kubectl: remove psp support

2025-07-24 12:15:52 +00:00 · 2022-11-02 21:03:09 +08:00 · 2022-11-02 21:03:09 +08:00 · cc0f828058
commit cc0f828058
parent bd43394467
5 changed files with 0 additions and 1439 deletions
--- a/pkg/printers/internalversion/printers.go
+++ b/pkg/printers/internalversion/printers.go
@ -38,7 +38,6 @@ import (
 	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
 	flowcontrolv1beta3 "k8s.io/api/flowcontrol/v1beta3"
 	networkingv1alpha1 "k8s.io/api/networking/v1alpha1"
-	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 	resourcev1alpha1 "k8s.io/api/resource/v1alpha1"
 	schedulingv1 "k8s.io/api/scheduling/v1"
@ -367,20 +366,6 @@ func AddHandlers(h printers.PrintHandler) {
 	_ = h.TableHandler(configMapColumnDefinitions, printConfigMap)
 	_ = h.TableHandler(configMapColumnDefinitions, printConfigMapList)

-	podSecurityPolicyColumnDefinitions := []metav1.TableColumnDefinition{
-		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
-		{Name: "Priv", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["privileged"]},
-		{Name: "Caps", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["allowedCapabilities"]},
-		{Name: "SELinux", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["seLinux"]},
-		{Name: "RunAsUser", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["runAsUser"]},
-		{Name: "FsGroup", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["fsGroup"]},
-		{Name: "SupGroup", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["supplementalGroups"]},
-		{Name: "ReadOnlyRootFs", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["readOnlyRootFilesystem"]},
-		{Name: "Volumes", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["volumes"]},
-	}
-	_ = h.TableHandler(podSecurityPolicyColumnDefinitions, printPodSecurityPolicy)
-	_ = h.TableHandler(podSecurityPolicyColumnDefinitions, printPodSecurityPolicyList)
-
 	networkPolicyColumnDefinitioins := []metav1.TableColumnDefinition{
 		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
 		{Name: "Pod-Selector", Type: "string", Description: extensionsv1beta1.NetworkPolicySpec{}.SwaggerDoc()["podSelector"]},
@ -2326,39 +2311,6 @@ func printConfigMapList(list *api.ConfigMapList, options printers.GenerateOption
 	return rows, nil
 }

-func printPodSecurityPolicy(obj *policy.PodSecurityPolicy, options printers.GenerateOptions) ([]metav1.TableRow, error) {
-	row := metav1.TableRow{
-		Object: runtime.RawExtension{Object: obj},
-	}
-
-	capabilities := make([]string, len(obj.Spec.AllowedCapabilities))
-	for i, c := range obj.Spec.AllowedCapabilities {
-		capabilities[i] = string(c)
-	}
-	volumes := make([]string, len(obj.Spec.Volumes))
-	for i, v := range obj.Spec.Volumes {
-		volumes[i] = string(v)
-	}
-	row.Cells = append(row.Cells, obj.Name, fmt.Sprintf("%v", obj.Spec.Privileged),
-		strings.Join(capabilities, ","), string(obj.Spec.SELinux.Rule),
-		string(obj.Spec.RunAsUser.Rule), string(obj.Spec.FSGroup.Rule),
-		string(obj.Spec.SupplementalGroups.Rule), obj.Spec.ReadOnlyRootFilesystem,
-		strings.Join(volumes, ","))
-	return []metav1.TableRow{row}, nil
-}
-
-func printPodSecurityPolicyList(list *policy.PodSecurityPolicyList, options printers.GenerateOptions) ([]metav1.TableRow, error) {
-	rows := make([]metav1.TableRow, 0, len(list.Items))
-	for i := range list.Items {
-		r, err := printPodSecurityPolicy(&list.Items[i], options)
-		if err != nil {
-			return nil, err
-		}
-		rows = append(rows, r...)
