Merge pull request #106089 from liggitt/podsecurity-beta

PodSecurity: promote config and feature gate to beta
This commit is contained in:
Kubernetes Prow Robot 2021-11-02 22:22:57 -07:00 committed by GitHub
commit 9af2ece18a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 570 additions and 6 deletions

View File

@ -712,6 +712,7 @@ const (
// owner: @liggitt, @tallclair, sig-auth
// alpha: v1.22
// beta: v1.23
//
// Enables the PodSecurity admission plugin
PodSecurity featuregate.Feature = "PodSecurity"
@ -895,7 +896,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
StatefulSetMinReadySeconds: {Default: true, PreRelease: featuregate.Beta},
ExpandedDNSConfig: {Default: false, PreRelease: featuregate.Alpha},
SeccompDefault: {Default: false, PreRelease: featuregate.Alpha},
PodSecurity: {Default: false, PreRelease: featuregate.Alpha},
PodSecurity: {Default: true, PreRelease: featuregate.Beta},
ReadWriteOncePod: {Default: false, PreRelease: featuregate.Alpha},
CSRDuration: {Default: true, PreRelease: featuregate.Beta},
DelegateFSGroupToCSIDriver: {Default: false, PreRelease: featuregate.Alpha},

View File

@ -24,7 +24,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/pod-security-admission/admission/api"
"k8s.io/pod-security-admission/admission/api/scheme"
apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
)
func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
if len(data) == 0 {
// no config provided, return default
externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
externalConfig := &apiv1beta1.PodSecurityConfiguration{}
scheme.Scheme.Default(externalConfig)
internalConfig := &api.PodSecurityConfiguration{}
if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {

View File

@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
}
}
// valid file
{
input := `{
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
"kind":"PodSecurityConfiguration",
"defaults":{"enforce":"baseline"}}`
expect := &api.PodSecurityConfiguration{
Defaults: api.PodSecurityDefaults{
Enforce: "baseline", EnforceVersion: "latest",
Warn: "privileged", WarnVersion: "latest",
Audit: "privileged", AuditVersion: "latest",
},
}
config, err := LoadFromFile(writeTempFile(t, input))
if err != nil {
t.Fatalf("unexpected err: %v", err)
}
if !reflect.DeepEqual(config, expect) {
t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
}
}
// missing file
{
_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
}
}
// valid reader
{
input := `{
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
"kind":"PodSecurityConfiguration",
"defaults":{"enforce":"baseline"}}`
expect := &api.PodSecurityConfiguration{
Defaults: api.PodSecurityDefaults{
Enforce: "baseline", EnforceVersion: "latest",
Warn: "privileged", WarnVersion: "latest",
Audit: "privileged", AuditVersion: "latest",
},
}
config, err := LoadFromReader(bytes.NewBufferString(input))
if err != nil {
t.Fatalf("unexpected err: %v", err)
}
if !reflect.DeepEqual(config, expect) {
t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
}
}
// invalid reader
{
input := `{
@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
data: []byte(`
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
kind: PodSecurityConfiguration
defaults:
enforce: baseline
enforce-version: v1.7
exemptions:
usernames: ["alice","bob"]
namespaces: ["kube-system"]
runtimeClasses: ["special"]
`),
expectConfig: &api.PodSecurityConfiguration{
Defaults: api.PodSecurityDefaults{
Enforce: "baseline", EnforceVersion: "v1.7",
Warn: "privileged", WarnVersion: "latest",
Audit: "privileged", AuditVersion: "latest",
},
Exemptions: api.PodSecurityExemptions{
Usernames: []string{"alice", "bob"},
Namespaces: []string{"kube-system"},
RuntimeClasses: []string{"special"},
},
},
},
{
name: "v1beta1 - json",
data: []byte(`{
"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
"kind":"PodSecurityConfiguration",
"defaults":{"enforce":"baseline"}}`),
expectConfig: &api.PodSecurityConfiguration{
Defaults: api.PodSecurityDefaults{
Enforce: "baseline", EnforceVersion: "latest",
Warn: "privileged", WarnVersion: "latest",
Audit: "privileged", AuditVersion: "latest",
},
},
},
{
name: "v1beta1 - yaml",
data: []byte(`
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
enforce: baseline
enforce-version: v1.7

