kubectl: remove psp support
This commit is contained in:
parent
bd43394467
commit
cc0f828058
@ -38,7 +38,6 @@ import (
|
||||
extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
|
||||
flowcontrolv1beta3 "k8s.io/api/flowcontrol/v1beta3"
|
||||
networkingv1alpha1 "k8s.io/api/networking/v1alpha1"
|
||||
policyv1beta1 "k8s.io/api/policy/v1beta1"
|
||||
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
||||
resourcev1alpha1 "k8s.io/api/resource/v1alpha1"
|
||||
schedulingv1 "k8s.io/api/scheduling/v1"
|
||||
@ -367,20 +366,6 @@ func AddHandlers(h printers.PrintHandler) {
|
||||
_ = h.TableHandler(configMapColumnDefinitions, printConfigMap)
|
||||
_ = h.TableHandler(configMapColumnDefinitions, printConfigMapList)
|
||||
|
||||
podSecurityPolicyColumnDefinitions := []metav1.TableColumnDefinition{
|
||||
{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
|
||||
{Name: "Priv", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["privileged"]},
|
||||
{Name: "Caps", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["allowedCapabilities"]},
|
||||
{Name: "SELinux", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["seLinux"]},
|
||||
{Name: "RunAsUser", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["runAsUser"]},
|
||||
{Name: "FsGroup", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["fsGroup"]},
|
||||
{Name: "SupGroup", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["supplementalGroups"]},
|
||||
{Name: "ReadOnlyRootFs", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["readOnlyRootFilesystem"]},
|
||||
{Name: "Volumes", Type: "string", Description: policyv1beta1.PodSecurityPolicySpec{}.SwaggerDoc()["volumes"]},
|
||||
}
|
||||
_ = h.TableHandler(podSecurityPolicyColumnDefinitions, printPodSecurityPolicy)
|
||||
_ = h.TableHandler(podSecurityPolicyColumnDefinitions, printPodSecurityPolicyList)
|
||||
|
||||
networkPolicyColumnDefinitioins := []metav1.TableColumnDefinition{
|
||||
{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
|
||||
{Name: "Pod-Selector", Type: "string", Description: extensionsv1beta1.NetworkPolicySpec{}.SwaggerDoc()["podSelector"]},
|
||||
@ -2326,39 +2311,6 @@ func printConfigMapList(list *api.ConfigMapList, options printers.GenerateOption
|
||||
return rows, nil
|
||||
}
|
||||
|
||||
func printPodSecurityPolicy(obj *policy.PodSecurityPolicy, options printers.GenerateOptions) ([]metav1.TableRow, error) {
|
||||
row := metav1.TableRow{
|
||||
Object: runtime.RawExtension{Object: obj},
|
||||
}
|
||||
|
||||
capabilities := make([]string, len(obj.Spec.AllowedCapabilities))
|
||||
for i, c := range obj.Spec.AllowedCapabilities {
|
||||
capabilities[i] = string(c)
|
||||
}
|
||||
volumes := make([]string, len(obj.Spec.Volumes))
|
||||
for i, v := range obj.Spec.Volumes {
|
||||
volumes[i] = string(v)
|
||||
}
|
||||
row.Cells = append(row.Cells, obj.Name, fmt.Sprintf("%v", obj.Spec.Privileged),
|
||||
strings.Join(capabilities, ","), string(obj.Spec.SELinux.Rule),
|
||||
string(obj.Spec.RunAsUser.Rule), string(obj.Spec.FSGroup.Rule),
|
||||
string(obj.Spec.SupplementalGroups.Rule), obj.Spec.ReadOnlyRootFilesystem,
|
||||
strings.Join(volumes, ","))
|
||||
return []metav1.TableRow{row}, nil
|
||||
}
|
||||
|
||||
func printPodSecurityPolicyList(list *policy.PodSecurityPolicyList, options printers.GenerateOptions) ([]metav1.TableRow, error) {
|
||||
rows := make([]metav1.TableRow, 0, len(list.Items))
|
||||
for i := range list.Items {
|
||||
r, err := printPodSecurityPolicy(&list.Items[i], options)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
rows = append(rows, r...)
