vendor update for CSI 0.3.0

vendor/k8s.io/kubernetes/plugin/pkg/admission/gc/BUILD

@@ -30,6 +30,7 @@ go_test(
         "//pkg/api/legacyscheme:go_default_library",
         "//pkg/apis/core:go_default_library",
         "//pkg/kubeapiserver/admission:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/meta/testrestmapper:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",

vendor/k8s.io/kubernetes/plugin/pkg/admission/gc/gc_admission.go

@@ -95,21 +95,26 @@ func (a *gcPermissionsEnforcement) Validate(attributes admission.Attributes) (er
 		return nil
 	}
 
-	deleteAttributes := authorizer.AttributesRecord{
-		User:            attributes.GetUserInfo(),
-		Verb:            "delete",
-		Namespace:       attributes.GetNamespace(),
-		APIGroup:        attributes.GetResource().Group,
-		APIVersion:      attributes.GetResource().Version,
-		Resource:        attributes.GetResource().Resource,
-		Subresource:     attributes.GetSubresource(),
-		Name:            attributes.GetName(),
-		ResourceRequest: true,
-		Path:            "",
-	}
-	decision, reason, err := a.authorizer.Authorize(deleteAttributes)
-	if decision != authorizer.DecisionAllow {
-		return admission.NewForbidden(attributes, fmt.Errorf("cannot set an ownerRef on a resource you can't delete: %v, %v", reason, err))
+	// if you are creating a thing, you should always be allowed to set an owner ref since you logically had the power
+	// to never create it.  We still need to check block owner deletion below, because the power to delete does not
+	// imply the power to prevent deletion on other resources.
+	if attributes.GetOperation() != admission.Create {
+		deleteAttributes := authorizer.AttributesRecord{
+			User:            attributes.GetUserInfo(),
+			Verb:            "delete",
+			Namespace:       attributes.GetNamespace(),
+			APIGroup:        attributes.GetResource().Group,
+			APIVersion:      attributes.GetResource().Version,
+			Resource:        attributes.GetResource().Resource,
+			Subresource:     attributes.GetSubresource(),
+			Name:            attributes.GetName(),
+			ResourceRequest: true,
+			Path:            "",
+		}
+		decision, reason, err := a.authorizer.Authorize(deleteAttributes)
+		if decision != authorizer.DecisionAllow {
+			return admission.NewForbidden(attributes, fmt.Errorf("cannot set an ownerRef on a resource you can't delete: %v, %v", reason, err))
+		}
 	}
 
 	// Further check if the user is setting ownerReference.blockOwnerDeletion to
@@ -119,7 +124,7 @@ func (a *gcPermissionsEnforcement) Validate(attributes admission.Attributes) (er
 	for _, ref := range newBlockingRefs {
 		records, err := a.ownerRefToDeleteAttributeRecords(ref, attributes)
 		if err != nil {
-			return admission.NewForbidden(attributes, fmt.Errorf("cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion %s Kind %s: %v, %v", ref.APIVersion, ref.Kind, reason, err))
+			return admission.NewForbidden(attributes, fmt.Errorf("cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion %s Kind %s: %v", ref.APIVersion, ref.Kind, err))
 		}
 		// Multiple records are returned if ref.Kind could map to multiple
 		// resources. User needs to have delete permission on all the
@@ -186,9 +191,9 @@ func (a *gcPermissionsEnforcement) ownerRefToDeleteAttributeRecords(ref metav1.O
 			Verb: "update",
 			// ownerReference can only refer to an object in the same namespace, so attributes.GetNamespace() equals to the owner's namespace
 			Namespace:       attributes.GetNamespace(),
-			APIGroup:        groupVersion.Group,
-			APIVersion:      groupVersion.Version,
-			Resource:        mapping.Resource,
+			APIGroup:        mapping.Resource.Group,
+			APIVersion:      mapping.Resource.Version,
+			Resource:        mapping.Resource.Resource,
 			Subresource:     "finalizers",
 			Name:            ref.Name,
 			ResourceRequest: true,

vendor/k8s.io/kubernetes/plugin/pkg/admission/gc/gc_admission_test.go

@@ -20,6 +20,7 @@ import (
 	"strings"
 	"testing"
 
