rebase: update kubernetes to v1.20.0

updated kubernetes packages to latest
release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go

@@ -22,29 +22,11 @@ import (
 	"k8s.io/api/core/v1"
 )
 
-// TODO: Move these values into the API package.
-const (
-	// The prefix to an annotation key specifying a container profile.
-	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
-	// The annotation key specifying the default AppArmor profile.
-	DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
-	// The annotation key specifying the allowed AppArmor profiles.
-	AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"
-
-	// The profile specifying the runtime default.
-	ProfileRuntimeDefault = "runtime/default"
-	// The prefix for specifying profiles loaded on the node.
-	ProfileNamePrefix = "localhost/"
-
-	// Unconfined profile
-	ProfileNameUnconfined = "unconfined"
-)
-
 // Checks whether app armor is required for pod to be run.
 func isRequired(pod *v1.Pod) bool {
 	for key, value := range pod.Annotations {
-		if strings.HasPrefix(key, ContainerAnnotationKeyPrefix) {
-			return value != ProfileNameUnconfined
+		if strings.HasPrefix(key, v1.AppArmorBetaContainerAnnotationKeyPrefix) {
+			return value != v1.AppArmorBetaProfileNameUnconfined
 		}
 	}
 	return false
@@ -58,7 +40,7 @@ func GetProfileName(pod *v1.Pod, containerName string) string {
 // GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
 // pod annotations
 func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
-	return annotations[ContainerAnnotationKeyPrefix+containerName]
+	return annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName]
 }
 
 // SetProfileName sets the name of the profile to use with the container.
@@ -66,7 +48,7 @@ func SetProfileName(pod *v1.Pod, containerName, profileName string) error {
 	if pod.Annotations == nil {
 		pod.Annotations = map[string]string{}
 	}
-	pod.Annotations[ContainerAnnotationKeyPrefix+containerName] = profileName
+	pod.Annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = profileName
 	return nil
 }
 
@@ -75,6 +57,6 @@ func SetProfileNameFromPodAnnotations(annotations map[string]string, containerNa
 	if annotations == nil {
 		return nil
 	}
-	annotations[ContainerAnnotationKeyPrefix+containerName] = profileName
+	annotations[v1.AppArmorBetaContainerAnnotationKeyPrefix+containerName] = profileName
 	return nil
 }

vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go

@@ -25,7 +25,7 @@ import (
 	"path"
 	"strings"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/features"
@@ -79,7 +79,7 @@ func (v *validator) Validate(pod *v1.Pod) error {
 	}
 
 	var retErr error
-	podutil.VisitContainers(&pod.Spec, func(container *v1.Container) bool {
+	podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(container *v1.Container, containerType podutil.ContainerType) bool {
 		retErr = validateProfile(GetProfileName(pod, container.Name), loadedProfiles)
 		if retErr != nil {
 			return false
@@ -125,8 +125,8 @@ func validateProfile(profile string, loadedProfiles map[string]bool) error {
 		return err
 	}
 
-	if strings.HasPrefix(profile, ProfileNamePrefix) {
-		profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
+	if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
+		profileName := strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix)
 		if !loadedProfiles[profileName] {
 			return fmt.Errorf("profile %q is not loaded", profileName)
 		}
@@ -137,10 +137,10 @@ func validateProfile(profile string, loadedProfiles map[string]bool) error {
 
 // ValidateProfileFormat checks the format of the profile.
 func ValidateProfileFormat(profile string) error {
-	if profile == "" || profile == ProfileRuntimeDefault || profile == ProfileNameUnconfined {
+	if profile == "" || profile == v1.AppArmorBetaProfileRuntimeDefault || profile == v1.AppArmorBetaProfileNameUnconfined {
 		return nil
 	}
-	if !strings.HasPrefix(profile, ProfileNamePrefix) {
+	if !strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) {
 		return fmt.Errorf("invalid AppArmor profile name: %q", profile)
 	}
 	return nil

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/BUILD

@@ -1,40 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["strategy.go"],
-    importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp",
-    deps = [
-        "//pkg/apis/core:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
-    ],
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["strategy_test.go"],
-    embed = [":go_default_library"],
-    deps = [
-        "//pkg/apis/core:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
-    ],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/strategy.go

