vendor update for CSI 0.3.0

2025-06-13 10:33:35 +00:00 · 2018-07-18 16:47:22 +02:00
parent 6f484f92fc
commit 8ea659f0d5
6810 changed files with 438061 additions and 193861 deletions
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/BUILD
@ -15,9 +15,8 @@ go_library(
    ],
    importpath = "k8s.io/kubernetes/pkg/kubelet/sysctl",
    deps = [
-        "//pkg/apis/core/v1/helper:go_default_library",
        "//pkg/apis/core/validation:go_default_library",
-        "//pkg/apis/extensions/validation:go_default_library",
+        "//pkg/apis/policy/validation:go_default_library",
        "//pkg/kubelet/container:go_default_library",
        "//pkg/kubelet/lifecycle:go_default_library",
    ],
@ -30,7 +29,7 @@ go_test(
        "whitelist_test.go",
    ],
    embed = [":go_default_library"],
-    deps = ["//vendor/k8s.io/api/core/v1:go_default_library"],
+    deps = ["//pkg/security/podsecuritypolicy/sysctl:go_default_library"],
 )

 filegroup(
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/runtime.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/runtime.go
@ -19,7 +19,6 @@ package sysctl
 import (
 	"fmt"

-	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	"k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 )
@ -31,7 +30,6 @@ const (
 	dockerMinimumAPIVersion = "1.24.0"

 	dockerTypeName = "docker"
-	rktTypeName    = "rkt"
 )

 // TODO: The admission logic in this file is runtime-dependent. It should be
@ -72,14 +70,6 @@ func NewRuntimeAdmitHandler(runtime container.Runtime) (*runtimeAdmitHandler, er
 				Message: "Docker API version before 1.24 does not support sysctls",
 			},
 		}, nil
-	case rktTypeName:
-		return &runtimeAdmitHandler{
-			result: lifecycle.PodAdmitResult{
-				Admit:   false,
-				Reason:  UnsupportedReason,
-				Message: "Rkt does not support sysctls",
-			},
-		}, nil
 	default:
 		// Return admit for other runtimes.
 		return &runtimeAdmitHandler{
@ -92,17 +82,11 @@ func NewRuntimeAdmitHandler(runtime container.Runtime) (*runtimeAdmitHandler, er

 // Admit checks whether the runtime supports sysctls.
 func (w *runtimeAdmitHandler) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
-	sysctls, unsafeSysctls, err := v1helper.SysctlsFromPodAnnotations(attrs.Pod.Annotations)
-	if err != nil {
-		return lifecycle.PodAdmitResult{
-			Admit:   false,
-			Reason:  AnnotationInvalidReason,
-			Message: fmt.Sprintf("invalid sysctl annotation: %v", err),
-		}
-	}
+	if attrs.Pod.Spec.SecurityContext != nil {

-	if len(sysctls)+len(unsafeSysctls) > 0 {
-		return w.result
+		if len(attrs.Pod.Spec.SecurityContext.Sysctls) > 0 {
+			return w.result
+		}
 	}

 	return lifecycle.PodAdmitResult{
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/whitelist.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/whitelist.go
@ -20,9 +20,8 @@ import (
 	"fmt"
 	"strings"

-	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
-	extvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation"
+	policyvalidation "k8s.io/kubernetes/pkg/apis/policy/validation"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 )

@ -31,44 +30,29 @@ const (
 	ForbiddenReason         = "SysctlForbidden"
 )

-// SafeSysctlWhitelist returns the whitelist of safe sysctls and safe sysctl patterns (ending in *).
-//
-// A sysctl is called safe iff
-// - it is namespaced in the container or the pod
-// - it is isolated, i.e. has no influence on any other pod on the same node.
-func SafeSysctlWhitelist() []string {
-	return []string{
-		"kernel.shm_rmid_forced",
-		"net.ipv4.ip_local_port_range",
-		"net.ipv4.tcp_syncookies",
-	}
-}
-
 // patternWhitelist takes a list of sysctls or sysctl patterns (ending in *) and
 // checks validity via a sysctl and prefix map, rejecting those which are not known
 // to be namespaced.
 type patternWhitelist struct {
-	sysctls       map[string]Namespace
-	prefixes      map[string]Namespace
-	annotationKey string
+	sysctls  map[string]Namespace
+	prefixes map[string]Namespace
 }

