rebase: update kubernetes dep to 1.24.0

As kubernetes 1.24.0 is released, updating
kubernetes dependencies to 1.24.0

updates: #3086

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

vendor/k8s.io/pod-security-admission/api/attributes.go

@@ -0,0 +1,146 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// Attributes exposes the admission request parameters consumed by the PodSecurity admission controller.
+type Attributes interface {
+	// GetName is the name of the object associated with the request.
+	GetName() string
+	// GetNamespace is the namespace associated with the request (if any)
+	GetNamespace() string
+	// GetResource is the name of the resource being requested.  This is not the kind.  For example: pods
+	GetResource() schema.GroupVersionResource
+	// GetKind is the name of the kind being requested.  For example: Pod
+	GetKind() schema.GroupVersionKind
+	// GetSubresource is the name of the subresource being requested.  This is a different resource, scoped to the parent resource, but it may have a different kind.
+	// For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
+	// (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
+	GetSubresource() string
+	// GetOperation is the operation being performed
+	GetOperation() admissionv1.Operation
+
+	// GetObject returns the typed Object from incoming request.
+	// For objects in the core API group, the result must use the v1 API.
+	GetObject() (runtime.Object, error)
+	// GetOldObject returns the typed existing object. Only populated for UPDATE requests.
+	// For objects in the core API group, the result must use the v1 API.
+	GetOldObject() (runtime.Object, error)
+	// GetUserName is the requesting user's authenticated name.
+	GetUserName() string
+}
+
+// AttributesRecord is a simple struct implementing the Attributes interface.
+type AttributesRecord struct {
+	Name        string
+	Namespace   string
+	Kind        schema.GroupVersionKind
+	Resource    schema.GroupVersionResource
+	Subresource string
+	Operation   admissionv1.Operation
+	Object      runtime.Object
+	OldObject   runtime.Object
+	Username    string
+}
+
+func (a *AttributesRecord) GetName() string {
+	return a.Name
+}
+func (a *AttributesRecord) GetNamespace() string {
+	return a.Namespace
+}
+func (a *AttributesRecord) GetKind() schema.GroupVersionKind {
+	return a.Kind
+}
+func (a *AttributesRecord) GetResource() schema.GroupVersionResource {
+	return a.Resource
+}
+func (a *AttributesRecord) GetSubresource() string {
+	return a.Subresource
+}
+func (a *AttributesRecord) GetOperation() admissionv1.Operation {
+	return a.Operation
+}
+func (a *AttributesRecord) GetUserName() string {
+	return a.Username
+}
+func (a *AttributesRecord) GetObject() (runtime.Object, error) {
+	return a.Object, nil
+}
+func (a *AttributesRecord) GetOldObject() (runtime.Object, error) {
+	return a.OldObject, nil
+}
+
+var _ Attributes = &AttributesRecord{}
+
+// RequestAttributes adapts an admission.Request to the Attributes interface.
+func RequestAttributes(request *admissionv1.AdmissionRequest, decoder runtime.Decoder) Attributes {
+	return &attributes{
+		r:       request,
+		decoder: decoder,
+	}
+}
+
+// attributes is an interface used by AdmissionController to get information about a request
+// that is used to make an admission decision.
+type attributes struct {
+	r       *admissionv1.AdmissionRequest
+	decoder runtime.Decoder
+}
+
+func (a *attributes) GetName() string {
+	return a.r.Name
+}
+func (a *attributes) GetNamespace() string {
+	return a.r.Namespace
+}
+func (a *attributes) GetKind() schema.GroupVersionKind {
+	return schema.GroupVersionKind(a.r.Kind)
+}
+func (a *attributes) GetResource() schema.GroupVersionResource {
+	return schema.GroupVersionResource(a.r.Resource)
+}
+func (a *attributes) GetSubresource() string {
+	return a.r.RequestSubResource
+}
+func (a *attributes) GetOperation() admissionv1.Operation {
+	return a.r.Operation
+}
+func (a *attributes) GetUserName() string {
+	return a.r.UserInfo.Username
+}
+func (a *attributes) GetObject() (runtime.Object, error) {
+	return a.decode(a.r.Object)
+}
+func (a *attributes) GetOldObject() (runtime.Object, error) {
+	return a.decode(a.r.OldObject)
+}
+func (a *attributes) decode(in runtime.RawExtension) (runtime.Object, error) {
+	if in.Raw == nil {
+		return nil, nil
+	}
+	gvk := schema.GroupVersionKind(a.r.Kind)
+	out, _, err := a.decoder.Decode(in.Raw, &gvk, nil)
+	return out, err
+}
+
+var _ Attributes = &attributes{}

