Merge pull request #106089 from liggitt/podsecurity-beta

PodSecurity: promote config and feature gate to beta
kubernetes · Nov 3, 2021 · 9af2ece · 9af2ece
2 parents 6de257e + 1f8f996
commit 9af2ece
Show file tree

Hide file tree

Showing 14 changed files with 570 additions and 6 deletions.
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
@@ -712,6 +712,7 @@ const (
 
 	// owner: @liggitt, @tallclair, sig-auth
 	// alpha: v1.22
+	// beta: v1.23
 	//
 	// Enables the PodSecurity admission plugin
 	PodSecurity featuregate.Feature = "PodSecurity"
@@ -895,7 +896,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	StatefulSetMinReadySeconds:                     {Default: true, PreRelease: featuregate.Beta},
 	ExpandedDNSConfig:                              {Default: false, PreRelease: featuregate.Alpha},
 	SeccompDefault:                                 {Default: false, PreRelease: featuregate.Alpha},
-	PodSecurity:                                    {Default: false, PreRelease: featuregate.Alpha},
+	PodSecurity:                                    {Default: true, PreRelease: featuregate.Beta},
 	ReadWriteOncePod:                               {Default: false, PreRelease: featuregate.Alpha},
 	CSRDuration:                                    {Default: true, PreRelease: featuregate.Beta},
 	DelegateFSGroupToCSIDriver:                     {Default: false, PreRelease: featuregate.Alpha},

diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go b/staging/src/k8s.io/pod-security-admission/admission/api/load/load.go
@@ -24,7 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/pod-security-admission/admission/api"
 	"k8s.io/pod-security-admission/admission/api/scheme"
-	apiv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+	apiv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
 
 func LoadFromFile(file string) (*api.PodSecurityConfiguration, error) {
@@ -57,7 +57,7 @@ func LoadFromReader(reader io.Reader) (*api.PodSecurityConfiguration, error) {
 func LoadFromData(data []byte) (*api.PodSecurityConfiguration, error) {
 	if len(data) == 0 {
 		// no config provided, return default
-		externalConfig := &apiv1alpha1.PodSecurityConfiguration{}
+		externalConfig := &apiv1beta1.PodSecurityConfiguration{}
 		scheme.Scheme.Default(externalConfig)
 		internalConfig := &api.PodSecurityConfiguration{}
 		if err := scheme.Scheme.Convert(externalConfig, internalConfig, nil); err != nil {

diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go b/staging/src/k8s.io/pod-security-admission/admission/api/load/load_test.go
@@ -98,6 +98,29 @@ func TestLoadFromFile(t *testing.T) {
 		}
 	}
 
+	// valid file
+	{
+		input := `{
+			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+			"kind":"PodSecurityConfiguration",
+			"defaults":{"enforce":"baseline"}}`
+		expect := &api.PodSecurityConfiguration{
+			Defaults: api.PodSecurityDefaults{
+				Enforce: "baseline", EnforceVersion: "latest",
+				Warn: "privileged", WarnVersion: "latest",
+				Audit: "privileged", AuditVersion: "latest",
+			},
+		}
+
+		config, err := LoadFromFile(writeTempFile(t, input))
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if !reflect.DeepEqual(config, expect) {
+			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+		}
+	}
+
 	// missing file
 	{
 		_, err := LoadFromFile(`bogus-missing-pod-security-policy-config-file`)
@@ -172,6 +195,29 @@ func TestLoadFromReader(t *testing.T) {
 		}
 	}
 
