rebase: update kubernetes to v1.25.0

update kubernetes to latest v1.25.0 release. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 10:33:35 +00:00 · 2022-08-24 07:54:25 +05:30
parent f47839d73d
commit e3bf375035
645 changed files with 42507 additions and 9219 deletions
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/accessors.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/accessors.go
@ -0,0 +1,474 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import (
+	"reflect"
+
+	api "k8s.io/kubernetes/pkg/apis/core"
+)
+
+// PodSecurityContextAccessor allows reading the values of a PodSecurityContext object
+type PodSecurityContextAccessor interface {
+	HostNetwork() bool
+	HostPID() bool
+	HostIPC() bool
+	SELinuxOptions() *api.SELinuxOptions
+	RunAsUser() *int64
+	RunAsGroup() *int64
+	RunAsNonRoot() *bool
+	SupplementalGroups() []int64
+	FSGroup() *int64
+}
+
+// PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object
+type PodSecurityContextMutator interface {
+	PodSecurityContextAccessor
+
+	SetHostNetwork(bool)
+	SetHostPID(bool)
+	SetHostIPC(bool)
+	SetSELinuxOptions(*api.SELinuxOptions)
+	SetRunAsUser(*int64)
+	SetRunAsGroup(*int64)
+	SetRunAsNonRoot(*bool)
+	SetSupplementalGroups([]int64)
+	SetFSGroup(*int64)
+
+	// PodSecurityContext returns the current PodSecurityContext object
+	PodSecurityContext() *api.PodSecurityContext
+}
+
+// NewPodSecurityContextAccessor returns an accessor for the given pod security context.
+// May be initialized with a nil PodSecurityContext.
+func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor {
+	return &podSecurityContextWrapper{podSC: podSC}
+}
+
+// NewPodSecurityContextMutator returns a mutator for the given pod security context.
+// May be initialized with a nil PodSecurityContext.
+func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator {
+	return &podSecurityContextWrapper{podSC: podSC}
+}
+
+type podSecurityContextWrapper struct {
+	podSC *api.PodSecurityContext
+}
+
+func (w *podSecurityContextWrapper) PodSecurityContext() *api.PodSecurityContext {
+	return w.podSC
+}
+
+func (w *podSecurityContextWrapper) ensurePodSC() {
+	if w.podSC == nil {
+		w.podSC = &api.PodSecurityContext{}
+	}
+}
+
+func (w *podSecurityContextWrapper) HostNetwork() bool {
+	if w.podSC == nil {
+		return false
+	}
+	return w.podSC.HostNetwork
+}
+func (w *podSecurityContextWrapper) SetHostNetwork(v bool) {
+	if w.podSC == nil && v == false {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.HostNetwork = v
+}
+func (w *podSecurityContextWrapper) HostPID() bool {
+	if w.podSC == nil {
+		return false
+	}
+	return w.podSC.HostPID
+}
+func (w *podSecurityContextWrapper) SetHostPID(v bool) {
+	if w.podSC == nil && v == false {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.HostPID = v
+}
+func (w *podSecurityContextWrapper) HostIPC() bool {
+	if w.podSC == nil {
+		return false
+	}
+	return w.podSC.HostIPC
+}
+func (w *podSecurityContextWrapper) SetHostIPC(v bool) {
+	if w.podSC == nil && v == false {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.HostIPC = v
+}
+func (w *podSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.SELinuxOptions
+}
+func (w *podSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
+	if w.podSC == nil && v == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.SELinuxOptions = v
+}
+func (w *podSecurityContextWrapper) RunAsUser() *int64 {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.RunAsUser
+}
+func (w *podSecurityContextWrapper) SetRunAsUser(v *int64) {
+	if w.podSC == nil && v == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.RunAsUser = v
+}
+func (w *podSecurityContextWrapper) RunAsGroup() *int64 {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.RunAsGroup
+}
+func (w *podSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if w.podSC == nil && v == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.RunAsGroup = v
+}
+
+func (w *podSecurityContextWrapper) RunAsNonRoot() *bool {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.RunAsNonRoot
+}
+func (w *podSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
+	if w.podSC == nil && v == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.RunAsNonRoot = v
+}
+func (w *podSecurityContextWrapper) SupplementalGroups() []int64 {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.SupplementalGroups
+}
+func (w *podSecurityContextWrapper) SetSupplementalGroups(v []int64) {
+	if w.podSC == nil && len(v) == 0 {
+		return
+	}
+	w.ensurePodSC()
+	if len(v) == 0 && len(w.podSC.SupplementalGroups) == 0 {
