From 7cd905e897f44b049c71ff284ced02ab147f3e8f Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Thu, 28 Oct 2021 00:16:45 -0400
Subject: [PATCH] PodSecurity: plumb kind in attributes
---
 .../admission/admission_test.go | 12 ++++++++++++
 .../pod-security-admission/admission/attributes.go | 7 +++++++
 .../k8s.io/pod-security-admission/api/interfaces.go | 2 ++
 3 files changed, 21 insertions(+)
diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission_test.go b/staging/src/k8s.io/pod-security-admission/admission/admission_test.go
index da198f8391e..49fd3b7f8fa 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission_test.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission_test.go
@@ -460,7 +460,9 @@ func TestValidateNamespace(t *testing.T) {
 attrs := &AttributesRecord{
 Object: newObject,
 OldObject: oldObject,
+ Name: newObject.Name,
 Namespace: newObject.Name,
+ Kind: schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"},
 Resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "namespaces"},
 Subresource: tc.subresource,
 Operation: operation,
@@ -592,6 +594,7 @@ func TestValidatePodController(t *testing.T) {
 newObject runtime.Object
 // for update
 oldObject runtime.Object
+ gvk schema.GroupVersionKind
 gvr schema.GroupVersionResource
 expectWarnings []string
@@ -602,40 +605,47 @@ func TestValidatePodController(t *testing.T) {
 subresource: "status",
 newObject: &badDeploy,
 oldObject: &goodDeploy,
+ gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 },
 {
 desc: "namespace in exemptNamespaces will be exempted",
 newObject: &badDeploy,
+ gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 exemptNamespaces: []string{testNamespace},
 },
 {
 desc: "runtimeClass in exemptRuntimeClasses will be exempted",
 newObject: &badDeploy,
+ gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 exemptRuntimeClasses: []string{"containerd"},
 },
 {
 desc: "user in exemptUsers will be exempted",
 newObject: &badDeploy,
+ gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 exemptUsers: []string{"testuser"},
 },
 {
 desc: "podMetadata == nil && podSpec == nil will skip verification",
 newObject: &corev1.ReplicationController{ObjectMeta: metav1.ObjectMeta{Name: "foo-rc"}},
+ gvk: schema.GroupVersionKind{Group: "", Version: "v1", Kind: "ReplicationController"},
 gvr: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "replicationcontrollers"},
 },
 {
 desc: "good deploy creates and produce nothing",
 newObject: &goodDeploy,
+ gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 expectAuditAnnotations: map[string]string{},
 },
 {
 desc: "bad deploy creates produce correct user-visible warnings and correct auditAnnotations",
 newObject: &badDeploy,
+ gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
 expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
@@ -644,6 +654,7 @@ func TestValidatePodController(t *testing.T) {
 desc: "bad spec updates don't block on enforce failures and returns correct information",
 newObject: &badDeploy,
 oldObject: &goodDeploy,
+ gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
 gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
 expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
 expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
@@ -660,6 +671,7 @@ func TestValidatePodController(t *testing.T) {
 attrs := &AttributesRecord{
 testName,
 testNamespace,
+ tc.gvk,
 tc.gvr,
 tc.subresource,
 operation,
diff --git a/staging/src/k8s.io/pod-security-admission/admission/attributes.go b/staging/src/k8s.io/pod-security-admission/admission/attributes.go
index f1821f70fae..f55c5a92505 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/attributes.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/attributes.go
@@ -27,6 +27,7 @@ import (
 type AttributesRecord struct {
 Name string
 Namespace string
+ Kind schema.GroupVersionKind
 Resource schema.GroupVersionResource
 Subresource string
 Operation admissionv1.Operation
@@ -41,6 +42,9 @@ func (a *AttributesRecord) GetName() string {
 func (a *AttributesRecord) GetNamespace() string {
 return a.Namespace
 }
+func (a *AttributesRecord) GetKind() schema.GroupVersionKind {
+ return a.Kind
+}
 func (a *AttributesRecord) GetResource() schema.GroupVersionResource {
 return a.Resource
 }
@@ -81,6 +85,9 @@ func (a *attributes) GetName() string {
 func (a *attributes) GetNamespace() string {
 return a.r.Namespace
 }
+func (a *attributes) GetKind() schema.GroupVersionKind {
+ return schema.GroupVersionKind(a.r.Kind)
+}
 func (a *attributes) GetResource() schema.GroupVersionResource {
 return schema.GroupVersionResource(a.r.Resource)
 }
diff --git a/staging/src/k8s.io/pod-security-admission/api/interfaces.go b/staging/src/k8s.io/pod-security-admission/api/interfaces.go
index 585a5ad6ce9..30fd002eaec 100644
--- a/staging/src/k8s.io/pod-security-admission/api/interfaces.go
+++ b/staging/src/k8s.io/pod-security-admission/api/interfaces.go
@@ -30,6 +30,8 @@ type Attributes interface {
 GetNamespace() string
 // GetResource is the name of the resource being requested. This is not the kind. For example: pods
 GetResource() schema.GroupVersionResource
+ // GetKind is the name of the kind being requested. For example: Pod
+ GetKind() schema.GroupVersionKind
 // GetSubresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.
 // For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
 // (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
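Review bot: Adding `GetKind()` to the exported `Attributes` interface in the `@@ -30,6 +30,8 @@` hunk is a breaking change for any implementation outside this module, which stops compiling until it adds the method; the commit message does not mention that, and it deserves a line there or in the package's release notes. The new doc comment could also mirror the `GetResource` comment so the two read in parallel: `// GetKind is the kind of the object being requested. This is not the resource. For example: Pod`. The following `GetSubresource` comment already explains that a subresource request may carry a different kind, so the new comment need not repeat it.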