|
||||
}
|
||||
return rows, nil
|
||||
}
|
||||
|
||||
func printNetworkPolicy(obj *networking.NetworkPolicy, options printers.GenerateOptions) ([]metav1.TableRow, error) {
|
||||
row := metav1.TableRow{
|
||||
Object: runtime.RawExtension{Object: obj},
|
||||
|
@ -6097,12 +6097,6 @@ func TestTableRowDeepCopyShouldNotPanic(t *testing.T) {
|
||||
return printConfigMap(&api.ConfigMap{}, printers.GenerateOptions{})
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "PodSecurityPolicy",
|
||||
printer: func() ([]metav1.TableRow, error) {
|
||||
return printPodSecurityPolicy(&policy.PodSecurityPolicy{}, printers.GenerateOptions{})
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "NetworkPolicy",
|
||||
printer: func() ([]metav1.TableRow, error) {
|
||||
|
@ -209,7 +209,6 @@ func describerMap(clientConfig *rest.Config) (map[schema.GroupKind]ResourceDescr
|
||||
{Group: corev1.GroupName, Kind: "PriorityClass"}: &PriorityClassDescriber{c},
|
||||
{Group: discoveryv1beta1.GroupName, Kind: "EndpointSlice"}: &EndpointSliceDescriber{c},
|
||||
{Group: discoveryv1.GroupName, Kind: "EndpointSlice"}: &EndpointSliceDescriber{c},
|
||||
{Group: policyv1beta1.GroupName, Kind: "PodSecurityPolicy"}: &PodSecurityPolicyDescriber{c},
|
||||
{Group: autoscalingv2beta2.GroupName, Kind: "HorizontalPodAutoscaler"}: &HorizontalPodAutoscalerDescriber{c},
|
||||
{Group: extensionsv1beta1.GroupName, Kind: "Ingress"}: &IngressDescriber{c},
|
||||
{Group: networkingv1beta1.GroupName, Kind: "Ingress"}: &IngressDescriber{c},
|
||||
@ -4890,84 +4889,6 @@ func describePriorityClass(pc *schedulingv1.PriorityClass, events *corev1.EventL
|
||||
})
|
||||
}
|
||||
|
||||
// PodSecurityPolicyDescriber generates information about a PodSecuritypolicyv1beta1.
|
||||
type PodSecurityPolicyDescriber struct {
|
||||
clientset.Interface
|
||||
}
|
||||
|
||||
func (d *PodSecurityPolicyDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
|
||||
psp, err := d.PolicyV1beta1().PodSecurityPolicies().Get(context.TODO(), name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return describePodSecurityPolicy(psp)
|
||||
}
|
||||
|
||||
func describePodSecurityPolicy(psp *policyv1beta1.PodSecurityPolicy) (string, error) {
|
||||
return tabbedString(func(out io.Writer) error {
|
||||
w := NewPrefixWriter(out)
|
||||
w.Write(LEVEL_0, "Name:\t%s\n", psp.Name)
|
||||
|
||||
w.Write(LEVEL_0, "\nSettings:\n")
|
||||
|
||||
w.Write(LEVEL_1, "Allow Privileged:\t%t\n", psp.Spec.Privileged)
|
||||
if psp.Spec.AllowPrivilegeEscalation != nil {
|
||||
w.Write(LEVEL_1, "Allow Privilege Escalation:\t%t\n", *psp.Spec.AllowPrivilegeEscalation)
|
||||
} else {
|
||||
w.Write(LEVEL_1, "Allow Privilege Escalation:\t<unset>\n")
|
||||
}
|
||||
w.Write(LEVEL_1, "Default Add Capabilities:\t%v\n", capsToString(psp.Spec.DefaultAddCapabilities))
|
||||
w.Write(LEVEL_1, "Required Drop Capabilities:\t%s\n", capsToString(psp.Spec.RequiredDropCapabilities))
|
||||
w.Write(LEVEL_1, "Allowed Capabilities:\t%s\n", capsToString(psp.Spec.AllowedCapabilities))
|
||||
w.Write(LEVEL_1, "Allowed Volume Types:\t%s\n", fsTypeToString(psp.Spec.Volumes))
|
||||
|
||||
if len(psp.Spec.AllowedFlexVolumes) > 0 {
|
||||
w.Write(LEVEL_1, "Allowed FlexVolume Types:\t%s\n", flexVolumesToString(psp.Spec.AllowedFlexVolumes))
|
||||
}
|
||||
|
||||
if len(psp.Spec.AllowedCSIDrivers) > 0 {
|
||||
w.Write(LEVEL_1, "Allowed CSI Drivers:\t%s\n", csiDriversToString(psp.Spec.AllowedCSIDrivers))
|
||||
}
|
||||
|
||||
if len(psp.Spec.AllowedUnsafeSysctls) > 0 {
|
||||
w.Write(LEVEL_1, "Allowed Unsafe Sysctls:\t%s\n", sysctlsToString(psp.Spec.AllowedUnsafeSysctls))
