alexlebens/external-snapshotter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bumping k8s dependencies to 1.13

Browse Source
This commit is contained in:
Cheng Xing
2018-11-16 14:08:25 -08:00
parent 305407125c
commit b4c0b68ec7
8002 changed files with 884099 additions and 276228 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
vendor/k8s.io/kubernetes/pkg/security/apparmor/BUILD generated vendored
View File

@@ -11,46 +11,15 @@ go_library(
srcs = [
"helpers.go",
"validate.go",
] + select({
"@io_bazel_rules_go//go/platform:android": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:darwin": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:dragonfly": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:freebsd": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:nacl": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:netbsd": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:openbsd": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:plan9": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:solaris": [
"validate_disabled.go",
],
"@io_bazel_rules_go//go/platform:windows": [
"validate_disabled.go",
],
"//conditions:default": [],
}),
"validate_disabled.go",
],
importpath = "k8s.io/kubernetes/pkg/security/apparmor",
deps = [
"//pkg/features:go_default_library",
"//pkg/kubelet/types:go_default_library",
"//pkg/util/file:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
],
)
@@ -62,9 +31,9 @@ go_test(
],
embed = [":go_default_library"],
deps = [
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
],
)

14
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/BUILD generated vendored
View File

@@ -27,8 +27,8 @@ go_library(
"//pkg/security/podsecuritypolicy/user:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//pkg/securitycontext:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@@ -43,11 +43,13 @@ go_test(
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/github.com/stretchr/testify/require:go_default_library",
],
)

4
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor/BUILD generated vendored
View File

@@ -14,7 +14,7 @@ go_library(
"//pkg/apis/core:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/util/maps:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@@ -26,9 +26,9 @@ go_test(
"//pkg/apis/core:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/util/maps:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
],
)

5
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities/BUILD generated vendored
View File

@@ -17,8 +17,8 @@ go_library(
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@@ -29,6 +29,7 @@ go_test(
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)

8
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities/capabilities.go generated vendored
View File

@@ -81,7 +81,7 @@ func (s *defaultCapabilities) Generate(pod *api.Pod, container *api.Container) (
}
// Validate ensures that the specified values fall within the range of the strategy.
func (s *defaultCapabilities) Validate(pod *api.Pod, container *api.Container, capabilities *api.Capabilities) field.ErrorList {
func (s *defaultCapabilities) Validate(fldPath *field.Path, pod *api.Pod, container *api.Container, capabilities *api.Capabilities) field.ErrorList {
allErrs := field.ErrorList{}
if capabilities == nil {
@@ -94,7 +94,7 @@ func (s *defaultCapabilities) Validate(pod *api.Pod, container *api.Container, c
// container has no requested caps but we have required caps. We should have something in
// at least the drops on the container.
allErrs = append(allErrs, field.Invalid(field.NewPath("capabilities"), capabilities,
allErrs = append(allErrs, field.Invalid(fldPath, capabilities,
"required capabilities are not set on the securityContext"))
return allErrs
}
@@ -112,7 +112,7 @@ func (s *defaultCapabilities) Validate(pod *api.Pod, container *api.Container, c
for _, cap := range capabilities.Add {
sCap := string(cap)
if !defaultAdd.Has(sCap) && !allowedAdd.Has(sCap) {
allErrs = append(allErrs, field.Invalid(field.NewPath("capabilities", "add"), sCap, "capability may not be added"))
allErrs = append(allErrs, field.Invalid(fldPath.Child("add"), sCap, "capability may not be added"))
}
}
@@ -122,7 +122,7 @@ func (s *defaultCapabilities) Validate(pod *api.Pod, container *api.Container, c
for _, requiredDrop := range s.requiredDropCapabilities {
sDrop := string(requiredDrop)
if !containerDrops.Has(sDrop) {
allErrs = append(allErrs, field.Invalid(field.NewPath("capabilities", "drop"), capabilities.Drop,
allErrs = append(allErrs, field.Invalid(fldPath.Child("drop"), capabilities.Drop,
fmt.Sprintf("%s is required to be dropped but was not found", sDrop)))
}
}

5
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities/capabilities_test.go generated vendored
View File

