kubectl: remove psp support

This commit is contained in:
Paco Xu 2022-11-02 21:03:09 +08:00
parent bd43394467
commit cc0f828058
5 changed files with 0 additions and 1439 deletions

View File

@ -38,7 +38,6 @@ import (
extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
flowcontrolv1beta3 "k8s.io/api/flowcontrol/v1beta3"
networkingv1alpha1 "k8s.io/api/networking/v1alpha1"
policyv1beta1 "k8s.io/api/policy/v1beta1"
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
resourcev1alpha1 "k8s.io/api/resource/v1alpha1"
schedulingv1 "k8s.io/api/scheduling/v1"
@ -367,20 +366,6 @@ func AddHandlers(h printers.PrintHandler) {
_ = h.TableHandler(configMapColumnDefinitions, printConfigMap)
_ = h.TableHandler(configMapColumnDefinitions, printConfigMapList)
podSecurityPolicyColumnDefinitions := []metav1.TableColumnDefinition{
{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
{Name: "Priv", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["privileged"]},
{Name: "Caps", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["allowedCapabilities"]},
{Name: "SELinux", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["seLinux"]},
{Name: "RunAsUser", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["runAsUser"]},
{Name: "FsGroup", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["fsGroup"]},
{Name: "SupGroup", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["supplementalGroups"]},
{Name: "ReadOnlyRootFs", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["readOnlyRootFilesystem"]},
{Name: "Volumes", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["volumes"]},
}
_ = h.TableHandler(podSecurityPolicyColumnDefinitions, printPodSecurityPolicy)
_ = h.TableHandler(podSecurityPolicyColumnDefinitions, printPodSecurityPolicyList)
networkPolicyColumnDefinitioins := []metav1.TableColumnDefinition{
{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
{Name: "Pod-Selector", Type: "string", Description: extensionsv1beta1.NetworkPolicySpec{}.SwaggerDoc()["podSelector"]},
@ -2326,39 +2311,6 @@ func printConfigMapList(list *api.ConfigMapList, options printers.GenerateOption
return rows, nil
}
func printPodSecurityPolicy(obj *policy.PodSecurityPolicy, options printers.GenerateOptions) ([]metav1.TableRow, error) {
row := metav1.TableRow{
Object: runtime.RawExtension{Object: obj},
}
capabilities := make([]string, len(obj.Spec.AllowedCapabilities))
for i, c := range obj.Spec.AllowedCapabilities {
capabilities[i] = string(c)
}
volumes := make([]string, len(obj.Spec.Volumes))
for i, v := range obj.Spec.Volumes {
volumes[i] = string(v)
}
row.Cells = append(row.Cells, obj.Name, fmt.Sprintf("%v", obj.Spec.Privileged),
strings.Join(capabilities, ","), string(obj.Spec.SELinux.Rule),
string(obj.Spec.RunAsUser.Rule), string(obj.Spec.FSGroup.Rule),
string(obj.Spec.SupplementalGroups.Rule), obj.Spec.ReadOnlyRootFilesystem,
strings.Join(volumes, ","))
return []metav1.TableRow{row}, nil
}
func printPodSecurityPolicyList(list *policy.PodSecurityPolicyList, options printers.GenerateOptions) ([]metav1.TableRow, error) {
rows := make([]metav1.TableRow, 0, len(list.Items))
for i := range list.Items {
r, err := printPodSecurityPolicy(&list.Items[i], options)
if err != nil {
return nil, err
}
rows = append(rows, r...)
}
return rows, nil
}
func printNetworkPolicy(obj *networking.NetworkPolicy, options printers.GenerateOptions) ([]metav1.TableRow, error) {
row := metav1.TableRow{
Object: runtime.RawExtension{Object: obj},

View File

@ -6097,12 +6097,6 @@ func TestTableRowDeepCopyShouldNotPanic(t *testing.T) {
return printConfigMap(&api.ConfigMap{}, printers.GenerateOptions{})
},
},
{
name: "PodSecurityPolicy",
printer: func() ([]metav1.TableRow, error) {
return printPodSecurityPolicy(&policy.PodSecurityPolicy{}, printers.GenerateOptions{})
},
},
{
name: "NetworkPolicy",
printer: func() ([]metav1.TableRow, error) {

