github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Allow PSP's to specify a whitelist of allowed paths for host volume 

removed files not supposed to be there
pull/6/head
Josh Horwitz 2017-08-06 15:40:18 -04:00
parent a235ba4e49
commit fab6044a31
18 changed files with 1424 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
api/openapi-spec/swagger.json
View File

@ -62402,6 +62402,15 @@
}
}
},
"io.k8s.api.extensions.v1beta1.AllowedHostPath": {
"description": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
"properties": {
"path": {
"description": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
"type": "string"
}
}
},
"io.k8s.api.extensions.v1beta1.DaemonSet": {
"description": "DaemonSet represents the configuration of a daemon set.",
"properties": {
@ -63275,6 +63284,13 @@
"type": "string"
}
},
"allowedHostPaths": {
"description": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.",
"type": "array",
"items": {
"$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath"
}
},
"defaultAddCapabilities": {
"description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
"type": "array",

17
api/swagger-spec/extensions_v1beta1.json
View File

@ -9470,6 +9470,13 @@
"allowPrivilegeEscalation": {
"type": "boolean",
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation."
},
"allowedHostPaths": {
"type": "array",
"items": {
"$ref": "v1beta1.AllowedHostPath"
},
"description": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used."
}
}
},
@ -9588,6 +9595,16 @@
}
}
},
"v1beta1.AllowedHostPath": {
"id": "v1beta1.AllowedHostPath",
"description": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
"properties": {
"path": {
"type": "string",
"description": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`"
}
}
},
"v1beta1.ReplicaSetList": {
"id": "v1beta1.ReplicaSetList",
"description": "ReplicaSetList is a collection of ReplicaSets.",

43
docs/api-reference/extensions/v1beta1/definitions.html
View File

@ -419,6 +419,42 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
<h2 id="_definitions">Definitions</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_v1beta1_allowedhostpath">v1beta1.AllowedHostPath</h3>
<div class="paragraph">
<p>AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">path</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">PathPrefix is the path prefix that the host volume must match. PathPrefix does not support <code>*</code>. Trailing slashes are trimmed when validating the path prefix with a host path.<br>
<br>
Examples: <code>/foo</code> would allow <code>/foo</code>, <code>/foo/</code> and <code>/foo/bar</code> <code>/foo</code> would not allow <code>/food</code> or <code>/etc/foo</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1beta1_deploymentstatus">v1beta1.DeploymentStatus</h3>
<div class="paragraph">
<p>DeploymentStatus is the most recently observed status of the Deployment.</p>
@ -7691,6 +7727,13 @@ Both these may change in the future. Incoming requests are matched against the h
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowedHostPaths</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_allowedhostpath">v1beta1.AllowedHostPath</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>

16
pkg/apis/extensions/types.go
View File

@ -933,6 +933,22 @@ type PodSecurityPolicySpec struct {
// privilege escalation.
// +optional
AllowPrivilegeEscalation bool
// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
// +optional
AllowedHostPaths []AllowedHostPath
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
// for pods to use. It requires the path prefix to be defined.
type AllowedHostPath struct {
// PathPrefix is the path prefix that the host volume must match.
// PathPrefix does not support `*`.
// Trailing slashes are trimmed when validating the path prefix with a host path.
//
// Examples:
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
// `/foo` would not allow `/food` or `/etc/foo`
PathPrefix string
}
// HostPortRange defines a range of host ports that will be enabled by a policy

24
pkg/apis/extensions/v1beta1/zz_generated.conversion.go
View File

@ -42,6 +42,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
return scheme.AddGeneratedConversionFuncs(
Convert_v1beta1_APIVersion_To_extensions_APIVersion,
Convert_extensions_APIVersion_To_v1beta1_APIVersion,
Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath,
Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath,
Convert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus,
Convert_extensions_CustomMetricCurrentStatus_To_v1beta1_CustomMetricCurrentStatus,
Convert_v1beta1_CustomMetricCurrentStatusList_To_extensions_CustomMetricCurrentStatusList,
@ -165,6 +167,26 @@ func Convert_extensions_APIVersion_To_v1beta1_APIVersion(in *extensions.APIVersi
return autoConvert_extensions_APIVersion_To_v1beta1_APIVersion(in, out, s)
}
func autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
out.PathPrefix = in.PathPrefix
return nil
}
// Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath is an autogenerated conversion function.
func Convert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in *v1beta1.AllowedHostPath, out *extensions.AllowedHostPath, s conversion.Scope) error {
return autoConvert_v1beta1_AllowedHostPath_To_extensions_AllowedHostPath(in, out, s)
}
func autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
out.PathPrefix = in.PathPrefix
return nil
}
// Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath is an autogenerated conversion function.
func Convert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in *extensions.AllowedHostPath, out *v1beta1.AllowedHostPath, s conversion.Scope) error {
return autoConvert_extensions_AllowedHostPath_To_v1beta1_AllowedHostPath(in, out, s)
}
func autoConvert_v1beta1_CustomMetricCurrentStatus_To_extensions_CustomMetricCurrentStatus(in *v1beta1.CustomMetricCurrentStatus, out *extensions.CustomMetricCurrentStatus, s conversion.Scope) error {
out.Name = in.Name
out.CurrentValue = in.CurrentValue
@ -1070,6 +1092,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
return nil
}
@ -1113,6 +1136,7 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
out.AllowedHostPaths = *(*[]v1beta1.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
return nil
}

26
pkg/apis/extensions/validation/validation.go
View File

@ -19,6 +19,8 @@ package validation
import (
"fmt"
"net"
"path/filepath"
"regexp"
"strconv"
"strings"
@ -661,6 +663,7 @@ func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPa
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
return allErrs
}
@ -701,6 +704,29 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string,
return allErrs
}
// validatePSPAllowedHostPaths makes sure all allowed host paths follow:
// 1. path prefix is required
// 2. path prefix does not have any element which is ".."
func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []extensions.AllowedHostPath) field.ErrorList {
allErrs := field.ErrorList{}
for i, target := range allowedHostPaths {
if target.PathPrefix == "" {
allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
break
}
parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
for _, item := range parts {
if item == ".." {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
break // even for `../../..`, one error is sufficient to make the point
}
}
}
return allErrs
}
// validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
func validatePSPSELinux(fldPath *field.Path, seLinux *extensions.SELinuxStrategyOptions) field.ErrorList {
allErrs := field.ErrorList{}

24
pkg/apis/extensions/validation/validation_test.go
View File

@ -2418,6 +2418,10 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
},
AllowedHostPaths: []extensions.AllowedHostPath{
{PathPrefix: "/foo/bar"},
{PathPrefix: "/baz/"},
},
},
}
}
@ -2497,6 +2501,16 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
}
invalidAllowedHostPathMissingPath := validPSP()
invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
{PathPrefix: ""},
}
invalidAllowedHostPathBacksteps := validPSP()
invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
{PathPrefix: "/dont/allow/backsteps/.."},
}
invalidDefaultAllowPrivilegeEscalation := validPSP()
pe := true
invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
@ -2612,6 +2626,16 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
errorType: field.ErrorTypeInvalid,
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
},
"invalid allowed host path empty path": {
psp: invalidAllowedHostPathMissingPath,
errorType: field.ErrorTypeRequired,
errorDetail: "is required",
},
"invalid allowed host path with backsteps": {
psp: invalidAllowedHostPathBacksteps,
errorType: field.ErrorTypeInvalid,
errorDetail: "must not contain '..'",
},
}
for k, v := range errorCases {

25
pkg/apis/extensions/zz_generated.deepcopy.go
View File

@ -42,6 +42,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
in.(*APIVersion).DeepCopyInto(out.(*APIVersion))
return nil
}, InType: reflect.TypeOf(&APIVersion{})},
conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath))
return nil
}, InType: reflect.TypeOf(&AllowedHostPath{})},
conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus))
return nil
@ -269,6 +273,22 @@ func (in *APIVersion) DeepCopy() *APIVersion {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
if in == nil {
return nil
}
out := new(AllowedHostPath)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
*out = *in
@ -1117,6 +1137,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
**out = **in
}
}
if in.AllowedHostPaths != nil {
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
*out = make([]AllowedHostPath, len(*in))
copy(*out, *in)
}
return
}

14
pkg/security/podsecuritypolicy/provider.go
View File

@ -239,7 +239,8 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
// TODO(tallclair): ValidatePodSecurityContext should be renamed to ValidatePod since its scope
// is not limited to the PodSecurityContext.
if len(pod.Spec.Volumes) > 0 && !psputil.PSPAllowsAllVolumes(s.psp) {
if len(pod.Spec.Volumes) > 0 {
allowsAllVolumeTypes := psputil.PSPAllowsAllVolumes(s.psp)
allowedVolumes := psputil.FSTypeToStringSet(s.psp.Spec.Volumes)
for i, v := range pod.Spec.Volumes {
fsType, err := psputil.GetVolumeFSType(v)
@ -248,10 +249,19 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
continue
}
if !allowedVolumes.Has(string(fsType)) {
if !allowsAllVolumeTypes && !allowedVolumes.Has(string(fsType)) {
allErrs = append(allErrs, field.Invalid(
field.NewPath("spec", "volumes").Index(i), string(fsType),
fmt.Sprintf("%s volumes are not allowed to be used", string(fsType))))
continue
}
if fsType == extensions.HostPath {
if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) {
allErrs = append(allErrs, field.Invalid(
field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path,
fmt.Sprintf("is not allowed to be used")))
}
}
}
}

54
pkg/security/podsecuritypolicy/provider_test.go
View File

@ -248,6 +248,23 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
},
}
failHostPathDirPod := defaultPod()
failHostPathDirPod.Spec.Volumes = []api.Volume{
{
Name: "bad volume",
VolumeSource: api.VolumeSource{
HostPath: &api.HostPathVolumeSource{
Path: "/fail",
},
},
},
}
failHostPathDirPSP := defaultPSP()
failHostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
failHostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
{PathPrefix: "/foo/bar"},
}
failOtherSysctlsAllowedPSP := defaultPSP()
failOtherSysctlsAllowedPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc"
@ -318,6 +335,11 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
psp: defaultPSP(),
expectedError: "hostPath volumes are not allowed to be used",
},
"failHostPathDirPSP": {
pod: failHostPathDirPod,
psp: failHostPathDirPSP,
expectedError: "is not allowed to be used",
},
"failSafeSysctlFooPod with failNoSysctlAllowedSCC": {
pod: failSafeSysctlFooPod,
psp: failNoSysctlAllowedPSP,
@ -556,6 +578,30 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
Level: "level",
}
hostPathDirPod := defaultPod()
hostPathDirPod.Spec.Volumes = []api.Volume{
{
Name: "good volume",
VolumeSource: api.VolumeSource{
HostPath: &api.HostPathVolumeSource{
Path: "/foo/bar/baz",
},
},
},
}
hostPathDirPSP := defaultPSP()
hostPathDirPSP.Spec.Volumes = []extensions.FSType{extensions.HostPath}
hostPathDirPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
{PathPrefix: "/foo/bar"},
}
hostPathDirAsterisksPSP := defaultPSP()
hostPathDirAsterisksPSP.Spec.Volumes = []extensions.FSType{extensions.All}
hostPathDirAsterisksPSP.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
{PathPrefix: "/foo/bar"},
}
sysctlAllowFooPSP := defaultPSP()
sysctlAllowFooPSP.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "foo"
@ -619,6 +665,14 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
pod: unsafeSysctlFooPod,
psp: defaultPSP(),
},
"pass hostDir allowed directory validating PSP": {
pod: hostPathDirPod,
psp: hostPathDirPSP,
},
"pass hostDir all volumes allowed validating PSP": {
pod: hostPathDirPod,
psp: hostPathDirAsterisksPSP,
},
"pass seccomp validating PSP": {
pod: seccompPod,
psp: seccompPSP,

