remove support for seccomp annotations when determining whether a container update should trigger a policy evaluation

SataQiu 2023-01-05 17:56:38 +08:00
parent 3f752b5edf
commit dbee23f7a5


@ -638,12 +638,12 @@ func isSignificantPodUpdate(pod, oldPod *corev1.Pod) bool {
return true return true
} }
for i := 0; i < len(pod.Spec.Containers); i++ { for i := 0; i < len(pod.Spec.Containers); i++ {
if isSignificantContainerUpdate(&pod.Spec.Containers[i], &oldPod.Spec.Containers[i], pod.Annotations, oldPod.Annotations) { if isSignificantContainerUpdate(&pod.Spec.Containers[i], &oldPod.Spec.Containers[i]) {
return true return true
} }
} }
for i := 0; i < len(pod.Spec.InitContainers); i++ { for i := 0; i < len(pod.Spec.InitContainers); i++ {
if isSignificantContainerUpdate(&pod.Spec.InitContainers[i], &oldPod.Spec.InitContainers[i], pod.Annotations, oldPod.Annotations) { if isSignificantContainerUpdate(&pod.Spec.InitContainers[i], &oldPod.Spec.InitContainers[i]) {
return true return true
} }
} }
@ -658,7 +658,7 @@ func isSignificantPodUpdate(pod, oldPod *corev1.Pod) bool {
if oldC == nil { if oldC == nil {
return true // EphemeralContainer added return true // EphemeralContainer added
} }
if isSignificantContainerUpdate((*corev1.Container)(&c.EphemeralContainerCommon), oldC, pod.Annotations, oldPod.Annotations) { if isSignificantContainerUpdate((*corev1.Container)(&c.EphemeralContainerCommon), oldC) {
return true return true
} }
} }
@ -666,13 +666,8 @@ func isSignificantPodUpdate(pod, oldPod *corev1.Pod) bool {
} }
// isSignificantContainerUpdate determines whether a container update should trigger a policy evaluation. // isSignificantContainerUpdate determines whether a container update should trigger a policy evaluation.
func isSignificantContainerUpdate(container, oldContainer *corev1.Container, annotations, oldAnnotations map[string]string) bool { func isSignificantContainerUpdate(container, oldContainer *corev1.Container) bool {
if container.Image != oldContainer.Image { return container.Image != oldContainer.Image
return true
}
// TODO(saschagrunert): Remove this logic in 1.27.
seccompKey := corev1.SeccompContainerAnnotationKeyPrefix + container.Name
return annotations[seccompKey] != oldAnnotations[seccompKey]
} }
func (a *Admission) exemptNamespace(namespace string) bool { func (a *Admission) exemptNamespace(namespace string) bool {
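Review bot: With the annotation comparison removed from `isSignificantContainerUpdate`, an update that changes only a container's seccomp annotation no longer triggers a policy evaluation. That is safe only if no seccomp policy check still reads the `corev1.SeccompContainerAnnotationKeyPrefix` annotations; those checks are not visible on this page, so confirm they were dropped in the same release. The doc comment should now state the actual criterion, for example `// isSignificantContainerUpdate reports whether the container image changed; seccomp annotations are no longer considered.` A test case asserting that an annotation-only pod update is treated as insignificant would pin the new behaviour. The body of `isSignificantPodUpdate` starts and ends outside the visible hunks, so its other checks could not be reviewed.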