github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #44714 from jamiehannaford/unix_user_type 

Automatic merge from submit-queue (batch tested with PRs 44590, 44969, 45325, 45208, 44714)

Use dedicated UnixUserID and UnixGroupID types

**What this PR does / why we need it**:

DRYs up type definitions by using the dedicated types in apimachinery 

**Which issue this PR fixes**

#38120

**Release note**:
```release-note
UIDs and GIDs now use apimachinery types
```
pull/6/head
Kubernetes Submit Queue 2017-05-05 14:08:17 -07:00 committed by GitHub
parent 32335ee473 9440a68744
commit 5b3d0bbe66
120 changed files with 4881 additions and 4396 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
api/swagger-spec/apps_v1beta1.json
View File

@ -4057,8 +4057,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@ -4117,6 +4116,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -4126,8 +4129,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@ -4137,17 +4139,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

19
api/swagger-spec/batch_v1.json
View File

@ -2840,8 +2840,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@ -2900,6 +2899,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -2909,8 +2912,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@ -2920,17 +2922,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

19
api/swagger-spec/batch_v2alpha1.json
View File

@ -3873,8 +3873,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@ -3933,6 +3932,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -3942,8 +3945,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@ -3953,17 +3955,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

19
api/swagger-spec/extensions_v1beta1.json
View File

@ -8304,8 +8304,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@ -8364,6 +8363,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -8373,8 +8376,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@ -8384,17 +8386,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

19
api/swagger-spec/v1.json
View File

@ -19891,8 +19891,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
@ -19951,6 +19950,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -19960,8 +19963,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
@ -19971,17 +19973,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",

26
docs/api-reference/apps/v1beta1/definitions.html
View File

@ -1755,6 +1755,10 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_uid">types.UID</h3>
</div>
<div class="sect2">
<h3 id="_v1_azurefilevolumesource">v1.AzureFileVolumeSource</h3>
@ -1803,10 +1807,6 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_uid">types.UID</h3>
</div>
<div class="sect2">
<h3 id="_v1_iscsivolumesource">v1.ISCSIVolumeSource</h3>
@ -4218,6 +4218,10 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_scaleiovolumesource">v1.ScaleIOVolumeSource</h3>
@ -4590,6 +4594,10 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_deploymentrollback">v1beta1.DeploymentRollback</h3>
@ -5242,7 +5250,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -5256,7 +5264,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -5265,7 +5273,7 @@ Examples:<br>
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@ -5639,7 +5647,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -6339,7 +6347,7 @@ Examples:<br>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-05-02 14:37:22 UTC
Last updated 2017-05-04 11:35:33 UTC
</div>
</div>
</body>

18
docs/api-reference/batch/v1/definitions.html
View File

@ -535,6 +535,10 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@ -1167,6 +1171,10 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1_httpheader">v1.HTTPHeader</h3>
@ -2088,7 +2096,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -2102,7 +2110,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -2111,7 +2119,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@ -3013,7 +3021,7 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -5581,7 +5589,7 @@ Examples:<br>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-05-02 14:37:51 UTC
Last updated 2017-04-26 21:11:54 UTC
</div>
</div>
</body>

4750
docs/api-reference/batch/v2alpha1/definitions.html
View File

File diff suppressed because it is too large Load Diff

142
docs/api-reference/extensions/v1beta1/definitions.html
View File

@ -2196,68 +2196,6 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1beta1_daemonsetspec">v1beta1.DaemonSetSpec</h3>
<div class="paragraph">
<p>DaemonSetSpec is the specification of a daemon set.</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">selector</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A label query over pods that are managed by the daemon set. Must match in order to be controlled. If empty, defaulted to labels on Pod template. More info: <a href="http://kubernetes.io/docs/user-guide/labels#label-selectors">http://kubernetes.io/docs/user-guide/labels#label-selectors</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselector">v1.LabelSelector</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">template</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template&#8217;s node selector (or on every node if no node selector is specified). More info: <a href="http://kubernetes.io/docs/user-guide/replication-controller#pod-template">http://kubernetes.io/docs/user-guide/replication-controller#pod-template</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_podtemplatespec">v1.PodTemplateSpec</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">updateStrategy</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">An update strategy to replace existing DaemonSet pods with new pods.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_daemonsetupdatestrategy">v1beta1.DaemonSetUpdateStrategy</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">minReadySeconds</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">templateGeneration</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A sequence number representing a specific generation of the template. Populated by the system. It can be set only during the creation.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1beta1_deployment">v1beta1.Deployment</h3>
@ -2320,6 +2258,68 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1beta1_daemonsetspec">v1beta1.DaemonSetSpec</h3>
<div class="paragraph">
<p>DaemonSetSpec is the specification of a daemon set.</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">selector</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A label query over pods that are managed by the daemon set. Must match in order to be controlled. If empty, defaulted to labels on Pod template. More info: <a href="http://kubernetes.io/docs/user-guide/labels#label-selectors">http://kubernetes.io/docs/user-guide/labels#label-selectors</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselector">v1.LabelSelector</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">template</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template&#8217;s node selector (or on every node if no node selector is specified). More info: <a href="http://kubernetes.io/docs/user-guide/replication-controller#pod-template">http://kubernetes.io/docs/user-guide/replication-controller#pod-template</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_podtemplatespec">v1.PodTemplateSpec</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">updateStrategy</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">An update strategy to replace existing DaemonSet pods with new pods.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_daemonsetupdatestrategy">v1beta1.DaemonSetUpdateStrategy</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">minReadySeconds</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">templateGeneration</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A sequence number representing a specific generation of the template. Populated by the system. It can be set only during the creation.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_azurefilevolumesource">v1.AzureFileVolumeSource</h3>
@ -4995,6 +4995,10 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_scaleiovolumesource">v1.ScaleIOVolumeSource</h3>
@ -5461,6 +5465,10 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1beta1_deploymentrollback">v1beta1.DeploymentRollback</h3>
@ -6252,7 +6260,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -6266,7 +6274,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -6275,7 +6283,7 @@ Both these may change in the future. Incoming requests are matched against the h
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@ -6883,7 +6891,7 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -7986,7 +7994,7 @@ Both these may change in the future. Incoming requests are matched against the h
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-05-02 14:38:05 UTC
Last updated 2017-04-26 21:12:08 UTC
</div>
</div>
</body>

18
docs/api-reference/v1/definitions.html
View File

@ -6039,6 +6039,10 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>
</div>
<div class="sect2">
<h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@ -6397,6 +6401,10 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>
</div>
<div class="sect2">
<h3 id="_v1_httpheader">v1.HTTPHeader</h3>
@ -7042,7 +7050,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -7056,7 +7064,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -7065,7 +7073,7 @@ Examples:<br>
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
@ -8092,7 +8100,7 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
@ -9919,7 +9927,7 @@ Examples:<br>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-05-02 14:37:16 UTC
Last updated 2017-04-26 21:11:18 UTC
</div>
</div>
</body>

8
pkg/api/types.go
View File

@ -2153,7 +2153,7 @@ type PodSecurityContext struct {
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// +optional
RunAsUser *int64
RunAsUser *types.UnixUserID
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.
@ -2166,7 +2166,7 @@ type PodSecurityContext struct {
// to the container's primary GID. If unspecified, no groups will be added to
// any container.
// +optional
SupplementalGroups []int64
SupplementalGroups []types.UnixGroupID
// A special supplemental group that applies to all containers in a pod.
// Some volume types allow the Kubelet to change the ownership of that volume
// to be owned by the pod:
@ -2177,7 +2177,7 @@ type PodSecurityContext struct {
//
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// +optional
FSGroup *int64
FSGroup *types.UnixGroupID
}
// PodQOSClass defines the supported qos classes of Pods.
@ -3780,7 +3780,7 @@ type SecurityContext struct {
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// +optional
RunAsUser *int64
RunAsUser *types.UnixUserID
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.

1418
pkg/api/v1/generated.pb.go
View File

File diff suppressed because it is too large Load Diff

169
pkg/api/v1/types.generated.go
View File

@ -35864,6 +35864,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym8 := z.EncBinary()
_ = yym8
if false {
} else if z.HasExtensions() && z.EncExt(yy7) {
} else {
r.EncodeInt(int64(yy7))
}
@ -35883,6 +35884,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym10 := z.EncBinary()
_ = yym10
if false {
} else if z.HasExtensions() && z.EncExt(yy9) {
} else {
r.EncodeInt(int64(yy9))
}
@ -35934,7 +35936,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
_ = yym17
if false {
} else {
z.F.EncSliceInt64V(x.SupplementalGroups, false, e)
h.encSlicetypes_UnixGroupID(([]pkg1_types.UnixGroupID)(x.SupplementalGroups), e)
}
}
} else {
@ -35952,7 +35954,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
_ = yym18
if false {
} else {
z.F.EncSliceInt64V(x.SupplementalGroups, false, e)
h.encSlicetypes_UnixGroupID(([]pkg1_types.UnixGroupID)(x.SupplementalGroups), e)
}
}
}
@ -35967,6 +35969,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym21 := z.EncBinary()
_ = yym21
if false {
} else if z.HasExtensions() && z.EncExt(yy20) {
} else {
r.EncodeInt(int64(yy20))
}
@ -35986,6 +35989,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym23 := z.EncBinary()
_ = yym23
if false {
} else if z.HasExtensions() && z.EncExt(yy22) {
} else {
r.EncodeInt(int64(yy22))
}
@ -36071,11 +36075,12 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
}
} else {
if x.RunAsUser == nil {
x.RunAsUser = new(int64)
x.RunAsUser = new(pkg1_types.UnixUserID)
}
yym6 := z.DecBinary()
_ = yym6
if false {
} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
@ -36105,7 +36110,7 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
_ = yym10
if false {
} else {
z.F.DecSliceInt64X(yyv9, false, d)
h.decSlicetypes_UnixGroupID((*[]pkg1_types.UnixGroupID)(yyv9), d)
}
}
case "fsGroup":
@ -36115,11 +36120,12 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
}
} else {
if x.FSGroup == nil {
x.FSGroup = new(int64)
x.FSGroup = new(pkg1_types.UnixGroupID)
}
yym12 := z.DecBinary()
_ = yym12
if false {
} else if z.HasExtensions() && z.DecExt(x.FSGroup) {
} else {
*((*int64)(x.FSGroup)) = int64(r.DecodeInt(64))
}
@ -36176,11 +36182,12 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
}
} else {
if x.RunAsUser == nil {
x.RunAsUser = new(int64)
x.RunAsUser = new(pkg1_types.UnixUserID)
}
yym16 := z.DecBinary()
_ = yym16
if false {
} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
@ -36230,7 +36237,7 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
_ = yym20
if false {
} else {
z.F.DecSliceInt64X(yyv19, false, d)
h.decSlicetypes_UnixGroupID((*[]pkg1_types.UnixGroupID)(yyv19), d)
}
}
yyj13++
@ -36250,11 +36257,12 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
}
} else {
if x.FSGroup == nil {
x.FSGroup = new(int64)
x.FSGroup = new(pkg1_types.UnixGroupID)
}
yym22 := z.DecBinary()
_ = yym22
if false {
} else if z.HasExtensions() && z.DecExt(x.FSGroup) {
} else {
*((*int64)(x.FSGroup)) = int64(r.DecodeInt(64))
}
@ -66020,6 +66028,7 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym16 := z.EncBinary()
_ = yym16
if false {
} else if z.HasExtensions() && z.EncExt(yy15) {
} else {
r.EncodeInt(int64(yy15))
}
@ -66039,6 +66048,7 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
yym18 := z.EncBinary()
_ = yym18
if false {
} else if z.HasExtensions() && z.EncExt(yy17) {
} else {
r.EncodeInt(int64(yy17))
}
@ -66221,11 +66231,12 @@ func (x *SecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
}
} else {
if x.RunAsUser == nil {
x.RunAsUser = new(int64)
x.RunAsUser = new(pkg1_types.UnixUserID)
}
yym9 := z.DecBinary()
_ = yym9
if false {
} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
@ -66361,11 +66372,12 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
}
} else {
if x.RunAsUser == nil {
x.RunAsUser = new(int64)
x.RunAsUser = new(pkg1_types.UnixUserID)
}
yym20 := z.DecBinary()
_ = yym20
if false {
} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
} else {
*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
}
@ -70239,6 +70251,143 @@ func (x codecSelfer1234) decSliceHostAlias(v *[]HostAlias, d *codec1978.Decoder)
}
}
func (x codecSelfer1234) encSlicetypes_UnixGroupID(v []pkg1_types.UnixGroupID, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
_, _, _ = h, z, r
r.EncodeArrayStart(len(v))
for _, yyv1 := range v {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
yym2 := z.EncBinary()
_ = yym2
if false {
} else if z.HasExtensions() && z.EncExt(yyv1) {
} else {
r.EncodeInt(int64(yyv1))
}
}
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
}
func (x codecSelfer1234) decSlicetypes_UnixGroupID(v *[]pkg1_types.UnixGroupID, d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
yyv1 := *v
yyh1, yyl1 := z.DecSliceHelperStart()
var yyc1 bool
_ = yyc1
if yyl1 == 0 {
if yyv1 == nil {
yyv1 = []pkg1_types.UnixGroupID{}
yyc1 = true
} else if len(yyv1) != 0 {
yyv1 = yyv1[:0]
yyc1 = true
}
} else if yyl1 > 0 {
var yyrr1, yyrl1 int
var yyrt1 bool
_, _ = yyrl1, yyrt1
yyrr1 = yyl1 // len(yyv1)
if yyl1 > cap(yyv1) {
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 8)
if yyrt1 {
if yyrl1 <= cap(yyv1) {
yyv1 = yyv1[:yyrl1]
} else {
yyv1 = make([]pkg1_types.UnixGroupID, yyrl1)
}
} else {
yyv1 = make([]pkg1_types.UnixGroupID, yyrl1)
}
yyc1 = true
yyrr1 = len(yyv1)
} else if yyl1 != len(yyv1) {
yyv1 = yyv1[:yyl1]
yyc1 = true
}
yyj1 := 0
for ; yyj1 < yyrr1; yyj1++ {
yyh1.ElemContainerState(yyj1)
if r.TryDecodeAsNil() {
yyv1[yyj1] = 0
} else {
yyv2 := &yyv1[yyj1]
yym3 := z.DecBinary()
_ = yym3
if false {
} else if z.HasExtensions() && z.DecExt(yyv2) {
} else {
*((*int64)(yyv2)) = int64(r.DecodeInt(64))
}
}
}
if yyrt1 {
for ; yyj1 < yyl1; yyj1++ {
yyv1 = append(yyv1, 0)
yyh1.ElemContainerState(yyj1)
if r.TryDecodeAsNil() {
yyv1[yyj1] = 0
} else {
yyv4 := &yyv1[yyj1]
yym5 := z.DecBinary()
_ = yym5
if false {
} else if z.HasExtensions() && z.DecExt(yyv4) {
} else {
*((*int64)(yyv4)) = int64(r.DecodeInt(64))
}
}
}
}
} else {
yyj1 := 0
for ; !r.CheckBreak(); yyj1++ {
if yyj1 >= len(yyv1) {
yyv1 = append(yyv1, 0) // var yyz1 pkg1_types.UnixGroupID
yyc1 = true
}
yyh1.ElemContainerState(yyj1)
if yyj1 < len(yyv1) {
if r.TryDecodeAsNil() {
yyv1[yyj1] = 0
} else {
yyv6 := &yyv1[yyj1]
yym7 := z.DecBinary()
_ = yym7
if false {
} else if z.HasExtensions() && z.DecExt(yyv6) {
} else {
*((*int64)(yyv6)) = int64(r.DecodeInt(64))
}
}
} else {
z.DecSwallow()
}
}
if yyj1 < len(yyv1) {
yyv1 = yyv1[:yyj1]
yyc1 = true
} else if yyj1 == 0 && yyv1 == nil {
yyv1 = []pkg1_types.UnixGroupID{}
yyc1 = true
}
}
yyh1.End()
if yyc1 {
*v = yyv1
}
}
func (x codecSelfer1234) encSlicePodCondition(v []PodCondition, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)