51
pkg/security/podsecuritypolicy/util/util.go
View File

@ -18,6 +18,7 @@ package util
import (
"fmt"
"strings"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/kubernetes/pkg/api"
@ -170,3 +171,53 @@ func UserFallsInRange(id int64, rng extensions.UserIDRange) bool {
func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool {
return id >= rng.Min && id <= rng.Max
}
// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
// This only checks the path. You should still check to make sure the host volume fs type is allowed.
func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool {
if psp == nil {
return false
}
// If no allowed paths are specified then allow any path
if len(psp.Spec.AllowedHostPaths) == 0 {
return true
}
for _, allowedPath := range psp.Spec.AllowedHostPaths {
if hasPathPrefix(hostPath, allowedPath.PathPrefix) {
return true
}
}
return false
}
// hasPathPrefix returns true if the string matches pathPrefix exactly, or if is prefixed with pathPrefix at a path segment boundary
// the string and pathPrefix are both normalized to remove trailing slashes prior to checking.
func hasPathPrefix(s, pathPrefix string) bool {
s = strings.TrimSuffix(s, "/")
pathPrefix = strings.TrimSuffix(pathPrefix, "/")
// Short circuit if s doesn't contain the prefix at all
if !strings.HasPrefix(s, pathPrefix) {
return false
}
pathPrefixLength := len(pathPrefix)
if len(s) == pathPrefixLength {
// Exact match
return true
}
if s[pathPrefixLength:pathPrefixLength+1] == "/" {
// The next character in s is a path segment boundary
// Check this instead of normalizing pathPrefix to avoid allocating on every call
// Example where this check applies: s=/foo/bar and pathPrefix=/foo
return true
}
return false
}

92
pkg/security/podsecuritypolicy/util/util_test.go
View File

@ -103,3 +103,95 @@ func TestPSPAllowsFSType(t *testing.T) {
}
}
}
func TestAllowsHostVolumePath(t *testing.T) {
tests := map[string]struct {
psp *extensions.PodSecurityPolicy
path string
allows bool
}{
"nil psp": {
psp: nil,
path: "/test",
allows: false,
},
"empty allowed paths": {
psp: &extensions.PodSecurityPolicy{},
path: "/test",
allows: true,
},
"non-matching": {
psp: &extensions.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{
{PathPrefix: "/foo"},
},
},
},
path: "/foobar",
allows: false,
},
"match on direct match": {
psp: &extensions.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{
{PathPrefix: "/foo"},
},
},
},
path: "/foo",
allows: true,
},
"match with trailing slash on host path": {
psp: &extensions.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{
{PathPrefix: "/foo"},
},
},
},
path: "/foo/",
allows: true,
},
"match with trailing slash on allowed path": {
psp: &extensions.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{
{PathPrefix: "/foo/"},
},
},
},
path: "/foo",
allows: true,
},
"match child directory": {
psp: &extensions.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{
{PathPrefix: "/foo/"},
},
},
},
path: "/foo/bar",
allows: true,
},
"non-matching parent directory": {
psp: &extensions.PodSecurityPolicy{
Spec: extensions.PodSecurityPolicySpec{
AllowedHostPaths: []extensions.AllowedHostPath{
{PathPrefix: "/foo/bar"},
},
},
},
path: "/foo",
allows: false,
},
}
for k, v := range tests {
allows := AllowsHostVolumePath(v.psp, v.path)
if v.allows != allows {
t.Errorf("%s expected %t but got %t", k, v.allows, allows)
}
}
}