@@ -1,149 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package seccomp
-
-import (
-	"fmt"
-	"strings"
-
-	"k8s.io/apimachinery/pkg/util/validation/field"
-	api "k8s.io/kubernetes/pkg/apis/core"
-)
-
-const (
-	// AllowAny is the wildcard used to allow any profile.
-	AllowAny = "*"
-	// DefaultProfileAnnotationKey specifies the default seccomp profile.
-	DefaultProfileAnnotationKey = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
-	// AllowedProfilesAnnotationKey specifies the allowed seccomp profiles.
-	AllowedProfilesAnnotationKey = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
-)
-
-// Strategy defines the interface for all seccomp constraint strategies.
-type Strategy interface {
-	// Generate returns a profile based on constraint rules.
-	Generate(annotations map[string]string, pod *api.Pod) (string, error)
-	// Validate ensures that the specified values fall within the range of the strategy.
-	ValidatePod(pod *api.Pod) field.ErrorList
-	// Validate ensures that the specified values fall within the range of the strategy.
-	ValidateContainer(pod *api.Pod, container *api.Container) field.ErrorList
-}
-
-type strategy struct {
-	defaultProfile  string
-	allowedProfiles map[string]bool
-	// For printing error messages (preserves order).
-	allowedProfilesString string
-	// does the strategy allow any profile (wildcard)
-	allowAnyProfile bool
-}
-
-var _ Strategy = &strategy{}
-
-// NewStrategy creates a new strategy that enforces seccomp profile constraints.
-func NewStrategy(pspAnnotations map[string]string) Strategy {
-	var allowedProfiles map[string]bool
-	allowAnyProfile := false
-	if allowed, ok := pspAnnotations[AllowedProfilesAnnotationKey]; ok {
-		profiles := strings.Split(allowed, ",")
-		allowedProfiles = make(map[string]bool, len(profiles))
-		for _, p := range profiles {
-			if p == AllowAny {
-				allowAnyProfile = true
-				continue
-			}
-			allowedProfiles[p] = true
-		}
-	}
-	return &strategy{
-		defaultProfile:        pspAnnotations[DefaultProfileAnnotationKey],
-		allowedProfiles:       allowedProfiles,
-		allowedProfilesString: pspAnnotations[AllowedProfilesAnnotationKey],
-		allowAnyProfile:       allowAnyProfile,
-	}
-}
-
-// Generate returns a profile based on constraint rules.
-func (s *strategy) Generate(annotations map[string]string, pod *api.Pod) (string, error) {
-	if annotations[api.SeccompPodAnnotationKey] != "" {
-		// Profile already set, nothing to do.
-		return annotations[api.SeccompPodAnnotationKey], nil
-	}
-	return s.defaultProfile, nil
-}
-
-// ValidatePod ensures that the specified values on the pod fall within the range
-// of the strategy.
-func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
-	allErrs := field.ErrorList{}
-	podSpecFieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)
-	podProfile := pod.Annotations[api.SeccompPodAnnotationKey]
-
-	if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && podProfile != "" {
-		allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, "seccomp may not be set"))
-		return allErrs
-	}
-
-	if !s.profileAllowed(podProfile) {
-		msg := fmt.Sprintf("%s is not an allowed seccomp profile. Valid values are %v", podProfile, s.allowedProfilesString)
-		allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, msg))
-	}
-
-	return allErrs
-}
-
-// ValidateContainer ensures that the specified values on the container fall within
-// the range of the strategy.
-func (s *strategy) ValidateContainer(pod *api.Pod, container *api.Container) field.ErrorList {
-	allErrs := field.ErrorList{}
-	fieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompContainerAnnotationKeyPrefix + container.Name)
-	containerProfile := profileForContainer(pod, container)
-
-	if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && containerProfile != "" {
-		allErrs = append(allErrs, field.Forbidden(fieldPath, "seccomp may not be set"))
-		return allErrs
-	}
-
-	if !s.profileAllowed(containerProfile) {
-		msg := fmt.Sprintf("%s is not an allowed seccomp profile. Valid values are %v", containerProfile, s.allowedProfilesString)
-		allErrs = append(allErrs, field.Forbidden(fieldPath, msg))
-	}
-
-	return allErrs
-}
-
-// profileAllowed checks if profile is in allowedProfiles or if allowedProfiles
-// contains the wildcard.
-func (s *strategy) profileAllowed(profile string) bool {
-	// for backwards compatibility and PSPs without a defined list of allowed profiles.
-	// If a PSP does not have allowedProfiles set then we should allow an empty profile.
-	// This will mean that the runtime default is used.
-	if len(s.allowedProfiles) == 0 && profile == "" {
-		return true
-	}
-
-	return s.allowAnyProfile || s.allowedProfiles[profile]
-}
-
-// profileForContainer returns the container profile if set, otherwise the pod profile.
-func profileForContainer(pod *api.Pod, container *api.Container) string {
-	containerProfile, ok := pod.Annotations[api.SeccompContainerAnnotationKeyPrefix+container.Name]
-	if ok {
-		return containerProfile
-	}
-	return pod.Annotations[api.SeccompPodAnnotationKey]
-}