8
pkg/api/v1/types.go
View File

@ -2440,7 +2440,7 @@ type PodSecurityContext struct {
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// +optional
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.
@ -2453,7 +2453,7 @@ type PodSecurityContext struct {
// to the container's primary GID. If unspecified, no groups will be added to
// any container.
// +optional
SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
SupplementalGroups []types.UnixGroupID `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
// A special supplemental group that applies to all containers in a pod.
// Some volume types allow the Kubelet to change the ownership of that volume
// to be owned by the pod:
@ -2464,7 +2464,7 @@ type PodSecurityContext struct {
//
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// +optional
FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
FSGroup *types.UnixGroupID `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
}
// PodQOSClass defines the supported qos classes of Pods.
@ -4369,7 +4369,7 @@ type SecurityContext struct {
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// +optional
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.

16
pkg/api/v1/zz_generated.conversion.go
View File

@ -3412,10 +3412,10 @@ func Convert_api_PodProxyOptions_To_v1_PodProxyOptions(in *api.PodProxyOptions,
func autoConvert_v1_PodSecurityContext_To_api_PodSecurityContext(in *PodSecurityContext, out *api.PodSecurityContext, s conversion.Scope) error {
out.SELinuxOptions = (*api.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
out.SupplementalGroups = *(*[]types.UnixGroupID)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*types.UnixGroupID)(unsafe.Pointer(in.FSGroup))
return nil
}
@ -3424,10 +3424,10 @@ func autoConvert_api_PodSecurityContext_To_v1_PodSecurityContext(in *api.PodSecu
// INFO: in.HostPID opted out of conversion generation
// INFO: in.HostIPC opted out of conversion generation
out.SELinuxOptions = (*SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
out.SupplementalGroups = *(*[]types.UnixGroupID)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*types.UnixGroupID)(unsafe.Pointer(in.FSGroup))
return nil
}
@ -4487,7 +4487,7 @@ func autoConvert_v1_SecurityContext_To_api_SecurityContext(in *SecurityContext,
out.Capabilities = (*api.Capabilities)(unsafe.Pointer(in.Capabilities))
out.Privileged = (*bool)(unsafe.Pointer(in.Privileged))
out.SELinuxOptions = (*api.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
return nil
@ -4502,7 +4502,7 @@ func autoConvert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityConte
out.Capabilities = (*Capabilities)(unsafe.Pointer(in.Capabilities))
out.Privileged = (*bool)(unsafe.Pointer(in.Privileged))
out.SELinuxOptions = (*SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
return nil

8
pkg/api/v1/zz_generated.deepcopy.go
View File

@ -2317,7 +2317,7 @@ func DeepCopy_v1_PodSecurityContext(in interface{}, out interface{}, c *conversi
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(int64)
*out = new(types.UnixUserID)
**out = **in
}
if in.RunAsNonRoot != nil {
@ -2327,12 +2327,12 @@ func DeepCopy_v1_PodSecurityContext(in interface{}, out interface{}, c *conversi
}
if in.SupplementalGroups != nil {
in, out := &in.SupplementalGroups, &out.SupplementalGroups
*out = make([]int64, len(*in))
*out = make([]types.UnixGroupID, len(*in))
copy(*out, *in)
}
if in.FSGroup != nil {
in, out := &in.FSGroup, &out.FSGroup
*out = new(int64)
*out = new(types.UnixGroupID)
**out = **in
}
return nil
@ -3076,7 +3076,7 @@ func DeepCopy_v1_SecurityContext(in interface{}, out interface{}, c *conversion.
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(int64)
*out = new(types.UnixUserID)
**out = **in
}
if in.RunAsNonRoot != nil {

1
pkg/api/validation/BUILD
View File

@ -82,6 +82,7 @@ go_test(
"//vendor/k8s.io/apimachinery/pkg/api/testing:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",

2
pkg/api/validation/schema.go
View File

@ -359,7 +359,7 @@ func (s *SwaggerSchema) isGenericArray(p swagger.ModelProperty) bool {
}
// This matches type name in the swagger spec, such as "v1.Binding".
var versionRegexp = regexp.MustCompile(`^(v.+|unversioned)\..*`)
var versionRegexp = regexp.MustCompile(`^(v.+|unversioned|types)\..*`)
func (s *SwaggerSchema) validateField(value interface{}, fieldName, fieldType string, fieldDetails *swagger.ModelProperty) []error {
allErrs := []error{}

6
pkg/api/validation/validation.go
View File

@ -2430,17 +2430,17 @@ func ValidatePodSecurityContext(securityContext *api.PodSecurityContext, spec *a
allErrs = append(allErrs, validateHostNetwork(securityContext.HostNetwork, spec.Containers, specPath.Child("containers"))...)
allErrs = append(allErrs, validateHostNetworkNoHostAliases(securityContext.HostNetwork, spec.HostAliases, specPath)...)
if securityContext.FSGroup != nil {
for _, msg := range validation.IsValidGroupId(*securityContext.FSGroup) {
for _, msg := range validation.IsValidGroupID(*securityContext.FSGroup) {
allErrs = append(allErrs, field.Invalid(fldPath.Child("fsGroup"), *(securityContext.FSGroup), msg))
}
}
if securityContext.RunAsUser != nil {
for _, msg := range validation.IsValidUserId(*securityContext.RunAsUser) {
for _, msg := range validation.IsValidUserID(*securityContext.RunAsUser) {
allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *(securityContext.RunAsUser), msg))
}
}
for g, gid := range securityContext.SupplementalGroups {
for _, msg := range validation.IsValidGroupId(gid) {
for _, msg := range validation.IsValidGroupID(gid) {
allErrs = append(allErrs, field.Invalid(fldPath.Child("supplementalGroups").Index(g), gid, msg))
}
}

45
pkg/api/validation/validation_test.go
View File

@ -23,6 +23,7 @@ import (
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
@ -3121,8 +3122,12 @@ func TestValidateDNSPolicy(t *testing.T) {
func TestValidatePodSpec(t *testing.T) {
activeDeadlineSeconds := int64(30)
minID := int64(0)
maxID := int64(2147483647)
minUserID := types.UnixUserID(0)
maxUserID := types.UnixUserID(2147483647)
minGroupID := types.UnixGroupID(0)
maxGroupID := types.UnixGroupID(2147483647)
successCases := []api.PodSpec{
{ // Populate basic fields, leave defaults for most.
Volumes: []api.Volume{{Name: "vol", VolumeSource: api.VolumeSource{EmptyDir: &api.EmptyDirVolumeSource{}}}},
@ -3161,9 +3166,9 @@ func TestValidatePodSpec(t *testing.T) {
{ // Populate RunAsUser SupplementalGroups FSGroup with minID 0
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
SupplementalGroups: []int64{minID},
RunAsUser: &minID,
FSGroup: &minID,
SupplementalGroups: []types.UnixGroupID{minGroupID},
RunAsUser: &minUserID,
FSGroup: &minGroupID,
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@ -3171,9 +3176,9 @@ func TestValidatePodSpec(t *testing.T) {
{ // Populate RunAsUser SupplementalGroups FSGroup with maxID 2147483647
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
SupplementalGroups: []int64{maxID},
RunAsUser: &maxID,
FSGroup: &maxID,
SupplementalGroups: []types.UnixGroupID{maxGroupID},
RunAsUser: &maxUserID,
FSGroup: &maxGroupID,
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@ -3217,8 +3222,12 @@ func TestValidatePodSpec(t *testing.T) {
}
activeDeadlineSeconds = int64(0)
minID = int64(-1)
maxID = int64(2147483648)
minUserID = types.UnixUserID(-1)
maxUserID = types.UnixUserID(2147483648)
minGroupID = types.UnixGroupID(-1)
maxGroupID = types.UnixGroupID(2147483648)
failureCases := map[string]api.PodSpec{
"bad volume": {
Volumes: []api.Volume{{}},
@ -3291,7 +3300,7 @@ func TestValidatePodSpec(t *testing.T) {
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
HostNetwork: false,
SupplementalGroups: []int64{maxID, 1234},
SupplementalGroups: []types.UnixGroupID{maxGroupID, 1234},
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@ -3300,7 +3309,7 @@ func TestValidatePodSpec(t *testing.T) {
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
HostNetwork: false,
SupplementalGroups: []int64{minID, 1234},
SupplementalGroups: []types.UnixGroupID{minGroupID, 1234},
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@ -3309,7 +3318,7 @@ func TestValidatePodSpec(t *testing.T) {
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
HostNetwork: false,
RunAsUser: &maxID,
RunAsUser: &maxUserID,
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@ -3318,7 +3327,7 @@ func TestValidatePodSpec(t *testing.T) {
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
HostNetwork: false,
RunAsUser: &minID,
RunAsUser: &minUserID,
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@ -3327,7 +3336,7 @@ func TestValidatePodSpec(t *testing.T) {
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
HostNetwork: false,
FSGroup: &maxID,
FSGroup: &maxGroupID,
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@ -3336,7 +3345,7 @@ func TestValidatePodSpec(t *testing.T) {
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
SecurityContext: &api.PodSecurityContext{
HostNetwork: false,
FSGroup: &minID,
FSGroup: &minGroupID,
},
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
@ -8721,7 +8730,7 @@ func TestValidateTLSSecret(t *testing.T) {
func TestValidateSecurityContext(t *testing.T) {
priv := false
var runAsUser int64 = 1
runAsUser := types.UnixUserID(1)
fullValidSC := func() *api.SecurityContext {
return &api.SecurityContext{
Privileged: &priv,
@ -8773,7 +8782,7 @@ func TestValidateSecurityContext(t *testing.T) {
privRequestWithGlobalDeny.Privileged = &requestPrivileged
negativeRunAsUser := fullValidSC()
var negativeUser int64 = -1
negativeUser := types.UnixUserID(-1)
negativeRunAsUser.RunAsUser = &negativeUser
errorCases := map[string]struct {