447
staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go
View File

@ -26,6 +26,7 @@ limitations under the License.
It has these top-level messages:
APIVersion
AllowedHostPath
CustomMetricCurrentStatus
CustomMetricCurrentStatusList
CustomMetricTarget
@ -119,93 +120,99 @@ func (m *APIVersion) Reset() { *m = APIVersion{} }
func (*APIVersion) ProtoMessage() {}
func (*APIVersion) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
func (m *AllowedHostPath) Reset() { *m = AllowedHostPath{} }
func (*AllowedHostPath) ProtoMessage() {}
func (*AllowedHostPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
func (m *CustomMetricCurrentStatus) Reset() { *m = CustomMetricCurrentStatus{} }
func (*CustomMetricCurrentStatus) ProtoMessage() {}
func (*CustomMetricCurrentStatus) Descriptor() ([]byte, []int) {
return fileDescriptorGenerated, []int{1}
return fileDescriptorGenerated, []int{2}
}
func (m *CustomMetricCurrentStatusList) Reset() { *m = CustomMetricCurrentStatusList{} }
func (*CustomMetricCurrentStatusList) ProtoMessage() {}
func (*CustomMetricCurrentStatusList) Descriptor() ([]byte, []int) {
return fileDescriptorGenerated, []int{2}
return fileDescriptorGenerated, []int{3}
}
func (m *CustomMetricTarget) Reset() { *m = CustomMetricTarget{} }
func (*CustomMetricTarget) ProtoMessage() {}
func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
func (m *CustomMetricTargetList) Reset() { *m = CustomMetricTargetList{} }
func (*CustomMetricTargetList) ProtoMessage() {}
func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
func (m *DaemonSet) Reset() { *m = DaemonSet{} }
func (*DaemonSet) ProtoMessage() {}
func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
func (m *DaemonSetList) Reset() { *m = DaemonSetList{} }
func (*DaemonSetList) ProtoMessage() {}
func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
func (m *DaemonSetSpec) Reset() { *m = DaemonSetSpec{} }
func (*DaemonSetSpec) ProtoMessage() {}
func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
func (m *DaemonSetStatus) Reset() { *m = DaemonSetStatus{} }
func (*DaemonSetStatus) ProtoMessage() {}
func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} }
func (*DaemonSetUpdateStrategy) ProtoMessage() {}
func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} }
func (*DaemonSetUpdateStrategy) ProtoMessage() {}
func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) {
return fileDescriptorGenerated, []int{10}
}
func (m *Deployment) Reset() { *m = Deployment{} }
func (*Deployment) ProtoMessage() {}
func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
func (m *DeploymentCondition) Reset() { *m = DeploymentCondition{} }
func (*DeploymentCondition) ProtoMessage() {}
func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
func (m *DeploymentList) Reset() { *m = DeploymentList{} }
func (*DeploymentList) ProtoMessage() {}
func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
func (m *DeploymentRollback) Reset() { *m = DeploymentRollback{} }
func (*DeploymentRollback) ProtoMessage() {}
func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
func (m *DeploymentSpec) Reset() { *m = DeploymentSpec{} }
func (*DeploymentSpec) ProtoMessage() {}
func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
func (m *DeploymentStatus) Reset() { *m = DeploymentStatus{} }
func (*DeploymentStatus) ProtoMessage() {}
func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
func (m *DeploymentStrategy) Reset() { *m = DeploymentStrategy{} }
func (*DeploymentStrategy) ProtoMessage() {}
func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
func (m *FSGroupStrategyOptions) Reset() { *m = FSGroupStrategyOptions{} }
func (*FSGroupStrategyOptions) ProtoMessage() {}
func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
func (m *HTTPIngressPath) Reset() { *m = HTTPIngressPath{} }
func (*HTTPIngressPath) ProtoMessage() {}
func (*HTTPIngressPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
func (*HTTPIngressPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
func (m *HTTPIngressRuleValue) Reset() { *m = HTTPIngressRuleValue{} }
func (*HTTPIngressRuleValue) ProtoMessage() {}
func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
func (m *HostPortRange) Reset() { *m = HostPortRange{} }
func (*HostPortRange) ProtoMessage() {}
func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
func (m *IDRange) Reset() { *m = IDRange{} }
func (*IDRange) ProtoMessage() {}
func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{22} }
func (m *IPBlock) Reset() { *m = IPBlock{} }
func (*IPBlock) ProtoMessage() {}
@ -369,6 +376,7 @@ func (*ThirdPartyResourceList) Descriptor() ([]byte, []int) { return fileDescrip
func init() {
proto.RegisterType((*APIVersion)(nil), "k8s.io.api.extensions.v1beta1.APIVersion")
proto.RegisterType((*AllowedHostPath)(nil), "k8s.io.api.extensions.v1beta1.AllowedHostPath")
proto.RegisterType((*CustomMetricCurrentStatus)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatus")
proto.RegisterType((*CustomMetricCurrentStatusList)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatusList")
proto.RegisterType((*CustomMetricTarget)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricTarget")
@ -450,6 +458,28 @@ func (m *APIVersion) MarshalTo(dAtA []byte) (int, error) {
return i, nil
}
func (m *AllowedHostPath) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalTo(dAtA)
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *AllowedHostPath) MarshalTo(dAtA []byte) (int, error) {
var i int
_ = i
var l int
_ = l
dAtA[i] = 0xa
i++
i = encodeVarintGenerated(dAtA, i, uint64(len(m.PathPrefix)))
i += copy(dAtA[i:], m.PathPrefix)
return i, nil
}
func (m *CustomMetricCurrentStatus) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
@ -2078,6 +2108,20 @@ func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) {
dAtA[i] = 0
}
i++
if len(m.AllowedHostPaths) > 0 {
for _, msg := range m.AllowedHostPaths {
dAtA[i] = 0x8a
i++
dAtA[i] = 0x1
i++
i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
n, err := msg.MarshalTo(dAtA[i:])