+	// valid reader
+	{
+		input := `{
+			"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+			"kind":"PodSecurityConfiguration",
+			"defaults":{"enforce":"baseline"}}`
+		expect := &api.PodSecurityConfiguration{
+			Defaults: api.PodSecurityDefaults{
+				Enforce: "baseline", EnforceVersion: "latest",
+				Warn: "privileged", WarnVersion: "latest",
+				Audit: "privileged", AuditVersion: "latest",
+			},
+		}
+
+		config, err := LoadFromReader(bytes.NewBufferString(input))
+		if err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if !reflect.DeepEqual(config, expect) {
+			t.Fatalf("unexpected config:\n%s", cmp.Diff(expect, config))
+		}
+	}
+
 	// invalid reader
 	{
 		input := `{
@@ -225,6 +271,46 @@ func TestLoadFromData(t *testing.T) {
 			data: []byte(`
 apiVersion: pod-security.admission.config.k8s.io/v1alpha1
 kind: PodSecurityConfiguration
+defaults:
+  enforce: baseline
+  enforce-version: v1.7
+exemptions:
+  usernames: ["alice","bob"]
+  namespaces: ["kube-system"]
+  runtimeClasses: ["special"]
+`),
+			expectConfig: &api.PodSecurityConfiguration{
+				Defaults: api.PodSecurityDefaults{
+					Enforce: "baseline", EnforceVersion: "v1.7",
+					Warn: "privileged", WarnVersion: "latest",
+					Audit: "privileged", AuditVersion: "latest",
+				},
+				Exemptions: api.PodSecurityExemptions{
+					Usernames:      []string{"alice", "bob"},
+					Namespaces:     []string{"kube-system"},
+					RuntimeClasses: []string{"special"},
+				},
+			},
+		},
+		{
+			name: "v1beta1 - json",
+			data: []byte(`{
+"apiVersion":"pod-security.admission.config.k8s.io/v1beta1",
+"kind":"PodSecurityConfiguration",
+"defaults":{"enforce":"baseline"}}`),
+			expectConfig: &api.PodSecurityConfiguration{
+				Defaults: api.PodSecurityDefaults{
+					Enforce: "baseline", EnforceVersion: "latest",
+					Warn: "privileged", WarnVersion: "latest",
+					Audit: "privileged", AuditVersion: "latest",
+				},
+			},
+		},
+		{
+			name: "v1beta1 - yaml",
+			data: []byte(`
+apiVersion: pod-security.admission.config.k8s.io/v1beta1
+kind: PodSecurityConfiguration
 defaults:
   enforce: baseline
   enforce-version: v1.7

diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go b/staging/src/k8s.io/pod-security-admission/admission/api/scheme/scheme.go
@@ -22,6 +22,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	podsecurityapi "k8s.io/pod-security-admission/admission/api"
 	podsecurityv1alpha1 "k8s.io/pod-security-admission/admission/api/v1alpha1"
+	podsecurityv1beta1 "k8s.io/pod-security-admission/admission/api/v1beta1"
 )
 
 var (
@@ -40,5 +41,6 @@ func init() {
 func AddToScheme(scheme *runtime.Scheme) {
 	utilruntime.Must(podsecurityapi.AddToScheme(scheme))
 	utilruntime.Must(podsecurityv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1alpha1.SchemeGroupVersion))
+	utilruntime.Must(podsecurityv1beta1.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(podsecurityv1beta1.SchemeGroupVersion, podsecurityv1alpha1.SchemeGroupVersion))
 }
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/pod-security-admission/api"
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}
+
+func SetDefaults_PodSecurityDefaults(obj *PodSecurityDefaults) {
+	if len(obj.Enforce) == 0 {
+		obj.Enforce = string(api.LevelPrivileged)
+	}
+	if len(obj.Warn) == 0 {
+		obj.Warn = string(api.LevelPrivileged)
+	}
+	if len(obj.Audit) == 0 {
+		obj.Audit = string(api.LevelPrivileged)
+	}
+
+	if len(obj.EnforceVersion) == 0 {
+		obj.EnforceVersion = string(api.VersionLatest)
+	}
+	if len(obj.WarnVersion) == 0 {
+		obj.WarnVersion = string(api.VersionLatest)
+	}
+	if len(obj.AuditVersion) == 0 {
+		obj.AuditVersion = string(api.VersionLatest)
+	}
+}
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/defaults_test.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/doc.go
@@ -0,0 +1,23 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/pod-security-admission/admission/api
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=pod-security.admission.config.k8s.io
+
+// Package v1beta1 contains PodSecurity admission configuration file types
+package v1beta1
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/register.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "pod-security.admission.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+var (
+	// SchemeBuilder is a pointer used to call AddToScheme
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	// AddToScheme is used to register the types to API encoding/decoding machinery
+	AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&PodSecurityConfiguration{},
+	)
+	return nil
+}
diff --git a/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go b/staging/src/k8s.io/pod-security-admission/admission/api/v1beta1/types.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type PodSecurityConfiguration struct {
+	metav1.TypeMeta
+	Defaults   PodSecurityDefaults   `json:"defaults"`
+	Exemptions PodSecurityExemptions `json:"exemptions"`
+}
+
+type PodSecurityDefaults struct {
+	Enforce        string `json:"enforce,omitempty"`
+	EnforceVersion string `json:"enforce-version,omitempty"`
+	Audit          string `json:"audit,omitempty"`
+	AuditVersion   string `json:"audit-version,omitempty"`
+	Warn           string `json:"warn,omitempty"`
+	WarnVersion    string `json:"warn-version,omitempty"`
+}
+
+type PodSecurityExemptions struct {
+	Usernames      []string `json:"usernames,omitempty"`
+	Namespaces     []string `json:"namespaces,omitempty"`
+	RuntimeClasses []string `json:"runtimeClasses,omitempty"`
+}