+	"k8s.io/apimachinery/pkg/api/meta/testrestmapper"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -87,7 +88,7 @@ func newGCPermissionsEnforcement() (*gcPermissionsEnforcement, error) {
 	}
 
 	genericPluginInitializer := initializer.New(nil, nil, fakeAuthorizer{}, nil)
-	pluginInitializer := kubeadmission.NewPluginInitializer(nil, nil, nil, legacyscheme.Registry.RESTMapper(), nil)
+	pluginInitializer := kubeadmission.NewPluginInitializer(nil, nil, nil, testrestmapper.TestOnlyStaticRESTMapper(legacyscheme.Scheme), nil)
 	initializersChain := admission.PluginInitializers{}
 	initializersChain = append(initializersChain, genericPluginInitializer)
 	initializersChain = append(initializersChain, pluginInitializer)
@@ -101,6 +102,9 @@ func TestGCAdmission(t *testing.T) {
 		return err == nil
 	}
 	expectCantSetOwnerRefError := func(err error) bool {
+		if err == nil {
+			return false
+		}
 		return strings.Contains(err.Error(), "cannot set an ownerRef on a resource you can't delete")
 	}
 	tests := []struct {
@@ -139,7 +143,7 @@ func TestGCAdmission(t *testing.T) {
 			username:   "non-deleter",
 			resource:   api.SchemeGroupVersion.WithResource("pods"),
 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
-			checkError: expectCantSetOwnerRefError,
+			checkError: expectNoError,
 		},
 		{
 			name:       "non-pod-deleter, create, no objectref change",
@@ -153,7 +157,7 @@ func TestGCAdmission(t *testing.T) {
 			username:   "non-pod-deleter",
 			resource:   api.SchemeGroupVersion.WithResource("pods"),
 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
-			checkError: expectCantSetOwnerRefError,
+			checkError: expectNoError,
 		},
 		{
 			name:       "non-pod-deleter, create, objectref change, but not a pod",
@@ -253,32 +257,34 @@ func TestGCAdmission(t *testing.T) {
 			checkError: expectNoError,
 		},
 	}
-	gcAdmit, err := newGCPermissionsEnforcement()
-	if err != nil {
-		t.Error(err)
-	}
 
 	for _, tc := range tests {
-		operation := admission.Create
-		if tc.oldObj != nil {
-			operation = admission.Update
-		}
-		user := &user.DefaultInfo{Name: tc.username}
-		attributes := admission.NewAttributesRecord(tc.newObj, tc.oldObj, schema.GroupVersionKind{}, metav1.NamespaceDefault, "foo", tc.resource, tc.subresource, operation, user)
+		t.Run(tc.name, func(t *testing.T) {
+			gcAdmit, err := newGCPermissionsEnforcement()
+			if err != nil {
+				t.Error(err)
+			}
 
-		err := gcAdmit.Validate(attributes)
-		if !tc.checkError(err) {
-			t.Errorf("%v: unexpected err: %v", tc.name, err)
-		}
+			operation := admission.Create
+			if tc.oldObj != nil {
+				operation = admission.Update
+			}
+			user := &user.DefaultInfo{Name: tc.username}
+			attributes := admission.NewAttributesRecord(tc.newObj, tc.oldObj, schema.GroupVersionKind{}, metav1.NamespaceDefault, "foo", tc.resource, tc.subresource, operation, user)
+
+			err = gcAdmit.Validate(attributes)
+			if !tc.checkError(err) {
+				t.Errorf("unexpected err: %v", err)
+			}
+		})
 	}
 }
 
 func TestBlockOwnerDeletionAdmission(t *testing.T) {
 	podWithOwnerRefs := func(refs ...metav1.OwnerReference) *api.Pod {
 		var refSlice []metav1.OwnerReference
-		for _, ref := range refs {
-			refSlice = append(refSlice, ref)
-		}
+		refSlice = append(refSlice, refs...)
+
 		return &api.Pod{
 			ObjectMeta: metav1.ObjectMeta{
 				OwnerReferences: refSlice,