vendor cleanup: remove unused,non-go and test files

vendor/k8s.io/kubernetes/pkg/security/apparmor/BUILD

@@ -1,82 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = [
-        "helpers.go",
-        "validate.go",
-    ] + select({
-        "@io_bazel_rules_go//go/platform:android": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:darwin": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:dragonfly": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:freebsd": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:nacl": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:netbsd": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:openbsd": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:plan9": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:solaris": [
-            "validate_disabled.go",
-        ],
-        "@io_bazel_rules_go//go/platform:windows": [
-            "validate_disabled.go",
-        ],
-        "//conditions:default": [],
-    }),
-    importpath = "k8s.io/kubernetes/pkg/security/apparmor",
-    deps = [
-        "//pkg/features:go_default_library",
-        "//pkg/kubelet/types:go_default_library",
-        "//pkg/util/file:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
-    ],
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["validate_test.go"],
-    data = [
-        "testdata/profiles",
-    ],
-    embed = [":go_default_library"],
-    deps = [
-        "//vendor/github.com/stretchr/testify/assert:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
-    ],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)

vendor/k8s.io/kubernetes/pkg/security/apparmor/helpers.go

@@ -1,80 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package apparmor
-
-import (
-	"strings"
-
-	"k8s.io/api/core/v1"
-)
-
-// TODO: Move these values into the API package.
-const (
-	// The prefix to an annotation key specifying a container profile.
-	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
-	// The annotation key specifying the default AppArmor profile.
-	DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
-	// The annotation key specifying the allowed AppArmor profiles.
-	AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"
-
-	// The profile specifying the runtime default.
-	ProfileRuntimeDefault = "runtime/default"
-	// The prefix for specifying profiles loaded on the node.
-	ProfileNamePrefix = "localhost/"
-
-	// Unconfined profile
-	ProfileNameUnconfined = "unconfined"
-)
-
-// Checks whether app armor is required for pod to be run.
-func isRequired(pod *v1.Pod) bool {
-	for key, value := range pod.Annotations {
-		if strings.HasPrefix(key, ContainerAnnotationKeyPrefix) {
-			return value != ProfileNameUnconfined
-		}
-	}
-	return false
-}
-
-// Returns the name of the profile to use with the container.
-func GetProfileName(pod *v1.Pod, containerName string) string {
-	return GetProfileNameFromPodAnnotations(pod.Annotations, containerName)
-}
-
-// GetProfileNameFromPodAnnotations gets the name of the profile to use with container from
-// pod annotations
-func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string {
-	return annotations[ContainerAnnotationKeyPrefix+containerName]
-}
-
-// Sets the name of the profile to use with the container.
-func SetProfileName(pod *v1.Pod, containerName, profileName string) error {
-	if pod.Annotations == nil {
-		pod.Annotations = map[string]string{}
-	}
-	pod.Annotations[ContainerAnnotationKeyPrefix+containerName] = profileName
-	return nil
-}
-
-// Sets the name of the profile to use with the container.
-func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error {
-	if annotations == nil {
-		return nil
-	}
-	annotations[ContainerAnnotationKeyPrefix+containerName] = profileName
-	return nil
-}

vendor/k8s.io/kubernetes/pkg/security/apparmor/testdata/profiles

@@ -1,24 +0,0 @@
-/usr/bin/evince-thumbnailer (enforce)
-/usr/bin/evince-thumbnailer//sanitized_helper (enforce)
-/usr/bin/evince-previewer (enforce)
-/usr/bin/evince-previewer//sanitized_helper (enforce)
-/usr/bin/evince (enforce)
-/usr/bin/evince//sanitized_helper (enforce)
-/usr/lib/telepathy/telepathy-ofono (enforce)
-/usr/lib/telepathy/telepathy-* (enforce)
-/usr/lib/telepathy/telepathy-*//sanitized_helper (enforce)
-/usr/lib/telepathy/telepathy-*//pxgsettings (enforce)
-/usr/lib/telepathy/mission-control-5 (enforce)
-/usr/lib/lightdm/lightdm-guest-session (enforce)
-/usr/lib/lightdm/lightdm-guest-session//chromium (enforce)
-/usr/sbin/tcpdump (enforce)
-docker-default (enforce)
-/usr/sbin/cups-browsed (enforce)
-/usr/sbin/cupsd (enforce)
-/usr/lib/cups/backend/cups-pdf (enforce)
-/usr/sbin/ntpd (enforce)
-/usr/lib/connman/scripts/dhclient-script (enforce)
-/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
-/sbin/dhclient (enforce)
-foo-container (complain)
-foo://namespaced-profile (enforce)

