DeploymentStatus is the most recently observed status of the Deployment.
@@ -7691,6 +7727,13 @@ Both these may change in the future. Incoming requests are matched against the h
boolean |
false |
+
+allowedHostPaths |
+AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used. |
+false |
+v1beta1.AllowedHostPath array |
+ |
+
diff --git a/pkg/apis/extensions/types.go b/pkg/apis/extensions/types.go
index 55511f96f1..7af14ac95d 100644
--- a/pkg/apis/extensions/types.go
+++ b/pkg/apis/extensions/types.go
@@ -933,6 +933,22 @@ type PodSecurityPolicySpec struct {
// privilege escalation.
// +optional
AllowPrivilegeEscalation bool
+ // AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
+ // +optional
+ AllowedHostPaths []AllowedHostPath
+}
+
+// AllowedHostPath defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+type AllowedHostPath struct {
+ // PathPrefix is the path prefix that the host volume must match.
+ // PathPrefix does not support `*`.
+ // Trailing slashes are trimmed when validating the path prefix with a host path.
+ //
+ // Examples:
+ // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+ // `/foo` would not allow `/food` or `/etc/foo`
+ PathPrefix string
}
// HostPortRange defines a range of host ports that will be enabled by a policy
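Review bot: The comments on `AllowedHostPaths` and `PathPrefix` do not say that the prefix is compared as text, which a policy author needs to know. The matcher added in util.go in this commit only trims a trailing slash and compares strings, so nothing resolves symlinks or relative elements in the host path. I would add a line to `PathPrefix` such as `// The match is textual: symlinks and "." / ".." elements in the host path are not resolved.` and state on `AllowedHostPaths` that an empty list places no restriction on host paths at all. `PodSecurityPolicySpec` starts outside this hunk.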
diff --git a/pkg/apis/extensions/v1beta1/zz_generated.conversion.go b/pkg/apis/extensions/v1beta1/zz_generated.conversion.go
index aee174500a..e323a882c3 100644
--- a/pkg/apis/extensions/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/extensions/v1beta1/zz_generated.conversion.go
@@ -42,6 +42,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
return scheme.AddGeneratedConversionFuncs(
Convert_v1beta1_APIVersion_To_extensions_APIVersion,
Convert_extensions_APIVersion_To_v1beta1_APIVersion,
+ Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath,
+ Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath,
Convert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus,
Convert_extensions_CustomMetricCurrentStatus_To_v1beta1_CustomMetricCurrentStatus,
Convert_v1beta1_CustomMetricCurrentStatusList_To_extensions_CustomMetricCurrentStatusList,
@@ -165,6 +167,26 @@ func Convert_extensions_APIVersion_To_v1beta1_APIVersion(in *extensions.APIVersi
return autoConvert_extensions_APIVersion_To_v1beta1_APIVersion(in, out, s)
}
+func autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
+ out.PathPrefix = in.PathPrefix
+ return nil
+}
+
+// Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath is an autogenerated conversion function.
+func Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
+ return autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in, out, s)
+}
+
+func autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
+ out.PathPrefix = in.PathPrefix
+ return nil
+}
+
+// Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
+func Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
+ return autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
+}
+
func autoConvert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus(in *v1beta1.CustomMetricCurrentStatus, out *extensions.CustomMetricCurrentStatus, s conversion.Scope) error {
out.Name = in.Name
out.CurrentValue = in.CurrentValue
@@ -1070,6 +1092,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
+ out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
return nil
}
@@ -1113,6 +1136,7 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
+ out.AllowedHostPaths = *(*[]v1beta1.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
return nil
}
diff --git a/pkg/apis/extensions/validation/validation.go b/pkg/apis/extensions/validation/validation.go
index 6696d0b195..7323b6c989 100644
--- a/pkg/apis/extensions/validation/validation.go
+++ b/pkg/apis/extensions/validation/validation.go
@@ -19,6 +19,8 @@ package validation
import (
"fmt"
"net"
+
+ "path/filepath"
"regexp"
"strconv"
"strings"
@@ -661,6 +663,7 @@ func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPa
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
+ allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
return allErrs
}
@@ -701,6 +704,29 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string,
return allErrs
}
+// validatePSPAllowedHostPaths makes sure all allowed host paths follow:
+// 1. path prefix is required
+// 2. path prefix does not have any element which is ".."
+func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []extensions.AllowedHostPath) field.ErrorList {
+ allErrs := field.ErrorList{}
+
+ for i, target := range allowedHostPaths {
+ if target.PathPrefix == "" {
+ allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
+ break
+ }
+ parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
+ for _, item := range parts {
+ if item == ".." {
+ allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
+ break // even for `../../..`, one error is sufficient to make the point
+ }
+ }
+ }
+
+ return allErrs
+}
+
// validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
func validatePSPSELinux(fldPath *field.Path, seLinux *extensions.SELinuxStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}
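Review bot: The `break` in the empty-`PathPrefix` branch of `validatePSPAllowedHostPaths` leaves the outer loop, so every entry after the first empty one is never checked for `..`; `continue` would keep validating the rest of the list. The function also accepts a relative prefix, which would not match an absolute host path, so a policy holding only that entry would reject every such path without saying why; consider a `field.Invalid` stating that the prefix must be absolute. Errors are attached to `fldPath.Index(i)`, whereas `fldPath.Index(i).Child("pathPrefix")` would name the field that is actually wrong.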
diff --git a/pkg/apis/extensions/validation/validation_test.go b/pkg/apis/extensions/validation/validation_test.go
index 0afd286dcc..2bd0d5a051 100644
--- a/pkg/apis/extensions/validation/validation_test.go
+++ b/pkg/apis/extensions/validation/validation_test.go
@@ -2418,6 +2418,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
},
+ AllowedHostPaths: []extensions.AllowedHostPath{
+ {PathPrefix: "/foo/bar"},
+ {PathPrefix: "/baz/"},
+ },
},
}
}
@@ -2497,6 +2501,16 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
}
+ invalidAllowedHostPathMissingPath := validPSP()
+ invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+ {PathPrefix: ""},
+ }
+
+ invalidAllowedHostPathBacksteps := validPSP()
+ invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+ {PathPrefix: "/dont/allow/backsteps/.."},
+ }
+
invalidDefaultAllowPrivilegeEscalation := validPSP()
pe := true
invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
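Review bot: The two new error fixtures cover only a single empty prefix and a trailing `..`. A case with `..` in the middle of the prefix, and one with two entries where the first is empty and the second contains `..`, would pin down how `validatePSPAllowedHostPaths` treats the rest of the list. `TestValidatePodSecurityPolicy` begins and ends outside this hunk, so whether the harness accepts more than one error per case is not visible here.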
@@ -2612,6 +2626,16 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
errorType: field.ErrorTypeInvalid,
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
},
+ "invalid allowed host path empty path": {
+ psp: invalidAllowedHostPathMissingPath,
+ errorType: field.ErrorTypeRequired,
+ errorDetail: "is required",
+ },
+ "invalid allowed host path with backsteps": {
+ psp: invalidAllowedHostPathBacksteps,
+ errorType: field.ErrorTypeInvalid,
+ errorDetail: "must not contain '..'",
+ },
}
for k, v := range errorCases {
diff --git a/pkg/apis/extensions/zz_generated.deepcopy.go b/pkg/apis/extensions/zz_generated.deepcopy.go
index 69414fa715..d41048a5a8 100644
--- a/pkg/apis/extensions/zz_generated.deepcopy.go
+++ b/pkg/apis/extensions/zz_generated.deepcopy.go
@@ -42,6 +42,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
in.(*APIVersion).DeepCopyInto(out.(*APIVersion))
return nil
}, InType: reflect.TypeOf(&APIVersion{})},
+ conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+ in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath))
+ return nil
+ }, InType: reflect.TypeOf(&AllowedHostPath{})},
conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus))
return nil
@@ -269,6 +273,22 @@ func (in *APIVersion) DeepCopy() *APIVersion {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
+func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
+ if in == nil {
+ return nil
+ }
+ out := new(AllowedHostPath)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
*out = *in
@@ -1117,6 +1137,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
**out = **in
}
}
+ if in.AllowedHostPaths != nil {
+ in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
+ *out = make([]AllowedHostPath, len(*in))
+ copy(*out, *in)
+ }
return
}
diff --git a/pkg/security/podsecuritypolicy/provider.go b/pkg/security/podsecuritypolicy/provider.go
index 0f12241f62..0d171e1db1 100644
--- a/pkg/security/podsecuritypolicy/provider.go
+++ b/pkg/security/podsecuritypolicy/provider.go
@@ -239,7 +239,8 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
// TODO(tallclair): ValidatePodSecurityContext should be renamed to ValidatePod since its scope
// is not limited to the PodSecurityContext.
- if len(pod.Spec.Volumes) > 0 && !psputil.PSPAllowsAllVolumes(s.psp) {
+ if len(pod.Spec.Volumes) > 0 {
+ allowsAllVolumeTypes := psputil.PSPAllowsAllVolumes(s.psp)
allowedVolumes := psputil.FSTypeToStringSet(s.psp.Spec.Volumes)
for i, v := range pod.Spec.Volumes {
fsType, err := psputil.GetVolumeFSType(v)
@@ -248,10 +249,19 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
continue
}
- if !allowedVolumes.Has(string(fsType)) {
+ if !allowsAllVolumeTypes && !allowedVolumes.Has(string(fsType)) {
allErrs = append(allErrs, field.Invalid(
field.NewPath("spec", "volumes").Index(i), string(fsType),
fmt.Sprintf("%s volumes are not allowed to be used", string(fsType))))
+ continue
+ }
+
+ if fsType == extensions.HostPath {
+ if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) {
+ allErrs = append(allErrs, field.Invalid(
+ field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path,
+ fmt.Sprintf("is not allowed to be used")))
+ }
}
}
}
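Review bot: The new error is attached to `Child("hostPath", "pathPrefix")`, but the rejected value is the pod's `v.HostPath.Path`, and `pathPrefix` is a field of the policy's `AllowedHostPath`, not of the pod volume. `Child("hostPath", "path")` would point at the field the user has to change. `fmt.Sprintf("is not allowed to be used")` has no format arguments, so the plain string literal `"is not allowed to be used"` is enough. `ValidatePodSecurityContext` starts outside the hunk.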
diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go
index b1f34b39d8..2dc6111c77 100644
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
@@ -248,6 +248,23 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
},
}
+ failHostPathDirPod := defaultPod()
+ failHostPathDirPod.Spec.Volumes = []api.Volume{
+ {
+ Name: "bad volume",
+ VolumeSource: api.VolumeSource{
+ HostPath: &api.HostPathVolumeSource{
+ Path: "/fail",
+ },
+ },
+ },
+ }
+ failHostPathDirPSP := defaultPSP()
+ failHostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
+ failHostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+ {PathPrefix: "/foo/bar"},
+ }
+
failOtherSysctlsAllowedPSP := defaultPSP()
failOtherSysctlsAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc"
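Review bot: `failHostPathDirPSP` restricts `Volumes` to `extensions.HostPath`, so the rejection path this commit newly opens for policies that allow `extensions.All` is not exercised. provider.go now enters the volume loop even when every volume type is allowed, and only the success test uses such a policy (`hostPathDirAsterisksPSP`). A second failure fixture with `Volumes: []extensions.FSType{extensions.All}`, the same `AllowedHostPaths` and the `/fail` pod would cover it. `TestValidatePodSecurityContextFailures` continues outside the hunk.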
@@ -318,6 +335,11 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
psp: defaultPSP(),
expectedError: "hostPath volumes are not allowed to be used",
},
+ "failHostPathDirPSP": {
+ pod: failHostPathDirPod,
+ psp: failHostPathDirPSP,
+ expectedError: "is not allowed to be used",
+ },
"failSafeSysctlFooPod with failNoSysctlAllowedSCC": {
pod: failSafeSysctlFooPod,
psp: failNoSysctlAllowedPSP,
@@ -556,6 +578,30 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
Level: "level",
}
+ hostPathDirPod := defaultPod()
+ hostPathDirPod.Spec.Volumes = []api.Volume{
+ {
+ Name: "good volume",
+ VolumeSource: api.VolumeSource{
+ HostPath: &api.HostPathVolumeSource{
+ Path: "/foo/bar/baz",
+ },
+ },
+ },
+ }
+
+ hostPathDirPSP := defaultPSP()
+ hostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
+ hostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+ {PathPrefix: "/foo/bar"},
+ }
+
+ hostPathDirAsterisksPSP := defaultPSP()
+ hostPathDirAsterisksPSP.Spec.Volumes = []extensions.FSType{extensions.All}
+ hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
+ {PathPrefix: "/foo/bar"},
+ }
+
sysctlAllowFooPSP := defaultPSP()
sysctlAllowFooPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "foo"
@@ -619,6 +665,14 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
pod: unsafeSysctlFooPod,
psp: defaultPSP(),
},
+ "pass hostDir allowed directory validating PSP": {
+ pod: hostPathDirPod,
+ psp: hostPathDirPSP,
+ },
+ "pass hostDir all volumes allowed validating PSP": {
+ pod: hostPathDirPod,
+ psp: hostPathDirAsterisksPSP,
+ },
"pass seccomp validating PSP": {
pod: seccompPod,
psp: seccompPSP,
diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go
index 277623d5ce..3ff6d89bc7 100644
--- a/pkg/security/podsecuritypolicy/util/util.go
+++ b/pkg/security/podsecuritypolicy/util/util.go
@@ -18,6 +18,7 @@ package util
import (
"fmt"
+ "strings"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/kubernetes/pkg/api"
@@ -170,3 +171,53 @@ func UserFallsInRange(id int64, rng extensions.UserIDRange) bool {
func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool {
return id >= rng.Min && id <= rng.Max
}
+
+// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
+// This only checks the path. You should still check to make sure the host volume fs type is allowed.
+func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool {
+ if psp == nil {
+ return false
+ }
+
+ // If no allowed paths are specified then allow any path
+ if len(psp.Spec.AllowedHostPaths) == 0 {
+ return true
+ }
+
+ for _, allowedPath := range psp.Spec.AllowedHostPaths {
+ if hasPathPrefix(hostPath, allowedPath.PathPrefix) {
+ return true
+ }
+ }
+
+ return false
+}
+
+// hasPathPrefix returns true if the string matches pathPrefix exactly, or if is prefixed with pathPrefix at a path segment boundary
+// the string and pathPrefix are both normalized to remove trailing slashes prior to checking.
+func hasPathPrefix(s, pathPrefix string) bool {
+
+ s = strings.TrimSuffix(s, "/")
+ pathPrefix = strings.TrimSuffix(pathPrefix, "/")
+
+ // Short circuit if s doesn't contain the prefix at all
+ if !strings.HasPrefix(s, pathPrefix) {
+ return false
+ }
+
+ pathPrefixLength := len(pathPrefix)
+
+ if len(s) == pathPrefixLength {
+ // Exact match
+ return true
+ }
+
+ if s[pathPrefixLength:pathPrefixLength+1] == "/" {
+ // The next character in s is a path segment boundary
+ // Check this instead of normalizing pathPrefix to avoid allocating on every call
+ // Example where this check applies: s=/foo/bar and pathPrefix=/foo
+ return true
+ }
+
+ return false
+}
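Review bot: `AllowsHostVolumePath` hands `hostPath` to `hasPathPrefix` unmodified, and `hasPathPrefix` only trims a trailing slash before comparing strings, so a host path with `..` elements after an allowed prefix is accepted on the prefix alone. The validation added in this commit rejects `..` only in the policy's `PathPrefix`; whether pod validation outside this diff rejects it in the pod's `hostPath.path` is not visible here. If it does not, the helper should refuse such paths once a list is configured, as sketched below, and util_test.go should gain a case for it. The `hasPathPrefix` comment would also read better as `or if it is prefixed with pathPrefix at a path segment boundary.`

```go
func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool {
	// … unchanged: nil-psp check and the "empty list allows any path" check …

	// Matching below is textual, so a path with ".." elements cannot be
	// compared against a prefix reliably; refuse it instead of guessing.
	for _, segment := range strings.Split(hostPath, "/") {
		if segment == ".." {
			return false
		}
	}

	// … unchanged: loop over psp.Spec.AllowedHostPaths calling hasPathPrefix …
```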
diff --git a/pkg/security/podsecuritypolicy/util/util_test.go b/pkg/security/podsecuritypolicy/util/util_test.go
index 63a2dd3de0..048e793fa8 100644
--- a/pkg/security/podsecuritypolicy/util/util_test.go
+++ b/pkg/security/podsecuritypolicy/util/util_test.go
@@ -103,3 +103,95 @@ func TestPSPAllowsFSType(t *testing.T) {
}
}
}
+
+func TestAllowsHostVolumePath(t *testing.T) {
+ tests := map[string]struct {
+ psp *extensions.PodSecurityPolicy
+ path string
+ allows bool
+ }{
+ "nil psp": {
+ psp: nil,
+ path: "/test",
+ allows: false,
+ },
+ "empty allowed paths": {
+ psp: &extensions.PodSecurityPolicy{},
+ path: "/test",
+ allows: true,
+ },
+ "non-matching": {
+ psp: &extensions.PodSecurityPolicy{
+ Spec: extensions.PodSecurityPolicySpec{
+ AllowedHostPaths: []extensions.AllowedHostPath{
+ {PathPrefix: "/foo"},
+ },
+ },
+ },
+ path: "/foobar",
+ allows: false,
+ },
+ "match on direct match": {
+ psp: &extensions.PodSecurityPolicy{
+ Spec: extensions.PodSecurityPolicySpec{
+ AllowedHostPaths: []extensions.AllowedHostPath{
+ {PathPrefix: "/foo"},
+ },
+ },
+ },
+ path: "/foo",
+ allows: true,
+ },
+ "match with trailing slash on host path": {
+ psp: &extensions.PodSecurityPolicy{
+ Spec: extensions.PodSecurityPolicySpec{
+ AllowedHostPaths: []extensions.AllowedHostPath{
+ {PathPrefix: "/foo"},
+ },
+ },
+ },
+ path: "/foo/",
+ allows: true,
+ },
+ "match with trailing slash on allowed path": {
+ psp: &extensions.PodSecurityPolicy{
+ Spec: extensions.PodSecurityPolicySpec{
+ AllowedHostPaths: []extensions.AllowedHostPath{
+ {PathPrefix: "/foo/"},
+ },
+ },
+ },
+ path: "/foo",
+ allows: true,
+ },
+ "match child directory": {
+ psp: &extensions.PodSecurityPolicy{
+ Spec: extensions.PodSecurityPolicySpec{
+ AllowedHostPaths: []extensions.AllowedHostPath{
+ {PathPrefix: "/foo/"},
+ },
+ },
+ },
+ path: "/foo/bar",
+ allows: true,
+ },
+ "non-matching parent directory": {
+ psp: &extensions.PodSecurityPolicy{
+ Spec: extensions.PodSecurityPolicySpec{
+ AllowedHostPaths: []extensions.AllowedHostPath{
+ {PathPrefix: "/foo/bar"},
+ },
+ },
+ },
+ path: "/foo",
+ allows: false,
+ },
+ }
+
+ for k, v := range tests {
+ allows := AllowsHostVolumePath(v.psp, v.path)
+ if v.allows != allows {
+ t.Errorf("%s expected %t but got %t", k, v.allows, allows)
+ }
+ }
+}
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go b/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go
index f7eb3b4d65..c56777d009 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go
@@ -26,6 +26,7 @@ limitations under the License.
It has these top-level messages:
APIVersion
+ AllowedHostPath
CustomMetricCurrentStatus
CustomMetricCurrentStatusList
CustomMetricTarget
@@ -119,93 +120,99 @@ func (m *APIVersion) Reset() { *m = APIVersion{} }
func (*APIVersion) ProtoMessage() {}
func (*APIVersion) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+func (m *AllowedHostPath) Reset() { *m = AllowedHostPath{} }
+func (*AllowedHostPath) ProtoMessage() {}
+func (*AllowedHostPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
func (m *CustomMetricCurrentStatus) Reset() { *m = CustomMetricCurrentStatus{} }
func (*CustomMetricCurrentStatus) ProtoMessage() {}
func (*CustomMetricCurrentStatus) Descriptor() ([]byte, []int) {
- return fileDescriptorGenerated, []int{1}
+ return fileDescriptorGenerated, []int{2}
}
func (m *CustomMetricCurrentStatusList) Reset() { *m = CustomMetricCurrentStatusList{} }
func (*CustomMetricCurrentStatusList) ProtoMessage() {}
func (*CustomMetricCurrentStatusList) Descriptor() ([]byte, []int) {
- return fileDescriptorGenerated, []int{2}
+ return fileDescriptorGenerated, []int{3}
}
func (m *CustomMetricTarget) Reset() { *m = CustomMetricTarget{} }
func (*CustomMetricTarget) ProtoMessage() {}
-func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
func (m *CustomMetricTargetList) Reset() { *m = CustomMetricTargetList{} }
func (*CustomMetricTargetList) ProtoMessage() {}
-func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
func (m *DaemonSet) Reset() { *m = DaemonSet{} }
func (*DaemonSet) ProtoMessage() {}
-func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
func (m *DaemonSetList) Reset() { *m = DaemonSetList{} }
func (*DaemonSetList) ProtoMessage() {}
-func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
func (m *DaemonSetSpec) Reset() { *m = DaemonSetSpec{} }
func (*DaemonSetSpec) ProtoMessage() {}
-func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
func (m *DaemonSetStatus) Reset() { *m = DaemonSetStatus{} }
func (*DaemonSetStatus) ProtoMessage() {}
-func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
-func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} }
-func (*DaemonSetUpdateStrategy) ProtoMessage() {}
-func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} }
+func (*DaemonSetUpdateStrategy) ProtoMessage() {}
+func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) {
+ return fileDescriptorGenerated, []int{10}
+}
func (m *Deployment) Reset() { *m = Deployment{} }
func (*Deployment) ProtoMessage() {}
-func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
func (m *DeploymentCondition) Reset() { *m = DeploymentCondition{} }
func (*DeploymentCondition) ProtoMessage() {}
-func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
+func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
func (m *DeploymentList) Reset() { *m = DeploymentList{} }
func (*DeploymentList) ProtoMessage() {}
-func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
+func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
func (m *DeploymentRollback) Reset() { *m = DeploymentRollback{} }
func (*DeploymentRollback) ProtoMessage() {}
-func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
func (m *DeploymentSpec) Reset() { *m = DeploymentSpec{} }
func (*DeploymentSpec) ProtoMessage() {}
-func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
+func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
func (m *DeploymentStatus) Reset() { *m = DeploymentStatus{} }
func (*DeploymentStatus) ProtoMessage() {}
-func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
+func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
func (m *DeploymentStrategy) Reset() { *m = DeploymentStrategy{} }
func (*DeploymentStrategy) ProtoMessage() {}
-func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
+func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
func (m *FSGroupStrategyOptions) Reset() { *m = FSGroupStrategyOptions{} }
func (*FSGroupStrategyOptions) ProtoMessage() {}
-func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
+func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
func (m *HTTPIngressPath) Reset() { *m = HTTPIngressPath{} }
func (*HTTPIngressPath) ProtoMessage() {}
-func (*HTTPIngressPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
+func (*HTTPIngressPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
func (m *HTTPIngressRuleValue) Reset() { *m = HTTPIngressRuleValue{} }
func (*HTTPIngressRuleValue) ProtoMessage() {}
-func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
+func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
func (m *HostPortRange) Reset() { *m = HostPortRange{} }
func (*HostPortRange) ProtoMessage() {}
-func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
+func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
func (m *IDRange) Reset() { *m = IDRange{} }
func (*IDRange) ProtoMessage() {}
-func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
+func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{22} }
func (m *IPBlock) Reset() { *m = IPBlock{} }
func (*IPBlock) ProtoMessage() {}
@@ -369,6 +376,7 @@ func (*ThirdPartyResourceList) Descriptor() ([]byte, []int) { return fileDescrip
func init() {
proto.RegisterType((*APIVersion)(nil), "k8s.io.api.extensions.v1beta1.APIVersion")
+ proto.RegisterType((*AllowedHostPath)(nil), "k8s.io.api.extensions.v1beta1.AllowedHostPath")
proto.RegisterType((*CustomMetricCurrentStatus)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatus")
proto.RegisterType((*CustomMetricCurrentStatusList)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatusList")
proto.RegisterType((*CustomMetricTarget)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricTarget")
@@ -450,6 +458,28 @@ func (m *APIVersion) MarshalTo(dAtA []byte) (int, error) {
return i, nil
}
+func (m *AllowedHostPath) Marshal() (dAtA []byte, err error) {
+ size := m.Size()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalTo(dAtA)
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *AllowedHostPath) MarshalTo(dAtA []byte) (int, error) {
+ var i int
+ _ = i
+ var l int
+ _ = l
+ dAtA[i] = 0xa
+ i++
+ i = encodeVarintGenerated(dAtA, i, uint64(len(m.PathPrefix)))
+ i += copy(dAtA[i:], m.PathPrefix)
+ return i, nil
+}
+
func (m *CustomMetricCurrentStatus) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
@@ -2078,6 +2108,20 @@ func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) {
dAtA[i] = 0
}
i++
+ if len(m.AllowedHostPaths) > 0 {
+ for _, msg := range m.AllowedHostPaths {
+ dAtA[i] = 0x8a
+ i++
+ dAtA[i] = 0x1
+ i++
+ i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+ n, err := msg.MarshalTo(dAtA[i:])
+ if err != nil {
+ return 0, err
+ }
+ i += n
+ }
+ }
return i, nil
}
@@ -2792,6 +2836,14 @@ func (m *APIVersion) Size() (n int) {
return n
}
+func (m *AllowedHostPath) Size() (n int) {
+ var l int
+ _ = l
+ l = len(m.PathPrefix)
+ n += 1 + l + sovGenerated(uint64(l))
+ return n
+}
+
func (m *CustomMetricCurrentStatus) Size() (n int) {
var l int
_ = l
@@ -3362,6 +3414,12 @@ func (m *PodSecurityPolicySpec) Size() (n int) {
n += 2
}
n += 3
+ if len(m.AllowedHostPaths) > 0 {
+ for _, e := range m.AllowedHostPaths {
+ l = e.Size()
+ n += 2 + l + sovGenerated(uint64(l))
+ }
+ }
return n
}
@@ -3632,6 +3690,16 @@ func (this *APIVersion) String() string {
}, "")
return s
}
+func (this *AllowedHostPath) String() string {
+ if this == nil {
+ return "nil"
+ }
+ s := strings.Join([]string{`&AllowedHostPath{`,
+ `PathPrefix:` + fmt.Sprintf("%v", this.PathPrefix) + `,`,
+ `}`,
+ }, "")
+ return s
+}
func (this *CustomMetricCurrentStatus) String() string {
if this == nil {
return "nil"
@@ -4110,6 +4178,7 @@ func (this *PodSecurityPolicySpec) String() string {
`ReadOnlyRootFilesystem:` + fmt.Sprintf("%v", this.ReadOnlyRootFilesystem) + `,`,
`DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`,
`AllowPrivilegeEscalation:` + fmt.Sprintf("%v", this.AllowPrivilegeEscalation) + `,`,
+ `AllowedHostPaths:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedHostPaths), "AllowedHostPath", "AllowedHostPath", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
@@ -4428,6 +4497,85 @@ func (m *APIVersion) Unmarshal(dAtA []byte) error {
}
return nil
}
+func (m *AllowedHostPath) Unmarshal(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowGenerated
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: AllowedHostPath: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: AllowedHostPath: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ case 1:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field PathPrefix", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowGenerated
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLengthGenerated
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.PathPrefix = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
+ default:
+ iNdEx = preIndex
+ skippy, err := skipGenerated(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if skippy < 0 {
+ return ErrInvalidLengthGenerated
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
func (m *CustomMetricCurrentStatus) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
@@ -9731,6 +9879,37 @@ func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error {
}
}
m.AllowPrivilegeEscalation = bool(v != 0)
+ case 17:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field AllowedHostPaths", wireType)
+ }
+ var msglen int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowGenerated
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ msglen |= (int(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if msglen < 0 {
+ return ErrInvalidLengthGenerated
+ }
+ postIndex := iNdEx + msglen
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.AllowedHostPaths = append(m.AllowedHostPaths, AllowedHostPath{})
+ if err := m.AllowedHostPaths[len(m.AllowedHostPaths)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+ return err
+ }
+ iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -12183,6 +12362,7 @@ func init() {
}
var fileDescriptorGenerated = []byte{
+<<<<<<< a235ba4e49451c779b8328378addf0d7bd7b84fd
// 3495 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0xcd, 0x6f, 0x1b, 0xd7,
0xb5, 0xf7, 0x90, 0xa2, 0x48, 0x1d, 0x5a, 0x92, 0x75, 0xe5, 0xc8, 0x8c, 0x1c, 0x8b, 0xce, 0x04,
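Review bot: The added line `<<<<<<< a235ba4e49451c779b8328378addf0d7bd7b84fd` is an unresolved merge-conflict marker inside the `fileDescriptorGenerated` literal, and the next hunk adds the matching `=======` and `>>>>>>> Allow PSP's to specify a whitelist of allowed paths for host volume` lines around a second copy of the descriptor. With those three lines present the file is not valid Go, and both the 3495-byte and the 3487-byte descriptor are kept. The descriptor should be regenerated from the merged generated.proto and committed without the markers rather than resolved by hand, since the gzipped bytes have to match the proto that ships.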
@@ -12403,4 +12583,225 @@ var fileDescriptorGenerated = []byte{
0x78, 0x74, 0x30, 0x27, 0x7c, 0x7e, 0x30, 0x27, 0x7c, 0x71, 0x30, 0x27, 0xfc, 0xed, 0x60, 0x4e,
0xf8, 0xf1, 0x57, 0x73, 0x27, 0xee, 0xe7, 0x39, 0xee, 0xbf, 0x02, 0x00, 0x00, 0xff, 0xff, 0x6f,
0x30, 0xd5, 0x91, 0x29, 0x3b, 0x00, 0x00,
+=======
+ // 3487 bytes of a gzipped FileDescriptorProto
+ 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0x4d, 0x6c, 0x1c, 0xc7,
+ 0x95, 0x56, 0xcf, 0x0f, 0x39, 0x7c, 0x14, 0xff, 0x8a, 0x32, 0x35, 0xa6, 0x2c, 0x0e, 0xdd, 0x06,
+ 0xb4, 0x92, 0x57, 0x9a, 0xb1, 0x64, 0xcb, 0x96, 0x2d, 0xac, 0x77, 0x39, 0xa4, 0x7e, 0xe8, 0x25,
+ 0x29, 0xaa, 0x66, 0x48, 0xef, 0x0a, 0xd6, 0xae, 0x9b, 0x33, 0xc5, 0x61, 0x8b, 0x3d, 0xdd, 0xe3,
+ 0xee, 0x6a, 0x9a, 0x73, 0x59, 0xec, 0xc9, 0xc0, 0x02, 0xbb, 0xd8, 0xdd, 0x83, 0x03, 0x07, 0xc8,
+ 0x21, 0xbe, 0xe4, 0x94, 0x20, 0xbe, 0x25, 0x07, 0x23, 0x40, 0x80, 0x04, 0x10, 0x02, 0x27, 0xf0,
+ 0x29, 0xf1, 0x89, 0x88, 0xe9, 0x63, 0xce, 0x01, 0x02, 0x1d, 0x82, 0xa0, 0xaa, 0xab, 0xff, 0xbb,
+ 0x39, 0x33, 0xb4, 0x44, 0x04, 0xb9, 0x71, 0xea, 0xbd, 0xf7, 0xbd, 0x9f, 0xaa, 0x7a, 0xf5, 0xaa,
+ 0x5e, 0x13, 0x6e, 0xef, 0xde, 0xb0, 0xca, 0xaa, 0x51, 0xd9, 0xb5, 0xb7, 0x88, 0xa9, 0x13, 0x4a,
+ 0xac, 0xca, 0x1e, 0xd1, 0x9b, 0x86, 0x59, 0x11, 0x04, 0xa5, 0xa3, 0x56, 0xc8, 0x3e, 0x25, 0xba,
+ 0xa5, 0x1a, 0xba, 0x55, 0xd9, 0xbb, 0xba, 0x45, 0xa8, 0x72, 0xb5, 0xd2, 0x22, 0x3a, 0x31, 0x15,
+ 0x4a, 0x9a, 0xe5, 0x8e, 0x69, 0x50, 0x03, 0x9d, 0x77, 0xd8, 0xcb, 0x4a, 0x47, 0x2d, 0xfb, 0xec,
+ 0x65, 0xc1, 0x3e, 0x7b, 0xa5, 0xa5, 0xd2, 0x1d, 0x7b, 0xab, 0xdc, 0x30, 0xda, 0x95, 0x96, 0xd1,
+ 0x32, 0x2a, 0x5c, 0x6a, 0xcb, 0xde, 0xe6, 0xbf, 0xf8, 0x0f, 0xfe, 0x97, 0x83, 0x36, 0x2b, 0x07,
+ 0x94, 0x37, 0x0c, 0x93, 0x54, 0xf6, 0x62, 0x1a, 0x67, 0x2f, 0x05, 0x78, 0x3a, 0x86, 0xa6, 0x36,
+ 0xba, 0x69, 0xc6, 0xcd, 0xbe, 0xe6, 0xb3, 0xb6, 0x95, 0xc6, 0x8e, 0xaa, 0x13, 0xb3, 0x5b, 0xe9,
+ 0xec, 0xb6, 0xb8, 0xac, 0x49, 0x2c, 0xc3, 0x36, 0x1b, 0x64, 0x20, 0x29, 0xab, 0xd2, 0x26, 0x54,
+ 0x49, 0x32, 0xab, 0x92, 0x26, 0x65, 0xda, 0x3a, 0x55, 0xdb, 0x71, 0x35, 0xaf, 0xf7, 0x12, 0xb0,
+ 0x1a, 0x3b, 0xa4, 0xad, 0xc4, 0xe4, 0x5e, 0x4d, 0x93, 0xb3, 0xa9, 0xaa, 0x55, 0x54, 0x9d, 0x5a,
+ 0xd4, 0x8c, 0x0a, 0xc9, 0x65, 0x80, 0x85, 0xf5, 0xe5, 0x4d, 0x62, 0xb2, 0xe9, 0x41, 0xf3, 0x90,
+ 0xd3, 0x95, 0x36, 0x29, 0x4a, 0xf3, 0xd2, 0xc5, 0x91, 0xea, 0xe9, 0xc7, 0x07, 0xa5, 0x53, 0x87,
+ 0x07, 0xa5, 0xdc, 0x9a, 0xd2, 0x26, 0x98, 0x53, 0xe4, 0x37, 0x61, 0x62, 0x41, 0xd3, 0x8c, 0x0f,
+ 0x49, 0xf3, 0xae, 0x61, 0xd1, 0x75, 0x85, 0xee, 0xa0, 0x0b, 0x90, 0xeb, 0x28, 0x74, 0x47, 0x08,
+ 0x21, 0x21, 0x04, 0x8c, 0xb6, 0x6e, 0x92, 0x6d, 0x75, 0x1f, 0x73, 0xba, 0xfc, 0x5d, 0x09, 0x9e,
+ 0x5f, 0xb4, 0x2d, 0x6a, 0xb4, 0x57, 0x09, 0x35, 0xd5, 0xc6, 0xa2, 0x6d, 0x9a, 0x44, 0xa7, 0x35,
+ 0xaa, 0x50, 0xdb, 0xea, 0xad, 0x1a, 0x3d, 0x80, 0xfc, 0x9e, 0xa2, 0xd9, 0xa4, 0x98, 0x99, 0x97,
+ 0x2e, 0x8e, 0x5e, 0x2b, 0x97, 0xfd, 0x15, 0xe6, 0xf9, 0x5b, 0xee, 0xec, 0xb6, 0xf8, 0x92, 0x73,
+ 0x27, 0xb1, 0x7c, 0xdf, 0x56, 0x74, 0xaa, 0xd2, 0x6e, 0xf5, 0x8c, 0x80, 0x3c, 0x2d, 0xf4, 0x6e,
+ 0x32, 0x2c, 0xec, 0x40, 0xca, 0xff, 0x01, 0xe7, 0x53, 0x4d, 0x5b, 0x51, 0x2d, 0x8a, 0x1e, 0x42,
+ 0x5e, 0xa5, 0xa4, 0x6d, 0x15, 0xa5, 0xf9, 0xec, 0xc5, 0xd1, 0x6b, 0x37, 0xca, 0x47, 0x2e, 0xef,
+ 0x72, 0x2a, 0x58, 0x75, 0x4c, 0x98, 0x91, 0x5f, 0x66, 0x70, 0xd8, 0x41, 0x95, 0xff, 0x5f, 0x02,
+ 0x14, 0x94, 0xa9, 0x2b, 0x66, 0x8b, 0xd0, 0x3e, 0x82, 0xf2, 0xaf, 0xdf, 0x2e, 0x28, 0xd3, 0x02,
+ 0x72, 0xd4, 0x51, 0x18, 0x8a, 0x49, 0x07, 0x66, 0xe2, 0x26, 0xf1, 0x60, 0x6c, 0x86, 0x83, 0x71,
+ 0x75, 0x80, 0x60, 0x38, 0x28, 0x29, 0x51, 0xf8, 0x38, 0x03, 0x23, 0x4b, 0x0a, 0x69, 0x1b, 0x7a,
+ 0x8d, 0x50, 0xf4, 0x3e, 0x14, 0xd8, 0x9e, 0x6a, 0x2a, 0x54, 0xe1, 0x01, 0x18, 0xbd, 0xf6, 0xca,
+ 0x51, 0xde, 0x59, 0x65, 0xc6, 0x5d, 0xde, 0xbb, 0x5a, 0xbe, 0xb7, 0xf5, 0x88, 0x34, 0xe8, 0x2a,
+ 0xa1, 0x8a, 0xbf, 0x1a, 0xfd, 0x31, 0xec, 0xa1, 0xa2, 0x35, 0xc8, 0x59, 0x1d, 0xd2, 0x10, 0xb1,
+ 0xbb, 0xdc, 0xc3, 0x0d, 0xcf, 0xb2, 0x5a, 0x87, 0x34, 0xfc, 0xc9, 0x60, 0xbf, 0x30, 0xc7, 0x41,
+ 0x9b, 0x30, 0x64, 0xf1, 0x59, 0x2e, 0x66, 0x63, 0xb3, 0x71, 0x34, 0xa2, 0xb3, 0x36, 0xc6, 0x05,
+ 0xe6, 0x90, 0xf3, 0x1b, 0x0b, 0x34, 0xf9, 0x73, 0x09, 0xc6, 0x3c, 0x5e, 0x3e, 0x03, 0xef, 0xc5,
+ 0x62, 0x53, 0xee, 0x2f, 0x36, 0x4c, 0x9a, 0x47, 0x66, 0x52, 0xe8, 0x2a, 0xb8, 0x23, 0x81, 0xb8,
+ 0xac, 0xba, 0xf3, 0x9b, 0xe1, 0xf3, 0x7b, 0xb1, 0x5f, 0x37, 0x52, 0xa6, 0xf5, 0x3b, 0xb9, 0x80,
+ 0xf9, 0x2c, 0x5c, 0xe8, 0x21, 0x14, 0x2c, 0xa2, 0x91, 0x06, 0x35, 0x4c, 0x61, 0xfe, 0xab, 0x7d,
+ 0x9a, 0xaf, 0x6c, 0x11, 0xad, 0x26, 0x44, 0xab, 0xa7, 0x99, 0xfd, 0xee, 0x2f, 0xec, 0x41, 0xa2,
+ 0xfb, 0x50, 0xa0, 0xa4, 0xdd, 0xd1, 0x14, 0xea, 0xee, 0x8b, 0x97, 0x82, 0x2e, 0xb0, 0x03, 0x84,
+ 0x81, 0xad, 0x1b, 0xcd, 0xba, 0x60, 0xe3, 0x53, 0xea, 0x85, 0xc4, 0x1d, 0xc5, 0x1e, 0x0c, 0xda,
+ 0x83, 0x71, 0xbb, 0xd3, 0x64, 0x9c, 0x94, 0xa5, 0xcf, 0x56, 0x57, 0x4c, 0xf1, 0xeb, 0xfd, 0xc6,
+ 0x66, 0x23, 0x24, 0x5d, 0x9d, 0x11, 0xba, 0xc6, 0xc3, 0xe3, 0x38, 0xa2, 0x05, 0x2d, 0xc0, 0x44,
+ 0x5b, 0xd5, 0x31, 0x51, 0x9a, 0xdd, 0x1a, 0x69, 0x18, 0x7a, 0xd3, 0x2a, 0xe6, 0xe6, 0xa5, 0x8b,
+ 0xf9, 0xea, 0x59, 0x01, 0x30, 0xb1, 0x1a, 0x26, 0xe3, 0x28, 0x3f, 0x7a, 0x07, 0x90, 0xeb, 0xc6,
+ 0x1d, 0x27, 0xfb, 0xab, 0x86, 0x5e, 0xcc, 0xcf, 0x4b, 0x17, 0xb3, 0xd5, 0x59, 0x81, 0x82, 0xea,
+ 0x31, 0x0e, 0x9c, 0x20, 0x85, 0x56, 0xe0, 0x8c, 0x49, 0xf6, 0x54, 0xe6, 0xe3, 0x5d, 0xd5, 0xa2,
+ 0x86, 0xd9, 0x5d, 0x51, 0xdb, 0x2a, 0x2d, 0x0e, 0x71, 0x9b, 0x8a, 0x87, 0x07, 0xa5, 0x33, 0x38,
+ 0x81, 0x8e, 0x13, 0xa5, 0xe4, 0xcf, 0xf2, 0x30, 0x11, 0xd9, 0x03, 0x68, 0x13, 0x66, 0x1a, 0x4e,
+ 0xc2, 0x5c, 0xb3, 0xdb, 0x5b, 0xc4, 0xac, 0x35, 0x76, 0x48, 0xd3, 0xd6, 0x48, 0x93, 0x2f, 0x94,
+ 0x7c, 0x75, 0x4e, 0x58, 0x3c, 0xb3, 0x98, 0xc8, 0x85, 0x53, 0xa4, 0x59, 0x14, 0x74, 0x3e, 0xb4,
+ 0xaa, 0x5a, 0x96, 0x87, 0x99, 0xe1, 0x98, 0x5e, 0x14, 0xd6, 0x62, 0x1c, 0x38, 0x41, 0x8a, 0xd9,
+ 0xd8, 0x24, 0x96, 0x6a, 0x92, 0x66, 0xd4, 0xc6, 0x6c, 0xd8, 0xc6, 0xa5, 0x44, 0x2e, 0x9c, 0x22,
+ 0x8d, 0xae, 0xc3, 0xa8, 0xa3, 0x8d, 0xcf, 0x9f, 0x98, 0x68, 0x2f, 0x45, 0xaf, 0xf9, 0x24, 0x1c,
+ 0xe4, 0x63, 0xae, 0x19, 0x5b, 0x16, 0x31, 0xf7, 0x48, 0x33, 0x7d, 0x82, 0xef, 0xc5, 0x38, 0x70,
+ 0x82, 0x14, 0x73, 0xcd, 0x59, 0x81, 0x31, 0xd7, 0x86, 0xc2, 0xae, 0x6d, 0x24, 0x72, 0xe1, 0x14,
+ 0x69, 0xb6, 0x8e, 0x1d, 0x93, 0x17, 0xf6, 0x14, 0x55, 0x53, 0xb6, 0x34, 0x52, 0x1c, 0x0e, 0xaf,
+ 0xe3, 0xb5, 0x30, 0x19, 0x47, 0xf9, 0xd1, 0x1d, 0x98, 0x72, 0x86, 0x36, 0x74, 0xc5, 0x03, 0x29,
+ 0x70, 0x90, 0xe7, 0x05, 0xc8, 0xd4, 0x5a, 0x94, 0x01, 0xc7, 0x65, 0xd0, 0x5b, 0x30, 0xde, 0x30,
+ 0x34, 0x8d, 0xaf, 0xc7, 0x45, 0xc3, 0xd6, 0x69, 0x71, 0x84, 0xa3, 0x20, 0xb6, 0x1f, 0x17, 0x43,
+ 0x14, 0x1c, 0xe1, 0x94, 0x7f, 0x25, 0xc1, 0xd9, 0x94, 0x3d, 0x8d, 0xfe, 0x11, 0x72, 0xb4, 0xdb,
+ 0x71, 0x4f, 0xeb, 0xbf, 0x77, 0x0f, 0x88, 0x7a, 0xb7, 0x43, 0x9e, 0x1c, 0x94, 0xce, 0xa5, 0x88,
+ 0x31, 0x32, 0xe6, 0x82, 0x48, 0x87, 0x31, 0x93, 0xa9, 0xd3, 0x5b, 0x0e, 0x8b, 0x48, 0x5e, 0xd7,
+ 0x7b, 0xe4, 0x18, 0x1c, 0x94, 0xf1, 0x93, 0xf1, 0xd4, 0xe1, 0x41, 0x69, 0x2c, 0x44, 0xc3, 0x61,
+ 0x78, 0xf9, 0x93, 0x0c, 0xc0, 0x12, 0xe9, 0x68, 0x46, 0xb7, 0x4d, 0xf4, 0x93, 0x38, 0x70, 0xef,
+ 0x85, 0x0e, 0xdc, 0x2b, 0xbd, 0x72, 0xa7, 0x67, 0x5a, 0xea, 0x89, 0xfb, 0x6e, 0xe4, 0xc4, 0xad,
+ 0xf4, 0x0f, 0x79, 0xf4, 0x91, 0xfb, 0xbb, 0x2c, 0x4c, 0xfb, 0xcc, 0x8b, 0x86, 0xde, 0x54, 0xf9,
+ 0xfe, 0xb8, 0x19, 0x9a, 0xe3, 0xbf, 0x8b, 0xcc, 0xf1, 0xd9, 0x04, 0x91, 0xc0, 0xfc, 0xae, 0x78,
+ 0xd6, 0x66, 0xb8, 0xf8, 0x6b, 0x61, 0xe5, 0x4f, 0x0e, 0x4a, 0x09, 0xf7, 0x9c, 0xb2, 0x87, 0x14,
+ 0x36, 0x11, 0x5d, 0x80, 0x21, 0x93, 0x28, 0x96, 0xa1, 0xf3, 0x44, 0x31, 0xe2, 0xbb, 0x82, 0xf9,
+ 0x28, 0x16, 0x54, 0x74, 0x09, 0x86, 0xdb, 0xc4, 0xb2, 0x94, 0x16, 0xe1, 0x39, 0x61, 0xa4, 0x3a,
+ 0x21, 0x18, 0x87, 0x57, 0x9d, 0x61, 0xec, 0xd2, 0xd1, 0x23, 0x18, 0xd7, 0x14, 0x4b, 0x2c, 0xd0,
+ 0xba, 0xda, 0x26, 0x7c, 0xd7, 0x8f, 0x5e, 0x7b, 0xb9, 0xbf, 0x75, 0xc0, 0x24, 0xfc, 0x93, 0x6d,
+ 0x25, 0x84, 0x84, 0x23, 0xc8, 0x68, 0x0f, 0x10, 0x1b, 0xa9, 0x9b, 0x8a, 0x6e, 0x39, 0x81, 0x62,
+ 0xfa, 0x86, 0x07, 0xd6, 0xe7, 0x65, 0xb8, 0x95, 0x18, 0x1a, 0x4e, 0xd0, 0x20, 0xff, 0x4c, 0x82,
+ 0x71, 0x7f, 0x9a, 0x4e, 0xa0, 0x9a, 0x5a, 0x0b, 0x57, 0x53, 0x97, 0xfa, 0x5e, 0xa2, 0x29, 0xe5,
+ 0xd4, 0x9f, 0x32, 0x80, 0x7c, 0x26, 0xb6, 0xc1, 0xb7, 0x94, 0xc6, 0x6e, 0x1f, 0x77, 0x85, 0x8f,
+ 0x25, 0x40, 0x22, 0x3d, 0x2f, 0xe8, 0xba, 0x41, 0x79, 0xc6, 0x77, 0xcd, 0x5a, 0xee, 0xdb, 0x2c,
+ 0x57, 0x63, 0x79, 0x23, 0x86, 0x75, 0x4b, 0xa7, 0x66, 0xd7, 0x9f, 0x91, 0x38, 0x03, 0x4e, 0x30,
+ 0x00, 0x29, 0x00, 0xa6, 0xc0, 0xac, 0x1b, 0x62, 0x23, 0x5f, 0xe9, 0x23, 0xe7, 0x31, 0x81, 0x45,
+ 0x43, 0xdf, 0x56, 0x5b, 0x7e, 0xda, 0xc1, 0x1e, 0x10, 0x0e, 0x80, 0xce, 0xde, 0x82, 0xb3, 0x29,
+ 0xd6, 0xa2, 0x49, 0xc8, 0xee, 0x92, 0xae, 0x13, 0x36, 0xcc, 0xfe, 0x44, 0x67, 0x82, 0x77, 0xaa,
+ 0x11, 0x71, 0x1d, 0x7a, 0x2b, 0x73, 0x43, 0x92, 0x3f, 0xcf, 0x07, 0xd7, 0x0e, 0x2f, 0x65, 0x2f,
+ 0x42, 0xc1, 0x24, 0x1d, 0x4d, 0x6d, 0x28, 0x96, 0xa8, 0x50, 0x78, 0x55, 0x8a, 0xc5, 0x18, 0xf6,
+ 0xa8, 0xa1, 0xa2, 0x37, 0xf3, 0x6c, 0x8b, 0xde, 0xec, 0xd3, 0x29, 0x7a, 0xff, 0x1d, 0x0a, 0x96,
+ 0x5b, 0xee, 0xe6, 0x38, 0xe4, 0xd5, 0x01, 0xf2, 0xab, 0xa8, 0x74, 0x3d, 0x05, 0x5e, 0x8d, 0xeb,
+ 0x81, 0x26, 0x55, 0xb7, 0xf9, 0x01, 0xab, 0xdb, 0xa7, 0x5a, 0x91, 0xb2, 0x9c, 0xda, 0x51, 0x6c,
+ 0x8b, 0x34, 0x79, 0x22, 0x2a, 0xf8, 0x39, 0x75, 0x9d, 0x8f, 0x62, 0x41, 0x45, 0x0f, 0x43, 0x4b,
+ 0xb6, 0x70, 0x9c, 0x25, 0x3b, 0x9e, 0xbe, 0x5c, 0xd1, 0x06, 0x9c, 0xed, 0x98, 0x46, 0xcb, 0x24,
+ 0x96, 0xb5, 0x44, 0x94, 0xa6, 0xa6, 0xea, 0xc4, 0x8d, 0x8f, 0x53, 0xaa, 0x9c, 0x3b, 0x3c, 0x28,
+ 0x9d, 0x5d, 0x4f, 0x66, 0xc1, 0x69, 0xb2, 0xf2, 0xe3, 0x1c, 0x4c, 0x46, 0x4f, 0xc0, 0x94, 0xea,
+ 0x51, 0x3a, 0x56, 0xf5, 0x78, 0x39, 0xb0, 0x19, 0x9c, 0xd2, 0xda, 0x9b, 0xfd, 0x84, 0x0d, 0xb1,
+ 0x00, 0x13, 0x22, 0x1b, 0xb8, 0x44, 0x51, 0x3f, 0x7b, 0xb3, 0xbf, 0x11, 0x26, 0xe3, 0x28, 0x3f,
+ 0xab, 0x09, 0xfd, 0x52, 0xcf, 0x05, 0xc9, 0x85, 0x6b, 0xc2, 0x85, 0x28, 0x03, 0x8e, 0xcb, 0xa0,
+ 0x55, 0x98, 0xb6, 0xf5, 0x38, 0x94, 0xb3, 0x1a, 0xcf, 0x09, 0xa8, 0xe9, 0x8d, 0x38, 0x0b, 0x4e,
+ 0x92, 0x43, 0xdb, 0x00, 0x0d, 0xf7, 0xd8, 0xb6, 0x8a, 0x43, 0x3c, 0xc3, 0x5e, 0xeb, 0x7b, 0xef,
+ 0x78, 0x27, 0xbe, 0x9f, 0xd7, 0xbc, 0x21, 0x0b, 0x07, 0x90, 0xd1, 0x4d, 0x18, 0x33, 0xf9, 0x85,
+ 0xc0, 0x35, 0xd8, 0x29, 0xaa, 0x9f, 0x13, 0x62, 0x63, 0x38, 0x48, 0xc4, 0x61, 0xde, 0x84, 0x3a,
+ 0xb8, 0xd0, 0x77, 0x1d, 0xfc, 0x73, 0x29, 0x78, 0x08, 0x79, 0x25, 0xf0, 0x5b, 0xa1, 0xf2, 0xe8,
+ 0x42, 0xa4, 0x3c, 0x9a, 0x89, 0x4b, 0x04, 0xaa, 0x23, 0x23, 0xb9, 0xfa, 0x7d, 0x7d, 0xa0, 0xea,
+ 0xd7, 0x3f, 0x3c, 0x7b, 0x97, 0xbf, 0x9f, 0x4a, 0x30, 0x73, 0xbb, 0x76, 0xc7, 0x34, 0xec, 0x8e,
+ 0x6b, 0xce, 0xbd, 0x8e, 0x13, 0xd7, 0x37, 0x20, 0x67, 0xda, 0x9a, 0xeb, 0xc7, 0x4b, 0xae, 0x1f,
+ 0xd8, 0xd6, 0x98, 0x1f, 0xd3, 0x11, 0x29, 0xc7, 0x09, 0x26, 0x80, 0xd6, 0x60, 0xc8, 0x54, 0xf4,
+ 0x16, 0x71, 0x8f, 0xd5, 0x0b, 0x3d, 0xac, 0x5f, 0x5e, 0xc2, 0x8c, 0x3d, 0x50, 0xbc, 0x71, 0x69,
+ 0x2c, 0x50, 0xe4, 0xff, 0x91, 0x60, 0xe2, 0x6e, 0xbd, 0xbe, 0xbe, 0xac, 0xf3, 0x1d, 0xcd, 0x1f,
+ 0x5c, 0xe7, 0x43, 0x0f, 0xae, 0xde, 0x49, 0xcf, 0x68, 0xce, 0x53, 0x2b, 0xfa, 0x17, 0x18, 0x66,
+ 0x99, 0x84, 0xe8, 0xcd, 0x3e, 0x4b, 0x6d, 0x01, 0x5f, 0x75, 0x84, 0xfc, 0x0a, 0x51, 0x0c, 0x60,
+ 0x17, 0x4e, 0xde, 0x85, 0x33, 0x01, 0x73, 0x58, 0x3c, 0xf8, 0x9b, 0x21, 0xaa, 0x41, 0x9e, 0x69,
+ 0x76, 0x9f, 0x04, 0x7b, 0xbd, 0x7c, 0x45, 0x5c, 0xf2, 0x2b, 0x1d, 0xf6, 0xcb, 0xc2, 0x0e, 0x96,
+ 0xbc, 0x0a, 0x63, 0xfc, 0x95, 0xd9, 0x30, 0x29, 0x0f, 0x0b, 0x3a, 0x0f, 0xd9, 0xb6, 0xaa, 0x8b,
+ 0x73, 0x76, 0x54, 0xc8, 0x64, 0xd9, 0x19, 0xc1, 0xc6, 0x39, 0x59, 0xd9, 0x17, 0x99, 0xc7, 0x27,
+ 0x2b, 0xfb, 0x98, 0x8d, 0xcb, 0x77, 0x60, 0x58, 0x84, 0x3b, 0x08, 0x94, 0x3d, 0x1a, 0x28, 0x9b,
+ 0x00, 0xf4, 0xbf, 0x19, 0x18, 0x16, 0xd6, 0x9f, 0xc0, 0xa5, 0x69, 0x25, 0x74, 0x69, 0x7a, 0xb9,
+ 0xbf, 0x99, 0x4c, 0xbd, 0x31, 0xd5, 0x23, 0x37, 0xa6, 0xcb, 0x7d, 0xe2, 0x1d, 0x7d, 0x5d, 0xfa,
+ 0x4c, 0x82, 0xf1, 0xf0, 0x1a, 0x42, 0xd7, 0x61, 0x94, 0x9d, 0x0f, 0x6a, 0x83, 0xac, 0xf9, 0x65,
+ 0xa9, 0xf7, 0x98, 0x51, 0xf3, 0x49, 0x38, 0xc8, 0x87, 0x5a, 0x9e, 0x18, 0x9b, 0x76, 0xe1, 0x74,
+ 0x7a, 0x48, 0x6d, 0xaa, 0x6a, 0x65, 0xa7, 0xb7, 0x51, 0x5e, 0xd6, 0xe9, 0x3d, 0xb3, 0x46, 0x4d,
+ 0x55, 0x6f, 0xc5, 0x14, 0xf1, 0x35, 0x14, 0x44, 0x96, 0x7f, 0x2a, 0xc1, 0xa8, 0x30, 0xf9, 0x04,
+ 0x2e, 0x01, 0xff, 0x1c, 0xbe, 0x04, 0x5c, 0xe8, 0x73, 0x3f, 0x26, 0xdf, 0x00, 0x7e, 0xe0, 0x9b,
+ 0xce, 0x76, 0x20, 0x4b, 0x08, 0x3b, 0x86, 0x45, 0xa3, 0x09, 0x81, 0xed, 0x1d, 0xcc, 0x29, 0xc8,
+ 0x86, 0x49, 0x35, 0xb2, 0x65, 0x45, 0x68, 0x2b, 0xfd, 0x59, 0xe2, 0x89, 0x55, 0x8b, 0x02, 0x7e,
+ 0x32, 0x4a, 0xc1, 0x31, 0x15, 0x32, 0x81, 0x18, 0x17, 0xba, 0x0f, 0xb9, 0x1d, 0x4a, 0x3b, 0x09,
+ 0xef, 0xbe, 0x3d, 0x12, 0x85, 0x6f, 0x42, 0x81, 0x7b, 0x57, 0xaf, 0xaf, 0x63, 0x0e, 0x25, 0xff,
+ 0xd9, 0x8f, 0x47, 0xcd, 0x59, 0xe3, 0x5e, 0xfa, 0x93, 0x8e, 0x93, 0xfe, 0x46, 0x93, 0x52, 0x1f,
+ 0xba, 0x0b, 0x59, 0xaa, 0xf5, 0x7b, 0x8b, 0x13, 0x88, 0xf5, 0x95, 0x9a, 0x9f, 0x3f, 0xea, 0x2b,
+ 0x35, 0xcc, 0x20, 0xd0, 0x3d, 0xc8, 0xb3, 0xc3, 0x82, 0x6d, 0xc1, 0x6c, 0xff, 0x5b, 0x9a, 0xf9,
+ 0xef, 0x2f, 0x08, 0xf6, 0xcb, 0xc2, 0x0e, 0x8e, 0xfc, 0x01, 0x8c, 0x85, 0xf6, 0x29, 0x7a, 0x1f,
+ 0x4e, 0x6b, 0x86, 0xd2, 0xac, 0x2a, 0x9a, 0xa2, 0x37, 0x88, 0xfb, 0xc8, 0x7e, 0x21, 0xe9, 0x42,
+ 0xb0, 0x12, 0xe0, 0x13, 0xbb, 0xdc, 0x6b, 0x95, 0x05, 0x69, 0x38, 0x84, 0x28, 0x2b, 0x00, 0xbe,
+ 0x8f, 0xa8, 0x04, 0x79, 0xb6, 0xce, 0x9c, 0xf4, 0x3f, 0x52, 0x1d, 0x61, 0x16, 0xb2, 0xe5, 0x67,
+ 0x61, 0x67, 0x1c, 0x5d, 0x03, 0xb0, 0x48, 0xc3, 0x24, 0x94, 0x27, 0x83, 0x4c, 0xb8, 0x55, 0x58,
+ 0xf3, 0x28, 0x38, 0xc0, 0x25, 0xff, 0x52, 0x82, 0xb1, 0x35, 0x42, 0x3f, 0x34, 0xcc, 0xdd, 0x75,
+ 0xde, 0xcf, 0x3d, 0x81, 0x64, 0x8b, 0x43, 0xc9, 0xf6, 0x95, 0x1e, 0x33, 0x13, 0xb2, 0x2e, 0x2d,
+ 0xe5, 0x32, 0x3f, 0x8a, 0x21, 0xce, 0xe0, 0xde, 0xdd, 0x80, 0x7c, 0xc7, 0x30, 0xa9, 0x7b, 0x70,
+ 0x0e, 0xa4, 0x91, 0xe5, 0xb1, 0xc0, 0xd1, 0xc9, 0x60, 0xb0, 0x83, 0xc6, 0xfc, 0xd8, 0x36, 0x8d,
+ 0xb6, 0x58, 0xad, 0x83, 0xa1, 0x12, 0x62, 0xfa, 0x7e, 0xdc, 0x36, 0x8d, 0x36, 0xe6, 0x58, 0xf2,
+ 0x2f, 0x24, 0x98, 0x0a, 0x71, 0x9e, 0x40, 0xde, 0xbc, 0x1f, 0xce, 0x9b, 0x97, 0x07, 0x71, 0x24,
+ 0x25, 0x7b, 0xfe, 0x31, 0xea, 0x06, 0x73, 0x18, 0x6d, 0xc3, 0x68, 0xc7, 0x68, 0xd6, 0x9e, 0x42,
+ 0x57, 0x6a, 0x82, 0x1d, 0x3b, 0xeb, 0x3e, 0x16, 0x0e, 0x02, 0xa3, 0x7d, 0x98, 0xd2, 0x95, 0x36,
+ 0xb1, 0x3a, 0x4a, 0x83, 0xd4, 0x9e, 0xc2, 0x73, 0xc0, 0x73, 0xfc, 0xd9, 0x3b, 0x8a, 0x88, 0xe3,
+ 0x4a, 0xe4, 0x1f, 0xc6, 0xfc, 0x36, 0x4c, 0x8a, 0xee, 0x40, 0x81, 0x7f, 0x09, 0xd0, 0x30, 0x34,
+ 0xf7, 0xe1, 0x9a, 0x4d, 0xc5, 0xba, 0x18, 0x7b, 0x72, 0x50, 0x3a, 0x97, 0xf0, 0x26, 0xe9, 0x92,
+ 0xb1, 0x27, 0x8c, 0xd6, 0x20, 0xd7, 0xf9, 0x36, 0x27, 0x36, 0x4f, 0xea, 0xfc, 0x98, 0xe6, 0x38,
+ 0xf2, 0x37, 0x51, 0x73, 0x79, 0x6a, 0x7f, 0xf4, 0xd4, 0xa6, 0xc9, 0xab, 0x10, 0x52, 0xa7, 0x6a,
+ 0x0b, 0x86, 0xc5, 0x89, 0x26, 0x56, 0xdf, 0x1b, 0x83, 0xac, 0xbe, 0x60, 0xd6, 0xf6, 0xea, 0x69,
+ 0x77, 0xd0, 0x05, 0x96, 0x7f, 0x2d, 0xc1, 0x14, 0x37, 0xa0, 0x61, 0x9b, 0x2a, 0xed, 0x9e, 0x58,
+ 0x9e, 0xdb, 0x0c, 0xe5, 0xb9, 0xd7, 0x7a, 0x38, 0x16, 0xb3, 0x30, 0x35, 0xd7, 0x7d, 0x21, 0xc1,
+ 0x73, 0x31, 0xee, 0x13, 0xc8, 0x13, 0x1b, 0xe1, 0x3c, 0xf1, 0xca, 0xa0, 0x0e, 0xa5, 0xe4, 0x8a,
+ 0xef, 0x9d, 0x4e, 0x70, 0x87, 0x2f, 0xc4, 0x6b, 0x00, 0x1d, 0x53, 0xdd, 0x53, 0x35, 0xd2, 0x12,
+ 0xbd, 0xc9, 0x42, 0xe0, 0xdb, 0x17, 0x8f, 0x82, 0x03, 0x5c, 0xc8, 0x82, 0x99, 0x26, 0xd9, 0x56,
+ 0x6c, 0x8d, 0x2e, 0x34, 0x9b, 0x8b, 0x4a, 0x47, 0xd9, 0x52, 0x35, 0x95, 0xaa, 0xe2, 0xb2, 0x38,
+ 0x52, 0xbd, 0xe9, 0xf4, 0x0c, 0x93, 0x38, 0x9e, 0x1c, 0x94, 0xce, 0x27, 0xf5, 0x06, 0x5c, 0x96,
+ 0x2e, 0x4e, 0x81, 0x46, 0x5d, 0x28, 0x9a, 0xe4, 0x03, 0x5b, 0x35, 0x49, 0x73, 0xc9, 0x34, 0x3a,
+ 0x21, 0xb5, 0x59, 0xae, 0xf6, 0x1f, 0x0e, 0x0f, 0x4a, 0x45, 0x9c, 0xc2, 0xd3, 0x5b, 0x71, 0x2a,
+ 0x3c, 0x7a, 0x04, 0xd3, 0x8a, 0xf3, 0xb1, 0x50, 0x48, 0x6b, 0x8e, 0x6b, 0xbd, 0x71, 0x78, 0x50,
+ 0x9a, 0x5e, 0x88, 0x93, 0x7b, 0x2b, 0x4c, 0x02, 0x45, 0x15, 0x18, 0xde, 0x33, 0x34, 0xbb, 0x4d,
+ 0xac, 0x62, 0x9e, 0xe3, 0xb3, 0xc4, 0x38, 0xbc, 0xe9, 0x0c, 0x3d, 0x39, 0x28, 0x0d, 0xdd, 0xae,
+ 0xf1, 0x6b, 0xba, 0xcb, 0xc5, 0xee, 0x27, 0xac, 0x34, 0x11, 0x7b, 0x96, 0xbf, 0x17, 0x16, 0xfc,
+ 0xa4, 0x70, 0xd7, 0x27, 0xe1, 0x20, 0x1f, 0x7a, 0x08, 0x23, 0x3b, 0xe2, 0x4e, 0x6a, 0x15, 0x87,
+ 0xfb, 0x3a, 0x94, 0x42, 0x77, 0xd8, 0xea, 0x94, 0x50, 0x31, 0xe2, 0x0e, 0x5b, 0xd8, 0x47, 0x44,
+ 0x97, 0x60, 0x98, 0xff, 0x58, 0x5e, 0xe2, 0x8f, 0x31, 0x05, 0x3f, 0x75, 0xdc, 0x75, 0x86, 0xb1,
+ 0x4b, 0x77, 0x59, 0x97, 0xd7, 0x17, 0xf9, 0xa3, 0x60, 0x84, 0x75, 0x79, 0x7d, 0x11, 0xbb, 0x74,
+ 0xf4, 0x3e, 0x0c, 0x5b, 0x64, 0x45, 0xd5, 0xed, 0xfd, 0x22, 0xf4, 0xd5, 0x52, 0xac, 0xdd, 0xe2,
+ 0xdc, 0x91, 0x67, 0x11, 0x5f, 0x83, 0xa0, 0x63, 0x17, 0x16, 0xed, 0xc0, 0x88, 0x69, 0xeb, 0x0b,
+ 0xd6, 0x86, 0x45, 0xcc, 0xe2, 0x28, 0xd7, 0xd1, 0x2b, 0x5b, 0x62, 0x97, 0x3f, 0xaa, 0xc5, 0x8b,
+ 0x90, 0xc7, 0x81, 0x7d, 0x70, 0xf4, 0xdf, 0x12, 0x20, 0xcb, 0xee, 0x74, 0x34, 0xd2, 0x26, 0x3a,
+ 0x55, 0x34, 0xfe, 0x12, 0x63, 0x15, 0x4f, 0x73, 0x9d, 0xff, 0xd4, 0xcb, 0xaf, 0x98, 0x60, 0x54,
+ 0xb9, 0xf7, 0xe4, 0x19, 0x67, 0xc5, 0x09, 0x7a, 0x59, 0x68, 0xb7, 0x2d, 0xfe, 0x77, 0x71, 0xac,
+ 0xaf, 0xd0, 0x26, 0xbf, 0x38, 0xf9, 0xa1, 0x15, 0x74, 0xec, 0xc2, 0xa2, 0x4d, 0x98, 0x31, 0x89,
+ 0xd2, 0xbc, 0xa7, 0x6b, 0x5d, 0x6c, 0x18, 0xf4, 0xb6, 0xaa, 0x11, 0xab, 0x6b, 0x51, 0xd2, 0x2e,
+ 0x8e, 0xf3, 0x69, 0xf7, 0x5a, 0xf2, 0x38, 0x91, 0x0b, 0xa7, 0x48, 0xa3, 0x36, 0x94, 0xdc, 0x94,
+ 0xc1, 0xf6, 0x93, 0x97, 0xb3, 0x6e, 0x59, 0x0d, 0x45, 0x73, 0x5e, 0x81, 0x27, 0xb8, 0x82, 0x97,
+ 0x0e, 0x0f, 0x4a, 0xa5, 0xa5, 0xa3, 0x59, 0x71, 0x2f, 0x2c, 0xf4, 0x1e, 0x14, 0x95, 0x34, 0x3d,
+ 0x93, 0x5c, 0xcf, 0xbc, 0x70, 0xa4, 0x98, 0xaa, 0x24, 0x15, 0x01, 0x51, 0x98, 0x54, 0xc2, 0xdf,
+ 0x25, 0x5a, 0xc5, 0xa9, 0xbe, 0x9e, 0xa2, 0x22, 0x9f, 0x33, 0xfa, 0xf7, 0xdb, 0x08, 0xc1, 0xc2,
+ 0x31, 0x0d, 0xbc, 0x81, 0x2e, 0x9e, 0x53, 0x4f, 0xe6, 0x8b, 0xb5, 0xc1, 0x1a, 0xe8, 0xbe, 0x69,
+ 0x4f, 0xad, 0x81, 0x1e, 0x80, 0x3c, 0xfa, 0x45, 0xe8, 0x0f, 0x19, 0x98, 0xf6, 0x99, 0xfb, 0x6e,
+ 0xa0, 0x27, 0x88, 0x3c, 0xb3, 0x06, 0x7a, 0x72, 0x07, 0x3a, 0xfb, 0xac, 0x3b, 0xd0, 0xcf, 0xa0,
+ 0x71, 0xcf, 0x9b, 0xda, 0x7e, 0xe8, 0xfe, 0xfa, 0x9a, 0xda, 0xbe, 0x6d, 0x29, 0x85, 0xd6, 0x8f,
+ 0x33, 0x41, 0x07, 0xfe, 0xe6, 0x3b, 0xab, 0xdf, 0xfe, 0xb3, 0x3e, 0xf9, 0x8b, 0x2c, 0x4c, 0x46,
+ 0x77, 0x63, 0xa8, 0x01, 0x27, 0xf5, 0x6c, 0xc0, 0xad, 0xc3, 0x99, 0x6d, 0x5b, 0xd3, 0xba, 0x3c,
+ 0x0c, 0x81, 0x2e, 0x9c, 0xf3, 0x80, 0xfe, 0x82, 0x90, 0x3c, 0x73, 0x3b, 0x81, 0x07, 0x27, 0x4a,
+ 0xa6, 0x34, 0x13, 0xb3, 0xc7, 0x6a, 0x26, 0xc6, 0x7a, 0x5b, 0xb9, 0x01, 0x7a, 0x5b, 0x89, 0x8d,
+ 0xc1, 0xfc, 0x31, 0x1a, 0x83, 0xc7, 0xe9, 0xe4, 0x25, 0x24, 0xb1, 0x5e, 0x9d, 0x3c, 0xf9, 0x05,
+ 0x98, 0x15, 0x62, 0x94, 0x37, 0xd9, 0x74, 0x6a, 0x1a, 0x9a, 0x46, 0xcc, 0x25, 0xbb, 0xdd, 0xee,
+ 0xca, 0x6f, 0xc3, 0x78, 0xb8, 0x7d, 0xec, 0xcc, 0xb4, 0xd3, 0xc1, 0x16, 0x6d, 0x8c, 0xc0, 0x4c,
+ 0x3b, 0xe3, 0xd8, 0xe3, 0x90, 0x3f, 0x92, 0x60, 0x26, 0xf9, 0x33, 0x31, 0xa4, 0xc1, 0x78, 0x5b,
+ 0xd9, 0x0f, 0x7e, 0x53, 0x27, 0x1d, 0xf3, 0x06, 0xcf, 0xfb, 0x86, 0xab, 0x21, 0x2c, 0x1c, 0xc1,
+ 0x66, 0xb7, 0xfa, 0xb3, 0x29, 0x1d, 0xbb, 0x93, 0xb5, 0x04, 0x3d, 0x80, 0x42, 0x5b, 0xd9, 0xaf,
+ 0xd9, 0x66, 0x8b, 0x1c, 0xfb, 0xcd, 0x82, 0x67, 0x8c, 0x55, 0x81, 0x82, 0x3d, 0x3c, 0xf9, 0x53,
+ 0x09, 0x8a, 0x69, 0xe5, 0x2d, 0xba, 0x1e, 0xea, 0x2d, 0xbe, 0x18, 0xe9, 0x2d, 0x4e, 0xc5, 0xe4,
+ 0x9e, 0x51, 0x67, 0xf1, 0x47, 0x12, 0xcc, 0x24, 0x97, 0xf9, 0xe8, 0xd5, 0x90, 0x85, 0xa5, 0x88,
+ 0x85, 0x13, 0x11, 0x29, 0x61, 0xdf, 0xbf, 0xc1, 0xb8, 0xb8, 0x0c, 0x08, 0x18, 0x11, 0x55, 0x39,
+ 0x29, 0x57, 0x0a, 0x08, 0xb7, 0xf8, 0xe5, 0xf3, 0x15, 0x1e, 0xc3, 0x11, 0x34, 0xf9, 0xbf, 0x32,
+ 0x90, 0xaf, 0x35, 0x14, 0x8d, 0x9c, 0x40, 0x99, 0xf5, 0x4e, 0xa8, 0xcc, 0xea, 0xf5, 0xfd, 0x3b,
+ 0xb7, 0x2a, 0xb5, 0xc2, 0xc2, 0x91, 0x0a, 0xeb, 0xe5, 0xbe, 0xd0, 0x8e, 0x2e, 0xae, 0xde, 0x84,
+ 0x11, 0x4f, 0xe9, 0x60, 0x39, 0x5f, 0xfe, 0x7e, 0x06, 0x46, 0x03, 0x2a, 0x06, 0x3c, 0x31, 0xb6,
+ 0x43, 0x27, 0x6d, 0x3f, 0xff, 0x09, 0x13, 0xd0, 0x55, 0x76, 0xcf, 0x56, 0xe7, 0x33, 0x31, 0xff,
+ 0xc3, 0xa0, 0xf8, 0x91, 0xfb, 0x36, 0x8c, 0x53, 0xfe, 0x9f, 0x22, 0xde, 0x4b, 0x5f, 0x96, 0xaf,
+ 0x45, 0xef, 0xe3, 0xc2, 0x7a, 0x88, 0x8a, 0x23, 0xdc, 0xb3, 0x37, 0x61, 0x2c, 0xa4, 0x6c, 0xa0,
+ 0xaf, 0xbc, 0x7e, 0x22, 0xc1, 0x8b, 0x3d, 0x2f, 0x8a, 0xa8, 0x1a, 0xda, 0x24, 0xe5, 0xc8, 0x26,
+ 0x99, 0x4b, 0x07, 0x78, 0x86, 0x5f, 0x0b, 0x7c, 0x94, 0x01, 0x54, 0xdf, 0x51, 0xcd, 0xe6, 0xba,
+ 0x62, 0xd2, 0x2e, 0x16, 0xff, 0xee, 0x73, 0x02, 0x1b, 0xe6, 0x3a, 0x8c, 0x36, 0x89, 0xd5, 0x30,
+ 0x55, 0x1e, 0x1c, 0x51, 0x9d, 0x7b, 0x8f, 0x29, 0x4b, 0x3e, 0x09, 0x07, 0xf9, 0xd0, 0xbb, 0x50,
+ 0xd8, 0x73, 0xfe, 0xf5, 0xcc, 0xed, 0x85, 0xf5, 0x2a, 0x24, 0xfd, 0x7f, 0x56, 0xf3, 0xd7, 0x8f,
+ 0x18, 0xb0, 0xb0, 0x07, 0x26, 0x7f, 0x22, 0xc1, 0x4c, 0x3c, 0x10, 0x4b, 0xcc, 0xd4, 0x67, 0x1f,
+ 0x8c, 0x17, 0x20, 0xc7, 0xd1, 0x59, 0x14, 0x4e, 0x3b, 0xef, 0xda, 0x4c, 0x33, 0xe6, 0xa3, 0xf2,
+ 0x6f, 0x25, 0x98, 0x4d, 0x36, 0xed, 0x04, 0xca, 0xf6, 0x07, 0xe1, 0xb2, 0xbd, 0xd7, 0x5b, 0x45,
+ 0xb2, 0x9d, 0x29, 0x25, 0xfc, 0x6f, 0x12, 0x63, 0x7e, 0x02, 0x4e, 0x6d, 0x86, 0x9d, 0xba, 0x3a,
+ 0xb0, 0x53, 0xc9, 0x0e, 0x55, 0xaf, 0x3c, 0xfe, 0x7a, 0xee, 0xd4, 0x97, 0x5f, 0xcf, 0x9d, 0xfa,
+ 0xea, 0xeb, 0xb9, 0x53, 0xff, 0x79, 0x38, 0x27, 0x3d, 0x3e, 0x9c, 0x93, 0xbe, 0x3c, 0x9c, 0x93,
+ 0xbe, 0x3a, 0x9c, 0x93, 0x7e, 0x7f, 0x38, 0x27, 0xfd, 0xdf, 0x37, 0x73, 0xa7, 0x1e, 0x0c, 0x0b,
+ 0xdc, 0xbf, 0x04, 0x00, 0x00, 0xff, 0xff, 0xc0, 0xf0, 0x58, 0xb7, 0x3a, 0x3b, 0x00, 0x00,
+>>>>>>> Allow PSP's to specify a whitelist of allowed paths for host volume
}
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/generated.proto b/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
index 87a2f91687..fb91d5cc10 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
@@ -39,6 +39,19 @@ message APIVersion {
optional string name = 1;
}
+// AllowedHostPath defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+message AllowedHostPath {
+ // PathPrefix is the path prefix that the host volume must match.
+ // PathPrefix does not support `*`.
+ // Trailing slashes are trimmed when validating the path prefix with a host path.
+ //
+ // Examples:
+ // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+ // `/foo` would not allow `/food` or `/etc/foo`
+ optional string path = 1;
+}
+
message CustomMetricCurrentStatus {
// Custom Metric name.
optional string name = 1;
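Review bot: The PathPrefix comment documents trailing-slash trimming and the lack of `*` support, but not how `..` segments in either the prefix or the pod's host path are treated, which matters because a plain string-prefix test would accept a path that starts with the allowed prefix and then climbs out of it. If the validator (not visible here) cleans the path first, say so with a line such as `// Host paths are cleaned before matching; ".." segments cannot be used to leave the prefix.`; if it does not, that is a gap in the allow list rather than in the comment. The same comment appears on the Go type, and since this file looks generated the wording belongs there. Separately, the field is declared as `path` while the comment and the generated Unmarshal error both call it PathPrefix.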
@@ -754,6 +767,10 @@ message PodSecurityPolicySpec {
// privilege escalation.
// +optional
optional bool allowPrivilegeEscalation = 16;
+
+ // AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
+ // +optional
+ repeated AllowedHostPath allowedHostPaths = 17;
}
// ReplicaSet represents the configuration of a ReplicaSet.
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.generated.go b/staging/src/k8s.io/api/extensions/v1beta1/types.generated.go
index 37120e62d1..25d3c99c79 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types.generated.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types.generated.go
@@ -14751,7 +14751,7 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
} else {
yysep2 := !z.EncBinary()
yy2arr2 := z.EncBasicHandle().StructToArray
- var yyq2 [16]bool
+ var yyq2 [17]bool
_, _, _ = yysep2, yyq2, yy2arr2
const yyr2 bool = false
yyq2[0] = x.Privileged != false
@@ -14766,9 +14766,10 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
yyq2[13] = x.ReadOnlyRootFilesystem != false
yyq2[14] = x.DefaultAllowPrivilegeEscalation != nil
yyq2[15] = x.AllowPrivilegeEscalation != false
+ yyq2[16] = len(x.AllowedHostPaths) != 0
var yynn2 int
if yyr2 || yy2arr2 {
- r.EncodeArrayStart(16)
+ r.EncodeArrayStart(17)
} else {
yynn2 = 4
for _, b := range yyq2 {
@@ -15173,6 +15174,39 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
}
}
}
+ if yyr2 || yy2arr2 {
+ z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+ if yyq2[16] {
+ if x.AllowedHostPaths == nil {
+ r.EncodeNil()
+ } else {
+ yym62 := z.EncBinary()
+ _ = yym62
+ if false {
+ } else {
+ h.encSliceAllowedHostPath(([]AllowedHostPath)(x.AllowedHostPaths), e)
+ }
+ }
+ } else {
+ r.EncodeNil()
+ }
+ } else {
+ if yyq2[16] {
+ z.EncSendContainerState(codecSelfer_containerMapKey1234)
+ r.EncodeString(codecSelferC_UTF81234, string("allowedHostPaths"))
+ z.EncSendContainerState(codecSelfer_containerMapValue1234)
+ if x.AllowedHostPaths == nil {
+ r.EncodeNil()
+ } else {
+ yym63 := z.EncBinary()
+ _ = yym63
+ if false {
+ } else {
+ h.encSliceAllowedHostPath(([]AllowedHostPath)(x.AllowedHostPaths), e)
+ }
+ }
+ }
+ }
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
} else {
@@ -15410,6 +15444,18 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromMap(l int, d *codec1978.Decod
*((*bool)(yyv30)) = r.DecodeBool()
}
}
+ case "allowedHostPaths":
+ if r.TryDecodeAsNil() {
+ x.AllowedHostPaths = nil
+ } else {
+ yyv32 := &x.AllowedHostPaths
+ yym33 := z.DecBinary()
+ _ = yym33
+ if false {
+ } else {
+ h.decSliceAllowedHostPath((*[]AllowedHostPath)(yyv32), d)
+ }
+ }
default:
z.DecStructFieldNotFound(-1, yys3)
} // end switch yys3
@@ -15421,16 +15467,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
- var yyj32 int
- var yyb32 bool
- var yyhl32 bool = l >= 0
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ var yyj34 int
+ var yyb34 bool
+ var yyhl34 bool = l >= 0
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15438,21 +15484,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.Privileged = false
} else {
- yyv33 := &x.Privileged
- yym34 := z.DecBinary()
- _ = yym34
+ yyv35 := &x.Privileged
+ yym36 := z.DecBinary()
+ _ = yym36
if false {
} else {
- *((*bool)(yyv33)) = r.DecodeBool()
+ *((*bool)(yyv35)) = r.DecodeBool()
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15460,29 +15506,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.DefaultAddCapabilities = nil
} else {
- yyv35 := &x.DefaultAddCapabilities
- yym36 := z.DecBinary()
- _ = yym36
- if false {
- } else {
- h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv35), d)
- }
- }
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
- } else {
- yyb32 = r.CheckBreak()
- }
- if yyb32 {
- z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
- return
- }
- z.DecSendContainerState(codecSelfer_containerArrayElem1234)
- if r.TryDecodeAsNil() {
- x.RequiredDropCapabilities = nil
- } else {
- yyv37 := &x.RequiredDropCapabilities
+ yyv37 := &x.DefaultAddCapabilities
yym38 := z.DecBinary()
_ = yym38
if false {
@@ -15490,21 +15514,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv37), d)
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
- x.AllowedCapabilities = nil
+ x.RequiredDropCapabilities = nil
} else {
- yyv39 := &x.AllowedCapabilities
+ yyv39 := &x.RequiredDropCapabilities
yym40 := z.DecBinary()
_ = yym40
if false {
@@ -15512,13 +15536,35 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv39), d)
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
+ z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+ return
+ }
+ z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+ if r.TryDecodeAsNil() {
+ x.AllowedCapabilities = nil
+ } else {
+ yyv41 := &x.AllowedCapabilities
+ yym42 := z.DecBinary()
+ _ = yym42
+ if false {
+ } else {
+ h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv41), d)
+ }
+ }
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
+ } else {
+ yyb34 = r.CheckBreak()
+ }
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15526,21 +15572,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.Volumes = nil
} else {
- yyv41 := &x.Volumes
- yym42 := z.DecBinary()
- _ = yym42
+ yyv43 := &x.Volumes
+ yym44 := z.DecBinary()
+ _ = yym44
if false {
} else {
- h.decSliceFSType((*[]FSType)(yyv41), d)
+ h.decSliceFSType((*[]FSType)(yyv43), d)
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15548,21 +15594,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.HostNetwork = false
} else {
- yyv43 := &x.HostNetwork
- yym44 := z.DecBinary()
- _ = yym44
+ yyv45 := &x.HostNetwork
+ yym46 := z.DecBinary()
+ _ = yym46
if false {
} else {
- *((*bool)(yyv43)) = r.DecodeBool()
+ *((*bool)(yyv45)) = r.DecodeBool()
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15570,21 +15616,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.HostPorts = nil
} else {
- yyv45 := &x.HostPorts
- yym46 := z.DecBinary()
- _ = yym46
+ yyv47 := &x.HostPorts
+ yym48 := z.DecBinary()
+ _ = yym48
if false {
} else {
- h.decSliceHostPortRange((*[]HostPortRange)(yyv45), d)
+ h.decSliceHostPortRange((*[]HostPortRange)(yyv47), d)
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15592,29 +15638,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.HostPID = false
} else {
- yyv47 := &x.HostPID
- yym48 := z.DecBinary()
- _ = yym48
- if false {
- } else {
- *((*bool)(yyv47)) = r.DecodeBool()
- }
- }
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
- } else {
- yyb32 = r.CheckBreak()
- }
- if yyb32 {
- z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
- return
- }
- z.DecSendContainerState(codecSelfer_containerArrayElem1234)
- if r.TryDecodeAsNil() {
- x.HostIPC = false
- } else {
- yyv49 := &x.HostIPC
+ yyv49 := &x.HostPID
yym50 := z.DecBinary()
_ = yym50
if false {
@@ -15622,13 +15646,35 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
*((*bool)(yyv49)) = r.DecodeBool()
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
+ z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+ return
+ }
+ z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+ if r.TryDecodeAsNil() {
+ x.HostIPC = false
+ } else {
+ yyv51 := &x.HostIPC
+ yym52 := z.DecBinary()
+ _ = yym52
+ if false {
+ } else {
+ *((*bool)(yyv51)) = r.DecodeBool()
+ }
+ }
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
+ } else {
+ yyb34 = r.CheckBreak()
+ }
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15636,16 +15682,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.SELinux = SELinuxStrategyOptions{}
} else {
- yyv51 := &x.SELinux
- yyv51.CodecDecodeSelf(d)
+ yyv53 := &x.SELinux
+ yyv53.CodecDecodeSelf(d)
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15653,16 +15699,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.RunAsUser = RunAsUserStrategyOptions{}
} else {
- yyv52 := &x.RunAsUser
- yyv52.CodecDecodeSelf(d)
+ yyv54 := &x.RunAsUser
+ yyv54.CodecDecodeSelf(d)
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15670,16 +15716,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.SupplementalGroups = SupplementalGroupsStrategyOptions{}
} else {
- yyv53 := &x.SupplementalGroups
- yyv53.CodecDecodeSelf(d)
+ yyv55 := &x.SupplementalGroups
+ yyv55.CodecDecodeSelf(d)
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15687,16 +15733,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.FSGroup = FSGroupStrategyOptions{}
} else {
- yyv54 := &x.FSGroup
- yyv54.CodecDecodeSelf(d)
+ yyv56 := &x.FSGroup
+ yyv56.CodecDecodeSelf(d)
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15704,21 +15750,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.ReadOnlyRootFilesystem = false
} else {
- yyv55 := &x.ReadOnlyRootFilesystem
- yym56 := z.DecBinary()
- _ = yym56
+ yyv57 := &x.ReadOnlyRootFilesystem
+ yym58 := z.DecBinary()
+ _ = yym58
if false {
} else {
- *((*bool)(yyv55)) = r.DecodeBool()
+ *((*bool)(yyv57)) = r.DecodeBool()
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15731,20 +15777,20 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if x.DefaultAllowPrivilegeEscalation == nil {
x.DefaultAllowPrivilegeEscalation = new(bool)
}
- yym58 := z.DecBinary()
- _ = yym58
+ yym60 := z.DecBinary()
+ _ = yym60
if false {
} else {
*((*bool)(x.DefaultAllowPrivilegeEscalation)) = r.DecodeBool()
}
}
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@@ -15752,26 +15798,229 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.AllowPrivilegeEscalation = false
} else {
- yyv59 := &x.AllowPrivilegeEscalation
- yym60 := z.DecBinary()
- _ = yym60
+ yyv61 := &x.AllowPrivilegeEscalation
+ yym62 := z.DecBinary()
+ _ = yym62
if false {
} else {
- *((*bool)(yyv59)) = r.DecodeBool()
+ *((*bool)(yyv61)) = r.DecodeBool()
+ }
+ }
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
+ } else {
+ yyb34 = r.CheckBreak()
+ }
+ if yyb34 {
+ z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+ return
+ }
+ z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+ if r.TryDecodeAsNil() {
+ x.AllowedHostPaths = nil
+ } else {
+ yyv63 := &x.AllowedHostPaths
+ yym64 := z.DecBinary()
+ _ = yym64
+ if false {
+ } else {
+ h.decSliceAllowedHostPath((*[]AllowedHostPath)(yyv63), d)
}
}
for {
- yyj32++
- if yyhl32 {
- yyb32 = yyj32 > l
+ yyj34++
+ if yyhl34 {
+ yyb34 = yyj34 > l
} else {
- yyb32 = r.CheckBreak()
+ yyb34 = r.CheckBreak()
}
- if yyb32 {
+ if yyb34 {
break
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
- z.DecStructFieldNotFound(yyj32-1, "")
+ z.DecStructFieldNotFound(yyj34-1, "")
+ }
+ z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+}
+
+func (x *AllowedHostPath) CodecEncodeSelf(e *codec1978.Encoder) {
+ var h codecSelfer1234
+ z, r := codec1978.GenHelperEncoder(e)
+ _, _, _ = h, z, r
+ if x == nil {
+ r.EncodeNil()
+ } else {
+ yym1 := z.EncBinary()
+ _ = yym1
+ if false {
+ } else if z.HasExtensions() && z.EncExt(x) {
+ } else {
+ yysep2 := !z.EncBinary()
+ yy2arr2 := z.EncBasicHandle().StructToArray
+ var yyq2 [1]bool
+ _, _, _ = yysep2, yyq2, yy2arr2
+ const yyr2 bool = false
+ yyq2[0] = x.PathPrefix != ""
+ var yynn2 int
+ if yyr2 || yy2arr2 {
+ r.EncodeArrayStart(1)
+ } else {
+ yynn2 = 0
+ for _, b := range yyq2 {
+ if b {
+ yynn2++
+ }
+ }
+ r.EncodeMapStart(yynn2)
+ yynn2 = 0
+ }
+ if yyr2 || yy2arr2 {
+ z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+ if yyq2[0] {
+ yym4 := z.EncBinary()
+ _ = yym4
+ if false {
+ } else {
+ r.EncodeString(codecSelferC_UTF81234, string(x.PathPrefix))
+ }
+ } else {
+ r.EncodeString(codecSelferC_UTF81234, "")
+ }
+ } else {
+ if yyq2[0] {
+ z.EncSendContainerState(codecSelfer_containerMapKey1234)
+ r.EncodeString(codecSelferC_UTF81234, string("path"))
+ z.EncSendContainerState(codecSelfer_containerMapValue1234)
+ yym5 := z.EncBinary()
+ _ = yym5
+ if false {
+ } else {
+ r.EncodeString(codecSelferC_UTF81234, string(x.PathPrefix))
+ }
+ }
+ }
+ if yyr2 || yy2arr2 {
+ z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
+ } else {
+ z.EncSendContainerState(codecSelfer_containerMapEnd1234)
+ }
+ }
+ }
+}
+
+func (x *AllowedHostPath) CodecDecodeSelf(d *codec1978.Decoder) {
+ var h codecSelfer1234
+ z, r := codec1978.GenHelperDecoder(d)
+ _, _, _ = h, z, r
+ yym1 := z.DecBinary()
+ _ = yym1
+ if false {
+ } else if z.HasExtensions() && z.DecExt(x) {
+ } else {
+ yyct2 := r.ContainerType()
+ if yyct2 == codecSelferValueTypeMap1234 {
+ yyl2 := r.ReadMapStart()
+ if yyl2 == 0 {
+ z.DecSendContainerState(codecSelfer_containerMapEnd1234)
+ } else {
+ x.codecDecodeSelfFromMap(yyl2, d)
+ }
+ } else if yyct2 == codecSelferValueTypeArray1234 {
+ yyl2 := r.ReadArrayStart()
+ if yyl2 == 0 {
+ z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+ } else {
+ x.codecDecodeSelfFromArray(yyl2, d)
+ }
+ } else {
+ panic(codecSelferOnlyMapOrArrayEncodeToStructErr1234)
+ }
+ }
+}
+
+func (x *AllowedHostPath) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
+ var h codecSelfer1234
+ z, r := codec1978.GenHelperDecoder(d)
+ _, _, _ = h, z, r
+ var yys3Slc = z.DecScratchBuffer() // default slice to decode into
+ _ = yys3Slc
+ var yyhl3 bool = l >= 0
+ for yyj3 := 0; ; yyj3++ {
+ if yyhl3 {
+ if yyj3 >= l {
+ break
+ }
+ } else {
+ if r.CheckBreak() {
+ break
+ }
+ }
+ z.DecSendContainerState(codecSelfer_containerMapKey1234)
+ yys3Slc = r.DecodeBytes(yys3Slc, true, true)
+ yys3 := string(yys3Slc)
+ z.DecSendContainerState(codecSelfer_containerMapValue1234)
+ switch yys3 {
+ case "path":
+ if r.TryDecodeAsNil() {
+ x.PathPrefix = ""
+ } else {
+ yyv4 := &x.PathPrefix
+ yym5 := z.DecBinary()
+ _ = yym5
+ if false {
+ } else {
+ *((*string)(yyv4)) = r.DecodeString()
+ }
+ }
+ default:
+ z.DecStructFieldNotFound(-1, yys3)
+ } // end switch yys3
+ } // end for yyj3
+ z.DecSendContainerState(codecSelfer_containerMapEnd1234)
+}
+
+func (x *AllowedHostPath) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
+ var h codecSelfer1234
+ z, r := codec1978.GenHelperDecoder(d)
+ _, _, _ = h, z, r
+ var yyj6 int
+ var yyb6 bool
+ var yyhl6 bool = l >= 0
+ yyj6++
+ if yyhl6 {
+ yyb6 = yyj6 > l
+ } else {
+ yyb6 = r.CheckBreak()
+ }
+ if yyb6 {
+ z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+ return
+ }
+ z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+ if r.TryDecodeAsNil() {
+ x.PathPrefix = ""
+ } else {
+ yyv7 := &x.PathPrefix
+ yym8 := z.DecBinary()
+ _ = yym8
+ if false {
+ } else {
+ *((*string)(yyv7)) = r.DecodeString()
+ }
+ }
+ for {
+ yyj6++
+ if yyhl6 {
+ yyb6 = yyj6 > l
+ } else {
+ yyb6 = r.CheckBreak()
+ }
+ if yyb6 {
+ break
+ }
+ z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+ z.DecStructFieldNotFound(yyj6-1, "")
}
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
}
@@ -21700,6 +21949,125 @@ func (x codecSelfer1234) decSliceHostPortRange(v *[]HostPortRange, d *codec1978.
}
}
+func (x codecSelfer1234) encSliceAllowedHostPath(v []AllowedHostPath, e *codec1978.Encoder) {
+ var h codecSelfer1234
+ z, r := codec1978.GenHelperEncoder(e)
+ _, _, _ = h, z, r
+ r.EncodeArrayStart(len(v))
+ for _, yyv1 := range v {
+ z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+ yy2 := &yyv1
+ yy2.CodecEncodeSelf(e)
+ }
+ z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
+}
+
+func (x codecSelfer1234) decSliceAllowedHostPath(v *[]AllowedHostPath, d *codec1978.Decoder) {
+ var h codecSelfer1234
+ z, r := codec1978.GenHelperDecoder(d)
+ _, _, _ = h, z, r
+
+ yyv1 := *v
+ yyh1, yyl1 := z.DecSliceHelperStart()
+ var yyc1 bool
+ _ = yyc1
+ if yyl1 == 0 {
+ if yyv1 == nil {
+ yyv1 = []AllowedHostPath{}
+ yyc1 = true
+ } else if len(yyv1) != 0 {
+ yyv1 = yyv1[:0]
+ yyc1 = true
+ }
+ } else if yyl1 > 0 {
+ var yyrr1, yyrl1 int
+ var yyrt1 bool
+ _, _ = yyrl1, yyrt1
+ yyrr1 = yyl1 // len(yyv1)
+ if yyl1 > cap(yyv1) {
+
+ yyrg1 := len(yyv1) > 0
+ yyv21 := yyv1
+ yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 16)
+ if yyrt1 {
+ if yyrl1 <= cap(yyv1) {
+ yyv1 = yyv1[:yyrl1]
+ } else {
+ yyv1 = make([]AllowedHostPath, yyrl1)
+ }
+ } else {
+ yyv1 = make([]AllowedHostPath, yyrl1)
+ }
+ yyc1 = true
+ yyrr1 = len(yyv1)
+ if yyrg1 {
+ copy(yyv1, yyv21)
+ }
+ } else if yyl1 != len(yyv1) {
+ yyv1 = yyv1[:yyl1]
+ yyc1 = true
+ }
+ yyj1 := 0
+ for ; yyj1 < yyrr1; yyj1++ {
+ yyh1.ElemContainerState(yyj1)
+ if r.TryDecodeAsNil() {
+ yyv1[yyj1] = AllowedHostPath{}
+ } else {
+ yyv2 := &yyv1[yyj1]
+ yyv2.CodecDecodeSelf(d)
+ }
+
+ }
+ if yyrt1 {
+ for ; yyj1 < yyl1; yyj1++ {
+ yyv1 = append(yyv1, AllowedHostPath{})
+ yyh1.ElemContainerState(yyj1)
+ if r.TryDecodeAsNil() {
+ yyv1[yyj1] = AllowedHostPath{}
+ } else {
+ yyv3 := &yyv1[yyj1]
+ yyv3.CodecDecodeSelf(d)
+ }
+
+ }
+ }
+
+ } else {
+ yyj1 := 0
+ for ; !r.CheckBreak(); yyj1++ {
+
+ if yyj1 >= len(yyv1) {
+ yyv1 = append(yyv1, AllowedHostPath{}) // var yyz1 AllowedHostPath
+ yyc1 = true
+ }
+ yyh1.ElemContainerState(yyj1)
+ if yyj1 < len(yyv1) {
+ if r.TryDecodeAsNil() {
+ yyv1[yyj1] = AllowedHostPath{}
+ } else {
+ yyv4 := &yyv1[yyj1]
+ yyv4.CodecDecodeSelf(d)
+ }
+
+ } else {
+ z.DecSwallow()
+ }
+
+ }
+ if yyj1 < len(yyv1) {
+ yyv1 = yyv1[:yyj1]
+ yyc1 = true
+ } else if yyj1 == 0 && yyv1 == nil {
+ yyv1 = []AllowedHostPath{}
+ yyc1 = true
+ }
+ }
+ yyh1.End()
+ if yyc1 {
+ *v = yyv1
+ }
+}
+
func (x codecSelfer1234) encSliceIDRange(v []IDRange, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
@@ -21858,7 +22226,7 @@ func (x codecSelfer1234) decSlicePodSecurityPolicy(v *[]PodSecurityPolicy, d *co
yyrg1 := len(yyv1) > 0
yyv21 := yyv1
- yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 576)
+ yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 600)
if yyrt1 {
if yyrl1 <= cap(yyv1) {
yyv1 = yyv1[:yyrl1]
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.go b/staging/src/k8s.io/api/extensions/v1beta1/types.go
index 2967f053b3..1565de0645 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types.go
@@ -965,6 +965,22 @@ type PodSecurityPolicySpec struct {
// privilege escalation.
// +optional
AllowPrivilegeEscalation bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
+ // is a white list of allowed host paths. Empty indicates that all host paths may be used.
+ // +optional
+ AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
+}
+
+// defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+type AllowedHostPath struct {
+ // is the path prefix that the host volume must match.
+ // It does not support `*`.
+ // Trailing slashes are trimmed when validating the path prefix with a host path.
+ //
+ // Examples:
+ // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+ // `/foo` would not allow `/food` or `/etc/foo`
+ PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"`
}
// FS Type gives strong typing to different file systems that are used by volumes.
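Review bot: The JSON tag on `PathPrefix` is `pathPrefix`, but the generated code elsewhere in this diff keys the same field as `"path"` (`case "path":` in `AllowedHostPath.codecDecodeSelfFromMap`, and `"path": "PathPrefix is …"` in `map_AllowedHostPath`), so the generated files appear stale relative to this type and should be regenerated and re-checked before merge. If a decoder really looks for `path`, a policy written with `pathPrefix` would presumably decode to an empty prefix, and what an empty prefix then permits depends on validation code that is not in this hunk. The field comment should also state how the host path is normalized before the prefix comparison, for example `// The host path is cleaned lexically ("." and ".." resolved) before matching; symlinks on the host are not followed.`, worded to match what the validator actually does. Separately, the tag marks a scalar string as repeated; `protobuf:"bytes,1,opt,name=pathPrefix"` would agree with the `opt` used on `allowPrivilegeEscalation` just above. `PodSecurityPolicySpec` begins above the hunk.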
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
index 2944ec44ab..eb2916d70c 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
@@ -36,6 +36,15 @@ func (APIVersion) SwaggerDoc() map[string]string {
return map_APIVersion
}
+var map_AllowedHostPath = map[string]string{
+ "": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
+ "path": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
+}
+
+func (AllowedHostPath) SwaggerDoc() map[string]string {
+ return map_AllowedHostPath
+}
+
var map_CustomMetricCurrentStatus = map[string]string{
"name": "Custom Metric name.",
"value": "Custom Metric value (average).",
@@ -438,6 +447,7 @@ var map_PodSecurityPolicySpec = map[string]string{
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
"allowPrivilegeEscalation": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
+ "allowedHostPaths": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.",
}
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go
index c0aa22dad1..c2b52beeb4 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go
@@ -43,6 +43,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
in.(*APIVersion).DeepCopyInto(out.(*APIVersion))
return nil
}, InType: reflect.TypeOf(&APIVersion{})},
+ conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+ in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath))
+ return nil
+ }, InType: reflect.TypeOf(&AllowedHostPath{})},
conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus))
return nil
@@ -294,6 +298,22 @@ func (in *APIVersion) DeepCopy() *APIVersion {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
+func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
+ if in == nil {
+ return nil
+ }
+ out := new(AllowedHostPath)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
*out = *in
@@ -1365,6 +1385,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
**out = **in
}
}
+ if in.AllowedHostPaths != nil {
+ in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
+ *out = make([]AllowedHostPath, len(*in))
+ copy(*out, *in)
+ }
return
}