vendor/k8s.io/pod-security-admission/api/constants.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+type Level string
+
+const (
+	LevelPrivileged Level = "privileged"
+	LevelBaseline   Level = "baseline"
+	LevelRestricted Level = "restricted"
+)
+
+var validLevels = []string{
+	string(LevelPrivileged),
+	string(LevelBaseline),
+	string(LevelRestricted),
+}
+
+const VersionLatest = "latest"
+
+const AuditAnnotationPrefix = labelPrefix
+
+const (
+	labelPrefix = "pod-security.kubernetes.io/"
+
+	EnforceLevelLabel   = labelPrefix + "enforce"
+	EnforceVersionLabel = labelPrefix + "enforce-version"
+	AuditLevelLabel     = labelPrefix + "audit"
+	AuditVersionLabel   = labelPrefix + "audit-version"
+	WarnLevelLabel      = labelPrefix + "warn"
+	WarnVersionLabel    = labelPrefix + "warn-version"
+
+	ExemptionReasonAnnotationKey = "exempt"
+	AuditViolationsAnnotationKey = "audit-violations"
+	EnforcedPolicyAnnotationKey  = "enforce-policy"
+)

vendor/k8s.io/pod-security-admission/api/doc.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package api contains constants and helpers for PodSecurity admission label keys and values
+package api // import "k8s.io/pod-security-admission/api"

