants.CACertName,
|
ClientCAFile: constants.CACertName,
|
||||||
},
|
},
|
||||||
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationAnonymousEnabled),
|
Enabled: ptr.To(kubeletAuthenticationAnonymousEnabled),
|
||||||
},
|
},
|
||||||
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationWebhookEnabled),
|
Enabled: ptr.To(kubeletAuthenticationWebhookEnabled),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Authorization: kubeletconfig.KubeletAuthorization{
|
Authorization: kubeletconfig.KubeletAuthorization{
|
||||||
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
||||||
},
|
},
|
||||||
HealthzBindAddress: kubeletHealthzBindAddress,
|
HealthzBindAddress: kubeletHealthzBindAddress,
|
||||||
HealthzPort: pointer.Int32(constants.KubeletHealthzPort),
|
HealthzPort: ptr.To[int32](constants.KubeletHealthzPort),
|
||||||
RotateCertificates: kubeletRotateCertificates,
|
RotateCertificates: kubeletRotateCertificates,
|
||||||
ResolverConfig: resolverConfig,
|
ResolverConfig: resolverConfig,
|
||||||
CgroupDriver: constants.CgroupDriverSystemd,
|
CgroupDriver: constants.CgroupDriverSystemd,
|
||||||
@ -141,17 +141,17 @@ func TestKubeletDefault(t *testing.T) {
|
|||||||
ClientCAFile: constants.CACertName,
|
ClientCAFile: constants.CACertName,
|
||||||
},
|
},
|
||||||
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationAnonymousEnabled),
|
Enabled: ptr.To(kubeletAuthenticationAnonymousEnabled),
|
||||||
},
|
},
|
||||||
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationWebhookEnabled),
|
Enabled: ptr.To(kubeletAuthenticationWebhookEnabled),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Authorization: kubeletconfig.KubeletAuthorization{
|
Authorization: kubeletconfig.KubeletAuthorization{
|
||||||
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
||||||
},
|
},
|
||||||
HealthzBindAddress: kubeletHealthzBindAddress,
|
HealthzBindAddress: kubeletHealthzBindAddress,
|
||||||
HealthzPort: pointer.Int32(constants.KubeletHealthzPort),
|
HealthzPort: ptr.To[int32](constants.KubeletHealthzPort),
|
||||||
RotateCertificates: kubeletRotateCertificates,
|
RotateCertificates: kubeletRotateCertificates,
|
||||||
ResolverConfig: resolverConfig,
|
ResolverConfig: resolverConfig,
|
||||||
CgroupDriver: constants.CgroupDriverSystemd,
|
CgroupDriver: constants.CgroupDriverSystemd,
|
||||||
@ -176,17 +176,17 @@ func TestKubeletDefault(t *testing.T) {
|
|||||||
ClientCAFile: constants.CACertName,
|
ClientCAFile: constants.CACertName,
|
||||||
},
|
},
|
||||||
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationAnonymousEnabled),
|
Enabled: ptr.To(kubeletAuthenticationAnonymousEnabled),
|
||||||
},
|
},
|
||||||
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationWebhookEnabled),
|
Enabled: ptr.To(kubeletAuthenticationWebhookEnabled),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Authorization: kubeletconfig.KubeletAuthorization{
|
Authorization: kubeletconfig.KubeletAuthorization{
|
||||||
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
||||||
},
|
},
|
||||||
HealthzBindAddress: kubeletHealthzBindAddress,
|
HealthzBindAddress: kubeletHealthzBindAddress,
|
||||||
HealthzPort: pointer.Int32(constants.KubeletHealthzPort),
|
HealthzPort: ptr.To[int32](constants.KubeletHealthzPort),
|
||||||
RotateCertificates: kubeletRotateCertificates,
|
RotateCertificates: kubeletRotateCertificates,
|
||||||
ResolverConfig: resolverConfig,
|
ResolverConfig: resolverConfig,
|
||||||
CgroupDriver: constants.CgroupDriverSystemd,
|
CgroupDriver: constants.CgroupDriverSystemd,
|
||||||
@ -208,17 +208,17 @@ func TestKubeletDefault(t *testing.T) {
|
|||||||
ClientCAFile: filepath.Join("/path/to/certs", constants.CACertName),
|
ClientCAFile: filepath.Join("/path/to/certs", constants.CACertName),
|
||||||
},
|
},
|
||||||
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
Anonymous: kubeletconfig.KubeletAnonymousAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationAnonymousEnabled),
|
Enabled: ptr.To(kubeletAuthenticationAnonymousEnabled),
|
||||||
},
|
},
|
||||||
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
Webhook: kubeletconfig.KubeletWebhookAuthentication{
|
||||||
Enabled: pointer.Bool(kubeletAuthenticationWebhookEnabled),
|
Enabled: ptr.To(kubeletAuthenticationWebhookEnabled),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Authorization: kubeletconfig.KubeletAuthorization{
|
Authorization: kubeletconfig.KubeletAuthorization{
|
||||||
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
Mode: kubeletconfig.KubeletAuthorizationModeWebhook,
|
||||||
},
|
},
|
||||||
HealthzBindAddress: kubeletHealthzBindAddress,
|
HealthzBindAddress: kubeletHealthzBindAddress,
|
||||||
HealthzPort: pointer.Int32(constants.KubeletHealthzPort),
|
HealthzPort: ptr.To[int32](constants.KubeletHealthzPort),
|
||||||
RotateCertificates: kubeletRotateCertificates,
|
RotateCertificates: kubeletRotateCertificates,
|
||||||
ResolverConfig: resolverConfig,
|
ResolverConfig: resolverConfig,
|
||||||
CgroupDriver: constants.CgroupDriverSystemd,
|
CgroupDriver: constants.CgroupDriverSystemd,
|
||||||
|
@ -24,7 +24,7 @@ import (
|
|||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
kubeletconfig "k8s.io/kubelet/config/v1beta1"
|
kubeletconfig "k8s.io/kubelet/config/v1beta1"
|
||||||
utilpointer "k8s.io/utils/pointer"
|
"k8s.io/utils/ptr"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Mutate modifies absolute path fields in the KubeletConfiguration to be Windows compatible absolute paths.
|
// Mutate modifies absolute path fields in the KubeletConfiguration to be Windows compatible absolute paths.
|
||||||
@ -70,7 +70,7 @@ func mutatePaths(cfg *kubeletconfig.KubeletConfiguration, drive string) {
|
|||||||
|
|
||||||
// Mutate the fields we care about.
|
// Mutate the fields we care about.
|
||||||
klog.V(2).Infof("[componentconfig] kubelet/Windows: changing field \"resolverConfig\" to empty")
|
klog.V(2).Infof("[componentconfig] kubelet/Windows: changing field \"resolverConfig\" to empty")
|
||||||
cfg.ResolverConfig = utilpointer.String("")
|
cfg.ResolverConfig = ptr.To("")
|
||||||
mutateStringField("staticPodPath", &cfg.StaticPodPath)
|
mutateStringField("staticPodPath", &cfg.StaticPodPath)
|
||||||
mutateStringField("authentication.x509.clientCAFile", &cfg.Authentication.X509.ClientCAFile)
|
mutateStringField("authentication.x509.clientCAFile", &cfg.Authentication.X509.ClientCAFile)
|
||||||
}
|
}
|
||||||
|
@ -22,7 +22,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
kubeletconfig "k8s.io/kubelet/config/v1beta1"
|
kubeletconfig "k8s.io/kubelet/config/v1beta1"
|
||||||
utilpointer "k8s.io/utils/pointer"
|
"k8s.io/utils/ptr"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestMutatePaths(t *testing.T) {
|
func TestMutatePaths(t *testing.T) {
|
||||||
@ -46,7 +46,7 @@ func TestMutatePaths(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
expected: &kubeletconfig.KubeletConfiguration{
|
expected: &kubeletconfig.KubeletConfiguration{
|
||||||
ResolverConfig: utilpointer.String(""),
|
ResolverConfig: ptr.To(""),
|
||||||
StaticPodPath: filepath.Join(drive, "/foo/staticpods"),
|
StaticPodPath: filepath.Join(drive, "/foo/staticpods"),
|
||||||
Authentication: kubeletconfig.KubeletAuthentication{
|
Authentication: kubeletconfig.KubeletAuthentication{
|
||||||
X509: kubeletconfig.KubeletX509Authentication{
|
X509: kubeletconfig.KubeletX509Authentication{
|
||||||
@ -67,7 +67,7 @@ func TestMutatePaths(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
expected: &kubeletconfig.KubeletConfiguration{
|
expected: &kubeletconfig.KubeletConfiguration{
|
||||||
ResolverConfig: utilpointer.String(""),
|
ResolverConfig: ptr.To(""),
|
||||||
StaticPodPath: "./foo/staticpods",
|
StaticPodPath: "./foo/staticpods",
|
||||||
Authentication: kubeletconfig.KubeletAuthentication{
|
Authentication: kubeletconfig.KubeletAuthentication{
|
||||||
X509: kubeletconfig.KubeletX509Authentication{
|
X509: kubeletconfig.KubeletX509Authentication{
|
||||||
|
@ -32,7 +32,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
"k8s.io/utils/pointer"
|
"k8s.io/utils/ptr"
|
||||||
|
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
@ -112,14 +112,14 @@ func createJob(client clientset.Interface, cfg *kubeadmapi.ClusterConfiguration)
|
|||||||
Namespace: ns,
|
Namespace: ns,
|
||||||
},
|
},
|
||||||
Spec: batchv1.JobSpec{
|
Spec: batchv1.JobSpec{
|
||||||
BackoffLimit: pointer.Int32(0),
|
BackoffLimit: ptr.To[int32](0),
|
||||||
Template: v1.PodTemplateSpec{
|
Template: v1.PodTemplateSpec{
|
||||||
Spec: v1.PodSpec{
|
Spec: v1.PodSpec{
|
||||||
RestartPolicy: v1.RestartPolicyNever,
|
RestartPolicy: v1.RestartPolicyNever,
|
||||||
SecurityContext: &v1.PodSecurityContext{
|
SecurityContext: &v1.PodSecurityContext{
|
||||||
RunAsUser: pointer.Int64(999),
|
RunAsUser: ptr.To[int64](999),
|
||||||
RunAsGroup: pointer.Int64(999),
|
RunAsGroup: ptr.To[int64](999),
|
||||||
RunAsNonRoot: pointer.Bool(true),
|
RunAsNonRoot: ptr.To(true),
|
||||||
},
|
},
|
||||||
Tolerations: []v1.Toleration{
|
Tolerations: []v1.Toleration{
|
||||||
{
|
{
|
||||||
|
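Review bot: The UID and GID in the Job's PodSecurityContext are the bare literal 999 written twice (`RunAsUser: ptr.To[int64](999)`, `RunAsGroup: ptr.To[int64](999)`), with nothing saying why that id was chosen or that it has to stay non-zero for `RunAsNonRoot: ptr.To(true)` to let the pod start. A named constant would keep the two in step, e.g. `const healthCheckJobUID int64 = 999` (name constructed for this note) with `RunAsUser: ptr.To(healthCheckJobUID)`, which also makes the explicit type argument unnecessary. createJob's body starts and ends outside the hunk, so whether the container itself sets allowPrivilegeEscalation or drops capabilities cannot be judged from these lines.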
@ -26,7 +26,7 @@ import (
|
|||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
v1 "k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/utils/pointer"
|
"k8s.io/utils/ptr"
|
||||||
|
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
@ -140,7 +140,7 @@ func runKubeControllerManagerAsNonRoot(pod *v1.Pod, runAsUser, runAsGroup, suppl
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
|
pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
|
||||||
AllowPrivilegeEscalation: pointer.Bool(false),
|
AllowPrivilegeEscalation: ptr.To(false),
|
||||||
Capabilities: &v1.Capabilities{
|
Capabilities: &v1.Capabilities{
|
||||||
// We drop all capabilities that are added by default.
|
// We drop all capabilities that are added by default.
|
||||||
Drop: []v1.Capability{"ALL"},
|
Drop: []v1.Capability{"ALL"},
|
||||||
@ -159,7 +159,7 @@ func runKubeSchedulerAsNonRoot(pod *v1.Pod, runAsUser, runAsGroup *int64, update
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
|
pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
|
||||||
AllowPrivilegeEscalation: pointer.Bool(false),
|
AllowPrivilegeEscalation: ptr.To(false),
|
||||||
// We drop all capabilities that are added by default.
|
// We drop all capabilities that are added by default.
|
||||||
Capabilities: &v1.Capabilities{
|
Capabilities: &v1.Capabilities{
|
||||||
Drop: []v1.Capability{"ALL"},
|
Drop: []v1.Capability{"ALL"},
|
||||||
@ -184,7 +184,7 @@ func runEtcdAsNonRoot(pod *v1.Pod, runAsUser, runAsGroup *int64, updatePathOwner
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
|
pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
|
||||||
AllowPrivilegeEscalation: pointer.Bool(false),
|
AllowPrivilegeEscalation: ptr.To(false),
|
||||||
// We drop all capabilities that are added by default.
|
// We drop all capabilities that are added by default.
|
||||||
Capabilities: &v1.Capabilities{
|
Capabilities: &v1.Capabilities{
|
||||||
Drop: []v1.Capability{"ALL"},
|
Drop: []v1.Capability{"ALL"},
|
||||||
|
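Review bot: The same container hardening literal (`AllowPrivilegeEscalation: ptr.To(false)` plus `Drop: []v1.Capability{"ALL"}`) is written out in runKubeControllerManagerAsNonRoot, runKubeSchedulerAsNonRoot and runEtcdAsNonRoot, so a later tightening has to be made three times and can be missed in one of them. If the parts of the three literals that fall outside the hunks match as well, one small helper could build the context and each function would assign its result to `pod.Spec.Containers[0].SecurityContext`. The helper name below is constructed for this note, and all three function bodies start and end outside their hunks.

```go
// nonRootContainerSecurityContext returns the hardening shared by the
// static pods that kubeadm runs as non-root.
func nonRootContainerSecurityContext() *v1.SecurityContext {
	return &v1.SecurityContext{
		AllowPrivilegeEscalation: ptr.To(false),
		Capabilities: &v1.Capabilities{
			// We drop all capabilities that are added by default.
			Drop: []v1.Capability{"ALL"},
		},
	}
}
```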
@ -25,7 +25,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
v1 "k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/utils/pointer"
|
"k8s.io/utils/ptr"
|
||||||
|
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
@ -40,8 +40,8 @@ type ownerAndPermissions struct {
|
|||||||
func verifyPodSecurityContext(t *testing.T, pod *v1.Pod, wantRunAsUser, wantRunAsGroup int64, wantSupGroup []int64) {
|
func verifyPodSecurityContext(t *testing.T, pod *v1.Pod, wantRunAsUser, wantRunAsGroup int64, wantSupGroup []int64) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
wantPodSecurityContext := &v1.PodSecurityContext{
|
wantPodSecurityContext := &v1.PodSecurityContext{
|
||||||
RunAsUser: pointer.Int64(wantRunAsUser),
|
RunAsUser: ptr.To(wantRunAsUser),
|
||||||
RunAsGroup: pointer.Int64(wantRunAsGroup),
|
RunAsGroup: ptr.To(wantRunAsGroup),
|
||||||
SupplementalGroups: wantSupGroup,
|
SupplementalGroups: wantSupGroup,
|
||||||
SeccompProfile: &v1.SeccompProfile{
|
SeccompProfile: &v1.SeccompProfile{
|
||||||
Type: v1.SeccompProfileTypeRuntimeDefault,
|
Type: v1.SeccompProfileTypeRuntimeDefault,
|
||||||
@ -109,7 +109,7 @@ func TestRunKubeControllerManagerAsNonRoot(t *testing.T) {
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
verifyPodSecurityContext(t, &pod, runAsUser, runAsGroup, []int64{supGroup})
|
verifyPodSecurityContext(t, &pod, runAsUser, runAsGroup, []int64{supGroup})
|
||||||
verifyContainerSecurityContext(t, pod.Spec.Containers[0], nil, []v1.Capability{"ALL"}, pointer.Bool(false))
|
verifyContainerSecurityContext(t, pod.Spec.Containers[0], nil, []v1.Capability{"ALL"}, ptr.To(false))
|
||||||
wantUpdateFiles := map[string]ownerAndPermissions{
|
wantUpdateFiles := map[string]ownerAndPermissions{
|
||||||
filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName): {uid: runAsUser, gid: runAsGroup, permissions: 0600},
|
filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName): {uid: runAsUser, gid: runAsGroup, permissions: 0600},
|
||||||
filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName): {uid: 0, gid: supGroup, permissions: 0640},
|
filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName): {uid: 0, gid: supGroup, permissions: 0640},
|
||||||
@ -129,7 +129,7 @@ func TestRunKubeSchedulerAsNonRoot(t *testing.T) {
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
verifyPodSecurityContext(t, &pod, runAsUser, runAsGroup, nil)
|
verifyPodSecurityContext(t, &pod, runAsUser, runAsGroup, nil)
|
||||||
verifyContainerSecurityContext(t, pod.Spec.Containers[0], nil, []v1.Capability{"ALL"}, pointer.Bool(false))
|
verifyContainerSecurityContext(t, pod.Spec.Containers[0], nil, []v1.Capability{"ALL"}, ptr.To(false))
|
||||||
wantUpdateFiles := map[string]ownerAndPermissions{
|
wantUpdateFiles := map[string]ownerAndPermissions{
|
||||||
filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName): {uid: runAsUser, gid: runAsGroup, permissions: 0600},
|
filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName): {uid: runAsUser, gid: runAsGroup, permissions: 0600},
|
||||||
}
|
}
|
||||||
@ -158,7 +158,7 @@ func TestRunEtcdAsNonRoot(t *testing.T) {
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
verifyPodSecurityContext(t, &pod, runAsUser, runAsGroup, nil)
|
verifyPodSecurityContext(t, &pod, runAsUser, runAsGroup, nil)
|
||||||
verifyContainerSecurityContext(t, pod.Spec.Containers[0], nil, []v1.Capability{"ALL"}, pointer.Bool(false))
|
verifyContainerSecurityContext(t, pod.Spec.Containers[0], nil, []v1.Capability{"ALL"}, ptr.To(false))
|
||||||
wantUpdateFiles := map[string]ownerAndPermissions{
|
wantUpdateFiles := map[string]ownerAndPermissions{
|
||||||
cfg.Etcd.Local.DataDir: {uid: runAsUser, gid: runAsGroup, permissions: 0700},
|
cfg.Etcd.Local.DataDir: {uid: runAsUser, gid: runAsGroup, permissions: 0700},
|
||||||
filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerKeyName): {uid: runAsUser, gid: runAsGroup, permissions: 0600},
|
filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerKeyName): {uid: runAsUser, gid: runAsGroup, permissions: 0600},
|
||||||
|