8
pkg/api/zz_generated.deepcopy.go
View File

@ -2335,7 +2335,7 @@ func DeepCopy_api_PodSecurityContext(in interface{}, out interface{}, c *convers
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(int64)
*out = new(types.UnixUserID)
**out = **in
}
if in.RunAsNonRoot != nil {
@ -2345,12 +2345,12 @@ func DeepCopy_api_PodSecurityContext(in interface{}, out interface{}, c *convers
}
if in.SupplementalGroups != nil {
in, out := &in.SupplementalGroups, &out.SupplementalGroups
*out = make([]int64, len(*in))
*out = make([]types.UnixGroupID, len(*in))
copy(*out, *in)
}
if in.FSGroup != nil {
in, out := &in.FSGroup, &out.FSGroup
*out = new(int64)
*out = new(types.UnixGroupID)
**out = **in
}
return nil
@ -3082,7 +3082,7 @@ func DeepCopy_api_SecurityContext(in interface{}, out interface{}, c *conversion
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(int64)
*out = new(types.UnixUserID)
**out = **in
}
if in.RunAsNonRoot != nil {

1
pkg/apis/extensions/BUILD
View File

@ -32,6 +32,7 @@ go_library(
"//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
],
)

23
pkg/apis/extensions/types.go
View File

@ -31,6 +31,7 @@ package extensions
import (
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/kubernetes/pkg/api"
)
@ -948,15 +949,23 @@ type RunAsUserStrategyOptions struct {
Rule RunAsUserStrategy
// Ranges are the allowed ranges of uids that may be used.
// +optional
Ranges []IDRange
Ranges []UserIDRange
}
// IDRange provides a min/max of an allowed range of IDs.
type IDRange struct {
// UserIDRange provides a min/max of an allowed range of UserIDs.
type UserIDRange struct {
// Min is the start of the range, inclusive.
Min int64
Min types.UnixUserID
// Max is the end of the range, inclusive.
Max int64
Max types.UnixUserID
}
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
type GroupIDRange struct {
// Min is the start of the range, inclusive.
Min types.UnixGroupID
// Max is the end of the range, inclusive.
Max types.UnixGroupID
}
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
@ -980,7 +989,7 @@ type FSGroupStrategyOptions struct {
// Ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end.
// +optional
Ranges []IDRange
Ranges []GroupIDRange
}
// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
@ -1002,7 +1011,7 @@ type SupplementalGroupsStrategyOptions struct {
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end.
// +optional
Ranges []IDRange
Ranges []GroupIDRange
}
// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental

30
pkg/apis/extensions/v1beta1/zz_generated.conversion.go
View File

@ -81,8 +81,6 @@ func RegisterConversions(scheme *runtime.Scheme) error {
Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue,
Convert_v1beta1_HostPortRange_To_extensions_HostPortRange,
Convert_extensions_HostPortRange_To_v1beta1_HostPortRange,
Convert_v1beta1_IDRange_To_extensions_IDRange,
Convert_extensions_IDRange_To_v1beta1_IDRange,
Convert_v1beta1_Ingress_To_extensions_Ingress,
Convert_extensions_Ingress_To_v1beta1_Ingress,
Convert_v1beta1_IngressBackend_To_extensions_IngressBackend,
@ -684,7 +682,7 @@ func autoConvert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy(in
func autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.FSGroupStrategyType(in.Rule)
out.Ranges = *(*[]extensions.IDRange)(unsafe.Pointer(&in.Ranges))
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges))
return nil
}
@ -776,28 +774,6 @@ func Convert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.Ho
return autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
}
func autoConvert_v1beta1_IDRange_To_extensions_IDRange(in *IDRange, out *extensions.IDRange, s conversion.Scope) error {
out.Min = in.Min
out.Max = in.Max
return nil
}
// Convert_v1beta1_IDRange_To_extensions_IDRange is an autogenerated conversion function.
func Convert_v1beta1_IDRange_To_extensions_IDRange(in *IDRange, out *extensions.IDRange, s conversion.Scope) error {
return autoConvert_v1beta1_IDRange_To_extensions_IDRange(in, out, s)
}
func autoConvert_extensions_IDRange_To_v1beta1_IDRange(in *extensions.IDRange, out *IDRange, s conversion.Scope) error {
out.Min = in.Min
out.Max = in.Max
return nil
}
// Convert_extensions_IDRange_To_v1beta1_IDRange is an autogenerated conversion function.
func Convert_extensions_IDRange_To_v1beta1_IDRange(in *extensions.IDRange, out *IDRange, s conversion.Scope) error {
return autoConvert_extensions_IDRange_To_v1beta1_IDRange(in, out, s)
}
func autoConvert_v1beta1_Ingress_To_extensions_Ingress(in *Ingress, out *extensions.Ingress, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_v1beta1_IngressSpec_To_extensions_IngressSpec(&in.Spec, &out.Spec, s); err != nil {
@ -1504,7 +1480,7 @@ func autoConvert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDepl
func autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.RunAsUserStrategy(in.Rule)
out.Ranges = *(*[]extensions.IDRange)(unsafe.Pointer(&in.Ranges))
out.Ranges = *(*[]extensions.UserIDRange)(unsafe.Pointer(&in.Ranges))
return nil
}
@ -1613,7 +1589,7 @@ func autoConvert_extensions_ScaleStatus_To_v1beta1_ScaleStatus(in *extensions.Sc
func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
out.Rule = extensions.SupplementalGroupsStrategyType(in.Rule)
out.Ranges = *(*[]extensions.IDRange)(unsafe.Pointer(&in.Ranges))
out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges))
return nil
}

28
pkg/apis/extensions/validation/validation.go
View File

@ -750,7 +750,7 @@ func validatePSPRunAsUser(fldPath *field.Path, runAsUser *extensions.RunAsUserSt
// validate range settings
for idx, rng := range runAsUser.Ranges {
allErrs = append(allErrs, validateIDRanges(fldPath.Child("ranges").Index(idx), rng)...)
allErrs = append(allErrs, validateUserIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
@ -769,7 +769,7 @@ func validatePSPFSGroup(fldPath *field.Path, groupOptions *extensions.FSGroupStr
}
for idx, rng := range groupOptions.Ranges {
allErrs = append(allErrs, validateIDRanges(fldPath.Child("ranges").Index(idx), rng)...)
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
}
@ -787,7 +787,7 @@ func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *extensions.
}
for idx, rng := range groupOptions.Ranges {
allErrs = append(allErrs, validateIDRanges(fldPath.Child("ranges").Index(idx), rng)...)
allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
}
return allErrs
}
@ -837,20 +837,28 @@ func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) fie
return allErrs
}
func validateUserIDRange(fldPath *field.Path, rng extensions.UserIDRange) field.ErrorList {
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
}
func validateGroupIDRange(fldPath *field.Path, rng extensions.GroupIDRange) field.ErrorList {
return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
}
// validateIDRanges ensures the range is valid.
func validateIDRanges(fldPath *field.Path, rng extensions.IDRange) field.ErrorList {
func validateIDRanges(fldPath *field.Path, min, max int64) field.ErrorList {
allErrs := field.ErrorList{}
// if 0 <= Min <= Max then we do not need to validate max. It is always greater than or
// equal to 0 and Min.
if rng.Min < 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), rng.Min, "min cannot be negative"))
if min < 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be negative"))
}
if rng.Max < 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), rng.Max, "max cannot be negative"))
if max < 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), max, "max cannot be negative"))
}
if rng.Min > rng.Max {
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), rng.Min, "min cannot be greater than max"))
if min > max {
allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be greater than max"))
}
return allErrs

12
pkg/apis/extensions/validation/validation_test.go
View File

@ -2346,9 +2346,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
invalidUIDPSP := validPSP()
invalidUIDPSP.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
invalidUIDPSP.Spec.RunAsUser.Ranges = []extensions.IDRange{
{Min: -1, Max: 1},
}
invalidUIDPSP.Spec.RunAsUser.Ranges = []extensions.UserIDRange{{Min: -1, Max: 1}}
missingObjectMetaName := validPSP()
missingObjectMetaName.ObjectMeta.Name = ""
@ -2366,17 +2364,17 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
invalidRangeMinGreaterThanMax := validPSP()
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []extensions.IDRange{
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
{Min: 2, Max: 1},
}
invalidRangeNegativeMin := validPSP()
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []extensions.IDRange{
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
{Min: -1, Max: 10},
}
invalidRangeNegativeMax := validPSP()
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []extensions.IDRange{
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
{Min: 1, Max: -10},
}
@ -2558,7 +2556,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
mustRunAs.Spec.FSGroup.Rule = extensions.FSGroupStrategyMustRunAs
mustRunAs.Spec.SupplementalGroups.Rule = extensions.SupplementalGroupsStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
mustRunAs.Spec.RunAsUser.Ranges = []extensions.IDRange{
mustRunAs.Spec.RunAsUser.Ranges = []extensions.UserIDRange{
{Min: 1, Max: 1},
}
mustRunAs.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs

36
pkg/apis/extensions/zz_generated.deepcopy.go
View File

@ -55,10 +55,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_DeploymentStatus, InType: reflect.TypeOf(&DeploymentStatus{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_DeploymentStrategy, InType: reflect.TypeOf(&DeploymentStrategy{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_FSGroupStrategyOptions, InType: reflect.TypeOf(&FSGroupStrategyOptions{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_GroupIDRange, InType: reflect.TypeOf(&GroupIDRange{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_HTTPIngressPath, InType: reflect.TypeOf(&HTTPIngressPath{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_HTTPIngressRuleValue, InType: reflect.TypeOf(&HTTPIngressRuleValue{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_HostPortRange, InType: reflect.TypeOf(&HostPortRange{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_IDRange, InType: reflect.TypeOf(&IDRange{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_Ingress, InType: reflect.TypeOf(&Ingress{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_IngressBackend, InType: reflect.TypeOf(&IngressBackend{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_IngressList, InType: reflect.TypeOf(&IngressList{})},
@ -95,6 +95,7 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_ThirdPartyResourceData, InType: reflect.TypeOf(&ThirdPartyResourceData{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_ThirdPartyResourceDataList, InType: reflect.TypeOf(&ThirdPartyResourceDataList{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_ThirdPartyResourceList, InType: reflect.TypeOf(&ThirdPartyResourceList{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_UserIDRange, InType: reflect.TypeOf(&UserIDRange{})},
)
}
@ -386,13 +387,22 @@ func DeepCopy_extensions_FSGroupStrategyOptions(in interface{}, out interface{},
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]IDRange, len(*in))
*out = make([]GroupIDRange, len(*in))
copy(*out, *in)
}
return nil
}
}
func DeepCopy_extensions_GroupIDRange(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*GroupIDRange)
out := out.(*GroupIDRange)
*out = *in
return nil
}
}
func DeepCopy_extensions_HTTPIngressPath(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*HTTPIngressPath)
@ -425,15 +435,6 @@ func DeepCopy_extensions_HostPortRange(in interface{}, out interface{}, c *conve
}
}
func DeepCopy_extensions_IDRange(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*IDRange)
out := out.(*IDRange)
*out = *in
return nil
}
}
func DeepCopy_extensions_Ingress(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*Ingress)
@ -906,7 +907,7 @@ func DeepCopy_extensions_RunAsUserStrategyOptions(in interface{}, out interface{
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]IDRange, len(*in))
*out = make([]UserIDRange, len(*in))
copy(*out, *in)
}
return nil
@ -977,7 +978,7 @@ func DeepCopy_extensions_SupplementalGroupsStrategyOptions(in interface{}, out i
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]IDRange, len(*in))
*out = make([]GroupIDRange, len(*in))
copy(*out, *in)
}
return nil
@ -1057,3 +1058,12 @@ func DeepCopy_extensions_ThirdPartyResourceList(in interface{}, out interface{},
return nil
}
}
func DeepCopy_extensions_UserIDRange(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*UserIDRange)
out := out.(*UserIDRange)
*out = *in
return nil
}
}