View File

@ -209,7 +209,6 @@ func describerMap(clientConfig *rest.Config) (map[schema.GroupKind]ResourceDescr
{Group: corev1.GroupName, Kind: "PriorityClass"}: &PriorityClassDescriber{c},
{Group: discoveryv1beta1.GroupName, Kind: "EndpointSlice"}: &EndpointSliceDescriber{c},
{Group: discoveryv1.GroupName, Kind: "EndpointSlice"}: &EndpointSliceDescriber{c},
{Group: policyv1beta1.GroupName, Kind: "PodSecurityPolicy"}: &PodSecurityPolicyDescriber{c},
{Group: autoscalingv2beta2.GroupName, Kind: "HorizontalPodAutoscaler"}: &HorizontalPodAutoscalerDescriber{c},
{Group: extensionsv1beta1.GroupName, Kind: "Ingress"}: &IngressDescriber{c},
{Group: networkingv1beta1.GroupName, Kind: "Ingress"}: &IngressDescriber{c},
@ -4890,84 +4889,6 @@ func describePriorityClass(pc *schedulingv1.PriorityClass, events *corev1.EventL
})
}
// PodSecurityPolicyDescriber generates information about a PodSecuritypolicyv1beta1.
type PodSecurityPolicyDescriber struct {
clientset.Interface
}
func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
psp, err := d.PolicyV1beta1().PodSecurityPolicies().Get(context.TODO(), name, metav1.GetOptions{})
if err != nil {
return "", err
}
return describePodSecurityPolicy(psp)
}
func describePodSecurityPolicy(psp *policyv1beta1.PodSecurityPolicy) (string, error) {
return tabbedString(func(out io.Writer) error {
w := NewPrefixWriter(out)
w.Write(LEVEL_0, "Name:\t%s\n", psp.Name)
w.Write(LEVEL_0, "\nSettings:\n")
w.Write(LEVEL_1, "Allow Privileged:\t%t\n", psp.Spec.Privileged)
if psp.Spec.AllowPrivilegeEscalation != nil {
w.Write(LEVEL_1, "Allow Privilege Escalation:\t%t\n", *psp.Spec.AllowPrivilegeEscalation)
} else {
w.Write(LEVEL_1, "Allow Privilege Escalation:\t<unset>\n")
}
w.Write(LEVEL_1, "Default Add Capabilities:\t%v\n", capsToString(psp.Spec.DefaultAddCapabilities))
w.Write(LEVEL_1, "Required Drop Capabilities:\t%s\n", capsToString(psp.Spec.RequiredDropCapabilities))
w.Write(LEVEL_1, "Allowed Capabilities:\t%s\n", capsToString(psp.Spec.AllowedCapabilities))
w.Write(LEVEL_1, "Allowed Volume Types:\t%s\n", fsTypeToString(psp.Spec.Volumes))
if len(psp.Spec.AllowedFlexVolumes) > 0 {
w.Write(LEVEL_1, "Allowed FlexVolume Types:\t%s\n", flexVolumesToString(psp.Spec.AllowedFlexVolumes))
}
if len(psp.Spec.AllowedCSIDrivers) > 0 {
w.Write(LEVEL_1, "Allowed CSI Drivers:\t%s\n", csiDriversToString(psp.Spec.AllowedCSIDrivers))
}
if len(psp.Spec.AllowedUnsafeSysctls) > 0 {
w.Write(LEVEL_1, "Allowed Unsafe Sysctls:\t%s\n", sysctlsToString(psp.Spec.AllowedUnsafeSysctls))
}
if len(psp.Spec.ForbiddenSysctls) > 0 {
w.Write(LEVEL_1, "Forbidden Sysctls:\t%s\n", sysctlsToString(psp.Spec.ForbiddenSysctls))
}
w.Write(LEVEL_1, "Allow Host Network:\t%t\n", psp.Spec.HostNetwork)
w.Write(LEVEL_1, "Allow Host Ports:\t%s\n", hostPortRangeToString(psp.Spec.HostPorts))
w.Write(LEVEL_1, "Allow Host PID:\t%t\n", psp.Spec.HostPID)
w.Write(LEVEL_1, "Allow Host IPC:\t%t\n", psp.Spec.HostIPC)
w.Write(LEVEL_1, "Read Only Root Filesystem:\t%v\n", psp.Spec.ReadOnlyRootFilesystem)
w.Write(LEVEL_1, "SELinux Context Strategy: %s\t\n", string(psp.Spec.SELinux.Rule))
var user, role, seLinuxType, level string
if psp.Spec.SELinux.SELinuxOptions != nil {
user = psp.Spec.SELinux.SELinuxOptions.User
role = psp.Spec.SELinux.SELinuxOptions.Role
seLinuxType = psp.Spec.SELinux.SELinuxOptions.Type
level = psp.Spec.SELinux.SELinuxOptions.Level
}
w.Write(LEVEL_2, "User:\t%s\n", stringOrNone(user))
w.Write(LEVEL_2, "Role:\t%s\n", stringOrNone(role))
w.Write(LEVEL_2, "Type:\t%s\n", stringOrNone(seLinuxType))
w.Write(LEVEL_2, "Level:\t%s\n", stringOrNone(level))
w.Write(LEVEL_1, "Run As User Strategy: %s\t\n", string(psp.Spec.RunAsUser.Rule))
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.RunAsUser.Ranges))
w.Write(LEVEL_1, "FSGroup Strategy: %s\t\n", string(psp.Spec.FSGroup.Rule))
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.FSGroup.Ranges))
w.Write(LEVEL_1, "Supplemental Groups Strategy: %s\t\n", string(psp.Spec.SupplementalGroups.Rule))
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.SupplementalGroups.Ranges))
return nil
})
}
func stringOrNone(s string) string {
return stringOrDefaultValue(s, "<none>")
}
@ -4979,70 +4900,6 @@ func stringOrDefaultValue(s, defaultValue string) string {
return defaultValue
}
func fsTypeToString(volumes []policyv1beta1.FSType) string {
strVolumes := []string{}
for _, v := range volumes {
strVolumes = append(strVolumes, string(v))
}
return stringOrNone(strings.Join(strVolumes, ","))
}
func flexVolumesToString(flexVolumes []policyv1beta1.AllowedFlexVolume) string {
volumes := []string{}
for _, flexVolume := range flexVolumes {
volumes = append(volumes, "driver="+flexVolume.Driver)
}
return stringOrDefaultValue(strings.Join(volumes, ","), "<all>")
}
func csiDriversToString(csiDrivers []policyv1beta1.AllowedCSIDriver) string {
drivers := []string{}
for _, csiDriver := range csiDrivers {
drivers = append(drivers, "driver="+csiDriver.Name)
}
return stringOrDefaultValue(strings.Join(drivers, ","), "<all>")
}
func sysctlsToString(sysctls []string) string {
return stringOrNone(strings.Join(sysctls, ","))
}
func hostPortRangeToString(ranges []policyv1beta1.HostPortRange) string {
formattedString := ""
if ranges != nil {
strRanges := []string{}
for _, r := range ranges {
strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
}
formattedString = strings.Join(strRanges, ",")
}
return stringOrNone(formattedString)
}
func idRangeToString(ranges []policyv1beta1.IDRange) string {
formattedString := ""
if ranges != nil {
strRanges := []string{}
for _, r := range ranges {
strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
}
formattedString = strings.Join(strRanges, ",")
}
return stringOrNone(formattedString)
}
func capsToString(caps []corev1.Capability) string {
formattedString := ""
if caps != nil {
strCaps := []string{}
for _, c := range caps {
strCaps = append(strCaps, string(c))
}
formattedString = strings.Join(strCaps, ",")
}
return stringOrNone(formattedString)
}
func policyTypesToString(pts []networkingv1.PolicyType) string {
formattedString := ""
if pts != nil {

