rebase: update k8s.io packages to v0.29.0

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2025-06-14 02:43:36 +00:00 · 2023-12-20 13:23:59 +01:00
parent 328a264202
commit f080b9e0c9
367 changed files with 21340 additions and 11878 deletions
--- a/vendor/k8s.io/pod-security-admission/policy/helpers.go
+++ b/vendor/k8s.io/pod-security-admission/policy/helpers.go
@ -16,7 +16,12 @@ limitations under the License.

 package policy

-import "strings"
+import (
+	"strings"
+	"sync/atomic"
+
+	corev1 "k8s.io/api/core/v1"
+)

 func joinQuote(items []string) string {
 	if len(items) == 0 {
@ -31,3 +36,21 @@ func pluralize(singular, plural string, count int) string {
 	}
 	return plural
 }
+
+var relaxPolicyForUserNamespacePods = &atomic.Bool{}
+
+// RelaxPolicyForUserNamespacePods allows opting into relaxing runAsUser /
+// runAsNonRoot restricted policies for user namespace pods, before the
+// usernamespace feature has reached GA and propagated to the oldest supported
+// nodes.
+// This should only be opted into in clusters where the administrator ensures
+// all nodes in the cluster enable the user namespace feature.
+func RelaxPolicyForUserNamespacePods(relax bool) {
+	relaxPolicyForUserNamespacePods.Store(relax)
+}
+
+// relaxPolicyForUserNamespacePod returns true if a policy should be relaxed
+// because of enabled user namespaces in the provided pod spec.
+func relaxPolicyForUserNamespacePod(podSpec *corev1.PodSpec) bool {
+	return relaxPolicyForUserNamespacePods.Load() && podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
+}