diff --git a/pkg/security/podsecuritypolicy/BUILD b/pkg/security/podsecuritypolicy/BUILD index 38cbe10d41..abfd148dc4 100644 --- a/pkg/security/podsecuritypolicy/BUILD +++ b/pkg/security/podsecuritypolicy/BUILD @@ -17,7 +17,6 @@ go_library( importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy", deps = [ "//pkg/apis/core:go_default_library", - "//pkg/apis/policy:go_default_library", "//pkg/features:go_default_library", "//pkg/security/podsecuritypolicy/apparmor:go_default_library", "//pkg/security/podsecuritypolicy/capabilities:go_default_library", @@ -28,6 +27,8 @@ go_library( "//pkg/security/podsecuritypolicy/user:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library", "//pkg/securitycontext:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", @@ -41,11 +42,11 @@ go_test( deps = [ "//pkg/apis/core:go_default_library", "//pkg/apis/core/v1:go_default_library", - "//pkg/apis/policy:go_default_library", "//pkg/security/apparmor:go_default_library", "//pkg/security/podsecuritypolicy/seccomp:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", diff --git a/pkg/security/podsecuritypolicy/capabilities/BUILD b/pkg/security/podsecuritypolicy/capabilities/BUILD index c86bcd5b90..7e01f351e4 100644 --- a/pkg/security/podsecuritypolicy/capabilities/BUILD 
+++ b/pkg/security/podsecuritypolicy/capabilities/BUILD @@ -16,7 +16,8 @@ go_library( importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities", deps = [ "//pkg/apis/core:go_default_library", - "//pkg/apis/policy:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", ], @@ -28,7 +29,8 @@ go_test( embed = [":go_default_library"], deps = [ "//pkg/apis/core:go_default_library", - "//pkg/apis/policy:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", ], ) diff --git a/pkg/security/podsecuritypolicy/capabilities/capabilities.go b/pkg/security/podsecuritypolicy/capabilities/capabilities.go index f2fd012a2f..aa8c180509 100644 --- a/pkg/security/podsecuritypolicy/capabilities/capabilities.go +++ b/pkg/security/podsecuritypolicy/capabilities/capabilities.go @@ -19,10 +19,11 @@ package capabilities import ( "fmt" + corev1 "k8s.io/api/core/v1" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/apis/policy" ) // defaultCapabilities implements the Strategy interface 
@@ -36,11 +37,23 @@ var _ Strategy = &defaultCapabilities{} // NewDefaultCapabilities creates a new defaultCapabilities strategy that will provide defaults and validation // based on the configured initial caps and allowed caps. -func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []api.Capability) (Strategy, error) { +func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []corev1.Capability) (Strategy, error) { + internalDefaultAddCaps := make([]api.Capability, len(defaultAddCapabilities)) + for i, capability := range defaultAddCapabilities { + internalDefaultAddCaps[i] = api.Capability(capability) + } + internalRequiredDropCaps := make([]api.Capability, len(requiredDropCapabilities)) + for i, capability := range requiredDropCapabilities { + internalRequiredDropCaps[i] = api.Capability(capability) + } + internalAllowedCaps := make([]api.Capability, len(allowedCaps)) + for i, capability := range allowedCaps { + internalAllowedCaps[i] = api.Capability(capability) + } return &defaultCapabilities{ - defaultAddCapabilities: defaultAddCapabilities, - requiredDropCapabilities: requiredDropCapabilities, - allowedCaps: allowedCaps, + defaultAddCapabilities: internalDefaultAddCaps, + requiredDropCapabilities: internalRequiredDropCaps, + allowedCaps: internalAllowedCaps, }, nil } diff --git a/pkg/security/podsecuritypolicy/capabilities/capabilities_test.go b/pkg/security/podsecuritypolicy/capabilities/capabilities_test.go index 2bf32b8599..21eb092333 100644 --- a/pkg/security/podsecuritypolicy/capabilities/capabilities_test.go +++ b/pkg/security/podsecuritypolicy/capabilities/capabilities_test.go 
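Review bot: The three element-wise loops added to NewDefaultCapabilities are identical apart from the slice they convert; a small unexported helper would keep the constructor to its three field assignments and give any other PSP field carrying corev1.Capability one place to convert. Note also that a nil argument now becomes a non-nil empty `[]api.Capability` (make with length 0) where the old code stored the caller's nil; I cannot see from this hunk whether anything downstream distinguishes nil from empty (a `== nil` test or a printed value), so that is worth confirming before merging. The defaultCapabilities type and its methods lie outside the hunk.
```go
// internalCaps converts versioned capability names to the internal type the
// strategy works with; a nil input yields an empty, non-nil slice.
func internalCaps(caps []corev1.Capability) []api.Capability {
	out := make([]api.Capability, len(caps))
	for i, c := range caps {
		out[i] = api.Capability(c)
	}
	return out
}

func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []corev1.Capability) (Strategy, error) {
	return &defaultCapabilities{
		defaultAddCapabilities:   internalCaps(defaultAddCapabilities),
		requiredDropCapabilities: internalCaps(requiredDropCapabilities),
		allowedCaps:              internalCaps(allowedCaps),
	}, nil
}
```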
@@ -20,14 +20,15 @@ import ( "reflect" "testing" + corev1 "k8s.io/api/core/v1" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/apis/policy" ) func TestGenerateAdds(t *testing.T) { tests := map[string]struct { - defaultAddCaps []api.Capability + defaultAddCaps []corev1.Capability containerCaps *api.Capabilities expectedCaps *api.Capabilities }{ @@ -37,13 +38,13 @@ func TestGenerateAdds(t *testing.T) { expectedCaps: &api.Capabilities{}, }, "required, no container requests": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, expectedCaps: &api.Capabilities{ Add: []api.Capability{"foo"}, }, }, "required, container requests add required": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"foo"}, }, @@ -52,7 +53,7 @@ func TestGenerateAdds(t *testing.T) { }, }, "multiple required, container requests add required": { - defaultAddCaps: []api.Capability{"foo", "bar", "baz"}, + defaultAddCaps: []corev1.Capability{"foo", "bar", "baz"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"foo"}, }, @@ -61,7 +62,7 @@ func TestGenerateAdds(t *testing.T) { }, }, "required, container requests add non-required": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"bar"}, }, @@ -70,7 +71,7 @@ func TestGenerateAdds(t *testing.T) { }, }, "generation does not mutate unnecessarily": { - defaultAddCaps: []api.Capability{"foo", "bar"}, + defaultAddCaps: []corev1.Capability{"foo", "bar"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"foo", "foo", "bar", "baz"}, }, 
@@ -79,7 +80,7 @@ func TestGenerateAdds(t *testing.T) { }, }, "generation dedupes": { - defaultAddCaps: []api.Capability{"foo", "bar"}, + defaultAddCaps: []corev1.Capability{"foo", "bar"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"foo", "baz"}, }, @@ -88,7 +89,7 @@ func TestGenerateAdds(t *testing.T) { }, }, "generation is case sensitive - will not dedupe": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"FOO"}, }, @@ -127,8 +128,8 @@ func TestGenerateAdds(t *testing.T) { func TestGenerateDrops(t *testing.T) { tests := map[string]struct { - defaultAddCaps []api.Capability - requiredDropCaps []api.Capability + defaultAddCaps []corev1.Capability + requiredDropCaps []corev1.Capability containerCaps *api.Capabilities expectedCaps *api.Capabilities }{ @@ -140,13 +141,13 @@ func TestGenerateDrops(t *testing.T) { expectedCaps: &api.Capabilities{}, }, "required drops are defaulted": { - requiredDropCaps: []api.Capability{"foo"}, + requiredDropCaps: []corev1.Capability{"foo"}, expectedCaps: &api.Capabilities{ Drop: []api.Capability{"foo"}, }, }, "required drops are defaulted when making container requests": { - requiredDropCaps: []api.Capability{"baz"}, + requiredDropCaps: []corev1.Capability{"baz"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"foo", "bar"}, }, @@ -155,7 +156,7 @@ func TestGenerateDrops(t *testing.T) { }, }, "required drops do not mutate unnecessarily": { - requiredDropCaps: []api.Capability{"baz"}, + requiredDropCaps: []corev1.Capability{"baz"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"foo", "bar", "baz"}, }, @@ -164,7 +165,7 @@ func TestGenerateDrops(t *testing.T) { }, }, "can drop a required add": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"foo"}, }, 
@@ -173,7 +174,7 @@ func TestGenerateDrops(t *testing.T) { }, }, "can drop non-required add": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"bar"}, }, @@ -183,8 +184,8 @@ func TestGenerateDrops(t *testing.T) { }, }, "defaulting adds and drops, dropping a required add": { - defaultAddCaps: []api.Capability{"foo", "bar", "baz"}, - requiredDropCaps: []api.Capability{"abc"}, + defaultAddCaps: []corev1.Capability{"foo", "bar", "baz"}, + requiredDropCaps: []corev1.Capability{"abc"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"foo"}, }, @@ -194,7 +195,7 @@ func TestGenerateDrops(t *testing.T) { }, }, "generation dedupes": { - requiredDropCaps: []api.Capability{"baz", "foo"}, + requiredDropCaps: []corev1.Capability{"baz", "foo"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"bar", "foo"}, }, @@ -203,7 +204,7 @@ func TestGenerateDrops(t *testing.T) { }, }, "generation is case sensitive - will not dedupe": { - requiredDropCaps: []api.Capability{"bar"}, + requiredDropCaps: []corev1.Capability{"bar"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"BAR"}, }, 
@@ -241,30 +242,30 @@ func TestGenerateDrops(t *testing.T) { func TestValidateAdds(t *testing.T) { tests := map[string]struct { - defaultAddCaps []api.Capability - allowedCaps []api.Capability + defaultAddCaps []corev1.Capability + allowedCaps []corev1.Capability containerCaps *api.Capabilities expectedError string }{ // no container requests "no required, no allowed, no container requests": {}, "no required, allowed, no container requests": { - allowedCaps: []api.Capability{"foo"}, + allowedCaps: []corev1.Capability{"foo"}, }, "required, no allowed, no container requests": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, expectedError: `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`, }, // container requests match required "required, no allowed, container requests valid": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"foo"}, }, }, "required, no allowed, container requests invalid": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"bar"}, }, 
@@ -273,19 +274,19 @@ func TestValidateAdds(t *testing.T) { // container requests match allowed "no required, allowed, container requests valid": { - allowedCaps: []api.Capability{"foo"}, + allowedCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"foo"}, }, }, "no required, all allowed, container requests valid": { - allowedCaps: []api.Capability{policy.AllowAllCapabilities}, + allowedCaps: []corev1.Capability{policy.AllowAllCapabilities}, containerCaps: &api.Capabilities{ Add: []api.Capability{"foo"}, }, }, "no required, allowed, container requests invalid": { - allowedCaps: []api.Capability{"foo"}, + allowedCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"bar"}, }, 
@@ -294,29 +295,29 @@ func TestValidateAdds(t *testing.T) { // required and allowed "required, allowed, container requests valid required": { - defaultAddCaps: []api.Capability{"foo"}, - allowedCaps: []api.Capability{"bar"}, + defaultAddCaps: []corev1.Capability{"foo"}, + allowedCaps: []corev1.Capability{"bar"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"foo"}, }, }, "required, allowed, container requests valid allowed": { - defaultAddCaps: []api.Capability{"foo"}, - allowedCaps: []api.Capability{"bar"}, + defaultAddCaps: []corev1.Capability{"foo"}, + allowedCaps: []corev1.Capability{"bar"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"bar"}, }, }, "required, allowed, container requests invalid": { - defaultAddCaps: []api.Capability{"foo"}, - allowedCaps: []api.Capability{"bar"}, + defaultAddCaps: []corev1.Capability{"foo"}, + allowedCaps: []corev1.Capability{"bar"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"baz"}, }, expectedError: `capabilities.add: Invalid value: "baz": capability may not be added`, }, "validation is case sensitive": { - defaultAddCaps: []api.Capability{"foo"}, + defaultAddCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Add: []api.Capability{"FOO"}, }, 
@@ -351,33 +352,33 @@ func TestValidateAdds(t *testing.T) { func TestValidateDrops(t *testing.T) { tests := map[string]struct { - requiredDropCaps []api.Capability + requiredDropCaps []corev1.Capability containerCaps *api.Capabilities expectedError string }{ // no container requests "no required, no container requests": {}, "required, no container requests": { - requiredDropCaps: []api.Capability{"foo"}, + requiredDropCaps: []corev1.Capability{"foo"}, expectedError: `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`, }, // container requests match required "required, container requests valid": { - requiredDropCaps: []api.Capability{"foo"}, + requiredDropCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"foo"}, }, }, "required, container requests invalid": { - requiredDropCaps: []api.Capability{"foo"}, + requiredDropCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"bar"}, }, expectedError: `capabilities.drop: Invalid value: []core.Capability{"bar"}: foo is required to be dropped but was not found`, }, "validation is case sensitive": { - requiredDropCaps: []api.Capability{"foo"}, + requiredDropCaps: []corev1.Capability{"foo"}, containerCaps: &api.Capabilities{ Drop: []api.Capability{"FOO"}, }, diff --git a/pkg/security/podsecuritypolicy/factory.go b/pkg/security/podsecuritypolicy/factory.go index cc447ded01..e68cf647dd 100644 --- a/pkg/security/podsecuritypolicy/factory.go +++ b/pkg/security/podsecuritypolicy/factory.go 
@@ -22,9 +22,9 @@ import ( utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/kubernetes/pkg/features" + corev1 "k8s.io/api/core/v1" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/errors" - api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group" @@ -191,7 +191,7 @@ func createSupplementalGroupStrategy(opts *policy.SupplementalGroupsStrategyOpti } // createCapabilitiesStrategy creates a new capabilities strategy. -func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []api.Capability) (capabilities.Strategy, error) { +func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []corev1.Capability) (capabilities.Strategy, error) { return capabilities.NewDefaultCapabilities(defaultAddCaps, requiredDropCaps, allowedCaps) } diff --git a/pkg/security/podsecuritypolicy/group/BUILD b/pkg/security/podsecuritypolicy/group/BUILD index ba98f7a610..b3d58e2b83 100644 --- a/pkg/security/podsecuritypolicy/group/BUILD +++ b/pkg/security/podsecuritypolicy/group/BUILD @@ -19,8 +19,8 @@ go_library( importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group", deps = [ "//pkg/apis/core:go_default_library", - "//pkg/apis/policy:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library", + "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", ], ) @@ -34,7 +34,7 @@ go_test( ], embed = [":go_default_library"], deps = [ - "//pkg/apis/policy:go_default_library", + "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", ], ) 
diff --git a/pkg/security/podsecuritypolicy/group/helpers.go b/pkg/security/podsecuritypolicy/group/helpers.go index 1fa2ecad0d..b7f4547eab 100644 --- a/pkg/security/podsecuritypolicy/group/helpers.go +++ b/pkg/security/podsecuritypolicy/group/helpers.go @@ -19,8 +19,8 @@ package group import ( "fmt" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/validation/field" - "k8s.io/kubernetes/pkg/apis/policy" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" ) diff --git a/pkg/security/podsecuritypolicy/group/mayrunas.go b/pkg/security/podsecuritypolicy/group/mayrunas.go index 086f0c8092..94da43d507 100644 --- a/pkg/security/podsecuritypolicy/group/mayrunas.go +++ b/pkg/security/podsecuritypolicy/group/mayrunas.go @@ -19,9 +19,9 @@ package group import ( "fmt" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/apis/policy" ) // mayRunAs implements the GroupStrategy interface. diff --git a/pkg/security/podsecuritypolicy/group/mayrunas_test.go b/pkg/security/podsecuritypolicy/group/mayrunas_test.go index 04288efee2..506a7a8b99 100644 --- a/pkg/security/podsecuritypolicy/group/mayrunas_test.go +++ b/pkg/security/podsecuritypolicy/group/mayrunas_test.go @@ -21,8 +21,8 @@ import ( "strings" "testing" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/validation/field" - "k8s.io/kubernetes/pkg/apis/policy" ) func TestMayRunAsOptions(t *testing.T) { diff --git a/pkg/security/podsecuritypolicy/group/mustrunas.go b/pkg/security/podsecuritypolicy/group/mustrunas.go index 2c83ae0973..9f78d0d901 100644 --- a/pkg/security/podsecuritypolicy/group/mustrunas.go +++ b/pkg/security/podsecuritypolicy/group/mustrunas.go 
@@ -19,9 +19,9 @@ package group import ( "fmt" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/apis/policy" ) // mustRunAs implements the GroupStrategy interface diff --git a/pkg/security/podsecuritypolicy/group/mustrunas_test.go b/pkg/security/podsecuritypolicy/group/mustrunas_test.go index 3cd5fdce99..5578fac99c 100644 --- a/pkg/security/podsecuritypolicy/group/mustrunas_test.go +++ b/pkg/security/podsecuritypolicy/group/mustrunas_test.go @@ -20,8 +20,8 @@ import ( "strings" "testing" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/validation/field" - "k8s.io/kubernetes/pkg/apis/policy" ) func TestMustRunAsOptions(t *testing.T) { diff --git a/pkg/security/podsecuritypolicy/provider.go b/pkg/security/podsecuritypolicy/provider.go index 35259d7900..d347bcbf53 100644 --- a/pkg/security/podsecuritypolicy/provider.go +++ b/pkg/security/podsecuritypolicy/provider.go @@ -20,10 +20,11 @@ import ( "fmt" "strings" + corev1 "k8s.io/api/core/v1" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/validation/field" utilfeature "k8s.io/apiserver/pkg/util/feature" api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/features" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" "k8s.io/kubernetes/pkg/securitycontext" 
@@ -174,9 +175,9 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container sc.SetAllowPrivilegeEscalation(s.psp.Spec.DefaultAllowPrivilegeEscalation) } - // if the PSP sets psp.AllowPrivilegeEscalation to false set that as the default - if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation() == nil { - sc.SetAllowPrivilegeEscalation(&s.psp.Spec.AllowPrivilegeEscalation) + // if the PSP sets psp.AllowPrivilegeEscalation to false, set that as the default + if !*s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation() == nil { + sc.SetAllowPrivilegeEscalation(s.psp.Spec.AllowPrivilegeEscalation) } pod.Annotations = annotations @@ -313,14 +314,15 @@ func (s *simpleProvider) ValidateContainer(pod *api.Pod, container *api.Containe procMount := sc.ProcMount() allowedProcMounts := s.psp.Spec.AllowedProcMountTypes if len(allowedProcMounts) == 0 { - allowedProcMounts = []api.ProcMountType{api.DefaultProcMount} + allowedProcMounts = []corev1.ProcMountType{corev1.DefaultProcMount} } foundProcMountType := false for _, pm := range allowedProcMounts { - if pm == procMount { + if string(pm) == string(procMount) { foundProcMountType = true } } + if !foundProcMountType { allErrs = append(allErrs, field.Invalid(scPath.Child("procMount"), procMount, "ProcMountType is not allowed")) } 
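Review bot: `!*s.psp.Spec.AllowPrivilegeEscalation` in DefaultContainerSecurityContext dereferences the field unconditionally now that the v1beta1 spec carries a `*bool`, and the same dereference appears in the ValidateContainer hunk on the next line; a PSP whose field is unset — an object built in code, or one that did not pass through API defaulting — would make the provider panic instead of producing a validation result. Unless the provider is guaranteed to see only defaulted objects (not something this hunk shows), guard the pointer first: `if s.psp.Spec.AllowPrivilegeEscalation != nil && !*s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation() == nil {` here, and `if s.psp.Spec.AllowPrivilegeEscalation != nil && !*s.psp.Spec.AllowPrivilegeEscalation && (allowEscalation == nil || *allowEscalation) {` in ValidateContainer. Treating nil as "not restricted" matches the `true` the test fixtures in this commit assign, so the guard does not loosen enforcement for any explicitly set policy. Both enclosing methods start and end outside their hunks.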
@@ -339,14 +341,10 @@ func (s *simpleProvider) ValidateContainer(pod *api.Pod, container *api.Containe } allowEscalation := sc.AllowPrivilegeEscalation() - if !s.psp.Spec.AllowPrivilegeEscalation && allowEscalation == nil { + if !*s.psp.Spec.AllowPrivilegeEscalation && (allowEscalation == nil || *allowEscalation) { allErrs = append(allErrs, field.Invalid(scPath.Child("allowPrivilegeEscalation"), allowEscalation, "Allowing privilege escalation for containers is not allowed")) } - if !s.psp.Spec.AllowPrivilegeEscalation && allowEscalation != nil && *allowEscalation { - allErrs = append(allErrs, field.Invalid(scPath.Child("allowPrivilegeEscalation"), *allowEscalation, "Allowing privilege escalation for containers is not allowed")) - } - return allErrs } diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go index ace225ec92..ad6b31ffcf 100644 --- a/pkg/security/podsecuritypolicy/provider_test.go +++ b/pkg/security/podsecuritypolicy/provider_test.go @@ -28,12 +28,12 @@ import ( "github.com/stretchr/testify/require" "k8s.io/api/core/v1" + policy "k8s.io/api/policy/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/kubernetes/pkg/apis/core" k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1" - "k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" @@ -52,6 +52,7 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) { } // Create a PSP with strategies that will populate a blank psc + allowPrivilegeEscalation := true createPSP := func() *policy.PodSecurityPolicy { return &policy.PodSecurityPolicy{ ObjectMeta: metav1.ObjectMeta{ 
@@ -61,7 +62,7 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) { }, }, Spec: policy.PodSecurityPolicySpec{ - AllowPrivilegeEscalation: true, + AllowPrivilegeEscalation: &allowPrivilegeEscalation, RunAsUser: policy.RunAsUserStrategyOptions{ Rule: policy.RunAsUserStrategyRunAsAny, }, @@ -126,6 +127,7 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) { } // Create a PSP with strategies that will populate a blank security context + allowPrivilegeEscalation := true createPSP := func() *policy.PodSecurityPolicy { return &policy.PodSecurityPolicy{ ObjectMeta: metav1.ObjectMeta{ @@ -136,7 +138,7 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) { }, }, Spec: policy.PodSecurityPolicySpec{ - AllowPrivilegeEscalation: true, + AllowPrivilegeEscalation: &allowPrivilegeEscalation, RunAsUser: policy.RunAsUserStrategyOptions{ Rule: policy.RunAsUserStrategyRunAsAny, }, @@ -231,7 +233,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { failNilSELinuxPod := defaultPod() failSELinuxPSP := defaultPSP() failSELinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs - failSELinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{ + failSELinuxPSP.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{ Level: "foo", } @@ -497,7 +499,7 @@ func TestValidateContainerFailures(t *testing.T) { failSELinuxPSP := defaultPSP() failSELinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{ Rule: policy.SELinuxStrategyMustRunAs, - SELinuxOptions: &api.SELinuxOptions{ + SELinuxOptions: &v1.SELinuxOptions{ Level: "foo", }, } @@ -693,7 +695,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { } seLinuxPSP := defaultPSP() seLinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs - seLinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{ + seLinuxPSP.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{ User: "user", Role: "role", Type: "type", 
@@ -934,7 +936,7 @@ func TestValidateContainerSuccess(t *testing.T) { seLinuxPSP := defaultPSP() seLinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{ Rule: policy.SELinuxStrategyMustRunAs, - SELinuxOptions: &api.SELinuxOptions{ + SELinuxOptions: &v1.SELinuxOptions{ Level: "foo", }, } @@ -959,7 +961,7 @@ func TestValidateContainerSuccess(t *testing.T) { privPod.Spec.Containers[0].SecurityContext.Privileged = &priv capsPSP := defaultPSP() - capsPSP.Spec.AllowedCapabilities = []api.Capability{"foo"} + capsPSP.Spec.AllowedCapabilities = []v1.Capability{"foo"} capsPod := defaultPod() capsPod.Spec.Containers[0].SecurityContext.Capabilities = &api.Capabilities{ Add: []api.Capability{"foo"}, @@ -967,7 +969,7 @@ func TestValidateContainerSuccess(t *testing.T) { // pod should be able to request caps that are in the required set even if not specified in the allowed set requiredCapsPSP := defaultPSP() - requiredCapsPSP.Spec.DefaultAddCapabilities = []api.Capability{"foo"} + requiredCapsPSP.Spec.DefaultAddCapabilities = []v1.Capability{"foo"} requiredCapsPod := defaultPod() requiredCapsPod.Spec.Containers[0].SecurityContext.Capabilities = &api.Capabilities{ Add: []api.Capability{"foo"}, @@ -1165,6 +1167,7 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) { } func defaultPSP() *policy.PodSecurityPolicy { + allowPrivilegeEscalation := true return &policy.PodSecurityPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "psp-sa", @@ -1186,7 +1189,7 @@ func defaultPSP() *policy.PodSecurityPolicy { SupplementalGroups: policy.SupplementalGroupsStrategyOptions{ Rule: policy.SupplementalGroupsStrategyRunAsAny, }, - AllowPrivilegeEscalation: true, + AllowPrivilegeEscalation: &allowPrivilegeEscalation, }, } } 
@@ -1342,7 +1345,7 @@ func TestAllowPrivilegeEscalation(t *testing.T) { pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = test.podAPE psp := defaultPSP() - psp.Spec.AllowPrivilegeEscalation = test.pspAPE + psp.Spec.AllowPrivilegeEscalation = &test.pspAPE psp.Spec.DefaultAllowPrivilegeEscalation = test.pspDAPE provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory()) diff --git a/pkg/security/podsecuritypolicy/selinux/BUILD b/pkg/security/podsecuritypolicy/selinux/BUILD index f439332274..275659c1aa 100644 --- a/pkg/security/podsecuritypolicy/selinux/BUILD +++ b/pkg/security/podsecuritypolicy/selinux/BUILD @@ -17,8 +17,9 @@ go_library( importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux", deps = [ "//pkg/apis/core:go_default_library", - "//pkg/apis/policy:go_default_library", + "//pkg/apis/core/v1:go_default_library", "//pkg/security/podsecuritypolicy/util:go_default_library", + "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", ], ) @@ -32,7 +33,9 @@ go_test( embed = [":go_default_library"], deps = [ "//pkg/apis/core:go_default_library", - "//pkg/apis/policy:go_default_library", + "//pkg/apis/core/v1:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", ], ) diff --git a/pkg/security/podsecuritypolicy/selinux/mustrunas.go b/pkg/security/podsecuritypolicy/selinux/mustrunas.go index e958555ffa..11b881e09c 100644 --- a/pkg/security/podsecuritypolicy/selinux/mustrunas.go +++ b/pkg/security/podsecuritypolicy/selinux/mustrunas.go 
@@ -21,14 +21,15 @@ import ( "sort" "strings" + policy "k8s.io/api/policy/v1beta1" "k8s.io/apimachinery/pkg/util/validation/field" api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/apis/policy" + "k8s.io/kubernetes/pkg/apis/core/v1" "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" ) type mustRunAs struct { - opts *policy.SELinuxStrategyOptions + opts *api.SELinuxOptions } var _ SELinuxStrategy = &mustRunAs{} @@ -40,14 +41,19 @@ func NewMustRunAs(options *policy.SELinuxStrategyOptions) (SELinuxStrategy, erro if options.SELinuxOptions == nil { return nil, fmt.Errorf("MustRunAs requires SELinuxOptions") } + + internalSELinuxOptions := &api.SELinuxOptions{} + if err := v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(options.SELinuxOptions, internalSELinuxOptions, nil); err != nil { + return nil, err + } return &mustRunAs{ - opts: options, + opts: internalSELinuxOptions, }, nil } // Generate creates the SELinuxOptions based on constraint rules. func (s *mustRunAs) Generate(_ *api.Pod, _ *api.Container) (*api.SELinuxOptions, error) { - return s.opts.SELinuxOptions, nil + return s.opts, nil } // Validate ensures that the specified values fall within the range of the strategy. 
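Review bot: Generate still hands out the strategy's own `*api.SELinuxOptions` (`return s.opts, nil`), so a caller that modifies the returned struct changes what every later pod receives and what Validate compares against; returning `s.opts.DeepCopy()` would make the value per-call, which is what the doc comment "creates the SELinuxOptions" already implies. The previous `s.opts.SELinuxOptions` had the same aliasing, so the commit does not introduce it, but the conversion now done in NewMustRunAs makes this the natural place to close it. On style, the internal conversion package is imported as plain `v1` next to `policy` from the versioned API, which reads like the external core/v1 type package; an alias such as `corev1conv "k8s.io/kubernetes/pkg/apis/core/v1"` (constructed name) would make the Convert call self-explaining. The NewMustRunAs hunk begins inside the function body, so its signature is outside the hunk.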
@@ -58,20 +64,20 @@ func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container, allErrs = append(allErrs, field.Required(fldPath, "")) return allErrs } - if !equalLevels(s.opts.SELinuxOptions.Level, seLinux.Level) { - detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Level) + if !equalLevels(s.opts.Level, seLinux.Level) { + detail := fmt.Sprintf("must be %s", s.opts.Level) allErrs = append(allErrs, field.Invalid(fldPath.Child("level"), seLinux.Level, detail)) } - if seLinux.Role != s.opts.SELinuxOptions.Role { - detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Role) + if seLinux.Role != s.opts.Role { + detail := fmt.Sprintf("must be %s", s.opts.Role) allErrs = append(allErrs, field.Invalid(fldPath.Child("role"), seLinux.Role, detail)) } - if seLinux.Type != s.opts.SELinuxOptions.Type { - detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Type) + if seLinux.Type != s.opts.Type { + detail := fmt.Sprintf("must be %s", s.opts.Type) allErrs = append(allErrs, field.Invalid(fldPath.Child("type"), seLinux.Type, detail)) } - if seLinux.User != s.opts.SELinuxOptions.User { - detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.User) + if seLinux.User != s.opts.User { + detail := fmt.Sprintf("must be %s", s.opts.User) allErrs = append(allErrs, field.Invalid(fldPath.Child("user"), seLinux.User, detail)) } diff --git a/pkg/security/podsecuritypolicy/selinux/mustrunas_test.go b/pkg/security/podsecuritypolicy/selinux/mustrunas_test.go index 41fbce7b32..b386d8a049 100644 --- a/pkg/security/podsecuritypolicy/selinux/mustrunas_test.go +++ b/pkg/security/podsecuritypolicy/selinux/mustrunas_test.go @@ -17,8 +17,10 @@ limitations under the License. package selinux import ( + corev1 "k8s.io/api/core/v1" + policy "k8s.io/api/policy/v1beta1" api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/apis/policy" + "k8s.io/kubernetes/pkg/apis/core/v1" "reflect" "strings" "testing" 
@@ -38,7 +40,7 @@ func TestMustRunAsOptions(t *testing.T) { pass: false, }, "valid opts": { - opts: &policy.SELinuxStrategyOptions{SELinuxOptions: &api.SELinuxOptions{}}, + opts: &policy.SELinuxStrategyOptions{SELinuxOptions: &corev1.SELinuxOptions{}}, pass: true, }, } @@ -55,7 +57,7 @@ func TestMustRunAsOptions(t *testing.T) { func TestMustRunAsGenerate(t *testing.T) { opts := &policy.SELinuxStrategyOptions{ - SELinuxOptions: &api.SELinuxOptions{ + SELinuxOptions: &corev1.SELinuxOptions{ User: "user", Role: "role", Type: "type", @@ -70,14 +72,16 @@ func TestMustRunAsGenerate(t *testing.T) { if err != nil { t.Fatalf("unexpected error generating selinux %v", err) } - if !reflect.DeepEqual(generated, opts.SELinuxOptions) { + internalSELinuxOptions := &api.SELinuxOptions{} + v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(opts.SELinuxOptions, internalSELinuxOptions, nil) + if !reflect.DeepEqual(generated, internalSELinuxOptions) { t.Errorf("generated selinux does not equal configured selinux") } } func TestMustRunAsValidate(t *testing.T) { - newValidOpts := func() *api.SELinuxOptions { - return &api.SELinuxOptions{ + newValidOpts := func() *corev1.SELinuxOptions { + return &corev1.SELinuxOptions{ User: "user", Role: "role", Level: "s0:c0,c6", @@ -85,7 +89,7 @@ func TestMustRunAsValidate(t *testing.T) { } } - newValidOptsWithLevel := func(level string) *api.SELinuxOptions { + newValidOptsWithLevel := func(level string) *corev1.SELinuxOptions { opts := newValidOpts() opts.Level = level return opts @@ -103,8 +107,8 @@ func TestMustRunAsValidate(t *testing.T) { validOpts := newValidOpts() tests := map[string]struct { - podSeLinux *api.SELinuxOptions - pspSeLinux *api.SELinuxOptions + podSeLinux *corev1.SELinuxOptions + pspSeLinux *corev1.SELinuxOptions expectedMsg string }{ "invalid role": { 
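Review bot: The error returned by `v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions` is dropped in TestMustRunAsGenerate, and again in the TestMustRunAsValidate hunk on the next line; if the conversion ever fails, the tests compare against a zero-value struct and would report a misleading mismatch, or in Validate could pass for the wrong reason on a case that expects an error. Check it at both sites: `if err := v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(opts.SELinuxOptions, internalSELinuxOptions, nil); err != nil {` followed by `t.Fatalf("converting selinux options: %v", err)`. Both enclosing test functions extend beyond their hunks.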
@@ -154,7 +158,9 @@ func TestMustRunAsValidate(t *testing.T) {
 continue
 }
- errs := mustRunAs.Validate(nil, nil, nil, tc.podSeLinux)
+ internalSELinuxOptions := api.SELinuxOptions{}
+ v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(tc.podSeLinux, &internalSELinuxOptions, nil)
+ errs := mustRunAs.Validate(nil, nil, nil, &internalSELinuxOptions)
 //should've passed but didn't
 if len(tc.expectedMsg) == 0 && len(errs) > 0 {
 t.Errorf("%s expected no errors but received %v", name, errs)
diff --git a/pkg/security/podsecuritypolicy/selinux/runasany.go b/pkg/security/podsecuritypolicy/selinux/runasany.go
index 63e590c7c9..b225b09043 100644
--- a/pkg/security/podsecuritypolicy/selinux/runasany.go
+++ b/pkg/security/podsecuritypolicy/selinux/runasany.go
@@ -17,9 +17,9 @@ limitations under the License.
 package selinux
 import (
+ policy "k8s.io/api/policy/v1beta1"
 "k8s.io/apimachinery/pkg/util/validation/field"
 api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
 )
 // runAsAny implements the SELinuxStrategy interface.
diff --git a/pkg/security/podsecuritypolicy/selinux/runasany_test.go b/pkg/security/podsecuritypolicy/selinux/runasany_test.go
index 71ff385055..cebb83477a 100644
--- a/pkg/security/podsecuritypolicy/selinux/runasany_test.go
+++ b/pkg/security/podsecuritypolicy/selinux/runasany_test.go
@@ -17,8 +17,8 @@ limitations under the License.
 package selinux
 import (
- api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
+ corev1 "k8s.io/api/core/v1"
+ policy "k8s.io/api/policy/v1beta1"
 "testing"
 )
@@ -49,7 +49,7 @@ func TestRunAsAnyGenerate(t *testing.T) {
 func TestRunAsAnyValidate(t *testing.T) {
 s, err := NewRunAsAny(&policy.SELinuxStrategyOptions{
- SELinuxOptions: &api.SELinuxOptions{
+ SELinuxOptions: &corev1.SELinuxOptions{
 Level: "foo",
 },
 },
diff --git a/pkg/security/podsecuritypolicy/types.go b/pkg/security/podsecuritypolicy/types.go
index e541a345e3..8caba94dba 100644
--- a/pkg/security/podsecuritypolicy/types.go
+++ b/pkg/security/podsecuritypolicy/types.go
@@ -17,9 +17,9 @@ limitations under the License.
 package podsecuritypolicy
 import (
+ policy "k8s.io/api/policy/v1beta1"
 "k8s.io/apimachinery/pkg/util/validation/field"
 api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
 "k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
 "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
 "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
diff --git a/pkg/security/podsecuritypolicy/user/BUILD b/pkg/security/podsecuritypolicy/user/BUILD
index 0e68879071..fcd52f258d 100644
--- a/pkg/security/podsecuritypolicy/user/BUILD
+++ b/pkg/security/podsecuritypolicy/user/BUILD
@@ -18,8 +18,8 @@ go_library(
 importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/user",
 deps = [
 "//pkg/apis/core:go_default_library",
- "//pkg/apis/policy:go_default_library",
 "//pkg/security/podsecuritypolicy/util:go_default_library",
+ "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
 ],
 )
@@ -34,7 +34,8 @@ go_test(
 embed = [":go_default_library"],
 deps = [
 "//pkg/apis/core:go_default_library",
- "//pkg/apis/policy:go_default_library",
+ "//staging/src/k8s.io/api/core/v1:go_default_library",
+ "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
 ],
 )
diff --git a/pkg/security/podsecuritypolicy/user/mustrunas.go b/pkg/security/podsecuritypolicy/user/mustrunas.go
index 995e785388..93611b9afb 100644
--- a/pkg/security/podsecuritypolicy/user/mustrunas.go
+++ b/pkg/security/podsecuritypolicy/user/mustrunas.go
@@ -19,9 +19,9 @@ package user
 import (
 "fmt"
+ policy "k8s.io/api/policy/v1beta1"
 "k8s.io/apimachinery/pkg/util/validation/field"
 api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
 psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 )
diff --git a/pkg/security/podsecuritypolicy/user/mustrunas_test.go b/pkg/security/podsecuritypolicy/user/mustrunas_test.go
index f8358fb07e..8e05cefb2a 100644
--- a/pkg/security/podsecuritypolicy/user/mustrunas_test.go
+++ b/pkg/security/podsecuritypolicy/user/mustrunas_test.go
@@ -17,8 +17,8 @@ limitations under the License.
 package user
 import (
+ policy "k8s.io/api/policy/v1beta1"
 api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
 "strings"
 "testing"
 )
diff --git a/pkg/security/podsecuritypolicy/user/nonroot.go b/pkg/security/podsecuritypolicy/user/nonroot.go
index 04c26dcaeb..bde5b334a6 100644
--- a/pkg/security/podsecuritypolicy/user/nonroot.go
+++ b/pkg/security/podsecuritypolicy/user/nonroot.go
@@ -17,9 +17,9 @@ limitations under the License.
 package user
 import (
+ policy "k8s.io/api/policy/v1beta1"
 "k8s.io/apimachinery/pkg/util/validation/field"
 api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
 )
 type nonRoot struct{}
diff --git a/pkg/security/podsecuritypolicy/user/nonroot_test.go b/pkg/security/podsecuritypolicy/user/nonroot_test.go
index 4a02f3f417..cd1c0b861e 100644
--- a/pkg/security/podsecuritypolicy/user/nonroot_test.go
+++ b/pkg/security/podsecuritypolicy/user/nonroot_test.go
@@ -17,8 +17,8 @@ limitations under the License.
 package user
 import (
- api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
+ api "k8s.io/api/core/v1"
+ policy "k8s.io/api/policy/v1beta1"
 "testing"
 )
diff --git a/pkg/security/podsecuritypolicy/user/runasany.go b/pkg/security/podsecuritypolicy/user/runasany.go
index ea31b6dd0a..33cffe463b 100644
--- a/pkg/security/podsecuritypolicy/user/runasany.go
+++ b/pkg/security/podsecuritypolicy/user/runasany.go
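Review bot: nonroot_test.go aliases the external `k8s.io/api/core/v1` package as `api`, the name every other file in this package (mustrunas.go, nonroot.go, runasany.go and mustrunas_test.go in this same diff) uses for the internal `k8s.io/kubernetes/pkg/apis/core`, so a reader moving between the two test files will take `api.X` for the internal type. Use the alias the selinux tests adopt in this commit, `corev1 "k8s.io/api/core/v1"`, and rename the references in the file accordingly.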
@@ -17,9 +17,9 @@ limitations under the License.
 package user
 import (
+ policy "k8s.io/api/policy/v1beta1"
 "k8s.io/apimachinery/pkg/util/validation/field"
 api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
 )
 // runAsAny implements the interface RunAsUserStrategy.
diff --git a/pkg/security/podsecuritypolicy/user/runasany_test.go b/pkg/security/podsecuritypolicy/user/runasany_test.go
index 43b02b6982..1fe9926f9b 100644
--- a/pkg/security/podsecuritypolicy/user/runasany_test.go
+++ b/pkg/security/podsecuritypolicy/user/runasany_test.go
@@ -19,7 +19,7 @@ package user
 import (
 "testing"
- "k8s.io/kubernetes/pkg/apis/policy"
+ policy "k8s.io/api/policy/v1beta1"
 )
 func TestRunAsAnyOptions(t *testing.T) {
diff --git a/pkg/security/podsecuritypolicy/util/BUILD b/pkg/security/podsecuritypolicy/util/BUILD
index e1f87a5d3a..7e4100e009 100644
--- a/pkg/security/podsecuritypolicy/util/BUILD
+++ b/pkg/security/podsecuritypolicy/util/BUILD
@@ -15,7 +15,7 @@ go_library(
 importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util",
 deps = [
 "//pkg/apis/core:go_default_library",
- "//pkg/apis/policy:go_default_library",
+ "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
 ],
 )
@@ -26,7 +26,7 @@ go_test(
 embed = [":go_default_library"],
 deps = [
 "//pkg/apis/core:go_default_library",
- "//pkg/apis/policy:go_default_library",
+ "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
 ],
 )
diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go
index 3f29f6e7a4..c0a25da175 100644
--- a/pkg/security/podsecuritypolicy/util/util.go
+++ b/pkg/security/podsecuritypolicy/util/util.go
@@ -20,9 +20,9 @@ import (
 "fmt"
 "strings"
+ policy "k8s.io/api/policy/v1beta1"
 "k8s.io/apimachinery/pkg/util/sets"
 api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
 )
 const (
diff --git a/pkg/security/podsecuritypolicy/util/util_test.go b/pkg/security/podsecuritypolicy/util/util_test.go
index f3d099d308..f495e65e1a 100644
--- a/pkg/security/podsecuritypolicy/util/util_test.go
+++ b/pkg/security/podsecuritypolicy/util/util_test.go
@@ -20,8 +20,8 @@ import (
 "reflect"
 "testing"
+ policy "k8s.io/api/policy/v1beta1"
 api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
 )
 // TestVolumeSourceFSTypeDrift ensures that for every known type of volume source (by the fields on
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/BUILD b/plugin/pkg/admission/security/podsecuritypolicy/BUILD
index aadfeeb678..673c7fd666 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/BUILD
+++ b/plugin/pkg/admission/security/podsecuritypolicy/BUILD
@@ -14,13 +14,11 @@ go_library(
 "//pkg/apis/core:go_default_library",
 "//pkg/apis/extensions:go_default_library",
 "//pkg/apis/policy:go_default_library",
- "//pkg/client/informers/informers_generated/internalversion:go_default_library",
- "//pkg/client/listers/policy/internalversion:go_default_library",
- "//pkg/kubeapiserver/admission:go_default_library",
 "//pkg/registry/rbac:go_default_library",
 "//pkg/security/podsecuritypolicy:go_default_library",
 "//pkg/security/podsecuritypolicy/util:go_default_library",
 "//pkg/serviceaccount:go_default_library",
+ "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
@@ -28,6 +26,8 @@ go_library(
 "//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+ "//staging/src/k8s.io/client-go/informers:go_default_library",
+ "//staging/src/k8s.io/client-go/listers/policy/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
 ],
 )
@@ -39,14 +39,14 @@ go_test(
 deps = [
 "//pkg/api/legacyscheme:go_default_library",
 "//pkg/apis/core:go_default_library",
- "//pkg/apis/policy:go_default_library",
- "//pkg/client/informers/informers_generated/internalversion:go_default_library",
+ "//pkg/apis/core/v1:go_default_library",
 "//pkg/controller:go_default_library",
 "//pkg/security/apparmor:go_default_library",
 "//pkg/security/podsecuritypolicy:go_default_library",
 "//pkg/security/podsecuritypolicy/seccomp:go_default_library",
 "//pkg/security/podsecuritypolicy/util:go_default_library",
 "//staging/src/k8s.io/api/core/v1:go_default_library",
+ "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
@@ -55,6 +55,7 @@ go_test(
 "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
+ "//staging/src/k8s.io/client-go/informers:go_default_library",
 "//vendor/github.com/stretchr/testify/assert:go_default_library",
 "//vendor/k8s.io/utils/pointer:go_default_library",
 ],
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission.go b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
index ec5ccb0240..6c4ac7e25f 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
@@ -24,6 +24,7 @@ import (
 "github.com/golang/glog"
+ policyv1beta1 "k8s.io/api/policy/v1beta1"
 apiequality "k8s.io/apimachinery/pkg/api/equality"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/util/validation/field"
@@ -31,12 +32,11 @@ import (
 genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
+ "k8s.io/client-go/informers"
+ policylisters "k8s.io/client-go/listers/policy/v1beta1"
 api "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/pkg/apis/extensions"
 "k8s.io/kubernetes/pkg/apis/policy"
- informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
- policylisters "k8s.io/kubernetes/pkg/client/listers/policy/internalversion"
- kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
 psp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
 psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
@@ -83,7 +83,7 @@ func (plugin *PodSecurityPolicyPlugin) ValidateInitialization() error {
 var _ admission.MutationInterface = &PodSecurityPolicyPlugin{}
 var _ admission.ValidationInterface = &PodSecurityPolicyPlugin{}
 var _ genericadmissioninit.WantsAuthorizer = &PodSecurityPolicyPlugin{}
-var _ kubeapiserveradmission.WantsInternalKubeInformerFactory = &PodSecurityPolicyPlugin{}
+var _ genericadmissioninit.WantsExternalKubeInformerFactory = &PodSecurityPolicyPlugin{}
 var auditKeyPrefix = strings.ToLower(PluginName) + "." + policy.GroupName + ".k8s.io"
 // newPlugin creates a new PSP admission plugin.
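Review bot: admission.go now imports both the internal `policy` package and `policyv1beta1`, and within these hunks the internal import survives only for `policy.GroupName` in `auditKeyPrefix` (other uses may remain outside the hunks). Two near-identical aliases for two API versions of the same group invite confusing `policy.PodSecurityPolicy` with `policyv1beta1.PodSecurityPolicy`, which is exactly the kind of slip this migration is prone to. `k8s.io/api/policy/v1beta1` exports the same `GroupName` constant, so `policy.GroupName` can become `policyv1beta1.GroupName` and the internal import be dropped once nothing else in the file needs it.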
@@ -95,8 +95,8 @@ func newPlugin(strategyFactory psp.StrategyFactory, failOnNoPolicies bool) *PodS
 }
 }
-func (a *PodSecurityPolicyPlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) {
- podSecurityPolicyInformer := f.Policy().InternalVersion().PodSecurityPolicies()
+func (a *PodSecurityPolicyPlugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
+ podSecurityPolicyInformer := f.Policy().V1beta1().PodSecurityPolicies()
 a.lister = podSecurityPolicyInformer.Lister()
 a.SetReadyFunc(podSecurityPolicyInformer.Informer().HasSynced)
 }
@@ -338,7 +338,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod) field.ErrorList
 }
 // createProvidersFromPolicies creates providers from the constraints supplied.
-func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*policy.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
+func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*policyv1beta1.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
 var (
 // collected providers
 providers []psp.Provider
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
index b3330c6ac0..a0ce808020 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
@@ -25,6 +25,7 @@ import (
 "github.com/stretchr/testify/assert"
 "k8s.io/api/core/v1"
+ policy "k8s.io/api/policy/v1beta1"
 apiequality "k8s.io/apimachinery/pkg/api/equality"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/diff"
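Review bot: `SetExternalKubeInformerFactory` is exported and has no doc comment, and it is the point where the plugin's source of policies becomes the v1beta1 informer, so it deserves one. Suggested comment above the method: `// SetExternalKubeInformerFactory wires the plugin to the v1beta1 PodSecurityPolicy informer: its lister is where policies are read from and its HasSynced becomes the plugin's ready check.` The new `createProvidersFromPolicies` signature in the next hunk follows from this; that function's body continues outside the hunk.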
@@ -33,10 +34,10 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 "k8s.io/apiserver/pkg/authorization/authorizerfactory"
+ "k8s.io/client-go/informers"
 "k8s.io/kubernetes/pkg/api/legacyscheme"
 kapi "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/apis/policy"
- informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
+ k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
 "k8s.io/kubernetes/pkg/controller"
 "k8s.io/kubernetes/pkg/security/apparmor"
 kpsp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
@@ -50,11 +51,11 @@ const defaultContainerName = "test-c"
 // NewTestAdmission provides an admission plugin with test implementations of internal structs.
 func NewTestAdmission(psps []*policy.PodSecurityPolicy, authz authorizer.Authorizer) *PodSecurityPolicyPlugin {
 informerFactory := informers.NewSharedInformerFactory(nil, controller.NoResyncPeriodFunc())
- store := informerFactory.Policy().InternalVersion().PodSecurityPolicies().Informer().GetStore()
+ store := informerFactory.Policy().V1beta1().PodSecurityPolicies().Informer().GetStore()
 for _, psp := range psps {
 store.Add(psp)
 }
- lister := informerFactory.Policy().InternalVersion().PodSecurityPolicies().Lister()
+ lister := informerFactory.Policy().V1beta1().PodSecurityPolicies().Lister()
 if authz == nil {
 authz = &TestAuthorizer{}
 }
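Review bot: The new import alias `k8s_api_v1` uses underscores, which Go naming conventions (and golint) reject for identifiers; mustrunas_test.go in this diff imports the same package simply as `v1`, but that name is already taken here by `k8s.io/api/core/v1`. A MixedCaps alias consistent with the file's existing `kapi` for the internal core package would read better, e.g. `kapiv1 "k8s.io/kubernetes/pkg/apis/core/v1"`, with the single call site in TestAdmitSELinux updated to match.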
@@ -502,19 +503,19 @@ func TestAdmitCaps(t *testing.T) {
 allowsFooInAllowed := restrictivePSP()
 allowsFooInAllowed.Name = "allowCapInAllowed"
- allowsFooInAllowed.Spec.AllowedCapabilities = []kapi.Capability{"foo"}
+ allowsFooInAllowed.Spec.AllowedCapabilities = []v1.Capability{"foo"}
 allowsFooInRequired := restrictivePSP()
 allowsFooInRequired.Name = "allowCapInRequired"
- allowsFooInRequired.Spec.DefaultAddCapabilities = []kapi.Capability{"foo"}
+ allowsFooInRequired.Spec.DefaultAddCapabilities = []v1.Capability{"foo"}
 requiresFooToBeDropped := restrictivePSP()
 requiresFooToBeDropped.Name = "requireDrop"
- requiresFooToBeDropped.Spec.RequiredDropCapabilities = []kapi.Capability{"foo"}
+ requiresFooToBeDropped.Spec.RequiredDropCapabilities = []v1.Capability{"foo"}
 allowAllInAllowed := restrictivePSP()
 allowAllInAllowed.Name = "allowAllCapsInAllowed"
- allowAllInAllowed.Spec.AllowedCapabilities = []kapi.Capability{policy.AllowAllCapabilities}
+ allowAllInAllowed.Spec.AllowedCapabilities = []v1.Capability{policy.AllowAllCapabilities}
 tc := map[string]struct {
 pod *kapi.Pod
@@ -959,12 +960,18 @@ func TestAdmitSELinux(t *testing.T) {
 mustRunAs := permissivePSP()
 mustRunAs.Name = "mustRunAs"
 mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
- mustRunAs.Spec.SELinux.SELinuxOptions = &kapi.SELinuxOptions{}
+ mustRunAs.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{}
 mustRunAs.Spec.SELinux.SELinuxOptions.Level = "level"
 mustRunAs.Spec.SELinux.SELinuxOptions.Role = "role"
 mustRunAs.Spec.SELinux.SELinuxOptions.Type = "type"
 mustRunAs.Spec.SELinux.SELinuxOptions.User = "user"
+ getInternalSEOptions := func(policy *policy.PodSecurityPolicy) *kapi.SELinuxOptions {
+ opt := kapi.SELinuxOptions{}
+ k8s_api_v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(policy.Spec.SELinux.SELinuxOptions, &opt, nil)
+ return &opt
+ }
+
 tests := map[string]struct {
 pod *kapi.Pod
 psps []*policy.PodSecurityPolicy
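Review bot: In the TestAdmitSELinux hunk the closure parameter of `getInternalSEOptions` is named `policy`, which shadows the imported `policy` package inside the closure body; it compiles only because the body touches nothing but the parameter, the declaration `func(policy *policy.PodSecurityPolicy)` reads as self-referential, and any later use of a package constant such as `policy.SELinuxStrategyMustRunAs` inside the closure would fail with a confusing "no field" error. Rename it: `getInternalSEOptions := func(psp *policy.PodSecurityPolicy) *kapi.SELinuxOptions {` and `k8s_api_v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(psp.Spec.SELinux.SELinuxOptions, &opt, nil)`.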
@@ -1047,7 +1054,7 @@ func TestAdmitSELinux(t *testing.T) {
 psps: []*policy.PodSecurityPolicy{mustRunAs},
 shouldPassAdmit: true,
 shouldPassValidate: true,
- expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
+ expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
 expectedContainerSC: nil,
 expectedPSP: mustRunAs.Name,
 },
@@ -1059,7 +1066,7 @@ func TestAdmitSELinux(t *testing.T) {
 psps: []*policy.PodSecurityPolicy{mustRunAs},
 shouldPassAdmit: true,
 shouldPassValidate: true,
- expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
+ expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
 expectedContainerSC: nil,
 expectedPSP: mustRunAs.Name,
 },
@@ -1071,7 +1078,7 @@ func TestAdmitSELinux(t *testing.T) {
 psps: []*policy.PodSecurityPolicy{mustRunAs},
 shouldPassAdmit: true,
 shouldPassValidate: true,
- expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
+ expectedPodSC: &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
 expectedContainerSC: nil,
 expectedPSP: mustRunAs.Name,
 },
@@ -2337,12 +2344,14 @@ func TestPreferValidatedPSP(t *testing.T) {
 }
 func restrictivePSP() *policy.PodSecurityPolicy {
+ allowPrivilegeEscalation := false
 return &policy.PodSecurityPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "restrictive",
 Annotations: map[string]string{},
 },
 Spec: policy.PodSecurityPolicySpec{
+ AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 RunAsUser: policy.RunAsUserStrategyOptions{
 Rule: policy.RunAsUserStrategyMustRunAs,
 Ranges: []policy.IDRange{
@@ -2357,7 +2366,7 @@ func restrictivePSP() *policy.PodSecurityPolicy {
 },
 SELinux: policy.SELinuxStrategyOptions{
 Rule: policy.SELinuxStrategyMustRunAs,
- SELinuxOptions: &kapi.SELinuxOptions{
+ SELinuxOptions: &v1.SELinuxOptions{
 Level: "s9:z0,z1",
 },
 },
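Review bot: `restrictivePSP` here and `permissivePSP` in the `@@ -2378,19 +2387,20 @@` hunk each introduce a local bool only to take its address for the now pointer-typed `AllowPrivilegeEscalation`; the test target's BUILD already lists `k8s.io/utils/pointer`, so `AllowPrivilegeEscalation: pointer.BoolPtr(false),` (and `pointer.BoolPtr(true)` in permissivePSP) says the same thing inline, assuming the package is imported in admission_test.go. Setting the restrictive fixture to an explicit false rather than leaving the pointer nil is the right call and worth keeping: with a pointer field an unset value no longer means "deny" but "defaulted", so a fixture that omitted it would no longer test what its name promises.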
@@ -2378,19 +2387,20 @@ func restrictivePSP() *policy.PodSecurityPolicy {
 }
 func permissivePSP() *policy.PodSecurityPolicy {
+ allowPrivilegeEscalation := true
 return &policy.PodSecurityPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "privileged",
 Annotations: map[string]string{},
 },
 Spec: policy.PodSecurityPolicySpec{
- AllowPrivilegeEscalation: true,
+ AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 HostIPC: true,
 HostNetwork: true,
 HostPID: true,
 HostPorts: []policy.HostPortRange{{Min: 0, Max: 65536}},
 Volumes: []policy.FSType{policy.All},
- AllowedCapabilities: []kapi.Capability{policy.AllowAllCapabilities},
+ AllowedCapabilities: []v1.Capability{policy.AllowAllCapabilities},
 RunAsUser: policy.RunAsUserStrategyOptions{
 Rule: policy.RunAsUserStrategyRunAsAny,
 },