Update to kube v1.17

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2025-06-13 10:33:35 +00:00 · 2020-01-14 16:08:55 +05:30
parent 327fcd1b1b
commit 3af1e26d7c
1710 changed files with 289562 additions and 168638 deletions
--- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go
+++ b/vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go
@ -50,7 +50,7 @@ func isRequired(pod *v1.Pod) bool {
 	return false
 }

-// Returns the name of the profile to use with the container.
+// GetProfileName returns the name of the profile to use with the container.
 func GetProfileName(pod *v1.Pod, containerName string) string {
 	return GetProfileNameFromPodAnnotations(pod.Annotations, containerName)
 }
@ -61,7 +61,7 @@ func GetProfileNameFromPodAnnotations(annotations map[string]string, containerNa
 	return annotations[ContainerAnnotationKeyPrefix+containerName]
 }

-// Sets the name of the profile to use with the container.
+// SetProfileName sets the name of the profile to use with the container.
 func SetProfileName(pod *v1.Pod, containerName, profileName string) error {
 	if pod.Annotations == nil {
 		pod.Annotations = map[string]string{}
@ -70,7 +70,7 @@ func SetProfileName(pod *v1.Pod, containerName, profileName string) error {
 	return nil
 }

-// Sets the name of the profile to use with the container.
+// SetProfileNameFromPodAnnotations sets the name of the profile to use with the container.
 func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error {
 	if annotations == nil {
 		return nil
--- a/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go
+++ b/vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go
@ -27,6 +27,7 @@ import (

 	"k8s.io/api/core/v1"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/features"
 	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
 	utilpath "k8s.io/utils/path"
@ -36,12 +37,13 @@ import (
 // Set to true if the wrong build tags are set (see validate_disabled.go).
 var isDisabledBuild bool

-// Interface for validating that a pod with an AppArmor profile can be run by a Node.
+// Validator is a interface for validating that a pod with an AppArmor profile can be run by a Node.
 type Validator interface {
 	Validate(pod *v1.Pod) error
 	ValidateHost() error
 }

+// NewValidator is in order to find AppArmor FS
 func NewValidator(runtime string) Validator {
 	if err := validateHost(runtime); err != nil {
 		return &validator{validateHostErr: err}
@ -76,18 +78,16 @@ func (v *validator) Validate(pod *v1.Pod) error {
 		return fmt.Errorf("could not read loaded profiles: %v", err)
 	}

-	for _, container := range pod.Spec.InitContainers {
-		if err := validateProfile(GetProfileName(pod, container.Name), loadedProfiles); err != nil {
-			return err
+	var retErr error
+	podutil.VisitContainers(&pod.Spec, func(container *v1.Container) bool {
+		retErr = validateProfile(GetProfileName(pod, container.Name), loadedProfiles)
+		if retErr != nil {
+			return false
 		}
-	}
-	for _, container := range pod.Spec.Containers {
-		if err := validateProfile(GetProfileName(pod, container.Name), loadedProfiles); err != nil {
-			return err
-		}
-	}
+		return true
+	})

-	return nil
+	return retErr
 }

 func (v *validator) ValidateHost() error {
@ -103,7 +103,7 @@ func validateHost(runtime string) error {

 	// Check build support.
 	if isDisabledBuild {
-		return errors.New("Binary not compiled for linux")
+		return errors.New("binary not compiled for linux")
 	}

 	// Check kernel support.
@ -113,7 +113,7 @@ func validateHost(runtime string) error {

 	// Check runtime support. Currently only Docker is supported.
 	if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime {
-		return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime)
+		return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q", runtime)
 	}

 	return nil
@ -135,6 +135,7 @@ func validateProfile(profile string, loadedProfiles map[string]bool) error {
 	return nil
 }

+// ValidateProfileFormat checks the format of the profile.
 func ValidateProfileFormat(profile string) error {
 	if profile == "" || profile == ProfileRuntimeDefault || profile == ProfileNameUnconfined {
 		return nil
@ -199,12 +200,10 @@ func getAppArmorFS() (string, error) {
 				msg := fmt.Sprintf("path %s does not exist", appArmorFS)
 				if err != nil {
 					return "", fmt.Errorf("%s: %v", msg, err)
-				} else {
-					return "", errors.New(msg)
 				}
-			} else {
-				return appArmorFS, nil
+				return "", errors.New(msg)
 			}
+			return appArmorFS, nil
 		}
 	}
 	if err := scanner.Err(); err != nil {
--- a/vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/strategy.go
+++ b/vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/strategy.go
@ -27,9 +27,9 @@ import (
 const (
 	// AllowAny is the wildcard used to allow any profile.
 	AllowAny = "*"
-	// The annotation key specifying the default seccomp profile.
+	// DefaultProfileAnnotationKey specifies the default seccomp profile.
 	DefaultProfileAnnotationKey = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
-	// The annotation key specifying the allowed seccomp profiles.
+	// AllowedProfilesAnnotationKey specifies the allowed seccomp profiles.
 	AllowedProfilesAnnotationKey = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
 )