1
pkg/kubelet/dockershim/securitycontext/BUILD
View File

@ -36,6 +36,7 @@ go_test(
"//pkg/api/testing:go_default_library",
"//pkg/api/v1:go_default_library",
"//vendor/github.com/docker/engine-api/types/container:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)

25
pkg/kubelet/dockershim/securitycontext/provider_test.go
View File

@ -23,13 +23,14 @@ import (
"testing"
dockercontainer "github.com/docker/engine-api/types/container"
"k8s.io/apimachinery/pkg/types"
apitesting "k8s.io/kubernetes/pkg/api/testing"
"k8s.io/kubernetes/pkg/api/v1"
)
func TestModifyContainerConfig(t *testing.T) {
var uid int64 = 123
var overrideUid int64 = 321
userID := types.UnixUserID(123)
overrideUserID := types.UnixUserID(321)
cases := []struct {
name string
@ -40,10 +41,10 @@ func TestModifyContainerConfig(t *testing.T) {
{
name: "container.SecurityContext.RunAsUser set",
sc: &v1.SecurityContext{
RunAsUser: &uid,
RunAsUser: &userID,
},
expected: &dockercontainer.Config{
User: strconv.FormatInt(uid, 10),
User: strconv.FormatInt(int64(userID), 10),
},
},
{
@ -54,22 +55,22 @@ func TestModifyContainerConfig(t *testing.T) {
{
name: "pod.Spec.SecurityContext.RunAsUser set",
podSc: &v1.PodSecurityContext{
RunAsUser: &uid,
RunAsUser: &userID,
},
expected: &dockercontainer.Config{
User: strconv.FormatInt(uid, 10),
User: strconv.FormatInt(int64(userID), 10),
},
},
{
name: "container.SecurityContext.RunAsUser overrides pod.Spec.SecurityContext.RunAsUser",
podSc: &v1.PodSecurityContext{
RunAsUser: &uid,
RunAsUser: &userID,
},
sc: &v1.SecurityContext{
RunAsUser: &overrideUid,
RunAsUser: &overrideUserID,
},
expected: &dockercontainer.Config{
User: strconv.FormatInt(overrideUid, 10),
User: strconv.FormatInt(int64(overrideUserID), 10),
},
},
}
@ -176,7 +177,7 @@ func TestModifyHostConfig(t *testing.T) {
func TestModifyHostConfigPodSecurityContext(t *testing.T) {
supplementalGroupsSC := &v1.PodSecurityContext{}
supplementalGroupsSC.SupplementalGroups = []int64{2222}
supplementalGroupsSC.SupplementalGroups = []types.UnixGroupID{2222}
supplementalGroupHC := fullValidHostConfig()
supplementalGroupHC.GroupAdd = []string{"2222"}
fsGroupHC := fullValidHostConfig()
@ -185,7 +186,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
extraSupplementalGroupHC.GroupAdd = []string{"1234"}
bothHC := fullValidHostConfig()
bothHC.GroupAdd = []string{"2222", "1234"}
fsGroup := int64(1234)
fsGroup := types.UnixGroupID(1234)
extraSupplementalGroup := []int64{1234}
testCases := map[string]struct {
@ -210,7 +211,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
},
"FSGroup + SupplementalGroups": {
securityContext: &v1.PodSecurityContext{
SupplementalGroups: []int64{2222},
SupplementalGroups: []types.UnixGroupID{2222},
FSGroup: &fsGroup,
},
expected: bothHC,

4
pkg/kubelet/kubelet_volumes_test.go
View File

@ -452,10 +452,10 @@ func (f *stubVolume) CanMount() error {
return nil
}
func (f *stubVolume) SetUp(fsGroup *int64) error {
func (f *stubVolume) SetUp(fsGroup *types.UnixGroupID) error {
return nil
}
func (f *stubVolume) SetUpAt(dir string, fsGroup *int64) error {
func (f *stubVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
return nil
}

8
pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
View File

@ -138,7 +138,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
if pod.Spec.SecurityContext != nil {
sc := pod.Spec.SecurityContext
if sc.RunAsUser != nil {
lc.SecurityContext.RunAsUser = &runtimeapi.Int64Value{Value: *sc.RunAsUser}
lc.SecurityContext.RunAsUser = &runtimeapi.Int64Value{Value: int64(*sc.RunAsUser)}
}
lc.SecurityContext.NamespaceOptions = &runtimeapi.NamespaceOption{
HostNetwork: pod.Spec.HostNetwork,
@ -147,13 +147,15 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
}
if sc.FSGroup != nil {
lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, *sc.FSGroup)
lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, int64(*sc.FSGroup))
}
if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, groups...)
}
if sc.SupplementalGroups != nil {
lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, sc.SupplementalGroups...)
for _, sg := range sc.SupplementalGroups {
lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, int64(sg))
}
}
if sc.SELinuxOptions != nil {
lc.SecurityContext.SelinuxOptions = &runtimeapi.SELinuxOption{

8
pkg/kubelet/kuberuntime/security_context.go
View File

@ -53,11 +53,13 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
podSc := pod.Spec.SecurityContext
if podSc != nil {
if podSc.FSGroup != nil {
synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, *podSc.FSGroup)
synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(*podSc.FSGroup))
}
if podSc.SupplementalGroups != nil {
synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, podSc.SupplementalGroups...)
for _, sg := range podSc.SupplementalGroups {
synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(sg))
}
}
}
if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
@ -99,7 +101,7 @@ func convertToRuntimeSecurityContext(securityContext *v1.SecurityContext) *runti
SelinuxOptions: convertToRuntimeSELinuxOption(securityContext.SELinuxOptions),
}
if securityContext.RunAsUser != nil {
sc.RunAsUser = &runtimeapi.Int64Value{Value: *securityContext.RunAsUser}
sc.RunAsUser = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsUser)}
}
if securityContext.Privileged != nil {
sc.Privileged = *securityContext.Privileged

20
pkg/kubelet/rkt/rkt_test.go
View File

@ -972,10 +972,10 @@ func TestSetApp(t *testing.T) {
}
defer os.RemoveAll(tmpDir)
rootUser := int64(0)
nonRootUser := int64(42)
rootUser := kubetypes.UnixUserID(0)
nonRootUser := kubetypes.UnixUserID(42)
runAsNonRootTrue := true
fsgid := int64(3)
fsgid := kubetypes.UnixGroupID(3)
tests := []struct {
container *v1.Container
@ -1081,8 +1081,11 @@ func TestSetApp(t *testing.T) {
RunAsNonRoot: &runAsNonRootTrue,
},
podCtx: &v1.PodSecurityContext{
SupplementalGroups: []int64{1, 2},
FSGroup: &fsgid,
SupplementalGroups: []kubetypes.UnixGroupID{
kubetypes.UnixGroupID(1),
kubetypes.UnixGroupID(2),
},
FSGroup: &fsgid,
},
supplementalGids: []int64{4},
expect: &appctypes.App{
@ -1143,8 +1146,11 @@ func TestSetApp(t *testing.T) {
RunAsNonRoot: &runAsNonRootTrue,
},
podCtx: &v1.PodSecurityContext{
SupplementalGroups: []int64{1, 2},
FSGroup: &fsgid,
SupplementalGroups: []kubetypes.UnixGroupID{
kubetypes.UnixGroupID(1),
kubetypes.UnixGroupID(2),
},
FSGroup: &fsgid,
},
supplementalGids: []int64{4},
expect: &appctypes.App{

1
pkg/kubelet/volumemanager/BUILD
View File

@ -59,6 +59,7 @@ go_test(
"//pkg/volume/util/types:go_default_library",
"//pkg/volume/util/volumehelper:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/client-go/tools/record:go_default_library",
"//vendor/k8s.io/client-go/util/testing:go_default_library",

2
pkg/kubelet/volumemanager/volume_manager.go
View File

@ -434,7 +434,7 @@ func getExtraSupplementalGid(volumeGidValue string, pod *v1.Pod) (int64, bool) {
if pod.Spec.SecurityContext != nil {
for _, existingGid := range pod.Spec.SecurityContext.SupplementalGroups {
if gid == existingGid {
if gid == int64(existingGid) {
return 0, false
}
}

5
pkg/kubelet/volumemanager/volume_manager_test.go
View File

@ -24,6 +24,7 @@ import (
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kubetypes "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/client-go/tools/record"
utiltesting "k8s.io/client-go/util/testing"
@ -115,7 +116,7 @@ func TestGetExtraSupplementalGroupsForPod(t *testing.T) {
expected: []int64{777},
},
{
gidAnnotation: strconv.FormatInt(existingGid, 10),
gidAnnotation: strconv.FormatInt(int64(existingGid), 10),
expected: []int64{},
},
{
@ -240,7 +241,7 @@ func createObjects() (*v1.Node, *v1.Pod, *v1.PersistentVolume, *v1.PersistentVol
},
},
SecurityContext: &v1.PodSecurityContext{
SupplementalGroups: []int64{555},
SupplementalGroups: []kubetypes.UnixGroupID{555},
},
},
}

2
pkg/security/podsecuritypolicy/BUILD
View File

@ -29,6 +29,7 @@ go_library(
"//pkg/security/podsecuritypolicy/user:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//pkg/util/maps:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
@ -48,6 +49,7 @@ go_test(
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/github.com/davecgh/go-spew/spew:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],

2
pkg/security/podsecuritypolicy/group/BUILD
View File

@ -21,6 +21,7 @@ go_library(
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@ -36,6 +37,7 @@ go_test(
deps = [
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)

19
pkg/security/podsecuritypolicy/group/mustrunas.go
View File

@ -19,6 +19,7 @@ package group
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@ -27,14 +28,14 @@ import (
// mustRunAs implements the GroupStrategy interface
type mustRunAs struct {
ranges []extensions.IDRange
ranges []extensions.GroupIDRange
field string
}
var _ GroupStrategy = &mustRunAs{}
// NewMustRunAs provides a new MustRunAs strategy based on ranges.
func NewMustRunAs(ranges []extensions.IDRange, field string) (GroupStrategy, error) {
func NewMustRunAs(ranges []extensions.GroupIDRange, field string) (GroupStrategy, error) {
if len(ranges) == 0 {
return nil, fmt.Errorf("ranges must be supplied for MustRunAs")
}
@ -46,14 +47,14 @@ func NewMustRunAs(ranges []extensions.IDRange, field string) (GroupStrategy, err
// Generate creates the group based on policy rules. By default this returns the first group of the
// first range (min val).
func (s *mustRunAs) Generate(pod *api.Pod) ([]int64, error) {
return []int64{s.ranges[0].Min}, nil
func (s *mustRunAs) Generate(pod *api.Pod) ([]types.UnixGroupID, error) {
return []types.UnixGroupID{s.ranges[0].Min}, nil
}
// Generate a single value to be applied. This is used for FSGroup. This strategy will return
// the first group of the first range (min val).
func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
single := new(int64)
func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
single := new(types.UnixGroupID)
*single = s.ranges[0].Min
return single, nil
}
@ -61,7 +62,7 @@ func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
// Validate ensures that the specified values fall within the range of the strategy.
// Groups are passed in here to allow this strategy to support multiple group fields (fsgroup and
// supplemental groups).
func (s *mustRunAs) Validate(pod *api.Pod, groups []int64) field.ErrorList {
func (s *mustRunAs) Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList {
allErrs := field.ErrorList{}
if pod.Spec.SecurityContext == nil {
@ -83,9 +84,9 @@ func (s *mustRunAs) Validate(pod *api.Pod, groups []int64) field.ErrorList {
return allErrs
}
func (s *mustRunAs) isGroupValid(group int64) bool {
func (s *mustRunAs) isGroupValid(group types.UnixGroupID) bool {
for _, rng := range s.ranges {
if psputil.FallsInRange(group, rng) {
if psputil.GroupFallsInRange(group, rng) {
return true
}
}

