rebase: bump k8s.io/kubernetes from 1.26.2 to 1.27.2

Bumps [k8s.io/kubernetes](https://github.com/kubernetes/kubernetes) from 1.26.2 to 1.27.2. - [Release notes](https://github.com/kubernetes/kubernetes/releases) - [Commits](https://github.com/kubernetes/kubernetes/compare/v1.26.2...v1.27.2) --- updated-dependencies: - dependency-name: k8s.io/kubernetes dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 10:33:35 +00:00 · 2023-05-29 21:03:29 +00:00
parent 0e79135419
commit 07b05616a0
1072 changed files with 208716 additions and 198880 deletions
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/accessors.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/accessors.go
@ -31,6 +31,7 @@ type PodSecurityContextAccessor interface {
 	RunAsUser() *int64
 	RunAsGroup() *int64
 	RunAsNonRoot() *bool
+	SeccompProfile() *api.SeccompProfile
 	SupplementalGroups() []int64
 	FSGroup() *int64
 }
@ -46,6 +47,7 @@ type PodSecurityContextMutator interface {
 	SetRunAsUser(*int64)
 	SetRunAsGroup(*int64)
 	SetRunAsNonRoot(*bool)
+	SetSeccompProfile(*api.SeccompProfile)
 	SetSupplementalGroups([]int64)
 	SetFSGroup(*int64)

@ -171,6 +173,19 @@ func (w *podSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
 	w.ensurePodSC()
 	w.podSC.RunAsNonRoot = v
 }
+func (w *podSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.SeccompProfile
+}
+func (w *podSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
+	if w.podSC == nil && p == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.SeccompProfile = p
+}
 func (w *podSecurityContextWrapper) SupplementalGroups() []int64 {
 	if w.podSC == nil {
 		return nil
@ -211,6 +226,7 @@ type ContainerSecurityContextAccessor interface {
 	RunAsGroup() *int64
 	RunAsNonRoot() *bool
 	ReadOnlyRootFilesystem() *bool
+	SeccompProfile() *api.SeccompProfile
 	AllowPrivilegeEscalation() *bool
 }

@ -227,6 +243,7 @@ type ContainerSecurityContextMutator interface {
 	SetRunAsGroup(*int64)
 	SetRunAsNonRoot(*bool)
 	SetReadOnlyRootFilesystem(*bool)
+	SetSeccompProfile(*api.SeccompProfile)
 	SetAllowPrivilegeEscalation(*bool)
 }

@ -357,6 +374,20 @@ func (w *containerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
 	w.ensureContainerSC()
 	w.containerSC.ReadOnlyRootFilesystem = v
 }
+func (w *containerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.SeccompProfile
+}
+func (w *containerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
+	if w.containerSC == nil && p == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.SeccompProfile = p
+}
+
 func (w *containerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
 	if w.containerSC == nil {
 		return nil
@ -464,6 +495,14 @@ func (w *effectiveContainerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *
 		w.containerSC.SetReadOnlyRootFilesystem(v)
 	}
 }
+func (w *effectiveContainerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
+	return w.containerSC.SeccompProfile()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
+	if !reflect.DeepEqual(w.SeccompProfile(), p) {
+		w.containerSC.SetSeccompProfile(p)
+	}
+}
 func (w *effectiveContainerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
 	return w.containerSC.AllowPrivilegeEscalation()
 }
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go
@ -20,30 +20,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 )

-// HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account
-// the possibility of nils
-func HasPrivilegedRequest(container *v1.Container) bool {
-	if container.SecurityContext == nil {
-		return false
-	}
-	if container.SecurityContext.Privileged == nil {
-		return false
-	}
-	return *container.SecurityContext.Privileged
-}
-
-// HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context
-// capabilities, taking into account nils
-func HasCapabilitiesRequest(container *v1.Container) bool {
-	if container.SecurityContext == nil {
-		return false
-	}
-	if container.SecurityContext.Capabilities == nil {
-		return false
-	}
-	return len(container.SecurityContext.Capabilities.Add) > 0 || len(container.SecurityContext.Capabilities.Drop) > 0
-}
-
 // HasWindowsHostProcessRequest returns true if container should run as HostProcess container,
 // taking into account nils
 func HasWindowsHostProcessRequest(pod *v1.Pod, container *v1.Container) bool {
@ -212,9 +188,10 @@ func AddNoNewPrivileges(sc *v1.SecurityContext) bool {

 var (
 	// These *must* be kept in sync with moby/moby.
-	// https://github.com/moby/moby/blob/master/oci/defaults.go#L116-L134
+	// https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L123
 	// @jessfraz will watch changes to those files upstream.
 	defaultMaskedPaths = []string{
+		"/proc/asound",
 		"/proc/acpi",
 		"/proc/kcore",
 		"/proc/keys",
@ -226,7 +203,6 @@ var (
 		"/sys/firmware",
 	}
 	defaultReadonlyPaths = []string{
-		"/proc/asound",
 		"/proc/bus",
 		"/proc/fs",
 		"/proc/irq",