@@ -20,6 +20,7 @@ import (
"reflect"
"testing"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy"
)
@@ -329,7 +330,7 @@ func TestValidateAdds(t *testing.T) {
t.Errorf("%s failed: %v", k, err)
continue
}
errs := strategy.Validate(nil, nil, v.containerCaps)
errs := strategy.Validate(field.NewPath("capabilities"), nil, nil, v.containerCaps)
if v.expectedError == "" && len(errs) > 0 {
t.Errorf("%s should have passed but had errors %v", k, errs)
continue
@@ -390,7 +391,7 @@ func TestValidateDrops(t *testing.T) {
t.Errorf("%s failed: %v", k, err)
continue
}
errs := strategy.Validate(nil, nil, v.containerCaps)
errs := strategy.Validate(field.NewPath("capabilities"), nil, nil, v.containerCaps)
if v.expectedError == "" && len(errs) > 0 {
t.Errorf("%s should have passed but had errors %v", k, errs)
continue

2
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities/types.go generated vendored
View File

@@ -26,5 +26,5 @@ type Strategy interface {
// Generate creates the capabilities based on policy rules.
Generate(pod *api.Pod, container *api.Container) (*api.Capabilities, error)
// Validate ensures that the specified values fall within the range of the strategy.
Validate(pod *api.Pod, container *api.Container, capabilities *api.Capabilities) field.ErrorList
Validate(fldPath *field.Path, pod *api.Pod, container *api.Container, capabilities *api.Capabilities) field.ErrorList
}

4
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/factory.go generated vendored
View File

@@ -139,7 +139,7 @@ func createFSGroupStrategy(opts *policy.FSGroupStrategyOptions) (group.GroupStra
case policy.FSGroupStrategyRunAsAny:
return group.NewRunAsAny()
case policy.FSGroupStrategyMustRunAs:
return group.NewMustRunAs(opts.Ranges, fsGroupField)
return group.NewMustRunAs(opts.Ranges)
default:
return nil, fmt.Errorf("Unrecognized FSGroup strategy type %s", opts.Rule)
}
@@ -151,7 +151,7 @@ func createSupplementalGroupStrategy(opts *policy.SupplementalGroupsStrategyOpti
case policy.SupplementalGroupsStrategyRunAsAny:
return group.NewRunAsAny()
case policy.SupplementalGroupsStrategyMustRunAs:
return group.NewMustRunAs(opts.Ranges, supplementalGroupsField)
return group.NewMustRunAs(opts.Ranges)
default:
return nil, fmt.Errorf("Unrecognized SupplementalGroups strategy type %s", opts.Rule)
}

7
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/group/BUILD generated vendored
View File

@@ -19,7 +19,7 @@ go_library(
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@@ -30,7 +30,10 @@ go_test(
"runasany_test.go",
],
embed = [":go_default_library"],
deps = ["//pkg/apis/policy:go_default_library"],
deps = [
"//pkg/apis/policy:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
filegroup(

10
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/group/mustrunas.go generated vendored
View File

@@ -28,19 +28,17 @@ import (
// mustRunAs implements the GroupStrategy interface
type mustRunAs struct {
ranges []policy.IDRange
field string
}
var _ GroupStrategy = &mustRunAs{}
// NewMustRunAs provides a new MustRunAs strategy based on ranges.
func NewMustRunAs(ranges []policy.IDRange, field string) (GroupStrategy, error) {
func NewMustRunAs(ranges []policy.IDRange) (GroupStrategy, error) {
if len(ranges) == 0 {
return nil, fmt.Errorf("ranges must be supplied for MustRunAs")
}
return &mustRunAs{
ranges: ranges,
field: field,
}, nil
}
@@ -61,17 +59,17 @@ func (s *mustRunAs) GenerateSingle(_ *api.Pod) (*int64, error) {
// Validate ensures that the specified values fall within the range of the strategy.
// Groups are passed in here to allow this strategy to support multiple group fields (fsgroup and
// supplemental groups).
func (s *mustRunAs) Validate(_ *api.Pod, groups []int64) field.ErrorList {
func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, groups []int64) field.ErrorList {
allErrs := field.ErrorList{}
if len(groups) == 0 && len(s.ranges) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath(s.field), groups, "unable to validate empty groups against required ranges"))
allErrs = append(allErrs, field.Invalid(fldPath, groups, "unable to validate empty groups against required ranges"))
}
for _, group := range groups {
if !s.isGroupValid(group) {
detail := fmt.Sprintf("group %d must be in the ranges: %v", group, s.ranges)
allErrs = append(allErrs, field.Invalid(field.NewPath(s.field), groups, detail))
allErrs = append(allErrs, field.Invalid(fldPath, groups, detail))
}
}

9
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/group/mustrunas_test.go generated vendored
View File