|
||||
}
|
||||
if len(psp.Spec.ForbiddenSysctls) > 0 {
|
||||
w.Write(LEVEL_1, "Forbidden Sysctls:\t%s\n", sysctlsToString(psp.Spec.ForbiddenSysctls))
|
||||
}
|
||||
w.Write(LEVEL_1, "Allow Host Network:\t%t\n", psp.Spec.HostNetwork)
|
||||
w.Write(LEVEL_1, "Allow Host Ports:\t%s\n", hostPortRangeToString(psp.Spec.HostPorts))
|
||||
w.Write(LEVEL_1, "Allow Host PID:\t%t\n", psp.Spec.HostPID)
|
||||
w.Write(LEVEL_1, "Allow Host IPC:\t%t\n", psp.Spec.HostIPC)
|
||||
w.Write(LEVEL_1, "Read Only Root Filesystem:\t%v\n", psp.Spec.ReadOnlyRootFilesystem)
|
||||
|
||||
w.Write(LEVEL_1, "SELinux Context Strategy: %s\t\n", string(psp.Spec.SELinux.Rule))
|
||||
var user, role, seLinuxType, level string
|
||||
if psp.Spec.SELinux.SELinuxOptions != nil {
|
||||
user = psp.Spec.SELinux.SELinuxOptions.User
|
||||
role = psp.Spec.SELinux.SELinuxOptions.Role
|
||||
seLinuxType = psp.Spec.SELinux.SELinuxOptions.Type
|
||||
level = psp.Spec.SELinux.SELinuxOptions.Level
|
||||
}
|
||||
w.Write(LEVEL_2, "User:\t%s\n", stringOrNone(user))
|
||||
w.Write(LEVEL_2, "Role:\t%s\n", stringOrNone(role))
|
||||
w.Write(LEVEL_2, "Type:\t%s\n", stringOrNone(seLinuxType))
|
||||
w.Write(LEVEL_2, "Level:\t%s\n", stringOrNone(level))
|
||||
|
||||
w.Write(LEVEL_1, "Run As User Strategy: %s\t\n", string(psp.Spec.RunAsUser.Rule))
|
||||
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.RunAsUser.Ranges))
|
||||
|
||||
w.Write(LEVEL_1, "FSGroup Strategy: %s\t\n", string(psp.Spec.FSGroup.Rule))
|
||||
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.FSGroup.Ranges))
|
||||
|
||||
w.Write(LEVEL_1, "Supplemental Groups Strategy: %s\t\n", string(psp.Spec.SupplementalGroups.Rule))
|
||||
w.Write(LEVEL_2, "Ranges:\t%s\n", idRangeToString(psp.Spec.SupplementalGroups.Ranges))
|
||||
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
func stringOrNone(s string) string {
|
||||
return stringOrDefaultValue(s, "<none>")
|
||||
}
|
||||
@ -4979,70 +4900,6 @@ func stringOrDefaultValue(s, defaultValue string) string {
|
||||
return defaultValue
|
||||
}
|
||||
|
||||
func fsTypeToString(volumes []policyv1beta1.FSType) string {
|
||||
strVolumes := []string{}
|
||||
for _, v := range volumes {
|
||||
strVolumes = append(strVolumes, string(v))
|
||||
}
|
||||
return stringOrNone(strings.Join(strVolumes, ","))
|
||||
}
|
||||
|
||||
func flexVolumesToString(flexVolumes []policyv1beta1.AllowedFlexVolume) string {
|
||||
volumes := []string{}
|
||||
for _, flexVolume := range flexVolumes {
|
||||
volumes = append(volumes, "driver="+flexVolume.Driver)
|
||||
}
|
||||
return stringOrDefaultValue(strings.Join(volumes, ","), "<all>")
|
||||
}
|
||||
|
||||
func csiDriversToString(csiDrivers []policyv1beta1.AllowedCSIDriver) string {
|
||||
drivers := []string{}
|
||||
for _, csiDriver := range csiDrivers {
|
||||
drivers = append(drivers, "driver="+csiDriver.Name)
|
||||
}
|
||||
return stringOrDefaultValue(strings.Join(drivers, ","), "<all>")
|
||||
}
|
||||
|
||||
func sysctlsToString(sysctls []string) string {
|
||||
return stringOrNone(strings.Join(sysctls, ","))
|
||||
}
|
||||
|
||||
func hostPortRangeToString(ranges []policyv1beta1.HostPortRange) string {
|
||||
formattedString := ""
|
||||
if ranges != nil {
|
||||
strRanges := []string{}
|
||||
for _, r := range ranges {
|
||||
strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
|
||||
}
|
||||
formattedString = strings.Join(strRanges, ",")
|
||||
}
|
||||
return stringOrNone(formattedString)
|
||||
}
|
||||
|
||||
func idRangeToString(ranges []policyv1beta1.IDRange) string {
|
||||
