vendor update for E2E framework

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/namespace.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sysctl
+
+import (
+	"strings"
+)
+
+// Namespace represents a kernel namespace name.
+type Namespace string
+
+const (
+	// the Linux IPC namespace
+	IpcNamespace = Namespace("ipc")
+
+	// the network namespace
+	NetNamespace = Namespace("net")
+
+	// the zero value if no namespace is known
+	UnknownNamespace = Namespace("")
+)
+
+var namespaces = map[string]Namespace{
+	"kernel.sem": IpcNamespace,
+}
+
+var prefixNamespaces = map[string]Namespace{
+	"kernel.shm": IpcNamespace,
+	"kernel.msg": IpcNamespace,
+	"fs.mqueue.": IpcNamespace,
+	"net.":       NetNamespace,
+}
+
+// NamespacedBy returns the namespace of the Linux kernel for a sysctl, or
+// UnknownNamespace if the sysctl is not known to be namespaced.
+func NamespacedBy(val string) Namespace {
+	if ns, found := namespaces[val]; found {
+		return ns
+	}
+	for p, ns := range prefixNamespaces {
+		if strings.HasPrefix(val, p) {
+			return ns
+		}
+	}
+	return UnknownNamespace
+}

vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/runtime.go

@@ -0,0 +1,95 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sysctl
+
+import (
+	"fmt"
+
+	"k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
+)
+
+const (
+	UnsupportedReason = "SysctlUnsupported"
+	// CRI uses semver-compatible API version, while docker does not
+	// (e.g., 1.24). Append the version with a ".0".
+	dockerMinimumAPIVersion = "1.24.0"
+
+	dockerTypeName = "docker"
+)
+
+// TODO: The admission logic in this file is runtime-dependent. It should be
+// changed to be generic and CRI-compatible.
+
+type runtimeAdmitHandler struct {
+	result lifecycle.PodAdmitResult
+}
+
+var _ lifecycle.PodAdmitHandler = &runtimeAdmitHandler{}
+
+// NewRuntimeAdmitHandler returns a sysctlRuntimeAdmitHandler which checks whether
+// the given runtime support sysctls.
+func NewRuntimeAdmitHandler(runtime container.Runtime) (*runtimeAdmitHandler, error) {
+	switch runtime.Type() {
+	case dockerTypeName:
+		v, err := runtime.APIVersion()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get runtime version: %v", err)
+		}
+
+		// only Docker API version >= 1.24 supports sysctls
+		c, err := v.Compare(dockerMinimumAPIVersion)
+		if err != nil {
+			return nil, fmt.Errorf("failed to compare Docker version for sysctl support: %v", err)
+		}
+		if c >= 0 {
+			return &runtimeAdmitHandler{
+				result: lifecycle.PodAdmitResult{
+					Admit: true,
+				},
+			}, nil
+		}
+		return &runtimeAdmitHandler{
+			result: lifecycle.PodAdmitResult{
+				Admit:   false,
+				Reason:  UnsupportedReason,
+				Message: "Docker API version before 1.24 does not support sysctls",
+			},
+		}, nil
+	default:
+		// Return admit for other runtimes.
+		return &runtimeAdmitHandler{
+			result: lifecycle.PodAdmitResult{
+				Admit: true,
+			},
+		}, nil
+	}
+}
+
+// Admit checks whether the runtime supports sysctls.
+func (w *runtimeAdmitHandler) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
+	if attrs.Pod.Spec.SecurityContext != nil {
+
+		if len(attrs.Pod.Spec.SecurityContext.Sysctls) > 0 {
+			return w.result
+		}
+	}
+
+	return lifecycle.PodAdmitResult{
+		Admit: true,
+	}
+}