+		return
+	}
+	w.podSC.SupplementalGroups = v
+}
+func (w *podSecurityContextWrapper) FSGroup() *int64 {
+	if w.podSC == nil {
+		return nil
+	}
+	return w.podSC.FSGroup
+}
+func (w *podSecurityContextWrapper) SetFSGroup(v *int64) {
+	if w.podSC == nil && v == nil {
+		return
+	}
+	w.ensurePodSC()
+	w.podSC.FSGroup = v
+}
+
+// ContainerSecurityContextAccessor allows reading the values of a SecurityContext object
+type ContainerSecurityContextAccessor interface {
+	Capabilities() *api.Capabilities
+	Privileged() *bool
+	ProcMount() api.ProcMountType
+	SELinuxOptions() *api.SELinuxOptions
+	RunAsUser() *int64
+	RunAsGroup() *int64
+	RunAsNonRoot() *bool
+	ReadOnlyRootFilesystem() *bool
+	AllowPrivilegeEscalation() *bool
+}
+
+// ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object
+type ContainerSecurityContextMutator interface {
+	ContainerSecurityContextAccessor
+
+	ContainerSecurityContext() *api.SecurityContext
+
+	SetCapabilities(*api.Capabilities)
+	SetPrivileged(*bool)
+	SetSELinuxOptions(*api.SELinuxOptions)
+	SetRunAsUser(*int64)
+	SetRunAsGroup(*int64)
+	SetRunAsNonRoot(*bool)
+	SetReadOnlyRootFilesystem(*bool)
+	SetAllowPrivilegeEscalation(*bool)
+}
+
+// NewContainerSecurityContextAccessor returns an accessor for the provided container security context
+// May be initialized with a nil SecurityContext
+func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor {
+	return &containerSecurityContextWrapper{containerSC: containerSC}
+}
+
+// NewContainerSecurityContextMutator returns a mutator for the provided container security context
+// May be initialized with a nil SecurityContext
+func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator {
+	return &containerSecurityContextWrapper{containerSC: containerSC}
+}
+
+type containerSecurityContextWrapper struct {
+	containerSC *api.SecurityContext
+}
+
+func (w *containerSecurityContextWrapper) ContainerSecurityContext() *api.SecurityContext {
+	return w.containerSC
+}
+
+func (w *containerSecurityContextWrapper) ensureContainerSC() {
+	if w.containerSC == nil {
+		w.containerSC = &api.SecurityContext{}
+	}
+}
+
+func (w *containerSecurityContextWrapper) Capabilities() *api.Capabilities {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.Capabilities
+}
+func (w *containerSecurityContextWrapper) SetCapabilities(v *api.Capabilities) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.Capabilities = v
+}
+func (w *containerSecurityContextWrapper) Privileged() *bool {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.Privileged
+}
+func (w *containerSecurityContextWrapper) SetPrivileged(v *bool) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.Privileged = v
+}
+func (w *containerSecurityContextWrapper) ProcMount() api.ProcMountType {
+	if w.containerSC == nil {
+		return api.DefaultProcMount
+	}
+	if w.containerSC.ProcMount == nil {
+		return api.DefaultProcMount
+	}
+	return *w.containerSC.ProcMount
+}
+func (w *containerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.SELinuxOptions
+}
+func (w *containerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.SELinuxOptions = v
+}
+func (w *containerSecurityContextWrapper) RunAsUser() *int64 {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.RunAsUser
+}
+func (w *containerSecurityContextWrapper) SetRunAsUser(v *int64) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.RunAsUser = v
+}
+func (w *containerSecurityContextWrapper) RunAsGroup() *int64 {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.RunAsGroup
+}
+func (w *containerSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.RunAsGroup = v
+}
+
+func (w *containerSecurityContextWrapper) RunAsNonRoot() *bool {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.RunAsNonRoot
+}
+func (w *containerSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.RunAsNonRoot = v
+}
+func (w *containerSecurityContextWrapper) ReadOnlyRootFilesystem() *bool {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.ReadOnlyRootFilesystem
+}
+func (w *containerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.ReadOnlyRootFilesystem = v
+}
+func (w *containerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
+	if w.containerSC == nil {
+		return nil
+	}
+	return w.containerSC.AllowPrivilegeEscalation
+}
+func (w *containerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) {
+	if w.containerSC == nil && v == nil {
+		return
+	}
+	w.ensureContainerSC()
+	w.containerSC.AllowPrivilegeEscalation = v
+}
+
+// NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values