@@ -20,6 +20,7 @@ import (
"strings"
"testing"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/apis/policy"
)
@@ -40,7 +41,7 @@ func TestMustRunAsOptions(t *testing.T) {
}
for k, v := range tests {
_, err := NewMustRunAs(v.ranges, "")
_, err := NewMustRunAs(v.ranges)
if v.pass && err != nil {
t.Errorf("error creating strategy for %s: %v", k, err)
}
@@ -77,7 +78,7 @@ func TestGenerate(t *testing.T) {
}
for k, v := range tests {
s, err := NewMustRunAs(v.ranges, "")
s, err := NewMustRunAs(v.ranges)
if err != nil {
t.Errorf("error creating strategy for %s: %v", k, err)
}
@@ -161,11 +162,11 @@ func TestValidate(t *testing.T) {
}
for k, v := range tests {
s, err := NewMustRunAs(v.ranges, "")
s, err := NewMustRunAs(v.ranges)
if err != nil {
t.Errorf("error creating strategy for %s: %v", k, err)
}
errs := s.Validate(nil, v.groups)
errs := s.Validate(field.NewPath(""), nil, v.groups)
if v.expectedError == "" && len(errs) > 0 {
t.Errorf("unexpected errors for %s: %v", k, errs)
}

2
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/group/runasany.go generated vendored
View File

@@ -43,7 +43,7 @@ func (s *runAsAny) GenerateSingle(_ *api.Pod) (*int64, error) {
}
// Validate ensures that the specified values fall within the range of the strategy.
func (s *runAsAny) Validate(_ *api.Pod, groups []int64) field.ErrorList {
func (s *runAsAny) Validate(fldPath *field.Path, _ *api.Pod, groups []int64) field.ErrorList {
return field.ErrorList{}
}

4
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/group/runasany_test.go generated vendored
View File

@@ -18,6 +18,8 @@ package group
import (
"testing"
"k8s.io/apimachinery/pkg/util/validation/field"
)
func TestRunAsAnyGenerate(t *testing.T) {
@@ -53,7 +55,7 @@ func TestRunAsAnyValidte(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error initializing NewRunAsAny %v", err)
}
errs := s.Validate(nil, nil)
errs := s.Validate(field.NewPath(""), nil, nil)
if len(errs) != 0 {
t.Errorf("unexpected errors: %v", errs)
}

2
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/group/types.go generated vendored
View File

@@ -31,5 +31,5 @@ type GroupStrategy interface {
// value to return if configured with multiple ranges. This is used for FSGroup.
GenerateSingle(pod *api.Pod) (*int64, error)
// Validate ensures that the specified values fall within the range of the strategy.
Validate(pod *api.Pod, groups []int64) field.ErrorList
Validate(fldPath *field.Path, pod *api.Pod, groups []int64) field.ErrorList
}

72
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/provider.go generated vendored
View File