51
pkg/security/podsecuritypolicy/group/mustrunas_test.go
View File

@ -19,20 +19,21 @@ package group
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
)
func TestMustRunAsOptions(t *testing.T) {
tests := map[string]struct {
ranges []extensions.IDRange
ranges []extensions.GroupIDRange
pass bool
}{
"empty": {
ranges: []extensions.IDRange{},
ranges: []extensions.GroupIDRange{},
},
"ranges": {
ranges: []extensions.IDRange{
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
},
pass: true,
@ -52,27 +53,27 @@ func TestMustRunAsOptions(t *testing.T) {
func TestGenerate(t *testing.T) {
tests := map[string]struct {
ranges []extensions.IDRange
expected []int64
ranges []extensions.GroupIDRange
expected []types.UnixGroupID
}{
"multi value": {
ranges: []extensions.IDRange{
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 2},
},
expected: []int64{1},
expected: []types.UnixGroupID{1},
},
"single value": {
ranges: []extensions.IDRange{
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
},
expected: []int64{1},
expected: []types.UnixGroupID{1},
},
"multi range": {
ranges: []extensions.IDRange{
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
{Min: 2, Max: 500},
},
expected: []int64{1},
expected: []types.UnixGroupID{1},
},
}
@ -118,59 +119,59 @@ func TestValidate(t *testing.T) {
}
tests := map[string]struct {
ranges []extensions.IDRange
ranges []extensions.GroupIDRange
pod *api.Pod
groups []int64
groups []types.UnixGroupID
pass bool
}{
"nil security context": {
pod: &api.Pod{},
ranges: []extensions.IDRange{
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
},
"empty groups": {
pod: validPod(),
ranges: []extensions.IDRange{
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
},
"not in range": {
pod: validPod(),
groups: []int64{5},
ranges: []extensions.IDRange{
groups: []types.UnixGroupID{5},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
{Min: 4, Max: 4},
},
},
"in range 1": {
pod: validPod(),
groups: []int64{2},
ranges: []extensions.IDRange{
groups: []types.UnixGroupID{2},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
pass: true,
},
"in range boundry min": {
pod: validPod(),
groups: []int64{1},
ranges: []extensions.IDRange{
groups: []types.UnixGroupID{1},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
pass: true,
},
"in range boundry max": {
pod: validPod(),
groups: []int64{3},
ranges: []extensions.IDRange{
groups: []types.UnixGroupID{3},
ranges: []extensions.GroupIDRange{
{Min: 1, Max: 3},
},
pass: true,
},
"singular range": {
pod: validPod(),
groups: []int64{4},
ranges: []extensions.IDRange{
groups: []types.UnixGroupID{4},
ranges: []extensions.GroupIDRange{
{Min: 4, Max: 4},
},
pass: true,

9
pkg/security/podsecuritypolicy/group/runasany.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package group
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
)
@ -33,17 +34,17 @@ func NewRunAsAny() (GroupStrategy, error) {
}
// Generate creates the group based on policy rules. This strategy returns an empty slice.
func (s *runAsAny) Generate(pod *api.Pod) ([]int64, error) {
return []int64{}, nil
func (s *runAsAny) Generate(pod *api.Pod) ([]types.UnixGroupID, error) {
return []types.UnixGroupID{}, nil
}
// Generate a single value to be applied. This is used for FSGroup. This strategy returns nil.
func (s *runAsAny) GenerateSingle(pod *api.Pod) (*int64, error) {
func (s *runAsAny) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
return nil, nil
}
// Validate ensures that the specified values fall within the range of the strategy.
func (s *runAsAny) Validate(pod *api.Pod, groups []int64) field.ErrorList {
func (s *runAsAny) Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList {
return field.ErrorList{}
}

7
pkg/security/podsecuritypolicy/group/types.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package group
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
)
@ -26,10 +27,10 @@ type GroupStrategy interface {
// Generate creates the group based on policy rules. The underlying implementation can
// decide whether it will return a full range of values or a subset of values from the
// configured ranges.
Generate(pod *api.Pod) ([]int64, error)
Generate(pod *api.Pod) ([]types.UnixGroupID, error)
// Generate a single value to be applied. The underlying implementation decides which
// value to return if configured with multiple ranges. This is used for FSGroup.
GenerateSingle(pod *api.Pod) (*int64, error)
GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error)
// Validate ensures that the specified values fall within the range of the strategy.
Validate(pod *api.Pod, groups []int64) field.ErrorList
Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList
}

3
pkg/security/podsecuritypolicy/provider.go
View File

@ -19,6 +19,7 @@ package podsecuritypolicy
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@ -194,7 +195,7 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
return allErrs
}
fsGroups := []int64{}
fsGroups := []types.UnixGroupID{}
if pod.Spec.SecurityContext.FSGroup != nil {
fsGroups = append(fsGroups, *pod.Spec.SecurityContext.FSGroup)
}

35
pkg/security/podsecuritypolicy/provider_test.go
View File

@ -25,6 +25,7 @@ import (
"github.com/davecgh/go-spew/spew"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
@ -69,13 +70,13 @@ func TestCreatePodSecurityContextNonmutating(t *testing.T) {
// these are pod mutating strategies that are tested above
FSGroup: extensions.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyMustRunAs,
Ranges: []extensions.IDRange{
Ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
},
},
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
Ranges: []extensions.IDRange{
Ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
},
},
@ -124,7 +125,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
// Create a PSP with strategies that will populate a blank security context
createPSP := func() *extensions.PodSecurityPolicy {
var uid int64 = 1
uid := types.UnixUserID(1)
return &extensions.PodSecurityPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "psp-sa",
@ -138,7 +139,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
RequiredDropCapabilities: []api.Capability{"bar"},
RunAsUser: extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs,
Ranges: []extensions.IDRange{{Min: uid, Max: uid}},
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
},
SELinux: extensions.SELinuxStrategyOptions{
Rule: extensions.SELinuxStrategyMustRunAs,
@ -195,22 +196,22 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
failHostIPCPod.Spec.SecurityContext.HostIPC = true
failSupplementalGroupPod := defaultPod()
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{999}
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{999}
failSupplementalGroupPSP := defaultPSP()
failSupplementalGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
Ranges: []extensions.IDRange{
Ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
},
}
failFSGroupPod := defaultPod()
fsGroup := int64(999)
fsGroup := types.UnixGroupID(999)
failFSGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
failFSGroupPSP := defaultPSP()
failFSGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyMustRunAs,
Ranges: []extensions.IDRange{
Ranges: []extensions.GroupIDRange{
{Min: 1, Max: 1},
},
}
@ -352,11 +353,11 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
func TestValidateContainerSecurityContextFailures(t *testing.T) {
// fail user strat
failUserPSP := defaultPSP()
var uid int64 = 999
var badUID int64 = 1
uid := types.UnixUserID(999)
badUID := types.UnixUserID(1)
failUserPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs,
Ranges: []extensions.IDRange{{Min: uid, Max: uid}},
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
}
failUserPod := defaultPod()
failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID
@ -511,22 +512,22 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
supGroupPSP := defaultPSP()
supGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
Ranges: []extensions.IDRange{
Ranges: []extensions.GroupIDRange{
{Min: 1, Max: 5},
},
}
supGroupPod := defaultPod()
supGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{3}
supGroupPod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{3}
fsGroupPSP := defaultPSP()
fsGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyMustRunAs,
Ranges: []extensions.IDRange{
Ranges: []extensions.GroupIDRange{
{Min: 1, Max: 5},
},
}
fsGroupPod := defaultPod()
fsGroup := int64(3)
fsGroup := types.UnixGroupID(3)
fsGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
seLinuxPod := defaultPod()
@ -649,10 +650,10 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
// success user strat
userPSP := defaultPSP()
var uid int64 = 999
uid := types.UnixUserID(999)
userPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs,
Ranges: []extensions.IDRange{{Min: uid, Max: uid}},
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
}
userPod := defaultPod()
userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid

2
pkg/security/podsecuritypolicy/user/BUILD
View File

@ -22,6 +22,7 @@ go_library(
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@ -38,6 +39,7 @@ go_test(
deps = [
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)

7
pkg/security/podsecuritypolicy/user/mustrunas.go
View File

@ -19,6 +19,7 @@ package user
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@ -44,7 +45,7 @@ func NewMustRunAs(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrate
}
// Generate creates the uid based on policy rules. MustRunAs returns the first range's Min.
func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
return &s.opts.Ranges[0].Min, nil
}
@ -74,9 +75,9 @@ func (s *mustRunAs) Validate(pod *api.Pod, container *api.Container) field.Error
return allErrs
}
func (s *mustRunAs) isValidUID(id int64) bool {
func (s *mustRunAs) isValidUID(id types.UnixUserID) bool {
for _, rng := range s.opts.Ranges {
if psputil.FallsInRange(id, rng) {
if psputil.UserFallsInRange(id, rng) {
return true
}
}

18
pkg/security/podsecuritypolicy/user/mustrunas_test.go
View File

@ -20,6 +20,7 @@ import (
"strings"
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
)
@ -39,7 +40,7 @@ func TestNewMustRunAs(t *testing.T) {
},
"valid opts": {
opts: &extensions.RunAsUserStrategyOptions{
Ranges: []extensions.IDRange{
Ranges: []extensions.UserIDRange{
{Min: 1, Max: 1},
},
},
@ -59,7 +60,7 @@ func TestNewMustRunAs(t *testing.T) {
func TestGenerate(t *testing.T) {
opts := &extensions.RunAsUserStrategyOptions{
Ranges: []extensions.IDRange{
Ranges: []extensions.UserIDRange{
{Min: 1, Max: 1},
},
}
@ -78,12 +79,15 @@ func TestGenerate(t *testing.T) {
func TestValidate(t *testing.T) {
opts := &extensions.RunAsUserStrategyOptions{
Ranges: []extensions.IDRange{
Ranges: []extensions.UserIDRange{
{Min: 1, Max: 1},
{Min: 10, Max: 20},
},
}
validID := types.UnixUserID(15)
invalidID := types.UnixUserID(21)
tests := map[string]struct {
container *api.Container
expectedMsg string
@ -91,7 +95,7 @@ func TestValidate(t *testing.T) {
"good container": {
container: &api.Container{
SecurityContext: &api.SecurityContext{
RunAsUser: int64Ptr(15),
RunAsUser: &validID,
},
},
},
@ -112,7 +116,7 @@ func TestValidate(t *testing.T) {
"invalid id": {
container: &api.Container{
SecurityContext: &api.SecurityContext{
RunAsUser: int64Ptr(21),
RunAsUser: &invalidID,
},
},
expectedMsg: "does not match required range",
@ -146,7 +150,3 @@ func TestValidate(t *testing.T) {
}
}
}
func int64Ptr(i int64) *int64 {
return &i
}

3
pkg/security/podsecuritypolicy/user/nonroot.go
View File

@ -19,6 +19,7 @@ package user
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@ -34,7 +35,7 @@ func NewRunAsNonRoot(options *extensions.RunAsUserStrategyOptions) (RunAsUserStr
// Generate creates the uid based on policy rules. This strategy does return a UID. It assumes
// that the user will specify a UID or the container image specifies a UID.
func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
return nil, nil
}

7
pkg/security/podsecuritypolicy/user/nonroot_test.go
View File

@ -19,6 +19,7 @@ package user
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
)
@ -49,8 +50,8 @@ func TestNonRootGenerate(t *testing.T) {
}
func TestNonRootValidate(t *testing.T) {
var uid int64 = 1
var badUID int64 = 0
goodUID := types.UnixUserID(1)
badUID := types.UnixUserID(0)
s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})
if err != nil {
t.Fatalf("unexpected error initializing NewMustRunAs %v", err)
@ -66,7 +67,7 @@ func TestNonRootValidate(t *testing.T) {
t.Errorf("expected errors from root uid but got none")
}
container.SecurityContext.RunAsUser = &uid
container.SecurityContext.RunAsUser = &goodUID
errs = s.Validate(nil, container)
if len(errs) != 0 {
t.Errorf("expected no errors from non-root uid but got %v", errs)

3
pkg/security/podsecuritypolicy/user/runasany.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package user
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@ -33,7 +34,7 @@ func NewRunAsAny(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrateg
}
// Generate creates the uid based on policy rules.
func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
return nil, nil
}

3
pkg/security/podsecuritypolicy/user/types.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package user
import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/api"
)
@ -24,7 +25,7 @@ import (
// RunAsUserStrategy defines the interface for all uid constraint strategies.
type RunAsUserStrategy interface {
// Generate creates the uid based on policy rules.
Generate(pod *api.Pod, container *api.Container) (*int64, error)
Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error)
// Validate ensures that the specified values fall within the range of the strategy.
Validate(pod *api.Pod, container *api.Container) field.ErrorList
}

1
pkg/security/podsecuritypolicy/util/BUILD
View File

@ -18,6 +18,7 @@ go_library(
deps = [
"//pkg/api:go_default_library",
"//pkg/apis/extensions:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
],
)

10
pkg/security/podsecuritypolicy/util/util.go
View File

@ -19,6 +19,7 @@ package util
import (
"fmt"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
@ -158,7 +159,12 @@ func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType
return false
}
// FallsInRange is a utility to determine it the id falls in the valid range.
func FallsInRange(id int64, rng extensions.IDRange) bool {
// UserFallsInRange is a utility to determine it the id falls in the valid range.
func UserFallsInRange(id types.UnixUserID, rng extensions.UserIDRange) bool {
return id >= rng.Min && id <= rng.Max
}
// GroupFallsInRange is a utility to determine it the id falls in the valid range.
func GroupFallsInRange(id types.UnixGroupID, rng extensions.GroupIDRange) bool {
return id >= rng.Min && id <= rng.Max
}