 var _ lifecycle.PodAdmitHandler = &patternWhitelist{}

 // NewWhitelist creates a new Whitelist from a list of sysctls and sysctl pattern (ending in *).
-func NewWhitelist(patterns []string, annotationKey string) (*patternWhitelist, error) {
+func NewWhitelist(patterns []string) (*patternWhitelist, error) {
 	w := &patternWhitelist{
-		sysctls:       map[string]Namespace{},
-		prefixes:      map[string]Namespace{},
-		annotationKey: annotationKey,
+		sysctls:  map[string]Namespace{},
+		prefixes: map[string]Namespace{},
 	}

 	for _, s := range patterns {
-		if !extvalidation.IsValidSysctlPattern(s) {
+		if !policyvalidation.IsValidSysctlPattern(s) {
 			return nil, fmt.Errorf("sysctl %q must have at most %d characters and match regex %s",
 				s,
 				validation.SysctlMaxLength,
-				extvalidation.SysctlPatternFmt,
+				policyvalidation.SysctlPatternFmt,
 			)
 		}
 		if strings.HasSuffix(s, "*") {
@ -121,32 +105,22 @@ func (w *patternWhitelist) validateSysctl(sysctl string, hostNet, hostIPC bool)
 	return fmt.Errorf("%q not whitelisted", sysctl)
 }

-// Admit checks that all sysctls given in annotations v1.SysctlsPodAnnotationKey and v1.UnsafeSysctlsPodAnnotationKey
+// Admit checks that all sysctls given in pod's security context
 // are valid according to the whitelist.
 func (w *patternWhitelist) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
 	pod := attrs.Pod
-	a := pod.Annotations[w.annotationKey]
-	if a == "" {
+	if pod.Spec.SecurityContext == nil || len(pod.Spec.SecurityContext.Sysctls) == 0 {
 		return lifecycle.PodAdmitResult{
 			Admit: true,
 		}
 	}

-	sysctls, err := v1helper.SysctlsFromPodAnnotation(a)
-	if err != nil {
-		return lifecycle.PodAdmitResult{
-			Admit:   false,
-			Reason:  AnnotationInvalidReason,
-			Message: fmt.Sprintf("invalid %s annotation: %v", w.annotationKey, err),
-		}
-	}
-
 	var hostNet, hostIPC bool
 	if pod.Spec.SecurityContext != nil {
 		hostNet = pod.Spec.HostNetwork
 		hostIPC = pod.Spec.HostIPC
 	}
-	for _, s := range sysctls {
+	for _, s := range pod.Spec.SecurityContext.Sysctls {
 		if err := w.validateSysctl(s.Name, hostNet, hostIPC); err != nil {
 			return lifecycle.PodAdmitResult{
 				Admit:   false,
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/whitelist_test.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/whitelist_test.go
@ -19,7 +19,7 @@ package sysctl
 import (
 	"testing"

-	"k8s.io/api/core/v1"
+	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl"
 )

 func TestNewWhitelist(t *testing.T) {
@ -35,7 +35,7 @@ func TestNewWhitelist(t *testing.T) {
 		{sysctls: []string{"net.*.foo"}, err: true},
 		{sysctls: []string{"foo"}, err: true},
 	} {
-		_, err := NewWhitelist(append(SafeSysctlWhitelist(), test.sysctls...), v1.SysctlsPodAnnotationKey)
+		_, err := NewWhitelist(append(sysctl.SafeSysctlWhitelist(), test.sysctls...))
 		if test.err && err == nil {
 			t.Errorf("expected an error creating a whitelist for %v", test.sysctls)
 		} else if !test.err && err != nil {
@ -65,7 +65,7 @@ func TestWhitelist(t *testing.T) {
 		{sysctl: "kernel.sem", hostIPC: true},
 	}

-	w, err := NewWhitelist(append(SafeSysctlWhitelist(), "kernel.msg*", "kernel.sem"), v1.SysctlsPodAnnotationKey)
+	w, err := NewWhitelist(append(sysctl.SafeSysctlWhitelist(), "kernel.msg*", "kernel.sem"))
 	if err != nil {
 		t.Fatalf("failed to create whitelist: %v", err)
 	}