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/BUILD

@@ -1,44 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = [
-        "doc.go",
-        "util.go",
-    ],
-    importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util",
-    deps = [
-        "//pkg/apis/core:go_default_library",
-        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
-    ],
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["util_test.go"],
-    embed = [":go_default_library"],
-    deps = [
-        "//pkg/apis/core:go_default_library",
-        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
-    ],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/doc.go

@@ -1,19 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package util contains utility code shared amongst different parts of the
-// pod security policy apparatus.
-package util

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/util.go

@@ -1,244 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"fmt"
-	"strings"
-
-	policy "k8s.io/api/policy/v1beta1"
-	"k8s.io/apimachinery/pkg/util/sets"
-	api "k8s.io/kubernetes/pkg/apis/core"
-)
-
-const (
-	ValidatedPSPAnnotation = "kubernetes.io/psp"
-)
-
-func GetAllFSTypesExcept(exceptions ...string) sets.String {
-	fstypes := GetAllFSTypesAsSet()
-	for _, e := range exceptions {
-		fstypes.Delete(e)
-	}
-	return fstypes
-}
-
-func GetAllFSTypesAsSet() sets.String {
-	fstypes := sets.NewString()
-	fstypes.Insert(
-		string(policy.HostPath),
-		string(policy.AzureFile),
-		string(policy.Flocker),
-		string(policy.FlexVolume),
-		string(policy.EmptyDir),
-		string(policy.GCEPersistentDisk),
-		string(policy.AWSElasticBlockStore),
-		string(policy.GitRepo),
-		string(policy.Secret),
-		string(policy.NFS),
-		string(policy.ISCSI),
-		string(policy.Glusterfs),
-		string(policy.PersistentVolumeClaim),
-		string(policy.RBD),
-		string(policy.Cinder),
-		string(policy.CephFS),
-		string(policy.DownwardAPI),
-		string(policy.FC),
-		string(policy.ConfigMap),
-		string(policy.VsphereVolume),
-		string(policy.Quobyte),
-		string(policy.AzureDisk),
-		string(policy.PhotonPersistentDisk),
-		string(policy.StorageOS),
-		string(policy.Projected),
-		string(policy.PortworxVolume),
-		string(policy.ScaleIO),
-		string(policy.CSI),
-	)
-	return fstypes
-}
-
-// getVolumeFSType gets the FSType for a volume.
-func GetVolumeFSType(v api.Volume) (policy.FSType, error) {
-	switch {
-	case v.HostPath != nil:
-		return policy.HostPath, nil
-	case v.EmptyDir != nil:
-		return policy.EmptyDir, nil
-	case v.GCEPersistentDisk != nil:
-		return policy.GCEPersistentDisk, nil
-	case v.AWSElasticBlockStore != nil:
-		return policy.AWSElasticBlockStore, nil
-	case v.GitRepo != nil:
-		return policy.GitRepo, nil
-	case v.Secret != nil:
-		return policy.Secret, nil
-	case v.NFS != nil:
-		return policy.NFS, nil
-	case v.ISCSI != nil:
-		return policy.ISCSI, nil
-	case v.Glusterfs != nil:
-		return policy.Glusterfs, nil
-	case v.PersistentVolumeClaim != nil:
-		return policy.PersistentVolumeClaim, nil
-	case v.RBD != nil:
-		return policy.RBD, nil
-	case v.FlexVolume != nil:
-		return policy.FlexVolume, nil
-	case v.Cinder != nil:
-		return policy.Cinder, nil
-	case v.CephFS != nil:
-		return policy.CephFS, nil
-	case v.Flocker != nil:
-		return policy.Flocker, nil
-	case v.DownwardAPI != nil:
-		return policy.DownwardAPI, nil
-	case v.FC != nil:
-		return policy.FC, nil
-	case v.AzureFile != nil:
-		return policy.AzureFile, nil
-	case v.ConfigMap != nil:
-		return policy.ConfigMap, nil
-	case v.VsphereVolume != nil:
-		return policy.VsphereVolume, nil
-	case v.Quobyte != nil:
-		return policy.Quobyte, nil