-	}
-	return rows, nil
-}
-
 func printNetworkPolicy(obj *networking.NetworkPolicy, options printers.GenerateOptions) ([]metav1.TableRow, error) {
 	row := metav1.TableRow{
 		Object: runtime.RawExtension{Object: obj},
--- a/pkg/printers/internalversion/printers_test.go
+++ b/pkg/printers/internalversion/printers_test.go
@ -6097,12 +6097,6 @@ func TestTableRowDeepCopyShouldNotPanic(t *testing.T) {
 				return printConfigMap(&api.ConfigMap{}, printers.GenerateOptions{})
 			},
 		},
-		{
-			name: "PodSecurityPolicy",
-			printer: func() ([]metav1.TableRow, error) {
-				return printPodSecurityPolicy(&policy.PodSecurityPolicy{}, printers.GenerateOptions{})
-			},
-		},
 		{
 			name: "NetworkPolicy",
 			printer: func() ([]metav1.TableRow, error) {
--- a/staging/src/k8s.io/kubectl/pkg/describe/describe.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/describe.go
@ -209,7 +209,6 @@ func describerMap(clientConfig *rest.Config) (map[schema.GroupKind]ResourceDescr
 		{Group: corev1.GroupName, Kind: "PriorityClass"}:                          &PriorityClassDescriber{c},
 		{Group: discoveryv1beta1.GroupName, Kind: "EndpointSlice"}:                &EndpointSliceDescriber{c},
 		{Group: discoveryv1.GroupName, Kind: "EndpointSlice"}:                     &EndpointSliceDescriber{c},
-		{Group: policyv1beta1.GroupName, Kind: "PodSecurityPolicy"}:               &PodSecurityPolicyDescriber{c},
 		{Group: autoscalingv2beta2.GroupName, Kind: "HorizontalPodAutoscaler"}:    &HorizontalPodAutoscalerDescriber{c},
 		{Group: extensionsv1beta1.GroupName, Kind: "Ingress"}:                     &IngressDescriber{c},
 		{Group: networkingv1beta1.GroupName, Kind: "Ingress"}:                     &IngressDescriber{c},
@ -4890,84 +4889,6 @@ func describePriorityClass(pc *schedulingv1.PriorityClass, events *corev1.EventL
 	})
 }

-// PodSecurityPolicyDescriber generates information about a PodSecuritypolicyv1beta1.
-type PodSecurityPolicyDescriber struct {
-	clientset.Interface
-}
-
-func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
-	psp, err := d.PolicyV1beta1().PodSecurityPolicies().Get(context.TODO(), name, metav1.GetOptions{})
-	if err != nil {
-		return "", err
-	}
-
-	return describePodSecurityPolicy(psp)
-}
-
-func describePodSecurityPolicy(psp *policyv1beta1.PodSecurityPolicy) (string, error) {
-	return tabbedString(func(out io.Writer) error {
-		w := NewPrefixWriter(out)
-		w.Write(LEVEL_0, "Name:\t%s\n", psp.Name)
-
-		w.Write(LEVEL_0, "\nSettings:\n")
-
-		w.Write(LEVEL_1, "Allow Privileged:\t%t\n", psp.Spec.Privileged)
-		if psp.Spec.AllowPrivilegeEscalation != nil {
-			w.Write(LEVEL_1, "Allow Privilege Escalation:\t%t\n", *psp.Spec.AllowPrivilegeEscalation)
-		} else {
-			w.Write(LEVEL_1, "Allow Privilege Escalation:\t<unset>\n")
-		}
-		w.Write(LEVEL_1, "Default Add Capabilities:\t%v\n", capsToString(psp.Spec.DefaultAddCapabilities))
-		w.Write(LEVEL_1, "Required Drop Capabilities:\t%s\n", capsToString(psp.Spec.RequiredDropCapabilities))
-		w.Write(LEVEL_1, "Allowed Capabilities:\t%s\n", capsToString(psp.Spec.AllowedCapabilities))
-		w.Write(LEVEL_1, "Allowed Volume Types:\t%s\n", fsTypeToString(psp.Spec.Volumes))
-
-		if len(psp.Spec.AllowedFlexVolumes) > 0 {
-			w.Write(LEVEL_1, "Allowed FlexVolume Types:\t%s\n", flexVolumesToString(psp.Spec.AllowedFlexVolumes))
-		}
-
-		if len(psp.Spec.AllowedCSIDrivers) > 0 {
