rebase: update kubernetes to v1.25.0

update kubernetes to latest v1.25.0 release. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 10:33:35 +00:00 · 2022-08-24 07:54:25 +05:30
parent f47839d73d
commit e3bf375035
645 changed files with 42507 additions and 9219 deletions
--- a/vendor/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
+++ b/vendor/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
@ -0,0 +1,93 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/pod-security-admission/api"
+)
+
+/*
+Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.
+
+**Restricted Fields:**
+
+spec.containers[*].securityContext.allowPrivilegeEscalation
+spec.initContainers[*].securityContext.allowPrivilegeEscalation
+
+**Allowed Values:** false
+*/
+
+func init() {
+	addCheck(CheckAllowPrivilegeEscalation)
+}
+
+// CheckAllowPrivilegeEscalation returns a restricted level check
+// that requires allowPrivilegeEscalation=false in 1.8+
+func CheckAllowPrivilegeEscalation() Check {
+	return Check{
+		ID:    "allowPrivilegeEscalation",
+		Level: api.LevelRestricted,
+		Versions: []VersionedCheck{
+			{
+				// Field added in 1.8:
+				// https://github.com/kubernetes/kubernetes/blob/v1.8.0/staging/src/k8s.io/api/core/v1/types.go#L4797-L4804
+				MinimumVersion: api.MajorMinorVersion(1, 8),
+				CheckPod:       allowPrivilegeEscalation_1_8,
+			},
+			{
+				// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
+				MinimumVersion: api.MajorMinorVersion(1, 25),
+				CheckPod:       allowPrivilegeEscalation_1_25,
+			},
+		},
+	}
+}
+
+func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	var badContainers []string
+	visitContainers(podSpec, func(container *corev1.Container) {
+		if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil || *container.SecurityContext.AllowPrivilegeEscalation {
+			badContainers = append(badContainers, container.Name)
+		}
+	})
+
+	if len(badContainers) > 0 {
+		return CheckResult{
+			Allowed:         false,
+			ForbiddenReason: "allowPrivilegeEscalation != false",
+			ForbiddenDetail: fmt.Sprintf(
+				"%s %s must set securityContext.allowPrivilegeEscalation=false",
+				pluralize("container", "containers", len(badContainers)),
+				joinQuote(badContainers),
+			),
+		}
+	}
+	return CheckResult{Allowed: true}
+}
+
+func allowPrivilegeEscalation_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	// Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set.
+	// We can admit the Windows pod even if privilegeEscalation has not been set.
+	if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
+		return CheckResult{Allowed: true}
+	}
+	return allowPrivilegeEscalation_1_8(podMetadata, podSpec)
+}