rebase: update k8s.io packages to v0.29.0

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2025-06-13 18:43:34 +00:00 · 2023-12-20 13:23:59 +01:00
parent 328a264202
commit f080b9e0c9
367 changed files with 21340 additions and 11878 deletions
--- a/vendor/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
+++ b/vendor/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
@ -59,6 +59,11 @@ func CheckRunAsNonRoot() Check {
 }

 func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
+	if relaxPolicyForUserNamespacePod(podSpec) {
+		return CheckResult{Allowed: true}
+	}
+
 	// things that explicitly set runAsNonRoot=false
 	var badSetters []string

--- a/vendor/k8s.io/pod-security-admission/policy/check_runAsUser.go
+++ b/vendor/k8s.io/pod-security-admission/policy/check_runAsUser.go
@ -60,6 +60,11 @@ func CheckRunAsUser() Check {
 }

 func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
+	if relaxPolicyForUserNamespacePod(podSpec) {
+		return CheckResult{Allowed: true}
+	}
+
 	// things that explicitly set runAsUser=0
 	var badSetters []string

--- a/vendor/k8s.io/pod-security-admission/policy/check_sysctls.go
+++ b/vendor/k8s.io/pod-security-admission/policy/check_sysctls.go
@ -43,6 +43,10 @@ spec.securityContext.sysctls[*].name
 'net.ipv4.ping_group_range'
 'net.ipv4.ip_unprivileged_port_start'
 'net.ipv4.ip_local_reserved_ports'
+'net.ipv4.tcp_keepalive_time'
+'net.ipv4.tcp_fin_timeout'
+'net.ipv4.tcp_keepalive_intvl'
+'net.ipv4.tcp_keepalive_probes'

 */

@ -59,25 +63,28 @@ func CheckSysctls() Check {
 		Versions: []VersionedCheck{
 			{
 				MinimumVersion: api.MajorMinorVersion(1, 0),
-				CheckPod:       sysctls_1_0,
+				CheckPod:       sysctlsV1Dot0,
 			},
 			{
 				MinimumVersion: api.MajorMinorVersion(1, 27),
-				CheckPod:       sysctls_1_27,
+				CheckPod:       sysctlsV1Dot27,
+			}, {
+				MinimumVersion: api.MajorMinorVersion(1, 29),
+				CheckPod:       sysctlsV1Dot29,
 			},
 		},
 	}
 }

 var (
-	sysctls_allowed_1_0 = sets.NewString(
+	sysctlsAllowedV1Dot0 = sets.NewString(
 		"kernel.shm_rmid_forced",
 		"net.ipv4.ip_local_port_range",
 		"net.ipv4.tcp_syncookies",
 		"net.ipv4.ping_group_range",
 		"net.ipv4.ip_unprivileged_port_start",
 	)
-	sysctls_allowed_1_27 = sets.NewString(
+	sysctlsAllowedV1Dot27 = sets.NewString(
 		"kernel.shm_rmid_forced",
 		"net.ipv4.ip_local_port_range",
 		"net.ipv4.tcp_syncookies",
@ -85,14 +92,30 @@ var (
 		"net.ipv4.ip_unprivileged_port_start",
 		"net.ipv4.ip_local_reserved_ports",
 	)
+	sysctlsAllowedV1Dot29 = sets.NewString(
+		"kernel.shm_rmid_forced",
+		"net.ipv4.ip_local_port_range",
+		"net.ipv4.tcp_syncookies",
+		"net.ipv4.ping_group_range",
+		"net.ipv4.ip_unprivileged_port_start",
+		"net.ipv4.ip_local_reserved_ports",
+		"net.ipv4.tcp_keepalive_time",
+		"net.ipv4.tcp_fin_timeout",
+		"net.ipv4.tcp_keepalive_intvl",
+		"net.ipv4.tcp_keepalive_probes",
+	)
 )

-func sysctls_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
-	return sysctls(podMetadata, podSpec, sysctls_allowed_1_0)
+func sysctlsV1Dot0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot0)
 }

-func sysctls_1_27(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
-	return sysctls(podMetadata, podSpec, sysctls_allowed_1_27)
+func sysctlsV1Dot27(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot27)
+}
+
+func sysctlsV1Dot29(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot29)
 }

 func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, sysctls_allowed_set sets.String) CheckResult {
--- a/vendor/k8s.io/pod-security-admission/policy/helpers.go
+++ b/vendor/k8s.io/pod-security-admission/policy/helpers.go
@ -16,7 +16,12 @@ limitations under the License.

 package policy

-import "strings"
+import (
+	"strings"
+	"sync/atomic"
+
+	corev1 "k8s.io/api/core/v1"
+)

 func joinQuote(items []string) string {
 	if len(items) == 0 {
@ -31,3 +36,21 @@ func pluralize(singular, plural string, count int) string {
 	}
 	return plural
 }
+
+var relaxPolicyForUserNamespacePods = &atomic.Bool{}
+
+// RelaxPolicyForUserNamespacePods allows opting into relaxing runAsUser /
+// runAsNonRoot restricted policies for user namespace pods, before the
+// usernamespace feature has reached GA and propagated to the oldest supported
+// nodes.
+// This should only be opted into in clusters where the administrator ensures
+// all nodes in the cluster enable the user namespace feature.
+func RelaxPolicyForUserNamespacePods(relax bool) {
+	relaxPolicyForUserNamespacePods.Store(relax)
+}
+
+// relaxPolicyForUserNamespacePod returns true if a policy should be relaxed
+// because of enabled user namespaces in the provided pod spec.
+func relaxPolicyForUserNamespacePod(podSpec *corev1.PodSpec) bool {
+	return relaxPolicyForUserNamespacePods.Load() && podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
+}