vendor/k8s.io/kubernetes/pkg/kubelet/sysctl/whitelist.go

@@ -0,0 +1,136 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sysctl
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/kubernetes/pkg/apis/core/validation"
+	policyvalidation "k8s.io/kubernetes/pkg/apis/policy/validation"
+	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
+)
+
+const (
+	AnnotationInvalidReason = "InvalidSysctlAnnotation"
+	ForbiddenReason         = "SysctlForbidden"
+)
+
+// patternWhitelist takes a list of sysctls or sysctl patterns (ending in *) and
+// checks validity via a sysctl and prefix map, rejecting those which are not known
+// to be namespaced.
+type patternWhitelist struct {
+	sysctls  map[string]Namespace
+	prefixes map[string]Namespace
+}
+
+var _ lifecycle.PodAdmitHandler = &patternWhitelist{}
+
+// NewWhitelist creates a new Whitelist from a list of sysctls and sysctl pattern (ending in *).
+func NewWhitelist(patterns []string) (*patternWhitelist, error) {
+	w := &patternWhitelist{
+		sysctls:  map[string]Namespace{},
+		prefixes: map[string]Namespace{},
+	}
+
+	for _, s := range patterns {
+		if !policyvalidation.IsValidSysctlPattern(s) {
+			return nil, fmt.Errorf("sysctl %q must have at most %d characters and match regex %s",
+				s,
+				validation.SysctlMaxLength,
+				policyvalidation.SysctlPatternFmt,
+			)
+		}
+		if strings.HasSuffix(s, "*") {
+			prefix := s[:len(s)-1]
+			ns := NamespacedBy(prefix)
+			if ns == UnknownNamespace {
+				return nil, fmt.Errorf("the sysctls %q are not known to be namespaced", s)
+			}
+			w.prefixes[prefix] = ns
+		} else {
+			ns := NamespacedBy(s)
+			if ns == UnknownNamespace {
+				return nil, fmt.Errorf("the sysctl %q are not known to be namespaced", s)
+			}
+			w.sysctls[s] = ns
+		}
+	}
+	return w, nil
+}
+
+// validateSysctl checks that a sysctl is whitelisted because it is known
+// to be namespaced by the Linux kernel. Note that being whitelisted is required, but not
+// sufficient: the container runtime might have a stricter check and refuse to launch a pod.
+//
+// The parameters hostNet and hostIPC are used to forbid sysctls for pod sharing the
+// respective namespaces with the host. This check is only possible for sysctls on
+// the static default whitelist, not those on the custom whitelist provided by the admin.
+func (w *patternWhitelist) validateSysctl(sysctl string, hostNet, hostIPC bool) error {
+	nsErrorFmt := "%q not allowed with host %s enabled"
+	if ns, found := w.sysctls[sysctl]; found {
+		if ns == IpcNamespace && hostIPC {
+			return fmt.Errorf(nsErrorFmt, sysctl, ns)
+		}
+		if ns == NetNamespace && hostNet {
+			return fmt.Errorf(nsErrorFmt, sysctl, ns)
+		}
+		return nil
+	}
+	for p, ns := range w.prefixes {
+		if strings.HasPrefix(sysctl, p) {
+			if ns == IpcNamespace && hostIPC {
+				return fmt.Errorf(nsErrorFmt, sysctl, ns)
+			}
+			if ns == NetNamespace && hostNet {
+				return fmt.Errorf(nsErrorFmt, sysctl, ns)
+			}
+			return nil
+		}
+	}
+	return fmt.Errorf("%q not whitelisted", sysctl)
+}
+
+// Admit checks that all sysctls given in pod's security context
+// are valid according to the whitelist.
+func (w *patternWhitelist) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
+	pod := attrs.Pod
+	if pod.Spec.SecurityContext == nil || len(pod.Spec.SecurityContext.Sysctls) == 0 {
+		return lifecycle.PodAdmitResult{
+			Admit: true,
+		}
+	}
+
+	var hostNet, hostIPC bool
+	if pod.Spec.SecurityContext != nil {
+		hostNet = pod.Spec.HostNetwork
+		hostIPC = pod.Spec.HostIPC
+	}
+	for _, s := range pod.Spec.SecurityContext.Sysctls {
+		if err := w.validateSysctl(s.Name, hostNet, hostIPC); err != nil {
+			return lifecycle.PodAdmitResult{
+				Admit:   false,
+				Reason:  ForbiddenReason,
+				Message: fmt.Sprintf("forbidden sysctl: %v", err),
+			}
+		}
+	}
+
+	return lifecycle.PodAdmitResult{
+		Admit: true,
+	}
+}