Add generated file

This PR adds generated files under pkg/client and vendor folder.

vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/BUILD

@@ -0,0 +1,34 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased",
+    deps = [
+        "//pkg/apis/core/helper:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/registry/rbac:go_default_library",
+        "//pkg/registry/rbac/validation:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/storage.go

@@ -0,0 +1,107 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package policybased implements a standard storage for ClusterRole that prevents privilege escalation.
+package policybased
+
+import (
+	"context"
+	"errors"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/registry/rest"
+	kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
+	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
+)
+
+var groupResource = rbac.Resource("clusterroles")
+
+type Storage struct {
+	rest.StandardStorage
+
+	ruleResolver rbacregistryvalidation.AuthorizationRuleResolver
+}
+
+func NewStorage(s rest.StandardStorage, ruleResolver rbacregistryvalidation.AuthorizationRuleResolver) *Storage {
+	return &Storage{s, ruleResolver}
+}
+
+func (r *Storage) NamespaceScoped() bool {
+	return false
+}
+
+var fullAuthority = []rbac.PolicyRule{
+	rbac.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
+	rbac.NewRule("*").URLs("*").RuleOrDie(),
+}
+
+func (s *Storage) Create(ctx context.Context, obj runtime.Object, createValidatingAdmission rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
+	if rbacregistry.EscalationAllowed(ctx) {
+		return s.StandardStorage.Create(ctx, obj, createValidatingAdmission, includeUninitialized)
+	}
+
+	clusterRole := obj.(*rbac.ClusterRole)
+	rules := clusterRole.Rules
+	if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, rules); err != nil {
+		return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, err)
+	}
+	// to set the aggregation rule, since it can gather anything, requires * on *.*
+	if hasAggregationRule(clusterRole) {
+		if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, fullAuthority); err != nil {
+			return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, errors.New("must have cluster-admin privileges to use the aggregationRule"))
+		}
+	}
+
+	return s.StandardStorage.Create(ctx, obj, createValidatingAdmission, includeUninitialized)
+}
+
+func (s *Storage) Update(ctx context.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
+	if rbacregistry.EscalationAllowed(ctx) {
+		return s.StandardStorage.Update(ctx, name, obj, createValidation, updateValidation)
+	}
+
+	nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx context.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
+		clusterRole := obj.(*rbac.ClusterRole)
+		oldClusterRole := oldObj.(*rbac.ClusterRole)
+
+		// if we're only mutating fields needed for the GC to eventually delete this obj, return
+		if rbacregistry.IsOnlyMutatingGCFields(obj, oldObj, kapihelper.Semantic) {
+			return obj, nil
+		}
+
+		rules := clusterRole.Rules
+		if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, rules); err != nil {
+			return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, err)
+		}
+		// to change the aggregation rule, since it can gather anything and prevent tightening, requires * on *.*
+		if hasAggregationRule(clusterRole) || hasAggregationRule(oldClusterRole) {
+			if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, fullAuthority); err != nil {
+				return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, errors.New("must have cluster-admin privileges to use the aggregationRule"))
+			}
+		}
+
+		return obj, nil
+	})
+
+	return s.StandardStorage.Update(ctx, name, nonEscalatingInfo, createValidation, updateValidation)
+}
+
+func hasAggregationRule(clusterRole *rbac.ClusterRole) bool {
+	return clusterRole.AggregationRule != nil && len(clusterRole.AggregationRule.ClusterRoleSelectors) > 0
+}