if err != nil {
return 0, err
}
i += n
}
}
return i, nil
}
@ -2792,6 +2836,14 @@ func (m *APIVersion) Size() (n int) {
return n
}
func (m *AllowedHostPath) Size() (n int) {
var l int
_ = l
l = len(m.PathPrefix)
n += 1 + l + sovGenerated(uint64(l))
return n
}
func (m *CustomMetricCurrentStatus) Size() (n int) {
var l int
_ = l
@ -3362,6 +3414,12 @@ func (m *PodSecurityPolicySpec) Size() (n int) {
n += 2
}
n += 3
if len(m.AllowedHostPaths) > 0 {
for _, e := range m.AllowedHostPaths {
l = e.Size()
n += 2 + l + sovGenerated(uint64(l))
}
}
return n
}
@ -3632,6 +3690,16 @@ func (this *APIVersion) String() string {
}, "")
return s
}
func (this *AllowedHostPath) String() string {
if this == nil {
return "nil"
}
s := strings.Join([]string{`&AllowedHostPath{`,
`PathPrefix:` + fmt.Sprintf("%v", this.PathPrefix) + `,`,
`}`,
}, "")
return s
}
func (this *CustomMetricCurrentStatus) String() string {
if this == nil {
return "nil"
@ -4110,6 +4178,7 @@ func (this *PodSecurityPolicySpec) String() string {
`ReadOnlyRootFilesystem:` + fmt.Sprintf("%v", this.ReadOnlyRootFilesystem) + `,`,
`DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`,
`AllowPrivilegeEscalation:` + fmt.Sprintf("%v", this.AllowPrivilegeEscalation) + `,`,
`AllowedHostPaths:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedHostPaths), "AllowedHostPath", "AllowedHostPath", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
@ -4428,6 +4497,85 @@ func (m *APIVersion) Unmarshal(dAtA []byte) error {
}
return nil
}
func (m *AllowedHostPath) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: AllowedHostPath: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: AllowedHostPath: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field PathPrefix", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.PathPrefix = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
if err != nil {
return err
}
if skippy < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func (m *CustomMetricCurrentStatus) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
@ -9731,6 +9879,37 @@ func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error {
}
}
m.AllowPrivilegeEscalation = bool(v != 0)
case 17:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field AllowedHostPaths", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.AllowedHostPaths = append(m.AllowedHostPaths, AllowedHostPath{})
if err := m.AllowedHostPaths[len(m.AllowedHostPaths)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -12183,6 +12362,7 @@ func init() {
}
var fileDescriptorGenerated = []byte{
<<<<<<< a235ba4e49451c779b8328378addf0d7bd7b84fd
// 3495 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0xcd, 0x6f, 0x1b, 0xd7,
0xb5, 0xf7, 0x90, 0xa2, 0x48, 0x1d, 0x5a, 0x92, 0x75, 0xe5, 0xc8, 0x8c, 0x1c, 0x8b, 0xce, 0x04,
@ -12403,4 +12583,225 @@ var fileDescriptorGenerated = []byte{
0x78, 0x74, 0x30, 0x27, 0x7c, 0x7e, 0x30, 0x27, 0x7c, 0x71, 0x30, 0x27, 0xfc, 0xed, 0x60, 0x4e,
0xf8, 0xf1, 0x57, 0x73, 0x27, 0xee, 0xe7, 0x39, 0xee, 0xbf, 0x02, 0x00, 0x00, 0xff, 0xff, 0x6f,
0x30, 0xd5, 0x91, 0x29, 0x3b, 0x00, 0x00,
=======
// 3487 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0x4d, 0x6c, 0x1c, 0xc7,
0x95, 0x56, 0xcf, 0x0f, 0x39, 0x7c, 0x14, 0xff, 0x8a, 0x32, 0x35, 0xa6, 0x2c, 0x0e, 0xdd, 0x06,
0xb4, 0x92, 0x57, 0x9a, 0xb1, 0x64, 0xcb, 0x96, 0x2d, 0xac, 0x77, 0x39, 0xa4, 0x7e, 0xe8, 0x25,
0x29, 0xaa, 0x66, 0x48, 0xef, 0x0a, 0xd6, 0xae, 0x9b, 0x33, 0xc5, 0x61, 0x8b, 0x3d, 0xdd, 0xe3,
0xee, 0x6a, 0x9a, 0x73, 0x59, 0xec, 0xc9, 0xc0, 0x02, 0xbb, 0xd8, 0xdd, 0x83, 0x03, 0x07, 0xc8,
0x21, 0xbe, 0xe4, 0x94, 0x20, 0xbe, 0x25, 0x07, 0x23, 0x40, 0x80, 0x04, 0x10, 0x02, 0x27, 0xf0,
0x29, 0xf1, 0x89, 0x88, 0xe9, 0x63, 0xce, 0x01, 0x02, 0x1d, 0x82, 0xa0, 0xaa, 0xab, 0xff, 0xbb,
0x39, 0x33, 0xb4, 0x44, 0x04, 0xb9, 0x71, 0xea, 0xbd, 0xf7, 0xbd, 0x9f, 0xaa, 0x7a, 0xf5, 0xaa,
0x5e, 0x13, 0x6e, 0xef, 0xde, 0xb0, 0xca, 0xaa, 0x51, 0xd9, 0xb5, 0xb7, 0x88, 0xa9, 0x13, 0x4a,
0xac, 0xca, 0x1e, 0xd1, 0x9b, 0x86, 0x59, 0x11, 0x04, 0xa5, 0xa3, 0x56, 0xc8, 0x3e, 0x25, 0xba,
0xa5, 0x1a, 0xba, 0x55, 0xd9, 0xbb, 0xba, 0x45, 0xa8, 0x72, 0xb5, 0xd2, 0x22, 0x3a, 0x31, 0x15,
0x4a, 0x9a, 0xe5, 0x8e, 0x69, 0x50, 0x03, 0x9d, 0x77, 0xd8, 0xcb, 0x4a, 0x47, 0x2d, 0xfb, 0xec,
0x65, 0xc1, 0x3e, 0x7b, 0xa5, 0xa5, 0xd2, 0x1d, 0x7b, 0xab, 0xdc, 0x30, 0xda, 0x95, 0x96, 0xd1,
0x32, 0x2a, 0x5c, 0x6a, 0xcb, 0xde, 0xe6, 0xbf, 0xf8, 0x0f, 0xfe, 0x97, 0x83, 0x36, 0x2b, 0x07,
0x94, 0x37, 0x0c, 0x93, 0x54, 0xf6, 0x62, 0x1a, 0x67, 0x2f, 0x05, 0x78, 0x3a, 0x86, 0xa6, 0x36,
0xba, 0x69, 0xc6, 0xcd, 0xbe, 0xe6, 0xb3, 0xb6, 0x95, 0xc6, 0x8e, 0xaa, 0x13, 0xb3, 0x5b, 0xe9,
0xec, 0xb6, 0xb8, 0xac, 0x49, 0x2c, 0xc3, 0x36, 0x1b, 0x64, 0x20, 0x29, 0xab, 0xd2, 0x26, 0x54,
0x49, 0x32, 0xab, 0x92, 0x26, 0x65, 0xda, 0x3a, 0x55, 0xdb, 0x71, 0x35, 0xaf, 0xf7, 0x12, 0xb0,
0x1a, 0x3b, 0xa4, 0xad, 0xc4, 0xe4, 0x5e, 0x4d, 0x93, 0xb3, 0xa9, 0xaa, 0x55, 0x54, 0x9d, 0x5a,
0xd4, 0x8c, 0x0a, 0xc9, 0x65, 0x80, 0x85, 0xf5, 0xe5, 0x4d, 0x62, 0xb2, 0xe9, 0x41, 0xf3, 0x90,
0xd3, 0x95, 0x36, 0x29, 0x4a, 0xf3, 0xd2, 0xc5, 0x91, 0xea, 0xe9, 0xc7, 0x07, 0xa5, 0x53, 0x87,
0x07, 0xa5, 0xdc, 0x9a, 0xd2, 0x26, 0x98, 0x53, 0xe4, 0x37, 0x61, 0x62, 0x41, 0xd3, 0x8c, 0x0f,
0x49, 0xf3, 0xae, 0x61, 0xd1, 0x75, 0x85, 0xee, 0xa0, 0x0b, 0x90, 0xeb, 0x28, 0x74, 0x47, 0x08,
0x21, 0x21, 0x04, 0x8c, 0xb6, 0x6e, 0x92, 0x6d, 0x75, 0x1f, 0x73, 0xba, 0xfc, 0x5d, 0x09, 0x9e,
0x5f, 0xb4, 0x2d, 0x6a, 0xb4, 0x57, 0x09, 0x35, 0xd5, 0xc6, 0xa2, 0x6d, 0x9a, 0x44, 0xa7, 0x35,
0xaa, 0x50, 0xdb, 0xea, 0xad, 0x1a, 0x3d, 0x80, 0xfc, 0x9e, 0xa2, 0xd9, 0xa4, 0x98, 0x99, 0x97,
0x2e, 0x8e, 0x5e, 0x2b, 0x97, 0xfd, 0x15, 0xe6, 0xf9, 0x5b, 0xee, 0xec, 0xb6, 0xf8, 0x92, 0x73,
0x27, 0xb1, 0x7c, 0xdf, 0x56, 0x74, 0xaa, 0xd2, 0x6e, 0xf5, 0x8c, 0x80, 0x3c, 0x2d, 0xf4, 0x6e,
0x32, 0x2c, 0xec, 0x40, 0xca, 0xff, 0x01, 0xe7, 0x53, 0x4d, 0x5b, 0x51, 0x2d, 0x8a, 0x1e, 0x42,
0x5e, 0xa5, 0xa4, 0x6d, 0x15, 0xa5, 0xf9, 0xec, 0xc5, 0xd1, 0x6b, 0x37, 0xca, 0x47, 0x2e, 0xef,
0x72, 0x2a, 0x58, 0x75, 0x4c, 0x98, 0x91, 0x5f, 0x66, 0x70, 0xd8, 0x41, 0x95, 0xff, 0x5f, 0x02,
