Merge pull request #106089 from liggitt/podsecurity-beta
PodSecurity: promote config and feature gate to beta
commit
9af2ece18a
@ -712,6 +712,7 @@ const (
|
||||
|
||||
// owner: @liggitt, @tallclair, sig-auth
|
||||
// alpha: v1.22
|
||||
// beta: v1.23
|
||||
//
|
||||
// Enables the PodSecurity admission plugin
|
||||
PodSecurity featuregate.Feature = "PodSecurity"
|
||||
@ -895,7 +896,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
||||
StatefulSetMinReadySeconds: {Default: true, PreRelease: featuregate.Beta},
|
||||
ExpandedDNSConfig: {Default: false, PreRelease: featuregate.Alpha},
|
||||
SeccompDefault: {Default: false, PreRelease: featuregate.Alpha},
|
||||
PodSecurity: {Default: false, PreRelease: featuregate.Alpha},
|
||||
PodSecurity: {Default: true, PreRelease: featuregate.Beta},
|
||||
ReadWriteOncePod: {Default: false, PreRelease: featuregate.Alpha},
|
||||
CSRDuration: {Default: true, PreRelease: featuregate.Beta},
|
||||
DelegateFSGroupToCSIDriver: {Default: false, PreRelease: featuregate.Alpha},
|
||||
|
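Review bot: The gate's description `// Enables the PodSecurity admission plugin` is now the only documentation for a control that is on by default, and it does not say what an unconfigured cluster gets. Going by the v1beta1 defaulter added elsewhere in this commit, a missing configuration resolves enforce, warn and audit to `privileged`, so `Default: true` should not start rejecting pods by itself; that is inferred from the defaulter, not from this file. A second comment line such as `// With no admission configuration the plugin defaults every mode to "privileged".` would state the upgrade impact where the default is set. Both hunks sit inside larger declarations (the `const` block and `defaultKubernetesFeatureGates`) that continue outside the view.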
@ -24,7 +24,7 @@ import (
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/pod-security-admission/admission/api"
|
||||
"k8s.io/pod-security-admission/admission/api/scheme"
|
||||
apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
|
||||
apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
|
||||
)
|
||||
|
||||
func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
|
||||
@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
|
||||
func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
|
||||
if len(data) == 0 {
|
||||
// no config provided, return default
|
||||
externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
|
||||
externalConfig := &apiv1beta1.PodSecurityConfiguration{}
|
||||
scheme.Scheme.Default(externalConfig)
|
||||
internalConfig := &api.PodSecurityConfiguration{}
|
||||
if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {
|
||||
|
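Review bot: The empty-input branch of LoadFromData names the external version directly (`externalConfig := &apiv1beta1.PodSecurityConfiguration{}`), so the built-in default is tied to a hard-coded version that has to be bumped by hand on every promotion, separately from the scheme's version priority. Nothing in the visible lines links the two places. A comment on that line, for example `// must match the preferred version registered in scheme.AddToScheme`, would make the coupling explicit. LoadFromData's body continues past the end of the hunk.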
@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// valid file
|
||||
{
|
||||
input := `{
|
||||
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
|
||||
"kind":"PodSecurityConfiguration",
|
||||
"defaults":{"enforce":"baseline"}}`
|
||||
expect := &api.PodSecurityConfiguration{
|
||||
Defaults: api.PodSecurityDefaults{
|
||||
Enforce: "baseline", EnforceVersion: "latest",
|
||||
Warn: "privileged", WarnVersion: "latest",
|
||||
Audit: "privileged", AuditVersion: "latest",
|
||||
},
|
||||
}
|
||||
|
||||
config, err := LoadFromFile(writeTempFile(t, input))
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected err: %v", err)
|
||||
}
|
||||
if !reflect.DeepEqual(config, expect) {
|
||||
t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
|
||||
}
|
||||
}
|
||||
|
||||
// missing file
|
||||
{
|
||||
_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
|
||||
@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// valid reader
|
||||
{
|
||||
input := `{
|
||||
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
|
||||
"kind":"PodSecurityConfiguration",
|
||||
"defaults":{"enforce":"baseline"}}`
|
||||
expect := &api.PodSecurityConfiguration{
|
||||
Defaults: api.PodSecurityDefaults{
|
||||
Enforce: "baseline", EnforceVersion: "latest",
|
||||
Warn: "privileged", WarnVersion: "latest",
|
||||
Audit: "privileged", AuditVersion: "latest",
|
||||
},
|
||||
}
|
||||
|
||||
config, err := LoadFromReader(bytes.NewBufferString(input))
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected err: %v", err)
|
||||
}
|
||||
if !reflect.DeepEqual(config, expect) {
|
||||
t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
|
||||
}
|
||||
}
|
||||
|
||||
// invalid reader
|
||||
{
|
||||
input := `{
|
||||
@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
|
||||
data: []byte(`
|
||||
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
|
||||
kind: PodSecurityConfiguration
|
||||
defaults:
|
||||
enforce: baseline
|
||||
enforce-version: v1.7
|
||||
exemptions:
|
||||
usernames: ["alice","bob"]
|
||||
namespaces: ["kube-system"]
|
||||
runtimeClasses: ["special"]
|
||||
`),
|
||||
expectConfig: &api.PodSecurityConfiguration{
|
||||
Defaults: api.PodSecurityDefaults{
|
||||
Enforce: "baseline", EnforceVersion: "v1.7",
|
||||
Warn: "privileged", WarnVersion: "latest",
|
||||
Audit: "privileged", AuditVersion: "latest",
|
||||
},
|
||||
Exemptions: api.PodSecurityExemptions{
|
||||
Usernames: []string{"alice", "bob"},
|
||||
Namespaces: []string{"kube-system"},
|
||||
RuntimeClasses: []string{"special"},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "v1beta1 - json",
|
||||
data: []byte(`{
|
||||
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
|
||||
"kind":"PodSecurityConfiguration",
|
||||
"defaults":{"enforce":"baseline"}}`),
|
||||
expectConfig: &api.PodSecurityConfiguration{
|
||||
Defaults: api.PodSecurityDefaults{
|
||||
Enforce: "baseline", EnforceVersion: "latest",
|
||||
Warn: "privileged", WarnVersion: "latest",
|
||||
Audit: "privileged", AuditVersion: "latest",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "v1beta1 - yaml",
|
||||
data: []byte(`
|
||||
apiVersion: pod-security.admission.config.k8s.io/v1beta1
|
||||
kind: PodSecurityConfiguration
|
||||
defaults:
|
||||
enforce: baseline
|
||||
enforce-version: v1.7
|
||||
|
@ -22,6 +22,7 @@ import (
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
podsecurityapi "k8s.io/pod-security-admission/admission/api"
|
||||
podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
|
||||
podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -40,5 +41,6 @@ func init() {
|
||||
func AddToScheme(scheme *runtime.Scheme) {
|
||||
utilruntime.Must(podsecurityapi.AddToScheme(scheme))
|
||||
utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
|
||||
utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
|
||||
utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
|
||||
utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
|
||||
}
|
||||
|
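Review bot: The argument order in `scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion)` carries meaning that is not written down. The first entry becomes the preferred version, and v1alpha1 stays registered so that existing configuration files keep decoding. A comment above the call, e.g. `// v1beta1 is preferred; v1alpha1 remains registered so existing config files still load.`, would stop a later edit from reordering or dropping an entry. AddToScheme is exported and has no doc comment in the visible lines; `// AddToScheme registers the PodSecurity admission configuration API versions in the given scheme.` would cover it.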
@ -0,0 +1,48 @@
|
||||
/*
|
||||
Copyright 2021 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1beta1
|
||||
|
||||
import (
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
func addDefaultingFuncs(scheme *runtime.Scheme) error {
|
||||
return RegisterDefaults(scheme)
|
||||
}
|
||||
|
||||
func SetDefaults_PodSecurityDefaults(obj *PodSecurityDefaults) {
|
||||
if len(obj.Enforce) == 0 {
|
||||
obj.Enforce = string(api.LevelPrivileged)
|
||||
}
|
||||
if len(obj.Warn) == 0 {
|
||||
obj.Warn = string(api.LevelPrivileged)
|
||||
}
|
||||
if len(obj.Audit) == 0 {
|
||||
obj.Audit = string(api.LevelPrivileged)
|
||||
}
|
||||
|
||||
if len(obj.EnforceVersion) == 0 {
|
||||
obj.EnforceVersion = string(api.VersionLatest)
|
||||
}
|
||||
if len(obj.WarnVersion) == 0 {
|
||||
obj.WarnVersion = string(api.VersionLatest)
|
||||
}
|
||||
if len(obj.AuditVersion) == 0 {
|
||||
obj.AuditVersion = string(api.VersionLatest)
|
||||
}
|
||||
}
|
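Review bot: SetDefaults_PodSecurityDefaults is exported without a doc comment, and its fallback is the least restrictive level: any of Enforce, Warn or Audit left empty becomes `api.LevelPrivileged`. A configuration that sets only one mode therefore leaves the other two unrestricted, which the tests in this commit confirm (`"defaults":{"enforce":"baseline"}` loads with Warn and Audit at `privileged`). I would add `// SetDefaults_PodSecurityDefaults fills unset levels with "privileged" and unset versions with "latest"; an omitted mode applies no restriction.` so that the permissive default reads as deliberate.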
@ -0,0 +1,17 @@
|
||||
/*
|
||||
Copyright 2021 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1beta1
|
@ -0,0 +1,23 @@
|
||||
/*
|
||||
Copyright 2021 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// +k8s:deepcopy-gen=package
|
||||
// +k8s:conversion-gen=k8s.io/pod-security-admission/admission/api
|
||||
// +k8s:defaulter-gen=TypeMeta
|
||||
// +groupName=pod-security.admission.config.k8s.io
|
||||
|
||||
// Package v1beta1 contains PodSecurity admission configuration file types
|
||||
package v1beta1
|
@ -0,0 +1,50 @@
|
||||
/*
|
||||
Copyright 2021 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1beta1
|
||||
|
||||
import (
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
// GroupName is the group name use in this package
|
||||
const GroupName = "pod-security.admission.config.k8s.io"
|
||||
|
||||
// SchemeGroupVersion is group version used to register these objects
|
||||
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
|
||||
|
||||
var (
|
||||
// SchemeBuilder is a pointer used to call AddToScheme
|
||||
SchemeBuilder runtime.SchemeBuilder
|
||||
localSchemeBuilder = &SchemeBuilder
|
||||
// AddToScheme is used to register the types to API encoding/decoding machinery
|
||||
AddToScheme = localSchemeBuilder.AddToScheme
|
||||
)
|
||||
|
||||
func init() {
|
||||
// We only register manually written functions here. The registration of the
|
||||
// generated functions takes place in the generated files. The separation
|
||||
// makes the code compile even when the generated files are missing.
|
||||
localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
|
||||
}
|
||||
|
||||
func addKnownTypes(scheme *runtime.Scheme) error {
|
||||
scheme.AddKnownTypes(SchemeGroupVersion,
|
||||
&PodSecurityConfiguration{},
|
||||
)
|
||||
return nil
|
||||
}
|
@ -0,0 +1,44 @@
|
||||
/*
|
||||
Copyright 2021 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1beta1
|
||||
|
||||
import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
type PodSecurityConfiguration struct {
|
||||
metav1.TypeMeta
|
||||
Defaults PodSecurityDefaults `json:"defaults"`
|
||||
Exemptions PodSecurityExemptions `json:"exemptions"`
|
||||
}
|
||||
|
||||
type PodSecurityDefaults struct {
|
||||
Enforce string `json:"enforce,omitempty"`
|
||||
EnforceVersion string `json:"enforce-version,omitempty"`
|
||||
Audit string `json:"audit,omitempty"`
|
||||
AuditVersion string `json:"audit-version,omitempty"`
|
||||
Warn string `json:"warn,omitempty"`
|
||||
WarnVersion string `json:"warn-version,omitempty"`
|
||||
}
|
||||
|
||||
type PodSecurityExemptions struct {
|
||||
Usernames []string `json:"usernames,omitempty"`
|
||||
Namespaces []string `json:"namespaces,omitempty"`
|
||||
RuntimeClasses []string `json:"runtimeClasses,omitempty"`
|
||||
}
|
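Review bot: The three exported types are added without doc comments, and PodSecurityExemptions is the one where that matters most. Judging by its name and fields, the listed usernames, namespaces and runtime classes are exempted from policy evaluation, which would make the struct a security-relevant allowlist; the evaluation code is not in this view, so that reading is an assumption. Each type should get a comment starting with its name, for example `// PodSecurityExemptions lists the usernames, namespaces and runtime classes that are exempt from PodSecurity checks.`. The `defaults` and `exemptions` tags on PodSecurityConfiguration also omit `omitempty` while every nested field has it; if that is intentional, a short comment would say so.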
154
staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go
generated
Normal file
154
staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go
generated
Normal file
@ -0,0 +1,154 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by conversion-gen. DO NOT EDIT.
|
||||
|
||||
package v1beta1
|
||||
|
||||
import (
|
||||
unsafe "unsafe"
|
||||
|
||||
conversion "k8s.io/apimachinery/pkg/conversion"
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
api "k8s.io/pod-security-admission/admission/api"
|
||||
)
|
||||
|
||||
func init() {
|
||||
localSchemeBuilder.Register(RegisterConversions)
|
||||
}
|
||||
|
||||
// RegisterConversions adds conversion functions to the given scheme.
|
||||
// Public to allow building arbitrary schemes.
|
||||
func RegisterConversions(s *runtime.Scheme) error {
|
||||
if err := s.AddGeneratedConversionFunc((*PodSecurityConfiguration)(nil), (*api.PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(a.(*PodSecurityConfiguration), b.(*api.PodSecurityConfiguration), scope)
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.AddGeneratedConversionFunc((*api.PodSecurityConfiguration)(nil), (*PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(a.(*api.PodSecurityConfiguration), b.(*PodSecurityConfiguration), scope)
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.AddGeneratedConversionFunc((*PodSecurityDefaults)(nil), (*api.PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(a.(*PodSecurityDefaults), b.(*api.PodSecurityDefaults), scope)
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.AddGeneratedConversionFunc((*api.PodSecurityDefaults)(nil), (*PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(a.(*api.PodSecurityDefaults), b.(*PodSecurityDefaults), scope)
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.AddGeneratedConversionFunc((*PodSecurityExemptions)(nil), (*api.PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(a.(*PodSecurityExemptions), b.(*api.PodSecurityExemptions), scope)
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.AddGeneratedConversionFunc((*api.PodSecurityExemptions)(nil), (*PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(a.(*api.PodSecurityExemptions), b.(*PodSecurityExemptions), scope)
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error {
|
||||
if err := Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration is an autogenerated conversion function.
|
||||
func Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error {
|
||||
return autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in, out, s)
|
||||
}
|
||||
|
||||
func autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error {
|
||||
if err := Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration is an autogenerated conversion function.
|
||||
func Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error {
|
||||
return autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in, out, s)
|
||||
}
|
||||
|
||||
func autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error {
|
||||
out.Enforce = in.Enforce
|
||||
out.EnforceVersion = in.EnforceVersion
|
||||
out.Audit = in.Audit
|
||||
out.AuditVersion = in.AuditVersion
|
||||
out.Warn = in.Warn
|
||||
out.WarnVersion = in.WarnVersion
|
||||
return nil
|
||||
}
|
||||
|
||||
// Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults is an autogenerated conversion function.
|
||||
func Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error {
|
||||
return autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in, out, s)
|
||||
}
|
||||
|
||||
func autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error {
|
||||
out.Enforce = in.Enforce
|
||||
out.EnforceVersion = in.EnforceVersion
|
||||
out.Audit = in.Audit
|
||||
out.AuditVersion = in.AuditVersion
|
||||
out.Warn = in.Warn
|
||||
out.WarnVersion = in.WarnVersion
|
||||
return nil
|
||||
}
|
||||
|
||||
// Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults is an autogenerated conversion function.
|
||||
func Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error {
|
||||
return autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in, out, s)
|
||||
}
|
||||
|
||||
func autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error {
|
||||
out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames))
|
||||
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
|
||||
out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses))
|
||||
return nil
|
||||
}
|
||||
|
||||
// Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions is an autogenerated conversion function.
|
||||
func Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error {
|
||||
return autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in, out, s)
|
||||
}
|
||||
|
||||
func autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error {
|
||||
out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames))
|
||||
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
|
||||
out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses))
|
||||
return nil
|
||||
}
|
||||
|
||||
// Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions is an autogenerated conversion function.
|
||||
func Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error {
|
||||
return autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in, out, s)
|
||||
}
|
100
staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go
generated
Normal file
100
staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go
generated
Normal file
@ -0,0 +1,100 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by deepcopy-gen. DO NOT EDIT.
|
||||
|
||||
package v1beta1
|
||||
|
||||
import (
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *PodSecurityConfiguration) DeepCopyInto(out *PodSecurityConfiguration) {
|
||||
*out = *in
|
||||
out.TypeMeta = in.TypeMeta
|
||||
out.Defaults = in.Defaults
|
||||
in.Exemptions.DeepCopyInto(&out.Exemptions)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityConfiguration.
|
||||
func (in *PodSecurityConfiguration) DeepCopy() *PodSecurityConfiguration {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(PodSecurityConfiguration)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
||||
func (in *PodSecurityConfiguration) DeepCopyObject() runtime.Object {
|
||||
if c := in.DeepCopy(); c != nil {
|
||||
return c
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *PodSecurityDefaults) DeepCopyInto(out *PodSecurityDefaults) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityDefaults.
|
||||
func (in *PodSecurityDefaults) DeepCopy() *PodSecurityDefaults {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(PodSecurityDefaults)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *PodSecurityExemptions) DeepCopyInto(out *PodSecurityExemptions) {
|
||||
*out = *in
|
||||
if in.Usernames != nil {
|
||||
in, out := &in.Usernames, &out.Usernames
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Namespaces != nil {
|
||||
in, out := &in.Namespaces, &out.Namespaces
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.RuntimeClasses != nil {
|
||||
in, out := &in.RuntimeClasses, &out.RuntimeClasses
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityExemptions.
|
||||
func (in *PodSecurityExemptions) DeepCopy() *PodSecurityExemptions {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(PodSecurityExemptions)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
38
staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go
generated
Normal file
38
staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go
generated
Normal file
@ -0,0 +1,38 @@
|
||||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by defaulter-gen. DO NOT EDIT.
|
||||
|
||||
package v1beta1
|
||||
|
||||
import (
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
// RegisterDefaults adds defaulters functions to the given scheme.
|
||||
// Public to allow building arbitrary schemes.
|
||||
// All generated defaulters are covering - they call all nested defaulters.
|
||||
func RegisterDefaults(scheme *runtime.Scheme) error {
|
||||
scheme.AddTypeDefaultingFunc(&PodSecurityConfiguration{}, func(obj interface{}) { SetObjectDefaults_PodSecurityConfiguration(obj.(*PodSecurityConfiguration)) })
|
||||
return nil
|
||||
}
|
||||
|
||||
func SetObjectDefaults_PodSecurityConfiguration(in *PodSecurityConfiguration) {
|
||||
SetDefaults_PodSecurityDefaults(&in.Defaults)
|
||||
}
|
@ -102,14 +102,14 @@ func TestPodSecurityWebhook(t *testing.T) {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)()
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)()
|
||||
// The webhook should pass tests even when PodSecurity is disabled.
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, false)()
|
||||
|
||||
// Start test API server.
|
||||
capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
|
||||
testServer := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
|
||||
"--anonymous-auth=false",
|
||||
"--allow-privileged=true",
|
||||
// The webhook should pass tests even when PodSecurity is disabled.
|
||||
"--disable-admission-plugins=PodSecurity",
|
||||
}, framework.SharedEtcd())
|
||||
t.Cleanup(testServer.TearDownFn)
|
||||
|
||||
|
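Review bot: The comment `// The webhook should pass tests even when PodSecurity is disabled.` was carried over unchanged, but what is disabled is now different. The feature gate is left at its default and only the in-tree admission plugin is turned off with `--disable-admission-plugins=PodSecurity`. Rewording it to `// Disable the in-tree PodSecurity admission plugin so that only the webhook evaluates pods.` would describe the new setup; that reading of the intent is inferred from the flag. The gate-off path is also no longer exercised by this test, which may deserve a separate case if that configuration is still supported. TestPodSecurityWebhook continues outside the hunk.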
1
vendor/modules.txt
vendored
1
vendor/modules.txt
vendored
@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
|
||||
k8s.io/pod-security-admission/admission/api/load
|
||||
k8s.io/pod-security-admission/admission/api/scheme
|
||||
k8s.io/pod-security-admission/admission/api/v1alpha1
|
||||
k8s.io/pod-security-admission/admission/api/v1beta1
|
||||
k8s.io/pod-security-admission/admission/api/validation
|
||||
k8s.io/pod-security-admission/api
|
||||
k8s.io/pod-security-admission/cmd/webhook/server
|
||||
|