formattedString := ""
|
||||
if ranges != nil {
|
||||
strRanges := []string{}
|
||||
for _, r := range ranges {
|
||||
strRanges = append(strRanges, fmt.Sprintf("%d-%d", r.Min, r.Max))
|
||||
}
|
||||
formattedString = strings.Join(strRanges, ",")
|
||||
}
|
||||
return stringOrNone(formattedString)
|
||||
}
|
||||
|
||||
func capsToString(caps []corev1.Capability) string {
|
||||
formattedString := ""
|
||||
if caps != nil {
|
||||
strCaps := []string{}
|
||||
for _, c := range caps {
|
||||
strCaps = append(strCaps, string(c))
|
||||
}
|
||||
formattedString = strings.Join(strCaps, ",")
|
||||
}
|
||||
return stringOrNone(formattedString)
|
||||
}
|
||||
|
||||
func policyTypesToString(pts []networkingv1.PolicyType) string {
|
||||
formattedString := ""
|
||||
if pts != nil {
|
||||
|
@ -20,7 +20,6 @@ import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"regexp"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
@ -4696,70 +4695,6 @@ URL: http://localhost
|
||||
}
|
||||
}
|
||||
|
||||
func TestDescribePodSecurityPolicy(t *testing.T) {
|
||||
expected := []string{
|
||||
"Name:\\s*mypsp",
|
||||
"Allow Privileged:\\s*false",
|
||||
"Allow Privilege Escalation:\\s*false",
|
||||
"Default Add Capabilities:\\s*<none>",
|
||||
"Required Drop Capabilities:\\s*<none>",
|
||||
"Allowed Capabilities:\\s*<none>",
|
||||
"Allowed Volume Types:\\s*<none>",
|
||||
"Allowed Unsafe Sysctls:\\s*kernel\\.\\*,net\\.ipv4.ip_local_port_range",
|
||||
"Forbidden Sysctls:\\s*net\\.ipv4\\.ip_default_ttl",
|
||||
"Allow Host Network:\\s*false",
|
||||
"Allow Host Ports:\\s*<none>",
|
||||
"Allow Host PID:\\s*false",
|
||||
"Allow Host IPC:\\s*false",
|
||||
"Read Only Root Filesystem:\\s*false",
|
||||
"SELinux Context Strategy: RunAsAny",
|
||||
"User:\\s*<none>",
|
||||
"Role:\\s*<none>",
|
||||
"Type:\\s*<none>",
|
||||
"Level:\\s*<none>",
|
||||
"Run As User Strategy: RunAsAny",
|
||||
"FSGroup Strategy: RunAsAny",
|
||||
"Supplemental Groups Strategy: RunAsAny",
|
||||
}
|
||||
|
||||
falseVal := false
|
||||
fake := fake.NewSimpleClientset(&policyv1beta1.PodSecurityPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "mypsp",
|
||||
},
|
||||
Spec: policyv1beta1.PodSecurityPolicySpec{
|
||||
AllowPrivilegeEscalation: &falseVal,
|
||||
AllowedUnsafeSysctls: []string{"kernel.*", "net.ipv4.ip_local_port_range"},
|
||||
ForbiddenSysctls: []string{"net.ipv4.ip_default_ttl"},
|
||||
SELinux: policyv1beta1.SELinuxStrategyOptions{
|
||||
Rule: policyv1beta1.SELinuxStrategyRunAsAny,
|
||||
},
|
||||
RunAsUser: policyv1beta1.RunAsUserStrategyOptions{
|
||||
Rule: policyv1beta1.RunAsUserStrategyRunAsAny,
|
||||
},
|
||||
FSGroup: policyv1beta1.FSGroupStrategyOptions{
|
||||
Rule: policyv1beta1.FSGroupStrategyRunAsAny,
|
||||
},
|
||||
SupplementalGroups: policyv1beta1.SupplementalGroupsStrategyOptions{
|
||||
Rule: policyv1beta1.SupplementalGroupsStrategyRunAsAny,
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
c := &describeClient{T: t, Namespace: "", Interface: fake}
|
||||
d := PodSecurityPolicyDescriber{c}
|
||||
out, err := d.Describe("", "mypsp", DescriberSettings{})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
for _, item := range expected {
|
||||
if matched, _ := regexp.MatchString(item, out); !matched {
|
||||
t.Errorf("Expected to find %q in: %q", item, out)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestDescribeResourceQuota(t *testing.T) {
|
||||
fake := fake.NewSimpleClientset(&corev1.ResourceQuota{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
|
1177
staging/src/k8s.io/kubectl/testdata/openapi/swagger.json
vendored