externalize psp admission controller

shengnuo · Oct 23, 2018 · e2c6116 · e2c6116
1 parent 7de4c00
commit e2c6116
Show file tree

Hide file tree

Showing 32 changed files with 196 additions and 151 deletions.
diff --git a/pkg/security/podsecuritypolicy/BUILD b/pkg/security/podsecuritypolicy/BUILD
@@ -17,7 +17,6 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
         "//pkg/features:go_default_library",
         "//pkg/security/podsecuritypolicy/apparmor:go_default_library",
         "//pkg/security/podsecuritypolicy/capabilities:go_default_library",
@@ -28,6 +27,8 @@ go_library(
         "//pkg/security/podsecuritypolicy/user:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
         "//pkg/securitycontext:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
@@ -41,11 +42,11 @@ go_test(
     deps = [
         "//pkg/apis/core:go_default_library",
         "//pkg/apis/core/v1:go_default_library",
-        "//pkg/apis/policy:go_default_library",
         "//pkg/security/apparmor:go_default_library",
         "//pkg/security/podsecuritypolicy/seccomp:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",

diff --git a/pkg/security/podsecuritypolicy/capabilities/BUILD b/pkg/security/podsecuritypolicy/capabilities/BUILD
@@ -16,7 +16,8 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
@@ -28,7 +29,8 @@ go_test(
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
 )

diff --git a/pkg/security/podsecuritypolicy/capabilities/capabilities.go b/pkg/security/podsecuritypolicy/capabilities/capabilities.go
@@ -19,10 +19,11 @@ package capabilities
 import (
 	"fmt"
 
+	corev1 "k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 // defaultCapabilities implements the Strategy interface
@@ -36,11 +37,23 @@ var _ Strategy = &defaultCapabilities{}
 
 // NewDefaultCapabilities creates a new defaultCapabilities strategy that will provide defaults and validation
 // based on the configured initial caps and allowed caps.
-func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []api.Capability) (Strategy, error) {
+func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []corev1.Capability) (Strategy, error) {
+	internalDefaultAddCaps := make([]api.Capability, len(defaultAddCapabilities))
+	for i, capability := range defaultAddCapabilities {
+		internalDefaultAddCaps[i] = api.Capability(capability)
+	}
+	internalRequiredDropCaps := make([]api.Capability, len(requiredDropCapabilities))
+	for i, capability := range requiredDropCapabilities {
+		internalRequiredDropCaps[i] = api.Capability(capability)
+	}
+	internalAllowedCaps := make([]api.Capability, len(allowedCaps))
+	for i, capability := range allowedCaps {
+		internalAllowedCaps[i] = api.Capability(capability)
+	}
 	return &defaultCapabilities{
-		defaultAddCapabilities:   defaultAddCapabilities,
-		requiredDropCapabilities: requiredDropCapabilities,
-		allowedCaps:              allowedCaps,
+		defaultAddCapabilities:   internalDefaultAddCaps,
+		requiredDropCapabilities: internalRequiredDropCaps,
+		allowedCaps:              internalAllowedCaps,
 	}, nil
 }
 

diff --git a/pkg/security/podsecuritypolicy/capabilities/capabilities_test.go b/pkg/security/podsecuritypolicy/capabilities/capabilities_test.go
@@ -20,14 +20,15 @@ import (
 	"reflect"
 	"testing"
 
+	corev1 "k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 func TestGenerateAdds(t *testing.T) {
 	tests := map[string]struct {
-		defaultAddCaps []api.Capability
+		defaultAddCaps []corev1.Capability
 		containerCaps  *api.Capabilities
 		expectedCaps   *api.Capabilities
 	}{
@@ -37,13 +38,13 @@ func TestGenerateAdds(t *testing.T) {
 			expectedCaps:  &api.Capabilities{},
 		},
 		"required, no container requests": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			expectedCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"required, container requests add required": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
@@ -52,7 +53,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"multiple required, container requests add required": {
-			defaultAddCaps: []api.Capability{"foo", "bar", "baz"},
+			defaultAddCaps: []corev1.Capability{"foo", "bar", "baz"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
@@ -61,7 +62,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"required, container requests add non-required": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"bar"},
 			},
@@ -70,7 +71,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"generation does not mutate unnecessarily": {
-			defaultAddCaps: []api.Capability{"foo", "bar"},
+			defaultAddCaps: []corev1.Capability{"foo", "bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo", "foo", "bar", "baz"},
 			},
@@ -79,7 +80,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"generation dedupes": {
-			defaultAddCaps: []api.Capability{"foo", "bar"},
+			defaultAddCaps: []corev1.Capability{"foo", "bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo", "baz"},
 			},
@@ -88,7 +89,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"generation is case sensitive - will not dedupe": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"FOO"},
 			},
@@ -127,8 +128,8 @@ func TestGenerateAdds(t *testing.T) {
 
