diff --git a/pkg/registry/policy/podsecuritypolicy/doc.go b/pkg/registry/policy/podsecuritypolicy/doc.go
deleted file mode 100644
index 160901d9623..00000000000
--- a/pkg/registry/policy/podsecuritypolicy/doc.go
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package podsecuritypolicy provides Registry interface and its REST
-// implementation for storing PodSecurityPolicy api objects.
-package podsecuritypolicy // import "k8s.io/kubernetes/pkg/registry/policy/podsecuritypolicy"
diff --git a/pkg/registry/policy/podsecuritypolicy/storage/storage.go b/pkg/registry/policy/podsecuritypolicy/storage/storage.go
deleted file mode 100644
index 2b2ab96cc32..00000000000
--- a/pkg/registry/policy/podsecuritypolicy/storage/storage.go
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package storage
-
-import (
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apiserver/pkg/registry/generic"
- genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
- "k8s.io/kubernetes/pkg/apis/policy"
- "k8s.io/kubernetes/pkg/printers"
- printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
- printerstorage "k8s.io/kubernetes/pkg/printers/storage"
- "k8s.io/kubernetes/pkg/registry/policy/podsecuritypolicy"
-)
-
-// REST implements a RESTStorage for PodSecurityPolicies.
-type REST struct {
- *genericregistry.Store
-}
-
-// NewREST returns a RESTStorage object that will work against PodSecurityPolicy objects.
-func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, error) {
- store := &genericregistry.Store{
- NewFunc: func() runtime.Object { return &policy.PodSecurityPolicy{} },
- NewListFunc: func() runtime.Object { return &policy.PodSecurityPolicyList{} },
- DefaultQualifiedResource: policy.Resource("podsecuritypolicies"),
- SingularQualifiedResource: policy.Resource("podsecuritypolicy"),
-
- CreateStrategy: podsecuritypolicy.Strategy,
- UpdateStrategy: podsecuritypolicy.Strategy,
- DeleteStrategy: podsecuritypolicy.Strategy,
- ReturnDeletedObject: true,
-
- TableConvertor: printerstorage.TableConvertor{TableGenerator: printers.NewTableGenerator().With(printersinternal.AddHandlers)},
- }
- options := &generic.StoreOptions{RESTOptions: optsGetter}
- if err := store.CompleteWithOptions(options); err != nil {
- return nil, err
- }
- return &REST{store}, nil
-}
-
-// ShortNames implements the ShortNamesProvider interface. Returns a list of short names for a resource.
-func (r *REST) ShortNames() []string {
- return []string{"psp"}
-}
diff --git a/pkg/registry/policy/podsecuritypolicy/storage/storage_test.go b/pkg/registry/policy/podsecuritypolicy/storage/storage_test.go
deleted file mode 100644
index ebcfbb45eb0..00000000000
--- a/pkg/registry/policy/podsecuritypolicy/storage/storage_test.go
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package storage
-
-import (
- "testing"
-
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/kubernetes/pkg/apis/policy"
- // Ensure that policy/v1beta1 package is initialized.
- _ "k8s.io/api/policy/v1beta1"
- "k8s.io/apimachinery/pkg/fields"
- "k8s.io/apimachinery/pkg/labels"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apiserver/pkg/registry/generic"
- genericregistrytest "k8s.io/apiserver/pkg/registry/generic/testing"
- etcd3testing "k8s.io/apiserver/pkg/storage/etcd3/testing"
- "k8s.io/kubernetes/pkg/registry/registrytest"
-)
-
-func newStorage(t *testing.T) (*REST, *etcd3testing.EtcdTestServer) {
- etcdStorage, server := registrytest.NewEtcdStorage(t, "policy")
- restOptions := generic.RESTOptions{
- StorageConfig: etcdStorage,
- Decorator: generic.UndecoratedStorage,
- DeleteCollectionWorkers: 1,
- ResourcePrefix: "podsecuritypolicies",
- }
- rest, err := NewREST(restOptions)
- if err != nil {
- t.Fatalf("unexpected error from REST storage: %v", err)
- }
- return rest, server
-}
-
-func validNewPodSecurityPolicy() *policy.PodSecurityPolicy {
- return &policy.PodSecurityPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "foo",
- },
- Spec: policy.PodSecurityPolicySpec{
- SELinux: policy.SELinuxStrategyOptions{
- Rule: policy.SELinuxStrategyRunAsAny,
- },
- RunAsUser: policy.RunAsUserStrategyOptions{
- Rule: policy.RunAsUserStrategyRunAsAny,
- },
- RunAsGroup: &policy.RunAsGroupStrategyOptions{
- Rule: policy.RunAsGroupStrategyRunAsAny,
- },
- FSGroup: policy.FSGroupStrategyOptions{
- Rule: policy.FSGroupStrategyRunAsAny,
- },
- SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
- Rule: policy.SupplementalGroupsStrategyRunAsAny,
- },
- },
- }
-}
-
-func TestCreate(t *testing.T) {
- storage, server := newStorage(t)
- defer server.Terminate(t)
- defer storage.Store.DestroyFunc()
- test := genericregistrytest.New(t, storage.Store).ClusterScope()
- psp := validNewPodSecurityPolicy()
- psp.ObjectMeta = metav1.ObjectMeta{GenerateName: "foo-"}
- test.TestCreate(
- // valid
- psp,
- // invalid
- &policy.PodSecurityPolicy{
- ObjectMeta: metav1.ObjectMeta{Name: "name with spaces"},
- },
- )
-}
-
-func TestUpdate(t *testing.T) {
- storage, server := newStorage(t)
- defer server.Terminate(t)
- defer storage.Store.DestroyFunc()
- test := genericregistrytest.New(t, storage.Store).ClusterScope()
- test.TestUpdate(
- // valid
- validNewPodSecurityPolicy(),
- // updateFunc
- func(obj runtime.Object) runtime.Object {
- object := obj.(*policy.PodSecurityPolicy)
- object.Labels = map[string]string{"a": "b"}
- return object
- },
- )
-}
-
-func TestDelete(t *testing.T) {
- storage, server := newStorage(t)
- defer server.Terminate(t)
- defer storage.Store.DestroyFunc()
- test := genericregistrytest.New(t, storage.Store).ClusterScope().ReturnDeletedObject()
- test.TestDelete(validNewPodSecurityPolicy())
-}
-
-func TestGet(t *testing.T) {
- storage, server := newStorage(t)
- defer server.Terminate(t)
- defer storage.Store.DestroyFunc()
- test := genericregistrytest.New(t, storage.Store).ClusterScope()
- test.TestGet(validNewPodSecurityPolicy())
-}
-
-func TestList(t *testing.T) {
- storage, server := newStorage(t)
- defer server.Terminate(t)
- defer storage.Store.DestroyFunc()
- test := genericregistrytest.New(t, storage.Store).ClusterScope()
- test.TestList(validNewPodSecurityPolicy())
-}
-
-func TestWatch(t *testing.T) {
- storage, server := newStorage(t)
- defer server.Terminate(t)
- defer storage.Store.DestroyFunc()
- test := genericregistrytest.New(t, storage.Store).ClusterScope()
- test.TestWatch(
- validNewPodSecurityPolicy(),
- // matching labels
- []labels.Set{},
- // not matching labels
- []labels.Set{
- {"foo": "bar"},
- },
- // matching fields
- []fields.Set{
- {"metadata.name": "foo"},
- },
- // not matching fields
- []fields.Set{
- {"metadata.name": "bar"},
- {"name": "foo"},
- },
- )
-}
diff --git a/pkg/registry/policy/podsecuritypolicy/strategy.go b/pkg/registry/policy/podsecuritypolicy/strategy.go
deleted file mode 100644
index 3654ebd8f8b..00000000000
--- a/pkg/registry/policy/podsecuritypolicy/strategy.go
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package podsecuritypolicy
-
-import (
- "context"
-
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/util/validation/field"
- "k8s.io/apiserver/pkg/registry/rest"
- "k8s.io/apiserver/pkg/storage/names"
- "k8s.io/kubernetes/pkg/api/legacyscheme"
- psputil "k8s.io/kubernetes/pkg/api/podsecuritypolicy"
- "k8s.io/kubernetes/pkg/apis/policy"
- "k8s.io/kubernetes/pkg/apis/policy/validation"
-)
-
-// strategy implements behavior for PodSecurityPolicy objects
-type strategy struct {
- runtime.ObjectTyper
- names.NameGenerator
-}
-
-// Strategy is the default logic that applies when creating and updating PodSecurityPolicy
-// objects via the REST API.
-var Strategy = strategy{legacyscheme.Scheme, names.SimpleNameGenerator}
-
-var _ = rest.RESTCreateStrategy(Strategy)
-
-var _ = rest.RESTUpdateStrategy(Strategy)
-
-func (strategy) NamespaceScoped() bool {
- return false
-}
-
-func (strategy) AllowCreateOnUpdate() bool {
- return false
-}
-
-func (strategy) AllowUnconditionalUpdate() bool {
- return true
-}
-
-func (strategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
- psp := obj.(*policy.PodSecurityPolicy)
-
- psputil.DropDisabledFields(&psp.Spec, nil)
-}
-
-func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
- newPsp := obj.(*policy.PodSecurityPolicy)
- oldPsp := old.(*policy.PodSecurityPolicy)
-
- psputil.DropDisabledFields(&newPsp.Spec, &oldPsp.Spec)
-}
-
-func (strategy) Canonicalize(obj runtime.Object) {
-}
-
-func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
- return validation.ValidatePodSecurityPolicy(obj.(*policy.PodSecurityPolicy))
-}
-
-// WarningsOnCreate returns warnings for the creation of the given object.
-func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string { return nil }
-
-func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
- return validation.ValidatePodSecurityPolicyUpdate(old.(*policy.PodSecurityPolicy), obj.(*policy.PodSecurityPolicy))
-}
-
-// WarningsOnUpdate returns warnings for the given update.
-func (strategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
- return nil
-}
diff --git a/pkg/registry/policy/podsecuritypolicy/strategy_test.go b/pkg/registry/policy/podsecuritypolicy/strategy_test.go
deleted file mode 100644
index c5c8cfd3bdc..00000000000
--- a/pkg/registry/policy/podsecuritypolicy/strategy_test.go
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
-Copyright 2021 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package podsecuritypolicy
-
-import (
- "context"
- "fmt"
- "testing"
-
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/validation/field"
- "k8s.io/kubernetes/pkg/apis/policy"
-)
-
-func TestAllowEphemeralVolumeType(t *testing.T) {
- pspWithoutGenericVolume := func() *policy.PodSecurityPolicy {
- return &policy.PodSecurityPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "psp",
- ResourceVersion: "1",
- },
- Spec: policy.PodSecurityPolicySpec{
- RunAsUser: policy.RunAsUserStrategyOptions{
- Rule: policy.RunAsUserStrategyMustRunAs,
- },
- SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
- Rule: policy.SupplementalGroupsStrategyMustRunAs,
- },
- SELinux: policy.SELinuxStrategyOptions{
- Rule: policy.SELinuxStrategyMustRunAs,
- },
- FSGroup: policy.FSGroupStrategyOptions{
- Rule: policy.FSGroupStrategyMustRunAs,
- },
- },
- }
- }
- pspWithGenericVolume := func() *policy.PodSecurityPolicy {
- psp := pspWithoutGenericVolume()
- psp.Spec.Volumes = append(psp.Spec.Volumes, policy.Ephemeral)
- return psp
- }
- pspNil := func() *policy.PodSecurityPolicy {
- return nil
- }
-
- pspInfo := []struct {
- description string
- hasGenericVolume bool
- psp func() *policy.PodSecurityPolicy
- }{
- {
- description: "PodSecurityPolicySpec Without GenericVolume",
- hasGenericVolume: false,
- psp: pspWithoutGenericVolume,
- },
- {
- description: "PodSecurityPolicySpec With GenericVolume",
- hasGenericVolume: true,
- psp: pspWithGenericVolume,
- },
- {
- description: "is nil",
- hasGenericVolume: false,
- psp: pspNil,
- },
- }
-
- for _, oldPSPInfo := range pspInfo {
- for _, newPSPInfo := range pspInfo {
- oldPSP := oldPSPInfo.psp()
- newPSP := newPSPInfo.psp()
- if newPSP == nil {
- continue
- }
-
- t.Run(fmt.Sprintf("old PodSecurityPolicySpec %v, new PodSecurityPolicySpec %v", oldPSPInfo.description, newPSPInfo.description), func(t *testing.T) {
- var errs field.ErrorList
- if oldPSP == nil {
- errs = Strategy.Validate(context.Background(), newPSP)
- } else {
- errs = Strategy.ValidateUpdate(context.Background(), newPSP, oldPSP)
- }
- if len(errs) > 0 {
- t.Errorf("expected no errors, got: %v", errs)
- }
- })
- }
- }
-}
diff --git a/pkg/registry/policy/rest/storage_policy.go b/pkg/registry/policy/rest/storage_policy.go
index 49ac0f2f590..1eabc0dda64 100644
--- a/pkg/registry/policy/rest/storage_policy.go
+++ b/pkg/registry/policy/rest/storage_policy.go
@@ -26,7 +26,6 @@ import (
 "k8s.io/kubernetes/pkg/api/legacyscheme"
 "k8s.io/kubernetes/pkg/apis/policy"
 poddisruptionbudgetstore "k8s.io/kubernetes/pkg/registry/policy/poddisruptionbudget/storage"
- pspstore "k8s.io/kubernetes/pkg/registry/policy/podsecuritypolicy/storage"
 )
 
 type RESTStorageProvider struct{}
@@ -64,14 +63,6 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorag
 storage[resource+"/status"] = poddisruptionbudgetStatusStorage
 }
 
- if resource := "podsecuritypolicies"; apiResourceConfigSource.ResourceEnabled(policyapiv1beta1.SchemeGroupVersion.WithResource(resource)) {
- rest, err := pspstore.NewREST(restOptionsGetter)
- if err != nil {
- return storage, err
- }
- storage[resource] = rest
- }
-
 return storage, nil
 }
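Review bot: Nothing on the new side of v1beta1Storage in the last hunk records that `podsecuritypolicies` was dropped on purpose, so a reader of the function (which starts before the hunk) sees only the poddisruptionbudget registration and cannot tell an intentional removal from a forgotten one; a one-line comment where the block was removed, `// podsecuritypolicies: REST storage removed together with pkg/registry/policy/podsecuritypolicy.`, would make that explicit. Presumably PodSecurityPolicy objects already persisted under the `podsecuritypolicies` prefix stay in etcd with nothing serving them once this lands; if that is expected, the commit description is the place to say whether any storage migration or operator cleanup is required. The import removal in the first hunk of storage_policy.go is the matching change and needs no separate note.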