6
pkg/securitycontext/BUILD
View File

@ -19,6 +19,7 @@ go_library(
deps = [
"//pkg/api:go_default_library",
"//pkg/api/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)
@ -27,7 +28,10 @@ go_test(
srcs = ["util_test.go"],
library = ":go_default_library",
tags = ["automanaged"],
deps = ["//pkg/api/v1:go_default_library"],
deps = [
"//pkg/api/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
],
)
filegroup(

9
pkg/securitycontext/util.go
View File

@ -20,6 +20,7 @@ import (
"fmt"
"strings"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/v1"
)
@ -119,7 +120,7 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
}
if containerSc.RunAsUser != nil {
effectiveSc.RunAsUser = new(int64)
effectiveSc.RunAsUser = new(types.UnixUserID)
*effectiveSc.RunAsUser = *containerSc.RunAsUser
}
@ -148,7 +149,7 @@ func securityContextFromPodSecurityContext(pod *v1.Pod) *v1.SecurityContext {
*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
}
if pod.Spec.SecurityContext.RunAsUser != nil {
synthesized.RunAsUser = new(int64)
synthesized.RunAsUser = new(types.UnixUserID)
*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
}
@ -191,7 +192,7 @@ func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Cont
}
if containerSc.RunAsUser != nil {
effectiveSc.RunAsUser = new(int64)
effectiveSc.RunAsUser = new(types.UnixUserID)
*effectiveSc.RunAsUser = *containerSc.RunAsUser
}
@ -220,7 +221,7 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
}
if pod.Spec.SecurityContext.RunAsUser != nil {
synthesized.RunAsUser = new(int64)
synthesized.RunAsUser = new(types.UnixUserID)
*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
}

13
pkg/securitycontext/util_test.go
View File

@ -19,6 +19,7 @@ package securitycontext
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api/v1"
)
@ -84,13 +85,13 @@ func compareContexts(name string, ex, ac *v1.SELinuxOptions, t *testing.T) {
}
}
func containerWithUser(ptr *int64) *v1.Container {
func containerWithUser(ptr *types.UnixUserID) *v1.Container {
return &v1.Container{SecurityContext: &v1.SecurityContext{RunAsUser: ptr}}
}
func TestHaRootUID(t *testing.T) {
var nonRoot int64 = 1
var root int64 = 0
nonRoot := types.UnixUserID(1)
root := types.UnixUserID(0)
tests := map[string]struct {
container *v1.Container
@ -120,7 +121,7 @@ func TestHaRootUID(t *testing.T) {
}
func TestHasRunAsUser(t *testing.T) {
var runAsUser int64 = 0
runAsUser := types.UnixUserID(0)
tests := map[string]struct {
container *v1.Container
@ -147,8 +148,8 @@ func TestHasRunAsUser(t *testing.T) {
}
func TestHasRootRunAsUser(t *testing.T) {
var nonRoot int64 = 1
var root int64 = 0
nonRoot := types.UnixUserID(1)
root := types.UnixUserID(0)
tests := map[string]struct {
container *v1.Container

4
pkg/volume/aws_ebs/aws_ebs.go
View File

@ -293,12 +293,12 @@ func (b *awsElasticBlockStoreMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *awsElasticBlockStoreMounter) SetUp(fsGroup *int64) error {
func (b *awsElasticBlockStoreMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUpAt attaches the disk and bind mounts to the volume path.
func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
// TODO: handle failed mounts here.
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("PersistentDisk set up: %s %v %v", dir, !notMnt, err)

4
pkg/volume/azure_dd/azure_dd.go
View File

@ -234,12 +234,12 @@ func (b *azureDiskMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *azureDiskMounter) SetUp(fsGroup *int64) error {
func (b *azureDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUpAt attaches the disk and bind mounts to the volume path.
func (b *azureDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *azureDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
b.plugin.volumeLocks.LockKey(b.diskName)
defer b.plugin.volumeLocks.UnlockKey(b.diskName)

4
pkg/volume/azure_file/azure_file.go
View File

@ -189,11 +189,11 @@ func (b *azureFileMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *azureFileMounter) SetUp(fsGroup *int64) error {
func (b *azureFileMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *azureFileMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *azureFileMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("AzureFile mount set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/cephfs/cephfs.go
View File

@ -217,12 +217,12 @@ func (cephfsMounter *cephfsMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (cephfsVolume *cephfsMounter) SetUp(fsGroup *int64) error {
func (cephfsVolume *cephfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
return cephfsVolume.SetUpAt(cephfsVolume.GetPath(), fsGroup)
}
// SetUpAt attaches the disk and bind mounts to the volume path.
func (cephfsVolume *cephfsMounter) SetUpAt(dir string, fsGroup *int64) error {
func (cephfsVolume *cephfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
notMnt, err := cephfsVolume.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("CephFS mount set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/cinder/cinder.go
View File

@ -298,12 +298,12 @@ func (b *cinderVolumeMounter) CanMount() error {
return nil
}
func (b *cinderVolumeMounter) SetUp(fsGroup *int64) error {
func (b *cinderVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUp bind mounts to the volume path.
func (b *cinderVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *cinderVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
glog.V(5).Infof("Cinder SetUp %s to %s", b.pdName, dir)
b.plugin.volumeLocks.LockKey(b.pdName)

4
pkg/volume/configmap/configmap.go
View File

@ -158,11 +158,11 @@ func (b *configMapVolumeMounter) CanMount() error {
return nil
}
func (b *configMapVolumeMounter) SetUp(fsGroup *int64) error {
func (b *configMapVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *configMapVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *configMapVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
// Wrap EmptyDir, let it do the setup.

8
pkg/volume/configmap/configmap_test.go
View File

@ -333,7 +333,7 @@ func TestPlugin(t *testing.T) {
t.Errorf("Got unexpected path: %s", volumePath)
}
fsGroup := int64(1001)
fsGroup := types.UnixGroupID(1001)
err = mounter.SetUp(&fsGroup)
if err != nil {
t.Errorf("Failed to setup volume: %v", err)
@ -391,7 +391,7 @@ func TestPluginReboot(t *testing.T) {
t.Errorf("Got unexpected path: %s", volumePath)
}
fsGroup := int64(1001)
fsGroup := types.UnixGroupID(1001)
err = mounter.SetUp(&fsGroup)
if err != nil {
t.Errorf("Failed to setup volume: %v", err)
@ -453,7 +453,7 @@ func TestPluginOptional(t *testing.T) {
t.Errorf("Got unexpected path: %s", volumePath)
}
fsGroup := int64(1001)
fsGroup := types.UnixGroupID(1001)
err = mounter.SetUp(&fsGroup)
if err != nil {
t.Errorf("Failed to setup volume: %v", err)
@ -528,7 +528,7 @@ func TestPluginKeysOptional(t *testing.T) {
t.Errorf("Got unexpected path: %s", volumePath)
}
fsGroup := int64(1001)
fsGroup := types.UnixGroupID(1001)
err = mounter.SetUp(&fsGroup)
if err != nil {
t.Errorf("Failed to setup volume: %v", err)

4
pkg/volume/downwardapi/downwardapi.go
View File

@ -168,11 +168,11 @@ func (b *downwardAPIVolumeMounter) CanMount() error {
// This function is not idempotent by design. We want the data to be refreshed periodically.
// The internal sync interval of kubelet will drive the refresh of data.
// TODO: Add volume specific ticker and refresh loop
func (b *downwardAPIVolumeMounter) SetUp(fsGroup *int64) error {
func (b *downwardAPIVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *downwardAPIVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *downwardAPIVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
glog.V(3).Infof("Setting up a downwardAPI volume %v for pod %v/%v at %v", b.volName, b.pod.Namespace, b.pod.Name, dir)
// Wrap EmptyDir. Here we rely on the idempotency of the wrapped plugin to avoid repeatedly mounting
wrapped, err := b.plugin.host.NewWrapperMounter(b.volName, wrappedVolumeSpec(), b.pod, *b.opts)

4
pkg/volume/empty_dir/empty_dir.go
View File

@ -191,12 +191,12 @@ func (b *emptyDir) CanMount() error {
}
// SetUp creates new directory.
func (ed *emptyDir) SetUp(fsGroup *int64) error {
func (ed *emptyDir) SetUp(fsGroup *types.UnixGroupID) error {
return ed.SetUpAt(ed.GetPath(), fsGroup)
}
// SetUpAt creates new directory.
func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error {
func (ed *emptyDir) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
notMnt, err := ed.mounter.IsLikelyNotMountPoint(dir)
// Getting an os.IsNotExist err from is a contingency; the directory
// may not exist yet, in which case, setup should run.

3
pkg/volume/fc/disk_manager.go
View File

@ -20,6 +20,7 @@ import (
"os"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/volume"
)
@ -34,7 +35,7 @@ type diskManager interface {
}
// utility to mount a disk based filesystem
func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
globalPDPath := manager.MakeGlobalPDName(*b.fcDisk)
// TODO: handle failed mounts here.
noMnt, err := mounter.IsLikelyNotMountPoint(volPath)

4
pkg/volume/fc/fc.go
View File

@ -204,11 +204,11 @@ func (b *fcDiskMounter) CanMount() error {
return nil
}
func (b *fcDiskMounter) SetUp(fsGroup *int64) error {
func (b *fcDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *fcDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *fcDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
// diskSetUp checks mountpoints and prevent repeated calls
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
if err != nil {

4
pkg/volume/flexvolume/mounter-defaults.go
View File

@ -18,8 +18,10 @@ package flexvolume
import (
"fmt"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/volume"
)
@ -27,7 +29,7 @@ type mounterDefaults flexVolumeMounter
// SetUpAt is part of the volume.Mounter interface.
// This implementation relies on the attacher's device mount path and does a bind mount to dir.
func (f *mounterDefaults) SetUpAt(dir string, fsGroup *int64) error {
func (f *mounterDefaults) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
glog.Warning(logPrefix(f.plugin), "using default SetUpAt to ", dir)
a, err := f.plugin.NewAttacher()

7
pkg/volume/flexvolume/mounter.go
View File

@ -19,6 +19,7 @@ package flexvolume
import (
"strconv"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/util/exec"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/volume"
@ -43,12 +44,12 @@ var _ volume.Mounter = &flexVolumeMounter{}
// Mounter interface
// SetUp creates new directory.
func (f *flexVolumeMounter) SetUp(fsGroup *int64) error {
func (f *flexVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return f.SetUpAt(f.GetPath(), fsGroup)
}
// SetUpAt creates new directory.
func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
// Mount only once.
alreadyMounted, err := prepareForMount(f.mounter, dir)
if err != nil {
@ -72,7 +73,7 @@ func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
// Implicit parameters
if fsGroup != nil {
extraOptions[optionFSGroup] = strconv.FormatInt(*fsGroup, 10)
extraOptions[optionFSGroup] = strconv.FormatInt(int64(*fsGroup), 10)
}
call.AppendSpec(f.spec, f.plugin.host, extraOptions)

3
pkg/volume/flexvolume/mounter_test.go
View File

@ -19,6 +19,7 @@ package flexvolume
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api/v1"
"k8s.io/kubernetes/pkg/util/mount"
)
@ -47,6 +48,6 @@ func TestSetUpAt(t *testing.T) {
m, _ := plugin.newMounterInternal(spec, pod, mounter, plugin.runner)
m.SetUpAt(rootDir+"/mount-dir", nil)
fsGroup := int64(42)
fsGroup := types.UnixGroupID(42)
m.SetUpAt(rootDir+"/mount-dir", &fsGroup)
}

4
pkg/volume/flocker/flocker.go
View File

@ -232,7 +232,7 @@ func (b *flockerVolumeMounter) GetPath() string {
}
// SetUp bind mounts the disk global mount to the volume path.
func (b *flockerVolumeMounter) SetUp(fsGroup *int64) error {
func (b *flockerVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
@ -274,7 +274,7 @@ control service:
need to update the Primary UUID for this volume.
5. Wait until the Primary UUID was updated or timeout.
*/
func (b *flockerVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *flockerVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
var err error
if b.flockerClient == nil {
b.flockerClient, err = b.newFlockerClient()

4
pkg/volume/gce_pd/gce_pd.go
View File

@ -256,12 +256,12 @@ func (b *gcePersistentDiskMounter) CanMount() error {
}
// SetUp bind mounts the disk global mount to the volume path.
func (b *gcePersistentDiskMounter) SetUp(fsGroup *int64) error {
func (b *gcePersistentDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUp bind mounts the disk global mount to the give volume path.
func (b *gcePersistentDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *gcePersistentDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
// TODO: handle failed mounts here.
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("GCE PersistentDisk set up: Dir (%s) PD name (%q) Mounted (%t) Error (%v), ReadOnly (%t)", dir, b.pdName, !notMnt, err, b.readOnly)