0x14, 0x94, 0xa9, 0x2b, 0x66, 0x8b, 0xd0, 0x3e, 0x82, 0xf2, 0xaf, 0xdf, 0x2e, 0x28, 0xd3, 0x02,
0x72, 0xd4, 0x51, 0x18, 0x8a, 0x49, 0x07, 0x66, 0xe2, 0x26, 0xf1, 0x60, 0x6c, 0x86, 0x83, 0x71,
0x75, 0x80, 0x60, 0x38, 0x28, 0x29, 0x51, 0xf8, 0x38, 0x03, 0x23, 0x4b, 0x0a, 0x69, 0x1b, 0x7a,
0x8d, 0x50, 0xf4, 0x3e, 0x14, 0xd8, 0x9e, 0x6a, 0x2a, 0x54, 0xe1, 0x01, 0x18, 0xbd, 0xf6, 0xca,
0x51, 0xde, 0x59, 0x65, 0xc6, 0x5d, 0xde, 0xbb, 0x5a, 0xbe, 0xb7, 0xf5, 0x88, 0x34, 0xe8, 0x2a,
0xa1, 0x8a, 0xbf, 0x1a, 0xfd, 0x31, 0xec, 0xa1, 0xa2, 0x35, 0xc8, 0x59, 0x1d, 0xd2, 0x10, 0xb1,
0xbb, 0xdc, 0xc3, 0x0d, 0xcf, 0xb2, 0x5a, 0x87, 0x34, 0xfc, 0xc9, 0x60, 0xbf, 0x30, 0xc7, 0x41,
0x9b, 0x30, 0x64, 0xf1, 0x59, 0x2e, 0x66, 0x63, 0xb3, 0x71, 0x34, 0xa2, 0xb3, 0x36, 0xc6, 0x05,
0xe6, 0x90, 0xf3, 0x1b, 0x0b, 0x34, 0xf9, 0x73, 0x09, 0xc6, 0x3c, 0x5e, 0x3e, 0x03, 0xef, 0xc5,
0x62, 0x53, 0xee, 0x2f, 0x36, 0x4c, 0x9a, 0x47, 0x66, 0x52, 0xe8, 0x2a, 0xb8, 0x23, 0x81, 0xb8,
0xac, 0xba, 0xf3, 0x9b, 0xe1, 0xf3, 0x7b, 0xb1, 0x5f, 0x37, 0x52, 0xa6, 0xf5, 0x3b, 0xb9, 0x80,
0xf9, 0x2c, 0x5c, 0xe8, 0x21, 0x14, 0x2c, 0xa2, 0x91, 0x06, 0x35, 0x4c, 0x61, 0xfe, 0xab, 0x7d,
0x9a, 0xaf, 0x6c, 0x11, 0xad, 0x26, 0x44, 0xab, 0xa7, 0x99, 0xfd, 0xee, 0x2f, 0xec, 0x41, 0xa2,
0xfb, 0x50, 0xa0, 0xa4, 0xdd, 0xd1, 0x14, 0xea, 0xee, 0x8b, 0x97, 0x82, 0x2e, 0xb0, 0x03, 0x84,
0x81, 0xad, 0x1b, 0xcd, 0xba, 0x60, 0xe3, 0x53, 0xea, 0x85, 0xc4, 0x1d, 0xc5, 0x1e, 0x0c, 0xda,
0x83, 0x71, 0xbb, 0xd3, 0x64, 0x9c, 0x94, 0xa5, 0xcf, 0x56, 0x57, 0x4c, 0xf1, 0xeb, 0xfd, 0xc6,
0x66, 0x23, 0x24, 0x5d, 0x9d, 0x11, 0xba, 0xc6, 0xc3, 0xe3, 0x38, 0xa2, 0x05, 0x2d, 0xc0, 0x44,
0x5b, 0xd5, 0x31, 0x51, 0x9a, 0xdd, 0x1a, 0x69, 0x18, 0x7a, 0xd3, 0x2a, 0xe6, 0xe6, 0xa5, 0x8b,
0xf9, 0xea, 0x59, 0x01, 0x30, 0xb1, 0x1a, 0x26, 0xe3, 0x28, 0x3f, 0x7a, 0x07, 0x90, 0xeb, 0xc6,
0x1d, 0x27, 0xfb, 0xab, 0x86, 0x5e, 0xcc, 0xcf, 0x4b, 0x17, 0xb3, 0xd5, 0x59, 0x81, 0x82, 0xea,
0x31, 0x0e, 0x9c, 0x20, 0x85, 0x56, 0xe0, 0x8c, 0x49, 0xf6, 0x54, 0xe6, 0xe3, 0x5d, 0xd5, 0xa2,
0x86, 0xd9, 0x5d, 0x51, 0xdb, 0x2a, 0x2d, 0x0e, 0x71, 0x9b, 0x8a, 0x87, 0x07, 0xa5, 0x33, 0x38,
0x81, 0x8e, 0x13, 0xa5, 0xe4, 0xcf, 0xf2, 0x30, 0x11, 0xd9, 0x03, 0x68, 0x13, 0x66, 0x1a, 0x4e,
0xc2, 0x5c, 0xb3, 0xdb, 0x5b, 0xc4, 0xac, 0x35, 0x76, 0x48, 0xd3, 0xd6, 0x48, 0x93, 0x2f, 0x94,
0x7c, 0x75, 0x4e, 0x58, 0x3c, 0xb3, 0x98, 0xc8, 0x85, 0x53, 0xa4, 0x59, 0x14, 0x74, 0x3e, 0xb4,
0xaa, 0x5a, 0x96, 0x87, 0x99, 0xe1, 0x98, 0x5e, 0x14, 0xd6, 0x62, 0x1c, 0x38, 0x41, 0x8a, 0xd9,
0xd8, 0x24, 0x96, 0x6a, 0x92, 0x66, 0xd4, 0xc6, 0x6c, 0xd8, 0xc6, 0xa5, 0x44, 0x2e, 0x9c, 0x22,
0x8d, 0xae, 0xc3, 0xa8, 0xa3, 0x8d, 0xcf, 0x9f, 0x98, 0x68, 0x2f, 0x45, 0xaf, 0xf9, 0x24, 0x1c,
0xe4, 0x63, 0xae, 0x19, 0x5b, 0x16, 0x31, 0xf7, 0x48, 0x33, 0x7d, 0x82, 0xef, 0xc5, 0x38, 0x70,
0x82, 0x14, 0x73, 0xcd, 0x59, 0x81, 0x31, 0xd7, 0x86, 0xc2, 0xae, 0x6d, 0x24, 0x72, 0xe1, 0x14,
0x69, 0xb6, 0x8e, 0x1d, 0x93, 0x17, 0xf6, 0x14, 0x55, 0x53, 0xb6, 0x34, 0x52, 0x1c, 0x0e, 0xaf,
0xe3, 0xb5, 0x30, 0x19, 0x47, 0xf9, 0xd1, 0x1d, 0x98, 0x72, 0x86, 0x36, 0x74, 0xc5, 0x03, 0x29,
0x70, 0x90, 0xe7, 0x05, 0xc8, 0xd4, 0x5a, 0x94, 0x01, 0xc7, 0x65, 0xd0, 0x5b, 0x30, 0xde, 0x30,
0x34, 0x8d, 0xaf, 0xc7, 0x45, 0xc3, 0xd6, 0x69, 0x71, 0x84, 0xa3, 0x20, 0xb6, 0x1f, 0x17, 0x43,
0x14, 0x1c, 0xe1, 0x94, 0x7f, 0x25, 0xc1, 0xd9, 0x94, 0x3d, 0x8d, 0xfe, 0x11, 0x72, 0xb4, 0xdb,
0x71, 0x4f, 0xeb, 0xbf, 0x77, 0x0f, 0x88, 0x7a, 0xb7, 0x43, 0x9e, 0x1c, 0x94, 0xce, 0xa5, 0x88,
0x31, 0x32, 0xe6, 0x82, 0x48, 0x87, 0x31, 0x93, 0xa9, 0xd3, 0x5b, 0x0e, 0x8b, 0x48, 0x5e, 0xd7,
0x7b, 0xe4, 0x18, 0x1c, 0x94, 0xf1, 0x93, 0xf1, 0xd4, 0xe1, 0x41, 0x69, 0x2c, 0x44, 0xc3, 0x61,
0x78, 0xf9, 0x93, 0x0c, 0xc0, 0x12, 0xe9, 0x68, 0x46, 0xb7, 0x4d, 0xf4, 0x93, 0x38, 0x70, 0xef,
0x85, 0x0e, 0xdc, 0x2b, 0xbd, 0x72, 0xa7, 0x67, 0x5a, 0xea, 0x89, 0xfb, 0x6e, 0xe4, 0xc4, 0xad,
0xf4, 0x0f, 0x79, 0xf4, 0x91, 0xfb, 0xbb, 0x2c, 0x4c, 0xfb, 0xcc, 0x8b, 0x86, 0xde, 0x54, 0xf9,
0xfe, 0xb8, 0x19, 0x9a, 0xe3, 0xbf, 0x8b, 0xcc, 0xf1, 0xd9, 0x04, 0x91, 0xc0, 0xfc, 0xae, 0x78,
0xd6, 0x66, 0xb8, 0xf8, 0x6b, 0x61, 0xe5, 0x4f, 0x0e, 0x4a, 0x09, 0xf7, 0x9c, 0xb2, 0x87, 0x14,
0x36, 0x11, 0x5d, 0x80, 0x21, 0x93, 0x28, 0x96, 0xa1, 0xf3, 0x44, 0x31, 0xe2, 0xbb, 0x82, 0xf9,
0x28, 0x16, 0x54, 0x74, 0x09, 0x86, 0xdb, 0xc4, 0xb2, 0x94, 0x16, 0xe1, 0x39, 0x61, 0xa4, 0x3a,
0x21, 0x18, 0x87, 0x57, 0x9d, 0x61, 0xec, 0xd2, 0xd1, 0x23, 0x18, 0xd7, 0x14, 0x4b, 0x2c, 0xd0,
0xba, 0xda, 0x26, 0x7c, 0xd7, 0x8f, 0x5e, 0x7b, 0xb9, 0xbf, 0x75, 0xc0, 0x24, 0xfc, 0x93, 0x6d,
0x25, 0x84, 0x84, 0x23, 0xc8, 0x68, 0x0f, 0x10, 0x1b, 0xa9, 0x9b, 0x8a, 0x6e, 0x39, 0x81, 0x62,
0xfa, 0x86, 0x07, 0xd6, 0xe7, 0x65, 0xb8, 0x95, 0x18, 0x1a, 0x4e, 0xd0, 0x20, 0xff, 0x4c, 0x82,
0x71, 0x7f, 0x9a, 0x4e, 0xa0, 0x9a, 0x5a, 0x0b, 0x57, 0x53, 0x97, 0xfa, 0x5e, 0xa2, 0x29, 0xe5,
0xd4, 0x9f, 0x32, 0x80, 0x7c, 0x26, 0xb6, 0xc1, 0xb7, 0x94, 0xc6, 0x6e, 0x1f, 0x77, 0x85, 0x8f,
0x25, 0x40, 0x22, 0x3d, 0x2f, 0xe8, 0xba, 0x41, 0x79, 0xc6, 0x77, 0xcd, 0x5a, 0xee, 0xdb, 0x2c,
0x57, 0x63, 0x79, 0x23, 0x86, 0x75, 0x4b, 0xa7, 0x66, 0xd7, 0x9f, 0x91, 0x38, 0x03, 0x4e, 0x30,
0x00, 0x29, 0x00, 0xa6, 0xc0, 0xac, 0x1b, 0x62, 0x23, 0x5f, 0xe9, 0x23, 0xe7, 0x31, 0x81, 0x45,
0x43, 0xdf, 0x56, 0x5b, 0x7e, 0xda, 0xc1, 0x1e, 0x10, 0x0e, 0x80, 0xce, 0xde, 0x82, 0xb3, 0x29,
0xd6, 0xa2, 0x49, 0xc8, 0xee, 0x92, 0xae, 0x13, 0x36, 0xcc, 0xfe, 0x44, 0x67, 0x82, 0x77, 0xaa,
0x11, 0x71, 0x1d, 0x7a, 0x2b, 0x73, 0x43, 0x92, 0x3f, 0xcf, 0x07, 0xd7, 0x0e, 0x2f, 0x65, 0x2f,
0x42, 0xc1, 0x24, 0x1d, 0x4d, 0x6d, 0x28, 0x96, 0xa8, 0x50, 0x78, 0x55, 0x8a, 0xc5, 0x18, 0xf6,
0xa8, 0xa1, 0xa2, 0x37, 0xf3, 0x6c, 0x8b, 0xde, 0xec, 0xd3, 0x29, 0x7a, 0xff, 0x1d, 0x0a, 0x96,
0x5b, 0xee, 0xe6, 0x38, 0xe4, 0xd5, 0x01, 0xf2, 0xab, 0xa8, 0x74, 0x3d, 0x05, 0x5e, 0x8d, 0xeb,
0x81, 0x26, 0x55, 0xb7, 0xf9, 0x01, 0xab, 0xdb, 0xa7, 0x5a, 0x91, 0xb2, 0x9c, 0xda, 0x51, 0x6c,
0x8b, 0x34, 0x79, 0x22, 0x2a, 0xf8, 0x39, 0x75, 0x9d, 0x8f, 0x62, 0x41, 0x45, 0x0f, 0x43, 0x4b,