@@ -27,13 +27,6 @@ import (
"k8s.io/kubernetes/pkg/securitycontext"
)
// used to pass in the field being validated for reusable group strategies so they
// can create informative error messages.
const (
fsGroupField = "fsGroup"
supplementalGroupsField = "supplementalGroups"
)
// simpleProvider is the default implementation of Provider.
type simpleProvider struct {
psp *policy.PodSecurityPolicy
@@ -180,31 +173,32 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container
}
// ValidatePod ensure a pod is in compliance with the given constraints.
func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.ErrorList {
func (s *simpleProvider) ValidatePod(pod *api.Pod) field.ErrorList {
allErrs := field.ErrorList{}
sc := securitycontext.NewPodSecurityContextAccessor(pod.Spec.SecurityContext)
scPath := field.NewPath("spec", "securityContext")
fsGroups := []int64{}
var fsGroups []int64
if fsGroup := sc.FSGroup(); fsGroup != nil {
fsGroups = append(fsGroups, *fsGroup)
fsGroups = []int64{*fsGroup}
}
allErrs = append(allErrs, s.strategies.FSGroupStrategy.Validate(pod, fsGroups)...)
allErrs = append(allErrs, s.strategies.SupplementalGroupStrategy.Validate(pod, sc.SupplementalGroups())...)
allErrs = append(allErrs, s.strategies.FSGroupStrategy.Validate(scPath.Child("fsGroup"), pod, fsGroups)...)
allErrs = append(allErrs, s.strategies.SupplementalGroupStrategy.Validate(scPath.Child("supplementalGroups"), pod, sc.SupplementalGroups())...)
allErrs = append(allErrs, s.strategies.SeccompStrategy.ValidatePod(pod)...)
allErrs = append(allErrs, s.strategies.SELinuxStrategy.Validate(fldPath.Child("seLinuxOptions"), pod, nil, sc.SELinuxOptions())...)
allErrs = append(allErrs, s.strategies.SELinuxStrategy.Validate(scPath.Child("seLinuxOptions"), pod, nil, sc.SELinuxOptions())...)
if !s.psp.Spec.HostNetwork && sc.HostNetwork() {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), sc.HostNetwork(), "Host network is not allowed to be used"))
allErrs = append(allErrs, field.Invalid(scPath.Child("hostNetwork"), sc.HostNetwork(), "Host network is not allowed to be used"))
}
if !s.psp.Spec.HostPID && sc.HostPID() {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), sc.HostPID(), "Host PID is not allowed to be used"))
allErrs = append(allErrs, field.Invalid(scPath.Child("hostPID"), sc.HostPID(), "Host PID is not allowed to be used"))
}
if !s.psp.Spec.HostIPC && sc.HostIPC() {
allErrs = append(allErrs, field.Invalid(fldPath.Child("hostIPC"), sc.HostIPC(), "Host IPC is not allowed to be used"))
allErrs = append(allErrs, field.Invalid(scPath.Child("hostIPC"), sc.HostIPC(), "Host IPC is not allowed to be used"))
}
allErrs = append(allErrs, s.strategies.SysctlsStrategy.Validate(pod)...)
@@ -268,7 +262,7 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.Er
}
if !found {
allErrs = append(allErrs,
field.Invalid(fldPath.Child("volumes").Index(i).Child("driver"), driver,
field.Invalid(field.NewPath("spec", "volumes").Index(i).Child("driver"), driver,
"Flexvolume driver is not allowed to be used"))
}
}
@@ -278,52 +272,58 @@ func (s *simpleProvider) ValidatePod(pod *api.Pod, fldPath *field.Path) field.Er
}
// Ensure a container's SecurityContext is in compliance with the given constraints
func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList {
func (s *simpleProvider) ValidateContainer(pod *api.Pod, container *api.Container, containerPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
podSC := securitycontext.NewPodSecurityContextAccessor(pod.Spec.SecurityContext)
sc := securitycontext.NewEffectiveContainerSecurityContextAccessor(podSC, securitycontext.NewContainerSecurityContextMutator(container.SecurityContext))
allErrs = append(allErrs, s.strategies.RunAsUserStrategy.Validate(fldPath.Child("securityContext"), pod, container, sc.RunAsNonRoot(), sc.RunAsUser())...)