-	case v.AzureDisk != nil:
-		return policy.AzureDisk, nil
-	case v.PhotonPersistentDisk != nil:
-		return policy.PhotonPersistentDisk, nil
-	case v.StorageOS != nil:
-		return policy.StorageOS, nil
-	case v.Projected != nil:
-		return policy.Projected, nil
-	case v.PortworxVolume != nil:
-		return policy.PortworxVolume, nil
-	case v.ScaleIO != nil:
-		return policy.ScaleIO, nil
-	case v.CSI != nil:
-		return policy.CSI, nil
-	}
-
-	return "", fmt.Errorf("unknown volume type for volume: %#v", v)
-}
-
-// FSTypeToStringSet converts an FSType slice to a string set.
-func FSTypeToStringSet(fsTypes []policy.FSType) sets.String {
-	set := sets.NewString()
-	for _, v := range fsTypes {
-		set.Insert(string(v))
-	}
-	return set
-}
-
-// PSPAllowsAllVolumes checks for FSTypeAll in the psp's allowed volumes.
-func PSPAllowsAllVolumes(psp *policy.PodSecurityPolicy) bool {
-	return PSPAllowsFSType(psp, policy.All)
-}
-
-// PSPAllowsFSType is a utility for checking if a PSP allows a particular FSType.
-// If all volumes are allowed then this will return true for any FSType passed.
-func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool {
-	if psp == nil {
-		return false
-	}
-
-	for _, v := range psp.Spec.Volumes {
-		if v == fsType || v == policy.All {
-			return true
-		}
-	}
-	return false
-}
-
-// UserFallsInRange is a utility to determine it the id falls in the valid range.
-func UserFallsInRange(id int64, rng policy.IDRange) bool {
-	return id >= rng.Min && id <= rng.Max
-}
-
-// GroupFallsInRange is a utility to determine it the id falls in the valid range.
-func GroupFallsInRange(id int64, rng policy.IDRange) bool {
-	return id >= rng.Min && id <= rng.Max
-}
-
-// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
-// This only checks the path. You should still check to make sure the host volume fs type is allowed.
-func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) (pathIsAllowed, mustBeReadOnly bool) {
-	if psp == nil {
-		return false, false
-	}
-
-	// If no allowed paths are specified then allow any path
-	if len(psp.Spec.AllowedHostPaths) == 0 {
-		return true, false
-	}
-
-	for _, allowedPath := range psp.Spec.AllowedHostPaths {
-		if hasPathPrefix(hostPath, allowedPath.PathPrefix) {
-			if !allowedPath.ReadOnly {
-				return true, allowedPath.ReadOnly
-			}
-			pathIsAllowed = true
-			mustBeReadOnly = true
-		}
-	}
-
-	return pathIsAllowed, mustBeReadOnly
-}
-
-// hasPathPrefix returns true if the string matches pathPrefix exactly, or if is prefixed with pathPrefix at a path segment boundary
-// the string and pathPrefix are both normalized to remove trailing slashes prior to checking.
-func hasPathPrefix(s, pathPrefix string) bool {
-
-	s = strings.TrimSuffix(s, "/")
-	pathPrefix = strings.TrimSuffix(pathPrefix, "/")
-
-	// Short circuit if s doesn't contain the prefix at all
-	if !strings.HasPrefix(s, pathPrefix) {
-		return false
-	}
-
-	pathPrefixLength := len(pathPrefix)
-
-	if len(s) == pathPrefixLength {
-		// Exact match
-		return true
-	}
-
-	if s[pathPrefixLength:pathPrefixLength+1] == "/" {
-		// The next character in s is a path segment boundary
-		// Check this instead of normalizing pathPrefix to avoid allocating on every call
-		// Example where this check applies: s=/foo/bar and pathPrefix=/foo
-		return true
-	}
-
-	return false
-}
-
-// EqualStringSlices compares string slices for equality. Slices are equal when
-// their sizes and elements on similar positions are equal.
-func EqualStringSlices(a, b []string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	for i := 0; i < len(a); i++ {
-		if a[i] != b[i] {
-			return false
-		}
-	}
-	return true
-}