vendor/k8s.io/kubernetes/pkg/security/apparmor/validate.go

@@ -1,229 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package apparmor
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path"
-	"strings"
-
-	"k8s.io/api/core/v1"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/kubernetes/pkg/features"
-	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
-	utilfile "k8s.io/kubernetes/pkg/util/file"
-)
-
-// Whether AppArmor should be disabled by default.
-// Set to true if the wrong build tags are set (see validate_disabled.go).
-var isDisabledBuild bool
-
-// Interface for validating that a pod with with an AppArmor profile can be run by a Node.
-type Validator interface {
-	Validate(pod *v1.Pod) error
-	ValidateHost() error
-}
-
-func NewValidator(runtime string) Validator {
-	if err := validateHost(runtime); err != nil {
-		return &validator{validateHostErr: err}
-	}
-	appArmorFS, err := getAppArmorFS()
-	if err != nil {
-		return &validator{
-			validateHostErr: fmt.Errorf("error finding AppArmor FS: %v", err),
-		}
-	}
-	return &validator{
-		appArmorFS: appArmorFS,
-	}
-}
-
-type validator struct {
-	validateHostErr error
-	appArmorFS      string
-}
-
-func (v *validator) Validate(pod *v1.Pod) error {
-	if !isRequired(pod) {
-		return nil
-	}
-
-	if v.ValidateHost() != nil {
-		return v.validateHostErr
-	}
-
-	loadedProfiles, err := v.getLoadedProfiles()
-	if err != nil {
-		return fmt.Errorf("could not read loaded profiles: %v", err)
-	}
-
-	for _, container := range pod.Spec.InitContainers {
-		if err := validateProfile(GetProfileName(pod, container.Name), loadedProfiles); err != nil {
-			return err
-		}
-	}
-	for _, container := range pod.Spec.Containers {
-		if err := validateProfile(GetProfileName(pod, container.Name), loadedProfiles); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (v *validator) ValidateHost() error {
-	return v.validateHostErr
-}
-
-// Verify that the host and runtime is capable of enforcing AppArmor profiles.
-func validateHost(runtime string) error {
-	// Check feature-gates
-	if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) {
-		return errors.New("AppArmor disabled by feature-gate")
-	}
-
-	// Check build support.
-	if isDisabledBuild {
-		return errors.New("Binary not compiled for linux")
-	}
-
-	// Check kernel support.
-	if !IsAppArmorEnabled() {
-		return errors.New("AppArmor is not enabled on the host")
-	}
-
-	// Check runtime support. Currently only Docker is supported.
-	if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime {
-		return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime)
-	}
-
-	return nil
-}
-
-// Verify that the profile is valid and loaded.
-func validateProfile(profile string, loadedProfiles map[string]bool) error {
-	if err := ValidateProfileFormat(profile); err != nil {
-		return err
-	}
-
-	if strings.HasPrefix(profile, ProfileNamePrefix) {
-		profileName := strings.TrimPrefix(profile, ProfileNamePrefix)
-		if !loadedProfiles[profileName] {
-			return fmt.Errorf("profile %q is not loaded", profileName)
-		}
-	}
-
-	return nil
-}
-
-func ValidateProfileFormat(profile string) error {
-	if profile == "" || profile == ProfileRuntimeDefault || profile == ProfileNameUnconfined {
-		return nil
-	}
-	if !strings.HasPrefix(profile, ProfileNamePrefix) {
-		return fmt.Errorf("invalid AppArmor profile name: %q", profile)
-	}
-	return nil
-}
-
-func (v *validator) getLoadedProfiles() (map[string]bool, error) {
-	profilesPath := path.Join(v.appArmorFS, "profiles")
-	profilesFile, err := os.Open(profilesPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open %s: %v", profilesPath, err)
-	}
-	defer profilesFile.Close()
-
-	profiles := map[string]bool{}
-	scanner := bufio.NewScanner(profilesFile)
-	for scanner.Scan() {
-		profileName := parseProfileName(scanner.Text())
-		if profileName == "" {
-			// Unknown line format; skip it.
-			continue
-		}
-		profiles[profileName] = true
-	}
-	return profiles, nil
-}
-
-// The profiles file is formatted with one profile per line, matching a form:
-//   namespace://profile-name (mode)
-//   profile-name (mode)
-// Where mode is {enforce, complain, kill}. The "namespace://" is only included for namespaced
-// profiles. For the purposes of Kubernetes, we consider the namespace part of the profile name.
-func parseProfileName(profileLine string) string {
-	modeIndex := strings.IndexRune(profileLine, '(')
-	if modeIndex < 0 {
-		return ""
-	}
-	return strings.TrimSpace(profileLine[:modeIndex])
-}
-
-func getAppArmorFS() (string, error) {
-	mountsFile, err := os.Open("/proc/mounts")
-	if err != nil {
-		return "", fmt.Errorf("could not open /proc/mounts: %v", err)
-	}
-	defer mountsFile.Close()
-
-	scanner := bufio.NewScanner(mountsFile)
-	for scanner.Scan() {
-		fields := strings.Fields(scanner.Text())
-		if len(fields) < 3 {
-			// Unknown line format; skip it.
-			continue
-		}
-		if fields[2] == "securityfs" {
-			appArmorFS := path.Join(fields[1], "apparmor")
-			if ok, err := utilfile.FileExists(appArmorFS); !ok {
-				msg := fmt.Sprintf("path %s does not exist", appArmorFS)
-				if err != nil {
-					return "", fmt.Errorf("%s: %v", msg, err)
-				} else {
-					return "", errors.New(msg)
-				}
-			} else {
-				return appArmorFS, nil
-			}
-		}
-	}
-	if err := scanner.Err(); err != nil {
-		return "", fmt.Errorf("error scanning mounts: %v", err)
-	}
-
-	return "", errors.New("securityfs not found")
-}
-
-// IsAppArmorEnabled returns true if apparmor is enabled for the host.
-// This function is forked from
-// https://github.com/opencontainers/runc/blob/1a81e9ab1f138c091fe5c86d0883f87716088527/libcontainer/apparmor/apparmor.go
-// to avoid the libapparmor dependency.
-func IsAppArmorEnabled() bool {
-	if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
-		if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
-			buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
-			return err == nil && len(buf) > 1 && buf[0] == 'Y'
-		}
-	}
-	return false
-}

