From fab6044a31cbba4205d9f1cddf10da48b0112223 Mon Sep 17 00:00:00 2001 From: Josh Horwitz Date: Sun, 6 Aug 2017 15:40:18 -0400 Subject: [PATCH] Allow PSP's to specify a whitelist of allowed paths for host volume removed files not supposed to be there --- api/openapi-spec/swagger.json | 16 + api/swagger-spec/extensions_v1beta1.json | 17 + .../extensions/v1beta1/definitions.html | 43 ++ pkg/apis/extensions/types.go | 16 + .../v1beta1/zz_generated.conversion.go | 24 + pkg/apis/extensions/validation/validation.go | 26 + .../extensions/validation/validation_test.go | 24 + pkg/apis/extensions/zz_generated.deepcopy.go | 25 + pkg/security/podsecuritypolicy/provider.go | 14 +- .../podsecuritypolicy/provider_test.go | 54 ++ pkg/security/podsecuritypolicy/util/util.go | 51 ++ .../podsecuritypolicy/util/util_test.go | 92 +++ .../api/extensions/v1beta1/generated.pb.go | 447 ++++++++++- .../api/extensions/v1beta1/generated.proto | 17 + .../api/extensions/v1beta1/types.generated.go | 696 +++++++++++++----- .../k8s.io/api/extensions/v1beta1/types.go | 16 + .../v1beta1/types_swagger_doc_generated.go | 10 + .../v1beta1/zz_generated.deepcopy.go | 25 + 18 files changed, 1424 insertions(+), 189 deletions(-) diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index c1a6d551f5..5d41e9d97b 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json 
@@ -62402,6 +62402,15 @@ } } }, + "io.k8s.api.extensions.v1beta1.AllowedHostPath": { + "description": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.", + "properties": { + "path": { + "description": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`", + "type": "string" + } + } + }, "io.k8s.api.extensions.v1beta1.DaemonSet": { "description": "DaemonSet represents the configuration of a daemon set.", "properties": { @@ -63275,6 +63284,13 @@ "type": "string" } }, + "allowedHostPaths": { + "description": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath" + } + }, "defaultAddCapabilities": { "description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.", "type": "array", diff --git a/api/swagger-spec/extensions_v1beta1.json b/api/swagger-spec/extensions_v1beta1.json index 504c359cfd..52fb685423 100644 --- a/api/swagger-spec/extensions_v1beta1.json +++ b/api/swagger-spec/extensions_v1beta1.json @@ -9470,6 +9470,13 @@ "allowPrivilegeEscalation": { "type": "boolean", "description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation." + }, + "allowedHostPaths": { + "type": "array", + "items": { + "$ref": "v1beta1.AllowedHostPath" + }, + "description": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used." } } }, 
@@ -9588,6 +9595,16 @@ } } }, + "v1beta1.AllowedHostPath": { + "id": "v1beta1.AllowedHostPath", + "description": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.", + "properties": { + "path": { + "type": "string", + "description": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`" + } + } + }, "v1beta1.ReplicaSetList": { "id": "v1beta1.ReplicaSetList", "description": "ReplicaSetList is a collection of ReplicaSets.", diff --git a/docs/api-reference/extensions/v1beta1/definitions.html b/docs/api-reference/extensions/v1beta1/definitions.html index f6eb9aab99..61cfdfbc1e 100755 --- a/docs/api-reference/extensions/v1beta1/definitions.html +++ b/docs/api-reference/extensions/v1beta1/definitions.html @@ -419,6 +419,42 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

Definitions

+

v1beta1.AllowedHostPath

+
+

AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.

+
+ +++++++ + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

path

PathPrefix is the path prefix that the host volume must match. PathPrefix does not support *. Trailing slashes are trimmed when validating the path prefix with a host path.
+
+Examples: /foo would allow /foo, /foo/ and /foo/bar /foo would not allow /food or /etc/foo

false

string

+ +
+

v1beta1.DeploymentStatus

DeploymentStatus is the most recently observed status of the Deployment.

@@ -7691,6 +7727,13 @@ Both these may change in the future. Incoming requests are matched against the h

boolean

false

+ +

allowedHostPaths

+

AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.

+

false

+

v1beta1.AllowedHostPath array

+ + diff --git a/pkg/apis/extensions/types.go b/pkg/apis/extensions/types.go index 55511f96f1..7af14ac95d 100644 --- a/pkg/apis/extensions/types.go +++ b/pkg/apis/extensions/types.go @@ -933,6 +933,22 @@ type PodSecurityPolicySpec struct { // privilege escalation. // +optional AllowPrivilegeEscalation bool + // AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used. + // +optional + AllowedHostPaths []AllowedHostPath +} + +// AllowedHostPath defines the host volume conditions that will be enabled by a policy +// for pods to use. It requires the path prefix to be defined. +type AllowedHostPath struct { + // PathPrefix is the path prefix that the host volume must match. + // PathPrefix does not support `*`. + // Trailing slashes are trimmed when validating the path prefix with a host path. + // + // Examples: + // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` + // `/foo` would not allow `/food` or `/etc/foo` + PathPrefix string } // HostPortRange defines a range of host ports that will be enabled by a policy diff --git a/pkg/apis/extensions/v1beta1/zz_generated.conversion.go b/pkg/apis/extensions/v1beta1/zz_generated.conversion.go index aee174500a..e323a882c3 100644 --- a/pkg/apis/extensions/v1beta1/zz_generated.conversion.go +++ b/pkg/apis/extensions/v1beta1/zz_generated.conversion.go @@ -42,6 +42,8 @@ func RegisterConversions(scheme *runtime.Scheme) error { return scheme.AddGeneratedConversionFuncs( Convert_v1beta1_APIVersion_To_extensions_APIVersion, Convert_extensions_APIVersion_To_v1beta1_APIVersion, + Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath, + Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath, Convert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus, Convert_extensions_CustomMetricCurrentStatus_To_v1beta1_CustomMetricCurrentStatus, Convert_v1beta1_CustomMetricCurrentStatusList_To_extensions_CustomMetricCurrentStatusList, 
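Review bot: The new `AllowedHostPath` type names its only field `PathPrefix` and documents it under that name, yet the serialized property added in this patch's swagger hunks is `path` (with a description that still begins "PathPrefix is ..."); presumably the JSON tag on the v1beta1 type, which is outside this chunk, is the source of the mismatch. Because the spec comment says "Empty indicates that all host paths may be used", a policy author who follows the documentation and writes `pathPrefix` would, if unknown fields are tolerated on decode, end up with an empty list and a policy that allows every host path, so the names should agree before this ships; serializing it as `pathPrefix` matches the field and its description. The `PodSecurityPolicySpec` struct this hunk extends starts outside the hunk.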
@@ -165,6 +167,26 @@ func Convert_extensions_APIVersion_To_v1beta1_APIVersion(in *extensions.APIVersi return autoConvert_extensions_APIVersion_To_v1beta1_APIVersion(in, out, s) } +func autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error { + out.PathPrefix = in.PathPrefix + return nil +} + +// Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath is an autogenerated conversion function. +func Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error { + return autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in, out, s) +} + +func autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error { + out.PathPrefix = in.PathPrefix + return nil +} + +// Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function. +func Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error { + return autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s) +} + func autoConvert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus(in *v1beta1.CustomMetricCurrentStatus, out *extensions.CustomMetricCurrentStatus, s conversion.Scope) error { out.Name = in.Name out.CurrentValue = in.CurrentValue @@ -1070,6 +1092,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation)) out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation + out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths)) return nil } 
@@ -1113,6 +1136,7 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation)) out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation + out.AllowedHostPaths = *(*[]v1beta1.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths)) return nil } diff --git a/pkg/apis/extensions/validation/validation.go b/pkg/apis/extensions/validation/validation.go index 6696d0b195..7323b6c989 100644 --- a/pkg/apis/extensions/validation/validation.go +++ b/pkg/apis/extensions/validation/validation.go @@ -19,6 +19,8 @@ package validation import ( "fmt" "net" + + "path/filepath" "regexp" "strconv" "strings" @@ -661,6 +663,7 @@ func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPa allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...) allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...) allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...) + allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...) return allErrs } 
@@ -701,6 +704,29 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, return allErrs } +// validatePSPAllowedHostPaths makes sure all allowed host paths follow: +// 1. path prefix is required +// 2. path prefix does not have any element which is ".." +func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []extensions.AllowedHostPath) field.ErrorList { + allErrs := field.ErrorList{} + + for i, target := range allowedHostPaths { + if target.PathPrefix == "" { + allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required")) + break + } + parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/") + for _, item := range parts { + if item == ".." { + allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'")) + break // even for `../../..`, one error is sufficient to make the point + } + } + } + + return allErrs +} + // validatePSPSELinux validates the SELinux fields of PodSecurityPolicy. func validatePSPSELinux(fldPath *field.Path, seLinux *extensions.SELinuxStrategyOptions) field.ErrorList { allErrs := field.ErrorList{} diff --git a/pkg/apis/extensions/validation/validation_test.go b/pkg/apis/extensions/validation/validation_test.go index 0afd286dcc..2bd0d5a051 100644 --- a/pkg/apis/extensions/validation/validation_test.go +++ b/pkg/apis/extensions/validation/validation_test.go @@ -2418,6 +2418,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) { SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{ Rule: extensions.SupplementalGroupsStrategyRunAsAny, }, + AllowedHostPaths: []extensions.AllowedHostPath{ + {PathPrefix: "/foo/bar"}, + {PathPrefix: "/baz/"}, + }, }, } } 
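Review bot: In `validatePSPAllowedHostPaths` the `break` after reporting an empty `PathPrefix` leaves the outer `for i, target := range allowedHostPaths` loop, so every later entry is skipped and a `..` element in an entry that follows an empty one is not reported; `continue` is what is wanted there (the inner `break` after the `..` error is fine). A relative prefix such as `foo` passes this validation even though `hasPathPrefix` in util.go is a plain string-prefix check against absolute host paths, so such an entry can never match; rejecting prefixes that do not start with `/` here, e.g. `if !strings.HasPrefix(filepath.ToSlash(target.PathPrefix), "/") { allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must be an absolute path")) }`, would surface the mistake at policy creation instead of at pod admission. The doc comment could also state that trailing slashes and `.` elements are not normalized at this stage.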
@@ -2497,6 +2501,16 @@ func TestValidatePodSecurityPolicy(t *testing.T) { seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good", } + invalidAllowedHostPathMissingPath := validPSP() + invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []extensions.AllowedHostPath{ + {PathPrefix: ""}, + } + + invalidAllowedHostPathBacksteps := validPSP() + invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []extensions.AllowedHostPath{ + {PathPrefix: "/dont/allow/backsteps/.."}, + } + invalidDefaultAllowPrivilegeEscalation := validPSP() pe := true invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe @@ -2612,6 +2626,16 @@ func TestValidatePodSecurityPolicy(t *testing.T) { errorType: field.ErrorTypeInvalid, errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true", }, + "invalid allowed host path empty path": { + psp: invalidAllowedHostPathMissingPath, + errorType: field.ErrorTypeRequired, + errorDetail: "is required", + }, + "invalid allowed host path with backsteps": { + psp: invalidAllowedHostPathBacksteps, + errorType: field.ErrorTypeInvalid, + errorDetail: "must not contain '..'", + }, } for k, v := range errorCases { diff --git a/pkg/apis/extensions/zz_generated.deepcopy.go b/pkg/apis/extensions/zz_generated.deepcopy.go index 69414fa715..d41048a5a8 100644 --- a/pkg/apis/extensions/zz_generated.deepcopy.go +++ b/pkg/apis/extensions/zz_generated.deepcopy.go 
@@ -42,6 +42,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*APIVersion).DeepCopyInto(out.(*APIVersion)) return nil }, InType: reflect.TypeOf(&APIVersion{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath)) + return nil + }, InType: reflect.TypeOf(&AllowedHostPath{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus)) return nil @@ -269,6 +273,22 @@ func (in *APIVersion) DeepCopy() *APIVersion { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath. +func (in *AllowedHostPath) DeepCopy() *AllowedHostPath { + if in == nil { + return nil + } + out := new(AllowedHostPath) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) { *out = *in @@ -1117,6 +1137,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) { **out = **in } } + if in.AllowedHostPaths != nil { + in, out := &in.AllowedHostPaths, &out.AllowedHostPaths + *out = make([]AllowedHostPath, len(*in)) + copy(*out, *in) + } return } diff --git a/pkg/security/podsecuritypolicy/provider.go b/pkg/security/podsecuritypolicy/provider.go index 0f12241f62..0d171e1db1 100644 --- a/pkg/security/podsecuritypolicy/provider.go +++ b/pkg/security/podsecuritypolicy/provider.go 
@@ -239,7 +239,8 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field // TODO(tallclair): ValidatePodSecurityContext should be renamed to ValidatePod since its scope // is not limited to the PodSecurityContext. - if len(pod.Spec.Volumes) > 0 && !psputil.PSPAllowsAllVolumes(s.psp) { + if len(pod.Spec.Volumes) > 0 { + allowsAllVolumeTypes := psputil.PSPAllowsAllVolumes(s.psp) allowedVolumes := psputil.FSTypeToStringSet(s.psp.Spec.Volumes) for i, v := range pod.Spec.Volumes { fsType, err := psputil.GetVolumeFSType(v) @@ -248,10 +249,19 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field continue } - if !allowedVolumes.Has(string(fsType)) { + if !allowsAllVolumeTypes && !allowedVolumes.Has(string(fsType)) { allErrs = append(allErrs, field.Invalid( field.NewPath("spec", "volumes").Index(i), string(fsType), fmt.Sprintf("%s volumes are not allowed to be used", string(fsType)))) + continue + } + + if fsType == extensions.HostPath { + if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) { + allErrs = append(allErrs, field.Invalid( + field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path, + fmt.Sprintf("is not allowed to be used"))) + } } } } diff --git a/pkg/security/podsecuritypolicy/provider_test.go b/pkg/security/podsecuritypolicy/provider_test.go index b1f34b39d8..2dc6111c77 100644 --- a/pkg/security/podsecuritypolicy/provider_test.go +++ b/pkg/security/podsecuritypolicy/provider_test.go 
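Review bot: The field path in the new hostPath error names `pathPrefix`, which is the PSP's field, while the value being rejected is the pod's `spec.volumes[i].hostPath.path`; `field.NewPath("spec", "volumes").Index(i).Child("hostPath", "path")` matches the value passed as the second argument. `fmt.Sprintf("is not allowed to be used")` has no format arguments (go vet flags this); the literal alone is enough, and naming the policy in the detail helps operators, e.g. `"is not allowed to be used by the policy's allowedHostPaths"`. `v.HostPath.Path` is dereferenced without a nil check; this looks safe only if `GetVolumeFSType` returns `extensions.HostPath` solely when that source is set, which is outside the hunk. The enclosing `ValidatePodSecurityContext` starts and ends outside the hunk.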
@@ -248,6 +248,23 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { }, } + failHostPathDirPod := defaultPod() + failHostPathDirPod.Spec.Volumes = []api.Volume{ + { + Name: "bad volume", + VolumeSource: api.VolumeSource{ + HostPath: &api.HostPathVolumeSource{ + Path: "/fail", + }, + }, + }, + } + failHostPathDirPSP := defaultPSP() + failHostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath} + failHostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{ + {PathPrefix: "/foo/bar"}, + } + failOtherSysctlsAllowedPSP := defaultPSP() failOtherSysctlsAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc" @@ -318,6 +335,11 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { psp: defaultPSP(), expectedError: "hostPath volumes are not allowed to be used", }, + "failHostPathDirPSP": { + pod: failHostPathDirPod, + psp: failHostPathDirPSP, + expectedError: "is not allowed to be used", + }, "failSafeSysctlFooPod with failNoSysctlAllowedSCC": { pod: failSafeSysctlFooPod, psp: failNoSysctlAllowedPSP, @@ -556,6 +578,30 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { Level: "level", } + hostPathDirPod := defaultPod() + hostPathDirPod.Spec.Volumes = []api.Volume{ + { + Name: "good volume", + VolumeSource: api.VolumeSource{ + HostPath: &api.HostPathVolumeSource{ + Path: "/foo/bar/baz", + }, + }, + }, + } + + hostPathDirPSP := defaultPSP() + hostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath} + hostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{ + {PathPrefix: "/foo/bar"}, + } + + hostPathDirAsterisksPSP := defaultPSP() + hostPathDirAsterisksPSP.Spec.Volumes = []extensions.FSType{extensions.All} + hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{ + {PathPrefix: "/foo/bar"}, + } + sysctlAllowFooPSP := defaultPSP() sysctlAllowFooPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "foo" 
@@ -619,6 +665,14 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) { pod: unsafeSysctlFooPod, psp: defaultPSP(), }, + "pass hostDir allowed directory validating PSP": { + pod: hostPathDirPod, + psp: hostPathDirPSP, + }, + "pass hostDir all volumes allowed validating PSP": { + pod: hostPathDirPod, + psp: hostPathDirAsterisksPSP, + }, "pass seccomp validating PSP": { pod: seccompPod, psp: seccompPSP, diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go index 277623d5ce..3ff6d89bc7 100644 --- a/pkg/security/podsecuritypolicy/util/util.go +++ b/pkg/security/podsecuritypolicy/util/util.go @@ -18,6 +18,7 @@ package util import ( "fmt" + "strings" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/kubernetes/pkg/api" 
@@ -170,3 +171,53 @@ func UserFallsInRange(id int64, rng extensions.UserIDRange) bool {
 func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool {
 return id >= rng.Min && id <= rng.Max
 }
+
+// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
+// This only checks the path. You should still check to make sure the host volume fs type is allowed.
+func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool {
+ if psp == nil {
+ return false
+ }
+
+ // If no allowed paths are specified then allow any path
+ if len(psp.Spec.AllowedHostPaths) == 0 {
+ return true
+ }
+
+ for _, allowedPath := range psp.Spec.AllowedHostPaths {
+ if hasPathPrefix(hostPath, allowedPath.PathPrefix) {
+ return true
+ }
+ }
+
+ return false
+}
+
+// hasPathPrefix returns true if the string matches pathPrefix exactly, or if is prefixed with pathPrefix at a path segment boundary
+// the string and pathPrefix are both normalized to remove trailing slashes prior to checking.
+func hasPathPrefix(s, pathPrefix string) bool {
+
+ s = strings.TrimSuffix(s, "/")
+ pathPrefix = strings.TrimSuffix(pathPrefix, "/")
+
+ // Short circuit if s doesn't contain the prefix at all
+ if !strings.HasPrefix(s, pathPrefix) {
+ return false
+ }
+
+ pathPrefixLength := len(pathPrefix)
+
+ if len(s) == pathPrefixLength {
+ // Exact match
+ return true
+ }
+
+ if s[pathPrefixLength:pathPrefixLength+1] == "/" {
+ // The next character in s is a path segment boundary
+ // Check this instead of normalizing pathPrefix to avoid allocating on every call
+ // Example where this check applies: s=/foo/bar and pathPrefix=/foo
+ return true
+ }
+
+ return false
+}
diff --git a/pkg/security/podsecuritypolicy/util/util_test.go b/pkg/security/podsecuritypolicy/util/util_test.go
index 63a2dd3de0..048e793fa8 100644
--- a/pkg/security/podsecuritypolicy/util/util_test.go
+++ b/pkg/security/podsecuritypolicy/util/util_test.go
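Review bot: `AllowsHostVolumePath` compares `hostPath` as given, with no normalization beyond a single trailing-slash trim, so `hasPathPrefix` is a purely lexical test: unless the pod's hostPath is rejected elsewhere when it contains `..` elements, a path whose cleaned form lies outside every allowed prefix can still satisfy the prefix check; cleaning before the loop, `hostPath = filepath.Clean(hostPath)` (or `path.Clean`, these are slash paths), closes that gap, and the doc comment should state that symlinks beneath an allowed prefix are not resolved here. `strings.TrimSuffix` strips only one slash, so a prefix written as `/foo//` becomes `/foo/` and then fails to match `/foo/bar` at the segment-boundary test; `strings.TrimRight(pathPrefix, "/")` handles that. Note also that a prefix of `/` trims to the empty string and therefore matches every absolute path, which is presumably intended but worth a sentence in the comment. The one-byte substring `s[pathPrefixLength:pathPrefixLength+1] == "/"` reads more simply as `s[pathPrefixLength] == '/'`.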
@@ -103,3 +103,95 @@ func TestPSPAllowsFSType(t *testing.T) { } } } + +func TestAllowsHostVolumePath(t *testing.T) { + tests := map[string]struct { + psp *extensions.PodSecurityPolicy + path string + allows bool + }{ + "nil psp": { + psp: nil, + path: "/test", + allows: false, + }, + "empty allowed paths": { + psp: &extensions.PodSecurityPolicy{}, + path: "/test", + allows: true, + }, + "non-matching": { + psp: &extensions.PodSecurityPolicy{ + Spec: extensions.PodSecurityPolicySpec{ + AllowedHostPaths: []extensions.AllowedHostPath{ + {PathPrefix: "/foo"}, + }, + }, + }, + path: "/foobar", + allows: false, + }, + "match on direct match": { + psp: &extensions.PodSecurityPolicy{ + Spec: extensions.PodSecurityPolicySpec{ + AllowedHostPaths: []extensions.AllowedHostPath{ + {PathPrefix: "/foo"}, + }, + }, + }, + path: "/foo", + allows: true, + }, + "match with trailing slash on host path": { + psp: &extensions.PodSecurityPolicy{ + Spec: extensions.PodSecurityPolicySpec{ + AllowedHostPaths: []extensions.AllowedHostPath{ + {PathPrefix: "/foo"}, + }, + }, + }, + path: "/foo/", + allows: true, + }, + "match with trailing slash on allowed path": { + psp: &extensions.PodSecurityPolicy{ + Spec: extensions.PodSecurityPolicySpec{ + AllowedHostPaths: []extensions.AllowedHostPath{ + {PathPrefix: "/foo/"}, + }, + }, + }, + path: "/foo", + allows: true, + }, + "match child directory": { + psp: &extensions.PodSecurityPolicy{ + Spec: extensions.PodSecurityPolicySpec{ + AllowedHostPaths: []extensions.AllowedHostPath{ + {PathPrefix: "/foo/"}, + }, + }, + }, + path: "/foo/bar", + allows: true, + }, + "non-matching parent directory": { + psp: &extensions.PodSecurityPolicy{ + Spec: extensions.PodSecurityPolicySpec{ + AllowedHostPaths: []extensions.AllowedHostPath{ + {PathPrefix: "/foo/bar"}, + }, + }, + }, + path: "/foo", + allows: false, + }, + } + + for k, v := range tests { + allows := AllowsHostVolumePath(v.psp, v.path) + if v.allows != allows { + t.Errorf("%s expected %t but got %t", 
k, v.allows, allows) + } + } +} diff --git a/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go b/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go index f7eb3b4d65..c56777d009 100644 --- a/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go +++ b/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go @@ -26,6 +26,7 @@ limitations under the License. It has these top-level messages: APIVersion + AllowedHostPath CustomMetricCurrentStatus CustomMetricCurrentStatusList CustomMetricTarget 
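Review bot: `TestAllowsHostVolumePath` has no case for a host path containing `..` elements (for example `/foo/../etc` against prefix `/foo`) and none for a prefix of `/`, which after trailing-slash trimming becomes the empty string and matches every absolute path; these are the inputs where the intended semantics of `AllowsHostVolumePath` are least obvious and most worth pinning in a table entry each. A case with a double trailing slash in the prefix (`/foo//` against `/foo/bar`) would likewise document whether that is meant to match.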
@@ -119,93 +120,99 @@ func (m *APIVersion) Reset() { *m = APIVersion{} } func (*APIVersion) ProtoMessage() {} func (*APIVersion) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} } +func (m *AllowedHostPath) Reset() { *m = AllowedHostPath{} } +func (*AllowedHostPath) ProtoMessage() {} +func (*AllowedHostPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} } + func (m *CustomMetricCurrentStatus) Reset() { *m = CustomMetricCurrentStatus{} } func (*CustomMetricCurrentStatus) ProtoMessage() {} func (*CustomMetricCurrentStatus) Descriptor() ([]byte, []int) { - return fileDescriptorGenerated, []int{1} + return fileDescriptorGenerated, []int{2} } func (m *CustomMetricCurrentStatusList) Reset() { *m = CustomMetricCurrentStatusList{} } func (*CustomMetricCurrentStatusList) ProtoMessage() {} func (*CustomMetricCurrentStatusList) Descriptor() ([]byte, []int) { - return fileDescriptorGenerated, []int{2} + return fileDescriptorGenerated, []int{3} } func (m *CustomMetricTarget) Reset() { *m = CustomMetricTarget{} } func (*CustomMetricTarget) ProtoMessage() {} -func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} } +func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} } func (m *CustomMetricTargetList) Reset() { *m = CustomMetricTargetList{} } func (*CustomMetricTargetList) ProtoMessage() {} -func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} } +func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} } func (m *DaemonSet) Reset() { *m = DaemonSet{} } func (*DaemonSet) ProtoMessage() {} -func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} } +func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} } func (m *DaemonSetList) Reset() { *m = DaemonSetList{} } func (*DaemonSetList) 
ProtoMessage() {} -func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} } +func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} } func (m *DaemonSetSpec) Reset() { *m = DaemonSetSpec{} } func (*DaemonSetSpec) ProtoMessage() {} -func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} } +func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} } func (m *DaemonSetStatus) Reset() { *m = DaemonSetStatus{} } func (*DaemonSetStatus) ProtoMessage() {} -func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} } +func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} } -func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} } -func (*DaemonSetUpdateStrategy) ProtoMessage() {} -func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} } +func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} } +func (*DaemonSetUpdateStrategy) ProtoMessage() {} +func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) { + return fileDescriptorGenerated, []int{10} +} func (m *Deployment) Reset() { *m = Deployment{} } func (*Deployment) ProtoMessage() {} -func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} } +func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} } func (m *DeploymentCondition) Reset() { *m = DeploymentCondition{} } func (*DeploymentCondition) ProtoMessage() {} -func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} } +func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} } func (m *DeploymentList) Reset() { *m = DeploymentList{} } func (*DeploymentList) ProtoMessage() {} -func 
(*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} } +func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} } func (m *DeploymentRollback) Reset() { *m = DeploymentRollback{} } func (*DeploymentRollback) ProtoMessage() {} -func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} } +func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} } func (m *DeploymentSpec) Reset() { *m = DeploymentSpec{} } func (*DeploymentSpec) ProtoMessage() {} -func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} } +func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} } func (m *DeploymentStatus) Reset() { *m = DeploymentStatus{} } func (*DeploymentStatus) ProtoMessage() {} -func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} } +func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} } func (m *DeploymentStrategy) Reset() { *m = DeploymentStrategy{} } func (*DeploymentStrategy) ProtoMessage() {} -func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} } +func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} } func (m *FSGroupStrategyOptions) Reset() { *m = FSGroupStrategyOptions{} } func (*FSGroupStrategyOptions) ProtoMessage() {} -func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} } +func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} } func (m *HTTPIngressPath) Reset() { *m = HTTPIngressPath{} } func (*HTTPIngressPath) ProtoMessage() {} -func (*HTTPIngressPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} } +func (*HTTPIngressPath) 
Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} } func (m *HTTPIngressRuleValue) Reset() { *m = HTTPIngressRuleValue{} } func (*HTTPIngressRuleValue) ProtoMessage() {} -func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} } +func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} } func (m *HostPortRange) Reset() { *m = HostPortRange{} } func (*HostPortRange) ProtoMessage() {} -func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} } +func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} } func (m *IDRange) Reset() { *m = IDRange{} } func (*IDRange) ProtoMessage() {} -func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} } +func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{22} } func (m *IPBlock) Reset() { *m = IPBlock{} } func (*IPBlock) ProtoMessage() {} @@ -369,6 +376,7 @@ func (*ThirdPartyResourceList) Descriptor() ([]byte, []int) { return fileDescrip func init() { proto.RegisterType((*APIVersion)(nil), "k8s.io.api.extensions.v1beta1.APIVersion") + proto.RegisterType((*AllowedHostPath)(nil), "k8s.io.api.extensions.v1beta1.AllowedHostPath") proto.RegisterType((*CustomMetricCurrentStatus)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatus") proto.RegisterType((*CustomMetricCurrentStatusList)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatusList") proto.RegisterType((*CustomMetricTarget)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricTarget") 
@@ -450,6 +458,28 @@ func (m *APIVersion) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *AllowedHostPath) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *AllowedHostPath) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + dAtA[i] = 0xa + i++ + i = encodeVarintGenerated(dAtA, i, uint64(len(m.PathPrefix))) + i += copy(dAtA[i:], m.PathPrefix) + return i, nil +} + func (m *CustomMetricCurrentStatus) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -2078,6 +2108,20 @@ func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) { dAtA[i] = 0 } i++ + if len(m.AllowedHostPaths) > 0 { + for _, msg := range m.AllowedHostPaths { + dAtA[i] = 0x8a + i++ + dAtA[i] = 0x1 + i++ + i = encodeVarintGenerated(dAtA, i, uint64(msg.Size())) + n, err := msg.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n + } + } return i, nil } @@ -2792,6 +2836,14 @@ func (m *APIVersion) Size() (n int) { return n } +func (m *AllowedHostPath) Size() (n int) { + var l int + _ = l + l = len(m.PathPrefix) + n += 1 + l + sovGenerated(uint64(l)) + return n +} + func (m *CustomMetricCurrentStatus) Size() (n int) { var l int _ = l @@ -3362,6 +3414,12 @@ func (m *PodSecurityPolicySpec) Size() (n int) { n += 2 } n += 3 + if len(m.AllowedHostPaths) > 0 { + for _, e := range m.AllowedHostPaths { + l = e.Size() + n += 2 + l + sovGenerated(uint64(l)) + } + } return n } @@ -3632,6 +3690,16 @@ func (this *APIVersion) String() string { }, "") return s } +func (this *AllowedHostPath) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&AllowedHostPath{`, + `PathPrefix:` + fmt.Sprintf("%v", this.PathPrefix) + `,`, + `}`, + }, "") + return s +} func (this *CustomMetricCurrentStatus) String() string { if this == nil { return "nil" 
@@ -4110,6 +4178,7 @@ func (this *PodSecurityPolicySpec) String() string { `ReadOnlyRootFilesystem:` + fmt.Sprintf("%v", this.ReadOnlyRootFilesystem) + `,`, `DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`, `AllowPrivilegeEscalation:` + fmt.Sprintf("%v", this.AllowPrivilegeEscalation) + `,`, + `AllowedHostPaths:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedHostPaths), "AllowedHostPath", "AllowedHostPath", 1), `&`, ``, 1) + `,`, `}`, }, "") return s 
@@ -4428,6 +4497,85 @@ func (m *APIVersion) Unmarshal(dAtA []byte) error { } return nil } +func (m *AllowedHostPath) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: AllowedHostPath: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: AllowedHostPath: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field PathPrefix", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.PathPrefix = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *CustomMetricCurrentStatus) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -9731,6 +9879,37 @@ func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error { } } m.AllowPrivilegeEscalation = bool(v != 0) + case 17: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowedHostPaths", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AllowedHostPaths = append(m.AllowedHostPaths, AllowedHostPath{}) + if err := m.AllowedHostPaths[len(m.AllowedHostPaths)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) @@ -12183,6 +12362,7 @@ func init() { } var fileDescriptorGenerated = []byte{ +<<<<<<< a235ba4e49451c779b8328378addf0d7bd7b84fd // 3495 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0xcd, 0x6f, 0x1b, 0xd7, 0xb5, 0xf7, 0x90, 0xa2, 0x48, 0x1d, 0x5a, 0x92, 0x75, 0xe5, 0xc8, 0x8c, 0x1c, 0x8b, 0xce, 0x04, 
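Review bot: The `fileDescriptorGenerated` hunk commits an unresolved merge-conflict marker as code: `+<<<<<<< a235ba4e49451c779b8328378addf0d7bd7b84fd` is added inside the `[]byte{` literal, and the following hunk (`@@ -12403,4 +12583,225 @@`) adds the matching `+=======` and `+>>>>>>> Allow PSP's to specify a whitelist of allowed paths for host volume` lines, so generated.pb.go cannot compile as committed. Both the old blob (`// 3495 bytes of a gzipped FileDescriptorProto`) and the new one (`// 3487 bytes of a gzipped FileDescriptorProto`) are now kept in the literal; since the new descriptor is smaller even though it should contain the added `AllowedHostPath` message, the two sides were presumably produced from different bases, so the fix is to drop the markers and re-run the protobuf generator on the rebased tree rather than hand-pick one side. The `var fileDescriptorGenerated` declaration starts in the first hunk and its closing `}` is in the second.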
@@ -12403,4 +12583,225 @@ var fileDescriptorGenerated = []byte{ 0x78, 0x74, 0x30, 0x27, 0x7c, 0x7e, 0x30, 0x27, 0x7c, 0x71, 0x30, 0x27, 0xfc, 0xed, 0x60, 0x4e, 0xf8, 0xf1, 0x57, 0x73, 0x27, 0xee, 0xe7, 0x39, 0xee, 0xbf, 0x02, 0x00, 0x00, 0xff, 0xff, 0x6f, 0x30, 0xd5, 0x91, 0x29, 0x3b, 0x00, 0x00, +======= + // 3487 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0x4d, 0x6c, 0x1c, 0xc7, + 0x95, 0x56, 0xcf, 0x0f, 0x39, 0x7c, 0x14, 0xff, 0x8a, 0x32, 0x35, 0xa6, 0x2c, 0x0e, 0xdd, 0x06, + 0xb4, 0x92, 0x57, 0x9a, 0xb1, 0x64, 0xcb, 0x96, 0x2d, 0xac, 0x77, 0x39, 0xa4, 0x7e, 0xe8, 0x25, + 0x29, 0xaa, 0x66, 0x48, 0xef, 0x0a, 0xd6, 0xae, 0x9b, 0x33, 0xc5, 0x61, 0x8b, 0x3d, 0xdd, 0xe3, + 0xee, 0x6a, 0x9a, 0x73, 0x59, 0xec, 0xc9, 0xc0, 0x02, 0xbb, 0xd8, 0xdd, 0x83, 0x03, 0x07, 0xc8, + 0x21, 0xbe, 0xe4, 0x94, 0x20, 0xbe, 0x25, 0x07, 0x23, 0x40, 0x80, 0x04, 0x10, 0x02, 0x27, 0xf0, + 0x29, 0xf1, 0x89, 0x88, 0xe9, 0x63, 0xce, 0x01, 0x02, 0x1d, 0x82, 0xa0, 0xaa, 0xab, 0xff, 0xbb, + 0x39, 0x33, 0xb4, 0x44, 0x04, 0xb9, 0x71, 0xea, 0xbd, 0xf7, 0xbd, 0x9f, 0xaa, 0x7a, 0xf5, 0xaa, + 0x5e, 0x13, 0x6e, 0xef, 0xde, 0xb0, 0xca, 0xaa, 0x51, 0xd9, 0xb5, 0xb7, 0x88, 0xa9, 0x13, 0x4a, + 0xac, 0xca, 0x1e, 0xd1, 0x9b, 0x86, 0x59, 0x11, 0x04, 0xa5, 0xa3, 0x56, 0xc8, 0x3e, 0x25, 0xba, + 0xa5, 0x1a, 0xba, 0x55, 0xd9, 0xbb, 0xba, 0x45, 0xa8, 0x72, 0xb5, 0xd2, 0x22, 0x3a, 0x31, 0x15, + 0x4a, 0x9a, 0xe5, 0x8e, 0x69, 0x50, 0x03, 0x9d, 0x77, 0xd8, 0xcb, 0x4a, 0x47, 0x2d, 0xfb, 0xec, + 0x65, 0xc1, 0x3e, 0x7b, 0xa5, 0xa5, 0xd2, 0x1d, 0x7b, 0xab, 0xdc, 0x30, 0xda, 0x95, 0x96, 0xd1, + 0x32, 0x2a, 0x5c, 0x6a, 0xcb, 0xde, 0xe6, 0xbf, 0xf8, 0x0f, 0xfe, 0x97, 0x83, 0x36, 0x2b, 0x07, + 0x94, 0x37, 0x0c, 0x93, 0x54, 0xf6, 0x62, 0x1a, 0x67, 0x2f, 0x05, 0x78, 0x3a, 0x86, 0xa6, 0x36, + 0xba, 0x69, 0xc6, 0xcd, 0xbe, 0xe6, 0xb3, 0xb6, 0x95, 0xc6, 0x8e, 0xaa, 0x13, 0xb3, 0x5b, 0xe9, + 0xec, 0xb6, 0xb8, 0xac, 0x49, 0x2c, 0xc3, 0x36, 0x1b, 0x64, 0x20, 0x29, 
0xab, 0xd2, 0x26, 0x54, + 0x49, 0x32, 0xab, 0x92, 0x26, 0x65, 0xda, 0x3a, 0x55, 0xdb, 0x71, 0x35, 0xaf, 0xf7, 0x12, 0xb0, + 0x1a, 0x3b, 0xa4, 0xad, 0xc4, 0xe4, 0x5e, 0x4d, 0x93, 0xb3, 0xa9, 0xaa, 0x55, 0x54, 0x9d, 0x5a, + 0xd4, 0x8c, 0x0a, 0xc9, 0x65, 0x80, 0x85, 0xf5, 0xe5, 0x4d, 0x62, 0xb2, 0xe9, 0x41, 0xf3, 0x90, + 0xd3, 0x95, 0x36, 0x29, 0x4a, 0xf3, 0xd2, 0xc5, 0x91, 0xea, 0xe9, 0xc7, 0x07, 0xa5, 0x53, 0x87, + 0x07, 0xa5, 0xdc, 0x9a, 0xd2, 0x26, 0x98, 0x53, 0xe4, 0x37, 0x61, 0x62, 0x41, 0xd3, 0x8c, 0x0f, + 0x49, 0xf3, 0xae, 0x61, 0xd1, 0x75, 0x85, 0xee, 0xa0, 0x0b, 0x90, 0xeb, 0x28, 0x74, 0x47, 0x08, + 0x21, 0x21, 0x04, 0x8c, 0xb6, 0x6e, 0x92, 0x6d, 0x75, 0x1f, 0x73, 0xba, 0xfc, 0x5d, 0x09, 0x9e, + 0x5f, 0xb4, 0x2d, 0x6a, 0xb4, 0x57, 0x09, 0x35, 0xd5, 0xc6, 0xa2, 0x6d, 0x9a, 0x44, 0xa7, 0x35, + 0xaa, 0x50, 0xdb, 0xea, 0xad, 0x1a, 0x3d, 0x80, 0xfc, 0x9e, 0xa2, 0xd9, 0xa4, 0x98, 0x99, 0x97, + 0x2e, 0x8e, 0x5e, 0x2b, 0x97, 0xfd, 0x15, 0xe6, 0xf9, 0x5b, 0xee, 0xec, 0xb6, 0xf8, 0x92, 0x73, + 0x27, 0xb1, 0x7c, 0xdf, 0x56, 0x74, 0xaa, 0xd2, 0x6e, 0xf5, 0x8c, 0x80, 0x3c, 0x2d, 0xf4, 0x6e, + 0x32, 0x2c, 0xec, 0x40, 0xca, 0xff, 0x01, 0xe7, 0x53, 0x4d, 0x5b, 0x51, 0x2d, 0x8a, 0x1e, 0x42, + 0x5e, 0xa5, 0xa4, 0x6d, 0x15, 0xa5, 0xf9, 0xec, 0xc5, 0xd1, 0x6b, 0x37, 0xca, 0x47, 0x2e, 0xef, + 0x72, 0x2a, 0x58, 0x75, 0x4c, 0x98, 0x91, 0x5f, 0x66, 0x70, 0xd8, 0x41, 0x95, 0xff, 0x5f, 0x02, + 0x14, 0x94, 0xa9, 0x2b, 0x66, 0x8b, 0xd0, 0x3e, 0x82, 0xf2, 0xaf, 0xdf, 0x2e, 0x28, 0xd3, 0x02, + 0x72, 0xd4, 0x51, 0x18, 0x8a, 0x49, 0x07, 0x66, 0xe2, 0x26, 0xf1, 0x60, 0x6c, 0x86, 0x83, 0x71, + 0x75, 0x80, 0x60, 0x38, 0x28, 0x29, 0x51, 0xf8, 0x38, 0x03, 0x23, 0x4b, 0x0a, 0x69, 0x1b, 0x7a, + 0x8d, 0x50, 0xf4, 0x3e, 0x14, 0xd8, 0x9e, 0x6a, 0x2a, 0x54, 0xe1, 0x01, 0x18, 0xbd, 0xf6, 0xca, + 0x51, 0xde, 0x59, 0x65, 0xc6, 0x5d, 0xde, 0xbb, 0x5a, 0xbe, 0xb7, 0xf5, 0x88, 0x34, 0xe8, 0x2a, + 0xa1, 0x8a, 0xbf, 0x1a, 0xfd, 0x31, 0xec, 0xa1, 0xa2, 0x35, 0xc8, 0x59, 0x1d, 0xd2, 0x10, 0xb1, + 0xbb, 0xdc, 
0xc3, 0x0d, 0xcf, 0xb2, 0x5a, 0x87, 0x34, 0xfc, 0xc9, 0x60, 0xbf, 0x30, 0xc7, 0x41, + 0x9b, 0x30, 0x64, 0xf1, 0x59, 0x2e, 0x66, 0x63, 0xb3, 0x71, 0x34, 0xa2, 0xb3, 0x36, 0xc6, 0x05, + 0xe6, 0x90, 0xf3, 0x1b, 0x0b, 0x34, 0xf9, 0x73, 0x09, 0xc6, 0x3c, 0x5e, 0x3e, 0x03, 0xef, 0xc5, + 0x62, 0x53, 0xee, 0x2f, 0x36, 0x4c, 0x9a, 0x47, 0x66, 0x52, 0xe8, 0x2a, 0xb8, 0x23, 0x81, 0xb8, + 0xac, 0xba, 0xf3, 0x9b, 0xe1, 0xf3, 0x7b, 0xb1, 0x5f, 0x37, 0x52, 0xa6, 0xf5, 0x3b, 0xb9, 0x80, + 0xf9, 0x2c, 0x5c, 0xe8, 0x21, 0x14, 0x2c, 0xa2, 0x91, 0x06, 0x35, 0x4c, 0x61, 0xfe, 0xab, 0x7d, + 0x9a, 0xaf, 0x6c, 0x11, 0xad, 0x26, 0x44, 0xab, 0xa7, 0x99, 0xfd, 0xee, 0x2f, 0xec, 0x41, 0xa2, + 0xfb, 0x50, 0xa0, 0xa4, 0xdd, 0xd1, 0x14, 0xea, 0xee, 0x8b, 0x97, 0x82, 0x2e, 0xb0, 0x03, 0x84, + 0x81, 0xad, 0x1b, 0xcd, 0xba, 0x60, 0xe3, 0x53, 0xea, 0x85, 0xc4, 0x1d, 0xc5, 0x1e, 0x0c, 0xda, + 0x83, 0x71, 0xbb, 0xd3, 0x64, 0x9c, 0x94, 0xa5, 0xcf, 0x56, 0x57, 0x4c, 0xf1, 0xeb, 0xfd, 0xc6, + 0x66, 0x23, 0x24, 0x5d, 0x9d, 0x11, 0xba, 0xc6, 0xc3, 0xe3, 0x38, 0xa2, 0x05, 0x2d, 0xc0, 0x44, + 0x5b, 0xd5, 0x31, 0x51, 0x9a, 0xdd, 0x1a, 0x69, 0x18, 0x7a, 0xd3, 0x2a, 0xe6, 0xe6, 0xa5, 0x8b, + 0xf9, 0xea, 0x59, 0x01, 0x30, 0xb1, 0x1a, 0x26, 0xe3, 0x28, 0x3f, 0x7a, 0x07, 0x90, 0xeb, 0xc6, + 0x1d, 0x27, 0xfb, 0xab, 0x86, 0x5e, 0xcc, 0xcf, 0x4b, 0x17, 0xb3, 0xd5, 0x59, 0x81, 0x82, 0xea, + 0x31, 0x0e, 0x9c, 0x20, 0x85, 0x56, 0xe0, 0x8c, 0x49, 0xf6, 0x54, 0xe6, 0xe3, 0x5d, 0xd5, 0xa2, + 0x86, 0xd9, 0x5d, 0x51, 0xdb, 0x2a, 0x2d, 0x0e, 0x71, 0x9b, 0x8a, 0x87, 0x07, 0xa5, 0x33, 0x38, + 0x81, 0x8e, 0x13, 0xa5, 0xe4, 0xcf, 0xf2, 0x30, 0x11, 0xd9, 0x03, 0x68, 0x13, 0x66, 0x1a, 0x4e, + 0xc2, 0x5c, 0xb3, 0xdb, 0x5b, 0xc4, 0xac, 0x35, 0x76, 0x48, 0xd3, 0xd6, 0x48, 0x93, 0x2f, 0x94, + 0x7c, 0x75, 0x4e, 0x58, 0x3c, 0xb3, 0x98, 0xc8, 0x85, 0x53, 0xa4, 0x59, 0x14, 0x74, 0x3e, 0xb4, + 0xaa, 0x5a, 0x96, 0x87, 0x99, 0xe1, 0x98, 0x5e, 0x14, 0xd6, 0x62, 0x1c, 0x38, 0x41, 0x8a, 0xd9, + 0xd8, 0x24, 0x96, 0x6a, 0x92, 0x66, 0xd4, 0xc6, 
0x6c, 0xd8, 0xc6, 0xa5, 0x44, 0x2e, 0x9c, 0x22, + 0x8d, 0xae, 0xc3, 0xa8, 0xa3, 0x8d, 0xcf, 0x9f, 0x98, 0x68, 0x2f, 0x45, 0xaf, 0xf9, 0x24, 0x1c, + 0xe4, 0x63, 0xae, 0x19, 0x5b, 0x16, 0x31, 0xf7, 0x48, 0x33, 0x7d, 0x82, 0xef, 0xc5, 0x38, 0x70, + 0x82, 0x14, 0x73, 0xcd, 0x59, 0x81, 0x31, 0xd7, 0x86, 0xc2, 0xae, 0x6d, 0x24, 0x72, 0xe1, 0x14, + 0x69, 0xb6, 0x8e, 0x1d, 0x93, 0x17, 0xf6, 0x14, 0x55, 0x53, 0xb6, 0x34, 0x52, 0x1c, 0x0e, 0xaf, + 0xe3, 0xb5, 0x30, 0x19, 0x47, 0xf9, 0xd1, 0x1d, 0x98, 0x72, 0x86, 0x36, 0x74, 0xc5, 0x03, 0x29, + 0x70, 0x90, 0xe7, 0x05, 0xc8, 0xd4, 0x5a, 0x94, 0x01, 0xc7, 0x65, 0xd0, 0x5b, 0x30, 0xde, 0x30, + 0x34, 0x8d, 0xaf, 0xc7, 0x45, 0xc3, 0xd6, 0x69, 0x71, 0x84, 0xa3, 0x20, 0xb6, 0x1f, 0x17, 0x43, + 0x14, 0x1c, 0xe1, 0x94, 0x7f, 0x25, 0xc1, 0xd9, 0x94, 0x3d, 0x8d, 0xfe, 0x11, 0x72, 0xb4, 0xdb, + 0x71, 0x4f, 0xeb, 0xbf, 0x77, 0x0f, 0x88, 0x7a, 0xb7, 0x43, 0x9e, 0x1c, 0x94, 0xce, 0xa5, 0x88, + 0x31, 0x32, 0xe6, 0x82, 0x48, 0x87, 0x31, 0x93, 0xa9, 0xd3, 0x5b, 0x0e, 0x8b, 0x48, 0x5e, 0xd7, + 0x7b, 0xe4, 0x18, 0x1c, 0x94, 0xf1, 0x93, 0xf1, 0xd4, 0xe1, 0x41, 0x69, 0x2c, 0x44, 0xc3, 0x61, + 0x78, 0xf9, 0x93, 0x0c, 0xc0, 0x12, 0xe9, 0x68, 0x46, 0xb7, 0x4d, 0xf4, 0x93, 0x38, 0x70, 0xef, + 0x85, 0x0e, 0xdc, 0x2b, 0xbd, 0x72, 0xa7, 0x67, 0x5a, 0xea, 0x89, 0xfb, 0x6e, 0xe4, 0xc4, 0xad, + 0xf4, 0x0f, 0x79, 0xf4, 0x91, 0xfb, 0xbb, 0x2c, 0x4c, 0xfb, 0xcc, 0x8b, 0x86, 0xde, 0x54, 0xf9, + 0xfe, 0xb8, 0x19, 0x9a, 0xe3, 0xbf, 0x8b, 0xcc, 0xf1, 0xd9, 0x04, 0x91, 0xc0, 0xfc, 0xae, 0x78, + 0xd6, 0x66, 0xb8, 0xf8, 0x6b, 0x61, 0xe5, 0x4f, 0x0e, 0x4a, 0x09, 0xf7, 0x9c, 0xb2, 0x87, 0x14, + 0x36, 0x11, 0x5d, 0x80, 0x21, 0x93, 0x28, 0x96, 0xa1, 0xf3, 0x44, 0x31, 0xe2, 0xbb, 0x82, 0xf9, + 0x28, 0x16, 0x54, 0x74, 0x09, 0x86, 0xdb, 0xc4, 0xb2, 0x94, 0x16, 0xe1, 0x39, 0x61, 0xa4, 0x3a, + 0x21, 0x18, 0x87, 0x57, 0x9d, 0x61, 0xec, 0xd2, 0xd1, 0x23, 0x18, 0xd7, 0x14, 0x4b, 0x2c, 0xd0, + 0xba, 0xda, 0x26, 0x7c, 0xd7, 0x8f, 0x5e, 0x7b, 0xb9, 0xbf, 0x75, 0xc0, 0x24, 0xfc, 
0x93, 0x6d, + 0x25, 0x84, 0x84, 0x23, 0xc8, 0x68, 0x0f, 0x10, 0x1b, 0xa9, 0x9b, 0x8a, 0x6e, 0x39, 0x81, 0x62, + 0xfa, 0x86, 0x07, 0xd6, 0xe7, 0x65, 0xb8, 0x95, 0x18, 0x1a, 0x4e, 0xd0, 0x20, 0xff, 0x4c, 0x82, + 0x71, 0x7f, 0x9a, 0x4e, 0xa0, 0x9a, 0x5a, 0x0b, 0x57, 0x53, 0x97, 0xfa, 0x5e, 0xa2, 0x29, 0xe5, + 0xd4, 0x9f, 0x32, 0x80, 0x7c, 0x26, 0xb6, 0xc1, 0xb7, 0x94, 0xc6, 0x6e, 0x1f, 0x77, 0x85, 0x8f, + 0x25, 0x40, 0x22, 0x3d, 0x2f, 0xe8, 0xba, 0x41, 0x79, 0xc6, 0x77, 0xcd, 0x5a, 0xee, 0xdb, 0x2c, + 0x57, 0x63, 0x79, 0x23, 0x86, 0x75, 0x4b, 0xa7, 0x66, 0xd7, 0x9f, 0x91, 0x38, 0x03, 0x4e, 0x30, + 0x00, 0x29, 0x00, 0xa6, 0xc0, 0xac, 0x1b, 0x62, 0x23, 0x5f, 0xe9, 0x23, 0xe7, 0x31, 0x81, 0x45, + 0x43, 0xdf, 0x56, 0x5b, 0x7e, 0xda, 0xc1, 0x1e, 0x10, 0x0e, 0x80, 0xce, 0xde, 0x82, 0xb3, 0x29, + 0xd6, 0xa2, 0x49, 0xc8, 0xee, 0x92, 0xae, 0x13, 0x36, 0xcc, 0xfe, 0x44, 0x67, 0x82, 0x77, 0xaa, + 0x11, 0x71, 0x1d, 0x7a, 0x2b, 0x73, 0x43, 0x92, 0x3f, 0xcf, 0x07, 0xd7, 0x0e, 0x2f, 0x65, 0x2f, + 0x42, 0xc1, 0x24, 0x1d, 0x4d, 0x6d, 0x28, 0x96, 0xa8, 0x50, 0x78, 0x55, 0x8a, 0xc5, 0x18, 0xf6, + 0xa8, 0xa1, 0xa2, 0x37, 0xf3, 0x6c, 0x8b, 0xde, 0xec, 0xd3, 0x29, 0x7a, 0xff, 0x1d, 0x0a, 0x96, + 0x5b, 0xee, 0xe6, 0x38, 0xe4, 0xd5, 0x01, 0xf2, 0xab, 0xa8, 0x74, 0x3d, 0x05, 0x5e, 0x8d, 0xeb, + 0x81, 0x26, 0x55, 0xb7, 0xf9, 0x01, 0xab, 0xdb, 0xa7, 0x5a, 0x91, 0xb2, 0x9c, 0xda, 0x51, 0x6c, + 0x8b, 0x34, 0x79, 0x22, 0x2a, 0xf8, 0x39, 0x75, 0x9d, 0x8f, 0x62, 0x41, 0x45, 0x0f, 0x43, 0x4b, + 0xb6, 0x70, 0x9c, 0x25, 0x3b, 0x9e, 0xbe, 0x5c, 0xd1, 0x06, 0x9c, 0xed, 0x98, 0x46, 0xcb, 0x24, + 0x96, 0xb5, 0x44, 0x94, 0xa6, 0xa6, 0xea, 0xc4, 0x8d, 0x8f, 0x53, 0xaa, 0x9c, 0x3b, 0x3c, 0x28, + 0x9d, 0x5d, 0x4f, 0x66, 0xc1, 0x69, 0xb2, 0xf2, 0xe3, 0x1c, 0x4c, 0x46, 0x4f, 0xc0, 0x94, 0xea, + 0x51, 0x3a, 0x56, 0xf5, 0x78, 0x39, 0xb0, 0x19, 0x9c, 0xd2, 0xda, 0x9b, 0xfd, 0x84, 0x0d, 0xb1, + 0x00, 0x13, 0x22, 0x1b, 0xb8, 0x44, 0x51, 0x3f, 0x7b, 0xb3, 0xbf, 0x11, 0x26, 0xe3, 0x28, 0x3f, + 0xab, 0x09, 0xfd, 0x52, 
0xcf, 0x05, 0xc9, 0x85, 0x6b, 0xc2, 0x85, 0x28, 0x03, 0x8e, 0xcb, 0xa0, + 0x55, 0x98, 0xb6, 0xf5, 0x38, 0x94, 0xb3, 0x1a, 0xcf, 0x09, 0xa8, 0xe9, 0x8d, 0x38, 0x0b, 0x4e, + 0x92, 0x43, 0xdb, 0x00, 0x0d, 0xf7, 0xd8, 0xb6, 0x8a, 0x43, 0x3c, 0xc3, 0x5e, 0xeb, 0x7b, 0xef, + 0x78, 0x27, 0xbe, 0x9f, 0xd7, 0xbc, 0x21, 0x0b, 0x07, 0x90, 0xd1, 0x4d, 0x18, 0x33, 0xf9, 0x85, + 0xc0, 0x35, 0xd8, 0x29, 0xaa, 0x9f, 0x13, 0x62, 0x63, 0x38, 0x48, 0xc4, 0x61, 0xde, 0x84, 0x3a, + 0xb8, 0xd0, 0x77, 0x1d, 0xfc, 0x73, 0x29, 0x78, 0x08, 0x79, 0x25, 0xf0, 0x5b, 0xa1, 0xf2, 0xe8, + 0x42, 0xa4, 0x3c, 0x9a, 0x89, 0x4b, 0x04, 0xaa, 0x23, 0x23, 0xb9, 0xfa, 0x7d, 0x7d, 0xa0, 0xea, + 0xd7, 0x3f, 0x3c, 0x7b, 0x97, 0xbf, 0x9f, 0x4a, 0x30, 0x73, 0xbb, 0x76, 0xc7, 0x34, 0xec, 0x8e, + 0x6b, 0xce, 0xbd, 0x8e, 0x13, 0xd7, 0x37, 0x20, 0x67, 0xda, 0x9a, 0xeb, 0xc7, 0x4b, 0xae, 0x1f, + 0xd8, 0xd6, 0x98, 0x1f, 0xd3, 0x11, 0x29, 0xc7, 0x09, 0x26, 0x80, 0xd6, 0x60, 0xc8, 0x54, 0xf4, + 0x16, 0x71, 0x8f, 0xd5, 0x0b, 0x3d, 0xac, 0x5f, 0x5e, 0xc2, 0x8c, 0x3d, 0x50, 0xbc, 0x71, 0x69, + 0x2c, 0x50, 0xe4, 0xff, 0x91, 0x60, 0xe2, 0x6e, 0xbd, 0xbe, 0xbe, 0xac, 0xf3, 0x1d, 0xcd, 0x1f, + 0x5c, 0xe7, 0x43, 0x0f, 0xae, 0xde, 0x49, 0xcf, 0x68, 0xce, 0x53, 0x2b, 0xfa, 0x17, 0x18, 0x66, + 0x99, 0x84, 0xe8, 0xcd, 0x3e, 0x4b, 0x6d, 0x01, 0x5f, 0x75, 0x84, 0xfc, 0x0a, 0x51, 0x0c, 0x60, + 0x17, 0x4e, 0xde, 0x85, 0x33, 0x01, 0x73, 0x58, 0x3c, 0xf8, 0x9b, 0x21, 0xaa, 0x41, 0x9e, 0x69, + 0x76, 0x9f, 0x04, 0x7b, 0xbd, 0x7c, 0x45, 0x5c, 0xf2, 0x2b, 0x1d, 0xf6, 0xcb, 0xc2, 0x0e, 0x96, + 0xbc, 0x0a, 0x63, 0xfc, 0x95, 0xd9, 0x30, 0x29, 0x0f, 0x0b, 0x3a, 0x0f, 0xd9, 0xb6, 0xaa, 0x8b, + 0x73, 0x76, 0x54, 0xc8, 0x64, 0xd9, 0x19, 0xc1, 0xc6, 0x39, 0x59, 0xd9, 0x17, 0x99, 0xc7, 0x27, + 0x2b, 0xfb, 0x98, 0x8d, 0xcb, 0x77, 0x60, 0x58, 0x84, 0x3b, 0x08, 0x94, 0x3d, 0x1a, 0x28, 0x9b, + 0x00, 0xf4, 0xbf, 0x19, 0x18, 0x16, 0xd6, 0x9f, 0xc0, 0xa5, 0x69, 0x25, 0x74, 0x69, 0x7a, 0xb9, + 0xbf, 0x99, 0x4c, 0xbd, 0x31, 0xd5, 0x23, 0x37, 0xa6, 0xcb, 
0x7d, 0xe2, 0x1d, 0x7d, 0x5d, 0xfa, + 0x4c, 0x82, 0xf1, 0xf0, 0x1a, 0x42, 0xd7, 0x61, 0x94, 0x9d, 0x0f, 0x6a, 0x83, 0xac, 0xf9, 0x65, + 0xa9, 0xf7, 0x98, 0x51, 0xf3, 0x49, 0x38, 0xc8, 0x87, 0x5a, 0x9e, 0x18, 0x9b, 0x76, 0xe1, 0x74, + 0x7a, 0x48, 0x6d, 0xaa, 0x6a, 0x65, 0xa7, 0xb7, 0x51, 0x5e, 0xd6, 0xe9, 0x3d, 0xb3, 0x46, 0x4d, + 0x55, 0x6f, 0xc5, 0x14, 0xf1, 0x35, 0x14, 0x44, 0x96, 0x7f, 0x2a, 0xc1, 0xa8, 0x30, 0xf9, 0x04, + 0x2e, 0x01, 0xff, 0x1c, 0xbe, 0x04, 0x5c, 0xe8, 0x73, 0x3f, 0x26, 0xdf, 0x00, 0x7e, 0xe0, 0x9b, + 0xce, 0x76, 0x20, 0x4b, 0x08, 0x3b, 0x86, 0x45, 0xa3, 0x09, 0x81, 0xed, 0x1d, 0xcc, 0x29, 0xc8, + 0x86, 0x49, 0x35, 0xb2, 0x65, 0x45, 0x68, 0x2b, 0xfd, 0x59, 0xe2, 0x89, 0x55, 0x8b, 0x02, 0x7e, + 0x32, 0x4a, 0xc1, 0x31, 0x15, 0x32, 0x81, 0x18, 0x17, 0xba, 0x0f, 0xb9, 0x1d, 0x4a, 0x3b, 0x09, + 0xef, 0xbe, 0x3d, 0x12, 0x85, 0x6f, 0x42, 0x81, 0x7b, 0x57, 0xaf, 0xaf, 0x63, 0x0e, 0x25, 0xff, + 0xd9, 0x8f, 0x47, 0xcd, 0x59, 0xe3, 0x5e, 0xfa, 0x93, 0x8e, 0x93, 0xfe, 0x46, 0x93, 0x52, 0x1f, + 0xba, 0x0b, 0x59, 0xaa, 0xf5, 0x7b, 0x8b, 0x13, 0x88, 0xf5, 0x95, 0x9a, 0x9f, 0x3f, 0xea, 0x2b, + 0x35, 0xcc, 0x20, 0xd0, 0x3d, 0xc8, 0xb3, 0xc3, 0x82, 0x6d, 0xc1, 0x6c, 0xff, 0x5b, 0x9a, 0xf9, + 0xef, 0x2f, 0x08, 0xf6, 0xcb, 0xc2, 0x0e, 0x8e, 0xfc, 0x01, 0x8c, 0x85, 0xf6, 0x29, 0x7a, 0x1f, + 0x4e, 0x6b, 0x86, 0xd2, 0xac, 0x2a, 0x9a, 0xa2, 0x37, 0x88, 0xfb, 0xc8, 0x7e, 0x21, 0xe9, 0x42, + 0xb0, 0x12, 0xe0, 0x13, 0xbb, 0xdc, 0x6b, 0x95, 0x05, 0x69, 0x38, 0x84, 0x28, 0x2b, 0x00, 0xbe, + 0x8f, 0xa8, 0x04, 0x79, 0xb6, 0xce, 0x9c, 0xf4, 0x3f, 0x52, 0x1d, 0x61, 0x16, 0xb2, 0xe5, 0x67, + 0x61, 0x67, 0x1c, 0x5d, 0x03, 0xb0, 0x48, 0xc3, 0x24, 0x94, 0x27, 0x83, 0x4c, 0xb8, 0x55, 0x58, + 0xf3, 0x28, 0x38, 0xc0, 0x25, 0xff, 0x52, 0x82, 0xb1, 0x35, 0x42, 0x3f, 0x34, 0xcc, 0xdd, 0x75, + 0xde, 0xcf, 0x3d, 0x81, 0x64, 0x8b, 0x43, 0xc9, 0xf6, 0x95, 0x1e, 0x33, 0x13, 0xb2, 0x2e, 0x2d, + 0xe5, 0x32, 0x3f, 0x8a, 0x21, 0xce, 0xe0, 0xde, 0xdd, 0x80, 0x7c, 0xc7, 0x30, 0xa9, 0x7b, 0x70, + 
0x0e, 0xa4, 0x91, 0xe5, 0xb1, 0xc0, 0xd1, 0xc9, 0x60, 0xb0, 0x83, 0xc6, 0xfc, 0xd8, 0x36, 0x8d, + 0xb6, 0x58, 0xad, 0x83, 0xa1, 0x12, 0x62, 0xfa, 0x7e, 0xdc, 0x36, 0x8d, 0x36, 0xe6, 0x58, 0xf2, + 0x2f, 0x24, 0x98, 0x0a, 0x71, 0x9e, 0x40, 0xde, 0xbc, 0x1f, 0xce, 0x9b, 0x97, 0x07, 0x71, 0x24, + 0x25, 0x7b, 0xfe, 0x31, 0xea, 0x06, 0x73, 0x18, 0x6d, 0xc3, 0x68, 0xc7, 0x68, 0xd6, 0x9e, 0x42, + 0x57, 0x6a, 0x82, 0x1d, 0x3b, 0xeb, 0x3e, 0x16, 0x0e, 0x02, 0xa3, 0x7d, 0x98, 0xd2, 0x95, 0x36, + 0xb1, 0x3a, 0x4a, 0x83, 0xd4, 0x9e, 0xc2, 0x73, 0xc0, 0x73, 0xfc, 0xd9, 0x3b, 0x8a, 0x88, 0xe3, + 0x4a, 0xe4, 0x1f, 0xc6, 0xfc, 0x36, 0x4c, 0x8a, 0xee, 0x40, 0x81, 0x7f, 0x09, 0xd0, 0x30, 0x34, + 0xf7, 0xe1, 0x9a, 0x4d, 0xc5, 0xba, 0x18, 0x7b, 0x72, 0x50, 0x3a, 0x97, 0xf0, 0x26, 0xe9, 0x92, + 0xb1, 0x27, 0x8c, 0xd6, 0x20, 0xd7, 0xf9, 0x36, 0x27, 0x36, 0x4f, 0xea, 0xfc, 0x98, 0xe6, 0x38, + 0xf2, 0x37, 0x51, 0x73, 0x79, 0x6a, 0x7f, 0xf4, 0xd4, 0xa6, 0xc9, 0xab, 0x10, 0x52, 0xa7, 0x6a, + 0x0b, 0x86, 0xc5, 0x89, 0x26, 0x56, 0xdf, 0x1b, 0x83, 0xac, 0xbe, 0x60, 0xd6, 0xf6, 0xea, 0x69, + 0x77, 0xd0, 0x05, 0x96, 0x7f, 0x2d, 0xc1, 0x14, 0x37, 0xa0, 0x61, 0x9b, 0x2a, 0xed, 0x9e, 0x58, + 0x9e, 0xdb, 0x0c, 0xe5, 0xb9, 0xd7, 0x7a, 0x38, 0x16, 0xb3, 0x30, 0x35, 0xd7, 0x7d, 0x21, 0xc1, + 0x73, 0x31, 0xee, 0x13, 0xc8, 0x13, 0x1b, 0xe1, 0x3c, 0xf1, 0xca, 0xa0, 0x0e, 0xa5, 0xe4, 0x8a, + 0xef, 0x9d, 0x4e, 0x70, 0x87, 0x2f, 0xc4, 0x6b, 0x00, 0x1d, 0x53, 0xdd, 0x53, 0x35, 0xd2, 0x12, + 0xbd, 0xc9, 0x42, 0xe0, 0xdb, 0x17, 0x8f, 0x82, 0x03, 0x5c, 0xc8, 0x82, 0x99, 0x26, 0xd9, 0x56, + 0x6c, 0x8d, 0x2e, 0x34, 0x9b, 0x8b, 0x4a, 0x47, 0xd9, 0x52, 0x35, 0x95, 0xaa, 0xe2, 0xb2, 0x38, + 0x52, 0xbd, 0xe9, 0xf4, 0x0c, 0x93, 0x38, 0x9e, 0x1c, 0x94, 0xce, 0x27, 0xf5, 0x06, 0x5c, 0x96, + 0x2e, 0x4e, 0x81, 0x46, 0x5d, 0x28, 0x9a, 0xe4, 0x03, 0x5b, 0x35, 0x49, 0x73, 0xc9, 0x34, 0x3a, + 0x21, 0xb5, 0x59, 0xae, 0xf6, 0x1f, 0x0e, 0x0f, 0x4a, 0x45, 0x9c, 0xc2, 0xd3, 0x5b, 0x71, 0x2a, + 0x3c, 0x7a, 0x04, 0xd3, 0x8a, 0xf3, 
0xb1, 0x50, 0x48, 0x6b, 0x8e, 0x6b, 0xbd, 0x71, 0x78, 0x50, + 0x9a, 0x5e, 0x88, 0x93, 0x7b, 0x2b, 0x4c, 0x02, 0x45, 0x15, 0x18, 0xde, 0x33, 0x34, 0xbb, 0x4d, + 0xac, 0x62, 0x9e, 0xe3, 0xb3, 0xc4, 0x38, 0xbc, 0xe9, 0x0c, 0x3d, 0x39, 0x28, 0x0d, 0xdd, 0xae, + 0xf1, 0x6b, 0xba, 0xcb, 0xc5, 0xee, 0x27, 0xac, 0x34, 0x11, 0x7b, 0x96, 0xbf, 0x17, 0x16, 0xfc, + 0xa4, 0x70, 0xd7, 0x27, 0xe1, 0x20, 0x1f, 0x7a, 0x08, 0x23, 0x3b, 0xe2, 0x4e, 0x6a, 0x15, 0x87, + 0xfb, 0x3a, 0x94, 0x42, 0x77, 0xd8, 0xea, 0x94, 0x50, 0x31, 0xe2, 0x0e, 0x5b, 0xd8, 0x47, 0x44, + 0x97, 0x60, 0x98, 0xff, 0x58, 0x5e, 0xe2, 0x8f, 0x31, 0x05, 0x3f, 0x75, 0xdc, 0x75, 0x86, 0xb1, + 0x4b, 0x77, 0x59, 0x97, 0xd7, 0x17, 0xf9, 0xa3, 0x60, 0x84, 0x75, 0x79, 0x7d, 0x11, 0xbb, 0x74, + 0xf4, 0x3e, 0x0c, 0x5b, 0x64, 0x45, 0xd5, 0xed, 0xfd, 0x22, 0xf4, 0xd5, 0x52, 0xac, 0xdd, 0xe2, + 0xdc, 0x91, 0x67, 0x11, 0x5f, 0x83, 0xa0, 0x63, 0x17, 0x16, 0xed, 0xc0, 0x88, 0x69, 0xeb, 0x0b, + 0xd6, 0x86, 0x45, 0xcc, 0xe2, 0x28, 0xd7, 0xd1, 0x2b, 0x5b, 0x62, 0x97, 0x3f, 0xaa, 0xc5, 0x8b, + 0x90, 0xc7, 0x81, 0x7d, 0x70, 0xf4, 0xdf, 0x12, 0x20, 0xcb, 0xee, 0x74, 0x34, 0xd2, 0x26, 0x3a, + 0x55, 0x34, 0xfe, 0x12, 0x63, 0x15, 0x4f, 0x73, 0x9d, 0xff, 0xd4, 0xcb, 0xaf, 0x98, 0x60, 0x54, + 0xb9, 0xf7, 0xe4, 0x19, 0x67, 0xc5, 0x09, 0x7a, 0x59, 0x68, 0xb7, 0x2d, 0xfe, 0x77, 0x71, 0xac, + 0xaf, 0xd0, 0x26, 0xbf, 0x38, 0xf9, 0xa1, 0x15, 0x74, 0xec, 0xc2, 0xa2, 0x4d, 0x98, 0x31, 0x89, + 0xd2, 0xbc, 0xa7, 0x6b, 0x5d, 0x6c, 0x18, 0xf4, 0xb6, 0xaa, 0x11, 0xab, 0x6b, 0x51, 0xd2, 0x2e, + 0x8e, 0xf3, 0x69, 0xf7, 0x5a, 0xf2, 0x38, 0x91, 0x0b, 0xa7, 0x48, 0xa3, 0x36, 0x94, 0xdc, 0x94, + 0xc1, 0xf6, 0x93, 0x97, 0xb3, 0x6e, 0x59, 0x0d, 0x45, 0x73, 0x5e, 0x81, 0x27, 0xb8, 0x82, 0x97, + 0x0e, 0x0f, 0x4a, 0xa5, 0xa5, 0xa3, 0x59, 0x71, 0x2f, 0x2c, 0xf4, 0x1e, 0x14, 0x95, 0x34, 0x3d, + 0x93, 0x5c, 0xcf, 0xbc, 0x70, 0xa4, 0x98, 0xaa, 0x24, 0x15, 0x01, 0x51, 0x98, 0x54, 0xc2, 0xdf, + 0x25, 0x5a, 0xc5, 0xa9, 0xbe, 0x9e, 0xa2, 0x22, 0x9f, 0x33, 0xfa, 0xf7, 
0xdb, 0x08, 0xc1, 0xc2, + 0x31, 0x0d, 0xbc, 0x81, 0x2e, 0x9e, 0x53, 0x4f, 0xe6, 0x8b, 0xb5, 0xc1, 0x1a, 0xe8, 0xbe, 0x69, + 0x4f, 0xad, 0x81, 0x1e, 0x80, 0x3c, 0xfa, 0x45, 0xe8, 0x0f, 0x19, 0x98, 0xf6, 0x99, 0xfb, 0x6e, + 0xa0, 0x27, 0x88, 0x3c, 0xb3, 0x06, 0x7a, 0x72, 0x07, 0x3a, 0xfb, 0xac, 0x3b, 0xd0, 0xcf, 0xa0, + 0x71, 0xcf, 0x9b, 0xda, 0x7e, 0xe8, 0xfe, 0xfa, 0x9a, 0xda, 0xbe, 0x6d, 0x29, 0x85, 0xd6, 0x8f, + 0x33, 0x41, 0x07, 0xfe, 0xe6, 0x3b, 0xab, 0xdf, 0xfe, 0xb3, 0x3e, 0xf9, 0x8b, 0x2c, 0x4c, 0x46, + 0x77, 0x63, 0xa8, 0x01, 0x27, 0xf5, 0x6c, 0xc0, 0xad, 0xc3, 0x99, 0x6d, 0x5b, 0xd3, 0xba, 0x3c, + 0x0c, 0x81, 0x2e, 0x9c, 0xf3, 0x80, 0xfe, 0x82, 0x90, 0x3c, 0x73, 0x3b, 0x81, 0x07, 0x27, 0x4a, + 0xa6, 0x34, 0x13, 0xb3, 0xc7, 0x6a, 0x26, 0xc6, 0x7a, 0x5b, 0xb9, 0x01, 0x7a, 0x5b, 0x89, 0x8d, + 0xc1, 0xfc, 0x31, 0x1a, 0x83, 0xc7, 0xe9, 0xe4, 0x25, 0x24, 0xb1, 0x5e, 0x9d, 0x3c, 0xf9, 0x05, + 0x98, 0x15, 0x62, 0x94, 0x37, 0xd9, 0x74, 0x6a, 0x1a, 0x9a, 0x46, 0xcc, 0x25, 0xbb, 0xdd, 0xee, + 0xca, 0x6f, 0xc3, 0x78, 0xb8, 0x7d, 0xec, 0xcc, 0xb4, 0xd3, 0xc1, 0x16, 0x6d, 0x8c, 0xc0, 0x4c, + 0x3b, 0xe3, 0xd8, 0xe3, 0x90, 0x3f, 0x92, 0x60, 0x26, 0xf9, 0x33, 0x31, 0xa4, 0xc1, 0x78, 0x5b, + 0xd9, 0x0f, 0x7e, 0x53, 0x27, 0x1d, 0xf3, 0x06, 0xcf, 0xfb, 0x86, 0xab, 0x21, 0x2c, 0x1c, 0xc1, + 0x66, 0xb7, 0xfa, 0xb3, 0x29, 0x1d, 0xbb, 0x93, 0xb5, 0x04, 0x3d, 0x80, 0x42, 0x5b, 0xd9, 0xaf, + 0xd9, 0x66, 0x8b, 0x1c, 0xfb, 0xcd, 0x82, 0x67, 0x8c, 0x55, 0x81, 0x82, 0x3d, 0x3c, 0xf9, 0x53, + 0x09, 0x8a, 0x69, 0xe5, 0x2d, 0xba, 0x1e, 0xea, 0x2d, 0xbe, 0x18, 0xe9, 0x2d, 0x4e, 0xc5, 0xe4, + 0x9e, 0x51, 0x67, 0xf1, 0x47, 0x12, 0xcc, 0x24, 0x97, 0xf9, 0xe8, 0xd5, 0x90, 0x85, 0xa5, 0x88, + 0x85, 0x13, 0x11, 0x29, 0x61, 0xdf, 0xbf, 0xc1, 0xb8, 0xb8, 0x0c, 0x08, 0x18, 0x11, 0x55, 0x39, + 0x29, 0x57, 0x0a, 0x08, 0xb7, 0xf8, 0xe5, 0xf3, 0x15, 0x1e, 0xc3, 0x11, 0x34, 0xf9, 0xbf, 0x32, + 0x90, 0xaf, 0x35, 0x14, 0x8d, 0x9c, 0x40, 0x99, 0xf5, 0x4e, 0xa8, 0xcc, 0xea, 0xf5, 0xfd, 0x3b, + 0xb7, 0x2a, 
0xb5, 0xc2, 0xc2, 0x91, 0x0a, 0xeb, 0xe5, 0xbe, 0xd0, 0x8e, 0x2e, 0xae, 0xde, 0x84, + 0x11, 0x4f, 0xe9, 0x60, 0x39, 0x5f, 0xfe, 0x7e, 0x06, 0x46, 0x03, 0x2a, 0x06, 0x3c, 0x31, 0xb6, + 0x43, 0x27, 0x6d, 0x3f, 0xff, 0x09, 0x13, 0xd0, 0x55, 0x76, 0xcf, 0x56, 0xe7, 0x33, 0x31, 0xff, + 0xc3, 0xa0, 0xf8, 0x91, 0xfb, 0x36, 0x8c, 0x53, 0xfe, 0x9f, 0x22, 0xde, 0x4b, 0x5f, 0x96, 0xaf, + 0x45, 0xef, 0xe3, 0xc2, 0x7a, 0x88, 0x8a, 0x23, 0xdc, 0xb3, 0x37, 0x61, 0x2c, 0xa4, 0x6c, 0xa0, + 0xaf, 0xbc, 0x7e, 0x22, 0xc1, 0x8b, 0x3d, 0x2f, 0x8a, 0xa8, 0x1a, 0xda, 0x24, 0xe5, 0xc8, 0x26, + 0x99, 0x4b, 0x07, 0x78, 0x86, 0x5f, 0x0b, 0x7c, 0x94, 0x01, 0x54, 0xdf, 0x51, 0xcd, 0xe6, 0xba, + 0x62, 0xd2, 0x2e, 0x16, 0xff, 0xee, 0x73, 0x02, 0x1b, 0xe6, 0x3a, 0x8c, 0x36, 0x89, 0xd5, 0x30, + 0x55, 0x1e, 0x1c, 0x51, 0x9d, 0x7b, 0x8f, 0x29, 0x4b, 0x3e, 0x09, 0x07, 0xf9, 0xd0, 0xbb, 0x50, + 0xd8, 0x73, 0xfe, 0xf5, 0xcc, 0xed, 0x85, 0xf5, 0x2a, 0x24, 0xfd, 0x7f, 0x56, 0xf3, 0xd7, 0x8f, + 0x18, 0xb0, 0xb0, 0x07, 0x26, 0x7f, 0x22, 0xc1, 0x4c, 0x3c, 0x10, 0x4b, 0xcc, 0xd4, 0x67, 0x1f, + 0x8c, 0x17, 0x20, 0xc7, 0xd1, 0x59, 0x14, 0x4e, 0x3b, 0xef, 0xda, 0x4c, 0x33, 0xe6, 0xa3, 0xf2, + 0x6f, 0x25, 0x98, 0x4d, 0x36, 0xed, 0x04, 0xca, 0xf6, 0x07, 0xe1, 0xb2, 0xbd, 0xd7, 0x5b, 0x45, + 0xb2, 0x9d, 0x29, 0x25, 0xfc, 0x6f, 0x12, 0x63, 0x7e, 0x02, 0x4e, 0x6d, 0x86, 0x9d, 0xba, 0x3a, + 0xb0, 0x53, 0xc9, 0x0e, 0x55, 0xaf, 0x3c, 0xfe, 0x7a, 0xee, 0xd4, 0x97, 0x5f, 0xcf, 0x9d, 0xfa, + 0xea, 0xeb, 0xb9, 0x53, 0xff, 0x79, 0x38, 0x27, 0x3d, 0x3e, 0x9c, 0x93, 0xbe, 0x3c, 0x9c, 0x93, + 0xbe, 0x3a, 0x9c, 0x93, 0x7e, 0x7f, 0x38, 0x27, 0xfd, 0xdf, 0x37, 0x73, 0xa7, 0x1e, 0x0c, 0x0b, + 0xdc, 0xbf, 0x04, 0x00, 0x00, 0xff, 0xff, 0xc0, 0xf0, 0x58, 0xb7, 0x3a, 0x3b, 0x00, 0x00, +>>>>>>> Allow PSP's to specify a whitelist of allowed paths for host volume } diff --git a/staging/src/k8s.io/api/extensions/v1beta1/generated.proto b/staging/src/k8s.io/api/extensions/v1beta1/generated.proto index 87a2f91687..fb91d5cc10 100644 
--- a/staging/src/k8s.io/api/extensions/v1beta1/generated.proto +++ b/staging/src/k8s.io/api/extensions/v1beta1/generated.proto @@ -39,6 +39,19 @@ message APIVersion { optional string name = 1; } +// AllowedHostPath defines the host volume conditions that will be enabled by a policy +// for pods to use. It requires the path prefix to be defined. +message AllowedHostPath { + // PathPrefix is the path prefix that the host volume must match. + // PathPrefix does not support `*`. + // Trailing slashes are trimmed when validating the path prefix with a host path. + // + // Examples: + // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` + // `/foo` would not allow `/food` or `/etc/foo` + optional string path = 1; +} + message CustomMetricCurrentStatus { // Custom Metric name. optional string name = 1; @@ -754,6 +767,10 @@ message PodSecurityPolicySpec { // privilege escalation. // +optional optional bool allowPrivilegeEscalation = 16; + + // AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used. + // +optional + repeated AllowedHostPath allowedHostPaths = 17; } // ReplicaSet represents the configuration of a ReplicaSet. diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.generated.go b/staging/src/k8s.io/api/extensions/v1beta1/types.generated.go index 37120e62d1..25d3c99c79 100644 --- a/staging/src/k8s.io/api/extensions/v1beta1/types.generated.go +++ b/staging/src/k8s.io/api/extensions/v1beta1/types.generated.go @@ -14751,7 +14751,7 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) { } else { yysep2 := !z.EncBinary() yy2arr2 := z.EncBasicHandle().StructToArray - var yyq2 [16]bool + var yyq2 [17]bool _, _, _ = yysep2, yyq2, yy2arr2 const yyr2 bool = false yyq2[0] = x.Privileged != false 
@@ -14766,9 +14766,10 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) { yyq2[13] = x.ReadOnlyRootFilesystem != false yyq2[14] = x.DefaultAllowPrivilegeEscalation != nil yyq2[15] = x.AllowPrivilegeEscalation != false + yyq2[16] = len(x.AllowedHostPaths) != 0 var yynn2 int if yyr2 || yy2arr2 { - r.EncodeArrayStart(16) + r.EncodeArrayStart(17) } else { yynn2 = 4 for _, b := range yyq2 { @@ -15173,6 +15174,39 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) { } } } + if yyr2 || yy2arr2 { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + if yyq2[16] { + if x.AllowedHostPaths == nil { + r.EncodeNil() + } else { + yym62 := z.EncBinary() + _ = yym62 + if false { + } else { + h.encSliceAllowedHostPath(([]AllowedHostPath)(x.AllowedHostPaths), e) + } + } + } else { + r.EncodeNil() + } + } else { + if yyq2[16] { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + r.EncodeString(codecSelferC_UTF81234, string("allowedHostPaths")) + z.EncSendContainerState(codecSelfer_containerMapValue1234) + if x.AllowedHostPaths == nil { + r.EncodeNil() + } else { + yym63 := z.EncBinary() + _ = yym63 + if false { + } else { + h.encSliceAllowedHostPath(([]AllowedHostPath)(x.AllowedHostPaths), e) + } + } + } + } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayEnd1234) } else { @@ -15410,6 +15444,18 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromMap(l int, d *codec1978.Decod *((*bool)(yyv30)) = r.DecodeBool() } } + case "allowedHostPaths": + if r.TryDecodeAsNil() { + x.AllowedHostPaths = nil + } else { + yyv32 := &x.AllowedHostPaths + yym33 := z.DecBinary() + _ = yym33 + if false { + } else { + h.decSliceAllowedHostPath((*[]AllowedHostPath)(yyv32), d) + } + } default: z.DecStructFieldNotFound(-1, yys3) } // end switch yys3 
@@ -15421,16 +15467,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec var h codecSelfer1234 z, r := codec1978.GenHelperDecoder(d) _, _, _ = h, z, r - var yyj32 int - var yyb32 bool - var yyhl32 bool = l >= 0 - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + var yyj34 int + var yyb34 bool + var yyhl34 bool = l >= 0 + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -15438,21 +15484,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.Privileged = false } else { - yyv33 := &x.Privileged - yym34 := z.DecBinary() - _ = yym34 + yyv35 := &x.Privileged + yym36 := z.DecBinary() + _ = yym36 if false { } else { - *((*bool)(yyv33)) = r.DecodeBool() + *((*bool)(yyv35)) = r.DecodeBool() } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -15460,29 +15506,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.DefaultAddCapabilities = nil } else { - yyv35 := &x.DefaultAddCapabilities - yym36 := z.DecBinary() - _ = yym36 - if false { - } else { - h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv35), d) - } - } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l - } else { - yyb32 = r.CheckBreak() - } - if yyb32 { - z.DecSendContainerState(codecSelfer_containerArrayEnd1234) - return - } - z.DecSendContainerState(codecSelfer_containerArrayElem1234) - if r.TryDecodeAsNil() { - x.RequiredDropCapabilities = nil - } else { - yyv37 := &x.RequiredDropCapabilities + yyv37 := &x.DefaultAddCapabilities yym38 := z.DecBinary() _ = yym38 if false { 
@@ -15490,21 +15514,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv37), d) } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } z.DecSendContainerState(codecSelfer_containerArrayElem1234) if r.TryDecodeAsNil() { - x.AllowedCapabilities = nil + x.RequiredDropCapabilities = nil } else { - yyv39 := &x.AllowedCapabilities + yyv39 := &x.RequiredDropCapabilities yym40 := z.DecBinary() _ = yym40 if false { @@ -15512,13 +15536,35 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv39), d) } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) + return + } + z.DecSendContainerState(codecSelfer_containerArrayElem1234) + if r.TryDecodeAsNil() { + x.AllowedCapabilities = nil + } else { + yyv41 := &x.AllowedCapabilities + yym42 := z.DecBinary() + _ = yym42 + if false { + } else { + h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv41), d) + } + } + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l + } else { + yyb34 = r.CheckBreak() + } + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -15526,21 +15572,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.Volumes = nil } else { - yyv41 := &x.Volumes - yym42 := z.DecBinary() - _ = yym42 + yyv43 := &x.Volumes + yym44 := z.DecBinary() + _ = yym44 if false { } else { - h.decSliceFSType((*[]FSType)(yyv41), d) + h.decSliceFSType((*[]FSType)(yyv43), d) } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -15548,21 +15594,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.HostNetwork = false } else { - yyv43 := &x.HostNetwork - yym44 := z.DecBinary() - _ = yym44 + yyv45 := &x.HostNetwork + yym46 := z.DecBinary() + _ = yym46 if false { } else { - *((*bool)(yyv43)) = r.DecodeBool() + *((*bool)(yyv45)) = r.DecodeBool() } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -15570,21 +15616,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.HostPorts = nil } else { - yyv45 := &x.HostPorts - yym46 := z.DecBinary() - _ = yym46 + yyv47 := &x.HostPorts + yym48 := z.DecBinary() + _ = yym48 if false { } else { - h.decSliceHostPortRange((*[]HostPortRange)(yyv45), d) + h.decSliceHostPortRange((*[]HostPortRange)(yyv47), d) } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -15592,29 +15638,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.HostPID = false } else { - yyv47 := &x.HostPID - yym48 := z.DecBinary() - _ = yym48 - if false { - } else { - *((*bool)(yyv47)) = r.DecodeBool() - } - } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l - } else { - yyb32 = r.CheckBreak() - } - if yyb32 { - z.DecSendContainerState(codecSelfer_containerArrayEnd1234) - return - } - z.DecSendContainerState(codecSelfer_containerArrayElem1234) - if r.TryDecodeAsNil() { - x.HostIPC = false - } else { - yyv49 := &x.HostIPC + yyv49 := &x.HostPID yym50 := z.DecBinary() _ = yym50 if false { @@ -15622,13 +15646,35 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec *((*bool)(yyv49)) = r.DecodeBool() } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) + return + } + z.DecSendContainerState(codecSelfer_containerArrayElem1234) + if r.TryDecodeAsNil() { + x.HostIPC = false + } else { + yyv51 := &x.HostIPC + yym52 := z.DecBinary() + _ = yym52 + if false { + } else { + *((*bool)(yyv51)) = r.DecodeBool() + } + } + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l + } else { + yyb34 = r.CheckBreak() + } + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -15636,16 +15682,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.SELinux = SELinuxStrategyOptions{} } else { - yyv51 := &x.SELinux - yyv51.CodecDecodeSelf(d) + yyv53 := &x.SELinux + yyv53.CodecDecodeSelf(d) } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -15653,16 +15699,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.RunAsUser = RunAsUserStrategyOptions{} } else { - yyv52 := &x.RunAsUser - yyv52.CodecDecodeSelf(d) + yyv54 := &x.RunAsUser + yyv54.CodecDecodeSelf(d) } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -15670,16 +15716,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.SupplementalGroups = SupplementalGroupsStrategyOptions{} } else { - yyv53 := &x.SupplementalGroups - yyv53.CodecDecodeSelf(d) + yyv55 := &x.SupplementalGroups + yyv55.CodecDecodeSelf(d) } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -15687,16 +15733,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.FSGroup = FSGroupStrategyOptions{} } else { - yyv54 := &x.FSGroup - yyv54.CodecDecodeSelf(d) + yyv56 := &x.FSGroup + yyv56.CodecDecodeSelf(d) } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -15704,21 +15750,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.ReadOnlyRootFilesystem = false } else { - yyv55 := &x.ReadOnlyRootFilesystem - yym56 := z.DecBinary() - _ = yym56 + yyv57 := &x.ReadOnlyRootFilesystem + yym58 := z.DecBinary() + _ = yym58 if false { } else { - *((*bool)(yyv55)) = r.DecodeBool() + *((*bool)(yyv57)) = r.DecodeBool() } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -15731,20 +15777,20 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if x.DefaultAllowPrivilegeEscalation == nil { x.DefaultAllowPrivilegeEscalation = new(bool) } - yym58 := z.DecBinary() - _ = yym58 + yym60 := z.DecBinary() + _ = yym60 if false { } else { *((*bool)(x.DefaultAllowPrivilegeEscalation)) = r.DecodeBool() } } - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -15752,26 +15798,229 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec if r.TryDecodeAsNil() { x.AllowPrivilegeEscalation = false } else { - yyv59 := &x.AllowPrivilegeEscalation - yym60 := z.DecBinary() - _ = yym60 + yyv61 := &x.AllowPrivilegeEscalation + yym62 := z.DecBinary() + _ = yym62 if false { } else { - *((*bool)(yyv59)) = r.DecodeBool() + *((*bool)(yyv61)) = r.DecodeBool() + } + } + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l + } else { + yyb34 = r.CheckBreak() + } + if yyb34 { + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) + return + } + z.DecSendContainerState(codecSelfer_containerArrayElem1234) + if r.TryDecodeAsNil() { + x.AllowedHostPaths = nil + } else { + yyv63 := &x.AllowedHostPaths + yym64 := z.DecBinary() + _ = yym64 + if false { + } else { + h.decSliceAllowedHostPath((*[]AllowedHostPath)(yyv63), d) } } for { - yyj32++ - if yyhl32 { - yyb32 = yyj32 > l + yyj34++ + if yyhl34 { + yyb34 = yyj34 > l } else { - yyb32 = r.CheckBreak() + yyb34 = r.CheckBreak() } - if yyb32 { + if yyb34 { break } z.DecSendContainerState(codecSelfer_containerArrayElem1234) - z.DecStructFieldNotFound(yyj32-1, "") + z.DecStructFieldNotFound(yyj34-1, "") + } + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) +} + +func (x *AllowedHostPath) CodecEncodeSelf(e *codec1978.Encoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperEncoder(e) + _, _, _ = h, z, r + if x == nil { + r.EncodeNil() + } else { + yym1 := z.EncBinary() + _ = yym1 + if false { + } else if z.HasExtensions() && z.EncExt(x) { + } else { + yysep2 := !z.EncBinary() + yy2arr2 := z.EncBasicHandle().StructToArray + var yyq2 [1]bool + _, _, _ = yysep2, yyq2, yy2arr2 + const yyr2 bool = false + yyq2[0] = x.PathPrefix != "" + var yynn2 int + if yyr2 || yy2arr2 { + r.EncodeArrayStart(1) + } else { + yynn2 = 0 + for _, b := range yyq2 { + if b { + yynn2++ + } + } + r.EncodeMapStart(yynn2) + yynn2 = 0 + } + if yyr2 || yy2arr2 { + 
z.EncSendContainerState(codecSelfer_containerArrayElem1234) + if yyq2[0] { + yym4 := z.EncBinary() + _ = yym4 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(x.PathPrefix)) + } + } else { + r.EncodeString(codecSelferC_UTF81234, "") + } + } else { + if yyq2[0] { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + r.EncodeString(codecSelferC_UTF81234, string("path")) + z.EncSendContainerState(codecSelfer_containerMapValue1234) + yym5 := z.EncBinary() + _ = yym5 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(x.PathPrefix)) + } + } + } + if yyr2 || yy2arr2 { + z.EncSendContainerState(codecSelfer_containerArrayEnd1234) + } else { + z.EncSendContainerState(codecSelfer_containerMapEnd1234) + } + } + } +} + +func (x *AllowedHostPath) CodecDecodeSelf(d *codec1978.Decoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperDecoder(d) + _, _, _ = h, z, r + yym1 := z.DecBinary() + _ = yym1 + if false { + } else if z.HasExtensions() && z.DecExt(x) { + } else { + yyct2 := r.ContainerType() + if yyct2 == codecSelferValueTypeMap1234 { + yyl2 := r.ReadMapStart() + if yyl2 == 0 { + z.DecSendContainerState(codecSelfer_containerMapEnd1234) + } else { + x.codecDecodeSelfFromMap(yyl2, d) + } + } else if yyct2 == codecSelferValueTypeArray1234 { + yyl2 := r.ReadArrayStart() + if yyl2 == 0 { + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) + } else { + x.codecDecodeSelfFromArray(yyl2, d) + } + } else { + panic(codecSelferOnlyMapOrArrayEncodeToStructErr1234) + } + } +} + +func (x *AllowedHostPath) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperDecoder(d) + _, _, _ = h, z, r + var yys3Slc = z.DecScratchBuffer() // default slice to decode into + _ = yys3Slc + var yyhl3 bool = l >= 0 + for yyj3 := 0; ; yyj3++ { + if yyhl3 { + if yyj3 >= l { + break + } + } else { + if r.CheckBreak() { + break + } + } + z.DecSendContainerState(codecSelfer_containerMapKey1234) + 
yys3Slc = r.DecodeBytes(yys3Slc, true, true) + yys3 := string(yys3Slc) + z.DecSendContainerState(codecSelfer_containerMapValue1234) + switch yys3 { + case "path": + if r.TryDecodeAsNil() { + x.PathPrefix = "" + } else { + yyv4 := &x.PathPrefix + yym5 := z.DecBinary() + _ = yym5 + if false { + } else { + *((*string)(yyv4)) = r.DecodeString() + } + } + default: + z.DecStructFieldNotFound(-1, yys3) + } // end switch yys3 + } // end for yyj3 + z.DecSendContainerState(codecSelfer_containerMapEnd1234) +} + +func (x *AllowedHostPath) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperDecoder(d) + _, _, _ = h, z, r + var yyj6 int + var yyb6 bool + var yyhl6 bool = l >= 0 + yyj6++ + if yyhl6 { + yyb6 = yyj6 > l + } else { + yyb6 = r.CheckBreak() + } + if yyb6 { + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) + return + } + z.DecSendContainerState(codecSelfer_containerArrayElem1234) + if r.TryDecodeAsNil() { + x.PathPrefix = "" + } else { + yyv7 := &x.PathPrefix + yym8 := z.DecBinary() + _ = yym8 + if false { + } else { + *((*string)(yyv7)) = r.DecodeString() + } + } + for { + yyj6++ + if yyhl6 { + yyb6 = yyj6 > l + } else { + yyb6 = r.CheckBreak() + } + if yyb6 { + break + } + z.DecSendContainerState(codecSelfer_containerArrayElem1234) + z.DecStructFieldNotFound(yyj6-1, "") } z.DecSendContainerState(codecSelfer_containerArrayEnd1234) } 
@@ -21700,6 +21949,125 @@ func (x codecSelfer1234) decSliceHostPortRange(v *[]HostPortRange, d *codec1978. } } +func (x codecSelfer1234) encSliceAllowedHostPath(v []AllowedHostPath, e *codec1978.Encoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperEncoder(e) + _, _, _ = h, z, r + r.EncodeArrayStart(len(v)) + for _, yyv1 := range v { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + yy2 := &yyv1 + yy2.CodecEncodeSelf(e) + } + z.EncSendContainerState(codecSelfer_containerArrayEnd1234) +} + +func (x codecSelfer1234) decSliceAllowedHostPath(v *[]AllowedHostPath, d *codec1978.Decoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperDecoder(d) + _, _, _ = h, z, r + + yyv1 := *v + yyh1, yyl1 := z.DecSliceHelperStart() + var yyc1 bool + _ = yyc1 + if yyl1 == 0 { + if yyv1 == nil { + yyv1 = []AllowedHostPath{} + yyc1 = true + } else if len(yyv1) != 0 { + yyv1 = yyv1[:0] + yyc1 = true + } + } else if yyl1 > 0 { + var yyrr1, yyrl1 int + var yyrt1 bool + _, _ = yyrl1, yyrt1 + yyrr1 = yyl1 // len(yyv1) + if yyl1 > cap(yyv1) { + + yyrg1 := len(yyv1) > 0 + yyv21 := yyv1 + yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 16) + if yyrt1 { + if yyrl1 <= cap(yyv1) { + yyv1 = yyv1[:yyrl1] + } else { + yyv1 = make([]AllowedHostPath, yyrl1) + } + } else { + yyv1 = make([]AllowedHostPath, yyrl1) + } + yyc1 = true + yyrr1 = len(yyv1) + if yyrg1 { + copy(yyv1, yyv21) + } + } else if yyl1 != len(yyv1) { + yyv1 = yyv1[:yyl1] + yyc1 = true + } + yyj1 := 0 + for ; yyj1 < yyrr1; yyj1++ { + yyh1.ElemContainerState(yyj1) + if r.TryDecodeAsNil() { + yyv1[yyj1] = AllowedHostPath{} + } else { + yyv2 := &yyv1[yyj1] + yyv2.CodecDecodeSelf(d) + } + + } + if yyrt1 { + for ; yyj1 < yyl1; yyj1++ { + yyv1 = append(yyv1, AllowedHostPath{}) + yyh1.ElemContainerState(yyj1) + if r.TryDecodeAsNil() { + yyv1[yyj1] = AllowedHostPath{} + } else { + yyv3 := &yyv1[yyj1] + yyv3.CodecDecodeSelf(d) + } + + } + } + + } else { + yyj1 := 0 + for ; !r.CheckBreak(); yyj1++ { 
+ + if yyj1 >= len(yyv1) { + yyv1 = append(yyv1, AllowedHostPath{}) // var yyz1 AllowedHostPath + yyc1 = true + } + yyh1.ElemContainerState(yyj1) + if yyj1 < len(yyv1) { + if r.TryDecodeAsNil() { + yyv1[yyj1] = AllowedHostPath{} + } else { + yyv4 := &yyv1[yyj1] + yyv4.CodecDecodeSelf(d) + } + + } else { + z.DecSwallow() + } + + } + if yyj1 < len(yyv1) { + yyv1 = yyv1[:yyj1] + yyc1 = true + } else if yyj1 == 0 && yyv1 == nil { + yyv1 = []AllowedHostPath{} + yyc1 = true + } + } + yyh1.End() + if yyc1 { + *v = yyv1 + } +} + func (x codecSelfer1234) encSliceIDRange(v []IDRange, e *codec1978.Encoder) { var h codecSelfer1234 z, r := codec1978.GenHelperEncoder(e) @@ -21858,7 +22226,7 @@ func (x codecSelfer1234) decSlicePodSecurityPolicy(v *[]PodSecurityPolicy, d *co yyrg1 := len(yyv1) > 0 yyv21 := yyv1 - yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 576) + yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 600) if yyrt1 { if yyrl1 <= cap(yyv1) { yyv1 = yyv1[:yyrl1] diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.go b/staging/src/k8s.io/api/extensions/v1beta1/types.go index 2967f053b3..1565de0645 100644 --- a/staging/src/k8s.io/api/extensions/v1beta1/types.go +++ b/staging/src/k8s.io/api/extensions/v1beta1/types.go 
@@ -965,6 +965,22 @@ type PodSecurityPolicySpec struct {
 // privilege escalation.
 // +optional
 AllowPrivilegeEscalation bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
+ // is a white list of allowed host paths. Empty indicates that all host paths may be used.
+ // +optional
+ AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
+}
+
+// defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+type AllowedHostPath struct {
+ // is the path prefix that the host volume must match.
+ // It does not support `*`.
+ // Trailing slashes are trimmed when validating the path prefix with a host path.
+ //
+ // Examples:
+ // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+ // `/foo` would not allow `/food` or `/etc/foo`
+ PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"`
 }
 
 // FS Type gives strong typing to different file systems that are used by volumes.
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
index 2944ec44ab..eb2916d70c 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
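Review bot: The JSON tag on the new `PathPrefix` field is `pathPrefix`, but every generated artifact in this patch serialises that field as `path` — the codecgen encoder emits `string("path")` and decodes `case "path":`, and the swagger doc map and OpenAPI spec key it as `path` — so a policy written via encoding/json and one read via the ugorji codec would disagree on the field name, and a whitelist whose entries are not recognised decodes to an empty `AllowedHostPaths`, which by this type's own doc means every host path is allowed. Either change the tag to `json:"path,omitempty"` or settle on `pathPrefix` and regenerate the codec, swagger and OpenAPI files so all four agree. The protobuf tag `bytes,1,rep,name=pathPrefix` marks a single string as repeated; the neighbouring scalar `AllowPrivilegeEscalation` uses `opt`, which is presumably what was intended here. The three new doc comments open with "is a white list", "defines the host volume" and "is the path prefix" rather than the identifier, unlike the rest of the struct; e.g. `// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.`. Because the examples read as the full contract, the `PathPrefix` comment should also say whether the compared host path is cleaned (`..` segments and trailing `/`) before the prefix comparison — the matching helper is outside this hunk, so I cannot tell from here.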
@@ -36,6 +36,15 @@ func (APIVersion) SwaggerDoc() map[string]string { return map_APIVersion } +var map_AllowedHostPath = map[string]string{ + "": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.", + "path": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`", +} + +func (AllowedHostPath) SwaggerDoc() map[string]string { + return map_AllowedHostPath +} + var map_CustomMetricCurrentStatus = map[string]string{ "name": "Custom Metric name.", "value": "Custom Metric value (average).", @@ -438,6 +447,7 @@ var map_PodSecurityPolicySpec = map[string]string{ "readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.", "defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.", "allowPrivilegeEscalation": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.", + "allowedHostPaths": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", } func (PodSecurityPolicySpec) SwaggerDoc() map[string]string { diff --git a/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go index c0aa22dad1..c2b52beeb4 100644 --- a/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go 
+++ b/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go @@ -43,6 +43,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*APIVersion).DeepCopyInto(out.(*APIVersion)) return nil }, InType: reflect.TypeOf(&APIVersion{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath)) + return nil + }, InType: reflect.TypeOf(&AllowedHostPath{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus)) return nil @@ -294,6 +298,22 @@ func (in *APIVersion) DeepCopy() *APIVersion { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath. +func (in *AllowedHostPath) DeepCopy() *AllowedHostPath { + if in == nil { + return nil + } + out := new(AllowedHostPath) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) { *out = *in @@ -1365,6 +1385,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) { **out = **in } } + if in.AllowedHostPaths != nil { + in, out := &in.AllowedHostPaths, &out.AllowedHostPaths + *out = make([]AllowedHostPath, len(*in)) + copy(*out, *in) + } return }