chore: comment unused code to stop linter complains (#958)

ref #496

Signed-off-by: Artur Troian <troian.ap@gmail.com>

provider/cluster/kube/apply.go

@@ -59,22 +59,23 @@ func applyNetPolicies(ctx context.Context, kc kubernetes.Interface, b *netPolBui
 	return err
 }
 
-func applyRestrictivePodSecPoliciesToNS(ctx context.Context, kc kubernetes.Interface, p *pspRestrictedBuilder) error {
-	obj, err := kc.PolicyV1beta1().PodSecurityPolicies().Get(ctx, p.name(), metav1.GetOptions{})
-	switch {
-	case err == nil:
-		obj, err = p.update(obj)
-		if err == nil {
-			_, err = kc.PolicyV1beta1().PodSecurityPolicies().Update(ctx, obj, metav1.UpdateOptions{})
-		}
-	case errors.IsNotFound(err):
-		obj, err = p.create()
-		if err == nil {
-			_, err = kc.PolicyV1beta1().PodSecurityPolicies().Create(ctx, obj, metav1.CreateOptions{})
-		}
-	}
-	return err
-}
+// TODO: re-enable.  see #946
+// func applyRestrictivePodSecPoliciesToNS(ctx context.Context, kc kubernetes.Interface, p *pspRestrictedBuilder) error {
+// 	obj, err := kc.PolicyV1beta1().PodSecurityPolicies().Get(ctx, p.name(), metav1.GetOptions{})
+// 	switch {
+// 	case err == nil:
+// 		obj, err = p.update(obj)
+// 		if err == nil {
+// 			_, err = kc.PolicyV1beta1().PodSecurityPolicies().Update(ctx, obj, metav1.UpdateOptions{})
+// 		}
+// 	case errors.IsNotFound(err):
+// 		obj, err = p.create()
+// 		if err == nil {
+// 			_, err = kc.PolicyV1beta1().PodSecurityPolicies().Create(ctx, obj, metav1.CreateOptions{})
+// 		}
+// 	}
+// 	return err
+// }
 
 func applyDeployment(ctx context.Context, kc kubernetes.Interface, b *deploymentBuilder) error {
 	obj, err := kc.AppsV1().Deployments(b.ns()).Get(ctx, b.name(), metav1.GetOptions{})

provider/cluster/kube/builder.go

@@ -16,7 +16,8 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
-	"k8s.io/api/policy/v1beta1"
+	// TODO: re-enable.  see #946
+	// "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -92,78 +93,79 @@ func (b *nsBuilder) update(obj *corev1.Namespace) (*corev1.Namespace, error) { /
 	return obj, nil
 }
 