+// for the provided pod security context and container security context
+func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor {
+	return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC}
+}
+
+// NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values
+// for the provided pod security context and container security context
+func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator {
+	return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC}
+}
+
+type effectiveContainerSecurityContextWrapper struct {
+	podSC       PodSecurityContextAccessor
+	containerSC ContainerSecurityContextMutator
+}
+
+func (w *effectiveContainerSecurityContextWrapper) ContainerSecurityContext() *api.SecurityContext {
+	return w.containerSC.ContainerSecurityContext()
+}
+
+func (w *effectiveContainerSecurityContextWrapper) Capabilities() *api.Capabilities {
+	return w.containerSC.Capabilities()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetCapabilities(v *api.Capabilities) {
+	if !reflect.DeepEqual(w.Capabilities(), v) {
+		w.containerSC.SetCapabilities(v)
+	}
+}
+func (w *effectiveContainerSecurityContextWrapper) Privileged() *bool {
+	return w.containerSC.Privileged()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetPrivileged(v *bool) {
+	if !reflect.DeepEqual(w.Privileged(), v) {
+		w.containerSC.SetPrivileged(v)
+	}
+}
+func (w *effectiveContainerSecurityContextWrapper) ProcMount() api.ProcMountType {
+	return w.containerSC.ProcMount()
+}
+func (w *effectiveContainerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
+	if v := w.containerSC.SELinuxOptions(); v != nil {
+		return v
+	}
+	return w.podSC.SELinuxOptions()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
+	if !reflect.DeepEqual(w.SELinuxOptions(), v) {
+		w.containerSC.SetSELinuxOptions(v)
+	}
+}
+func (w *effectiveContainerSecurityContextWrapper) RunAsUser() *int64 {
+	if v := w.containerSC.RunAsUser(); v != nil {
+		return v
+	}
+	return w.podSC.RunAsUser()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetRunAsUser(v *int64) {
+	if !reflect.DeepEqual(w.RunAsUser(), v) {
+		w.containerSC.SetRunAsUser(v)
+	}
+}
+func (w *effectiveContainerSecurityContextWrapper) RunAsGroup() *int64 {
+	if v := w.containerSC.RunAsGroup(); v != nil {
+		return v
+	}
+	return w.podSC.RunAsGroup()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetRunAsGroup(v *int64) {
+	if !reflect.DeepEqual(w.RunAsGroup(), v) {
+		w.containerSC.SetRunAsGroup(v)
+	}
+}
+
+func (w *effectiveContainerSecurityContextWrapper) RunAsNonRoot() *bool {
+	if v := w.containerSC.RunAsNonRoot(); v != nil {
+		return v
+	}
+	return w.podSC.RunAsNonRoot()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
+	if !reflect.DeepEqual(w.RunAsNonRoot(), v) {
+		w.containerSC.SetRunAsNonRoot(v)
+	}
+}
+func (w *effectiveContainerSecurityContextWrapper) ReadOnlyRootFilesystem() *bool {
+	return w.containerSC.ReadOnlyRootFilesystem()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
+	if !reflect.DeepEqual(w.ReadOnlyRootFilesystem(), v) {
+		w.containerSC.SetReadOnlyRootFilesystem(v)
+	}
+}
+func (w *effectiveContainerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
+	return w.containerSC.AllowPrivilegeEscalation()
+}
+func (w *effectiveContainerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) {
+	if !reflect.DeepEqual(w.AllowPrivilegeEscalation(), v) {
+		w.containerSC.SetAllowPrivilegeEscalation(v)
+	}
+}
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/doc.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/doc.go
@ -0,0 +1,18 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package securitycontext contains security context api implementations
+package securitycontext // import "k8s.io/kubernetes/pkg/securitycontext"
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/fake.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/fake.go
@ -0,0 +1,46 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import (
+	"k8s.io/api/core/v1"
+	api "k8s.io/kubernetes/pkg/apis/core"
+)
+
+// ValidSecurityContextWithContainerDefaults creates a valid security context provider based on
+// empty container defaults.  Used for testing.
+func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext {
+	priv := false
+	defProcMount := v1.DefaultProcMount
+	return &v1.SecurityContext{
+		Capabilities: &v1.Capabilities{},
+		Privileged:   &priv,
+		ProcMount:    &defProcMount,
+	}
+}
+
+// ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on
+// empty container defaults.  Used for testing.