-			w.Write(LEVEL_1, "Allowed CSI Drivers:\t%s\n", csiDriversToString(psp.Spec.AllowedCSIDrivers))
-		}
-
-		if len(psp.Spec.AllowedUnsafeSysctls) > 0 {
-			w.Write(LEVEL_1, "Allowed Unsafe Sysctls:\t%s\n", sysctlsToString(psp.Spec.AllowedUnsafeSysctls))
-		}
-		if len(psp.Spec.ForbiddenSysctls) > 0 {
-			w.Write(LEVEL_1, "Forbidden Sysctls:\t%s\n", sysctlsToString(psp.Spec.ForbiddenSysctls))
-		}
-		w.Write(LEVEL_1, "Allow Host Network:\t%t\n", psp.Spec.HostNetwork)
-		w.Write(LEVEL_1, "Allow Host Ports:\t%s\n", hostPortRangeToString(psp.Spec.HostPorts))
-		w.Write(LEVEL_1, "Allow Host PID:\t%t\n", psp.Spec.HostPID)
-		w.Write(LEVEL_1, "Allow Host IPC:\t%t\n", psp.Spec.HostIPC)
-		w.Write(LEVEL_1, "Read Only Root Filesystem:\t%v\n", psp.Spec.ReadOnlyRootFilesystem)
-
-		w.Write(LEVEL_1, "SELinux Context Strategy: %s\t\n", string(psp.Spec.SELinux.Rule))
-		var user, role, seLinuxType, level string
-		if psp.Spec.SELinux.SELinuxOptions != nil {
-			user = psp.Spec.SELinux.SELinuxOptions.User
-			role = psp.Spec.SELinux.SELinuxOptions.Role
-			seLinuxType = psp.Spec.SELinux.SELinuxOptions.Type
-			level = psp.Spec.SELinux.SELinuxOptions.Level
-		}
-		w.Write(LEVEL_2, "User:\t%s\n", stringOrNone(user))
-		w.Write(LEVEL_2, "Role:\t%s\n", stringOrNone(role))
-		w.Write(LEVEL_2, "Type:\t%s\n", stringOrNone(seLinuxType))
-		w.Write(LEVEL_2, "Level:\t%s\n", stringOrNone(level))
-
-		w.Write(LEVEL_1, "Run As User Strategy: %s\t\n", string(psp.Spec.RunAsUser.Rule))
-		w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.RunAsUser.Ranges))
-
-		w.Write(LEVEL_1, "FSGroup Strategy: %s\t\n", string(psp.Spec.FSGroup.Rule))
-		w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.FSGroup.Ranges))
-
-		w.Write(LEVEL_1, "Supplemental Groups Strategy: %s\t\n", string(psp.Spec.SupplementalGroups.Rule))
-		w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.SupplementalGroups.Ranges))
-
-		return nil
-	})
-}
-
 func stringOrNone(s string) string {
 	return stringOrDefaultValue(s, "<none>")
 }
@ -4979,70 +4900,6 @@ func stringOrDefaultValue(s, defaultValue string) string {
 	return defaultValue
 }

-func fsTypeToString(volumes []policyv1beta1.FSType) string {
-	strVolumes := []string{}
-	for _, v := range volumes {
-		strVolumes = append(strVolumes, string(v))
-	}
-	return stringOrNone(strings.Join(strVolumes, ","))
-}
-
-func flexVolumesToString(flexVolumes []policyv1beta1.AllowedFlexVolume) string {
-	volumes := []string{}
-	for _, flexVolume := range flexVolumes {
-		volumes = append(volumes, "driver="+flexVolume.Driver)
-	}
-	return stringOrDefaultValue(strings.Join(volumes, ","), "<all>")
-}
-
-func csiDriversToString(csiDrivers []policyv1beta1.AllowedCSIDriver) string {
-	drivers := []string{}
-	for _, csiDriver := range csiDrivers {
-		drivers = append(drivers, "driver="+csiDriver.Name)
-	}
-	return stringOrDefaultValue(strings.Join(drivers, ","), "<all>")
-}
-
-func sysctlsToString(sysctls []string) string {
-	return stringOrNone(strings.Join(sysctls, ","))
-}
-
-func hostPortRangeToString(ranges []policyv1beta1.HostPortRange) string {
-	formattedString := ""
-	if ranges != nil {
-		strRanges := []string{}
-		for _, r := range ranges {
-			strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
-		}
-		formattedString = strings.Join(strRanges, ",")
-	}
-	return stringOrNone(formattedString)
