Merge pull request #106089 from liggitt/podsecurity-beta

PodSecurity: promote config and feature gate to beta

pkg/features/kube_features.go

@@ -712,6 +712,7 @@ const (
 
 	// owner: @liggitt, @tallclair, sig-auth
 	// alpha: v1.22
+	// beta: v1.23
 	//
 	// Enables the PodSecurity admission plugin
 	PodSecurity featuregate.Feature = "PodSecurity"
@@ -895,7 +896,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	StatefulSetMinReadySeconds:                     {Default: true, PreRelease: featuregate.Beta},
 	ExpandedDNSConfig:                              {Default: false, PreRelease: featuregate.Alpha},
 	SeccompDefault:                                 {Default: false, PreRelease: featuregate.Alpha},
-	PodSecurity:                                    {Default: false, PreRelease: featuregate.Alpha},
+	PodSecurity:                                    {Default: true, PreRelease: featuregate.Beta},
 	ReadWriteOncePod:                               {Default: false, PreRelease: featuregate.Alpha},
 	CSRDuration:                                    {Default: true, PreRelease: featuregate.Beta},
 	DelegateFSGroupToCSIDriver:                     {Default: false, PreRelease: featuregate.Alpha},

staging/src/k8s.io/pod-security-admission/admission/api/load/load.go

@@ -24,7 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/pod-security-admission/admission/api"
 	"k8s.io/pod-security-admission/admission/api/scheme"
-	apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+	apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
 
 func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
@@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
 func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
 	if len(data) == 0 {
 		// no config provided, return default
-		externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
+		externalConfig := &apiv1beta1.PodSecurityConfiguration{}
 		scheme.Scheme.Default(externalConfig)
 		internalConfig := &api.PodSecurityConfiguration{}
 		if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {

staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go

@@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
 		}
 	}
 
+	// valid file
+	{
+		input := `{
+			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+			"kind":"PodSecurityConfiguration",
+			"defaults":{"enforce":"baseline"}}`
+		expect := &api.PodSecurityConfiguration{
+			Defaults: api.PodSecurityDefaults{
+				Enforce: "baseline", EnforceVersion: "latest",
+				Warn: "privileged", WarnVersion: "latest",
+				Audit: "privileged", AuditVersion: "latest",
+			},
+		}
+
+		config, err := LoadFromFile(writeTempFile(t, input))
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if !reflect.DeepEqual(config, expect) {
+			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+		}
+	}
+
 	// missing file
 	{
 		_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
@@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
 		}
 	}
 
+	// valid reader
+	{
+		input := `{
+			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+			"kind":"PodSecurityConfiguration",
+			"defaults":{"enforce":"baseline"}}`
+		expect := &api.PodSecurityConfiguration{
+			Defaults: api.PodSecurityDefaults{
+				Enforce: "baseline", EnforceVersion: "latest",
+				Warn: "privileged", WarnVersion: "latest",
+				Audit: "privileged", AuditVersion: "latest",
+			},
+		}
+
+		config, err := LoadFromReader(bytes.NewBufferString(input))
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if !reflect.DeepEqual(config, expect) {
+			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+		}
+	}
+
 	// invalid reader
 	{
 		input := `{
@@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
 			data: []byte(`
 apiVersion: pod-security.admission.config.k8s.io/v1alpha1
 kind: PodSecurityConfiguration
+defaults:
+  enforce: baseline
+  enforce-version: v1.7
+exemptions:
+  usernames: ["alice","bob"]
+  namespaces: ["kube-system"]
+  runtimeClasses: ["special"]
+`),
+			expectConfig: &api.PodSecurityConfiguration{
+				Defaults: api.PodSecurityDefaults{
+					Enforce: "baseline", EnforceVersion: "v1.7",
+					Warn: "privileged", WarnVersion: "latest",
+					Audit: "privileged", AuditVersion: "latest",
+				},
+				Exemptions: api.PodSecurityExemptions{
+					Usernames:      []string{"alice", "bob"},
+					Namespaces:     []string{"kube-system"},
+					RuntimeClasses: []string{"special"},
+				},
+			},
+		},
+		{
+			name: "v1beta1 - json",
+			data: []byte(`{
+"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+"kind":"PodSecurityConfiguration",
+"defaults":{"enforce":"baseline"}}`),
+			expectConfig: &api.PodSecurityConfiguration{
+				Defaults: api.PodSecurityDefaults{
+					Enforce: "baseline", EnforceVersion: "latest",
+					Warn: "privileged", WarnVersion: "latest",
+					Audit: "privileged", AuditVersion: "latest",
+				},
+			},
+		},
+		{
+			name: "v1beta1 - yaml",
+			data: []byte(`
+apiVersion: pod-security.admission.config.k8s.io/v1beta1
+kind: PodSecurityConfiguration
 defaults:
   enforce: baseline
   enforce-version: v1.7

staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go

@@ -22,6 +22,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	podsecurityapi "k8s.io/pod-security-admission/admission/api"
 	podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+	podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
 
 var (
@@ -40,5 +41,6 @@ func init() {
 func AddToScheme(scheme *runtime.Scheme) {
 	utilruntime.Must(podsecurityapi.AddToScheme(scheme))
 	utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
+	utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
 }

staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go

@@ -0,0 +1,48 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/pod-security-admission/api"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}
+
+func SetDefaults_PodSecurityDefaults(obj *PodSecurityDefaults) {
+	if len(obj.Enforce) == 0 {
+		obj.Enforce = string(api.LevelPrivileged)
+	}
+	if len(obj.Warn) == 0 {
+		obj.Warn = string(api.LevelPrivileged)
+	}
+	if len(obj.Audit) == 0 {
+		obj.Audit = string(api.LevelPrivileged)
+	}
+
+	if len(obj.EnforceVersion) == 0 {
+		obj.EnforceVersion = string(api.VersionLatest)
+	}
+	if len(obj.WarnVersion) == 0 {
+		obj.WarnVersion = string(api.VersionLatest)
+	}
+	if len(obj.AuditVersion) == 0 {
+		obj.AuditVersion = string(api.VersionLatest)
+	}
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go

@@ -0,0 +1,17 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1

staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/pod-security-admission/admission/api
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=pod-security.admission.config.k8s.io
+
+// Package v1beta1 contains PodSecurity admission configuration file types
+package v1beta1

staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "pod-security.admission.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+var (
+	// SchemeBuilder is a pointer used to call AddToScheme
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	// AddToScheme is used to register the types to API encoding/decoding machinery
+	AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&PodSecurityConfiguration{},
+	)
+	return nil
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type PodSecurityConfiguration struct {
+	metav1.TypeMeta
+	Defaults   PodSecurityDefaults   `json:"defaults"`
+	Exemptions PodSecurityExemptions `json:"exemptions"`
+}
+
+type PodSecurityDefaults struct {
+	Enforce        string `json:"enforce,omitempty"`
+	EnforceVersion string `json:"enforce-version,omitempty"`
+	Audit          string `json:"audit,omitempty"`
+	AuditVersion   string `json:"audit-version,omitempty"`
+	Warn           string `json:"warn,omitempty"`
+	WarnVersion    string `json:"warn-version,omitempty"`
+}
+
+type PodSecurityExemptions struct {
+	Usernames      []string `json:"usernames,omitempty"`
+	Namespaces     []string `json:"namespaces,omitempty"`
+	RuntimeClasses []string `json:"runtimeClasses,omitempty"`
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go

