PodSecurity: preconstruct reused values

benchmark old ns/op new ns/op delta BenchmarkVerifyPod/enforce-implicit_pod-12 370 228 -38.49% BenchmarkVerifyPod/enforce-implicit_deployment-12 408 241 -40.86% BenchmarkVerifyPod/enforce-privileged_pod-12 420 242 -42.27% BenchmarkVerifyPod/enforce-privileged_deployment-12 426 256 -39.84% BenchmarkVerifyPod/enforce-baseline_pod-12 4259 3006 -29.42% BenchmarkVerifyPod/enforce-baseline_deployment-12 341 266 -22.12% BenchmarkVerifyPod/enforce-restricted_pod-12 3322 3282 -1.20% BenchmarkVerifyPod/enforce-restricted_deployment-12 327 260 -20.59% BenchmarkVerifyPod/warn-baseline_pod-12 2964 3020 +1.89% BenchmarkVerifyPod/warn-baseline_deployment-12 3069 3127 +1.89% BenchmarkVerifyPod/warn-restricted_pod-12 3223 3330 +3.32% BenchmarkVerifyPod/warn-restricted_deployment-12 3443 3533 +2.61% BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 5193 5405 +4.08% BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 4295 4358 +1.47% BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 4363 4513 +3.44% BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 4482 4588 +2.37% benchmark old allocs new allocs delta BenchmarkVerifyPod/enforce-implicit_pod-12 2 1 -50.00% BenchmarkVerifyPod/enforce-implicit_deployment-12 2 1 -50.00% BenchmarkVerifyPod/enforce-privileged_pod-12 2 1 -50.00% BenchmarkVerifyPod/enforce-privileged_deployment-12 2 1 -50.00% BenchmarkVerifyPod/enforce-baseline_pod-12 17 17 +0.00% BenchmarkVerifyPod/enforce-baseline_deployment-12 2 1 -50.00% BenchmarkVerifyPod/enforce-restricted_pod-12 17 17 +0.00% BenchmarkVerifyPod/enforce-restricted_deployment-12 2 1 -50.00% BenchmarkVerifyPod/warn-baseline_pod-12 17 17 +0.00% BenchmarkVerifyPod/warn-baseline_deployment-12 19 19 +0.00% BenchmarkVerifyPod/warn-restricted_pod-12 17 17 +0.00% BenchmarkVerifyPod/warn-restricted_deployment-12 19 19 +0.00% BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 27 27 +0.00% BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 24 24 +0.00% BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 22 22 +0.00% BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 24 24 +0.00% benchmark old bytes new bytes delta BenchmarkVerifyPod/enforce-implicit_pod-12 208 112 -46.15% BenchmarkVerifyPod/enforce-implicit_deployment-12 208 112 -46.15% BenchmarkVerifyPod/enforce-privileged_pod-12 208 112 -46.15% BenchmarkVerifyPod/enforce-privileged_deployment-12 208 112 -46.15% BenchmarkVerifyPod/enforce-baseline_pod-12 3368 3368 +0.00% BenchmarkVerifyPod/enforce-baseline_deployment-12 208 112 -46.15% BenchmarkVerifyPod/enforce-restricted_pod-12 3368 3368 +0.00% BenchmarkVerifyPod/enforce-restricted_deployment-12 208 112 -46.15% BenchmarkVerifyPod/warn-baseline_pod-12 3368 3368 +0.00% BenchmarkVerifyPod/warn-baseline_deployment-12 3552 3552 +0.00% BenchmarkVerifyPod/warn-restricted_pod-12 3368 3368 +0.00% BenchmarkVerifyPod/warn-restricted_deployment-12 3552 3552 +0.00% BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12 5864 5864 +0.00% BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12 4800 4800 +0.00% BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12 4616 4616 +0.00% BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12 4800 4800 +0.00%
2025-07-23 11:50:44 +00:00 · 2021-08-25 14:38:45 -04:00 · 2021-08-25 14:38:45 -04:00 · 636c769fb8
commit 636c769fb8
parent d5589ba65f
2 changed files with 74 additions and 18 deletions
--- a/staging/src/k8s.io/pod-security-admission/admission/admission.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission.go
@ -188,14 +188,20 @@ func (a *Admission) ValidateConfiguration() error {
 	return nil
 }
 var (
 	namespacesResource = corev1.Resource("namespaces")
 	podsResource       = corev1.Resource("pods")
 )
 // Validate admits an API request.
 // The objects in admission attributes are expected to be external v1 objects that we care about.
 // The returned response may be shared and must not be mutated.
 func (a *Admission) Validate(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse {
 	var response *admissionv1.AdmissionResponse
 	switch attrs.GetResource().GroupResource() {
-	case corev1.Resource("namespaces"):
+	case namespacesResource:
 		response = a.ValidateNamespace(ctx, attrs)
-	case corev1.Resource("pods"):
+	case podsResource:
 		response = a.ValidatePod(ctx, attrs)
 	default:
 		response = a.ValidatePodController(ctx, attrs)
@ -206,10 +212,13 @@ func (a *Admission) Validate(ctx context.Context, attrs Attributes) *admissionv1
 	return response
 }
 // ValidateNamespace evaluates a namespace create or update request to ensure the pod security labels are valid,
 // and checks existing pods in the namespace for violations of the new policy when updating the enforce level on a namespace.