View File

@ -22,6 +22,7 @@ import (
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
podsecurityapi "k8s.io/pod-security-admission/admission/api"
podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
)
var (
@ -40,5 +41,6 @@ func init() {
func AddToScheme(scheme *runtime.Scheme) {
utilruntime.Must(podsecurityapi.AddToScheme(scheme))
utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
}

View File

@ -0,0 +1,48 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/pod-security-admission/api"
)
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}
func SetDefaults_PodSecurityDefaults(obj *PodSecurityDefaults) {
if len(obj.Enforce) == 0 {
obj.Enforce = string(api.LevelPrivileged)
}
if len(obj.Warn) == 0 {
obj.Warn = string(api.LevelPrivileged)
}
if len(obj.Audit) == 0 {
obj.Audit = string(api.LevelPrivileged)
}
if len(obj.EnforceVersion) == 0 {
obj.EnforceVersion = string(api.VersionLatest)
}
if len(obj.WarnVersion) == 0 {
obj.WarnVersion = string(api.VersionLatest)
}
if len(obj.AuditVersion) == 0 {
obj.AuditVersion = string(api.VersionLatest)
}
}

View File

@ -0,0 +1,17 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1

View File

@ -0,0 +1,23 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=k8s.io/pod-security-admission/admission/api
// +k8s:defaulter-gen=TypeMeta
// +groupName=pod-security.admission.config.k8s.io
// Package v1beta1 contains PodSecurity admission configuration file types
package v1beta1

View File

@ -0,0 +1,50 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// GroupName is the group name use in this package
const GroupName = "pod-security.admission.config.k8s.io"
// SchemeGroupVersion is group version used to register these objects
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
var (
// SchemeBuilder is a pointer used to call AddToScheme
SchemeBuilder runtime.SchemeBuilder
localSchemeBuilder = &SchemeBuilder
// AddToScheme is used to register the types to API encoding/decoding machinery
AddToScheme = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
}
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&PodSecurityConfiguration{},
)
return nil
}

View File

@ -0,0 +1,44 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type PodSecurityConfiguration struct {
metav1.TypeMeta
Defaults PodSecurityDefaults `json:"defaults"`
Exemptions PodSecurityExemptions `json:"exemptions"`
}
type PodSecurityDefaults struct {
Enforce string `json:"enforce,omitempty"`
EnforceVersion string `json:"enforce-version,omitempty"`
Audit string `json:"audit,omitempty"`
AuditVersion string `json:"audit-version,omitempty"`
Warn string `json:"warn,omitempty"`
WarnVersion string `json:"warn-version,omitempty"`
}
type PodSecurityExemptions struct {
Usernames []string `json:"usernames,omitempty"`
Namespaces []string `json:"namespaces,omitempty"`
RuntimeClasses []string `json:"runtimeClasses,omitempty"`
}

