github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

psp: remove unused PodSecurityPolicyValidationOptions

Browse Source 
Since the only member of that struct is gone, the struct itself can also be
removed. If for whatever reason the struct is needed again, then this commit
can be reverted to bring it back.
This commit is contained in:
Patrick Ohly 2021-10-28 17:25:07 +02:00
parent a8c930ef46
commit d55f7c85ef
3 changed files with 16 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/apis/policy/validation/validation.go
View File

@ -92,23 +92,19 @@ func ValidatePodDisruptionBudgetStatusUpdate(status, oldStatus policy.PodDisrupt
// trailing dashes are allowed. // trailing dashes are allowed.
var ValidatePodSecurityPolicyName = apimachineryvalidation.NameIsDNSSubdomain var ValidatePodSecurityPolicyName = apimachineryvalidation.NameIsDNSSubdomain
// PodSecurityPolicyValidationOptions contains additional parameters for ValidatePodSecurityPolicy.
type PodSecurityPolicyValidationOptions struct {
}
// ValidatePodSecurityPolicy validates a PodSecurityPolicy and returns an ErrorList // ValidatePodSecurityPolicy validates a PodSecurityPolicy and returns an ErrorList
// with any errors. // with any errors.
func ValidatePodSecurityPolicy(psp *policy.PodSecurityPolicy, opts PodSecurityPolicyValidationOptions) field.ErrorList { func ValidatePodSecurityPolicy(psp *policy.PodSecurityPolicy) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}
allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&psp.ObjectMeta, false, ValidatePodSecurityPolicyName, field.NewPath("metadata"))...) allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&psp.ObjectMeta, false, ValidatePodSecurityPolicyName, field.NewPath("metadata"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(psp.Annotations, field.NewPath("metadata").Child("annotations"))...) allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(psp.Annotations, field.NewPath("metadata").Child("annotations"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&psp.Spec, opts, field.NewPath("spec"))...) allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&psp.Spec, field.NewPath("spec"))...)
return allErrs return allErrs
} }
// ValidatePodSecurityPolicySpec validates a PodSecurityPolicySpec and returns an ErrorList // ValidatePodSecurityPolicySpec validates a PodSecurityPolicySpec and returns an ErrorList
// with any errors. // with any errors.
func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, opts PodSecurityPolicyValidationOptions, fldPath *field.Path) field.ErrorList { func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}
allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...) allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...)
@ -116,7 +112,7 @@ func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, opts PodS
allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...) allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...)
allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...) allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...)
allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...) allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...)
allErrs = append(allErrs, validatePodSecurityPolicyVolumes(opts, fldPath, spec.Volumes)...) allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
if len(spec.RequiredDropCapabilities) > 0 && hasCap(policy.AllowAllCapabilities, spec.AllowedCapabilities) { if len(spec.RequiredDropCapabilities) > 0 && hasCap(policy.AllowAllCapabilities, spec.AllowedCapabilities) {
allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities, allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities,
"must be empty when all capabilities are allowed by a wildcard")) "must be empty when all capabilities are allowed by a wildcard"))
@ -324,7 +320,7 @@ func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *policy.Supp
} }
// validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy. // validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy.
func validatePodSecurityPolicyVolumes(opts PodSecurityPolicyValidationOptions, fldPath *field.Path, volumes []policy.FSType) field.ErrorList { func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []policy.FSType) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}
allowed := psputil.GetAllFSTypesAsSet() allowed := psputil.GetAllFSTypesAsSet()
// add in the * value since that is a pseudo type that is not included by default // add in the * value since that is a pseudo type that is not included by default
@ -523,11 +519,11 @@ func validateRuntimeClassStrategy(fldPath *field.Path, rc *policy.RuntimeClassSt
} }
// ValidatePodSecurityPolicyUpdate validates a PSP for updates. // ValidatePodSecurityPolicyUpdate validates a PSP for updates.
func ValidatePodSecurityPolicyUpdate(old *policy.PodSecurityPolicy, new *policy.PodSecurityPolicy, opts PodSecurityPolicyValidationOptions) field.ErrorList { func ValidatePodSecurityPolicyUpdate(old *policy.PodSecurityPolicy, new *policy.PodSecurityPolicy) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}
allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...) allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(new.Annotations, field.NewPath("metadata").Child("annotations"))...) allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(new.Annotations, field.NewPath("metadata").Child("annotations"))...)
allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&new.Spec, opts, field.NewPath("spec"))...) allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&new.Spec, field.NewPath("spec"))...)
return allErrs return allErrs
} }

