mirror of https://github.com/k3s-io/k3s
Remove all references to types.UnixUserID and types.UnixGroupID
parent
9139666704
commit
c91a12d205
|
@ -2263,7 +2263,7 @@ type PodSecurityContext struct {
|
|||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
// +optional
|
||||
RunAsUser *types.UnixUserID
|
||||
RunAsUser *int64
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
|
||||
|
@ -2276,7 +2276,7 @@ type PodSecurityContext struct {
|
|||
// to the container's primary GID. If unspecified, no groups will be added to
|
||||
// any container.
|
||||
// +optional
|
||||
SupplementalGroups []types.UnixGroupID
|
||||
SupplementalGroups []int64
|
||||
// A special supplemental group that applies to all containers in a pod.
|
||||
// Some volume types allow the Kubelet to change the ownership of that volume
|
||||
// to be owned by the pod:
|
||||
|
@ -2287,7 +2287,7 @@ type PodSecurityContext struct {
|
|||
//
|
||||
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
|
||||
// +optional
|
||||
FSGroup *types.UnixGroupID
|
||||
FSGroup *int64
|
||||
}
|
||||
|
||||
// PodQOSClass defines the supported qos classes of Pods.
|
||||
|
@ -3924,7 +3924,7 @@ type SecurityContext struct {
|
|||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// +optional
|
||||
RunAsUser *types.UnixUserID
|
||||
RunAsUser *int64
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
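Review bot: With `RunAsUser`, `SupplementalGroups` and `FSGroup` now plain `int64`, the field comments in `PodSecurityContext` and `SecurityContext` are the only place a reader learns these are Unix IDs, and they do not state the accepted range. The TestValidatePodSpec cases changed in this commit accept 0 and 2147483647 and reject -1 and 2147483648, so a line such as `// Must be in the range 0 to 2147483647.` on each field would make the contract explicit; the bound is inferred from those tests, as the validation code is not on this page. The same applies to the versioned structs carrying JSON/protobuf tags in the next section. Dropping the named types also means the compiler no longer rejects a GID passed where a UID is expected, so callers need a manual check for that. Both struct bodies start outside these hunks.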
|
||||
|
|
|
@ -2548,7 +2548,7 @@ type PodSecurityContext struct {
|
|||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
// +optional
|
||||
RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
|
||||
|
@ -2561,7 +2561,7 @@ type PodSecurityContext struct {
|
|||
// to the container's primary GID. If unspecified, no groups will be added to
|
||||
// any container.
|
||||
// +optional
|
||||
SupplementalGroups []types.UnixGroupID `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
|
||||
SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
|
||||
// A special supplemental group that applies to all containers in a pod.
|
||||
// Some volume types allow the Kubelet to change the ownership of that volume
|
||||
// to be owned by the pod:
|
||||
|
@ -2572,7 +2572,7 @@ type PodSecurityContext struct {
|
|||
//
|
||||
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
|
||||
// +optional
|
||||
FSGroup *types.UnixGroupID `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
|
||||
FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
|
||||
}
|
||||
|
||||
// PodQOSClass defines the supported qos classes of Pods.
|
||||
|
@ -4511,7 +4511,7 @@ type SecurityContext struct {
|
|||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// +optional
|
||||
RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
|
||||
|
|
|
@ -24,7 +24,6 @@ import (
|
|||
|
||||
"k8s.io/apimachinery/pkg/api/resource"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
|
@ -3612,10 +3611,10 @@ func TestValidatePodSpec(t *testing.T) {
|
|||
activeDeadlineSeconds := int64(30)
|
||||
activeDeadlineSecondsMax := int64(math.MaxInt32)
|
||||
|
||||
minUserID := types.UnixUserID(0)
|
||||
maxUserID := types.UnixUserID(2147483647)
|
||||
minGroupID := types.UnixGroupID(0)
|
||||
maxGroupID := types.UnixGroupID(2147483647)
|
||||
minUserID := int64(0)
|
||||
maxUserID := int64(2147483647)
|
||||
minGroupID := int64(0)
|
||||
maxGroupID := int64(2147483647)
|
||||
|
||||
successCases := []api.PodSpec{
|
||||
{ // Populate basic fields, leave defaults for most.
|
||||
|
@ -3670,7 +3669,7 @@ func TestValidatePodSpec(t *testing.T) {
|
|||
{ // Populate RunAsUser SupplementalGroups FSGroup with minID 0
|
||||
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
|
||||
SecurityContext: &api.PodSecurityContext{
|
||||
SupplementalGroups: []types.UnixGroupID{minGroupID},
|
||||
SupplementalGroups: []int64{minGroupID},
|
||||
RunAsUser: &minUserID,
|
||||
FSGroup: &minGroupID,
|
||||
},
|
||||
|
@ -3680,7 +3679,7 @@ func TestValidatePodSpec(t *testing.T) {
|
|||
{ // Populate RunAsUser SupplementalGroups FSGroup with maxID 2147483647
|
||||
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
|
||||
SecurityContext: &api.PodSecurityContext{
|
||||
SupplementalGroups: []types.UnixGroupID{maxGroupID},
|
||||
SupplementalGroups: []int64{maxGroupID},
|
||||
RunAsUser: &maxUserID,
|
||||
FSGroup: &maxGroupID,
|
||||
},
|
||||
|
@ -3735,10 +3734,10 @@ func TestValidatePodSpec(t *testing.T) {
|
|||
activeDeadlineSeconds = int64(0)
|
||||
activeDeadlineSecondsTooLarge := int64(math.MaxInt32 + 1)
|
||||
|
||||
minUserID = types.UnixUserID(-1)
|
||||
maxUserID = types.UnixUserID(2147483648)
|
||||
minGroupID = types.UnixGroupID(-1)
|
||||
maxGroupID = types.UnixGroupID(2147483648)
|
||||
minUserID = int64(-1)
|
||||
maxUserID = int64(2147483648)
|
||||
minGroupID = int64(-1)
|
||||
maxGroupID = int64(2147483648)
|
||||
|
||||
failureCases := map[string]api.PodSpec{
|
||||
"bad volume": {
|
||||
|
@ -3812,7 +3811,7 @@ func TestValidatePodSpec(t *testing.T) {
|
|||
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
|
||||
SecurityContext: &api.PodSecurityContext{
|
||||
HostNetwork: false,
|
||||
SupplementalGroups: []types.UnixGroupID{maxGroupID, 1234},
|
||||
SupplementalGroups: []int64{maxGroupID, 1234},
|
||||
},
|
||||
RestartPolicy: api.RestartPolicyAlways,
|
||||
DNSPolicy: api.DNSClusterFirst,
|
||||
|
@ -3821,7 +3820,7 @@ func TestValidatePodSpec(t *testing.T) {
|
|||
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
|
||||
SecurityContext: &api.PodSecurityContext{
|
||||
HostNetwork: false,
|
||||
SupplementalGroups: []types.UnixGroupID{minGroupID, 1234},
|
||||
SupplementalGroups: []int64{minGroupID, 1234},
|
||||
},
|
||||
RestartPolicy: api.RestartPolicyAlways,
|
||||
DNSPolicy: api.DNSClusterFirst,
|
||||
|
@ -9582,7 +9581,7 @@ func TestValidateTLSSecret(t *testing.T) {
|
|||
|
||||
func TestValidateSecurityContext(t *testing.T) {
|
||||
priv := false
|
||||
runAsUser := types.UnixUserID(1)
|
||||
runAsUser := int64(1)
|
||||
fullValidSC := func() *api.SecurityContext {
|
||||
return &api.SecurityContext{
|
||||
Privileged: &priv,
|
||||
|
@ -9634,7 +9633,7 @@ func TestValidateSecurityContext(t *testing.T) {
|
|||
privRequestWithGlobalDeny.Privileged = &requestPrivileged
|
||||
|
||||
negativeRunAsUser := fullValidSC()
|
||||
negativeUser := types.UnixUserID(-1)
|
||||
negativeUser := int64(-1)
|
||||
negativeRunAsUser.RunAsUser = &negativeUser
|
||||
|
||||
errorCases := map[string]struct {
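Review bot: `minUserID`, `maxUserID`, `minGroupID` and `maxGroupID` are reassigned to out-of-range values further down in TestValidatePodSpec, while `successCases` holds `&minUserID`, `&maxUserID`, `&minGroupID` and `&maxGroupID` taken earlier. The success entries would see the invalid values if they were ever validated after the reassignment. The loop that validates them is outside these hunks, so this is presumably safe today but order-dependent. Separate names for the failing values, e.g. `negativeUserID := int64(-1)` and `tooLargeUserID := int64(math.MaxInt32 + 1)`, remove the aliasing. `int64(math.MaxInt32)` would also match the `activeDeadlineSecondsMax` line above better than the literal 2147483647.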
|
||||
|
|
|
@ -31,7 +31,6 @@ package extensions
|
|||
import (
|
||||
"k8s.io/apimachinery/pkg/api/resource"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
)
|
||||
|
@ -980,17 +979,17 @@ type RunAsUserStrategyOptions struct {
|
|||
// UserIDRange provides a min/max of an allowed range of UserIDs.
|
||||
type UserIDRange struct {
|
||||
// Min is the start of the range, inclusive.
|
||||
Min types.UnixUserID
|
||||
Min int64
|
||||
// Max is the end of the range, inclusive.
|
||||
Max types.UnixUserID
|
||||
Max int64
|
||||
}
|
||||
|
||||
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
|
||||
type GroupIDRange struct {
|
||||
// Min is the start of the range, inclusive.
|
||||
Min types.UnixGroupID
|
||||
Min int64
|
||||
// Max is the end of the range, inclusive.
|
||||
Max types.UnixGroupID
|
||||
Max int64
|
||||
}
|
||||
|
||||
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
|
||||
|
|
|
@ -23,14 +23,13 @@ import (
|
|||
"testing"
|
||||
|
||||
dockercontainer "github.com/docker/engine-api/types/container"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
apitesting "k8s.io/kubernetes/pkg/api/testing"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
)
|
||||
|
||||
func TestModifyContainerConfig(t *testing.T) {
|
||||
userID := types.UnixUserID(123)
|
||||
overrideUserID := types.UnixUserID(321)
|
||||
userID := int64(123)
|
||||
overrideUserID := int64(321)
|
||||
|
||||
cases := []struct {
|
||||
name string
|
||||
|
@ -177,7 +176,7 @@ func TestModifyHostConfig(t *testing.T) {
|
|||
|
||||
func TestModifyHostConfigPodSecurityContext(t *testing.T) {
|
||||
supplementalGroupsSC := &v1.PodSecurityContext{}
|
||||
supplementalGroupsSC.SupplementalGroups = []types.UnixGroupID{2222}
|
||||
supplementalGroupsSC.SupplementalGroups = []int64{2222}
|
||||
supplementalGroupHC := fullValidHostConfig()
|
||||
supplementalGroupHC.GroupAdd = []string{"2222"}
|
||||
fsGroupHC := fullValidHostConfig()
|
||||
|
@ -186,7 +185,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
|
|||
extraSupplementalGroupHC.GroupAdd = []string{"1234"}
|
||||
bothHC := fullValidHostConfig()
|
||||
bothHC.GroupAdd = []string{"2222", "1234"}
|
||||
fsGroup := types.UnixGroupID(1234)
|
||||
fsGroup := int64(1234)
|
||||
extraSupplementalGroup := []int64{1234}
|
||||
|
||||
testCases := map[string]struct {
|
||||
|
@ -211,7 +210,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
|
|||
},
|
||||
"FSGroup + SupplementalGroups": {
|
||||
securityContext: &v1.PodSecurityContext{
|
||||
SupplementalGroups: []types.UnixGroupID{2222},
|
||||
SupplementalGroups: []int64{2222},
|
||||
FSGroup: &fsGroup,
|
||||
},
|
||||
expected: bothHC,
|
||||
|
|
|
@ -453,10 +453,10 @@ func (f *stubVolume) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (f *stubVolume) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (f *stubVolume) SetUp(fsGroup *int64) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *stubVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (f *stubVolume) SetUpAt(dir string, fsGroup *int64) error {
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -24,7 +24,6 @@ import (
|
|||
"github.com/stretchr/testify/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
|
||||
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
|
||||
|
@ -227,7 +226,7 @@ func TestGenerateContainerConfig(t *testing.T) {
|
|||
assert.NoError(t, err)
|
||||
assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.")
|
||||
|
||||
runAsUser := types.UnixUserID(0)
|
||||
runAsUser := int64(0)
|
||||
runAsNonRootTrue := true
|
||||
podWithContainerSecurityContext := &v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
|
|
|
@ -18,7 +18,6 @@ package kuberuntime
|
|||
|
||||
import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
@ -45,7 +44,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
rootUser := types.UnixUserID(0)
|
||||
rootUser := int64(0)
|
||||
runAsNonRootTrue := true
|
||||
runAsNonRootFalse := false
|
||||
imageRootUser := int64(0)
|
||||
|
|
|
@ -983,10 +983,10 @@ func TestSetApp(t *testing.T) {
|
|||
}
|
||||
defer os.RemoveAll(tmpDir)
|
||||
|
||||
rootUser := kubetypes.UnixUserID(0)
|
||||
nonRootUser := kubetypes.UnixUserID(42)
|
||||
rootUser := int64(0)
|
||||
nonRootUser := int64(42)
|
||||
runAsNonRootTrue := true
|
||||
fsgid := kubetypes.UnixGroupID(3)
|
||||
fsgid := int64(3)
|
||||
|
||||
tests := []struct {
|
||||
container *v1.Container
|
||||
|
@ -1092,9 +1092,9 @@ func TestSetApp(t *testing.T) {
|
|||
RunAsNonRoot: &runAsNonRootTrue,
|
||||
},
|
||||
podCtx: &v1.PodSecurityContext{
|
||||
SupplementalGroups: []kubetypes.UnixGroupID{
|
||||
kubetypes.UnixGroupID(1),
|
||||
kubetypes.UnixGroupID(2),
|
||||
SupplementalGroups: []int64{
|
||||
int64(1),
|
||||
int64(2),
|
||||
},
|
||||
FSGroup: &fsgid,
|
||||
},
|
||||
|
@ -1157,9 +1157,9 @@ func TestSetApp(t *testing.T) {
|
|||
RunAsNonRoot: &runAsNonRootTrue,
|
||||
},
|
||||
podCtx: &v1.PodSecurityContext{
|
||||
SupplementalGroups: []kubetypes.UnixGroupID{
|
||||
kubetypes.UnixGroupID(1),
|
||||
kubetypes.UnixGroupID(2),
|
||||
SupplementalGroups: []int64{
|
||||
int64(1),
|
||||
int64(2),
|
||||
},
|
||||
FSGroup: &fsgid,
|
||||
},
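Review bot: The element conversions in `SupplementalGroups: []int64{int64(1), int64(2)}` (both `podCtx` literals in TestSetApp) are redundant now that the slice type is `[]int64`, because untyped constants convert implicitly. `SupplementalGroups: []int64{1, 2},` matches how the other tests in this commit write it, e.g. `[]int64{2222}` and `[]int64{555}`.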
|
||||
|
|
|
@ -24,7 +24,6 @@ import (
|
|||
"time"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
kubetypes "k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/client-go/tools/record"
|
||||
utiltesting "k8s.io/client-go/util/testing"
|
||||
|
@ -239,7 +238,7 @@ func createObjects() (*v1.Node, *v1.Pod, *v1.PersistentVolume, *v1.PersistentVol
|
|||
},
|
||||
},
|
||||
SecurityContext: &v1.PodSecurityContext{
|
||||
SupplementalGroups: []kubetypes.UnixGroupID{555},
|
||||
SupplementalGroups: []int64{555},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
@ -19,7 +19,6 @@ package group
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
|
@ -47,14 +46,14 @@ func NewMustRunAs(ranges []extensions.GroupIDRange, field string) (GroupStrategy
|
|||
|
||||
// Generate creates the group based on policy rules. By default this returns the first group of the
|
||||
// first range (min val).
|
||||
func (s *mustRunAs) Generate(pod *api.Pod) ([]types.UnixGroupID, error) {
|
||||
return []types.UnixGroupID{s.ranges[0].Min}, nil
|
||||
func (s *mustRunAs) Generate(pod *api.Pod) ([]int64, error) {
|
||||
return []int64{s.ranges[0].Min}, nil
|
||||
}
|
||||
|
||||
// Generate a single value to be applied. This is used for FSGroup. This strategy will return
|
||||
// the first group of the first range (min val).
|
||||
func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
|
||||
single := new(types.UnixGroupID)
|
||||
func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
|
||||
single := new(int64)
|
||||
*single = s.ranges[0].Min
|
||||
return single, nil
|
||||
}
|
||||
|
@ -62,7 +61,7 @@ func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
|
|||
// Validate ensures that the specified values fall within the range of the strategy.
|
||||
// Groups are passed in here to allow this strategy to support multiple group fields (fsgroup and
|
||||
// supplemental groups).
|
||||
func (s *mustRunAs) Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList {
|
||||
func (s *mustRunAs) Validate(pod *api.Pod, groups []int64) field.ErrorList {
|
||||
allErrs := field.ErrorList{}
|
||||
|
||||
if pod.Spec.SecurityContext == nil {
|
||||
|
@ -84,7 +83,7 @@ func (s *mustRunAs) Validate(pod *api.Pod, groups []types.UnixGroupID) field.Err
|
|||
return allErrs
|
||||
}
|
||||
|
||||
func (s *mustRunAs) isGroupValid(group types.UnixGroupID) bool {
|
||||
func (s *mustRunAs) isGroupValid(group int64) bool {
|
||||
for _, rng := range s.ranges {
|
||||
if psputil.GroupFallsInRange(group, rng) {
|
||||
return true
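Review bot: `Generate` and `GenerateSingle` index `s.ranges[0]` with no length check, so both panic on a strategy built with an empty range list unless `NewMustRunAs` rejects that. Its body is outside the hunk, so this is unconfirmed from here. Once confirmed, a comment on each such as `// ranges is non-empty: enforced by NewMustRunAs` would record the invariant. With the named type gone, `GenerateSingle` can also drop the `new`/assign pair in favour of `single := s.ranges[0].Min` and `return &single, nil`, which still hands the caller a copy rather than a pointer into the policy. `isGroupValid` continues past the end of the last hunk.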
|
||||
|
|
|
@ -19,7 +19,6 @@ package group
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
)
|
||||
|
@ -54,26 +53,26 @@ func TestMustRunAsOptions(t *testing.T) {
|
|||
func TestGenerate(t *testing.T) {
|
||||
tests := map[string]struct {
|
||||
ranges []extensions.GroupIDRange
|
||||
expected []types.UnixGroupID
|
||||
expected []int64
|
||||
}{
|
||||
"multi value": {
|
||||
ranges: []extensions.GroupIDRange{
|
||||
{Min: 1, Max: 2},
|
||||
},
|
||||
expected: []types.UnixGroupID{1},
|
||||
expected: []int64{1},
|
||||
},
|
||||
"single value": {
|
||||
ranges: []extensions.GroupIDRange{
|
||||
{Min: 1, Max: 1},
|
||||
},
|
||||
expected: []types.UnixGroupID{1},
|
||||
expected: []int64{1},
|
||||
},
|
||||
"multi range": {
|
||||
ranges: []extensions.GroupIDRange{
|
||||
{Min: 1, Max: 1},
|
||||
{Min: 2, Max: 500},
|
||||
},
|
||||
expected: []types.UnixGroupID{1},
|
||||
expected: []int64{1},
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -121,7 +120,7 @@ func TestValidate(t *testing.T) {
|
|||
tests := map[string]struct {
|
||||
ranges []extensions.GroupIDRange
|
||||
pod *api.Pod
|
||||
groups []types.UnixGroupID
|
||||
groups []int64
|
||||
pass bool
|
||||
}{
|
||||
"nil security context": {
|
||||
|
@ -138,7 +137,7 @@ func TestValidate(t *testing.T) {
|
|||
},
|
||||
"not in range": {
|
||||
pod: validPod(),
|
||||
groups: []types.UnixGroupID{5},
|
||||
groups: []int64{5},
|
||||
ranges: []extensions.GroupIDRange{
|
||||
{Min: 1, Max: 3},
|
||||
{Min: 4, Max: 4},
|
||||
|
@ -146,7 +145,7 @@ func TestValidate(t *testing.T) {
|
|||
},
|
||||
"in range 1": {
|
||||
pod: validPod(),
|
||||
groups: []types.UnixGroupID{2},
|
||||
groups: []int64{2},
|
||||
ranges: []extensions.GroupIDRange{
|
||||
{Min: 1, Max: 3},
|
||||
},
|
||||
|
@ -154,7 +153,7 @@ func TestValidate(t *testing.T) {
|
|||
},
|
||||
"in range boundry min": {
|
||||
pod: validPod(),
|
||||
groups: []types.UnixGroupID{1},
|
||||
groups: []int64{1},
|
||||
ranges: []extensions.GroupIDRange{
|
||||
{Min: 1, Max: 3},
|
||||
},
|
||||
|
@ -162,7 +161,7 @@ func TestValidate(t *testing.T) {
|
|||
},
|
||||
"in range boundry max": {
|
||||
pod: validPod(),
|
||||
groups: []types.UnixGroupID{3},
|
||||
groups: []int64{3},
|
||||
ranges: []extensions.GroupIDRange{
|
||||
{Min: 1, Max: 3},
|
||||
},
|
||||
|
@ -170,7 +169,7 @@ func TestValidate(t *testing.T) {
|
|||
},
|
||||
"singular range": {
|
||||
pod: validPod(),
|
||||
groups: []types.UnixGroupID{4},
|
||||
groups: []int64{4},
|
||||
ranges: []extensions.GroupIDRange{
|
||||
{Min: 4, Max: 4},
|
||||
},
|
||||
|
|
|
@ -17,7 +17,6 @@ limitations under the License.
|
|||
package group
|
||||
|
||||
import (
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
)
|
||||
|
@ -34,17 +33,17 @@ func NewRunAsAny() (GroupStrategy, error) {
|
|||
}
|
||||
|
||||
// Generate creates the group based on policy rules. This strategy returns an empty slice.
|
||||
func (s *runAsAny) Generate(pod *api.Pod) ([]types.UnixGroupID, error) {
|
||||
return []types.UnixGroupID{}, nil
|
||||
func (s *runAsAny) Generate(pod *api.Pod) ([]int64, error) {
|
||||
return []int64{}, nil
|
||||
}
|
||||
|
||||
// Generate a single value to be applied. This is used for FSGroup. This strategy returns nil.
|
||||
func (s *runAsAny) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
|
||||
func (s *runAsAny) GenerateSingle(pod *api.Pod) (*int64, error) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// Validate ensures that the specified values fall within the range of the strategy.
|
||||
func (s *runAsAny) Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList {
|
||||
func (s *runAsAny) Validate(pod *api.Pod, groups []int64) field.ErrorList {
|
||||
return field.ErrorList{}
|
||||
|
||||
}
|
||||
|
|
|
@ -17,7 +17,6 @@ limitations under the License.
|
|||
package group
|
||||
|
||||
import (
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
)
|
||||
|
@ -27,10 +26,10 @@ type GroupStrategy interface {
|
|||
// Generate creates the group based on policy rules. The underlying implementation can
|
||||
// decide whether it will return a full range of values or a subset of values from the
|
||||
// configured ranges.
|
||||
Generate(pod *api.Pod) ([]types.UnixGroupID, error)
|
||||
Generate(pod *api.Pod) ([]int64, error)
|
||||
// Generate a single value to be applied. The underlying implementation decides which
|
||||
// value to return if configured with multiple ranges. This is used for FSGroup.
|
||||
GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error)
|
||||
GenerateSingle(pod *api.Pod) (*int64, error)
|
||||
// Validate ensures that the specified values fall within the range of the strategy.
|
||||
Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList
|
||||
Validate(pod *api.Pod, groups []int64) field.ErrorList
|
||||
}
|
||||
|
|
|
@ -19,7 +19,6 @@ package podsecuritypolicy
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
|
@ -195,7 +194,7 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
|
|||
return allErrs
|
||||
}
|
||||
|
||||
fsGroups := []types.UnixGroupID{}
|
||||
fsGroups := []int64{}
|
||||
if pod.Spec.SecurityContext.FSGroup != nil {
|
||||
fsGroups = append(fsGroups, *pod.Spec.SecurityContext.FSGroup)
|
||||
}
|
||||
|
|
|
@ -25,7 +25,6 @@ import (
|
|||
"github.com/davecgh/go-spew/spew"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/diff"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
|
@ -134,7 +133,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
|
|||
|
||||
// Create a PSP with strategies that will populate a blank security context
|
||||
createPSP := func() *extensions.PodSecurityPolicy {
|
||||
uid := types.UnixUserID(1)
|
||||
uid := int64(1)
|
||||
return &extensions.PodSecurityPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "psp-sa",
|
||||
|
@ -206,7 +205,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
|
|||
failHostIPCPod.Spec.SecurityContext.HostIPC = true
|
||||
|
||||
failSupplementalGroupPod := defaultPod()
|
||||
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{999}
|
||||
failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{999}
|
||||
failSupplementalGroupPSP := defaultPSP()
|
||||
failSupplementalGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{
|
||||
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
|
||||
|
@ -216,7 +215,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
|
|||
}
|
||||
|
||||
failFSGroupPod := defaultPod()
|
||||
fsGroup := types.UnixGroupID(999)
|
||||
fsGroup := int64(999)
|
||||
failFSGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
|
||||
failFSGroupPSP := defaultPSP()
|
||||
failFSGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
|
||||
|
@ -383,8 +382,8 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
|
|||
func TestValidateContainerSecurityContextFailures(t *testing.T) {
|
||||
// fail user strat
|
||||
failUserPSP := defaultPSP()
|
||||
uid := types.UnixUserID(999)
|
||||
badUID := types.UnixUserID(1)
|
||||
uid := int64(999)
|
||||
badUID := int64(1)
|
||||
failUserPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
|
||||
Rule: extensions.RunAsUserStrategyMustRunAs,
|
||||
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
|
||||
|
@ -547,7 +546,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
|
|||
},
|
||||
}
|
||||
supGroupPod := defaultPod()
|
||||
supGroupPod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{3}
|
||||
supGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{3}
|
||||
|
||||
fsGroupPSP := defaultPSP()
|
||||
fsGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
|
||||
|
@ -557,7 +556,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
|
|||
},
|
||||
}
|
||||
fsGroupPod := defaultPod()
|
||||
fsGroup := types.UnixGroupID(3)
|
||||
fsGroup := int64(3)
|
||||
fsGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
|
||||
|
||||
seLinuxPod := defaultPod()
|
||||
|
@ -680,7 +679,7 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
|
|||
|
||||
// success user strat
|
||||
userPSP := defaultPSP()
|
||||
uid := types.UnixUserID(999)
|
||||
uid := int64(999)
|
||||
userPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
|
||||
Rule: extensions.RunAsUserStrategyMustRunAs,
|
||||
Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
|
||||
|
|
|
@ -19,7 +19,6 @@ package user
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
|
@ -45,7 +44,7 @@ func NewMustRunAs(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrate
|
|||
}
|
||||
|
||||
// Generate creates the uid based on policy rules. MustRunAs returns the first range's Min.
|
||||
func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
|
||||
func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
|
||||
return &s.opts.Ranges[0].Min, nil
|
||||
}
|
||||
|
||||
|
@ -75,7 +74,7 @@ func (s *mustRunAs) Validate(pod *api.Pod, container *api.Container) field.Error
|
|||
return allErrs
|
||||
}
|
||||
|
||||
func (s *mustRunAs) isValidUID(id types.UnixUserID) bool {
|
||||
func (s *mustRunAs) isValidUID(id int64) bool {
|
||||
for _, rng := range s.opts.Ranges {
|
||||
if psputil.UserFallsInRange(id, rng) {
|
||||
return true
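Review bot: `Generate` returns `&s.opts.Ranges[0].Min`, a pointer into the strategy's own options, so whatever stores it as a container's `RunAsUser` aliases the policy's range. A later write through that pointer would change the minimum UID the policy enforces. The group strategy's `GenerateSingle` in this commit copies the value first, and this function should do the same: `uid := s.opts.Ranges[0].Min` then `return &uid, nil`. The `Ranges[0]` index also relies on `NewMustRunAs` rejecting empty ranges, which is outside the hunk. `isValidUID` runs past the end of the hunk.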
|
||||
|
|
|
@ -20,7 +20,6 @@ import (
|
|||
"strings"
|
||||
"testing"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
)
|
||||
|
@ -85,8 +84,8 @@ func TestValidate(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
validID := types.UnixUserID(15)
|
||||
invalidID := types.UnixUserID(21)
|
||||
validID := int64(15)
|
||||
invalidID := int64(21)
|
||||
|
||||
tests := map[string]struct {
|
||||
container *api.Container
|
||||
|
|
|
@ -19,7 +19,6 @@ package user
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
|
@ -35,7 +34,7 @@ func NewRunAsNonRoot(options *extensions.RunAsUserStrategyOptions) (RunAsUserStr
|
|||
|
||||
// Generate creates the uid based on policy rules. This strategy does return a UID. It assumes
|
||||
// that the user will specify a UID or the container image specifies a UID.
|
||||
func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
|
||||
func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
|
||||
return nil, nil
|
||||
}
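Review bot: The doc comment on `nonRoot.Generate` says "This strategy does return a UID", but the body is `return nil, nil`. The first line should read `// Generate creates the uid based on policy rules. This strategy does not return a UID.` Since the result is now a bare `*int64`, the comment should also say that nil means no UID was generated, so the user or the image must supply one, as the second comment line already implies.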
|
||||
|
||||
|
|
|
@ -19,7 +19,6 @@ package user
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
)
|
||||
|
@ -50,8 +49,8 @@ func TestNonRootGenerate(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestNonRootValidate(t *testing.T) {
|
||||
goodUID := types.UnixUserID(1)
|
||||
badUID := types.UnixUserID(0)
|
||||
goodUID := int64(1)
|
||||
badUID := int64(0)
|
||||
untrue := false
|
||||
unfalse := true
|
||||
s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})
|
||||
|
|
|
@ -17,7 +17,6 @@ limitations under the License.
|
|||
package user
|
||||
|
||||
import (
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
|
@ -34,7 +33,7 @@ func NewRunAsAny(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrateg
|
|||
}
|
||||
|
||||
// Generate creates the uid based on policy rules.
|
||||
func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
|
||||
func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
|
|
|
@ -17,7 +17,6 @@ limitations under the License.
|
|||
package user
|
||||
|
||||
import (
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
)
|
||||
|
@ -25,7 +24,7 @@ import (
|
|||
// RunAsUserStrategy defines the interface for all uid constraint strategies.
|
||||
type RunAsUserStrategy interface {
|
||||
// Generate creates the uid based on policy rules.
|
||||
Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error)
|
||||
Generate(pod *api.Pod, container *api.Container) (*int64, error)
|
||||
// Validate ensures that the specified values fall within the range of the strategy.
|
||||
Validate(pod *api.Pod, container *api.Container) field.ErrorList
|
||||
}
|
||||
|
|
|
@ -20,7 +20,6 @@ import (
|
|||
"fmt"
|
||||
"strings"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
|
@ -164,12 +163,12 @@ func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType
|
|||
}
|
||||
|
||||
// UserFallsInRange is a utility to determine it the id falls in the valid range.
|
||||
func UserFallsInRange(id types.UnixUserID, rng extensions.UserIDRange) bool {
|
||||
func UserFallsInRange(id int64, rng extensions.UserIDRange) bool {
|
||||
return id >= rng.Min && id <= rng.Max
|
||||
}
|
||||
|
||||
// GroupFallsInRange is a utility to determine it the id falls in the valid range.
|
||||
func GroupFallsInRange(id types.UnixGroupID, rng extensions.GroupIDRange) bool {
|
||||
func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool {
|
||||
return id >= rng.Min && id <= rng.Max
|
||||
}
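Review bot: `UserFallsInRange` and `GroupFallsInRange` now have identical bodies over `int64`, and neither comment says that the bounds are inclusive or what an inverted range does. `id >= rng.Min && id <= rng.Max` matches nothing when `Min > Max`, which fails closed. Stating that keeps a later refactor from changing it, e.g. `// UserFallsInRange reports whether id lies in [rng.Min, rng.Max]; a range with Min > Max matches no id.` Both comments also read "determine it the id", which should be "if".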
|
||||
|
||||
|
|
|
@ -20,7 +20,6 @@ import (
|
|||
"fmt"
|
||||
"strings"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
)
|
||||
|
@ -120,7 +119,7 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
|
|||
}
|
||||
|
||||
if containerSc.RunAsUser != nil {
|
||||
effectiveSc.RunAsUser = new(types.UnixUserID)
|
||||
effectiveSc.RunAsUser = new(int64)
|
||||
*effectiveSc.RunAsUser = *containerSc.RunAsUser
|
||||
}
|
||||
|
||||
|
@ -149,7 +148,7 @@ func securityContextFromPodSecurityContext(pod *v1.Pod) *v1.SecurityContext {
|
|||
*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
|
||||
}
|
||||
if pod.Spec.SecurityContext.RunAsUser != nil {
|
||||
synthesized.RunAsUser = new(types.UnixUserID)
|
||||
synthesized.RunAsUser = new(int64)
|
||||
*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
|
||||
}
|
||||
|
||||
|
@ -192,7 +191,7 @@ func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Cont
|
|||
}
|
||||
|
||||
if containerSc.RunAsUser != nil {
|
||||
effectiveSc.RunAsUser = new(types.UnixUserID)
|
||||
effectiveSc.RunAsUser = new(int64)
|
||||
*effectiveSc.RunAsUser = *containerSc.RunAsUser
|
||||
}
|
||||
|
||||
|
@ -221,7 +220,7 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
|
|||
*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
|
||||
}
|
||||
if pod.Spec.SecurityContext.RunAsUser != nil {
|
||||
synthesized.RunAsUser = new(types.UnixUserID)
|
||||
synthesized.RunAsUser = new(int64)
|
||||
*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
|
||||
}
|
||||
|
||||
|
|
|
@ -19,7 +19,6 @@ package securitycontext
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
)
|
||||
|
||||
|
@ -85,13 +84,13 @@ func compareContexts(name string, ex, ac *v1.SELinuxOptions, t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func containerWithUser(ptr *types.UnixUserID) *v1.Container {
|
||||
func containerWithUser(ptr *int64) *v1.Container {
|
||||
return &v1.Container{SecurityContext: &v1.SecurityContext{RunAsUser: ptr}}
|
||||
}
|
||||
|
||||
func TestHaRootUID(t *testing.T) {
|
||||
nonRoot := types.UnixUserID(1)
|
||||
root := types.UnixUserID(0)
|
||||
nonRoot := int64(1)
|
||||
root := int64(0)
|
||||
|
||||
tests := map[string]struct {
|
||||
container *v1.Container
|
||||
|
@ -121,7 +120,7 @@ func TestHaRootUID(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestHasRunAsUser(t *testing.T) {
|
||||
runAsUser := types.UnixUserID(0)
|
||||
runAsUser := int64(0)
|
||||
|
||||
tests := map[string]struct {
|
||||
container *v1.Container
|
||||
|
@ -148,8 +147,8 @@ func TestHasRunAsUser(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestHasRootRunAsUser(t *testing.T) {
|
||||
nonRoot := types.UnixUserID(1)
|
||||
root := types.UnixUserID(0)
|
||||
nonRoot := int64(1)
|
||||
root := int64(0)
|
||||
|
||||
tests := map[string]struct {
|
||||
container *v1.Container
|
||||
|
|
|
@ -294,12 +294,12 @@ func (b *awsElasticBlockStoreMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *awsElasticBlockStoreMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *awsElasticBlockStoreMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUpAt attaches the disk and bind mounts to the volume path.
|
||||
func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
// TODO: handle failed mounts here.
|
||||
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("PersistentDisk set up: %s %v %v", dir, !notMnt, err)
|
||||
|
|
|
@ -234,12 +234,12 @@ func (b *azureDiskMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *azureDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *azureDiskMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUpAt attaches the disk and bind mounts to the volume path.
|
||||
func (b *azureDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *azureDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
b.plugin.volumeLocks.LockKey(b.diskName)
|
||||
defer b.plugin.volumeLocks.UnlockKey(b.diskName)
|
||||
|
||||
|
|
|
@ -189,11 +189,11 @@ func (b *azureFileMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *azureFileMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *azureFileMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *azureFileMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *azureFileMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("AzureFile mount set up: %s %v %v", dir, !notMnt, err)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
|
|
|
@ -217,12 +217,12 @@ func (cephfsMounter *cephfsMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (cephfsVolume *cephfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (cephfsVolume *cephfsMounter) SetUp(fsGroup *int64) error {
|
||||
return cephfsVolume.SetUpAt(cephfsVolume.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUpAt attaches the disk and bind mounts to the volume path.
|
||||
func (cephfsVolume *cephfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (cephfsVolume *cephfsMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
notMnt, err := cephfsVolume.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("CephFS mount set up: %s %v %v", dir, !notMnt, err)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
|
|
|
@ -298,12 +298,12 @@ func (b *cinderVolumeMounter) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (b *cinderVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *cinderVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUp bind mounts to the volume path.
|
||||
func (b *cinderVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *cinderVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
glog.V(5).Infof("Cinder SetUp %s to %s", b.pdName, dir)
|
||||
|
||||
b.plugin.volumeLocks.LockKey(b.pdName)
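Review bot: The comment `// SetUp bind mounts to the volume path.` sits on `cinderVolumeMounter.SetUpAt`, while `SetUp` itself has no doc comment. I would put `// SetUp bind mounts to the default volume path returned by GetPath.` on `SetUp` and `// SetUpAt bind mounts to the given directory.` on `SetUpAt`. The same "SetUp" wording on a `SetUpAt` method appears in the gcePersistentDiskMounter, photonPersistentDiskMounter, sioVolume, storageosMounter and vsphereVolumeMounter sections of this commit. The body of `SetUpAt` continues outside the hunk.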
|
||||
|
|
|
@ -179,11 +179,11 @@ func (b *configMapVolumeMounter) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (b *configMapVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *configMapVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *configMapVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *configMapVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
|
||||
|
||||
// Wrap EmptyDir, let it do the setup.
|
||||
|
|
|
@ -333,7 +333,7 @@ func TestPlugin(t *testing.T) {
|
|||
t.Errorf("Got unexpected path: %s", volumePath)
|
||||
}
|
||||
|
||||
fsGroup := types.UnixGroupID(1001)
|
||||
fsGroup := int64(1001)
|
||||
err = mounter.SetUp(&fsGroup)
|
||||
if err != nil {
|
||||
t.Errorf("Failed to setup volume: %v", err)
|
||||
|
@ -391,7 +391,7 @@ func TestPluginReboot(t *testing.T) {
|
|||
t.Errorf("Got unexpected path: %s", volumePath)
|
||||
}
|
||||
|
||||
fsGroup := types.UnixGroupID(1001)
|
||||
fsGroup := int64(1001)
|
||||
err = mounter.SetUp(&fsGroup)
|
||||
if err != nil {
|
||||
t.Errorf("Failed to setup volume: %v", err)
|
||||
|
@ -453,7 +453,7 @@ func TestPluginOptional(t *testing.T) {
|
|||
t.Errorf("Got unexpected path: %s", volumePath)
|
||||
}
|
||||
|
||||
fsGroup := types.UnixGroupID(1001)
|
||||
fsGroup := int64(1001)
|
||||
err = mounter.SetUp(&fsGroup)
|
||||
if err != nil {
|
||||
t.Errorf("Failed to setup volume: %v", err)
|
||||
|
@ -528,7 +528,7 @@ func TestPluginKeysOptional(t *testing.T) {
|
|||
t.Errorf("Got unexpected path: %s", volumePath)
|
||||
}
|
||||
|
||||
fsGroup := types.UnixGroupID(1001)
|
||||
fsGroup := int64(1001)
|
||||
err = mounter.SetUp(&fsGroup)
|
||||
if err != nil {
|
||||
t.Errorf("Failed to setup volume: %v", err)
|
||||
|
|
|
@ -168,11 +168,11 @@ func (b *downwardAPIVolumeMounter) CanMount() error {
|
|||
// This function is not idempotent by design. We want the data to be refreshed periodically.
|
||||
// The internal sync interval of kubelet will drive the refresh of data.
|
||||
// TODO: Add volume specific ticker and refresh loop
|
||||
func (b *downwardAPIVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *downwardAPIVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *downwardAPIVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *downwardAPIVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
glog.V(3).Infof("Setting up a downwardAPI volume %v for pod %v/%v at %v", b.volName, b.pod.Namespace, b.pod.Name, dir)
|
||||
// Wrap EmptyDir. Here we rely on the idempotency of the wrapped plugin to avoid repeatedly mounting
|
||||
wrapped, err := b.plugin.host.NewWrapperMounter(b.volName, wrappedVolumeSpec(), b.pod, *b.opts)
|
||||
|
|
|
@ -191,12 +191,12 @@ func (b *emptyDir) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp creates new directory.
|
||||
func (ed *emptyDir) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (ed *emptyDir) SetUp(fsGroup *int64) error {
|
||||
return ed.SetUpAt(ed.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUpAt creates new directory.
|
||||
func (ed *emptyDir) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error {
|
||||
notMnt, err := ed.mounter.IsLikelyNotMountPoint(dir)
|
||||
// Getting an os.IsNotExist err from is a contingency; the directory
|
||||
// may not exist yet, in which case, setup should run.
|
||||
|
|
|
@ -20,7 +20,6 @@ import (
|
|||
"os"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/util/mount"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
)
|
||||
|
@ -35,7 +34,7 @@ type diskManager interface {
|
|||
}
|
||||
|
||||
// utility to mount a disk based filesystem
|
||||
func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
|
||||
func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
|
||||
globalPDPath := manager.MakeGlobalPDName(*b.fcDisk)
|
||||
// TODO: handle failed mounts here.
|
||||
noMnt, err := mounter.IsLikelyNotMountPoint(volPath)
|
||||
|
|
|
@ -204,11 +204,11 @@ func (b *fcDiskMounter) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (b *fcDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *fcDiskMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *fcDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *fcDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
// diskSetUp checks mountpoints and prevent repeated calls
|
||||
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
|
||||
if err != nil {
|
||||
|
|
|
@ -21,7 +21,6 @@ import (
|
|||
|
||||
"github.com/golang/glog"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
)
|
||||
|
||||
|
@ -29,7 +28,7 @@ type mounterDefaults flexVolumeMounter
|
|||
|
||||
// SetUpAt is part of the volume.Mounter interface.
|
||||
// This implementation relies on the attacher's device mount path and does a bind mount to dir.
|
||||
func (f *mounterDefaults) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (f *mounterDefaults) SetUpAt(dir string, fsGroup *int64) error {
|
||||
glog.Warning(logPrefix(f.plugin), "using default SetUpAt to ", dir)
|
||||
|
||||
a, err := f.plugin.NewAttacher()
|
||||
|
|
|
@ -19,7 +19,6 @@ package flexvolume
|
|||
import (
|
||||
"strconv"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/util/exec"
|
||||
"k8s.io/kubernetes/pkg/util/mount"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
|
@ -44,12 +43,12 @@ var _ volume.Mounter = &flexVolumeMounter{}
|
|||
// Mounter interface
|
||||
|
||||
// SetUp creates new directory.
|
||||
func (f *flexVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (f *flexVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return f.SetUpAt(f.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUpAt creates new directory.
|
||||
func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
// Mount only once.
|
||||
alreadyMounted, err := prepareForMount(f.mounter, dir)
|
||||
if err != nil {
|
||||
|
|
|
@ -67,6 +67,6 @@ func TestSetUpAt(t *testing.T) {
|
|||
m, _ := plugin.newMounterInternal(spec, pod, mounter, plugin.runner)
|
||||
m.SetUpAt(rootDir+"/mount-dir", nil)
|
||||
|
||||
fsGroup := types.UnixGroupID(42)
|
||||
fsGroup := int64(42)
|
||||
m.SetUpAt(rootDir+"/mount-dir", &fsGroup)
|
||||
}
|
||||
|
|
|
@ -232,7 +232,7 @@ func (b *flockerVolumeMounter) GetPath() string {
|
|||
}
|
||||
|
||||
// SetUp bind mounts the disk global mount to the volume path.
|
||||
func (b *flockerVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *flockerVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
|
@ -274,7 +274,7 @@ control service:
|
|||
need to update the Primary UUID for this volume.
|
||||
5. Wait until the Primary UUID was updated or timeout.
|
||||
*/
|
||||
func (b *flockerVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *flockerVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
var err error
|
||||
if b.flockerClient == nil {
|
||||
b.flockerClient, err = b.newFlockerClient()
|
||||
|
|
|
@ -257,12 +257,12 @@ func (b *gcePersistentDiskMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp bind mounts the disk global mount to the volume path.
|
||||
func (b *gcePersistentDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *gcePersistentDiskMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUp bind mounts the disk global mount to the give volume path.
|
||||
func (b *gcePersistentDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *gcePersistentDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
// TODO: handle failed mounts here.
|
||||
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("GCE PersistentDisk set up: Dir (%s) PD name (%q) Mounted (%t) Error (%v), ReadOnly (%t)", dir, b.pdName, !notMnt, err, b.readOnly)
|
||||
|
|
|
@ -171,12 +171,12 @@ func (b *gitRepoVolumeMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp creates new directory and clones a git repo.
|
||||
func (b *gitRepoVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *gitRepoVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUpAt creates new directory and clones a git repo.
|
||||
func (b *gitRepoVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *gitRepoVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
if volumeutil.IsReady(b.getMetaDir()) {
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -252,11 +252,11 @@ func (b *glusterfsMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *glusterfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *glusterfsMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *glusterfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *glusterfsMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("glusterfs: mount set up: %s %v %v", dir, !notMnt, err)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
|
|
|
@ -206,7 +206,7 @@ func (b *hostPathMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp does nothing.
|
||||
func (b *hostPathMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *hostPathMounter) SetUp(fsGroup *int64) error {
|
||||
err := validation.ValidatePathNoBacksteps(b.GetPath())
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid HostPath `%s`: %v", b.GetPath(), err)
|
||||
|
@ -215,7 +215,7 @@ func (b *hostPathMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
|||
}
|
||||
|
||||
// SetUpAt does not make sense for host paths - probably programmer error.
|
||||
func (b *hostPathMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *hostPathMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
return fmt.Errorf("SetUpAt() does not make sense for host paths")
|
||||
}
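Review bot: The comment `// SetUp does nothing.` above `hostPathMounter.SetUp` is stale, because the body calls `validation.ValidatePathNoBacksteps(b.GetPath())` and returns an error when that check fails. A reader relying on the comment would miss that this method is where a host path is checked for backsteps, so I would change it to `// SetUp validates that the host path contains no backsteps; fsGroup is not used.` The rest of the body lies outside the hunk, so the "fsGroup is not used" part should be confirmed against it.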
|
||||
|
||||
|
|
|
@ -20,7 +20,6 @@ import (
|
|||
"os"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/util/mount"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
)
|
||||
|
@ -35,7 +34,7 @@ type diskManager interface {
|
|||
}
|
||||
|
||||
// utility to mount a disk based filesystem
|
||||
func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
|
||||
func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
|
||||
globalPDPath := manager.MakeGlobalPDName(*b.iscsiDisk)
|
||||
// TODO: handle failed mounts here.
|
||||
notMnt, err := mounter.IsLikelyNotMountPoint(volPath)
|
||||
|
|
|
@ -236,11 +236,11 @@ func (b *iscsiDiskMounter) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (b *iscsiDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *iscsiDiskMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *iscsiDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *iscsiDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
// diskSetUp checks mountpoints and prevent repeated calls
|
||||
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
|
||||
if err != nil {
|
||||
|
|
|
@ -181,12 +181,12 @@ func (m *localVolumeMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp bind mounts the directory to the volume path
|
||||
func (m *localVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (m *localVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return m.SetUpAt(m.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUpAt bind mounts the directory to the volume path and sets up volume ownership
|
||||
func (m *localVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (m *localVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
if m.globalPath == "" {
|
||||
err := fmt.Errorf("LocalVolume volume %q path is empty", m.volName)
|
||||
return err
|
||||
|
|
|
@ -229,11 +229,11 @@ func (b *nfsMounter) GetAttributes() volume.Attributes {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *nfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *nfsMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *nfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *nfsMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("NFS mount set up: %s %v %v", dir, !notMnt, err)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
|
|
|
@ -195,12 +195,12 @@ func (b *photonPersistentDiskMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *photonPersistentDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *photonPersistentDiskMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *photonPersistentDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *photonPersistentDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
glog.V(4).Infof("Photon Persistent Disk setup %s to %s", b.pdID, dir)
|
||||
|
||||
// TODO: handle failed mounts here.
|
||||
|
|
|
@ -259,12 +259,12 @@ func (b *portworxVolumeMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *portworxVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *portworxVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUpAt attaches the disk and bind mounts to the volume path.
|
||||
func (b *portworxVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *portworxVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("Portworx Volume set up: %s %v %v", dir, !notMnt, err)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
|
|
|
@ -177,11 +177,11 @@ func (s *projectedVolumeMounter) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (s *projectedVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (s *projectedVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return s.SetUpAt(s.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (s *projectedVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (s *projectedVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
glog.V(3).Infof("Setting up volume %v for pod %v at %v", s.volName, s.pod.UID, dir)
|
||||
|
||||
wrapped, err := s.plugin.host.NewWrapperMounter(s.volName, wrappedVolumeSpec(), s.pod, *s.opts)
|
||||
|
|
|
@ -234,12 +234,12 @@ func (mounter *quobyteMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (mounter *quobyteMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (mounter *quobyteMounter) SetUp(fsGroup *int64) error {
|
||||
pluginDir := mounter.plugin.host.GetPluginDir(strings.EscapeQualifiedNameForDisk(quobytePluginName))
|
||||
return mounter.SetUpAt(pluginDir, fsGroup)
|
||||
}
|
||||
|
||||
func (mounter *quobyteMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (mounter *quobyteMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
// Check if Quobyte is already mounted on the host in the Plugin Dir
|
||||
// if so we can use this mountpoint instead of creating a new one
|
||||
// IsLikelyNotMountPoint wouldn't check the mount type
|
||||
|
|
|
@ -26,7 +26,6 @@ import (
|
|||
"os"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/util/mount"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
|
@ -46,7 +45,7 @@ type diskManager interface {
|
|||
}
|
||||
|
||||
// utility to mount a disk based filesystem
|
||||
func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
|
||||
func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
|
||||
globalPDPath := manager.MakeGlobalPDName(*b.rbd)
|
||||
// TODO: handle failed mounts here.
|
||||
notMnt, err := mounter.IsLikelyNotMountPoint(volPath)
|
||||
|
|
|
@ -403,11 +403,11 @@ func (b *rbdMounter) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (b *rbdMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *rbdMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *rbdMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *rbdMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
// diskSetUp checks mountpoints and prevent repeated calls
|
||||
glog.V(4).Infof("rbd: attempting to SetUp and mount %s", dir)
|
||||
err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
|
||||
|
|
|
@ -79,12 +79,12 @@ func (v *sioVolume) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (v *sioVolume) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (v *sioVolume) SetUp(fsGroup *int64) error {
|
||||
return v.SetUpAt(v.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
// SetUp bind mounts the disk global mount to the volume path.
|
||||
func (v *sioVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (v *sioVolume) SetUpAt(dir string, fsGroup *int64) error {
|
||||
v.plugin.volumeMtx.LockKey(v.volSpecName)
|
||||
defer v.plugin.volumeMtx.UnlockKey(v.volSpecName)
|
||||
|
||||
|
|
|
@ -178,11 +178,11 @@ func (b *secretVolumeMounter) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (b *secretVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *secretVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
|
||||
|
||||
// Wrap EmptyDir, let it do the setup.
|
||||
|
|
|
@ -333,7 +333,7 @@ func (b *storageosMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *storageosMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *storageosMounter) SetUp(fsGroup *int64) error {
|
||||
// Need a namespace to find the volume, try pod's namespace if not set.
|
||||
if b.volNamespace == "" {
|
||||
glog.V(2).Infof("Setting StorageOS volume namespace to pod namespace: %s", b.podNamespace)
|
||||
|
@ -360,7 +360,7 @@ func (b *storageosMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
|||
}
|
||||
|
||||
// SetUp bind mounts the disk global mount to the give volume path.
|
||||
func (b *storageosMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *storageosMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
|
||||
glog.V(4).Infof("StorageOS volume set up: %s %v %v", dir, !notMnt, err)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
|
|
|
@ -354,7 +354,7 @@ func (fv *FakeVolume) CanMount() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (fv *FakeVolume) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (fv *FakeVolume) SetUp(fsGroup *int64) error {
|
||||
fv.Lock()
|
||||
defer fv.Unlock()
|
||||
fv.SetUpCallCount++
|
||||
|
@ -367,7 +367,7 @@ func (fv *FakeVolume) GetSetUpCallCount() int {
|
|||
return fv.SetUpCallCount
|
||||
}
|
||||
|
||||
func (fv *FakeVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (fv *FakeVolume) SetUpAt(dir string, fsGroup *int64) error {
|
||||
return os.MkdirAll(dir, 0750)
|
||||
}
|
||||
|
||||
|
|
|
@ -392,7 +392,7 @@ func (og *operationGenerator) GenerateMountVolumeFunc(
|
|||
volumeAttacher, _ = attachableVolumePlugin.NewAttacher()
|
||||
}
|
||||
|
||||
var fsGroup *types.UnixGroupID
|
||||
var fsGroup *int64
|
||||
if volumeToMount.Pod.Spec.SecurityContext != nil &&
|
||||
volumeToMount.Pod.Spec.SecurityContext.FSGroup != nil {
|
||||
fsGroup = volumeToMount.Pod.Spec.SecurityContext.FSGroup
|
||||
|
|
|
@ -109,14 +109,14 @@ type Mounter interface {
|
|||
// content should be owned by 'fsGroup' so that it can be
|
||||
// accessed by the pod. This may be called more than once, so
|
||||
// implementations must be idempotent.
|
||||
SetUp(fsGroup *types.UnixGroupID) error
|
||||
SetUp(fsGroup *int64) error
|
||||
// SetUpAt prepares and mounts/unpacks the volume to the
|
||||
// specified directory path, which may or may not exist yet.
|
||||
// The mount point and its content should be owned by
|
||||
// 'fsGroup' so that it can be accessed by the pod. This may
|
||||
// be called more than once, so implementations must be
|
||||
// idempotent.
|
||||
SetUpAt(dir string, fsGroup *types.UnixGroupID) error
|
||||
SetUpAt(dir string, fsGroup *int64) error
|
||||
// GetAttributes returns the attributes of the mounter.
|
||||
GetAttributes() Attributes
|
||||
}
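Review bot: Now that `fsGroup` is a bare `*int64` in `SetUp` and `SetUpAt`, the `Mounter` doc comments are the only record of what the value means, and they do not say what a nil pointer requests. `SetVolumeOwnership` documents nil as "nothing is done" and the operation generator leaves the pointer nil when the pod sets no FSGroup, so I would add `// A nil fsGroup requests no ownership change.` to both method comments. The start of the `SetUp` comment is above the hunk.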
|
||||
|
|
|
@ -24,8 +24,6 @@ import (
|
|||
|
||||
"os"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
|
||||
"github.com/golang/glog"
|
||||
)
|
||||
|
||||
|
@ -37,7 +35,7 @@ const (
|
|||
// SetVolumeOwnership modifies the given volume to be owned by
|
||||
// fsGroup, and sets SetGid so that newly created files are owned by
|
||||
// fsGroup. If fsGroup is nil nothing is done.
|
||||
func SetVolumeOwnership(mounter Mounter, fsGroup *types.UnixGroupID) error {
|
||||
func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error {
|
||||
|
||||
if fsGroup == nil {
|
||||
return nil
|
||||
|
|
|
@ -18,8 +18,6 @@ limitations under the License.
|
|||
|
||||
package volume
|
||||
|
||||
import "k8s.io/apimachinery/pkg/types"
|
||||
|
||||
func SetVolumeOwnership(mounter Mounter, fsGroup *types.UnixGroupID) error {
|
||||
func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error {
|
||||
return nil
|
||||
}
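Review bot: This `SetVolumeOwnership` returns nil without reading `fsGroup` and has no doc comment, so a caller that asked for group ownership is told the call succeeded while the volume is left as it was. I would at least document it with `// SetVolumeOwnership is a no-op in this build; fsGroup is ignored and volume ownership is not changed.` The build constraint that selects this file is not visible in the hunk, so which platforms are affected should be confirmed from the file header.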
|
||||
|
|
|
@ -194,7 +194,7 @@ func (b *vsphereVolumeMounter) GetAttributes() volume.Attributes {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *vsphereVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
|
||||
func (b *vsphereVolumeMounter) SetUp(fsGroup *int64) error {
|
||||
return b.SetUpAt(b.GetPath(), fsGroup)
|
||||
}
|
||||
|
||||
|
@ -206,7 +206,7 @@ func (b *vsphereVolumeMounter) CanMount() error {
|
|||
}
|
||||
|
||||
// SetUp attaches the disk and bind mounts to the volume path.
|
||||
func (b *vsphereVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
|
||||
func (b *vsphereVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
|
||||
glog.V(5).Infof("vSphere volume setup %s to %s", b.volPath, dir)
|
||||
|
||||
// TODO: handle failed mounts here.
|
||||
|
|
|
@ -25,7 +25,6 @@ import (
|
|||
"github.com/stretchr/testify/assert"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/diff"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
kadmission "k8s.io/apiserver/pkg/admission"
|
||||
|
@ -835,7 +834,7 @@ func TestAdmitRunAsUser(t *testing.T) {
|
|||
// doesn't matter if we set it here or on the container, the
|
||||
// admission controller uses DetermineEffectiveSC to get the defaulting
|
||||
// behavior so it can validate what will be applied at runtime
|
||||
userID := types.UnixUserID(user)
|
||||
userID := int64(user)
|
||||
pod.Spec.SecurityContext.RunAsUser = &userID
|
||||
return pod
|
||||
}
|
||||
|
@ -855,7 +854,7 @@ func TestAdmitRunAsUser(t *testing.T) {
|
|||
pod *kapi.Pod
|
||||
psps []*extensions.PodSecurityPolicy
|
||||
shouldPass bool
|
||||
expectedRunAsUser *types.UnixUserID
|
||||
expectedRunAsUser *int64
|
||||
expectedPSP string
|
||||
}{
|
||||
"runAsAny no pod request": {
|
||||
|
@ -941,8 +940,8 @@ func TestAdmitSupplementalGroups(t *testing.T) {
|
|||
// doesn't matter if we set it here or on the container, the
|
||||
// admission controller uses DetermineEffectiveSC to get the defaulting
|
||||
// behavior so it can validate what will be applied at runtime
|
||||
groupID := types.UnixGroupID(group)
|
||||
pod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{groupID}
|
||||
groupID := int64(group)
|
||||
pod.Spec.SecurityContext.SupplementalGroups = []int64{groupID}
|
||||
return pod
|
||||
}
|
||||
|
||||
|
@ -957,28 +956,28 @@ func TestAdmitSupplementalGroups(t *testing.T) {
|
|||
pod *kapi.Pod
|
||||
psps []*extensions.PodSecurityPolicy
|
||||
shouldPass bool
|
||||
expectedSupGroups []types.UnixGroupID
|
||||
expectedSupGroups []int64
|
||||
expectedPSP string
|
||||
}{
|
||||
"runAsAny no pod request": {
|
||||
pod: goodPod(),
|
||||
psps: []*extensions.PodSecurityPolicy{runAsAny},
|
||||
shouldPass: true,
|
||||
expectedSupGroups: []types.UnixGroupID{},
|
||||
expectedSupGroups: []int64{},
|
||||
expectedPSP: runAsAny.Name,
|
||||
},
|
||||
"runAsAny pod request": {
|
||||
pod: createPodWithSupGroup(1),
|
||||
psps: []*extensions.PodSecurityPolicy{runAsAny},
|
||||
shouldPass: true,
|
||||
expectedSupGroups: []types.UnixGroupID{1},
|
||||
expectedSupGroups: []int64{1},
|
||||
expectedPSP: runAsAny.Name,
|
||||
},
|
||||
"mustRunAs no pod request": {
|
||||
pod: goodPod(),
|
||||
psps: []*extensions.PodSecurityPolicy{mustRunAs},
|
||||
shouldPass: true,
|
||||
expectedSupGroups: []types.UnixGroupID{mustRunAs.Spec.SupplementalGroups.Ranges[0].Min},
|
||||
expectedSupGroups: []int64{mustRunAs.Spec.SupplementalGroups.Ranges[0].Min},
|
||||
expectedPSP: mustRunAs.Name,
|
||||
},
|
||||
"mustRunAs bad pod request": {
|
||||
|
@ -990,7 +989,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
|
|||
pod: createPodWithSupGroup(999),
|
||||
psps: []*extensions.PodSecurityPolicy{mustRunAs},
|
||||
shouldPass: true,
|
||||
expectedSupGroups: []types.UnixGroupID{999},
|
||||
expectedSupGroups: []int64{999},
|
||||
expectedPSP: mustRunAs.Name,
|
||||
},
|
||||
}
|
||||
|
@ -1035,7 +1034,7 @@ func TestAdmitFSGroup(t *testing.T) {
|
|||
pod *kapi.Pod
|
||||
psps []*extensions.PodSecurityPolicy
|
||||
shouldPass bool
|
||||
expectedFSGroup *types.UnixGroupID
|
||||
expectedFSGroup *int64
|
||||
expectedPSP string
|
||||
}{
|
||||
"runAsAny no pod request": {
|
||||
|
@ -1711,7 +1710,7 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
|
|||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
||||
Rule: extensions.RunAsUserStrategyMustRunAs,
|
||||
Ranges: []extensions.UserIDRange{
|
||||
{Min: types.UnixUserID(999), Max: types.UnixUserID(999)},
|
||||
{Min: int64(999), Max: int64(999)},
|
||||
},
|
||||
},
|
||||
SELinux: extensions.SELinuxStrategyOptions{
|
||||
|
@ -1723,13 +1722,13 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
|
|||
FSGroup: extensions.FSGroupStrategyOptions{
|
||||
Rule: extensions.FSGroupStrategyMustRunAs,
|
||||
Ranges: []extensions.GroupIDRange{
|
||||
{Min: types.UnixGroupID(999), Max: types.UnixGroupID(999)},
|
||||
{Min: int64(999), Max: int64(999)},
|
||||
},
|
||||
},
|
||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
||||
Rule: extensions.SupplementalGroupsStrategyMustRunAs,
|
||||
Ranges: []extensions.GroupIDRange{
|
||||
{Min: types.UnixGroupID(999), Max: types.UnixGroupID(999)},
|
||||
{Min: int64(999), Max: int64(999)},
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -1774,12 +1773,12 @@ func goodPod() *kapi.Pod {
|
|||
}
|
||||
}
|
||||
|
||||
func userIDPtr(i int) *types.UnixUserID {
|
||||
userID := types.UnixUserID(i)
|
||||
func userIDPtr(i int) *int64 {
|
||||
userID := int64(i)
|
||||
return &userID
|
||||
}
|
||||
|
||||
func groupIDPtr(i int) *types.UnixGroupID {
|
||||
groupID := types.UnixGroupID(i)
|
||||
func groupIDPtr(i int) *int64 {
|
||||
groupID := int64(i)
|
||||
return &groupID
|
||||
}
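Review bot: `userIDPtr` and `groupIDPtr` at the end of this section now have the same signature and body (`func(i int) *int64`), so a test case that uses the group helper where a user ID is expected, or the reverse, compiles without complaint; the removed `types.UnixUserID`/`types.UnixGroupID` made that a type error. These tests pin what PodSecurityPolicy admits for RunAsUser, FSGroup and SupplementalGroups, so a mixed-up helper would weaken a case silently. I would keep both names and say why, e.g. `// userIDPtr and groupIDPtr return the same type; pick the one matching the field being set.` The same loss of checking applies to `doProjectedSecretE2EWithoutMapping` and `doSecretE2EWithoutMapping` later in the commit, whose adjacent `fsGroup *int64, uid *int64` parameters can now be swapped at a call site.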
|
||||
|
|
|
@ -19,7 +19,6 @@ package scdeny
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apiserver/pkg/admission"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
)
|
||||
|
@ -28,7 +27,7 @@ import (
|
|||
func TestAdmission(t *testing.T) {
|
||||
handler := NewSecurityContextDeny()
|
||||
|
||||
runAsUser := types.UnixUserID(1)
|
||||
runAsUser := int64(1)
|
||||
priv := true
|
||||
|
||||
cases := []struct {
|
||||
|
@ -116,7 +115,7 @@ func TestPodSecurityContextAdmission(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
fsGroup := types.UnixGroupID(1001)
|
||||
fsGroup := int64(1001)
|
||||
|
||||
tests := []struct {
|
||||
securityContext api.PodSecurityContext
|
||||
|
@ -128,7 +127,7 @@ func TestPodSecurityContextAdmission(t *testing.T) {
|
|||
},
|
||||
{
|
||||
securityContext: api.PodSecurityContext{
|
||||
SupplementalGroups: []types.UnixGroupID{types.UnixGroupID(1234)},
|
||||
SupplementalGroups: []int64{int64(1234)},
|
||||
},
|
||||
errorExpected: true,
|
||||
},
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
/*
|
||||
Copyright 2016 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package types
|
||||
|
||||
// int64 is used as a safe bet against wrap-around (uid's are general
|
||||
// int32) and to support uid_t -1, and -2.
|
||||
|
||||
type UnixUserID int64
|
||||
type UnixGroupID int64
|
|
@ -22,8 +22,6 @@ import (
|
|||
"net"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
const qnameCharFmt string = "[A-Za-z0-9]"
|
||||
|
@ -200,7 +198,7 @@ const (
|
|||
)
|
||||
|
||||
// IsValidGroupID tests that the argument is a valid Unix GID.
|
||||
func IsValidGroupID(gid types.UnixGroupID) []string {
|
||||
func IsValidGroupID(gid int64) []string {
|
||||
if minGroupID <= gid && gid <= maxGroupID {
|
||||
return nil
|
||||
}
|
||||
|
@ -208,7 +206,7 @@ func IsValidGroupID(gid types.UnixGroupID) []string {
|
|||
}
|
||||
|
||||
// IsValidUserID tests that the argument is a valid Unix UID.
|
||||
func IsValidUserID(uid types.UnixUserID) []string {
|
||||
func IsValidUserID(uid int64) []string {
|
||||
if minUserID <= uid && uid <= maxUserID {
|
||||
return nil
|
||||
}
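Review bot: The doc comments on `IsValidGroupID` and `IsValidUserID` do not say which range is accepted, and with the parameter now a plain `int64` the signature no longer hints at it either. The bounds `minGroupID`/`maxGroupID` and `minUserID`/`maxUserID` are declared outside the hunk, so the comment is the only place a caller sees the contract; I would write `// IsValidGroupID tests that gid lies in [minGroupID, maxGroupID] and returns nil if it does.` and the matching line for the user variant. Both function bodies continue past the hunk, so the wording for the failure return should be checked against them.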
|
||||
|
|
|
@ -19,8 +19,6 @@ package validation
|
|||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
func TestIsDNS1123Label(t *testing.T) {
|
||||
|
@ -156,18 +154,18 @@ func TestIsValidPortNum(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func createGroupIDs(ids ...int64) []types.UnixGroupID {
|
||||
var output []types.UnixGroupID
|
||||
func createGroupIDs(ids ...int64) []int64 {
|
||||
var output []int64
|
||||
for _, id := range ids {
|
||||
output = append(output, types.UnixGroupID(id))
|
||||
output = append(output, int64(id))
|
||||
}
|
||||
return output
|
||||
}
|
||||
|
||||
func createUserIDs(ids ...int64) []types.UnixUserID {
|
||||
var output []types.UnixUserID
|
||||
func createUserIDs(ids ...int64) []int64 {
|
||||
var output []int64
|
||||
for _, id := range ids {
|
||||
output = append(output, types.UnixUserID(id))
|
||||
output = append(output, int64(id))
|
||||
}
|
||||
return output
|
||||
}
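Review bot: `int64(id)` in `createGroupIDs` and `createUserIDs` converts an `int64` to `int64`, since both take `ids ...int64`; after this change the two helpers only copy their argument. The loop can become `output = append(output, ids...)`, or the callers (outside this hunk) can pass the values directly. The same no-op conversion appears elsewhere in the commit where the operand type is visible: `int64(uid)` and `int64(fsGroup)` in the `doConfigMapE2E…` and `doProjectedConfigMapE2E…` functions, whose parameters are already `uid, fsGroup int64`, and `int64(999)` inside the `UserIDRange`/`GroupIDRange` literals in `restrictivePSP`, where `Min` and `Max` are `int64` fields.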
|
||||
|
|
|
@ -2263,7 +2263,7 @@ type PodSecurityContext struct {
|
|||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
// +optional
|
||||
RunAsUser *types.UnixUserID
|
||||
RunAsUser *int64
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
|
||||
|
@ -2276,7 +2276,7 @@ type PodSecurityContext struct {
|
|||
// to the container's primary GID. If unspecified, no groups will be added to
|
||||
// any container.
|
||||
// +optional
|
||||
SupplementalGroups []types.UnixGroupID
|
||||
SupplementalGroups []int64
|
||||
// A special supplemental group that applies to all containers in a pod.
|
||||
// Some volume types allow the Kubelet to change the ownership of that volume
|
||||
// to be owned by the pod:
|
||||
|
@ -2287,7 +2287,7 @@ type PodSecurityContext struct {
|
|||
//
|
||||
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
|
||||
// +optional
|
||||
FSGroup *types.UnixGroupID
|
||||
FSGroup *int64
|
||||
}
|
||||
|
||||
// PodQOSClass defines the supported qos classes of Pods.
|
||||
|
@ -3924,7 +3924,7 @@ type SecurityContext struct {
|
|||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// +optional
|
||||
RunAsUser *types.UnixUserID
|
||||
RunAsUser *int64
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
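Review bot: Nothing at `RunAsUser *int64`, `SupplementalGroups []int64` or `FSGroup *int64` says why a signed 64-bit integer holds a Unix ID; that reasoning was the comment on the deleted `UnixUserID`/`UnixGroupID` declarations ("a safe bet against wrap-around (uid's are general int32) and to support uid_t -1, and -2"). I would carry one line over next to the fields, for example `// int64 guards against wrap-around of 32-bit IDs.`, and leave out the -1/-2 part unless validation is confirmed to accept negative values, since its bounds are not visible on this page. The same applies to the tagged `PodSecurityContext` and `SecurityContext` fields in the next file section. Both struct definitions start outside the hunks shown.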
|
||||
|
|
|
@ -2548,7 +2548,7 @@ type PodSecurityContext struct {
|
|||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
// +optional
|
||||
RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
|
||||
|
@ -2561,7 +2561,7 @@ type PodSecurityContext struct {
|
|||
// to the container's primary GID. If unspecified, no groups will be added to
|
||||
// any container.
|
||||
// +optional
|
||||
SupplementalGroups []types.UnixGroupID `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
|
||||
SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
|
||||
// A special supplemental group that applies to all containers in a pod.
|
||||
// Some volume types allow the Kubelet to change the ownership of that volume
|
||||
// to be owned by the pod:
|
||||
|
@ -2572,7 +2572,7 @@ type PodSecurityContext struct {
|
|||
//
|
||||
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
|
||||
// +optional
|
||||
FSGroup *types.UnixGroupID `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
|
||||
FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
|
||||
}
|
||||
|
||||
// PodQOSClass defines the supported qos classes of Pods.
|
||||
|
@ -4511,7 +4511,7 @@ type SecurityContext struct {
|
|||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// +optional
|
||||
RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
|
||||
|
|
|
@ -31,7 +31,6 @@ package extensions
|
|||
import (
|
||||
"k8s.io/apimachinery/pkg/api/resource"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"k8s.io/client-go/pkg/api"
|
||||
)
|
||||
|
@ -980,17 +979,17 @@ type RunAsUserStrategyOptions struct {
|
|||
// UserIDRange provides a min/max of an allowed range of UserIDs.
|
||||
type UserIDRange struct {
|
||||
// Min is the start of the range, inclusive.
|
||||
Min types.UnixUserID
|
||||
Min int64
|
||||
// Max is the end of the range, inclusive.
|
||||
Max types.UnixUserID
|
||||
Max int64
|
||||
}
|
||||
|
||||
// GroupIDRange provides a min/max of an allowed range of GroupIDs.
|
||||
type GroupIDRange struct {
|
||||
// Min is the start of the range, inclusive.
|
||||
Min types.UnixGroupID
|
||||
Min int64
|
||||
// Max is the end of the range, inclusive.
|
||||
Max types.UnixGroupID
|
||||
Max int64
|
||||
}
|
||||
|
||||
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
|
||||
|
|
|
@ -25,7 +25,6 @@ import (
|
|||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
|
@ -523,8 +522,8 @@ func newEnvFromConfigMap(f *framework.Framework, name string) *v1.ConfigMap {
|
|||
}
|
||||
|
||||
func doConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, defaultMode *int32) {
|
||||
userID := types.UnixUserID(uid)
|
||||
groupID := types.UnixGroupID(fsGroup)
|
||||
userID := int64(uid)
|
||||
groupID := int64(fsGroup)
|
||||
|
||||
var (
|
||||
name = "configmap-test-volume-" + string(uuid.NewUUID())
|
||||
|
@ -602,8 +601,8 @@ func doConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, d
|
|||
}
|
||||
|
||||
func doConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, itemMode *int32) {
|
||||
userID := types.UnixUserID(uid)
|
||||
groupID := types.UnixGroupID(fsGroup)
|
||||
userID := int64(uid)
|
||||
groupID := int64(fsGroup)
|
||||
|
||||
var (
|
||||
name = "configmap-test-volume-map-" + string(uuid.NewUUID())
|
||||
|
|
|
@ -28,7 +28,6 @@ import (
|
|||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
var _ = framework.KubeDescribe("Downward API volume", func() {
|
||||
|
@ -71,8 +70,8 @@ var _ = framework.KubeDescribe("Downward API volume", func() {
|
|||
|
||||
It("should provide podname as non-root with fsgroup [Feature:FSGroup] [Volume]", func() {
|
||||
podName := "metadata-volume-" + string(uuid.NewUUID())
|
||||
uid := types.UnixUserID(1001)
|
||||
gid := types.UnixGroupID(1234)
|
||||
uid := int64(1001)
|
||||
gid := int64(1234)
|
||||
pod := downwardAPIVolumePodForSimpleTest(podName, "/etc/podname")
|
||||
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
||||
RunAsUser: &uid,
|
||||
|
@ -85,8 +84,8 @@ var _ = framework.KubeDescribe("Downward API volume", func() {
|
|||
|
||||
It("should provide podname as non-root with fsgroup and defaultMode [Feature:FSGroup] [Volume]", func() {
|
||||
podName := "metadata-volume-" + string(uuid.NewUUID())
|
||||
uid := types.UnixUserID(1001)
|
||||
gid := types.UnixGroupID(1234)
|
||||
uid := int64(1001)
|
||||
gid := int64(1234)
|
||||
mode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
pod := downwardAPIVolumePodForModeTest(podName, "/etc/podname", &mode, nil)
|
||||
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
||||
|
|
|
@ -27,7 +27,6 @@ import (
|
|||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -142,7 +141,7 @@ func doTestSetgidFSGroup(f *framework.Framework, image string, medium v1.Storage
|
|||
fmt.Sprintf("--file_owner=%v", filePath),
|
||||
}
|
||||
|
||||
fsGroup := types.UnixGroupID(123)
|
||||
fsGroup := int64(123)
|
||||
pod.Spec.SecurityContext.FSGroup = &fsGroup
|
||||
|
||||
msg := fmt.Sprintf("emptydir 0644 on %v", formatMedium(medium))
|
||||
|
@ -172,7 +171,7 @@ func doTestSubPathFSGroup(f *framework.Framework, image string, medium v1.Storag
|
|||
|
||||
pod.Spec.Containers[0].VolumeMounts[0].SubPath = subPath
|
||||
|
||||
fsGroup := types.UnixGroupID(123)
|
||||
fsGroup := int64(123)
|
||||
pod.Spec.SecurityContext.FSGroup = &fsGroup
|
||||
|
||||
msg := fmt.Sprintf("emptydir subpath on %v", formatMedium(medium))
|
||||
|
@ -198,7 +197,7 @@ func doTestVolumeModeFSGroup(f *framework.Framework, image string, medium v1.Sto
|
|||
fmt.Sprintf("--file_perm=%v", volumePath),
|
||||
}
|
||||
|
||||
fsGroup := types.UnixGroupID(1001)
|
||||
fsGroup := int64(1001)
|
||||
pod.Spec.SecurityContext.FSGroup = &fsGroup
|
||||
|
||||
msg := fmt.Sprintf("emptydir volume type on %v", formatMedium(medium))
|
||||
|
@ -224,7 +223,7 @@ func doTest0644FSGroup(f *framework.Framework, image string, medium v1.StorageMe
|
|||
fmt.Sprintf("--file_perm=%v", filePath),
|
||||
}
|
||||
|
||||
fsGroup := types.UnixGroupID(123)
|
||||
fsGroup := int64(123)
|
||||
pod.Spec.SecurityContext.FSGroup = &fsGroup
|
||||
|
||||
msg := fmt.Sprintf("emptydir 0644 on %v", formatMedium(medium))
|
||||
|
|
|
@ -29,7 +29,6 @@ import (
|
|||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
var _ = framework.KubeDescribe("Projected", func() {
|
||||
|
@ -47,8 +46,8 @@ var _ = framework.KubeDescribe("Projected", func() {
|
|||
|
||||
It("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [Conformance] [Volume]", func() {
|
||||
defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
fsGroup := types.UnixGroupID(1001)
|
||||
uid := types.UnixUserID(1000)
|
||||
fsGroup := int64(1001)
|
||||
uid := int64(1000)
|
||||
doProjectedSecretE2EWithoutMapping(f, &defaultMode, "projected-secret-test-"+string(uuid.NewUUID()), &fsGroup, &uid)
|
||||
})
|
||||
|
||||
|
@ -834,8 +833,8 @@ var _ = framework.KubeDescribe("Projected", func() {
|
|||
|
||||
It("should provide podname as non-root with fsgroup [Feature:FSGroup] [Volume]", func() {
|
||||
podName := "metadata-volume-" + string(uuid.NewUUID())
|
||||
uid := types.UnixUserID(1001)
|
||||
gid := types.UnixGroupID(1234)
|
||||
uid := int64(1001)
|
||||
gid := int64(1234)
|
||||
pod := downwardAPIVolumePodForSimpleTest(podName, "/etc/podname")
|
||||
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
||||
RunAsUser: &uid,
|
||||
|
@ -848,8 +847,8 @@ var _ = framework.KubeDescribe("Projected", func() {
|
|||
|
||||
It("should provide podname as non-root with fsgroup and defaultMode [Feature:FSGroup] [Volume]", func() {
|
||||
podName := "metadata-volume-" + string(uuid.NewUUID())
|
||||
uid := types.UnixUserID(1001)
|
||||
gid := types.UnixGroupID(1234)
|
||||
uid := int64(1001)
|
||||
gid := int64(1234)
|
||||
mode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
pod := projectedDownwardAPIVolumePodForModeTest(podName, "/etc/podname", &mode, nil)
|
||||
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
||||
|
@ -1025,7 +1024,7 @@ var _ = framework.KubeDescribe("Projected", func() {
|
|||
})
|
||||
|
||||
func doProjectedSecretE2EWithoutMapping(f *framework.Framework, defaultMode *int32,
|
||||
secretName string, fsGroup *types.UnixGroupID, uid *types.UnixUserID) {
|
||||
secretName string, fsGroup *int64, uid *int64) {
|
||||
var (
|
||||
volumeName = "projected-secret-volume"
|
||||
volumeMountPath = "/etc/projected-secret-volume"
|
||||
|
@ -1185,8 +1184,8 @@ func doProjectedSecretE2EWithMapping(f *framework.Framework, mode *int32) {
|
|||
}
|
||||
|
||||
func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, defaultMode *int32) {
|
||||
userID := types.UnixUserID(uid)
|
||||
groupID := types.UnixGroupID(fsGroup)
|
||||
userID := int64(uid)
|
||||
groupID := int64(fsGroup)
|
||||
|
||||
var (
|
||||
name = "projected-configmap-test-volume-" + string(uuid.NewUUID())
|
||||
|
@ -1269,8 +1268,8 @@ func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup
|
|||
}
|
||||
|
||||
func doProjectedConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, itemMode *int32) {
|
||||
userID := types.UnixUserID(uid)
|
||||
groupID := types.UnixGroupID(fsGroup)
|
||||
userID := int64(uid)
|
||||
groupID := int64(fsGroup)
|
||||
|
||||
var (
|
||||
name = "projected-configmap-test-volume-map-" + string(uuid.NewUUID())
|
||||
|
|
|
@ -29,7 +29,6 @@ import (
|
|||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
var _ = framework.KubeDescribe("Secrets", func() {
|
||||
|
@ -46,8 +45,8 @@ var _ = framework.KubeDescribe("Secrets", func() {
|
|||
|
||||
It("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [Conformance] [Volume]", func() {
|
||||
defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
fsGroup := types.UnixGroupID(1001)
|
||||
uid := types.UnixUserID(1000)
|
||||
fsGroup := int64(1001)
|
||||
uid := int64(1000)
|
||||
doSecretE2EWithoutMapping(f, &defaultMode, "secret-test-"+string(uuid.NewUUID()), &fsGroup, &uid)
|
||||
})
|
||||
|
||||
|
@ -455,7 +454,7 @@ func secretForTest(namespace, name string) *v1.Secret {
|
|||
}
|
||||
|
||||
func doSecretE2EWithoutMapping(f *framework.Framework, defaultMode *int32, secretName string,
|
||||
fsGroup *types.UnixGroupID, uid *types.UnixUserID) {
|
||||
fsGroup *int64, uid *int64) {
|
||||
var (
|
||||
volumeName = "secret-volume"
|
||||
volumeMountPath = "/etc/secret-volume"
|
||||
|
|
|
@ -46,7 +46,6 @@ import (
|
|||
|
||||
apierrs "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
||||
|
||||
|
@ -243,7 +242,7 @@ func VolumeTestCleanup(f *Framework, config VolumeTestConfig) {
|
|||
// and check that the pod sees expected data, e.g. from the server pod.
|
||||
// Multiple VolumeTests can be specified to mount multiple volumes to a single
|
||||
// pod.
|
||||
func TestVolumeClient(client clientset.Interface, config VolumeTestConfig, fsGroup *types.UnixGroupID, tests []VolumeTest) {
|
||||
func TestVolumeClient(client clientset.Interface, config VolumeTestConfig, fsGroup *int64, tests []VolumeTest) {
|
||||
By(fmt.Sprint("starting ", config.Prefix, " client"))
|
||||
clientPod := &v1.Pod{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
|
|
|
@ -26,7 +26,6 @@ import (
|
|||
"fmt"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
|
@ -66,14 +65,14 @@ var _ = framework.KubeDescribe("Security Context [Feature:SecurityContext]", fun
|
|||
It("should support pod.Spec.SecurityContext.SupplementalGroups", func() {
|
||||
pod := scTestPod(false, false)
|
||||
pod.Spec.Containers[0].Command = []string{"id", "-G"}
|
||||
pod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{1234, 5678}
|
||||
pod.Spec.SecurityContext.SupplementalGroups = []int64{1234, 5678}
|
||||
groups := []string{"1234", "5678"}
|
||||
f.TestContainerOutput("pod.Spec.SecurityContext.SupplementalGroups", pod, 0, groups)
|
||||
})
|
||||
|
||||
It("should support pod.Spec.SecurityContext.RunAsUser", func() {
|
||||
pod := scTestPod(false, false)
|
||||
userID := types.UnixUserID(1001)
|
||||
userID := int64(1001)
|
||||
pod.Spec.SecurityContext.RunAsUser = &userID
|
||||
pod.Spec.Containers[0].Command = []string{"sh", "-c", "id -u"}
|
||||
|
||||
|
@ -84,8 +83,8 @@ var _ = framework.KubeDescribe("Security Context [Feature:SecurityContext]", fun
|
|||
|
||||
It("should support container.SecurityContext.RunAsUser", func() {
|
||||
pod := scTestPod(false, false)
|
||||
userID := types.UnixUserID(1001)
|
||||
overrideUserID := types.UnixUserID(1002)
|
||||
userID := int64(1001)
|
||||
overrideUserID := int64(1002)
|
||||
pod.Spec.SecurityContext.RunAsUser = &userID
|
||||
pod.Spec.Containers[0].SecurityContext = new(v1.SecurityContext)
|
||||
pod.Spec.Containers[0].SecurityContext.RunAsUser = &overrideUserID
|
||||
|
|
|
@ -264,7 +264,7 @@ var _ = framework.KubeDescribe("Volumes [Volume]", func() {
|
|||
ExpectedContent: "Hello from iSCSI",
|
||||
},
|
||||
}
|
||||
fsGroup := types.UnixGroupID(1234)
|
||||
fsGroup := int64(1234)
|
||||
framework.TestVolumeClient(cs, config, &fsGroup, tests)
|
||||
})
|
||||
})
|
||||
|
@ -343,7 +343,7 @@ var _ = framework.KubeDescribe("Volumes [Volume]", func() {
|
|||
ExpectedContent: "Hello from RBD",
|
||||
},
|
||||
}
|
||||
fsGroup := types.UnixGroupID(1234)
|
||||
fsGroup := int64(1234)
|
||||
framework.TestVolumeClient(cs, config, &fsGroup, tests)
|
||||
})
|
||||
})
|
||||
|
@ -496,7 +496,7 @@ var _ = framework.KubeDescribe("Volumes [Volume]", func() {
|
|||
|
||||
framework.InjectHtml(cs, config, tests[0].Volume, tests[0].ExpectedContent)
|
||||
|
||||
fsGroup := types.UnixGroupID(1234)
|
||||
fsGroup := int64(1234)
|
||||
framework.TestVolumeClient(cs, config, &fsGroup, tests)
|
||||
})
|
||||
})
|
||||
|
@ -550,7 +550,7 @@ var _ = framework.KubeDescribe("Volumes [Volume]", func() {
|
|||
|
||||
framework.InjectHtml(cs, config, tests[0].Volume, tests[0].ExpectedContent)
|
||||
|
||||
fsGroup := types.UnixGroupID(1234)
|
||||
fsGroup := int64(1234)
|
||||
framework.TestVolumeClient(cs, config, &fsGroup, tests)
|
||||
})
|
||||
})
|
||||
|
@ -682,7 +682,7 @@ var _ = framework.KubeDescribe("Volumes [Volume]", func() {
|
|||
|
||||
framework.InjectHtml(cs, config, tests[0].Volume, tests[0].ExpectedContent)
|
||||
|
||||
fsGroup := types.UnixGroupID(1234)
|
||||
fsGroup := int64(1234)
|
||||
framework.TestVolumeClient(cs, config, &fsGroup, tests)
|
||||
})
|
||||
})
|
||||
|
@ -732,7 +732,7 @@ var _ = framework.KubeDescribe("Volumes [Volume]", func() {
|
|||
|
||||
framework.InjectHtml(cs, config, tests[0].Volume, tests[0].ExpectedContent)
|
||||
|
||||
fsGroup := types.UnixGroupID(1234)
|
||||
fsGroup := int64(1234)
|
||||
framework.TestVolumeClient(cs, config, &fsGroup, tests)
|
||||
})
|
||||
})
|
||||
|
|
|
@ -21,7 +21,6 @@ import (
|
|||
"path"
|
||||
"time"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/kubelet/images"
|
||||
|
@ -130,8 +129,8 @@ while true; do sleep 1; done
|
|||
}
|
||||
})
|
||||
|
||||
rootUser := types.UnixUserID(0)
|
||||
nonRootUser := types.UnixUserID(10000)
|
||||
rootUser := int64(0)
|
||||
nonRootUser := int64(10000)
|
||||
for _, testCase := range []struct {
|
||||
name string
|
||||
container v1.Container
|
||||
|
|