View File

@ -20,7 +20,6 @@ import (
"bytes"
"fmt"
"reflect"
"regexp"
"strings"
"testing"
"time"
@ -4696,70 +4695,6 @@ URL: http://localhost
}
}
func TestDescribePodSecurityPolicy(t *testing.T) {
expected := []string{
"Name:\\s*mypsp",
"Allow Privileged:\\s*false",
"Allow Privilege Escalation:\\s*false",
"Default Add Capabilities:\\s*<none>",
"Required Drop Capabilities:\\s*<none>",
"Allowed Capabilities:\\s*<none>",
"Allowed Volume Types:\\s*<none>",
"Allowed Unsafe Sysctls:\\s*kernel\\.\\*,net\\.ipv4.ip_local_port_range",
"Forbidden Sysctls:\\s*net\\.ipv4\\.ip_default_ttl",
"Allow Host Network:\\s*false",
"Allow Host Ports:\\s*<none>",
"Allow Host PID:\\s*false",
"Allow Host IPC:\\s*false",
"Read Only Root Filesystem:\\s*false",
"SELinux Context Strategy: RunAsAny",
"User:\\s*<none>",
"Role:\\s*<none>",
"Type:\\s*<none>",
"Level:\\s*<none>",
"Run As User Strategy: RunAsAny",
"FSGroup Strategy: RunAsAny",
"Supplemental Groups Strategy: RunAsAny",
}
falseVal := false
fake := fake.NewSimpleClientset(&policyv1beta1.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "mypsp",
},
Spec: policyv1beta1.PodSecurityPolicySpec{
AllowPrivilegeEscalation: &falseVal,
AllowedUnsafeSysctls: []string{"kernel.*", "net.ipv4.ip_local_port_range"},
ForbiddenSysctls: []string{"net.ipv4.ip_default_ttl"},
SELinux: policyv1beta1.SELinuxStrategyOptions{
Rule: policyv1beta1.SELinuxStrategyRunAsAny,
},
RunAsUser: policyv1beta1.RunAsUserStrategyOptions{
Rule: policyv1beta1.RunAsUserStrategyRunAsAny,
},
FSGroup: policyv1beta1.FSGroupStrategyOptions{
Rule: policyv1beta1.FSGroupStrategyRunAsAny,
},
SupplementalGroups: policyv1beta1.SupplementalGroupsStrategyOptions{
Rule: policyv1beta1.SupplementalGroupsStrategyRunAsAny,
},
},
})
c := &describeClient{T: t, Namespace: "", Interface: fake}
d := PodSecurityPolicyDescriber{c}
out, err := d.Describe("", "mypsp", DescriberSettings{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
for _, item := range expected {
if matched, _ := regexp.MatchString(item, out); !matched {
t.Errorf("Expected to find %q in: %q", item, out)
}
}
}
func TestDescribeResourceQuota(t *testing.T) {
fake := fake.NewSimpleClientset(&corev1.ResourceQuota{
ObjectMeta: metav1.ObjectMeta{

File diff suppressed because it is too large Load Diff