+func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext {
+	priv := false
+	dpm := api.DefaultProcMount
+	return &api.SecurityContext{
+		Capabilities: &api.Capabilities{},
+		Privileged:   &priv,
+		ProcMount:    &dpm,
+	}
+}
--- a/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go
+++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go
@ -0,0 +1,260 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package securitycontext
+
+import (
+	v1 "k8s.io/api/core/v1"
+)
+
+// HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account
+// the possibility of nils
+func HasPrivilegedRequest(container *v1.Container) bool {
+	if container.SecurityContext == nil {
+		return false
+	}
+	if container.SecurityContext.Privileged == nil {
+		return false
+	}
+	return *container.SecurityContext.Privileged
+}
+
+// HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context
+// capabilities, taking into account nils
+func HasCapabilitiesRequest(container *v1.Container) bool {
+	if container.SecurityContext == nil {
+		return false
+	}
+	if container.SecurityContext.Capabilities == nil {
+		return false
+	}
+	return len(container.SecurityContext.Capabilities.Add) > 0 || len(container.SecurityContext.Capabilities.Drop) > 0
+}
+
+// HasWindowsHostProcessRequest returns true if container should run as HostProcess container,
+// taking into account nils
+func HasWindowsHostProcessRequest(pod *v1.Pod, container *v1.Container) bool {
+	effectiveSc := DetermineEffectiveSecurityContext(pod, container)
+
+	if effectiveSc.WindowsOptions == nil {
+		return false
+	}
+	if effectiveSc.WindowsOptions.HostProcess == nil {
+		return false
+	}
+	return *effectiveSc.WindowsOptions.HostProcess
+}
+
+// DetermineEffectiveSecurityContext returns a synthesized SecurityContext for reading effective configurations
+// from the provided pod's and container's security context. Container's fields take precedence in cases where both
+// are set
+func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext {
+	effectiveSc := securityContextFromPodSecurityContext(pod)
+	containerSc := container.SecurityContext
+
+	if effectiveSc == nil && containerSc == nil {
+		return &v1.SecurityContext{}
+	}
+	if effectiveSc != nil && containerSc == nil {
+		return effectiveSc
+	}
+	if effectiveSc == nil && containerSc != nil {
+		return containerSc
+	}
+
+	if containerSc.SELinuxOptions != nil {
+		effectiveSc.SELinuxOptions = new(v1.SELinuxOptions)
+		*effectiveSc.SELinuxOptions = *containerSc.SELinuxOptions
+	}
+
+	if containerSc.WindowsOptions != nil {
+		// only override fields that are set at the container level, not the whole thing
+		if effectiveSc.WindowsOptions == nil {
+			effectiveSc.WindowsOptions = &v1.WindowsSecurityContextOptions{}
+		}
+		if containerSc.WindowsOptions.GMSACredentialSpecName != nil || containerSc.WindowsOptions.GMSACredentialSpec != nil {
+			// both GMSA fields go hand in hand
+			effectiveSc.WindowsOptions.GMSACredentialSpecName = containerSc.WindowsOptions.GMSACredentialSpecName
+			effectiveSc.WindowsOptions.GMSACredentialSpec = containerSc.WindowsOptions.GMSACredentialSpec
+		}
+		if containerSc.WindowsOptions.RunAsUserName != nil {
+			effectiveSc.WindowsOptions.RunAsUserName = containerSc.WindowsOptions.RunAsUserName
+		}
+		if containerSc.WindowsOptions.HostProcess != nil {
+			effectiveSc.WindowsOptions.HostProcess = containerSc.WindowsOptions.HostProcess
+		}
+	}
+
+	if containerSc.Capabilities != nil {
+		effectiveSc.Capabilities = new(v1.Capabilities)
+		*effectiveSc.Capabilities = *containerSc.Capabilities
+	}
+
+	if containerSc.Privileged != nil {
+		effectiveSc.Privileged = new(bool)
+		*effectiveSc.Privileged = *containerSc.Privileged
+	}
+
+	if containerSc.RunAsUser != nil {
+		effectiveSc.RunAsUser = new(int64)
+		*effectiveSc.RunAsUser = *containerSc.RunAsUser
+	}
+
+	if containerSc.RunAsGroup != nil {
+		effectiveSc.RunAsGroup = new(int64)
+		*effectiveSc.RunAsGroup = *containerSc.RunAsGroup
+	}
+
+	if containerSc.RunAsNonRoot != nil {
+		effectiveSc.RunAsNonRoot = new(bool)
+		*effectiveSc.RunAsNonRoot = *containerSc.RunAsNonRoot
+	}
+
+	if containerSc.ReadOnlyRootFilesystem != nil {
+		effectiveSc.ReadOnlyRootFilesystem = new(bool)
+		*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem
+	}
+
+	if containerSc.AllowPrivilegeEscalation != nil {
+		effectiveSc.AllowPrivilegeEscalation = new(bool)
+		*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
+	}
+
+	if containerSc.ProcMount != nil {
+		effectiveSc.ProcMount = new(v1.ProcMountType)
+		*effectiveSc.ProcMount = *containerSc.ProcMount
+	}
+
+	return effectiveSc
+}
+
+// DetermineEffectiveRunAsUser returns a pointer of UID from the provided pod's
+// and container's security context and a bool value to indicate if it is absent.