4
pkg/volume/git_repo/git_repo.go
View File

@ -171,12 +171,12 @@ func (b *gitRepoVolumeMounter) CanMount() error {
}
// SetUp creates new directory and clones a git repo.
func (b *gitRepoVolumeMounter) SetUp(fsGroup *int64) error {
func (b *gitRepoVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUpAt creates new directory and clones a git repo.
func (b *gitRepoVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *gitRepoVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
if volumeutil.IsReady(b.getMetaDir()) {
return nil
}

4
pkg/volume/glusterfs/glusterfs.go
View File

@ -251,11 +251,11 @@ func (b *glusterfsMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *glusterfsMounter) SetUp(fsGroup *int64) error {
func (b *glusterfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *glusterfsMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *glusterfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("glusterfs: mount set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/host_path/host_path.go
View File

@ -203,12 +203,12 @@ func (b *hostPathMounter) CanMount() error {
}
// SetUp does nothing.
func (b *hostPathMounter) SetUp(fsGroup *int64) error {
func (b *hostPathMounter) SetUp(fsGroup *types.UnixGroupID) error {
return nil
}
// SetUpAt does not make sense for host paths - probably programmer error.
func (b *hostPathMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *hostPathMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
return fmt.Errorf("SetUpAt() does not make sense for host paths")
}

3
pkg/volume/iscsi/disk_manager.go
View File

@ -20,6 +20,7 @@ import (
"os"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/volume"
)
@ -34,7 +35,7 @@ type diskManager interface {
}
// utility to mount a disk based filesystem
func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
globalPDPath := manager.MakeGlobalPDName(*b.iscsiDisk)
// TODO: handle failed mounts here.
notMnt, err := mounter.IsLikelyNotMountPoint(volPath)

4
pkg/volume/iscsi/iscsi.go
View File

@ -236,11 +236,11 @@ func (b *iscsiDiskMounter) CanMount() error {
return nil
}
func (b *iscsiDiskMounter) SetUp(fsGroup *int64) error {
func (b *iscsiDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *iscsiDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *iscsiDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
// diskSetUp checks mountpoints and prevent repeated calls
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
if err != nil {

4
pkg/volume/nfs/nfs.go
View File

@ -233,11 +233,11 @@ func (b *nfsMounter) GetAttributes() volume.Attributes {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *nfsMounter) SetUp(fsGroup *int64) error {
func (b *nfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *nfsMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *nfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("NFS mount set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/photon_pd/photon_pd.go
View File

@ -194,12 +194,12 @@ func (b *photonPersistentDiskMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *photonPersistentDiskMounter) SetUp(fsGroup *int64) error {
func (b *photonPersistentDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *photonPersistentDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *photonPersistentDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
glog.V(4).Infof("Photon Persistent Disk setup %s to %s", b.pdID, dir)
// TODO: handle failed mounts here.

4
pkg/volume/portworx/portworx.go
View File

@ -255,12 +255,12 @@ func (b *portworxVolumeMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *portworxVolumeMounter) SetUp(fsGroup *int64) error {
func (b *portworxVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
// SetUpAt attaches the disk and bind mounts to the volume path.
func (b *portworxVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *portworxVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
glog.V(4).Infof("Portworx Volume set up: %s %v %v", dir, !notMnt, err)
if err != nil && !os.IsNotExist(err) {

4
pkg/volume/projected/projected.go
View File

@ -175,11 +175,11 @@ func (s *projectedVolumeMounter) CanMount() error {
return nil
}
func (s *projectedVolumeMounter) SetUp(fsGroup *int64) error {
func (s *projectedVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return s.SetUpAt(s.GetPath(), fsGroup)
}
func (s *projectedVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (s *projectedVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
glog.V(3).Infof("Setting up volume %v for pod %v at %v", s.volName, s.pod.UID, dir)
wrapped, err := s.plugin.host.NewWrapperMounter(s.volName, wrappedVolumeSpec(), s.pod, *s.opts)

4
pkg/volume/quobyte/quobyte.go
View File

@ -237,12 +237,12 @@ func (mounter *quobyteMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (mounter *quobyteMounter) SetUp(fsGroup *int64) error {
func (mounter *quobyteMounter) SetUp(fsGroup *types.UnixGroupID) error {
pluginDir := mounter.plugin.host.GetPluginDir(strings.EscapeQualifiedNameForDisk(quobytePluginName))
return mounter.SetUpAt(pluginDir, fsGroup)
}
func (mounter *quobyteMounter) SetUpAt(dir string, fsGroup *int64) error {
func (mounter *quobyteMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
// Check if Quobyte is already mounted on the host in the Plugin Dir
// if so we can use this mountpoint instead of creating a new one
// IsLikelyNotMountPoint wouldn't check the mount type

3
pkg/volume/rbd/disk_manager.go
View File

@ -26,6 +26,7 @@ import (
"os"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/api/v1"
"k8s.io/kubernetes/pkg/util/mount"
"k8s.io/kubernetes/pkg/volume"
@ -45,7 +46,7 @@ type diskManager interface {
}
// utility to mount a disk based filesystem
func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
globalPDPath := manager.MakeGlobalPDName(*b.rbd)
// TODO: handle failed mounts here.
notMnt, err := mounter.IsLikelyNotMountPoint(volPath)

4
pkg/volume/rbd/rbd.go
View File

@ -396,11 +396,11 @@ func (b *rbdMounter) CanMount() error {
return nil
}
func (b *rbdMounter) SetUp(fsGroup *int64) error {
func (b *rbdMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *rbdMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *rbdMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
// diskSetUp checks mountpoints and prevent repeated calls
glog.V(4).Infof("rbd: attempting to SetUp and mount %s", dir)
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)

4
pkg/volume/scaleio/sio_volume.go
View File

@ -78,12 +78,12 @@ func (v *sioVolume) CanMount() error {
return nil
}
func (v *sioVolume) SetUp(fsGroup *int64) error {
func (v *sioVolume) SetUp(fsGroup *types.UnixGroupID) error {
return v.SetUpAt(v.GetPath(), fsGroup)
}
// SetUp bind mounts the disk global mount to the volume path.
func (v *sioVolume) SetUpAt(dir string, fsGroup *int64) error {
func (v *sioVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
v.plugin.volumeMtx.LockKey(v.volSpecName)
defer v.plugin.volumeMtx.UnlockKey(v.volSpecName)

4
pkg/volume/secret/secret.go
View File

@ -178,11 +178,11 @@ func (b *secretVolumeMounter) CanMount() error {
return nil
}
func (b *secretVolumeMounter) SetUp(fsGroup *int64) error {
func (b *secretVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
// Wrap EmptyDir, let it do the setup.

4
pkg/volume/testing/testing.go
View File

@ -339,7 +339,7 @@ func (fv *FakeVolume) CanMount() error {
return nil
}
func (fv *FakeVolume) SetUp(fsGroup *int64) error {
func (fv *FakeVolume) SetUp(fsGroup *types.UnixGroupID) error {
fv.Lock()
defer fv.Unlock()
fv.SetUpCallCount++
@ -352,7 +352,7 @@ func (fv *FakeVolume) GetSetUpCallCount() int {
return fv.SetUpCallCount
}
func (fv *FakeVolume) SetUpAt(dir string, fsGroup *int64) error {
func (fv *FakeVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
return os.MkdirAll(dir, 0750)
}

2
pkg/volume/util/operationexecutor/operation_generator.go
View File

@ -383,7 +383,7 @@ func (og *operationGenerator) GenerateMountVolumeFunc(
volumeAttacher, _ = attachableVolumePlugin.NewAttacher()
}
var fsGroup *int64
var fsGroup *types.UnixGroupID
if volumeToMount.Pod.Spec.SecurityContext != nil &&
volumeToMount.Pod.Spec.SecurityContext.FSGroup != nil {
fsGroup = volumeToMount.Pod.Spec.SecurityContext.FSGroup

4
pkg/volume/volume.go
View File

@ -109,14 +109,14 @@ type Mounter interface {
// content should be owned by 'fsGroup' so that it can be
// accessed by the pod. This may be called more than once, so
// implementations must be idempotent.
SetUp(fsGroup *int64) error
SetUp(fsGroup *types.UnixGroupID) error
// SetUpAt prepares and mounts/unpacks the volume to the
// specified directory path, which may or may not exist yet.
// The mount point and its content should be owned by
// 'fsGroup' so that it can be accessed by the pod. This may
// be called more than once, so implementations must be
// idempotent.
SetUpAt(dir string, fsGroup *int64) error
SetUpAt(dir string, fsGroup *types.UnixGroupID) error
// GetAttributes returns the attributes of the mounter.
GetAttributes() Attributes
}

4
pkg/volume/volume_linux.go
View File

@ -24,6 +24,8 @@ import (
"os"
"k8s.io/apimachinery/pkg/types"
"github.com/golang/glog"
)
@ -35,7 +37,7 @@ const (
// SetVolumeOwnership modifies the given volume to be owned by
// fsGroup, and sets SetGid so that newly created files are owned by
// fsGroup. If fsGroup is nil nothing is done.
func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error {
func SetVolumeOwnership(mounter Mounter, fsGroup *types.UnixGroupID) error {
if fsGroup == nil {
return nil

4
pkg/volume/volume_unsupported.go
View File

@ -18,6 +18,8 @@ limitations under the License.
package volume
func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error {
import "k8s.io/apimachinery/pkg/types"
func SetVolumeOwnership(mounter Mounter, fsGroup *types.UnixGroupID) error {
return nil
}

4
pkg/volume/vsphere_volume/vsphere_volume.go
View File

@ -193,7 +193,7 @@ func (b *vsphereVolumeMounter) GetAttributes() volume.Attributes {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *vsphereVolumeMounter) SetUp(fsGroup *int64) error {
func (b *vsphereVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
return b.SetUpAt(b.GetPath(), fsGroup)
}
@ -205,7 +205,7 @@ func (b *vsphereVolumeMounter) CanMount() error {
}
// SetUp attaches the disk and bind mounts to the volume path.
func (b *vsphereVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
func (b *vsphereVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
glog.V(5).Infof("vSphere volume setup %s to %s", b.volPath, dir)
// TODO: handle failed mounts here.

1
plugin/pkg/admission/security/podsecuritypolicy/BUILD
View File

@ -50,6 +50,7 @@ go_test(
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apiserver/pkg/admission:go_default_library",