allErrs = append(allErrs, s.strategies.SELinuxStrategy.Validate(fldPath.Child("seLinuxOptions"), pod, container, sc.SELinuxOptions())...)
scPath := containerPath.Child("securityContext")
allErrs = append(allErrs, s.strategies.RunAsUserStrategy.Validate(scPath, pod, container, sc.RunAsNonRoot(), sc.RunAsUser())...)
allErrs = append(allErrs, s.strategies.SELinuxStrategy.Validate(scPath.Child("seLinuxOptions"), pod, container, sc.SELinuxOptions())...)
allErrs = append(allErrs, s.strategies.AppArmorStrategy.Validate(pod, container)...)
allErrs = append(allErrs, s.strategies.SeccompStrategy.ValidateContainer(pod, container)...)
privileged := sc.Privileged()
if !s.psp.Spec.Privileged && privileged != nil && *privileged {
allErrs = append(allErrs, field.Invalid(fldPath.Child("privileged"), *privileged, "Privileged containers are not allowed"))
allErrs = append(allErrs, field.Invalid(scPath.Child("privileged"), *privileged, "Privileged containers are not allowed"))
}
allErrs = append(allErrs, s.strategies.CapabilitiesStrategy.Validate(pod, container, sc.Capabilities())...)
containersPath := fldPath.Child("containers")
for idx, c := range pod.Spec.Containers {
idxPath := containersPath.Index(idx)
allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
procMount := sc.ProcMount()
allowedProcMounts := s.psp.Spec.AllowedProcMountTypes
if len(allowedProcMounts) == 0 {
allowedProcMounts = []api.ProcMountType{api.DefaultProcMount}
}
foundProcMountType := false
for _, pm := range allowedProcMounts {
if pm == procMount {
foundProcMountType = true
}
}
if !foundProcMountType {
allErrs = append(allErrs, field.Invalid(scPath.Child("procMount"), procMount, "ProcMountType is not allowed"))
}
containersPath = fldPath.Child("initContainers")
for idx, c := range pod.Spec.InitContainers {
idxPath := containersPath.Index(idx)
allErrs = append(allErrs, s.hasInvalidHostPort(&c, idxPath)...)
}
allErrs = append(allErrs, s.strategies.CapabilitiesStrategy.Validate(scPath.Child("capabilities"), pod, container, sc.Capabilities())...)
allErrs = append(allErrs, s.hasInvalidHostPort(container, containerPath)...)
if s.psp.Spec.ReadOnlyRootFilesystem {
readOnly := sc.ReadOnlyRootFilesystem()
if readOnly == nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child("readOnlyRootFilesystem"), readOnly, "ReadOnlyRootFilesystem may not be nil and must be set to true"))
allErrs = append(allErrs, field.Invalid(scPath.Child("readOnlyRootFilesystem"), readOnly, "ReadOnlyRootFilesystem may not be nil and must be set to true"))
} else if !*readOnly {
allErrs = append(allErrs, field.Invalid(fldPath.Child("readOnlyRootFilesystem"), *readOnly, "ReadOnlyRootFilesystem must be set to true"))
allErrs = append(allErrs, field.Invalid(scPath.Child("readOnlyRootFilesystem"), *readOnly, "ReadOnlyRootFilesystem must be set to true"))
}
}
allowEscalation := sc.AllowPrivilegeEscalation()
if !s.psp.Spec.AllowPrivilegeEscalation && allowEscalation == nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child("allowPrivilegeEscalation"), allowEscalation, "Allowing privilege escalation for containers is not allowed"))
allErrs = append(allErrs, field.Invalid(scPath.Child("allowPrivilegeEscalation"), allowEscalation, "Allowing privilege escalation for containers is not allowed"))
}
if !s.psp.Spec.AllowPrivilegeEscalation && allowEscalation != nil && *allowEscalation {
allErrs = append(allErrs, field.Invalid(fldPath.Child("allowPrivilegeEscalation"), *allowEscalation, "Allowing privilege escalation for containers is not allowed"))
allErrs = append(allErrs, field.Invalid(scPath.Child("allowPrivilegeEscalation"), *allowEscalation, "Allowing privilege escalation for containers is not allowed"))
}
return allErrs