+// Container's runAsUser take precedence in cases where both are set.
+func DetermineEffectiveRunAsUser(pod *v1.Pod, container *v1.Container) (*int64, bool) {
+	var runAsUser *int64
+	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.RunAsUser != nil {
+		runAsUser = new(int64)
+		*runAsUser = *pod.Spec.SecurityContext.RunAsUser
+	}
+	if container.SecurityContext != nil && container.SecurityContext.RunAsUser != nil {
+		runAsUser = new(int64)
+		*runAsUser = *container.SecurityContext.RunAsUser
+	}
+	if runAsUser == nil {
+		return nil, false
+	}
+	return runAsUser, true
+}
+
+func securityContextFromPodSecurityContext(pod *v1.Pod) *v1.SecurityContext {
+	if pod.Spec.SecurityContext == nil {
+		return nil
+	}
+
+	synthesized := &v1.SecurityContext{}
+
+	if pod.Spec.SecurityContext.SELinuxOptions != nil {
+		synthesized.SELinuxOptions = &v1.SELinuxOptions{}
+		*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
+	}
+
+	if pod.Spec.SecurityContext.WindowsOptions != nil {
+		synthesized.WindowsOptions = &v1.WindowsSecurityContextOptions{}
+		*synthesized.WindowsOptions = *pod.Spec.SecurityContext.WindowsOptions
+	}
+
+	if pod.Spec.SecurityContext.RunAsUser != nil {
+		synthesized.RunAsUser = new(int64)
+		*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
+	}
+
+	if pod.Spec.SecurityContext.RunAsGroup != nil {
+		synthesized.RunAsGroup = new(int64)
+		*synthesized.RunAsGroup = *pod.Spec.SecurityContext.RunAsGroup
+	}
+
+	if pod.Spec.SecurityContext.RunAsNonRoot != nil {
+		synthesized.RunAsNonRoot = new(bool)
+		*synthesized.RunAsNonRoot = *pod.Spec.SecurityContext.RunAsNonRoot
+	}
+
+	return synthesized
+}
+
+// AddNoNewPrivileges returns if we should add the no_new_privs option.
+func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
+	if sc == nil {
+		return false
+	}
+
+	// handle the case where the user did not set the default and did not explicitly set allowPrivilegeEscalation
+	if sc.AllowPrivilegeEscalation == nil {
+		return false
+	}
+
+	// handle the case where defaultAllowPrivilegeEscalation is false or the user explicitly set allowPrivilegeEscalation to true/false
+	return !*sc.AllowPrivilegeEscalation
+}
+
+var (
+	// These *must* be kept in sync with moby/moby.
+	// https://github.com/moby/moby/blob/master/oci/defaults.go#L116-L134
+	// @jessfraz will watch changes to those files upstream.
+	defaultMaskedPaths = []string{
+		"/proc/acpi",
+		"/proc/kcore",
+		"/proc/keys",
+		"/proc/latency_stats",
+		"/proc/timer_list",
+		"/proc/timer_stats",
+		"/proc/sched_debug",
+		"/proc/scsi",
+		"/sys/firmware",
+	}
+	defaultReadonlyPaths = []string{
+		"/proc/asound",
+		"/proc/bus",
+		"/proc/fs",
+		"/proc/irq",
+		"/proc/sys",
+		"/proc/sysrq-trigger",
+	}
+)
+
+// ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default
+// masked paths.
+func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string {
+	if opt != nil && *opt == v1.UnmaskedProcMount {
+		// Unmasked proc mount should have no paths set as masked.
+		return []string{}
+	}
+
+	// Otherwise, add the default masked paths to the runtime security context.
+	return defaultMaskedPaths
+}
+
+// ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default
+// readonly paths.
+func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string {
+	if opt != nil && *opt == v1.UnmaskedProcMount {
+		// Unmasked proc mount should have no paths set as readonly.
+		return []string{}
+	}
+
+	// Otherwise, add the default readonly paths to the runtime security context.
+	return defaultReadonlyPaths
+}