0xb6, 0x70, 0x9c, 0x25, 0x3b, 0x9e, 0xbe, 0x5c, 0xd1, 0x06, 0x9c, 0xed, 0x98, 0x46, 0xcb, 0x24,
0x96, 0xb5, 0x44, 0x94, 0xa6, 0xa6, 0xea, 0xc4, 0x8d, 0x8f, 0x53, 0xaa, 0x9c, 0x3b, 0x3c, 0x28,
0x9d, 0x5d, 0x4f, 0x66, 0xc1, 0x69, 0xb2, 0xf2, 0xe3, 0x1c, 0x4c, 0x46, 0x4f, 0xc0, 0x94, 0xea,
0x51, 0x3a, 0x56, 0xf5, 0x78, 0x39, 0xb0, 0x19, 0x9c, 0xd2, 0xda, 0x9b, 0xfd, 0x84, 0x0d, 0xb1,
0x00, 0x13, 0x22, 0x1b, 0xb8, 0x44, 0x51, 0x3f, 0x7b, 0xb3, 0xbf, 0x11, 0x26, 0xe3, 0x28, 0x3f,
0xab, 0x09, 0xfd, 0x52, 0xcf, 0x05, 0xc9, 0x85, 0x6b, 0xc2, 0x85, 0x28, 0x03, 0x8e, 0xcb, 0xa0,
0x55, 0x98, 0xb6, 0xf5, 0x38, 0x94, 0xb3, 0x1a, 0xcf, 0x09, 0xa8, 0xe9, 0x8d, 0x38, 0x0b, 0x4e,
0x92, 0x43, 0xdb, 0x00, 0x0d, 0xf7, 0xd8, 0xb6, 0x8a, 0x43, 0x3c, 0xc3, 0x5e, 0xeb, 0x7b, 0xef,
0x78, 0x27, 0xbe, 0x9f, 0xd7, 0xbc, 0x21, 0x0b, 0x07, 0x90, 0xd1, 0x4d, 0x18, 0x33, 0xf9, 0x85,
0xc0, 0x35, 0xd8, 0x29, 0xaa, 0x9f, 0x13, 0x62, 0x63, 0x38, 0x48, 0xc4, 0x61, 0xde, 0x84, 0x3a,
0xb8, 0xd0, 0x77, 0x1d, 0xfc, 0x73, 0x29, 0x78, 0x08, 0x79, 0x25, 0xf0, 0x5b, 0xa1, 0xf2, 0xe8,
0x42, 0xa4, 0x3c, 0x9a, 0x89, 0x4b, 0x04, 0xaa, 0x23, 0x23, 0xb9, 0xfa, 0x7d, 0x7d, 0xa0, 0xea,
0xd7, 0x3f, 0x3c, 0x7b, 0x97, 0xbf, 0x9f, 0x4a, 0x30, 0x73, 0xbb, 0x76, 0xc7, 0x34, 0xec, 0x8e,
0x6b, 0xce, 0xbd, 0x8e, 0x13, 0xd7, 0x37, 0x20, 0x67, 0xda, 0x9a, 0xeb, 0xc7, 0x4b, 0xae, 0x1f,
0xd8, 0xd6, 0x98, 0x1f, 0xd3, 0x11, 0x29, 0xc7, 0x09, 0x26, 0x80, 0xd6, 0x60, 0xc8, 0x54, 0xf4,
0x16, 0x71, 0x8f, 0xd5, 0x0b, 0x3d, 0xac, 0x5f, 0x5e, 0xc2, 0x8c, 0x3d, 0x50, 0xbc, 0x71, 0x69,
0x2c, 0x50, 0xe4, 0xff, 0x91, 0x60, 0xe2, 0x6e, 0xbd, 0xbe, 0xbe, 0xac, 0xf3, 0x1d, 0xcd, 0x1f,
0x5c, 0xe7, 0x43, 0x0f, 0xae, 0xde, 0x49, 0xcf, 0x68, 0xce, 0x53, 0x2b, 0xfa, 0x17, 0x18, 0x66,
0x99, 0x84, 0xe8, 0xcd, 0x3e, 0x4b, 0x6d, 0x01, 0x5f, 0x75, 0x84, 0xfc, 0x0a, 0x51, 0x0c, 0x60,
0x17, 0x4e, 0xde, 0x85, 0x33, 0x01, 0x73, 0x58, 0x3c, 0xf8, 0x9b, 0x21, 0xaa, 0x41, 0x9e, 0x69,
0x76, 0x9f, 0x04, 0x7b, 0xbd, 0x7c, 0x45, 0x5c, 0xf2, 0x2b, 0x1d, 0xf6, 0xcb, 0xc2, 0x0e, 0x96,
0xbc, 0x0a, 0x63, 0xfc, 0x95, 0xd9, 0x30, 0x29, 0x0f, 0x0b, 0x3a, 0x0f, 0xd9, 0xb6, 0xaa, 0x8b,
0x73, 0x76, 0x54, 0xc8, 0x64, 0xd9, 0x19, 0xc1, 0xc6, 0x39, 0x59, 0xd9, 0x17, 0x99, 0xc7, 0x27,
0x2b, 0xfb, 0x98, 0x8d, 0xcb, 0x77, 0x60, 0x58, 0x84, 0x3b, 0x08, 0x94, 0x3d, 0x1a, 0x28, 0x9b,
0x00, 0xf4, 0xbf, 0x19, 0x18, 0x16, 0xd6, 0x9f, 0xc0, 0xa5, 0x69, 0x25, 0x74, 0x69, 0x7a, 0xb9,
0xbf, 0x99, 0x4c, 0xbd, 0x31, 0xd5, 0x23, 0x37, 0xa6, 0xcb, 0x7d, 0xe2, 0x1d, 0x7d, 0x5d, 0xfa,
0x4c, 0x82, 0xf1, 0xf0, 0x1a, 0x42, 0xd7, 0x61, 0x94, 0x9d, 0x0f, 0x6a, 0x83, 0xac, 0xf9, 0x65,
0xa9, 0xf7, 0x98, 0x51, 0xf3, 0x49, 0x38, 0xc8, 0x87, 0x5a, 0x9e, 0x18, 0x9b, 0x76, 0xe1, 0x74,
0x7a, 0x48, 0x6d, 0xaa, 0x6a, 0x65, 0xa7, 0xb7, 0x51, 0x5e, 0xd6, 0xe9, 0x3d, 0xb3, 0x46, 0x4d,
0x55, 0x6f, 0xc5, 0x14, 0xf1, 0x35, 0x14, 0x44, 0x96, 0x7f, 0x2a, 0xc1, 0xa8, 0x30, 0xf9, 0x04,
0x2e, 0x01, 0xff, 0x1c, 0xbe, 0x04, 0x5c, 0xe8, 0x73, 0x3f, 0x26, 0xdf, 0x00, 0x7e, 0xe0, 0x9b,
0xce, 0x76, 0x20, 0x4b, 0x08, 0x3b, 0x86, 0x45, 0xa3, 0x09, 0x81, 0xed, 0x1d, 0xcc, 0x29, 0xc8,
0x86, 0x49, 0x35, 0xb2, 0x65, 0x45, 0x68, 0x2b, 0xfd, 0x59, 0xe2, 0x89, 0x55, 0x8b, 0x02, 0x7e,
0x32, 0x4a, 0xc1, 0x31, 0x15, 0x32, 0x81, 0x18, 0x17, 0xba, 0x0f, 0xb9, 0x1d, 0x4a, 0x3b, 0x09,
0xef, 0xbe, 0x3d, 0x12, 0x85, 0x6f, 0x42, 0x81, 0x7b, 0x57, 0xaf, 0xaf, 0x63, 0x0e, 0x25, 0xff,
0xd9, 0x8f, 0x47, 0xcd, 0x59, 0xe3, 0x5e, 0xfa, 0x93, 0x8e, 0x93, 0xfe, 0x46, 0x93, 0x52, 0x1f,
0xba, 0x0b, 0x59, 0xaa, 0xf5, 0x7b, 0x8b, 0x13, 0x88, 0xf5, 0x95, 0x9a, 0x9f, 0x3f, 0xea, 0x2b,
0x35, 0xcc, 0x20, 0xd0, 0x3d, 0xc8, 0xb3, 0xc3, 0x82, 0x6d, 0xc1, 0x6c, 0xff, 0x5b, 0x9a, 0xf9,
0xef, 0x2f, 0x08, 0xf6, 0xcb, 0xc2, 0x0e, 0x8e, 0xfc, 0x01, 0x8c, 0x85, 0xf6, 0x29, 0x7a, 0x1f,
0x4e, 0x6b, 0x86, 0xd2, 0xac, 0x2a, 0x9a, 0xa2, 0x37, 0x88, 0xfb, 0xc8, 0x7e, 0x21, 0xe9, 0x42,
0xb0, 0x12, 0xe0, 0x13, 0xbb, 0xdc, 0x6b, 0x95, 0x05, 0x69, 0x38, 0x84, 0x28, 0x2b, 0x00, 0xbe,
0x8f, 0xa8, 0x04, 0x79, 0xb6, 0xce, 0x9c, 0xf4, 0x3f, 0x52, 0x1d, 0x61, 0x16, 0xb2, 0xe5, 0x67,
0x61, 0x67, 0x1c, 0x5d, 0x03, 0xb0, 0x48, 0xc3, 0x24, 0x94, 0x27, 0x83, 0x4c, 0xb8, 0x55, 0x58,
0xf3, 0x28, 0x38, 0xc0, 0x25, 0xff, 0x52, 0x82, 0xb1, 0x35, 0x42, 0x3f, 0x34, 0xcc, 0xdd, 0x75,
0xde, 0xcf, 0x3d, 0x81, 0x64, 0x8b, 0x43, 0xc9, 0xf6, 0x95, 0x1e, 0x33, 0x13, 0xb2, 0x2e, 0x2d,
0xe5, 0x32, 0x3f, 0x8a, 0x21, 0xce, 0xe0, 0xde, 0xdd, 0x80, 0x7c, 0xc7, 0x30, 0xa9, 0x7b, 0x70,
0x0e, 0xa4, 0x91, 0xe5, 0xb1, 0xc0, 0xd1, 0xc9, 0x60, 0xb0, 0x83, 0xc6, 0xfc, 0xd8, 0x36, 0x8d,
0xb6, 0x58, 0xad, 0x83, 0xa1, 0x12, 0x62, 0xfa, 0x7e, 0xdc, 0x36, 0x8d, 0x36, 0xe6, 0x58, 0xf2,
0x2f, 0x24, 0x98, 0x0a, 0x71, 0x9e, 0x40, 0xde, 0xbc, 0x1f, 0xce, 0x9b, 0x97, 0x07, 0x71, 0x24,
0x25, 0x7b, 0xfe, 0x31, 0xea, 0x06, 0x73, 0x18, 0x6d, 0xc3, 0x68, 0xc7, 0x68, 0xd6, 0x9e, 0x42,
0x57, 0x6a, 0x82, 0x1d, 0x3b, 0xeb, 0x3e, 0x16, 0x0e, 0x02, 0xa3, 0x7d, 0x98, 0xd2, 0x95, 0x36,
0xb1, 0x3a, 0x4a, 0x83, 0xd4, 0x9e, 0xc2, 0x73, 0xc0, 0x73, 0xfc, 0xd9, 0x3b, 0x8a, 0x88, 0xe3,
0x4a, 0xe4, 0x1f, 0xc6, 0xfc, 0x36, 0x4c, 0x8a, 0xee, 0x40, 0x81, 0x7f, 0x09, 0xd0, 0x30, 0x34,
0xf7, 0xe1, 0x9a, 0x4d, 0xc5, 0xba, 0x18, 0x7b, 0x72, 0x50, 0x3a, 0x97, 0xf0, 0x26, 0xe9, 0x92,
0xb1, 0x27, 0x8c, 0xd6, 0x20, 0xd7, 0xf9, 0x36, 0x27, 0x36, 0x4f, 0xea, 0xfc, 0x98, 0xe6, 0x38,
0xf2, 0x37, 0x51, 0x73, 0x79, 0x6a, 0x7f, 0xf4, 0xd4, 0xa6, 0xc9, 0xab, 0x10, 0x52, 0xa7, 0x6a,
0x0b, 0x86, 0xc5, 0x89, 0x26, 0x56, 0xdf, 0x1b, 0x83, 0xac, 0xbe, 0x60, 0xd6, 0xf6, 0xea, 0x69,
0x77, 0xd0, 0x05, 0x96, 0x7f, 0x2d, 0xc1, 0x14, 0x37, 0xa0, 0x61, 0x9b, 0x2a, 0xed, 0x9e, 0x58,
0x9e, 0xdb, 0x0c, 0xe5, 0xb9, 0xd7, 0x7a, 0x38, 0x16, 0xb3, 0x30, 0x35, 0xd7, 0x7d, 0x21, 0xc1,
0x73, 0x31, 0xee, 0x13, 0xc8, 0x13, 0x1b, 0xe1, 0x3c, 0xf1, 0xca, 0xa0, 0x0e, 0xa5, 0xe4, 0x8a,
0xef, 0x9d, 0x4e, 0x70, 0x87, 0x2f, 0xc4, 0x6b, 0x00, 0x1d, 0x53, 0xdd, 0x53, 0x35, 0xd2, 0x12,
0xbd, 0xc9, 0x42, 0xe0, 0xdb, 0x17, 0x8f, 0x82, 0x03, 0x5c, 0xc8, 0x82, 0x99, 0x26, 0xd9, 0x56,
0x6c, 0x8d, 0x2e, 0x34, 0x9b, 0x8b, 0x4a, 0x47, 0xd9, 0x52, 0x35, 0x95, 0xaa, 0xe2, 0xb2, 0x38,