vendor/k8s.io/kubernetes/pkg/security/apparmor/validate_disabled.go

@@ -1,24 +0,0 @@
-// +build !linux
-
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package apparmor
-
-func init() {
-	// If Kubernetes was not built for linux, apparmor is always disabled.
-	isDisabledBuild = true
-}

vendor/k8s.io/kubernetes/pkg/security/apparmor/validate_test.go

@@ -1,198 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package apparmor
-
-import (
-	"errors"
-	"fmt"
-	"testing"
-
-	"k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestGetAppArmorFS(t *testing.T) {
-	// This test only passes on systems running AppArmor with the default configuration.
-	// The test should be manually run if modifying the getAppArmorFS function.
-	t.Skip()
-
-	const expectedPath = "/sys/kernel/security/apparmor"
-	actualPath, err := getAppArmorFS()
-	assert.NoError(t, err)
-	assert.Equal(t, expectedPath, actualPath)
-}
-
-func TestValidateHost(t *testing.T) {
-	// This test only passes on systems running AppArmor with the default configuration.
-	// The test should be manually run if modifying the getAppArmorFS function.
-	t.Skip()
-
-	assert.NoError(t, validateHost("docker"))
-	assert.Error(t, validateHost("rkt"))
-}
-
-func TestValidateProfile(t *testing.T) {
-	loadedProfiles := map[string]bool{
-		"docker-default":                                true,
-		"foo-bar":                                       true,
-		"baz":                                           true,
-		"/usr/sbin/ntpd":                                true,
-		"/usr/lib/connman/scripts/dhclient-script":      true,
-		"/usr/lib/NetworkManager/nm-dhcp-client.action": true,
-		"/usr/bin/evince-previewer//sanitized_helper":   true,
-	}
-	tests := []struct {
-		profile     string
-		expectValid bool
-	}{
-		{"", true},
-		{ProfileRuntimeDefault, true},
-		{ProfileNameUnconfined, true},
-		{"baz", false}, // Missing local prefix.
-		{ProfileNamePrefix + "/usr/sbin/ntpd", true},
-		{ProfileNamePrefix + "foo-bar", true},
-		{ProfileNamePrefix + "unloaded", false}, // Not loaded.
-		{ProfileNamePrefix + "", false},
-	}
-
-	for _, test := range tests {
-		err := validateProfile(test.profile, loadedProfiles)
-		if test.expectValid {
-			assert.NoError(t, err, "Profile %s should be valid", test.profile)
-		} else {
-			assert.Error(t, err, fmt.Sprintf("Profile %s should not be valid", test.profile))
-		}
-	}
-}
-
-func TestValidateBadHost(t *testing.T) {
-	hostErr := errors.New("expected host error")
-	v := &validator{
-		validateHostErr: hostErr,
-	}
-
-	tests := []struct {
-		profile     string
-		expectValid bool
-	}{
-		{"", true},
-		{ProfileRuntimeDefault, false},
-		{ProfileNamePrefix + "docker-default", false},
-	}
-
-	for _, test := range tests {
