rebase: update kubernetes to latest

updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 10:33:35 +00:00 · 2024-08-19 10:01:33 +02:00
parent 63c4c05b35
commit 5a66991bb3
2173 changed files with 98906 additions and 61334 deletions
--- a/vendor/k8s.io/api/authorization/v1/generated.proto
+++ b/vendor/k8s.io/api/authorization/v1/generated.proto
@ -37,6 +37,60 @@ message ExtraValue {
  repeated string items = 1;
 }

+// FieldSelectorAttributes indicates a field limited access.
+// Webhook authors are encouraged to
+// * ensure rawSelector and requirements are not both set
+// * consider the requirements field if set
+// * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details.
+// For the *SubjectAccessReview endpoints of the kube-apiserver:
+// * If rawSelector is empty and requirements are empty, the request is not limited.
+// * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds.
+// * If rawSelector is empty and requirements are present, the requirements should be honored
+// * If rawSelector is present and requirements are present, the request is invalid.
+message FieldSelectorAttributes {
+  // rawSelector is the serialization of a field selector that would be included in a query parameter.
+  // Webhook implementations are encouraged to ignore rawSelector.
+  // The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
+  // +optional
+  optional string rawSelector = 1;
+
+  // requirements is the parsed interpretation of a field selector.
+  // All requirements must be met for a resource instance to match the selector.
+  // Webhook implementations should handle requirements, but how to handle them is up to the webhook.
+  // Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements
+  // are not understood.
+  // +optional
+  // +listType=atomic
+  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.FieldSelectorRequirement requirements = 2;
+}
+
+// LabelSelectorAttributes indicates a label limited access.
+// Webhook authors are encouraged to
+// * ensure rawSelector and requirements are not both set
+// * consider the requirements field if set
+// * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details.
+// For the *SubjectAccessReview endpoints of the kube-apiserver:
+// * If rawSelector is empty and requirements are empty, the request is not limited.
+// * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds.
+// * If rawSelector is empty and requirements are present, the requirements should be honored
+// * If rawSelector is present and requirements are present, the request is invalid.
+message LabelSelectorAttributes {
+  // rawSelector is the serialization of a field selector that would be included in a query parameter.
+  // Webhook implementations are encouraged to ignore rawSelector.
+  // The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
+  // +optional
+  optional string rawSelector = 1;
+
+  // requirements is the parsed interpretation of a label selector.
+  // All requirements must be met for a resource instance to match the selector.
+  // Webhook implementations should handle requirements, but how to handle them is up to the webhook.
+  // Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements
+  // are not understood.
+  // +optional
+  // +listType=atomic
+  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement requirements = 2;
+}
+
 // LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
 // Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
 // checking.
@ -44,7 +98,7 @@ message LocalSubjectAccessReview {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
  // you made the request against.  If empty, it is defaulted.
@ -111,6 +165,20 @@ message ResourceAttributes {
  // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
  // +optional
  optional string name = 7;
+
+  // fieldSelector describes the limitation on access based on field.  It can only limit access, not broaden it.
+  //
+  // This field  is alpha-level. To use this field, you must enable the
+  // `AuthorizeWithSelectors` feature gate (disabled by default).
+  // +optional
+  optional FieldSelectorAttributes fieldSelector = 8;
+
+  // labelSelector describes the limitation on access based on labels.  It can only limit access, not broaden it.
+  //
+  // This field  is alpha-level. To use this field, you must enable the
+  // `AuthorizeWithSelectors` feature gate (disabled by default).
+  // +optional
+  optional LabelSelectorAttributes labelSelector = 9;
 }

 // ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
@ -145,7 +213,7 @@ message SelfSubjectAccessReview {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec holds information about the request being evaluated.  user and groups must be empty
  optional SelfSubjectAccessReviewSpec spec = 2;
@ -177,7 +245,7 @@ message SelfSubjectRulesReview {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec holds information about the request being evaluated.
  optional SelfSubjectRulesReviewSpec spec = 2;
@ -198,7 +266,7 @@ message SubjectAccessReview {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec holds information about the request being evaluated
  optional SubjectAccessReviewSpec spec = 2;