184
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/provider_test.go generated vendored
View File

@@ -19,10 +19,13 @@ package podsecuritypolicy
import (
"fmt"
"reflect"
"strconv"
"strings"
"testing"
"github.com/davecgh/go-spew/spew"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -412,7 +415,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
if err != nil {
t.Fatalf("unable to create provider %v", err)
}
errs := provider.ValidatePod(v.pod, field.NewPath(""))
errs := provider.ValidatePod(v.pod)
if len(errs) == 0 {
t.Errorf("%s expected validation failure but did not receive errors", k)
continue
@@ -445,7 +448,7 @@ func allowFlexVolumesPSP(allowAllFlexVolumes, allowAllVolumes bool) *policy.PodS
return psp
}
func TestValidateContainerSecurityContextFailures(t *testing.T) {
func TestValidateContainerFailures(t *testing.T) {
// fail user strategy
failUserPSP := defaultPSP()
uid := int64(999)
@@ -485,6 +488,10 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
var priv bool = true
failPrivPod.Spec.Containers[0].SecurityContext.Privileged = &priv
failProcMountPod := defaultPod()
failProcMountPod.Spec.Containers[0].SecurityContext.ProcMount = new(api.ProcMountType)
*failProcMountPod.Spec.Containers[0].SecurityContext.ProcMount = api.UnmaskedProcMount
failCapsPod := defaultPod()
failCapsPod.Spec.Containers[0].SecurityContext.Capabilities = &api.Capabilities{
Add: []api.Capability{"foo"},
@@ -540,6 +547,11 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
psp: defaultPSP(),
expectedError: "Privileged containers are not allowed",
},
"failProcMountPSP": {
pod: failProcMountPod,
psp: defaultPSP(),
expectedError: "ProcMountType is not allowed",
},
"failCapsPSP": {
pod: failCapsPod,
psp: defaultPSP(),
@@ -577,7 +589,7 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {
if err != nil {
t.Fatalf("unable to create provider %v", err)
}
errs := provider.ValidateContainerSecurityContext(v.pod, &v.pod.Spec.Containers[0], field.NewPath(""))
errs := provider.ValidateContainer(v.pod, &v.pod.Spec.Containers[0], field.NewPath(""))
if len(errs) == 0 {
t.Errorf("%s expected validation failure but did not receive errors", k)
continue
@@ -836,7 +848,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
if err != nil {
t.Fatalf("unable to create provider %v", err)
}
errs := provider.ValidatePod(v.pod, field.NewPath(""))
errs := provider.ValidatePod(v.pod)
if len(errs) != 0 {
t.Errorf("%s expected validation pass but received errors %v", k, errs)
continue
@@ -844,7 +856,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
}
}
func TestValidateContainerSecurityContextSuccess(t *testing.T) {
func TestValidateContainerSuccess(t *testing.T) {
// success user strategy
userPSP := defaultPSP()
uid := int64(999)
@@ -1001,7 +1013,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
if err != nil {
t.Fatalf("unable to create provider %v", err)
}
errs := provider.ValidateContainerSecurityContext(v.pod, &v.pod.Spec.Containers[0], field.NewPath(""))
errs := provider.ValidateContainer(v.pod, &v.pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 0 {
t.Errorf("%s expected validation pass but received errors %v\n%s", k, errs, spew.Sdump(v.pod.ObjectMeta))
continue
@@ -1198,7 +1210,7 @@ func TestValidateAllowedVolumes(t *testing.T) {
}
// expect a denial for this PSP and test the error message to ensure it's related to the volumesource
errs := provider.ValidatePod(pod, field.NewPath(""))
errs := provider.ValidatePod(pod)
if len(errs) != 1 {
t.Errorf("expected exactly 1 error for %s but got %v", fieldVal.Name, errs)
} else {
@@ -1209,124 +1221,78 @@ func TestValidateAllowedVolumes(t *testing.T) {
// now add the fstype directly to the psp and it should validate
psp.Spec.Volumes = []policy.FSType{fsType}
errs = provider.ValidatePod(pod, field.NewPath(""))
errs = provider.ValidatePod(pod)
if len(errs) != 0 {
t.Errorf("directly allowing volume expected no errors for %s but got %v", fieldVal.Name, errs)
}
// now change the psp to allow any volumes and the pod should still validate
psp.Spec.Volumes = []policy.FSType{policy.All}
errs = provider.ValidatePod(pod, field.NewPath(""))
errs = provider.ValidatePod(pod)
if len(errs) != 0 {
t.Errorf("wildcard volume expected no errors for %s but got %v", fieldVal.Name, errs)
}
}
}
// TestValidateAllowPrivilegeEscalation will test that when the podSecurityPolicy
// AllowPrivilegeEscalation is false we cannot set a container's securityContext
// to allowPrivilegeEscalation, but when it is true we can.
func TestValidateAllowPrivilegeEscalation(t *testing.T) {
pod := defaultPod()
pe := true
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &pe
// create a PSP that does not allow privilege escalation
psp := defaultPSP()
psp.Spec.AllowPrivilegeEscalation = false
provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
if err != nil {
t.Errorf("error creating provider: %v", err.Error())
func TestAllowPrivilegeEscalation(t *testing.T) {
ptr := func(b bool) *bool { return &b }
tests := []struct {
pspAPE bool // PSP AllowPrivilegeEscalation