+// TODO: re-enable.  see #946
 // pspRestrictedBuilder produces restrictive PodSecurityPolicies for tenant Namespaces.
 // Restricted PSP source: https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/policy/restricted-psp.yaml
-type pspRestrictedBuilder struct {
-	builder
-}
-
-func newPspBuilder(settings Settings, lid mtypes.LeaseID, group *manifest.Group) *pspRestrictedBuilder { // nolint:golint,unparam
-	return &pspRestrictedBuilder{builder: builder{settings: settings, lid: lid, group: group}}
-}
-
-func (p *pspRestrictedBuilder) name() string {
-	return p.ns()
-}
-
-func (p *pspRestrictedBuilder) create() (*v1beta1.PodSecurityPolicy, error) { // nolint:golint,unparam
-	falseVal := false
-	return &v1beta1.PodSecurityPolicy{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      p.name(),
-			Namespace: p.name(),
-			Labels:    p.labels(),
-			Annotations: map[string]string{
-				"seccomp.security.alpha.kubernetes.io/allowedProfileNames": "docker/default,runtime/default",
-				"apparmor.security.beta.kubernetes.io/allowedProfileNames": "runtime/default",
-				"seccomp.security.alpha.kubernetes.io/defaultProfileName":  "runtime/default",
-				"apparmor.security.beta.kubernetes.io/defaultProfileName":  "runtime/default",
-			},
-		},
-		Spec: v1beta1.PodSecurityPolicySpec{
-			Privileged:               false,
-			AllowPrivilegeEscalation: &falseVal,
-			RequiredDropCapabilities: []corev1.Capability{
-				"ALL",
-			},
-			Volumes: []v1beta1.FSType{
-				v1beta1.EmptyDir,
-				v1beta1.PersistentVolumeClaim, // evaluate necessity later
-			},
-			HostNetwork: false,
-			HostIPC:     false,
-			HostPID:     false,
-			RunAsUser: v1beta1.RunAsUserStrategyOptions{
-				// fixme(#946): previous value RunAsUserStrategyMustRunAsNonRoot was interfering with
-				// (b *deploymentBuilder) create() RunAsNonRoot: false
-				// allow any user at this moment till revise all security debris of kube api
-				Rule: v1beta1.RunAsUserStrategyRunAsAny,
-			},
-			SELinux: v1beta1.SELinuxStrategyOptions{
-				Rule: v1beta1.SELinuxStrategyRunAsAny,
-			},
-			SupplementalGroups: v1beta1.SupplementalGroupsStrategyOptions{
-				Rule: v1beta1.SupplementalGroupsStrategyRunAsAny,
-			},
-			FSGroup: v1beta1.FSGroupStrategyOptions{
-				Rule: v1beta1.FSGroupStrategyMustRunAs,
-				Ranges: []v1beta1.IDRange{
-					{
-						Min: int64(1),
-						Max: int64(65535),
-					},
-				},
-			},
-			ReadOnlyRootFilesystem: false,
-		},
-	}, nil
-}
-
-func (p *pspRestrictedBuilder) update(obj *v1beta1.PodSecurityPolicy) (*v1beta1.PodSecurityPolicy, error) { // nolint:golint,unparam
-	obj.Name = p.ns()
-	obj.Labels = p.labels()
-	return obj, nil
-}
+// type pspRestrictedBuilder struct {
+// 	builder
+// }
+//
+// func newPspBuilder(settings Settings, lid mtypes.LeaseID, group *manifest.Group) *pspRestrictedBuilder { // nolint:golint,unparam
+// 	return &pspRestrictedBuilder{builder: builder{settings: settings, lid: lid, group: group}}
+// }
+//
+// func (p *pspRestrictedBuilder) name() string {
+// 	return p.ns()
+// }
+//
+// func (p *pspRestrictedBuilder) create() (*v1beta1.PodSecurityPolicy, error) { // nolint:golint,unparam
+// 	falseVal := false
+// 	return &v1beta1.PodSecurityPolicy{
+// 		ObjectMeta: metav1.ObjectMeta{
+// 			Name:      p.name(),
+// 			Namespace: p.name(),
+// 			Labels:    p.labels(),
+// 			Annotations: map[string]string{
+// 				"seccomp.security.alpha.kubernetes.io/allowedProfileNames": "docker/default,runtime/default",
+// 				"apparmor.security.beta.kubernetes.io/allowedProfileNames": "runtime/default",
+// 				"seccomp.security.alpha.kubernetes.io/defaultProfileName":  "runtime/default",
+// 				"apparmor.security.beta.kubernetes.io/defaultProfileName":  "runtime/default",
+// 			},
+// 		},
+// 		Spec: v1beta1.PodSecurityPolicySpec{
+// 			Privileged:               false,
+// 			AllowPrivilegeEscalation: &falseVal,
+// 			RequiredDropCapabilities: []corev1.Capability{
+// 				"ALL",
+// 			},
+// 			Volumes: []v1beta1.FSType{
+// 				v1beta1.EmptyDir,
+// 				v1beta1.PersistentVolumeClaim, // evaluate necessity later
+// 			},
+// 			HostNetwork: false,
+// 			HostIPC:     false,
+// 			HostPID:     false,
+// 			RunAsUser: v1beta1.RunAsUserStrategyOptions{
+// 				// fixme(#946): previous value RunAsUserStrategyMustRunAsNonRoot was interfering with
+// 				// (b *deploymentBuilder) create() RunAsNonRoot: false
+// 				// allow any user at this moment till revise all security debris of kube api
+// 				Rule: v1beta1.RunAsUserStrategyRunAsAny,
+// 			},
+// 			SELinux: v1beta1.SELinuxStrategyOptions{
+// 				Rule: v1beta1.SELinuxStrategyRunAsAny,
+// 			},
+// 			SupplementalGroups: v1beta1.SupplementalGroupsStrategyOptions{
+// 				Rule: v1beta1.SupplementalGroupsStrategyRunAsAny,
+// 			},
+// 			FSGroup: v1beta1.FSGroupStrategyOptions{
+// 				Rule: v1beta1.FSGroupStrategyMustRunAs,
+// 				Ranges: []v1beta1.IDRange{
+// 					{
+// 						Min: int64(1),
+// 						Max: int64(65535),
+// 					},
+// 				},
+// 			},
+// 			ReadOnlyRootFilesystem: false,
+// 		},
+// 	}, nil
+// }
+//
+// func (p *pspRestrictedBuilder) update(obj *v1beta1.PodSecurityPolicy) (*v1beta1.PodSecurityPolicy, error) { // nolint:golint,unparam
+// 	obj.Name = p.ns()
+// 	obj.Labels = p.labels()
+// 	return obj, nil
+// }
 
 // deployment
 type deploymentBuilder struct {

provider/cluster/kube/k8s_integration_test.go

@@ -37,7 +37,9 @@ func TestNewClient(t *testing.T) {
 	cc, ok := ac.(*client)
 	require.True(t, ok)
 	require.NotNil(t, cc)
-	kc := cc.kc
+
+	// TODO: re-enable.  see #946
+	// kc := cc.kc
 
 	// check inventory
 	nodes, err := ac.Inventory(ctx)
@@ -67,9 +69,10 @@ func TestNewClient(t *testing.T) {
 	assert.Equal(t, lid, deployment.LeaseID())
 
 	// query namespace and pod security policies
-	psp, err := kc.PolicyV1beta1().PodSecurityPolicies().Get(ctx, ns, metav1.GetOptions{})
-	require.NoError(t, err)
-	require.NotNil(t, psp)
+	// TODO: re-enable.  see #946
+	// psp, err := kc.PolicyV1beta1().PodSecurityPolicies().Get(ctx, ns, metav1.GetOptions{})
+	// require.NoError(t, err)
+	// require.NotNil(t, psp)
 
 	svcname := group.Services[0].Name
 

provider/cluster/monitor.go

@@ -160,7 +160,7 @@ func (m *deploymentMonitor) doCheck() (bool, error) {
 			}
 		}
 
-		if !foundService  {
+		if !foundService {
 			badsvc++
 			m.log.Debug("service status not found", "service", spec.Name)
 		}