Fresh dep ensure

vendor/k8s.io/kubernetes/pkg/securitycontext/BUILD

@@ -17,7 +17,7 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/securitycontext",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
     ],
 )
 
@@ -30,8 +30,8 @@ go_test(
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
     ],
 )
 

vendor/k8s.io/kubernetes/pkg/securitycontext/accessors.go

@@ -29,6 +29,7 @@ type PodSecurityContextAccessor interface {
 	HostIPC() bool
 	SELinuxOptions() *api.SELinuxOptions
 	RunAsUser() *int64
+	RunAsGroup() *int64
 	RunAsNonRoot() *bool
 	SupplementalGroups() []int64
 	FSGroup() *int64
@@ -43,6 +44,7 @@ type PodSecurityContextMutator interface {
 	SetHostIPC(bool)
 	SetSELinuxOptions(*api.SELinuxOptions)
 	SetRunAsUser(*int64)
+	SetRunAsGroup(*int64)
 	SetRunAsNonRoot(*bool)
 	SetSupplementalGroups([]int64)
 	SetFSGroup(*int64)
@@ -142,6 +144,20 @@ func (w *podSecurityContextWrapper) SetRunAsUser(v *int64) {
 	w.ensurePodSC()
 	w.podSC.RunAsUser = v
 }
+func (w *podSecurityContextWrapper) RunAsGroup() *int64 {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.RunAsGroup
+}
+func (w *podSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if w.podSC == nil && v == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.RunAsGroup = v
+}
+
 func (w *podSecurityContextWrapper) RunAsNonRoot() *bool {
 	if w.podSC == nil {
 		return nil
@@ -188,8 +204,10 @@ func (w *podSecurityContextWrapper) SetFSGroup(v *int64) {
 type ContainerSecurityContextAccessor interface {
 	Capabilities() *api.Capabilities
 	Privileged() *bool
+	ProcMount() api.ProcMountType
 	SELinuxOptions() *api.SELinuxOptions
 	RunAsUser() *int64
+	RunAsGroup() *int64
 	RunAsNonRoot() *bool
 	ReadOnlyRootFilesystem() *bool
 	AllowPrivilegeEscalation() *bool
@@ -204,6 +222,7 @@ type ContainerSecurityContextMutator interface {
 	SetPrivileged(*bool)
 	SetSELinuxOptions(*api.SELinuxOptions)
 	SetRunAsUser(*int64)
+	SetRunAsGroup(*int64)
 	SetRunAsNonRoot(*bool)
 	SetReadOnlyRootFilesystem(*bool)
 	SetAllowPrivilegeEscalation(*bool)
@@ -257,6 +276,15 @@ func (w *containerSecurityContextWrapper) SetPrivileged(v *bool) {
 	w.ensureContainerSC()
 	w.containerSC.Privileged = v
 }
+func (w *containerSecurityContextWrapper) ProcMount() api.ProcMountType {
+	if w.containerSC == nil {
+		return api.DefaultProcMount
+	}
+	if w.containerSC.ProcMount == nil {
+		return api.DefaultProcMount
+	}
+	return *w.containerSC.ProcMount
+}
 func (w *containerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
 	if w.containerSC == nil {
 		return nil
@@ -283,6 +311,20 @@ func (w *containerSecurityContextWrapper) SetRunAsUser(v *int64) {
 	w.ensureContainerSC()
 	w.containerSC.RunAsUser = v
 }
+func (w *containerSecurityContextWrapper) RunAsGroup() *int64 {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.RunAsGroup
+}
+func (w *containerSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.RunAsGroup = v
+}
+
 func (w *containerSecurityContextWrapper) RunAsNonRoot() *bool {
 	if w.containerSC == nil {
 		return nil
@@ -356,6 +398,9 @@ func (w *effectiveContainerSecurityContextWrapper) SetPrivileged(v *bool) {
 		w.containerSC.SetPrivileged(v)
 	}
 }
+func (w *effectiveContainerSecurityContextWrapper) ProcMount() api.ProcMountType {
+	return w.containerSC.ProcMount()
+}
 func (w *effectiveContainerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
 	if v := w.containerSC.SELinuxOptions(); v != nil {
 		return v
@@ -378,6 +423,18 @@ func (w *effectiveContainerSecurityContextWrapper) SetRunAsUser(v *int64) {
 		w.containerSC.SetRunAsUser(v)
 	}
 }
+func (w *effectiveContainerSecurityContextWrapper) RunAsGroup() *int64 {
+	if v := w.containerSC.RunAsGroup(); v != nil {
+		return v
+	}
+	return w.podSC.RunAsGroup()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if !reflect.DeepEqual(w.RunAsGroup(), v) {
+		w.containerSC.SetRunAsGroup(v)
+	}
+}
+
 func (w *effectiveContainerSecurityContextWrapper) RunAsNonRoot() *bool {
 	if v := w.containerSC.RunAsNonRoot(); v != nil {
 		return v