pspDAPE *bool // PSP DefaultAllowPrivilegeEscalation
podAPE *bool // Pod AllowPrivilegeEscalation
expectErr bool
expectAPE *bool // Expected value of pod APE (if no error)
}{
// Test all valid combinations of PSP AllowPrivilegeEscalation,
// DefaultAllowPrivilegeEscalation, and Pod AllowPrivilegeEscalation.
{true, nil, nil, false, nil},
{true, nil, ptr(false), false, ptr(false)},
{true, nil, ptr(true), false, ptr(true)},
{true, ptr(false), nil, false, ptr(false)},
{true, ptr(false), ptr(false), false, ptr(false)},
{true, ptr(false), ptr(true), false, ptr(true)},
{true, ptr(true), nil, false, ptr(true)},
{true, ptr(true), ptr(false), false, ptr(false)},
{true, ptr(true), ptr(true), false, ptr(true)},
{false, nil, nil, false, ptr(false)},
{false, nil, ptr(false), false, ptr(false)},
{false, nil, ptr(true), true, nil},
{false, ptr(false), nil, false, ptr(false)},
{false, ptr(false), ptr(false), false, ptr(false)},
{false, ptr(false), ptr(true), true, nil},
// Invalid cases: pspAPE=false, pspDAPE=true
}
// expect a denial for this PSP and test the error message to ensure it's related to allowPrivilegeEscalation
errs := provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error but got %v", errs)
} else {
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
t.Errorf("did not find the expected error, received: %v", errs)
fmtPtr := func(b *bool) string {
if b == nil {
return "nil"
}
return strconv.FormatBool(*b)
}
for _, test := range tests {
t.Run(fmt.Sprintf("pspAPE:%t_pspDAPE:%s_podAPE:%s", test.pspAPE, fmtPtr(test.pspDAPE), fmtPtr(test.podAPE)), func(t *testing.T) {
pod := defaultPod()
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = test.podAPE
// now add allowPrivilegeEscalation to the podSecurityPolicy
psp.Spec.AllowPrivilegeEscalation = true
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 0 {
t.Errorf("directly allowing privilege escalation expected no errors but got %v", errs)
}
}
// TestValidateDefaultAllowPrivilegeEscalation will test that when the podSecurityPolicy
// DefaultAllowPrivilegeEscalation is false we cannot set a container's
// securityContext to allowPrivilegeEscalation but when it is true we can.
func TestValidateDefaultAllowPrivilegeEscalation(t *testing.T) {
pod := defaultPod()
pe := true
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &pe
// create a PSP that does not allow privilege escalation
psp := defaultPSP()
dpe := false
psp.Spec.DefaultAllowPrivilegeEscalation = &dpe
psp.Spec.AllowPrivilegeEscalation = false
provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
if err != nil {
t.Errorf("error creating provider: %v", err.Error())
}
// expect a denial for this PSP and test the error message to ensure it's related to allowPrivilegeEscalation
errs := provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error but got %v", errs)
} else {
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
t.Errorf("did not find the expected error, received: %v", errs)
}
}
// now add DefaultAllowPrivilegeEscalation to the podSecurityPolicy
dpe = true
psp.Spec.DefaultAllowPrivilegeEscalation = &dpe
psp.Spec.AllowPrivilegeEscalation = false
// expect a denial for this PSP because we did not allowPrivilege Escalation via the PodSecurityPolicy
// and test the error message to ensure it's related to allowPrivilegeEscalation
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error but got %v", errs)
} else {
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
t.Errorf("did not find the expected error, received: %v", errs)
}
}
// Now set AllowPrivilegeEscalation
psp.Spec.AllowPrivilegeEscalation = true
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 0 {
t.Errorf("directly allowing privilege escalation expected no errors but got %v", errs)
}
// Now set the psp spec to false and reset AllowPrivilegeEscalation
psp.Spec.AllowPrivilegeEscalation = false
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 1 {
t.Errorf("expected exactly 1 error but got %v", errs)
} else {
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
t.Errorf("did not find the expected error, received: %v", errs)
}
}
// Now unset both AllowPrivilegeEscalation
psp.Spec.AllowPrivilegeEscalation = true
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
if len(errs) != 0 {
t.Errorf("resetting allowing privilege escalation expected no errors but got %v", errs)
psp := defaultPSP()
psp.Spec.AllowPrivilegeEscalation = test.pspAPE
psp.Spec.DefaultAllowPrivilegeEscalation = test.pspDAPE
provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
require.NoError(t, err)
err = provider.DefaultContainerSecurityContext(pod, &pod.Spec.Containers[0])
require.NoError(t, err)
errs := provider.ValidateContainer(pod, &pod.Spec.Containers[0], field.NewPath(""))
if test.expectErr {
assert.NotEmpty(t, errs, "expected validation error")
} else {
assert.Empty(t, errs, "expected no validation errors")
ape := pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation
assert.Equal(t, test.expectAPE, ape, "expected pod AllowPrivilegeEscalation")
}
})
}
}