15
pkg/apis/policy/validation/validation_test.go
View File

@ -590,7 +590,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
} }
for k, v := range errorCases { for k, v := range errorCases {
errs := ValidatePodSecurityPolicy(v.psp, PodSecurityPolicyValidationOptions{}) errs := ValidatePodSecurityPolicy(v.psp)
if len(errs) == 0 { if len(errs) == 0 {
t.Errorf("%s expected errors but got none", k) t.Errorf("%s expected errors but got none", k)
continue continue
@ -613,7 +613,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
// Should not be able to update to an invalid policy. // Should not be able to update to an invalid policy.
for k, v := range errorCases { for k, v := range errorCases {
v.psp.ResourceVersion = "444" // Required for updates. v.psp.ResourceVersion = "444" // Required for updates.
errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp, PodSecurityPolicyValidationOptions{}) errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp)
if len(errs) == 0 { if len(errs) == 0 {
t.Errorf("[%s] expected update errors but got none", k) t.Errorf("[%s] expected update errors but got none", k)
continue continue
@ -743,13 +743,13 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
} }
for k, v := range successCases { for k, v := range successCases {
if errs := ValidatePodSecurityPolicy(v.psp, PodSecurityPolicyValidationOptions{}); len(errs) != 0 { if errs := ValidatePodSecurityPolicy(v.psp); len(errs) != 0 {
t.Errorf("Expected success for %s, got %v", k, errs) t.Errorf("Expected success for %s, got %v", k, errs)
} }
// Should be able to update to a valid PSP. // Should be able to update to a valid PSP.
v.psp.ResourceVersion = "444" // Required for updates. v.psp.ResourceVersion = "444" // Required for updates.
if errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp, PodSecurityPolicyValidationOptions{}); len(errs) != 0 { if errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp); len(errs) != 0 {
t.Errorf("Expected success for %s update, got %v", k, errs) t.Errorf("Expected success for %s update, got %v", k, errs)
} }
} }
@ -786,7 +786,7 @@ func TestValidatePSPVolumes(t *testing.T) {
for _, strVolume := range volumes.List() { for _, strVolume := range volumes.List() {
psp := validPSP() psp := validPSP()
psp.Spec.Volumes = []policy.FSType{policy.FSType(strVolume)} psp.Spec.Volumes = []policy.FSType{policy.FSType(strVolume)}
errs := ValidatePodSecurityPolicy(psp, PodSecurityPolicyValidationOptions{}) errs := ValidatePodSecurityPolicy(psp)
if len(errs) != 0 { if len(errs) != 0 {
t.Errorf("%s validation expected no errors but received %v", strVolume, errs) t.Errorf("%s validation expected no errors but received %v", strVolume, errs)
} }
@ -1127,12 +1127,11 @@ func TestAllowEphemeralVolumeType(t *testing.T) {
} }
t.Run(fmt.Sprintf("old PodSecurityPolicySpec %v, new PodSecurityPolicySpec %v", oldPSPInfo.description, newPSPInfo.description), func(t *testing.T) { t.Run(fmt.Sprintf("old PodSecurityPolicySpec %v, new PodSecurityPolicySpec %v", oldPSPInfo.description, newPSPInfo.description), func(t *testing.T) {
opts := PodSecurityPolicyValidationOptions{}
var errs field.ErrorList var errs field.ErrorList
if oldPSP == nil { if oldPSP == nil {
errs = ValidatePodSecurityPolicy(newPSP, opts) errs = ValidatePodSecurityPolicy(newPSP)
} else { } else {
errs = ValidatePodSecurityPolicyUpdate(oldPSP, newPSP, opts) errs = ValidatePodSecurityPolicyUpdate(oldPSP, newPSP)
} }
if len(errs) > 0 { if len(errs) > 0 {
t.Errorf("expected no errors, got: %v", errs) t.Errorf("expected no errors, got: %v", errs)

6
pkg/registry/policy/podsecuritypolicy/strategy.go
View File

@ -72,16 +72,14 @@ func (strategy) Canonicalize(obj runtime.Object) {
} }
func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList { func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
opts := validation.PodSecurityPolicyValidationOptions{} return validation.ValidatePodSecurityPolicy(obj.(*policy.PodSecurityPolicy))
return validation.ValidatePodSecurityPolicy(obj.(*policy.PodSecurityPolicy), opts)
} }
// WarningsOnCreate returns warnings for the creation of the given object. // WarningsOnCreate returns warnings for the creation of the given object.
func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string { return nil } func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string { return nil }
func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList { func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
opts := validation.PodSecurityPolicyValidationOptions{} return validation.ValidatePodSecurityPolicyUpdate(old.(*policy.PodSecurityPolicy), obj.(*policy.PodSecurityPolicy))
return validation.ValidatePodSecurityPolicyUpdate(old.(*policy.PodSecurityPolicy), obj.(*policy.PodSecurityPolicy), opts)
} }
// WarningsOnUpdate returns warnings for the given update. // WarningsOnUpdate returns warnings for the given update.