Bumping k8s dependencies to 1.13

2018-11-16 14:08:25 -08:00
parent 305407125c
commit b4c0b68ec7
8002 changed files with 884099 additions and 276228 deletions
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/BUILD
@@ -17,7 +17,7 @@ go_library(
    importpath = "k8s.io/kubernetes/pkg/securitycontext",
    deps = [
        "//pkg/apis/core:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
    ],
 )

@@ -30,8 +30,8 @@ go_test(
    embed = [":go_default_library"],
    deps = [
        "//pkg/apis/core:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
    ],
 )

--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/accessors.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/accessors.go
@@ -188,6 +188,7 @@ func (w *podSecurityContextWrapper) SetFSGroup(v *int64) {
 type ContainerSecurityContextAccessor interface {
 	Capabilities() *api.Capabilities
 	Privileged() *bool
+	ProcMount() api.ProcMountType
 	SELinuxOptions() *api.SELinuxOptions
 	RunAsUser() *int64
 	RunAsNonRoot() *bool
@@ -257,6 +258,15 @@ func (w *containerSecurityContextWrapper) SetPrivileged(v *bool) {
 	w.ensureContainerSC()
 	w.containerSC.Privileged = v
 }
+func (w *containerSecurityContextWrapper) ProcMount() api.ProcMountType {
+	if w.containerSC == nil {
+		return api.DefaultProcMount
+	}
+	if w.containerSC.ProcMount == nil {
+		return api.DefaultProcMount
+	}
+	return *w.containerSC.ProcMount
+}
 func (w *containerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
 	if w.containerSC == nil {
 		return nil
@@ -356,6 +366,9 @@ func (w *effectiveContainerSecurityContextWrapper) SetPrivileged(v *bool) {
 		w.containerSC.SetPrivileged(v)
 	}
 }
+func (w *effectiveContainerSecurityContextWrapper) ProcMount() api.ProcMountType {
+	return w.containerSC.ProcMount()
+}
 func (w *effectiveContainerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
 	if v := w.containerSC.SELinuxOptions(); v != nil {
 		return v
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/fake.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/fake.go
@@ -35,8 +35,10 @@ func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext {
 // empty container defaults.  Used for testing.
 func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext {
 	priv := false
+	dpm := api.DefaultProcMount
 	return &api.SecurityContext{
 		Capabilities: &api.Capabilities{},
 		Privileged:   &priv,
+		ProcMount:    &dpm,
 	}
 }
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go
@@ -72,7 +72,7 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
 	containerSc := container.SecurityContext

 	if effectiveSc == nil && containerSc == nil {
-		return nil
+		return &v1.SecurityContext{}
 	}
 	if effectiveSc != nil && containerSc == nil {
 		return effectiveSc
@@ -121,6 +121,11 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
 		*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
 	}

+	if containerSc.ProcMount != nil {
+		effectiveSc.ProcMount = new(v1.ProcMountType)
+		*effectiveSc.ProcMount = *containerSc.ProcMount
+	}
+
 	return effectiveSc
 }

@@ -167,3 +172,52 @@ func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
 	// handle the case where defaultAllowPrivilegeEscalation is false or the user explicitly set allowPrivilegeEscalation to true/false
 	return !*sc.AllowPrivilegeEscalation
 }
+
+var (
+	// These *must* be kept in sync with moby/moby.
+	// https://github.com/moby/moby/blob/master/oci/defaults.go#L116-L134
+	// @jessfraz will watch changes to those files upstream.
+	defaultMaskedPaths = []string{
+		"/proc/acpi",
+		"/proc/kcore",
+		"/proc/keys",
+		"/proc/latency_stats",
+		"/proc/timer_list",
+		"/proc/timer_stats",
+		"/proc/sched_debug",
+		"/proc/scsi",
+		"/sys/firmware",
+	}
+	defaultReadonlyPaths = []string{
+		"/proc/asound",
+		"/proc/bus",
+		"/proc/fs",
+		"/proc/irq",
+		"/proc/sys",
+		"/proc/sysrq-trigger",
+	}
+)
+
+// ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default
+// masked paths.
+func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string {
+	if opt != nil && *opt == v1.UnmaskedProcMount {
+		// Unmasked proc mount should have no paths set as masked.
+		return []string{}
+	}
+
+	// Otherwise, add the default masked paths to the runtime security context.
+	return defaultMaskedPaths
+}
+
+// ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default
+// readonly paths.
+func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string {
+	if opt != nil && *opt == v1.UnmaskedProcMount {
+		// Unmasked proc mount should have no paths set as readonly.
+		return []string{}
+	}
+
+	// Otherwise, add the default readonly paths to the runtime security context.
+	return defaultReadonlyPaths
+}
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/util_test.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/util_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package securitycontext

 import (
+	"reflect"
 	"testing"

 	"k8s.io/api/core/v1"
@@ -123,3 +124,61 @@ func TestAddNoNewPrivileges(t *testing.T) {
 		}
 	}
 }
+
+func TestConvertToRuntimeMaskedPaths(t *testing.T) {
+	dPM := v1.DefaultProcMount
+	uPM := v1.UnmaskedProcMount
+	tests := map[string]struct {
+		pm     *v1.ProcMountType
+		expect []string
+	}{
+		"procMount nil": {
+			pm:     nil,
+			expect: defaultMaskedPaths,
+		},
+		"procMount default": {
+			pm:     &dPM,
+			expect: defaultMaskedPaths,
+		},
+		"procMount unmasked": {
+			pm:     &uPM,
+			expect: []string{},
+		},
+	}
+
+	for k, v := range tests {
+		actual := ConvertToRuntimeMaskedPaths(v.pm)
+		if !reflect.DeepEqual(actual, v.expect) {
+			t.Errorf("%s failed, expected %#v but received %#v", k, v.expect, actual)
+		}
+	}
+}
+
+func TestConvertToRuntimeReadonlyPaths(t *testing.T) {
+	dPM := v1.DefaultProcMount
+	uPM := v1.UnmaskedProcMount
+	tests := map[string]struct {
+		pm     *v1.ProcMountType
+		expect []string
+	}{
+		"procMount nil": {
+			pm:     nil,
+			expect: defaultReadonlyPaths,
+		},
+		"procMount default": {
+			pm:     &dPM,
+			expect: defaultReadonlyPaths,
+		},
+		"procMount unmasked": {
+			pm:     &uPM,
+			expect: []string{},
+		},
+	}
+
+	for k, v := range tests {
+		actual := ConvertToRuntimeReadonlyPaths(v.pm)
+		if !reflect.DeepEqual(actual, v.expect) {
+			t.Errorf("%s failed, expected %#v but received %#v", k, v.expect, actual)
+		}
+	}
+}