 func TestGenerateDrops(t *testing.T) {
 	tests := map[string]struct {
-		defaultAddCaps   []api.Capability
-		requiredDropCaps []api.Capability
+		defaultAddCaps   []corev1.Capability
+		requiredDropCaps []corev1.Capability
 		containerCaps    *api.Capabilities
 		expectedCaps     *api.Capabilities
 	}{
@@ -140,13 +141,13 @@ func TestGenerateDrops(t *testing.T) {
 			expectedCaps:  &api.Capabilities{},
 		},
 		"required drops are defaulted": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			expectedCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo"},
 			},
 		},
 		"required drops are defaulted when making container requests": {
-			requiredDropCaps: []api.Capability{"baz"},
+			requiredDropCaps: []corev1.Capability{"baz"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo", "bar"},
 			},
@@ -155,7 +156,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"required drops do not mutate unnecessarily": {
-			requiredDropCaps: []api.Capability{"baz"},
+			requiredDropCaps: []corev1.Capability{"baz"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo", "bar", "baz"},
 			},
@@ -164,7 +165,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"can drop a required add": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo"},
 			},
@@ -173,7 +174,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"can drop non-required add": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"bar"},
 			},
@@ -183,8 +184,8 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"defaulting adds and drops, dropping a required add": {
-			defaultAddCaps:   []api.Capability{"foo", "bar", "baz"},
-			requiredDropCaps: []api.Capability{"abc"},
+			defaultAddCaps:   []corev1.Capability{"foo", "bar", "baz"},
+			requiredDropCaps: []corev1.Capability{"abc"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo"},
 			},
@@ -194,7 +195,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"generation dedupes": {
-			requiredDropCaps: []api.Capability{"baz", "foo"},
+			requiredDropCaps: []corev1.Capability{"baz", "foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"bar", "foo"},
 			},
@@ -203,7 +204,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"generation is case sensitive - will not dedupe": {
-			requiredDropCaps: []api.Capability{"bar"},
+			requiredDropCaps: []corev1.Capability{"bar"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"BAR"},
 			},
@@ -241,30 +242,30 @@ func TestGenerateDrops(t *testing.T) {
 
 func TestValidateAdds(t *testing.T) {
 	tests := map[string]struct {
-		defaultAddCaps []api.Capability
-		allowedCaps    []api.Capability
+		defaultAddCaps []corev1.Capability
+		allowedCaps    []corev1.Capability
 		containerCaps  *api.Capabilities
 		expectedError  string
 	}{
 		// no container requests
 		"no required, no allowed, no container requests": {},
 		"no required, allowed, no container requests": {
-			allowedCaps: []api.Capability{"foo"},
+			allowedCaps: []corev1.Capability{"foo"},
 		},
 		"required, no allowed, no container requests": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			expectedError:  `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`,
 		},
 
 		// container requests match required
 		"required, no allowed, container requests valid": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"required, no allowed, container requests invalid": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"bar"},
 			},
@@ -273,19 +274,19 @@ func TestValidateAdds(t *testing.T) {
 
 		// container requests match allowed
 		"no required, allowed, container requests valid": {
-			allowedCaps: []api.Capability{"foo"},
+			allowedCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"no required, all allowed, container requests valid": {
-			allowedCaps: []api.Capability{policy.AllowAllCapabilities},
+			allowedCaps: []corev1.Capability{policy.AllowAllCapabilities},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"no required, allowed, container requests invalid": {
-			allowedCaps: []api.Capability{"foo"},
+			allowedCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"bar"},
 			},
@@ -294,29 +295,29 @@ func TestValidateAdds(t *testing.T) {
 
 		// required and allowed
 		"required, allowed, container requests valid required": {
-			defaultAddCaps: []api.Capability{"foo"},
-			allowedCaps:    []api.Capability{"bar"},
+			defaultAddCaps: []corev1.Capability{"foo"},
+			allowedCaps:    []corev1.Capability{"bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"required, allowed, container requests valid allowed": {
-			defaultAddCaps: []api.Capability{"foo"},
-			allowedCaps:    []api.Capability{"bar"},
+			defaultAddCaps: []corev1.Capability{"foo"},
+			allowedCaps:    []corev1.Capability{"bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"bar"},
 			},
 		},
 		"required, allowed, container requests invalid": {
-			defaultAddCaps: []api.Capability{"foo"},
-			allowedCaps:    []api.Capability{"bar"},
+			defaultAddCaps: []corev1.Capability{"foo"},
+			allowedCaps:    []corev1.Capability{"bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"baz"},
 			},
 			expectedError: `capabilities.add: Invalid value: "baz": capability may not be added`,
 		},
 		"validation is case sensitive": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"FOO"},
 			},
@@ -351,33 +352,33 @@ func TestValidateAdds(t *testing.T) {
 
 func TestValidateDrops(t *testing.T) {
 	tests := map[string]struct {
-		requiredDropCaps []api.Capability
+		requiredDropCaps []corev1.Capability
 		containerCaps    *api.Capabilities
 		expectedError    string
 	}{
 		// no container requests
 		"no required, no container requests": {},
 		"required, no container requests": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			expectedError:    `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`,
 		},
 
 		// container requests match required
 		"required, container requests valid": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo"},
 			},
 		},
 		"required, container requests invalid": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"bar"},
 			},
 			expectedError: `capabilities.drop: Invalid value: []core.Capability{"bar"}: foo is required to be dropped but was not found`,
 		},
 		"validation is case sensitive": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"FOO"},
 			},