 // The returned response may be shared between evaluations and must not be mutated.
 func (a *Admission) ValidateNamespace(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse {
 	// short-circuit on subresources
 	if attrs.GetSubresource() != "" {
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	obj, err := attrs.GetObject()
 	if err != nil {
@ -230,7 +239,7 @@ func (a *Admission) ValidateNamespace(ctx context.Context, attrs Attributes) *ad
 		if newErr != nil {
 			return invalidResponse(newErr.Error())
 		}
-		return allowedResponse()
+		return sharedAllowedResponse()
 	case admissionv1.Update:
 		// if update, check if policy labels changed
@ -257,24 +266,24 @@ func (a *Admission) ValidateNamespace(ctx context.Context, attrs Attributes) *ad
 		// * if the new enforce is the same version and level was relaxed
 		// * for exempt namespaces
 		if newPolicy.Enforce == oldPolicy.Enforce {
-			return allowedResponse()
+			return sharedAllowedResponse()
 		}
 		if newPolicy.Enforce.Level == api.LevelPrivileged {
-			return allowedResponse()
+			return sharedAllowedResponse()
 		}
 		if newPolicy.Enforce.Version == oldPolicy.Enforce.Version &&
 			api.CompareLevels(newPolicy.Enforce.Level, oldPolicy.Enforce.Level) < 1 {
-			return allowedResponse()
+			return sharedAllowedResponse()
 		}
 		if a.exemptNamespace(attrs.GetNamespace()) {
-			return allowedResponse()
+			return sharedAllowedResponse()
 		}
 		response := allowedResponse()
 		response.Warnings = a.EvaluatePodsInNamespace(ctx, namespace.Name, newPolicy.Enforce)
 		return response
 	default:
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 }
@ -292,14 +301,16 @@ var ignoredPodSubresources = map[string]bool{
 	"status":      true,
 }
 // ValidatePod evaluates a pod create or update request against the effective policy for the namespace.
 // The returned response may be shared between evaluations and must not be mutated.
 func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse {
 	// short-circuit on ignored subresources
 	if ignoredPodSubresources[attrs.GetSubresource()] {
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	// short-circuit on exempt namespaces and users
 	if a.exemptNamespace(attrs.GetNamespace()) || a.exemptUser(attrs.GetUserName()) {
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	// short-circuit on privileged enforce+audit+warn namespaces
@ -310,7 +321,7 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
 	}
 	nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
 	if nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	obj, err := attrs.GetObject()
@ -336,20 +347,22 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
 		}
 		if !isSignificantPodUpdate(pod, oldPod) {
 			// Nothing we care about changed, so always allow the update.
-			return allowedResponse()
+			return sharedAllowedResponse()
 		}
 	}
 	return a.EvaluatePod(ctx, attrs.GetNamespace(), &pod.ObjectMeta, &pod.Spec, true)
 }
 // ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace.
 // The returned response may be shared between evaluations and must not be mutated.
 func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse {
 	// short-circuit on subresources
 	if attrs.GetSubresource() != "" {
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	// short-circuit on exempt namespaces and users
 	if a.exemptNamespace(attrs.GetNamespace()) || a.exemptUser(attrs.GetUserName()) {
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	// short-circuit on privileged audit+warn namespaces
@ -360,7 +373,7 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
 	}
 	nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
 	if nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	obj, err := attrs.GetObject()
@ -375,17 +388,18 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
 	}
 	if podMetadata == nil && podSpec == nil {
 		// if a controller with an optional pod spec does not contain a pod spec, skip validation
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	return a.EvaluatePod(ctx, attrs.GetNamespace(), podMetadata, podSpec, false)
 }
 // EvaluatePod looks up the policy for the pods namespace, and checks it against the given pod(-like) object.
 // The enforce policy is only checked if enforce=true.
 // The returned response may be shared between evaluations and must not be mutated.
 func (a *Admission) EvaluatePod(ctx context.Context, namespaceName string, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, enforce bool) *admissionv1.AdmissionResponse {
 	// short-circuit on exempt runtimeclass
 	if a.exemptRuntimeClass(podSpec.RuntimeClassName) {
-		return allowedResponse()
+		return sharedAllowedResponse()
 	}
 	namespace, err := a.NamespaceGetter.GetNamespace(ctx, namespaceName)
@ -478,6 +492,12 @@ func (a *Admission) PolicyToEvaluate(labels map[string]string) (api.Policy, erro
 	return api.PolicyToEvaluate(labels, a.defaultPolicy)
 }
 var _sharedAllowedResponse = allowedResponse()
 func sharedAllowedResponse() *admissionv1.AdmissionResponse {
 	return _sharedAllowedResponse
 }
 // allowedResponse is the response used when the admission decision is allow.
 func allowedResponse() *admissionv1.AdmissionResponse {
 	return &admissionv1.AdmissionResponse{Allowed: true}
--- a/staging/src/k8s.io/pod-security-admission/admission/main_test.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/main_test.go
@ -0,0 +1,36 @@
 /*
 Copyright 2021 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package admission
 import (
 	"fmt"
 	"os"
 	"reflect"
 	"testing"
 )
 func TestMain(m *testing.M) {
 	sharedCopy := sharedAllowedResponse().DeepCopy()
 	rc := m.Run()
 	if !reflect.DeepEqual(sharedCopy, sharedAllowedResponse()) {
 		fmt.Println("sharedAllowedReponse mutated")
 		rc = 1
 	}
 	os.Exit(rc)
 }