From 01fa142ef52adbba93e586f6e73f7b67827f73d1 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 2 Nov 2021 09:43:24 -0400
Subject: [PATCH 1/4] PodSecurity: promote to beta
---
 pkg/features/kube_features.go | 3 ++-
 test/integration/auth/podsecurity_test.go | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 337963f182a..e82c81f6fec 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -712,6 +712,7 @@ const (
 // owner: @liggitt, @tallclair, sig-auth
 // alpha: v1.22
+ // beta: v1.23
 //
 // Enables the PodSecurity admission plugin
 PodSecurity featuregate.Feature = "PodSecurity"
@@ -895,7 +896,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 StatefulSetMinReadySeconds: {Default: true, PreRelease: featuregate.Beta},
 ExpandedDNSConfig: {Default: false, PreRelease: featuregate.Alpha},
 SeccompDefault: {Default: false, PreRelease: featuregate.Alpha},
- PodSecurity: {Default: false, PreRelease: featuregate.Alpha},
+ PodSecurity: {Default: true, PreRelease: featuregate.Beta},
 ReadWriteOncePod: {Default: false, PreRelease: featuregate.Alpha},
 CSRDuration: {Default: true, PreRelease: featuregate.Beta},
 DelegateFSGroupToCSIDriver: {Default: false, PreRelease: featuregate.Alpha},
diff --git a/test/integration/auth/podsecurity_test.go b/test/integration/auth/podsecurity_test.go
index ad7c8e215ca..7206955f928 100644
--- a/test/integration/auth/podsecurity_test.go
+++ b/test/integration/auth/podsecurity_test.go
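Review bot: The description line `// Enables the PodSecurity admission plugin` on the constant is left as is while the second hunk flips the gate to `{Default: true, PreRelease: featuregate.Beta}`, so the comment no longer tells a reader that the plugin is now on in every cluster that does not set the gate explicitly. I would extend it to `// Enables the PodSecurity admission plugin (on by default since beta)`. If I read the defaults.go added in the second patch correctly, an unconfigured plugin defaults every mode to the privileged level, so the promotion on its own should not start rejecting existing workloads; that expectation is worth stating next to the gate, hedged, for whoever reviews the rollout.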
@@ -102,14 +102,14 @@ func TestPodSecurityWebhook(t *testing.T) {
 defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
 defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)()
 defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)()
- // The webhook should pass tests even when PodSecurity is disabled.
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, false)()
 // Start test API server.
 capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
 testServer := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
 "--anonymous-auth=false",
 "--allow-privileged=true",
+ // The webhook should pass tests even when PodSecurity is disabled.
+ "--disable-admission-plugins=PodSecurity",
 }, framework.SharedEtcd())
 t.Cleanup(testServer.TearDownFn)
From 23e2f1a378e94f792d4ca914fb3dae9dc401b73c Mon Sep 17 00:00:00 2001
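Review bot: The comment moved into the flag list still reads `// The webhook should pass tests even when PodSecurity is disabled.`, but what is now disabled is the in-process admission plugin via `--disable-admission-plugins=PodSecurity`, not the feature gate, which after the first patch stays at its beta default. I would reword it to `// The webhook should pass tests even when the in-tree PodSecurity admission plugin is disabled.` so a reader does not go looking for a gate override that no longer exists. TestPodSecurityWebhook continues outside the hunk, so I cannot see whether anything later in the test still assumes the gate is off.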
From: Jordan Liggitt
Date: Tue, 2 Nov 2021 11:35:18 -0400
Subject: [PATCH 2/4] PodSecurity: copy v1alpha1 config to v1beta1
---
 .../admission/api/v1beta1/defaults.go | 48 ++++++
 .../admission/api/v1beta1/defaults_test.go | 17 ++
 .../admission/api/v1beta1/doc.go | 23 +++
 .../admission/api/v1beta1/register.go | 50 ++++++
 .../admission/api/v1beta1/types.go | 44 +++++
 .../api/v1beta1/zz_generated.conversion.go | 154 ++++++++++++++++++
 .../api/v1beta1/zz_generated.deepcopy.go | 100 ++++++++++++
 .../api/v1beta1/zz_generated.defaults.go | 38 +++++
 8 files changed, 474 insertions(+)
 create mode 100644 staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go
 create mode 100644 staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go
 create mode 100644 staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go
 create mode 100644 staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go
 create mode 100644 staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go
 create mode 100644 staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go
 create mode 100644 staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go
 create mode 100644 staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go
new file mode 100644
index 00000000000..649fad63605
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/pod-security-admission/api"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+ return RegisterDefaults(scheme)
+}
+
+func SetDefaults_PodSecurityDefaults(obj *PodSecurityDefaults) {
+ if len(obj.Enforce) == 0 {
+ obj.Enforce = string(api.LevelPrivileged)
+ }
+ if len(obj.Warn) == 0 {
+ obj.Warn = string(api.LevelPrivileged)
+ }
+ if len(obj.Audit) == 0 {
+ obj.Audit = string(api.LevelPrivileged)
+ }
+
+ if len(obj.EnforceVersion) == 0 {
+ obj.EnforceVersion = string(api.VersionLatest)
+ }
+ if len(obj.WarnVersion) == 0 {
+ obj.WarnVersion = string(api.VersionLatest)
+ }
+ if len(obj.AuditVersion) == 0 {
+ obj.AuditVersion = string(api.VersionLatest)
+ }
+}
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go
new file mode 100644
index 00000000000..fb95f067628
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go
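Review bot: `SetDefaults_PodSecurityDefaults` is exported and undocumented, and what it encodes is security-relevant: an empty mode falls back to `api.LevelPrivileged`, the most permissive level, and an empty version to `api.VersionLatest`. I would add `// SetDefaults_PodSecurityDefaults fills any unset enforce/audit/warn level with the privileged (most permissive) level and any unset version with "latest", so an omitted field never leaves a mode with an empty level.` above it, and a one-liner on `addDefaultingFuncs` pointing at the generated RegisterDefaults it delegates to. The defaults_test.go created in the next hunk holds only the package clause; a test that defaults a zero PodSecurityDefaults and asserts these six values would pin the permissive default against accidental change.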
@@ -0,0 +1,17 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go
new file mode 100644
index 00000000000..f7d9c1ce612
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go
@@ -0,0 +1,23 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/pod-security-admission/admission/api
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=pod-security.admission.config.k8s.io
+
+// Package v1alpha1 contains PodSecurity admission configuration file types
+package v1alpha1
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go
new file mode 100644
index 00000000000..1cd622832ce
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "pod-security.admission.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ // SchemeBuilder is a pointer used to call AddToScheme
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ // AddToScheme is used to register the types to API encoding/decoding machinery
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &PodSecurityConfiguration{},
+ )
+ return nil
+}
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go
new file mode 100644
index 00000000000..77630c965c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type PodSecurityConfiguration struct {
+ metav1.TypeMeta
+ Defaults PodSecurityDefaults `json:"defaults"`
+ Exemptions PodSecurityExemptions `json:"exemptions"`
+}
+
+type PodSecurityDefaults struct {
+ Enforce string `json:"enforce,omitempty"`
+ EnforceVersion string `json:"enforce-version,omitempty"`
+ Audit string `json:"audit,omitempty"`
+ AuditVersion string `json:"audit-version,omitempty"`
+ Warn string `json:"warn,omitempty"`
+ WarnVersion string `json:"warn-version,omitempty"`
+}
+
+type PodSecurityExemptions struct {
+ Usernames []string `json:"usernames,omitempty"`
+ Namespaces []string `json:"namespaces,omitempty"`
+ RuntimeClasses []string `json:"runtimeClasses,omitempty"`
+}
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go
new file mode 100644
index 00000000000..826f4835755
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go
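Review bot: The three exported types in types.go and all of their fields carry no doc comments, so someone writing an admission configuration file learns what `Enforce`, `EnforceVersion` or `Exemptions` mean only by reading the admission code. I would add at least `// PodSecurityConfiguration is the file-level configuration for the PodSecurity admission plugin.`, `// PodSecurityDefaults holds the level and version applied to each mode when not set explicitly.` and `// PodSecurityExemptions lists usernames, namespaces and runtime classes that are excluded from policy checks.`; the precise exemption semantics are not visible in this hunk and should be confirmed against the admission code before wording them. The JSON tags also mix styles, `enforce-version` alongside `runtimeClasses`; if v1beta1 is meant to stay wire-compatible with v1alpha1 that is deliberate, and a comment saying so would keep a later reviewer from normalising it.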
@@ -0,0 +1,154 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + unsafe "unsafe" + + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" + api "k8s.io/pod-security-admission/admission/api" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. 
+func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*PodSecurityConfiguration)(nil), (*api.PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(a.(*PodSecurityConfiguration), b.(*api.PodSecurityConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*api.PodSecurityConfiguration)(nil), (*PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration(a.(*api.PodSecurityConfiguration), b.(*PodSecurityConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*PodSecurityDefaults)(nil), (*api.PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(a.(*PodSecurityDefaults), b.(*api.PodSecurityDefaults), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*api.PodSecurityDefaults)(nil), (*PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(a.(*api.PodSecurityDefaults), b.(*PodSecurityDefaults), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*PodSecurityExemptions)(nil), (*api.PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(a.(*PodSecurityExemptions), b.(*api.PodSecurityExemptions), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*api.PodSecurityExemptions)(nil), (*PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(a.(*api.PodSecurityExemptions), b.(*PodSecurityExemptions), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error { + if err := Convert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil { + return err + } + if err := Convert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration is an autogenerated conversion function. +func Convert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error { + return autoConvert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in, out, s) +} + +func autoConvert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error { + if err := Convert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil { + return err + } + if err := Convert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil { + return err + } + return nil +} + +// Convert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration is an autogenerated conversion function. 
+func Convert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error { + return autoConvert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration(in, out, s) +} + +func autoConvert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error { + out.Enforce = in.Enforce + out.EnforceVersion = in.EnforceVersion + out.Audit = in.Audit + out.AuditVersion = in.AuditVersion + out.Warn = in.Warn + out.WarnVersion = in.WarnVersion + return nil +} + +// Convert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults is an autogenerated conversion function. +func Convert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error { + return autoConvert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(in, out, s) +} + +func autoConvert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error { + out.Enforce = in.Enforce + out.EnforceVersion = in.EnforceVersion + out.Audit = in.Audit + out.AuditVersion = in.AuditVersion + out.Warn = in.Warn + out.WarnVersion = in.WarnVersion + return nil +} + +// Convert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults is an autogenerated conversion function. 
+func Convert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error { + return autoConvert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(in, out, s) +} + +func autoConvert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error { + out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames)) + out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) + out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses)) + return nil +} + +// Convert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions is an autogenerated conversion function. +func Convert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error { + return autoConvert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(in, out, s) +} + +func autoConvert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error { + out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames)) + out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) + out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses)) + return nil +} + +// Convert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions is an autogenerated conversion function. +func Convert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error { + return autoConvert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(in, out, s) +} diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go new file mode 100644 index 00000000000..d3cb59279b1 
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,100 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityConfiguration) DeepCopyInto(out *PodSecurityConfiguration) { + *out = *in + out.TypeMeta = in.TypeMeta + out.Defaults = in.Defaults + in.Exemptions.DeepCopyInto(&out.Exemptions) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityConfiguration. +func (in *PodSecurityConfiguration) DeepCopy() *PodSecurityConfiguration { + if in == nil { + return nil + } + out := new(PodSecurityConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PodSecurityConfiguration) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PodSecurityDefaults) DeepCopyInto(out *PodSecurityDefaults) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityDefaults. +func (in *PodSecurityDefaults) DeepCopy() *PodSecurityDefaults { + if in == nil { + return nil + } + out := new(PodSecurityDefaults) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityExemptions) DeepCopyInto(out *PodSecurityExemptions) { + *out = *in + if in.Usernames != nil { + in, out := &in.Usernames, &out.Usernames + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Namespaces != nil { + in, out := &in.Namespaces, &out.Namespaces + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.RuntimeClasses != nil { + in, out := &in.RuntimeClasses, &out.RuntimeClasses + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityExemptions. +func (in *PodSecurityExemptions) DeepCopy() *PodSecurityExemptions { + if in == nil { + return nil + } + out := new(PodSecurityExemptions) + in.DeepCopyInto(out) + return out +} diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go new file mode 100644 index 00000000000..50ac8478495 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go 
@@ -0,0 +1,38 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + scheme.AddTypeDefaultingFunc(&PodSecurityConfiguration{}, func(obj interface{}) { SetObjectDefaults_PodSecurityConfiguration(obj.(*PodSecurityConfiguration)) }) + return nil +} + +func SetObjectDefaults_PodSecurityConfiguration(in *PodSecurityConfiguration) { + SetDefaults_PodSecurityDefaults(&in.Defaults) +} From d997607eb9902f06a8e9edd6877def6fc58e36c5 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Tue, 2 Nov 2021 11:42:31 -0400 Subject: [PATCH 3/4] PodSecurity: find/replace v1alpha1 -> v1beta1 --- .../admission/api/v1beta1/defaults.go | 2 +- .../admission/api/v1beta1/defaults_test.go | 2 +- .../admission/api/v1beta1/doc.go | 4 +- .../admission/api/v1beta1/register.go | 4 +- .../admission/api/v1beta1/types.go | 2 +- .../api/v1beta1/zz_generated.conversion.go | 70 +++++++++---------- .../api/v1beta1/zz_generated.deepcopy.go | 2 +- .../api/v1beta1/zz_generated.defaults.go | 2 +- 8 files changed, 44 insertions(+), 44 deletions(-) 
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go
index 649fad63605..0f285376bc6 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package v1alpha1
+package v1beta1
 import (
 "k8s.io/apimachinery/pkg/runtime"
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go
index fb95f067628..d55ab5609a7 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go
@@ -14,4 +14,4 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package v1alpha1
+package v1beta1
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go
index f7d9c1ce612..f4a85e72b47 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go
@@ -19,5 +19,5 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=pod-security.admission.config.k8s.io
-// Package v1alpha1 contains PodSecurity admission configuration file types
-package v1alpha1
+// Package v1beta1 contains PodSecurity admission configuration file types
+package v1beta1
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go
index 1cd622832ce..9107c0c0c2c 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go +++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1alpha1 +package v1beta1 import ( "k8s.io/apimachinery/pkg/runtime" @@ -25,7 +25,7 @@ import ( const GroupName = "pod-security.admission.config.k8s.io" // SchemeGroupVersion is group version used to register these objects -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} var ( // SchemeBuilder is a pointer used to call AddToScheme diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go index 77630c965c0..66ffc297624 100644 --- a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go +++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package v1alpha1 +package v1beta1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go index 826f4835755..8306144bc6c 100644 --- a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go +++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.conversion.go @@ -19,7 +19,7 @@ limitations under the License. // Code generated by conversion-gen. DO NOT EDIT. -package v1alpha1 +package v1beta1 import ( unsafe "unsafe" 
@@ -37,69 +37,69 @@ func init() { // Public to allow building arbitrary schemes. func RegisterConversions(s *runtime.Scheme) error { if err := s.AddGeneratedConversionFunc((*PodSecurityConfiguration)(nil), (*api.PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(a.(*PodSecurityConfiguration), b.(*api.PodSecurityConfiguration), scope) + return Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(a.(*PodSecurityConfiguration), b.(*api.PodSecurityConfiguration), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*api.PodSecurityConfiguration)(nil), (*PodSecurityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration(a.(*api.PodSecurityConfiguration), b.(*PodSecurityConfiguration), scope) + return Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(a.(*api.PodSecurityConfiguration), b.(*PodSecurityConfiguration), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*PodSecurityDefaults)(nil), (*api.PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(a.(*PodSecurityDefaults), b.(*api.PodSecurityDefaults), scope) + return Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(a.(*PodSecurityDefaults), b.(*api.PodSecurityDefaults), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*api.PodSecurityDefaults)(nil), (*PodSecurityDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(a.(*api.PodSecurityDefaults), b.(*PodSecurityDefaults), scope) + return Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(a.(*api.PodSecurityDefaults), 
b.(*PodSecurityDefaults), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*PodSecurityExemptions)(nil), (*api.PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(a.(*PodSecurityExemptions), b.(*api.PodSecurityExemptions), scope) + return Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(a.(*PodSecurityExemptions), b.(*api.PodSecurityExemptions), scope) }); err != nil { return err } if err := s.AddGeneratedConversionFunc((*api.PodSecurityExemptions)(nil), (*PodSecurityExemptions)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(a.(*api.PodSecurityExemptions), b.(*PodSecurityExemptions), scope) + return Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(a.(*api.PodSecurityExemptions), b.(*PodSecurityExemptions), scope) }); err != nil { return err } return nil } -func autoConvert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error { - if err := Convert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil { +func autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error { + if err := Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil { return err } - if err := Convert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil { + if err := Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil { return err } return nil } -// 
Convert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration is an autogenerated conversion function. -func Convert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error { - return autoConvert_v1alpha1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in, out, s) +// Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration is an autogenerated conversion function. +func Convert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in *PodSecurityConfiguration, out *api.PodSecurityConfiguration, s conversion.Scope) error { + return autoConvert_v1beta1_PodSecurityConfiguration_To_api_PodSecurityConfiguration(in, out, s) } -func autoConvert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error { - if err := Convert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil { +func autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error { + if err := Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(&in.Defaults, &out.Defaults, s); err != nil { return err } - if err := Convert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil { + if err := Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(&in.Exemptions, &out.Exemptions, s); err != nil { return err } return nil } -// Convert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration is an autogenerated conversion function. 
-func Convert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error { - return autoConvert_api_PodSecurityConfiguration_To_v1alpha1_PodSecurityConfiguration(in, out, s) +// Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration is an autogenerated conversion function. +func Convert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in *api.PodSecurityConfiguration, out *PodSecurityConfiguration, s conversion.Scope) error { + return autoConvert_api_PodSecurityConfiguration_To_v1beta1_PodSecurityConfiguration(in, out, s) } -func autoConvert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error { +func autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error { out.Enforce = in.Enforce out.EnforceVersion = in.EnforceVersion out.Audit = in.Audit 
@@ -109,12 +109,12 @@ func autoConvert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *Pod return nil } -// Convert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults is an autogenerated conversion function. -func Convert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error { - return autoConvert_v1alpha1_PodSecurityDefaults_To_api_PodSecurityDefaults(in, out, s) +// Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults is an autogenerated conversion function. +func Convert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in *PodSecurityDefaults, out *api.PodSecurityDefaults, s conversion.Scope) error { + return autoConvert_v1beta1_PodSecurityDefaults_To_api_PodSecurityDefaults(in, out, s) } -func autoConvert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error { +func autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error { out.Enforce = in.Enforce out.EnforceVersion = in.EnforceVersion out.Audit = in.Audit 
@@ -124,31 +124,31 @@ func autoConvert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(in *api return nil } -// Convert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults is an autogenerated conversion function. -func Convert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error { - return autoConvert_api_PodSecurityDefaults_To_v1alpha1_PodSecurityDefaults(in, out, s) +// Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults is an autogenerated conversion function. +func Convert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in *api.PodSecurityDefaults, out *PodSecurityDefaults, s conversion.Scope) error { + return autoConvert_api_PodSecurityDefaults_To_v1beta1_PodSecurityDefaults(in, out, s) } -func autoConvert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error { +func autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error { out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames)) out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses)) return nil } -// Convert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions is an autogenerated conversion function. -func Convert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error { - return autoConvert_v1alpha1_PodSecurityExemptions_To_api_PodSecurityExemptions(in, out, s) +// Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions is an autogenerated conversion function. 
+func Convert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in *PodSecurityExemptions, out *api.PodSecurityExemptions, s conversion.Scope) error { + return autoConvert_v1beta1_PodSecurityExemptions_To_api_PodSecurityExemptions(in, out, s) } -func autoConvert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error { +func autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error { out.Usernames = *(*[]string)(unsafe.Pointer(&in.Usernames)) out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces)) out.RuntimeClasses = *(*[]string)(unsafe.Pointer(&in.RuntimeClasses)) return nil } -// Convert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions is an autogenerated conversion function. -func Convert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error { - return autoConvert_api_PodSecurityExemptions_To_v1alpha1_PodSecurityExemptions(in, out, s) +// Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions is an autogenerated conversion function. +func Convert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in *api.PodSecurityExemptions, out *PodSecurityExemptions, s conversion.Scope) error { + return autoConvert_api_PodSecurityExemptions_To_v1beta1_PodSecurityExemptions(in, out, s) } diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go index d3cb59279b1..87e23b805bb 100644 --- a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.deepcopy.go 
@@ -19,7 +19,7 @@ limitations under the License. // Code generated by deepcopy-gen. DO NOT EDIT. -package v1alpha1 +package v1beta1 import ( runtime "k8s.io/apimachinery/pkg/runtime" diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go index 50ac8478495..6e772470b99 100644 --- a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go +++ b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/zz_generated.defaults.go @@ -19,7 +19,7 @@ limitations under the License. // Code generated by defaulter-gen. DO NOT EDIT. -package v1alpha1 +package v1beta1 import ( runtime "k8s.io/apimachinery/pkg/runtime" From 1f8f996dc92dc4f768469921cce4e46123910805 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Tue, 2 Nov 2021 11:42:51 -0400 Subject: [PATCH 4/4] PodSecurity: register/test v1beta1 config --- .../admission/api/load/load.go | 4 +- .../admission/api/load/load_test.go | 86 +++++++++++++++++++ .../admission/api/scheme/scheme.go | 4 +- vendor/modules.txt | 1 + 4 files changed, 92 insertions(+), 3 deletions(-) diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go b/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go index 3919644ba9f..4bedf9f95f9 100644 --- a/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go +++ b/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go @@ -24,7 +24,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/pod-security-admission/admission/api" "k8s.io/pod-security-admission/admission/api/scheme" - apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1" + apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1" ) func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) { 
@@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) { func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) { if len(data) == 0 { // no config provided, return default - externalConfig := &apiv1alpha1.PodSecurityConfiguration{} + externalConfig := &apiv1beta1.PodSecurityConfiguration{} scheme.Scheme.Default(externalConfig) internalConfig := &api.PodSecurityConfiguration{} if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil { diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go b/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go index 11136c571ed..a75c6cf1594 100644 --- a/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go +++ b/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go @@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) { } } + // valid file + { + input := `{ + "apiVersion":"pod-security.admission.config.k8s.io/v1beta1", + "kind":"PodSecurityConfiguration", + "defaults":{"enforce":"baseline"}}` + expect := &api.PodSecurityConfiguration{ + Defaults: api.PodSecurityDefaults{ + Enforce: "baseline", EnforceVersion: "latest", + Warn: "privileged", WarnVersion: "latest", + Audit: "privileged", AuditVersion: "latest", + }, + } + + config, err := LoadFromFile(writeTempFile(t, input)) + if err != nil { + t.Fatalf("unexpected err: %v", err) + } + if !reflect.DeepEqual(config, expect) { + t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config)) + } + } + // missing file { _, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`) 
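Review bot: The comment `// no config provided, return default` above the changed line no longer says where the defaults come from, and after this change an empty input is defaulted through the v1beta1 defaulter instead of v1alpha1's. Both versions stay registered, so the two defaulters have to agree or an empty file and an explicit v1alpha1 file would yield different internal configs; the new TestLoadFromData cases do assert matching warn/audit defaults across the two versions, so the comment could point there. I'd change it to `// no config provided: default an empty v1beta1 document (the version listed first in scheme.SetVersionPriority) and convert it to the internal type; keep this in step with the v1alpha1 defaulter`. LoadFromData's body continues past the hunk.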
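Review bot: The v1beta1 JSON document and the expected `api.PodSecurityConfiguration` literal added to TestLoadFromFile here are repeated verbatim in the TestLoadFromReader hunk that follows and a third time as the `v1beta1 - json` table case in TestLoadFromData, so a change to the defaulted warn/audit values has to be edited in three places. A package-level `const validV1beta1JSON = ...` plus a small helper returning the expected config would keep the three tests from drifting apart. The enclosing test functions start outside the hunk.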
@@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) { } } + // valid reader + { + input := `{ + "apiVersion":"pod-security.admission.config.k8s.io/v1beta1", + "kind":"PodSecurityConfiguration", + "defaults":{"enforce":"baseline"}}` + expect := &api.PodSecurityConfiguration{ + Defaults: api.PodSecurityDefaults{ + Enforce: "baseline", EnforceVersion: "latest", + Warn: "privileged", WarnVersion: "latest", + Audit: "privileged", AuditVersion: "latest", + }, + } + + config, err := LoadFromReader(bytes.NewBufferString(input)) + if err != nil { + t.Fatalf("unexpected err: %v", err) + } + if !reflect.DeepEqual(config, expect) { + t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config)) + } + } + // invalid reader { input := `{ 
@@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) { data: []byte(` apiVersion: pod-security.admission.config.k8s.io/v1alpha1 kind: PodSecurityConfiguration +defaults: + enforce: baseline + enforce-version: v1.7 +exemptions: + usernames: ["alice","bob"] + namespaces: ["kube-system"] + runtimeClasses: ["special"] +`), + expectConfig: &api.PodSecurityConfiguration{ + Defaults: api.PodSecurityDefaults{ + Enforce: "baseline", EnforceVersion: "v1.7", + Warn: "privileged", WarnVersion: "latest", + Audit: "privileged", AuditVersion: "latest", + }, + Exemptions: api.PodSecurityExemptions{ + Usernames: []string{"alice", "bob"}, + Namespaces: []string{"kube-system"}, + RuntimeClasses: []string{"special"}, + }, + }, + }, + { + name: "v1beta1 - json", + data: []byte(`{ +"apiVersion":"pod-security.admission.config.k8s.io/v1beta1", +"kind":"PodSecurityConfiguration", +"defaults":{"enforce":"baseline"}}`), + expectConfig: &api.PodSecurityConfiguration{ + Defaults: api.PodSecurityDefaults{ + Enforce: "baseline", EnforceVersion: "latest", + Warn: "privileged", WarnVersion: "latest", + Audit: "privileged", AuditVersion: "latest", + }, + }, + }, + { + name: "v1beta1 - yaml", + data: []byte(` +apiVersion: pod-security.admission.config.k8s.io/v1beta1 +kind: PodSecurityConfiguration defaults: enforce: baseline enforce-version: v1.7 diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go b/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go index fa80b85bd9f..36ab8ca5eeb 100644 --- a/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go +++ b/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go @@ -22,6 +22,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" podsecurityapi "k8s.io/pod-security-admission/admission/api" podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1" + podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1" ) var ( 
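Review bot: The new `v1beta1 - json` case sets only `defaults.enforce`, so none of the v1beta1 exemption fields are exercised through the JSON path in this test. Exemptions presumably carve users, namespaces and runtime classes out of the policy, which makes them the most consequential part of the file to get right under the newly preferred version, and the v1alpha1 yaml case directly above already shows the shape. I'd add `"exemptions":{"usernames":["alice","bob"],"namespaces":["kube-system"],"runtimeClasses":["special"]}` to the JSON input and the matching `Exemptions: api.PodSecurityExemptions{...}` to its expectConfig. The `v1beta1 - yaml` case that closes the hunk continues past it, so it may already cover this for YAML input.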
@@ -40,5 +41,6 @@ func init() {
 func AddToScheme(scheme *runtime.Scheme) {
 utilruntime.Must(podsecurityapi.AddToScheme(scheme))
 utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
- utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
+ utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
+ utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6a09b35eda4..3ca29f10bc6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -2254,6 +2254,7 @@ k8s.io/pod-security-admission/admission/api
 k8s.io/pod-security-admission/admission/api/load
 k8s.io/pod-security-admission/admission/api/scheme
 k8s.io/pod-security-admission/admission/api/v1alpha1
+k8s.io/pod-security-admission/admission/api/v1beta1
 k8s.io/pod-security-admission/admission/api/validation
 k8s.io/pod-security-admission/api
 k8s.io/pod-security-admission/cmd/webhook/server
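Review bot: `AddToScheme` is exported but has no doc comment, and the argument order of the new `SetVersionPriority` call is, as far as I recall the apimachinery semantics, the only thing that makes v1beta1 the preferred version, which is easy to reorder by accident without a why-comment. I'd add `// AddToScheme registers the internal PodSecurity configuration types and their v1alpha1 and v1beta1 external versions.` above the function and `// v1beta1 first: it is the preferred version; v1alpha1 stays registered so existing configuration files keep loading.` above the SetVersionPriority line. If v1alpha1 is intended to be removed in a later release, recording that here (or with a `// Deprecated:` note on that package) would keep the intent from being lost.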