vendor/k8s.io/kubernetes/pkg/securitycontext/accessors_test.go

@@ -27,6 +27,7 @@ import (
 func TestPodSecurityContextAccessor(t *testing.T) {
 	fsGroup := int64(2)
 	runAsUser := int64(1)
+	runAsGroup := int64(1)
 	runAsNonRoot := true
 
 	testcases := []*api.PodSecurityContext{
@@ -38,6 +39,7 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 		{HostPID: true},
 		{RunAsNonRoot: &runAsNonRoot},
 		{RunAsUser: &runAsUser},
+		{RunAsGroup: &runAsGroup},
 		{SELinuxOptions: &api.SELinuxOptions{User: "bob"}},
 		{SupplementalGroups: []int64{1, 2, 3}},
 	}
@@ -68,6 +70,9 @@ func TestPodSecurityContextAccessor(t *testing.T) {
 		if v := a.RunAsUser(); !reflect.DeepEqual(expected.RunAsUser, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsUser, v)
 		}
+		if v := a.RunAsGroup(); !reflect.DeepEqual(expected.RunAsGroup, v) {
+			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsGroup, v)
+		}
 		if v := a.SELinuxOptions(); !reflect.DeepEqual(expected.SELinuxOptions, v) {
 			t.Errorf("%d: expected %#v, got %#v", i, expected.SELinuxOptions, v)
 		}
@@ -95,6 +100,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
 					HostPID:            true,
 					SELinuxOptions:     &api.SELinuxOptions{},
 					RunAsUser:          nil,
+					RunAsGroup:         nil,
 					RunAsNonRoot:       nil,
 					SupplementalGroups: nil,
 					FSGroup:            nil,
@@ -123,6 +129,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
 			m.SetHostPID(m.HostPID())
 			m.SetRunAsNonRoot(m.RunAsNonRoot())
 			m.SetRunAsUser(m.RunAsUser())
+			m.SetRunAsGroup(m.RunAsGroup())
 			m.SetSELinuxOptions(m.SELinuxOptions())
 			m.SetSupplementalGroups(m.SupplementalGroups())
 			if !reflect.DeepEqual(sc, originalSC) {
@@ -208,6 +215,19 @@ func TestPodSecurityContextMutator(t *testing.T) {
 			}
 		}
 
+		// RunAsGroup
+		{
+			modifiedSC := nonNilSC(tc.newSC())
+			m := NewPodSecurityContextMutator(tc.newSC())
+			i := int64(1123)
+			modifiedSC.RunAsGroup = &i
+			m.SetRunAsGroup(&i)
+			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
+				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
+				continue
+			}
+		}
+
 		// SELinuxOptions
 		{
 			modifiedSC := nonNilSC(tc.newSC())
@@ -429,6 +449,8 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 	privileged := true
 	runAsUser := int64(1)
 	runAsUserPod := int64(12)
+	runAsGroup := int64(1)
+	runAsGroupPod := int64(12)
 	runAsNonRoot := true
 	runAsNonRootPod := false
 	readOnlyRootFilesystem := true
@@ -500,6 +522,26 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
 				SELinuxOptions:           &api.SELinuxOptions{User: "bob"},
 			},
 		},
+		{
+			PodSC: &api.PodSecurityContext{
+				RunAsGroup: &runAsGroup,
+			},
+			SC: nil,
+			Effective: &api.SecurityContext{
+				RunAsGroup: &runAsGroup,
+			},
+		},
+		{
+			PodSC: &api.PodSecurityContext{
+				RunAsGroup: &runAsGroupPod,
+			},
+			SC: &api.SecurityContext{
+				RunAsGroup: &runAsGroup,
+			},
+			Effective: &api.SecurityContext{
+				RunAsGroup: &runAsGroup,
+			},
+		},
 	}
 
 	for i, tc := range testcases {

vendor/k8s.io/kubernetes/pkg/securitycontext/fake.go

@@ -35,8 +35,10 @@ func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext {
 // empty container defaults.  Used for testing.
 func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext {
 	priv := false
+	dpm := api.DefaultProcMount
 	return &api.SecurityContext{
 		Capabilities: &api.Capabilities{},
 		Privileged:   &priv,
+		ProcMount:    &dpm,
 	}
 }

vendor/k8s.io/kubernetes/pkg/securitycontext/util.go

@@ -72,7 +72,7 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
 	containerSc := container.SecurityContext
 
 	if effectiveSc == nil && containerSc == nil {
-		return nil
+		return &v1.SecurityContext{}
 	}
 	if effectiveSc != nil && containerSc == nil {
 		return effectiveSc
@@ -121,6 +121,11 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
 		*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
 	}
 