62
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@ -25,6 +25,7 @@ import (
"github.com/stretchr/testify/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/sets"
kadmission "k8s.io/apiserver/pkg/admission"
@ -834,7 +835,8 @@ func TestAdmitRunAsUser(t *testing.T) {
// doesn't matter if we set it here or on the container, the
// admission controller uses DetermineEffectiveSC to get the defaulting
// behavior so it can validate what will be applied at runtime
pod.Spec.SecurityContext.RunAsUser = &user
userID := types.UnixUserID(user)
pod.Spec.SecurityContext.RunAsUser = &userID
return pod
}
@ -853,7 +855,7 @@ func TestAdmitRunAsUser(t *testing.T) {
pod *kapi.Pod
psps []*extensions.PodSecurityPolicy
shouldPass bool
expectedRunAsUser *int
expectedRunAsUser *types.UnixUserID
expectedPSP string
}{
"runAsAny no pod request": {
@ -867,7 +869,7 @@ func TestAdmitRunAsUser(t *testing.T) {
pod: createPodWithRunAsUser(1),
psps: []*extensions.PodSecurityPolicy{runAsAny},
shouldPass: true,
expectedRunAsUser: intPtr(1),
expectedRunAsUser: userIDPtr(1),
expectedPSP: runAsAny.Name,
},
"mustRunAs pod request out of range": {
@ -879,14 +881,14 @@ func TestAdmitRunAsUser(t *testing.T) {
pod: createPodWithRunAsUser(999),
psps: []*extensions.PodSecurityPolicy{mustRunAs},
shouldPass: true,
expectedRunAsUser: intPtr(int(mustRunAs.Spec.RunAsUser.Ranges[0].Min)),
expectedRunAsUser: &mustRunAs.Spec.RunAsUser.Ranges[0].Min,
expectedPSP: mustRunAs.Name,
},
"mustRunAs no pod request": {
pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{mustRunAs},
shouldPass: true,
expectedRunAsUser: intPtr(int(mustRunAs.Spec.RunAsUser.Ranges[0].Min)),
expectedRunAsUser: &mustRunAs.Spec.RunAsUser.Ranges[0].Min,
expectedPSP: mustRunAs.Name,
},
"runAsNonRoot no pod request": {
@ -905,7 +907,7 @@ func TestAdmitRunAsUser(t *testing.T) {
pod: createPodWithRunAsUser(1),
psps: []*extensions.PodSecurityPolicy{runAsNonRoot},
shouldPass: true,
expectedRunAsUser: intPtr(1),
expectedRunAsUser: userIDPtr(1),
expectedPSP: runAsNonRoot.Name,
},
}
@ -926,7 +928,7 @@ func TestAdmitRunAsUser(t *testing.T) {
t.Errorf("%s expected RunAsUser to be nil but found: %v", k, *v.pod.Spec.Containers[0].SecurityContext.RunAsUser)
continue
}
if int64(*v.expectedRunAsUser) != *v.pod.Spec.Containers[0].SecurityContext.RunAsUser {
if *v.expectedRunAsUser != *v.pod.Spec.Containers[0].SecurityContext.RunAsUser {
t.Errorf("%s expected RunAsUser to be: %v but found %v", k, *v.expectedRunAsUser, *v.pod.Spec.Containers[0].SecurityContext.RunAsUser)
}
}
@ -939,7 +941,8 @@ func TestAdmitSupplementalGroups(t *testing.T) {
// doesn't matter if we set it here or on the container, the
// admission controller uses DetermineEffectiveSC to get the defaulting
// behavior so it can validate what will be applied at runtime
pod.Spec.SecurityContext.SupplementalGroups = []int64{group}
groupID := types.UnixGroupID(group)
pod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{groupID}
return pod
}
@ -954,28 +957,28 @@ func TestAdmitSupplementalGroups(t *testing.T) {
pod *kapi.Pod
psps []*extensions.PodSecurityPolicy
shouldPass bool
expectedSupGroups []int64
expectedSupGroups []types.UnixGroupID
expectedPSP string
}{
"runAsAny no pod request": {
pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{runAsAny},
shouldPass: true,
expectedSupGroups: []int64{},
expectedSupGroups: []types.UnixGroupID{},
expectedPSP: runAsAny.Name,
},
"runAsAny pod request": {
pod: createPodWithSupGroup(1),
psps: []*extensions.PodSecurityPolicy{runAsAny},
shouldPass: true,
expectedSupGroups: []int64{1},
expectedSupGroups: []types.UnixGroupID{1},
expectedPSP: runAsAny.Name,
},
"mustRunAs no pod request": {
pod: goodPod(),
psps: []*extensions.PodSecurityPolicy{mustRunAs},
shouldPass: true,
expectedSupGroups: []int64{mustRunAs.Spec.SupplementalGroups.Ranges[0].Min},
expectedSupGroups: []types.UnixGroupID{mustRunAs.Spec.SupplementalGroups.Ranges[0].Min},
expectedPSP: mustRunAs.Name,
},
"mustRunAs bad pod request": {
@ -987,7 +990,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
pod: createPodWithSupGroup(999),
psps: []*extensions.PodSecurityPolicy{mustRunAs},
shouldPass: true,
expectedSupGroups: []int64{999},
expectedSupGroups: []types.UnixGroupID{999},
expectedPSP: mustRunAs.Name,
},
}
@ -1012,12 +1015,12 @@ func TestAdmitSupplementalGroups(t *testing.T) {
}
func TestAdmitFSGroup(t *testing.T) {
createPodWithFSGroup := func(group int64) *kapi.Pod {
createPodWithFSGroup := func(group int) *kapi.Pod {
pod := goodPod()
// doesn't matter if we set it here or on the container, the
// admission controller uses DetermineEffectiveSC to get the defaulting
// behavior so it can validate what will be applied at runtime
pod.Spec.SecurityContext.FSGroup = &group
pod.Spec.SecurityContext.FSGroup = groupIDPtr(group)
return pod
}
@ -1032,7 +1035,7 @@ func TestAdmitFSGroup(t *testing.T) {
pod *kapi.Pod
psps []*extensions.PodSecurityPolicy
shouldPass bool
expectedFSGroup *int64
expectedFSGroup *types.UnixGroupID
expectedPSP string
}{
"runAsAny no pod request": {
@ -1046,7 +1049,7 @@ func TestAdmitFSGroup(t *testing.T) {
pod: createPodWithFSGroup(1),
psps: []*extensions.PodSecurityPolicy{runAsAny},
shouldPass: true,
expectedFSGroup: int64Ptr(1),
expectedFSGroup: groupIDPtr(1),
expectedPSP: runAsAny.Name,
},
"mustRunAs no pod request": {
@ -1065,7 +1068,7 @@ func TestAdmitFSGroup(t *testing.T) {
pod: createPodWithFSGroup(999),
psps: []*extensions.PodSecurityPolicy{mustRunAs},
shouldPass: true,
expectedFSGroup: int64Ptr(999),
expectedFSGroup: groupIDPtr(999),
expectedPSP: mustRunAs.Name,
},
}
@ -1707,8 +1710,8 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
Spec: extensions.PodSecurityPolicySpec{
RunAsUser: extensions.RunAsUserStrategyOptions{
Rule: extensions.RunAsUserStrategyMustRunAs,
Ranges: []extensions.IDRange{
{Min: 999, Max: 999},
Ranges: []extensions.UserIDRange{
{Min: types.UnixUserID(999), Max: types.UnixUserID(999)},
},
},
SELinux: extensions.SELinuxStrategyOptions{
@ -1719,14 +1722,14 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
},
FSGroup: extensions.FSGroupStrategyOptions{
Rule: extensions.FSGroupStrategyMustRunAs,
Ranges: []extensions.IDRange{
{Min: 999, Max: 999},
Ranges: []extensions.GroupIDRange{
{Min: types.UnixGroupID(999), Max: types.UnixGroupID(999)},
},
},
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
Ranges: []extensions.IDRange{
{Min: 999, Max: 999},
Ranges: []extensions.GroupIDRange{
{Min: types.UnixGroupID(999), Max: types.UnixGroupID(999)},
},
},
},
@ -1771,11 +1774,12 @@ func goodPod() *kapi.Pod {
}
}
func intPtr(i int) *int {
return &i
func userIDPtr(i int) *types.UnixUserID {
userID := types.UnixUserID(i)
return &userID
}
func int64Ptr(i int) *int64 {
i64 := int64(i)
return &i64
func groupIDPtr(i int) *types.UnixGroupID {
groupID := types.UnixGroupID(i)
return &groupID
}

1
plugin/pkg/admission/securitycontext/scdeny/BUILD
View File

@ -27,6 +27,7 @@ go_test(
tags = ["automanaged"],
deps = [
"//pkg/api:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
],
)

7
plugin/pkg/admission/securitycontext/scdeny/admission_test.go
View File

@ -19,6 +19,7 @@ package scdeny
import (
"testing"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apiserver/pkg/admission"
"k8s.io/kubernetes/pkg/api"
)
@ -27,7 +28,7 @@ import (
func TestAdmission(t *testing.T) {
handler := NewSecurityContextDeny()
var runAsUser int64 = 1
runAsUser := types.UnixUserID(1)
priv := true
cases := []struct {
@ -115,7 +116,7 @@ func TestPodSecurityContextAdmission(t *testing.T) {
},
}
fsGroup := int64(1001)
fsGroup := types.UnixGroupID(1001)
tests := []struct {
securityContext api.PodSecurityContext
@ -127,7 +128,7 @@ func TestPodSecurityContextAdmission(t *testing.T) {
},
{
securityContext: api.PodSecurityContext{
SupplementalGroups: []int64{1234},
SupplementalGroups: []types.UnixGroupID{types.UnixGroupID(1234)},
},
errorExpected: true,
},

2
staging/src/k8s.io/apimachinery/pkg/util/validation/BUILD
View File

@ -13,10 +13,12 @@ go_test(
srcs = ["validation_test.go"],
library = ":go_default_library",
tags = ["automanaged"],
deps = ["//vendor/k8s.io/apimachinery/pkg/types:go_default_library"],
)
go_library(
name = "go_default_library",
srcs = ["validation.go"],
tags = ["automanaged"],
deps = ["//vendor/k8s.io/apimachinery/pkg/types:go_default_library"],
)

10
staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go
View File

@ -22,6 +22,8 @@ import (
"net"
"regexp"
"strings"
"k8s.io/apimachinery/pkg/types"
)
const qnameCharFmt string = "[A-Za-z0-9]"
@ -197,16 +199,16 @@ const (
maxGroupID = math.MaxInt32
)
// IsValidGroupId tests that the argument is a valid Unix GID.
func IsValidGroupId(gid int64) []string {
// IsValidGroupID tests that the argument is a valid Unix GID.
func IsValidGroupID(gid types.UnixGroupID) []string {
if minGroupID <= gid && gid <= maxGroupID {
return nil
}
return []string{InclusiveRangeError(minGroupID, maxGroupID)}
}
// IsValidUserId tests that the argument is a valid Unix UID.
func IsValidUserId(uid int64) []string {
// IsValidUserID tests that the argument is a valid Unix UID.
func IsValidUserID(uid types.UnixUserID) []string {
if minUserID <= uid && uid <= maxUserID {
return nil
}

38
staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go
View File

@ -19,6 +19,8 @@ package validation
import (
"strings"
"testing"
"k8s.io/apimachinery/pkg/types"
)
func TestIsDNS1123Label(t *testing.T) {
@ -154,33 +156,49 @@ func TestIsValidPortNum(t *testing.T) {
}
}
func TestIsValidGroupId(t *testing.T) {
goodValues := []int64{0, 1, 1000, 65535, 2147483647}
func createGroupIDs(ids ...int64) []types.UnixGroupID {
var output []types.UnixGroupID
for _, id := range ids {
output = append(output, types.UnixGroupID(id))
}
return output
}
func createUserIDs(ids ...int64) []types.UnixUserID {
var output []types.UnixUserID
for _, id := range ids {
output = append(output, types.UnixUserID(id))
}
return output
}
func TestIsValidGroupID(t *testing.T) {
goodValues := createGroupIDs(0, 1, 1000, 65535, 2147483647)
for _, val := range goodValues {
if msgs := IsValidGroupId(val); len(msgs) != 0 {
if msgs := IsValidGroupID(val); len(msgs) != 0 {
t.Errorf("expected true for '%d': %v", val, msgs)
}
}
badValues := []int64{-1, -1003, 2147483648, 4147483647}
badValues := createGroupIDs(-1, -1003, 2147483648, 4147483647)
for _, val := range badValues {
if msgs := IsValidGroupId(val); len(msgs) == 0 {
if msgs := IsValidGroupID(val); len(msgs) == 0 {
t.Errorf("expected false for '%d'", val)
}
}
}
func TestIsValidUserId(t *testing.T) {
goodValues := []int64{0, 1, 1000, 65535, 2147483647}
func TestIsValidUserID(t *testing.T) {
goodValues := createUserIDs(0, 1, 1000, 65535, 2147483647)
for _, val := range goodValues {
if msgs := IsValidUserId(val); len(msgs) != 0 {
if msgs := IsValidUserID(val); len(msgs) != 0 {
t.Errorf("expected true for '%d': %v", val, msgs)
}
}
badValues := []int64{-1, -1003, 2147483648, 4147483647}
badValues := createUserIDs(-1, -1003, 2147483648, 4147483647)
for _, val := range badValues {
if msgs := IsValidUserId(val); len(msgs) == 0 {
if msgs := IsValidUserID(val); len(msgs) == 0 {
t.Errorf("expected false for '%d'", val)
}
}

8
staging/src/k8s.io/client-go/pkg/api/types.go
View File

@ -2153,7 +2153,7 @@ type PodSecurityContext struct {
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// +optional
RunAsUser *int64
RunAsUser *types.UnixUserID
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.
@ -2166,7 +2166,7 @@ type PodSecurityContext struct {
// to the container's primary GID. If unspecified, no groups will be added to
// any container.
// +optional
SupplementalGroups []int64
SupplementalGroups []types.UnixGroupID
// A special supplemental group that applies to all containers in a pod.
// Some volume types allow the Kubelet to change the ownership of that volume
// to be owned by the pod:
@ -2177,7 +2177,7 @@ type PodSecurityContext struct {
//
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// +optional
FSGroup *int64
FSGroup *types.UnixGroupID
}
// PodQOSClass defines the supported qos classes of Pods.
@ -3780,7 +3780,7 @@ type SecurityContext struct {
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// +optional
RunAsUser *int64
RunAsUser *types.UnixUserID
// Indicates that the container must run as a non-root user.
// If true, the Kubelet will validate the image at runtime to ensure that it
// does not run as UID 0 (root) and fail to start the container if it does.

Some files were not shown because too many files have changed in this diff Show More