0x52, 0xbd, 0xe9, 0xf4, 0x0c, 0x93, 0x38, 0x9e, 0x1c, 0x94, 0xce, 0x27, 0xf5, 0x06, 0x5c, 0x96,
0x2e, 0x4e, 0x81, 0x46, 0x5d, 0x28, 0x9a, 0xe4, 0x03, 0x5b, 0x35, 0x49, 0x73, 0xc9, 0x34, 0x3a,
0x21, 0xb5, 0x59, 0xae, 0xf6, 0x1f, 0x0e, 0x0f, 0x4a, 0x45, 0x9c, 0xc2, 0xd3, 0x5b, 0x71, 0x2a,
0x3c, 0x7a, 0x04, 0xd3, 0x8a, 0xf3, 0xb1, 0x50, 0x48, 0x6b, 0x8e, 0x6b, 0xbd, 0x71, 0x78, 0x50,
0x9a, 0x5e, 0x88, 0x93, 0x7b, 0x2b, 0x4c, 0x02, 0x45, 0x15, 0x18, 0xde, 0x33, 0x34, 0xbb, 0x4d,
0xac, 0x62, 0x9e, 0xe3, 0xb3, 0xc4, 0x38, 0xbc, 0xe9, 0x0c, 0x3d, 0x39, 0x28, 0x0d, 0xdd, 0xae,
0xf1, 0x6b, 0xba, 0xcb, 0xc5, 0xee, 0x27, 0xac, 0x34, 0x11, 0x7b, 0x96, 0xbf, 0x17, 0x16, 0xfc,
0xa4, 0x70, 0xd7, 0x27, 0xe1, 0x20, 0x1f, 0x7a, 0x08, 0x23, 0x3b, 0xe2, 0x4e, 0x6a, 0x15, 0x87,
0xfb, 0x3a, 0x94, 0x42, 0x77, 0xd8, 0xea, 0x94, 0x50, 0x31, 0xe2, 0x0e, 0x5b, 0xd8, 0x47, 0x44,
0x97, 0x60, 0x98, 0xff, 0x58, 0x5e, 0xe2, 0x8f, 0x31, 0x05, 0x3f, 0x75, 0xdc, 0x75, 0x86, 0xb1,
0x4b, 0x77, 0x59, 0x97, 0xd7, 0x17, 0xf9, 0xa3, 0x60, 0x84, 0x75, 0x79, 0x7d, 0x11, 0xbb, 0x74,
0xf4, 0x3e, 0x0c, 0x5b, 0x64, 0x45, 0xd5, 0xed, 0xfd, 0x22, 0xf4, 0xd5, 0x52, 0xac, 0xdd, 0xe2,
0xdc, 0x91, 0x67, 0x11, 0x5f, 0x83, 0xa0, 0x63, 0x17, 0x16, 0xed, 0xc0, 0x88, 0x69, 0xeb, 0x0b,
0xd6, 0x86, 0x45, 0xcc, 0xe2, 0x28, 0xd7, 0xd1, 0x2b, 0x5b, 0x62, 0x97, 0x3f, 0xaa, 0xc5, 0x8b,
0x90, 0xc7, 0x81, 0x7d, 0x70, 0xf4, 0xdf, 0x12, 0x20, 0xcb, 0xee, 0x74, 0x34, 0xd2, 0x26, 0x3a,
0x55, 0x34, 0xfe, 0x12, 0x63, 0x15, 0x4f, 0x73, 0x9d, 0xff, 0xd4, 0xcb, 0xaf, 0x98, 0x60, 0x54,
0xb9, 0xf7, 0xe4, 0x19, 0x67, 0xc5, 0x09, 0x7a, 0x59, 0x68, 0xb7, 0x2d, 0xfe, 0x77, 0x71, 0xac,
0xaf, 0xd0, 0x26, 0xbf, 0x38, 0xf9, 0xa1, 0x15, 0x74, 0xec, 0xc2, 0xa2, 0x4d, 0x98, 0x31, 0x89,
0xd2, 0xbc, 0xa7, 0x6b, 0x5d, 0x6c, 0x18, 0xf4, 0xb6, 0xaa, 0x11, 0xab, 0x6b, 0x51, 0xd2, 0x2e,
0x8e, 0xf3, 0x69, 0xf7, 0x5a, 0xf2, 0x38, 0x91, 0x0b, 0xa7, 0x48, 0xa3, 0x36, 0x94, 0xdc, 0x94,
0xc1, 0xf6, 0x93, 0x97, 0xb3, 0x6e, 0x59, 0x0d, 0x45, 0x73, 0x5e, 0x81, 0x27, 0xb8, 0x82, 0x97,
0x0e, 0x0f, 0x4a, 0xa5, 0xa5, 0xa3, 0x59, 0x71, 0x2f, 0x2c, 0xf4, 0x1e, 0x14, 0x95, 0x34, 0x3d,
0x93, 0x5c, 0xcf, 0xbc, 0x70, 0xa4, 0x98, 0xaa, 0x24, 0x15, 0x01, 0x51, 0x98, 0x54, 0xc2, 0xdf,
0x25, 0x5a, 0xc5, 0xa9, 0xbe, 0x9e, 0xa2, 0x22, 0x9f, 0x33, 0xfa, 0xf7, 0xdb, 0x08, 0xc1, 0xc2,
0x31, 0x0d, 0xbc, 0x81, 0x2e, 0x9e, 0x53, 0x4f, 0xe6, 0x8b, 0xb5, 0xc1, 0x1a, 0xe8, 0xbe, 0x69,
0x4f, 0xad, 0x81, 0x1e, 0x80, 0x3c, 0xfa, 0x45, 0xe8, 0x0f, 0x19, 0x98, 0xf6, 0x99, 0xfb, 0x6e,
0xa0, 0x27, 0x88, 0x3c, 0xb3, 0x06, 0x7a, 0x72, 0x07, 0x3a, 0xfb, 0xac, 0x3b, 0xd0, 0xcf, 0xa0,
0x71, 0xcf, 0x9b, 0xda, 0x7e, 0xe8, 0xfe, 0xfa, 0x9a, 0xda, 0xbe, 0x6d, 0x29, 0x85, 0xd6, 0x8f,
0x33, 0x41, 0x07, 0xfe, 0xe6, 0x3b, 0xab, 0xdf, 0xfe, 0xb3, 0x3e, 0xf9, 0x8b, 0x2c, 0x4c, 0x46,
0x77, 0x63, 0xa8, 0x01, 0x27, 0xf5, 0x6c, 0xc0, 0xad, 0xc3, 0x99, 0x6d, 0x5b, 0xd3, 0xba, 0x3c,
0x0c, 0x81, 0x2e, 0x9c, 0xf3, 0x80, 0xfe, 0x82, 0x90, 0x3c, 0x73, 0x3b, 0x81, 0x07, 0x27, 0x4a,
0xa6, 0x34, 0x13, 0xb3, 0xc7, 0x6a, 0x26, 0xc6, 0x7a, 0x5b, 0xb9, 0x01, 0x7a, 0x5b, 0x89, 0x8d,
0xc1, 0xfc, 0x31, 0x1a, 0x83, 0xc7, 0xe9, 0xe4, 0x25, 0x24, 0xb1, 0x5e, 0x9d, 0x3c, 0xf9, 0x05,
0x98, 0x15, 0x62, 0x94, 0x37, 0xd9, 0x74, 0x6a, 0x1a, 0x9a, 0x46, 0xcc, 0x25, 0xbb, 0xdd, 0xee,
0xca, 0x6f, 0xc3, 0x78, 0xb8, 0x7d, 0xec, 0xcc, 0xb4, 0xd3, 0xc1, 0x16, 0x6d, 0x8c, 0xc0, 0x4c,
0x3b, 0xe3, 0xd8, 0xe3, 0x90, 0x3f, 0x92, 0x60, 0x26, 0xf9, 0x33, 0x31, 0xa4, 0xc1, 0x78, 0x5b,
0xd9, 0x0f, 0x7e, 0x53, 0x27, 0x1d, 0xf3, 0x06, 0xcf, 0xfb, 0x86, 0xab, 0x21, 0x2c, 0x1c, 0xc1,
0x66, 0xb7, 0xfa, 0xb3, 0x29, 0x1d, 0xbb, 0x93, 0xb5, 0x04, 0x3d, 0x80, 0x42, 0x5b, 0xd9, 0xaf,
0xd9, 0x66, 0x8b, 0x1c, 0xfb, 0xcd, 0x82, 0x67, 0x8c, 0x55, 0x81, 0x82, 0x3d, 0x3c, 0xf9, 0x53,
0x09, 0x8a, 0x69, 0xe5, 0x2d, 0xba, 0x1e, 0xea, 0x2d, 0xbe, 0x18, 0xe9, 0x2d, 0x4e, 0xc5, 0xe4,
0x9e, 0x51, 0x67, 0xf1, 0x47, 0x12, 0xcc, 0x24, 0x97, 0xf9, 0xe8, 0xd5, 0x90, 0x85, 0xa5, 0x88,
0x85, 0x13, 0x11, 0x29, 0x61, 0xdf, 0xbf, 0xc1, 0xb8, 0xb8, 0x0c, 0x08, 0x18, 0x11, 0x55, 0x39,
0x29, 0x57, 0x0a, 0x08, 0xb7, 0xf8, 0xe5, 0xf3, 0x15, 0x1e, 0xc3, 0x11, 0x34, 0xf9, 0xbf, 0x32,
0x90, 0xaf, 0x35, 0x14, 0x8d, 0x9c, 0x40, 0x99, 0xf5, 0x4e, 0xa8, 0xcc, 0xea, 0xf5, 0xfd, 0x3b,
0xb7, 0x2a, 0xb5, 0xc2, 0xc2, 0x91, 0x0a, 0xeb, 0xe5, 0xbe, 0xd0, 0x8e, 0x2e, 0xae, 0xde, 0x84,
0x11, 0x4f, 0xe9, 0x60, 0x39, 0x5f, 0xfe, 0x7e, 0x06, 0x46, 0x03, 0x2a, 0x06, 0x3c, 0x31, 0xb6,
0x43, 0x27, 0x6d, 0x3f, 0xff, 0x09, 0x13, 0xd0, 0x55, 0x76, 0xcf, 0x56, 0xe7, 0x33, 0x31, 0xff,
0xc3, 0xa0, 0xf8, 0x91, 0xfb, 0x36, 0x8c, 0x53, 0xfe, 0x9f, 0x22, 0xde, 0x4b, 0x5f, 0x96, 0xaf,
0x45, 0xef, 0xe3, 0xc2, 0x7a, 0x88, 0x8a, 0x23, 0xdc, 0xb3, 0x37, 0x61, 0x2c, 0xa4, 0x6c, 0xa0,
0xaf, 0xbc, 0x7e, 0x22, 0xc1, 0x8b, 0x3d, 0x2f, 0x8a, 0xa8, 0x1a, 0xda, 0x24, 0xe5, 0xc8, 0x26,
0x99, 0x4b, 0x07, 0x78, 0x86, 0x5f, 0x0b, 0x7c, 0x94, 0x01, 0x54, 0xdf, 0x51, 0xcd, 0xe6, 0xba,
0x62, 0xd2, 0x2e, 0x16, 0xff, 0xee, 0x73, 0x02, 0x1b, 0xe6, 0x3a, 0x8c, 0x36, 0x89, 0xd5, 0x30,
0x55, 0x1e, 0x1c, 0x51, 0x9d, 0x7b, 0x8f, 0x29, 0x4b, 0x3e, 0x09, 0x07, 0xf9, 0xd0, 0xbb, 0x50,
0xd8, 0x73, 0xfe, 0xf5, 0xcc, 0xed, 0x85, 0xf5, 0x2a, 0x24, 0xfd, 0x7f, 0x56, 0xf3, 0xd7, 0x8f,
0x18, 0xb0, 0xb0, 0x07, 0x26, 0x7f, 0x22, 0xc1, 0x4c, 0x3c, 0x10, 0x4b, 0xcc, 0xd4, 0x67, 0x1f,
0x8c, 0x17, 0x20, 0xc7, 0xd1, 0x59, 0x14, 0x4e, 0x3b, 0xef, 0xda, 0x4c, 0x33, 0xe6, 0xa3, 0xf2,
0x6f, 0x25, 0x98, 0x4d, 0x36, 0xed, 0x04, 0xca, 0xf6, 0x07, 0xe1, 0xb2, 0xbd, 0xd7, 0x5b, 0x45,
0xb2, 0x9d, 0x29, 0x25, 0xfc, 0x6f, 0x12, 0x63, 0x7e, 0x02, 0x4e, 0x6d, 0x86, 0x9d, 0xba, 0x3a,
0xb0, 0x53, 0xc9, 0x0e, 0x55, 0xaf, 0x3c, 0xfe, 0x7a, 0xee, 0xd4, 0x97, 0x5f, 0xcf, 0x9d, 0xfa,
0xea, 0xeb, 0xb9, 0x53, 0xff, 0x79, 0x38, 0x27, 0x3d, 0x3e, 0x9c, 0x93, 0xbe, 0x3c, 0x9c, 0x93,
0xbe, 0x3a, 0x9c, 0x93, 0x7e, 0x7f, 0x38, 0x27, 0xfd, 0xdf, 0x37, 0x73, 0xa7, 0x1e, 0x0c, 0x0b,
0xdc, 0xbf, 0x04, 0x00, 0x00, 0xff, 0xff, 0xc0, 0xf0, 0x58, 0xb7, 0x3a, 0x3b, 0x00, 0x00,
>>>>>>> Allow PSP's to specify a whitelist of allowed paths for host volume
}