-		err := v.Validate(getPodWithProfile(test.profile))
-		if test.expectValid {
-			assert.NoError(t, err, "Pod with profile %q should be valid", test.profile)
-		} else {
-			assert.Equal(t, hostErr, err, "Pod with profile %q should trigger a host validation error", test.profile)
-		}
-	}
-}
-
-func TestValidateValidHost(t *testing.T) {
-	v := &validator{
-		appArmorFS: "./testdata/",
-	}
-
-	tests := []struct {
-		profile     string
-		expectValid bool
-	}{
-		{"", true},
-		{ProfileRuntimeDefault, true},
-		{ProfileNamePrefix + "docker-default", true},
-		{ProfileNamePrefix + "foo-container", true},
-		{ProfileNamePrefix + "/usr/sbin/ntpd", true},
-		{"docker-default", false},
-		{ProfileNamePrefix + "foo", false},
-		{ProfileNamePrefix + "", false},
-	}
-
-	for _, test := range tests {
-		err := v.Validate(getPodWithProfile(test.profile))
-		if test.expectValid {
-			assert.NoError(t, err, "Pod with profile %q should be valid", test.profile)
-		} else {
-			assert.Error(t, err, fmt.Sprintf("Pod with profile %q should trigger a validation error", test.profile))
-		}
-	}
-
-	// Test multi-container pod.
-	pod := &v1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Annotations: map[string]string{
-				ContainerAnnotationKeyPrefix + "init":  ProfileNamePrefix + "foo-container",
-				ContainerAnnotationKeyPrefix + "test1": ProfileRuntimeDefault,
-				ContainerAnnotationKeyPrefix + "test2": ProfileNamePrefix + "docker-default",
-			},
-		},
-		Spec: v1.PodSpec{
-			InitContainers: []v1.Container{
-				{Name: "init"},
-			},
-			Containers: []v1.Container{
-				{Name: "test1"},
-				{Name: "test2"},
-				{Name: "no-profile"},
-			},
-		},
-	}
-	assert.NoError(t, v.Validate(pod), "Multi-container pod should validate")
-	for k, val := range pod.Annotations {
-		pod.Annotations[k] = val + "-bad"
-		assert.Error(t, v.Validate(pod), fmt.Sprintf("Multi-container pod with invalid profile %s:%s", k, pod.Annotations[k]))
-		pod.Annotations[k] = val // Restore.
-	}
-}
-
-func TestParseProfileName(t *testing.T) {
-	tests := []struct{ line, expected string }{
-		{"foo://bar/baz (kill)", "foo://bar/baz"},
-		{"foo-bar (enforce)", "foo-bar"},
-		{"/usr/foo/bar/baz (complain)", "/usr/foo/bar/baz"},
-	}
-	for _, test := range tests {
-		name := parseProfileName(test.line)
-		assert.Equal(t, test.expected, name, "Parsing %s", test.line)
-	}
-}
-
-func getPodWithProfile(profile string) *v1.Pod {
-	annotations := map[string]string{
-		ContainerAnnotationKeyPrefix + "test": profile,
-	}
-	if profile == "" {
-		annotations = map[string]string{
-			"foo": "bar",
-		}
-	}
-	return &v1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Annotations: annotations,
-		},
-		Spec: v1.PodSpec{
-			Containers: []v1.Container{
-				{
-					Name: "test",
-				},
-			},
-		},
-	}
-}