4
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/BUILD generated vendored
View File

@@ -12,7 +12,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp",
deps = [
"//pkg/apis/core:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@@ -22,7 +22,7 @@ go_test(
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
],
)

2
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux/BUILD generated vendored
View File

@@ -19,7 +19,7 @@ go_library(
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)

2
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl/BUILD generated vendored
View File

@@ -15,7 +15,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl",
deps = [
"//pkg/apis/core:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)

6
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/types.go generated vendored
View File

@@ -39,9 +39,9 @@ type Provider interface {
// It modifies the SecurityContext of the container and annotations of the pod.
DefaultContainerSecurityContext(pod *api.Pod, container *api.Container) error
// Ensure a pod is in compliance with the given constraints.
ValidatePod(pod *api.Pod, fldPath *field.Path) field.ErrorList
// Ensure a container's SecurityContext is in compliance with the given constraints
ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList
ValidatePod(pod *api.Pod) field.ErrorList
// Ensure a container's SecurityContext is in compliance with the given constraints.
ValidateContainer(pod *api.Pod, container *api.Container, containerPath *field.Path) field.ErrorList
// Get the name of the PSP that this provider was initialized with.
GetPSPName() string
}

2
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/user/BUILD generated vendored
View File

@@ -20,7 +20,7 @@ go_library(
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)

6
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/user/mustrunas.go generated vendored
View File

@@ -49,17 +49,17 @@ func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*int64, er
}
// Validate ensures that the specified values fall within the range of the strategy.
func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container, runAsNonRoot *bool, runAsUser *int64) field.ErrorList {
func (s *mustRunAs) Validate(scPath *field.Path, _ *api.Pod, _ *api.Container, runAsNonRoot *bool, runAsUser *int64) field.ErrorList {
allErrs := field.ErrorList{}
if runAsUser == nil {
allErrs = append(allErrs, field.Required(fldPath.Child("runAsUser"), ""))
allErrs = append(allErrs, field.Required(scPath.Child("runAsUser"), ""))
return allErrs
}
if !s.isValidUID(*runAsUser) {
detail := fmt.Sprintf("must be in the ranges: %v", s.opts.Ranges)
allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *runAsUser, detail))
allErrs = append(allErrs, field.Invalid(scPath.Child("runAsUser"), *runAsUser, detail))
}
return allErrs
}

8
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/user/nonroot.go generated vendored
View File

@@ -41,18 +41,18 @@ func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*int64, erro
// or if the UID is set it is not root. Validation will fail if RunAsNonRoot is set to false.
// In order to work properly this assumes that the kubelet performs a final check on runAsUser
// or the image UID when runAsUser is nil.
func (s *nonRoot) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container, runAsNonRoot *bool, runAsUser *int64) field.ErrorList {
func (s *nonRoot) Validate(scPath *field.Path, _ *api.Pod, _ *api.Container, runAsNonRoot *bool, runAsUser *int64) field.ErrorList {
allErrs := field.ErrorList{}
if runAsNonRoot == nil && runAsUser == nil {
allErrs = append(allErrs, field.Required(fldPath.Child("runAsNonRoot"), "must be true"))
allErrs = append(allErrs, field.Required(scPath.Child("runAsNonRoot"), "must be true"))
return allErrs
}
if runAsNonRoot != nil && *runAsNonRoot == false {
allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsNonRoot"), *runAsNonRoot, "must be true"))
allErrs = append(allErrs, field.Invalid(scPath.Child("runAsNonRoot"), *runAsNonRoot, "must be true"))
return allErrs
}
if runAsUser != nil && *runAsUser == 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *runAsUser, "running with the root UID is forbidden"))
allErrs = append(allErrs, field.Invalid(scPath.Child("runAsUser"), *runAsUser, "running with the root UID is forbidden"))
return allErrs
}
return allErrs

2
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/user/runasany.go generated vendored
View File

@@ -38,6 +38,6 @@ func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*int64, err
}
// Validate ensures that the specified values fall within the range of the strategy.
func (s *runAsAny) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container, runAsNonRoot *bool, runAsUser *int64) field.ErrorList {
func (s *runAsAny) Validate(_ *field.Path, _ *api.Pod, _ *api.Container, runAsNonRoot *bool, runAsUser *int64) field.ErrorList {
return field.ErrorList{}
}

3
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/user/types.go generated vendored
View File

@@ -26,5 +26,6 @@ type RunAsUserStrategy interface {
// Generate creates the uid based on policy rules.
Generate(pod *api.Pod, container *api.Container) (*int64, error)
// Validate ensures that the specified values fall within the range of the strategy.
Validate(fldPath *field.Path, pod *api.Pod, container *api.Container, runAsNonRoot *bool, runAsUser *int64) field.ErrorList
// scPath is the field path to the container's security context
Validate(scPath *field.Path, pod *api.Pod, container *api.Container, runAsNonRoot *bool, runAsUser *int64) field.ErrorList
}

2
vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/BUILD generated vendored
View File

@@ -16,7 +16,7 @@ go_library(
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
],
)