+	if containerSc.ProcMount != nil {
+		effectiveSc.ProcMount = new(v1.ProcMountType)
+		*effectiveSc.ProcMount = *containerSc.ProcMount
+	}
+
 	return effectiveSc
 }
 
@@ -167,3 +172,52 @@ func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
 	// handle the case where defaultAllowPrivilegeEscalation is false or the user explicitly set allowPrivilegeEscalation to true/false
 	return !*sc.AllowPrivilegeEscalation
 }
+
+var (
+	// These *must* be kept in sync with moby/moby.
+	// https://github.com/moby/moby/blob/master/oci/defaults.go#L116-L134
+	// @jessfraz will watch changes to those files upstream.
+	defaultMaskedPaths = []string{
+		"/proc/acpi",
+		"/proc/kcore",
+		"/proc/keys",
+		"/proc/latency_stats",
+		"/proc/timer_list",
+		"/proc/timer_stats",
+		"/proc/sched_debug",
+		"/proc/scsi",
+		"/sys/firmware",
+	}
+	defaultReadonlyPaths = []string{
+		"/proc/asound",
+		"/proc/bus",
+		"/proc/fs",
+		"/proc/irq",
+		"/proc/sys",
+		"/proc/sysrq-trigger",
+	}
+)
+
+// ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default
+// masked paths.
+func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string {
+	if opt != nil && *opt == v1.UnmaskedProcMount {
+		// Unmasked proc mount should have no paths set as masked.
+		return []string{}
+	}
+
+	// Otherwise, add the default masked paths to the runtime security context.
+	return defaultMaskedPaths
+}
+
+// ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default
+// readonly paths.
+func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string {
+	if opt != nil && *opt == v1.UnmaskedProcMount {
+		// Unmasked proc mount should have no paths set as readonly.
+		return []string{}
+	}
+
+	// Otherwise, add the default readonly paths to the runtime security context.
+	return defaultReadonlyPaths
+}

vendor/k8s.io/kubernetes/pkg/securitycontext/util_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package securitycontext
 
 import (
+	"reflect"
 	"testing"
 
 	"k8s.io/api/core/v1"
@@ -123,3 +124,61 @@ func TestAddNoNewPrivileges(t *testing.T) {
 		}
 	}
 }
+
+func TestConvertToRuntimeMaskedPaths(t *testing.T) {
+	dPM := v1.DefaultProcMount
+	uPM := v1.UnmaskedProcMount
+	tests := map[string]struct {
+		pm     *v1.ProcMountType
+		expect []string
+	}{
+		"procMount nil": {
+			pm:     nil,
+			expect: defaultMaskedPaths,
+		},
+		"procMount default": {
+			pm:     &dPM,
+			expect: defaultMaskedPaths,
+		},
+		"procMount unmasked": {
+			pm:     &uPM,
+			expect: []string{},
+		},
+	}
+
+	for k, v := range tests {
+		actual := ConvertToRuntimeMaskedPaths(v.pm)
+		if !reflect.DeepEqual(actual, v.expect) {
+			t.Errorf("%s failed, expected %#v but received %#v", k, v.expect, actual)
+		}
+	}
+}
+
+func TestConvertToRuntimeReadonlyPaths(t *testing.T) {
+	dPM := v1.DefaultProcMount
+	uPM := v1.UnmaskedProcMount
+	tests := map[string]struct {
+		pm     *v1.ProcMountType
+		expect []string
+	}{
+		"procMount nil": {
+			pm:     nil,
+			expect: defaultReadonlyPaths,
+		},
+		"procMount default": {
+			pm:     &dPM,
+			expect: defaultReadonlyPaths,
+		},
+		"procMount unmasked": {
+			pm:     &uPM,
+			expect: []string{},
+		},
+	}
+
+	for k, v := range tests {
+		actual := ConvertToRuntimeReadonlyPaths(v.pm)
+		if !reflect.DeepEqual(actual, v.expect) {
+			t.Errorf("%s failed, expected %#v but received %#v", k, v.expect, actual)
+		}
+	}
+}