vendor/k8s.io/pod-security-admission/api/helpers.go

@@ -0,0 +1,230 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+	"unicode"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/component-base/version"
+)
+
+type Version struct {
+	major  int
+	minor  int
+	latest bool
+}
+
+func (v Version) String() string {
+	if v.latest {
+		return "latest"
+	}
+	return fmt.Sprintf("v%d.%d", v.major, v.minor)
+}
+
+// Older returns true if this version v is older than the other.
+func (v *Version) Older(other Version) bool {
+	if v.latest { // Latest is always consider newer, even than future versions.
+		return false
+	}
+	if other.latest {
+		return true
+	}
+	if v.major != other.major {
+		return v.major < other.major
+	}
+	return v.minor < other.minor
+}
+
+func (v *Version) Major() int {
+	return v.major
+}
+func (v *Version) Minor() int {
+	return v.minor
+}
+func (v *Version) Latest() bool {
+	return v.latest
+}
+
+func MajorMinorVersion(major, minor int) Version {
+	return Version{major: major, minor: minor}
+}
+
+// GetAPIVersion get the version of apiServer and return the version major and minor
+func GetAPIVersion() Version {
+	var err error
+	v := Version{}
+	apiVersion := version.Get()
+	major, err := strconv.Atoi(apiVersion.Major)
+	if err != nil {
+		return v
+	}
+	// split the "normal" + and - for semver stuff to get the leading minor number
+	minorString := strings.FieldsFunc(apiVersion.Minor, func(r rune) bool {
+		return !unicode.IsDigit(r)
+	})[0]
+	minor, err := strconv.Atoi(minorString)
+	if err != nil {
+		return v
+	}
+	v = MajorMinorVersion(major, minor)
+	return v
+}
+
+func LatestVersion() Version {
+	return Version{latest: true}
+}
+
+// ParseLevel returns the level that should be evaluated.
+// level must be "privileged", "baseline", or "restricted".
+// if level does not match one of those strings, "restricted" and an error is returned.
+func ParseLevel(level string) (Level, error) {
+	switch Level(level) {
+	case LevelPrivileged, LevelBaseline, LevelRestricted:
+		return Level(level), nil
+	default:
+		return LevelRestricted, fmt.Errorf(`must be one of %s`, strings.Join(validLevels, ", "))
+	}
+}
+
+// Valid checks whether the level l is a valid level.
+func (l *Level) Valid() bool {
+	switch *l {
+	case LevelPrivileged, LevelBaseline, LevelRestricted:
+		return true
+	default:
+		return false
+	}
+}
+
+var versionRegexp = regexp.MustCompile(`^v1\.([0-9]|[1-9][0-9]*)$`)
+
+// ParseVersion returns the policy version that should be evaluated.
+// version must be "latest" or "v1.x".
+// If version does not match one of those patterns, the latest version and an error is returned.
+func ParseVersion(version string) (Version, error) {
+	if version == "latest" {
+		return Version{latest: true}, nil
+	}
+	match := versionRegexp.FindStringSubmatch(version)
+	if len(match) != 2 {
+		return Version{latest: true}, fmt.Errorf(`must be "latest" or "v1.x"`)
+	}
+	versionNumber, err := strconv.Atoi(match[1])
+	if err != nil || versionNumber < 0 {
+		return Version{latest: true}, fmt.Errorf(`must be "latest" or "v1.x"`)
+	}
+	return Version{major: 1, minor: versionNumber}, nil
+}
+
+type LevelVersion struct {
+	Level
+	Version
+}
+
+func (lv LevelVersion) String() string {
+	return fmt.Sprintf("%s:%s", lv.Level, lv.Version)
+}
+
+type Policy struct {
+	Enforce LevelVersion
+	Audit   LevelVersion
+	Warn    LevelVersion
+}
+
+// PolicyToEvaluate resolves the PodSecurity namespace labels to the policy for that namespace,
+// falling back to the provided defaults when a label is unspecified. A valid policy is always
+// returned, even when an error is returned. If labels cannot be parsed correctly, the values of
+// "restricted" and "latest" are used for level and version respectively.
+func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.ErrorList) {
+	var (
+		err  error
+		errs field.ErrorList
+
+		p = defaults
+	)
+	if len(labels) == 0 {
+		return p, nil
+	}
+	if level, ok := labels[EnforceLevelLabel]; ok {
+		p.Enforce.Level, err = ParseLevel(level)
+		errs = appendErr(errs, err, EnforceLevelLabel, level)
+	}
+	if version, ok := labels[EnforceVersionLabel]; ok {
+		p.Enforce.Version, err = ParseVersion(version)
+		errs = appendErr(errs, err, EnforceVersionLabel, version)
+	}
+	if level, ok := labels[AuditLevelLabel]; ok {
+		p.Audit.Level, err = ParseLevel(level)
+		errs = appendErr(errs, err, AuditLevelLabel, level)
+		if err != nil {
+			p.Audit.Level = LevelPrivileged // Fail open for audit.
+		}
+	}
+	if version, ok := labels[AuditVersionLabel]; ok {
+		p.Audit.Version, err = ParseVersion(version)
+		errs = appendErr(errs, err, AuditVersionLabel, version)
+	}
+	if level, ok := labels[WarnLevelLabel]; ok {
+		p.Warn.Level, err = ParseLevel(level)
+		errs = appendErr(errs, err, WarnLevelLabel, level)
+		if err != nil {
+			p.Warn.Level = LevelPrivileged // Fail open for warn.
+		}
+	}
+	if version, ok := labels[WarnVersionLabel]; ok {
+		p.Warn.Version, err = ParseVersion(version)
+		errs = appendErr(errs, err, WarnVersionLabel, version)
+	}
+	return p, errs
+}
+
+// CompareLevels returns an integer comparing two levels by strictness. The result will be 0 if
+// a==b, -1 if a is less strict than b, and +1 if a is more strict than b.
+func CompareLevels(a, b Level) int {
+	if a == b {
+		return 0
+	}
+	switch a {
+	case LevelPrivileged:
+		return -1
+	case LevelRestricted:
+		return 1
+	default:
+		if b == LevelPrivileged {
+			return 1
+		} else if b == LevelRestricted {
+			return -1
+		}
+	}
+	// This should only happen if both a & b are invalid levels.
+	return 0
+}
+
+var labelsPath = field.NewPath("metadata", "labels")
+
+// appendErr is a helper function to collect label-specific errors.
+func appendErr(errs field.ErrorList, err error, label, value string) field.ErrorList {
+	if err != nil {
+		return append(errs, field.Invalid(labelsPath.Key(label), value, err.Error()))
+	}
+	return errs
+}