17
staging/src/k8s.io/api/extensions/v1beta1/generated.proto
View File

@ -39,6 +39,19 @@ message APIVersion {
optional string name = 1;
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
// for pods to use. It requires the path prefix to be defined.
message AllowedHostPath {
// PathPrefix is the path prefix that the host volume must match.
// PathPrefix does not support `*`.
// Trailing slashes are trimmed when validating the path prefix with a host path.
//
// Examples:
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
// `/foo` would not allow `/food` or `/etc/foo`
optional string path = 1;
}
message CustomMetricCurrentStatus {
// Custom Metric name.
optional string name = 1;
@ -754,6 +767,10 @@ message PodSecurityPolicySpec {
// privilege escalation.
// +optional
optional bool allowPrivilegeEscalation = 16;
// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
// +optional
repeated AllowedHostPath allowedHostPaths = 17;
}
// ReplicaSet represents the configuration of a ReplicaSet.

696
staging/src/k8s.io/api/extensions/v1beta1/types.generated.go
View File

@ -14751,7 +14751,7 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
} else {
yysep2 := !z.EncBinary()
yy2arr2 := z.EncBasicHandle().StructToArray
var yyq2 [16]bool
var yyq2 [17]bool
_, _, _ = yysep2, yyq2, yy2arr2
const yyr2 bool = false
yyq2[0] = x.Privileged != false
@ -14766,9 +14766,10 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
yyq2[13] = x.ReadOnlyRootFilesystem != false
yyq2[14] = x.DefaultAllowPrivilegeEscalation != nil
yyq2[15] = x.AllowPrivilegeEscalation != false
yyq2[16] = len(x.AllowedHostPaths) != 0
var yynn2 int
if yyr2 || yy2arr2 {
r.EncodeArrayStart(16)
r.EncodeArrayStart(17)
} else {
yynn2 = 4
for _, b := range yyq2 {
@ -15173,6 +15174,39 @@ func (x *PodSecurityPolicySpec) CodecEncodeSelf(e *codec1978.Encoder) {
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
if yyq2[16] {
if x.AllowedHostPaths == nil {
r.EncodeNil()
} else {
yym62 := z.EncBinary()
_ = yym62
if false {
} else {
h.encSliceAllowedHostPath(([]AllowedHostPath)(x.AllowedHostPaths), e)
}
}
} else {
r.EncodeNil()
}
} else {
if yyq2[16] {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
r.EncodeString(codecSelferC_UTF81234, string("allowedHostPaths"))
z.EncSendContainerState(codecSelfer_containerMapValue1234)
if x.AllowedHostPaths == nil {
r.EncodeNil()
} else {
yym63 := z.EncBinary()
_ = yym63
if false {
} else {
h.encSliceAllowedHostPath(([]AllowedHostPath)(x.AllowedHostPaths), e)
}
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
} else {
@ -15410,6 +15444,18 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromMap(l int, d *codec1978.Decod
*((*bool)(yyv30)) = r.DecodeBool()
}
}
case "allowedHostPaths":
if r.TryDecodeAsNil() {
x.AllowedHostPaths = nil
} else {
yyv32 := &x.AllowedHostPaths
yym33 := z.DecBinary()
_ = yym33
if false {
} else {
h.decSliceAllowedHostPath((*[]AllowedHostPath)(yyv32), d)
}
}
default:
z.DecStructFieldNotFound(-1, yys3)
} // end switch yys3
@ -15421,16 +15467,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
var yyj32 int
var yyb32 bool
var yyhl32 bool = l >= 0
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
var yyj34 int
var yyb34 bool
var yyhl34 bool = l >= 0
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15438,21 +15484,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.Privileged = false
} else {
yyv33 := &x.Privileged
yym34 := z.DecBinary()
_ = yym34
yyv35 := &x.Privileged
yym36 := z.DecBinary()
_ = yym36
if false {
} else {
*((*bool)(yyv33)) = r.DecodeBool()
*((*bool)(yyv35)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15460,29 +15506,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.DefaultAddCapabilities = nil
} else {
yyv35 := &x.DefaultAddCapabilities
yym36 := z.DecBinary()
_ = yym36
if false {
} else {
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv35), d)
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb32 = r.CheckBreak()
}
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.RequiredDropCapabilities = nil
} else {
yyv37 := &x.RequiredDropCapabilities
yyv37 := &x.DefaultAddCapabilities
yym38 := z.DecBinary()
_ = yym38
if false {
@ -15490,21 +15514,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv37), d)
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.AllowedCapabilities = nil
x.RequiredDropCapabilities = nil
} else {
yyv39 := &x.AllowedCapabilities
yyv39 := &x.RequiredDropCapabilities
yym40 := z.DecBinary()
_ = yym40
if false {
@ -15512,13 +15536,35 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv39), d)
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.AllowedCapabilities = nil
} else {
yyv41 := &x.AllowedCapabilities
yym42 := z.DecBinary()
_ = yym42
if false {
} else {
h.decSlicev1_Capability((*[]pkg4_v1.Capability)(yyv41), d)
}
}
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb34 = r.CheckBreak()
}
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15526,21 +15572,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.Volumes = nil
} else {
yyv41 := &x.Volumes
yym42 := z.DecBinary()
_ = yym42
yyv43 := &x.Volumes
yym44 := z.DecBinary()
_ = yym44
if false {
} else {
h.decSliceFSType((*[]FSType)(yyv41), d)
h.decSliceFSType((*[]FSType)(yyv43), d)
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15548,21 +15594,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.HostNetwork = false
} else {
yyv43 := &x.HostNetwork
yym44 := z.DecBinary()
_ = yym44
yyv45 := &x.HostNetwork
yym46 := z.DecBinary()
_ = yym46
if false {
} else {
*((*bool)(yyv43)) = r.DecodeBool()
*((*bool)(yyv45)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15570,21 +15616,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.HostPorts = nil
} else {
yyv45 := &x.HostPorts
yym46 := z.DecBinary()
_ = yym46
yyv47 := &x.HostPorts
yym48 := z.DecBinary()
_ = yym48
if false {
} else {
h.decSliceHostPortRange((*[]HostPortRange)(yyv45), d)
h.decSliceHostPortRange((*[]HostPortRange)(yyv47), d)
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15592,29 +15638,7 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.HostPID = false
} else {
yyv47 := &x.HostPID
yym48 := z.DecBinary()
_ = yym48
if false {
} else {
*((*bool)(yyv47)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
} else {
yyb32 = r.CheckBreak()
}
if yyb32 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.HostIPC = false
} else {
yyv49 := &x.HostIPC
yyv49 := &x.HostPID
yym50 := z.DecBinary()
_ = yym50
if false {
@ -15622,13 +15646,35 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
*((*bool)(yyv49)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.HostIPC = false
} else {
yyv51 := &x.HostIPC
yym52 := z.DecBinary()
_ = yym52
if false {
} else {
*((*bool)(yyv51)) = r.DecodeBool()
}
}
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb34 = r.CheckBreak()
}
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15636,16 +15682,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.SELinux = SELinuxStrategyOptions{}
} else {
yyv51 := &x.SELinux
yyv51.CodecDecodeSelf(d)
yyv53 := &x.SELinux
yyv53.CodecDecodeSelf(d)
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15653,16 +15699,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.RunAsUser = RunAsUserStrategyOptions{}
} else {
yyv52 := &x.RunAsUser
yyv52.CodecDecodeSelf(d)
yyv54 := &x.RunAsUser
yyv54.CodecDecodeSelf(d)
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15670,16 +15716,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.SupplementalGroups = SupplementalGroupsStrategyOptions{}
} else {
yyv53 := &x.SupplementalGroups
yyv53.CodecDecodeSelf(d)
yyv55 := &x.SupplementalGroups
yyv55.CodecDecodeSelf(d)
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15687,16 +15733,16 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.FSGroup = FSGroupStrategyOptions{}
} else {
yyv54 := &x.FSGroup
yyv54.CodecDecodeSelf(d)
yyv56 := &x.FSGroup
yyv56.CodecDecodeSelf(d)
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15704,21 +15750,21 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.ReadOnlyRootFilesystem = false
} else {
yyv55 := &x.ReadOnlyRootFilesystem
yym56 := z.DecBinary()
_ = yym56
yyv57 := &x.ReadOnlyRootFilesystem
yym58 := z.DecBinary()
_ = yym58
if false {
} else {
*((*bool)(yyv55)) = r.DecodeBool()
*((*bool)(yyv57)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15731,20 +15777,20 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if x.DefaultAllowPrivilegeEscalation == nil {
x.DefaultAllowPrivilegeEscalation = new(bool)
}
yym58 := z.DecBinary()
_ = yym58
yym60 := z.DecBinary()
_ = yym60
if false {
} else {
*((*bool)(x.DefaultAllowPrivilegeEscalation)) = r.DecodeBool()
}
}
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -15752,26 +15798,229 @@ func (x *PodSecurityPolicySpec) codecDecodeSelfFromArray(l int, d *codec1978.Dec
if r.TryDecodeAsNil() {
x.AllowPrivilegeEscalation = false
} else {
yyv59 := &x.AllowPrivilegeEscalation
yym60 := z.DecBinary()
_ = yym60
yyv61 := &x.AllowPrivilegeEscalation
yym62 := z.DecBinary()
_ = yym62
if false {
} else {
*((*bool)(yyv59)) = r.DecodeBool()
*((*bool)(yyv61)) = r.DecodeBool()
}
}
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb34 = r.CheckBreak()
}
if yyb34 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.AllowedHostPaths = nil
} else {
yyv63 := &x.AllowedHostPaths
yym64 := z.DecBinary()
_ = yym64
if false {
} else {
h.decSliceAllowedHostPath((*[]AllowedHostPath)(yyv63), d)
}
}
for {
yyj32++
if yyhl32 {
yyb32 = yyj32 > l
yyj34++
if yyhl34 {
yyb34 = yyj34 > l
} else {
yyb32 = r.CheckBreak()
yyb34 = r.CheckBreak()
}
if yyb32 {
if yyb34 {
break
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
z.DecStructFieldNotFound(yyj32-1, "")
z.DecStructFieldNotFound(yyj34-1, "")
}
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
}
func (x *AllowedHostPath) CodecEncodeSelf(e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
_, _, _ = h, z, r
if x == nil {
r.EncodeNil()
} else {
yym1 := z.EncBinary()
_ = yym1
if false {
} else if z.HasExtensions() && z.EncExt(x) {
} else {
yysep2 := !z.EncBinary()
yy2arr2 := z.EncBasicHandle().StructToArray
var yyq2 [1]bool
_, _, _ = yysep2, yyq2, yy2arr2
const yyr2 bool = false
yyq2[0] = x.PathPrefix != ""
var yynn2 int
if yyr2 || yy2arr2 {
r.EncodeArrayStart(1)
} else {
yynn2 = 0
for _, b := range yyq2 {
if b {
yynn2++
}
}
r.EncodeMapStart(yynn2)
yynn2 = 0
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
if yyq2[0] {
yym4 := z.EncBinary()
_ = yym4
if false {
} else {
r.EncodeString(codecSelferC_UTF81234, string(x.PathPrefix))
}
} else {
r.EncodeString(codecSelferC_UTF81234, "")
}
} else {
if yyq2[0] {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
r.EncodeString(codecSelferC_UTF81234, string("path"))
z.EncSendContainerState(codecSelfer_containerMapValue1234)
yym5 := z.EncBinary()
_ = yym5
if false {
} else {
r.EncodeString(codecSelferC_UTF81234, string(x.PathPrefix))
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
} else {
z.EncSendContainerState(codecSelfer_containerMapEnd1234)
}
}
}
}
func (x *AllowedHostPath) CodecDecodeSelf(d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
yym1 := z.DecBinary()
_ = yym1
if false {
} else if z.HasExtensions() && z.DecExt(x) {
} else {
yyct2 := r.ContainerType()
if yyct2 == codecSelferValueTypeMap1234 {
yyl2 := r.ReadMapStart()
if yyl2 == 0 {
z.DecSendContainerState(codecSelfer_containerMapEnd1234)
} else {
x.codecDecodeSelfFromMap(yyl2, d)
}
} else if yyct2 == codecSelferValueTypeArray1234 {
yyl2 := r.ReadArrayStart()
if yyl2 == 0 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
} else {
x.codecDecodeSelfFromArray(yyl2, d)
}
} else {
panic(codecSelferOnlyMapOrArrayEncodeToStructErr1234)
}
}
}
func (x *AllowedHostPath) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
var yys3Slc = z.DecScratchBuffer() // default slice to decode into
_ = yys3Slc
var yyhl3 bool = l >= 0
for yyj3 := 0; ; yyj3++ {
if yyhl3 {
if yyj3 >= l {
break
}
} else {
if r.CheckBreak() {
break
}
}
z.DecSendContainerState(codecSelfer_containerMapKey1234)
yys3Slc = r.DecodeBytes(yys3Slc, true, true)
yys3 := string(yys3Slc)
z.DecSendContainerState(codecSelfer_containerMapValue1234)
switch yys3 {
case "path":
if r.TryDecodeAsNil() {
x.PathPrefix = ""
} else {
yyv4 := &x.PathPrefix
yym5 := z.DecBinary()
_ = yym5
if false {
} else {
*((*string)(yyv4)) = r.DecodeString()
}
}
default:
z.DecStructFieldNotFound(-1, yys3)
} // end switch yys3
} // end for yyj3
z.DecSendContainerState(codecSelfer_containerMapEnd1234)
}
func (x *AllowedHostPath) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
var yyj6 int
var yyb6 bool
var yyhl6 bool = l >= 0
yyj6++
if yyhl6 {
yyb6 = yyj6 > l
} else {
yyb6 = r.CheckBreak()
}
if yyb6 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.PathPrefix = ""
} else {
yyv7 := &x.PathPrefix
yym8 := z.DecBinary()
_ = yym8
if false {
} else {
*((*string)(yyv7)) = r.DecodeString()
}
}
for {
yyj6++
if yyhl6 {
yyb6 = yyj6 > l
} else {
yyb6 = r.CheckBreak()
}
if yyb6 {
break
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
z.DecStructFieldNotFound(yyj6-1, "")
}
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
}
@ -21700,6 +21949,125 @@ func (x codecSelfer1234) decSliceHostPortRange(v *[]HostPortRange, d *codec1978.
}
}
func (x codecSelfer1234) encSliceAllowedHostPath(v []AllowedHostPath, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
_, _, _ = h, z, r
r.EncodeArrayStart(len(v))
for _, yyv1 := range v {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
yy2 := &yyv1
yy2.CodecEncodeSelf(e)
}
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
}
func (x codecSelfer1234) decSliceAllowedHostPath(v *[]AllowedHostPath, d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
yyv1 := *v
yyh1, yyl1 := z.DecSliceHelperStart()
var yyc1 bool
_ = yyc1
if yyl1 == 0 {
if yyv1 == nil {
yyv1 = []AllowedHostPath{}
yyc1 = true
} else if len(yyv1) != 0 {
yyv1 = yyv1[:0]
yyc1 = true
}
} else if yyl1 > 0 {
var yyrr1, yyrl1 int
var yyrt1 bool
_, _ = yyrl1, yyrt1
yyrr1 = yyl1 // len(yyv1)
if yyl1 > cap(yyv1) {
yyrg1 := len(yyv1) > 0
yyv21 := yyv1
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 16)
if yyrt1 {
if yyrl1 <= cap(yyv1) {
yyv1 = yyv1[:yyrl1]
} else {
yyv1 = make([]AllowedHostPath, yyrl1)
}
} else {
yyv1 = make([]AllowedHostPath, yyrl1)
}
yyc1 = true
yyrr1 = len(yyv1)
if yyrg1 {
copy(yyv1, yyv21)
}
} else if yyl1 != len(yyv1) {
yyv1 = yyv1[:yyl1]
yyc1 = true
}
yyj1 := 0
for ; yyj1 < yyrr1; yyj1++ {
yyh1.ElemContainerState(yyj1)
if r.TryDecodeAsNil() {
yyv1[yyj1] = AllowedHostPath{}
} else {
yyv2 := &yyv1[yyj1]
yyv2.CodecDecodeSelf(d)
}
}
if yyrt1 {
for ; yyj1 < yyl1; yyj1++ {
yyv1 = append(yyv1, AllowedHostPath{})
yyh1.ElemContainerState(yyj1)
if r.TryDecodeAsNil() {
yyv1[yyj1] = AllowedHostPath{}
} else {
yyv3 := &yyv1[yyj1]
yyv3.CodecDecodeSelf(d)
}
}
}
} else {
yyj1 := 0
for ; !r.CheckBreak(); yyj1++ {
if yyj1 >= len(yyv1) {
yyv1 = append(yyv1, AllowedHostPath{}) // var yyz1 AllowedHostPath
yyc1 = true
}
yyh1.ElemContainerState(yyj1)
if yyj1 < len(yyv1) {
if r.TryDecodeAsNil() {
yyv1[yyj1] = AllowedHostPath{}
} else {
yyv4 := &yyv1[yyj1]
yyv4.CodecDecodeSelf(d)
}
} else {
z.DecSwallow()
}
}
if yyj1 < len(yyv1) {
yyv1 = yyv1[:yyj1]
yyc1 = true
} else if yyj1 == 0 && yyv1 == nil {
yyv1 = []AllowedHostPath{}
yyc1 = true
}
}
yyh1.End()
if yyc1 {
*v = yyv1
}
}
func (x codecSelfer1234) encSliceIDRange(v []IDRange, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
@ -21858,7 +22226,7 @@ func (x codecSelfer1234) decSlicePodSecurityPolicy(v *[]PodSecurityPolicy, d *co
yyrg1 := len(yyv1) > 0
yyv21 := yyv1
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 576)
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 600)
if yyrt1 {
if yyrl1 <= cap(yyv1) {
yyv1 = yyv1[:yyrl1]

16
staging/src/k8s.io/api/extensions/v1beta1/types.go
View File

@ -965,6 +965,22 @@ type PodSecurityPolicySpec struct {
// privilege escalation.
// +optional
AllowPrivilegeEscalation bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
// is a white list of allowed host paths. Empty indicates that all host paths may be used.
// +optional
AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
}
// defines the host volume conditions that will be enabled by a policy
// for pods to use. It requires the path prefix to be defined.
type AllowedHostPath struct {
// is the path prefix that the host volume must match.
// It does not support `*`.
// Trailing slashes are trimmed when validating the path prefix with a host path.
//
// Examples:
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
// `/foo` would not allow `/food` or `/etc/foo`
PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"`
}
// FS Type gives strong typing to different file systems that are used by volumes.

10
staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
View File

@ -36,6 +36,15 @@ func (APIVersion) SwaggerDoc() map[string]string {
return map_APIVersion
}
var map_AllowedHostPath = map[string]string{
"": "AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
"path": "PathPrefix is the path prefix that the host volume must match. PathPrefix does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
}
func (AllowedHostPath) SwaggerDoc() map[string]string {
return map_AllowedHostPath
}
var map_CustomMetricCurrentStatus = map[string]string{
"name": "Custom Metric name.",
"value": "Custom Metric value (average).",
@ -438,6 +447,7 @@ var map_PodSecurityPolicySpec = map[string]string{
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
"allowPrivilegeEscalation": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
"allowedHostPaths": "AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.",
}
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {

25
staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go
View File

@ -43,6 +43,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
in.(*APIVersion).DeepCopyInto(out.(*APIVersion))
return nil
}, InType: reflect.TypeOf(&APIVersion{})},
conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath))
return nil
}, InType: reflect.TypeOf(&AllowedHostPath{})},
conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus))
return nil
@ -294,6 +298,22 @@ func (in *APIVersion) DeepCopy() *APIVersion {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
if in == nil {
return nil
}
out := new(AllowedHostPath)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
*out = *in
@ -1365,6 +1385,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
**out = **in
}
}
if in.AllowedHostPaths != nil {
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
*out = make([]AllowedHostPath, len(*in))
copy(*out, *in)
}
return
}