@@ -0,0 +1,154 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	unsafe "unsafe"
+
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	api "k8s.io/pod-security-admission/admission/api"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*PodSecurityConfiguration)(nil), (*api.PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(a.(*PodSecurityConfiguration), b.(*api.PodSecurityConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*api.PodSecurityConfiguration)(nil), (*PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(a.(*api.PodSecurityConfiguration), b.(*PodSecurityConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*PodSecurityDefaults)(nil), (*api.PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(a.(*PodSecurityDefaults), b.(*api.PodSecurityDefaults), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*api.PodSecurityDefaults)(nil), (*PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(a.(*api.PodSecurityDefaults), b.(*PodSecurityDefaults), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*PodSecurityExemptions)(nil), (*api.PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(a.(*PodSecurityExemptions), b.(*api.PodSecurityExemptions), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*api.PodSecurityExemptions)(nil), (*PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(a.(*api.PodSecurityExemptions), b.(*PodSecurityExemptions), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error {
+	if err := Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil {
+		return err
+	}
+	if err := Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration is an autogenerated conversion function.
+func Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error {
+	return autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in, out, s)
+}
+
+func autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error {
+	if err := Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil {
+		return err
+	}
+	if err := Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration is an autogenerated conversion function.
+func Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error {
+	return autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in, out, s)
+}
+
+func autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error {
+	out.Enforce = in.Enforce
+	out.EnforceVersion = in.EnforceVersion
+	out.Audit = in.Audit
+	out.AuditVersion = in.AuditVersion
+	out.Warn = in.Warn
+	out.WarnVersion = in.WarnVersion
+	return nil
+}
+
+// Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults is an autogenerated conversion function.
+func Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error {
+	return autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in, out, s)
+}
+
+func autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error {
+	out.Enforce = in.Enforce
+	out.EnforceVersion = in.EnforceVersion
+	out.Audit = in.Audit
+	out.AuditVersion = in.AuditVersion
+	out.Warn = in.Warn
+	out.WarnVersion = in.WarnVersion
+	return nil
+}
+
+// Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults is an autogenerated conversion function.
+func Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error {
+	return autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in, out, s)
+}
+
+func autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error {
+	out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames))
+	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
+	out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses))
+	return nil
+}
+
+// Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions is an autogenerated conversion function.
+func Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error {
+	return autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in, out, s)
+}
+
+func autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error {
+	out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames))
+	out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
+	out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses))
+	return nil
+}
+
+// Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions is an autogenerated conversion function.
+func Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error {
+	return autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in, out, s)
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go

@@ -0,0 +1,100 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityConfiguration) DeepCopyInto(out *PodSecurityConfiguration) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.Defaults = in.Defaults
+	in.Exemptions.DeepCopyInto(&out.Exemptions)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityConfiguration.
+func (in *PodSecurityConfiguration) DeepCopy() *PodSecurityConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodSecurityConfiguration) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityDefaults) DeepCopyInto(out *PodSecurityDefaults) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityDefaults.
+func (in *PodSecurityDefaults) DeepCopy() *PodSecurityDefaults {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityDefaults)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityExemptions) DeepCopyInto(out *PodSecurityExemptions) {
+	*out = *in
+	if in.Usernames != nil {
+		in, out := &in.Usernames, &out.Usernames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Namespaces != nil {
+		in, out := &in.Namespaces, &out.Namespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.RuntimeClasses != nil {
+		in, out := &in.RuntimeClasses, &out.RuntimeClasses
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityExemptions.
+func (in *PodSecurityExemptions) DeepCopy() *PodSecurityExemptions {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityExemptions)
+	in.DeepCopyInto(out)
+	return out
+}

staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go

@@ -0,0 +1,38 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	scheme.AddTypeDefaultingFunc(&PodSecurityConfiguration{}, func(obj interface{}) { SetObjectDefaults_PodSecurityConfiguration(obj.(*PodSecurityConfiguration)) })
+	return nil
+}
+
+func SetObjectDefaults_PodSecurityConfiguration(in *PodSecurityConfiguration) {
+	SetDefaults_PodSecurityDefaults(&in.Defaults)
+}

test/integration/auth/podsecurity_test.go

@@ -102,14 +102,14 @@ func TestPodSecurityWebhook(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)()
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)()
-	// The webhook should pass tests even when PodSecurity is disabled.
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, false)()
 
 	// Start test API server.
 	capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
 	testServer := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
 		"--anonymous-auth=false",
 		"--allow-privileged=true",
+		// The webhook should pass tests even when PodSecurity is disabled.
+		"--disable-admission-plugins=PodSecurity",
 	}, framework.SharedEtcd())
 	t.Cleanup(testServer.TearDownFn)
 

vendor/modules.txt

@@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
 k8s.io/pod-security-admission/admission/api/load
 k8s.io/pod-security-admission/admission/api/scheme
 k8s.io/pod-security-admission/admission/api/v1alpha1
+k8s.io/pod-security-admission/admission/api/v1beta1
 k8s.io/pod-security-admission/admission/api/validation
 k8s.io/pod-security-admission/api
 k8s.io/pod-security-admission/cmd/webhook/server