rebase: update K8s packages to v0.32.1

Update K8s packages in go.mod to v0.32.1

Signed-off-by: Praveen M <m.praveen@ibm.com>

vendor/k8s.io/kubernetes/pkg/security/apparmor/OWNERS

@@ -0,0 +1,10 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - sig-node-approvers
+  - tallclair
+reviewers:
+  - sig-node-reviewers
+  - tallclair
+labels:
+  - sig/node

vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go

@@ -0,0 +1,99 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apparmor
+
+import (
+	"strings"
+
+	v1 "k8s.io/api/core/v1"
+	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+)
+
+// Checks whether app armor is required for the pod to run. AppArmor is considered required if any
+// non-unconfined profiles are specified.
+func isRequired(pod *v1.Pod) bool {
+	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.AppArmorProfile != nil &&
+		pod.Spec.SecurityContext.AppArmorProfile.Type != v1.AppArmorProfileTypeUnconfined {
+		return true
+	}
+
+	inUse := !podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(c *v1.Container, _ podutil.ContainerType) bool {
+		if c.SecurityContext != nil && c.SecurityContext.AppArmorProfile != nil &&
+			c.SecurityContext.AppArmorProfile.Type != v1.AppArmorProfileTypeUnconfined {
+			return false // is in use; short-circuit
+		}
+		return true
+	})
+	if inUse {
+		return true
+	}
+
+	for key, value := range pod.Annotations {
+		if strings.HasPrefix(key, v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) {
+			return value != v1.DeprecatedAppArmorBetaProfileNameUnconfined
+		}
+	}
+	return false
+}
+
+// GetProfileName returns the name of the profile to use with the container.
+func GetProfile(pod *v1.Pod, container *v1.Container) *v1.AppArmorProfile {
+	if container.SecurityContext != nil && container.SecurityContext.AppArmorProfile != nil {
+		return container.SecurityContext.AppArmorProfile
+	}
+
+	// Static pods may not have had annotations synced to fields, so fallback to annotations before
+	// the pod profile.
+	if profile := getProfileFromPodAnnotations(pod.Annotations, container.Name); profile != nil {
+		return profile
+	}
+
+	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.AppArmorProfile != nil {
+		return pod.Spec.SecurityContext.AppArmorProfile
+	}
+
+	return nil
+}
+
+// getProfileFromPodAnnotations gets the AppArmor profile to use with container from
+// (deprecated) pod annotations.
+func getProfileFromPodAnnotations(annotations map[string]string, containerName string) *v1.AppArmorProfile {
+	val, ok := annotations[v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix+containerName]
+	if !ok {
+		return nil
+	}
+
+	switch {
+	case val == v1.DeprecatedAppArmorBetaProfileRuntimeDefault:
+		return &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeRuntimeDefault}
+
+	case val == v1.DeprecatedAppArmorBetaProfileNameUnconfined:
+		return &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined}
+
+	case strings.HasPrefix(val, v1.DeprecatedAppArmorBetaProfileNamePrefix):
+		// Note: an invalid empty localhost profile will be rejected by kubelet admission.
+		profileName := strings.TrimPrefix(val, v1.DeprecatedAppArmorBetaProfileNamePrefix)
+		return &v1.AppArmorProfile{
+			Type:             v1.AppArmorProfileTypeLocalhost,
+			LocalhostProfile: &profileName,
+		}
+
+	default:
+		// Invalid annotation.
+		return nil
+	}
+}

vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go

@@ -0,0 +1,101 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apparmor
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	v1 "k8s.io/api/core/v1"
+	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/third_party/forked/libcontainer/apparmor"
+)
+
+// Whether AppArmor should be disabled by default.
+// Set to true if the wrong build tags are set (see validate_disabled.go).
+var isDisabledBuild bool
+
+// Validator is a interface for validating that a pod with an AppArmor profile can be run by a Node.
+type Validator interface {
+	Validate(pod *v1.Pod) error
+	ValidateHost() error
+}
+
+// NewValidator is in order to find AppArmor FS
+func NewValidator() Validator {
+	if err := validateHost(); err != nil {
+		return &validator{validateHostErr: err}
+	}
+	return &validator{}
+}
+
+type validator struct {
+	validateHostErr error
+}
+
+func (v *validator) Validate(pod *v1.Pod) error {
+	if !isRequired(pod) {
+		return nil
+	}
+
+	if v.ValidateHost() != nil {
+		return v.validateHostErr
+	}
+
+	var retErr error
+	podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(container *v1.Container, containerType podutil.ContainerType) bool {
+		profile := GetProfile(pod, container)
+		if profile == nil {
+			return true
+		}
+
+		// TODO(#64841): This would ideally be part of validation.ValidateAppArmorProfileFormat, but
+		// that is called for API validation, and this is tightening validation.
+		if profile.Type == v1.AppArmorProfileTypeLocalhost {
+			if profile.LocalhostProfile == nil || strings.TrimSpace(*profile.LocalhostProfile) == "" {
+				retErr = fmt.Errorf("invalid empty AppArmor profile name: %q", profile)
+				return false
+			}
+		}
+		return true
+	})
+
+	return retErr
+}
+
+// ValidateHost verifies that the host and runtime is capable of enforcing AppArmor profiles.
+// Note, this is intentionally only check the host at kubelet startup and never re-evaluates the host
+// as the expectation is that the kubelet restart will be needed to enable or disable AppArmor support.
+func (v *validator) ValidateHost() error {
+	return v.validateHostErr
+}
+
+// validateHost verifies that the host and runtime is capable of enforcing AppArmor profiles.
+func validateHost() error {
+	// Check build support.
+	if isDisabledBuild {
+		return errors.New("binary not compiled for linux")
+	}
+
+	// Check kernel support.
+	if !apparmor.IsEnabled() {
+		return errors.New("AppArmor is not enabled on the host")
+	}
+
+	return nil
+}

vendor/k8s.io/kubernetes/pkg/security/apparmor/validate_disabled.go

@@ -0,0 +1,25 @@
+//go:build !linux
+// +build !linux
+
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apparmor
+
+func init() {
+	// If Kubernetes was not built for linux, apparmor is always disabled.
+	isDisabledBuild = true
+}