View File

@ -0,0 +1,154 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1beta1
import (
unsafe "unsafe"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
api "k8s.io/pod-security-admission/admission/api"
)
func init() {
localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
if err := s.AddGeneratedConversionFunc((*PodSecurityConfiguration)(nil), (*api.PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(a.(*PodSecurityConfiguration), b.(*api.PodSecurityConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*api.PodSecurityConfiguration)(nil), (*PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(a.(*api.PodSecurityConfiguration), b.(*PodSecurityConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*PodSecurityDefaults)(nil), (*api.PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(a.(*PodSecurityDefaults), b.(*api.PodSecurityDefaults), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*api.PodSecurityDefaults)(nil), (*PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(a.(*api.PodSecurityDefaults), b.(*PodSecurityDefaults), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*PodSecurityExemptions)(nil), (*api.PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(a.(*PodSecurityExemptions), b.(*api.PodSecurityExemptions), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*api.PodSecurityExemptions)(nil), (*PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(a.(*api.PodSecurityExemptions), b.(*PodSecurityExemptions), scope)
}); err != nil {
return err
}
return nil
}
func autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error {
if err := Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil {
return err
}
if err := Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil {
return err
}
return nil
}
// Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in, out, s)
}
func autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error {
if err := Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil {
return err
}
if err := Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil {
return err
}
return nil
}
// Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration is an autogenerated conversion function.
func Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error {
return autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in, out, s)
}
func autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error {
out.Enforce = in.Enforce
out.EnforceVersion = in.EnforceVersion
out.Audit = in.Audit
out.AuditVersion = in.AuditVersion
out.Warn = in.Warn
out.WarnVersion = in.WarnVersion
return nil
}
// Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in, out, s)
}
func autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error {
out.Enforce = in.Enforce
out.EnforceVersion = in.EnforceVersion
out.Audit = in.Audit
out.AuditVersion = in.AuditVersion
out.Warn = in.Warn
out.WarnVersion = in.WarnVersion
return nil
}
// Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults is an autogenerated conversion function.
func Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error {
return autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in, out, s)
}
func autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error {
out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames))
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses))
return nil
}
// Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions is an autogenerated conversion function.
func Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error {
return autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in, out, s)
}
func autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error {
out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames))
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses))
return nil
}
// Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions is an autogenerated conversion function.
func Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error {
return autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in, out, s)
}

View File

@ -0,0 +1,100 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1beta1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityConfiguration) DeepCopyInto(out *PodSecurityConfiguration) {
*out = *in
out.TypeMeta = in.TypeMeta
out.Defaults = in.Defaults
in.Exemptions.DeepCopyInto(&out.Exemptions)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityConfiguration.
func (in *PodSecurityConfiguration) DeepCopy() *PodSecurityConfiguration {
if in == nil {
return nil
}
out := new(PodSecurityConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PodSecurityConfiguration) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityDefaults) DeepCopyInto(out *PodSecurityDefaults) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityDefaults.
func (in *PodSecurityDefaults) DeepCopy() *PodSecurityDefaults {
if in == nil {
return nil
}
out := new(PodSecurityDefaults)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityExemptions) DeepCopyInto(out *PodSecurityExemptions) {
*out = *in
if in.Usernames != nil {
in, out := &in.Usernames, &out.Usernames
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Namespaces != nil {
in, out := &in.Namespaces, &out.Namespaces
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.RuntimeClasses != nil {
in, out := &in.RuntimeClasses, &out.RuntimeClasses
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityExemptions.
func (in *PodSecurityExemptions) DeepCopy() *PodSecurityExemptions {
if in == nil {
return nil
}
out := new(PodSecurityExemptions)
in.DeepCopyInto(out)
return out
}

View File

@ -0,0 +1,38 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1beta1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
func RegisterDefaults(scheme *runtime.Scheme) error {
scheme.AddTypeDefaultingFunc(&PodSecurityConfiguration{}, func(obj interface{}) { SetObjectDefaults_PodSecurityConfiguration(obj.(*PodSecurityConfiguration)) })
return nil
}
func SetObjectDefaults_PodSecurityConfiguration(in *PodSecurityConfiguration) {
SetDefaults_PodSecurityDefaults(&in.Defaults)
}

View File

@ -102,14 +102,14 @@ func TestPodSecurityWebhook(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)()
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)()
// The webhook should pass tests even when PodSecurity is disabled.
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, false)()
// Start test API server.
capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
testServer := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
"--anonymous-auth=false",
"--allow-privileged=true",
// The webhook should pass tests even when PodSecurity is disabled.
"--disable-admission-plugins=PodSecurity",
}, framework.SharedEtcd())
t.Cleanup(testServer.TearDownFn)

1
vendor/modules.txt vendored
View File

@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
k8s.io/pod-security-admission/admission/api/load
k8s.io/pod-security-admission/admission/api/scheme
k8s.io/pod-security-admission/admission/api/v1alpha1
k8s.io/pod-security-admission/admission/api/v1beta1
k8s.io/pod-security-admission/admission/api/validation
k8s.io/pod-security-admission/api
k8s.io/pod-security-admission/cmd/webhook/server