-}
-
-func idRangeToString(ranges []policyv1beta1.IDRange) string {
-	formattedString := ""
-	if ranges != nil {
-		strRanges := []string{}
-		for _, r := range ranges {
-			strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
-		}
-		formattedString = strings.Join(strRanges, ",")
-	}
-	return stringOrNone(formattedString)
-}
-
-func capsToString(caps []corev1.Capability) string {
-	formattedString := ""
-	if caps != nil {
-		strCaps := []string{}
-		for _, c := range caps {
-			strCaps = append(strCaps, string(c))
-		}
-		formattedString = strings.Join(strCaps, ",")
-	}
-	return stringOrNone(formattedString)
-}
-
 func policyTypesToString(pts []networkingv1.PolicyType) string {
 	formattedString := ""
 	if pts != nil {
--- a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
@ -20,7 +20,6 @@ import (
 	"bytes"
 	"fmt"
 	"reflect"
-	"regexp"
 	"strings"
 	"testing"
 	"time"
@ -4696,70 +4695,6 @@ URL:	http://localhost
 	}
 }

-func TestDescribePodSecurityPolicy(t *testing.T) {
-	expected := []string{
-		"Name:\\s*mypsp",
-		"Allow Privileged:\\s*false",
-		"Allow Privilege Escalation:\\s*false",
-		"Default Add Capabilities:\\s*<none>",
-		"Required Drop Capabilities:\\s*<none>",
-		"Allowed Capabilities:\\s*<none>",
-		"Allowed Volume Types:\\s*<none>",
-		"Allowed Unsafe Sysctls:\\s*kernel\\.\\*,net\\.ipv4.ip_local_port_range",
-		"Forbidden Sysctls:\\s*net\\.ipv4\\.ip_default_ttl",
-		"Allow Host Network:\\s*false",
-		"Allow Host Ports:\\s*<none>",
-		"Allow Host PID:\\s*false",
-		"Allow Host IPC:\\s*false",
-		"Read Only Root Filesystem:\\s*false",
-		"SELinux Context Strategy: RunAsAny",
-		"User:\\s*<none>",
-		"Role:\\s*<none>",
-		"Type:\\s*<none>",
-		"Level:\\s*<none>",
-		"Run As User Strategy: RunAsAny",
-		"FSGroup Strategy: RunAsAny",
-		"Supplemental Groups Strategy: RunAsAny",
-	}
-
-	falseVal := false
-	fake := fake.NewSimpleClientset(&policyv1beta1.PodSecurityPolicy{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "mypsp",
-		},
-		Spec: policyv1beta1.PodSecurityPolicySpec{
-			AllowPrivilegeEscalation: &falseVal,
-			AllowedUnsafeSysctls:     []string{"kernel.*", "net.ipv4.ip_local_port_range"},
-			ForbiddenSysctls:         []string{"net.ipv4.ip_default_ttl"},
-			SELinux: policyv1beta1.SELinuxStrategyOptions{
-				Rule: policyv1beta1.SELinuxStrategyRunAsAny,
-			},
-			RunAsUser: policyv1beta1.RunAsUserStrategyOptions{
-				Rule: policyv1beta1.RunAsUserStrategyRunAsAny,
-			},
-			FSGroup: policyv1beta1.FSGroupStrategyOptions{
-				Rule: policyv1beta1.FSGroupStrategyRunAsAny,
-			},
-			SupplementalGroups: policyv1beta1.SupplementalGroupsStrategyOptions{
-				Rule: policyv1beta1.SupplementalGroupsStrategyRunAsAny,
-			},
-		},
-	})
-
-	c := &describeClient{T: t, Namespace: "", Interface: fake}
-	d := PodSecurityPolicyDescriber{c}
-	out, err := d.Describe("", "mypsp", DescriberSettings{})
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-
-	for _, item := range expected {
-		if matched, _ := regexp.MatchString(item, out); !matched {
-			t.Errorf("Expected to find %q in: %q", item, out)
-		}
-	}
-}
-
 func TestDescribeResourceQuota(t *testing.T) {
 	fake := fake.NewSimpleClientset(&corev1.ResourceQuota{
 		ObjectMeta: metav1.ObjectMeta{
--- a/staging/src/k8s.io/kubectl/testdata/openapi/swagger.json
+++ b/staging/src/k8s.io/kubectl/testdata/openapi/swagger.json