diff --git a/pkg/admission/imagepolicy/imagepolicy_test.go b/pkg/admission/imagepolicy/imagepolicy_test.go index 7a0ca016a..ce160d59a 100644 --- a/pkg/admission/imagepolicy/imagepolicy_test.go +++ b/pkg/admission/imagepolicy/imagepolicy_test.go @@ -151,7 +151,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql:latest"}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err != nil { t.Fatal(err) @@ -165,7 +165,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + goodSHA}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil,false, nil, ) if err := plugin.Admit(attrs, nil); err != nil { t.Fatal(err) @@ -179,7 +179,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "integrated.registry/repo/mysql@" + goodSHA}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err != nil { t.Fatal(err) 
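Review bot: The new argument line in the `@@ -165,7 +165,7 @@` hunk of imagepolicy_test.go is not gofmt-clean, because it reads `"", admission.Create, nil,false, nil,` with no space after the added `nil,`. Every other call site touched in this file uses `"", admission.Create, nil, false, nil,`, so this one should match. Running gofmt over the file before merging keeps the mechanical signature update uniform. TestDefaultPolicy starts and ends outside the hunk.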
@@ -193,7 +193,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "integrated.registry/repo/mysql:missingtag"}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err != nil { t.Fatal(err) @@ -207,7 +207,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "integrated.registry/repo/mysql:goodtag"}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err != nil { t.Fatal(err) @@ -221,7 +221,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "integrated.registry/repo/mysql:badtag"}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) t.Logf("%#v", plugin.accepter) if err := plugin.Admit(attrs, nil); err == nil || !kerrors.IsInvalid(err) { @@ -236,7 +236,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + badSHA}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err == nil || !kerrors.IsInvalid(err) { t.Fatal(err) 
@@ -250,7 +250,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{InitContainers: []kapi.Container{{Image: "index.docker.io/mysql@" + badSHA}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err == nil || !kerrors.IsInvalid(err) { t.Fatal(err) @@ -265,7 +265,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + goodSHA}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err != nil { t.Fatal(err) @@ -280,7 +280,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + goodSHA}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err == nil || !kerrors.IsInvalid(err) { t.Fatal(err) @@ -303,7 +303,7 @@ func TestDefaultPolicy(t *testing.T) { &kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + goodSHA}}}}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := plugin.Admit(attrs, nil); err != nil { t.Fatal(err) 
@@ -328,7 +328,7 @@ func TestAdmissionWithoutPodSpec(t *testing.T) { &kapi.Node{}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Node"}, "", "node1", schema.GroupVersionResource{Version: "v1", Resource: "nodes"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := p.Admit(attrs, nil); !kerrors.IsForbidden(err) || !strings.Contains(err.Error(), "No list of images available for this object") { t.Fatal(err) @@ -389,6 +389,7 @@ func TestAdmissionResolution(t *testing.T) { nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, "", admission.Create, + nil, false, nil, ) @@ -411,7 +412,7 @@ func TestAdmissionResolution(t *testing.T) { pod, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ) if err := p.Admit(attrs, nil); err != nil { t.Logf("object: %#v", attrs.GetObject()) @@ -484,7 +485,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), }, { @@ -502,7 +503,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &kapi.Pod{ 
@@ -528,7 +529,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &kapi.Pod{ @@ -558,7 +559,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod", Group: ""}, "default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods", Group: ""}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &kapi.Pod{ @@ -592,7 +593,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"}, "default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &apps.ReplicaSet{ @@ -629,7 +630,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"}, "default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &apps.ReplicaSet{ @@ -668,7 +669,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"}, "default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &apps.ReplicaSet{ 
@@ -718,7 +719,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"}, "default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &apps.ReplicaSet{ @@ -767,7 +768,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"}, "default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &apps.ReplicaSet{ @@ -816,7 +817,7 @@ func TestAdmissionResolveImages(t *testing.T) { }, }, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"}, "default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"}, - "", admission.Create, false, nil, + "", admission.Create, nil, false, nil, ), admit: true, expect: &apps.ReplicaSet{ diff --git a/pkg/admission/quota/clusterresourcequota/accessor.go b/pkg/admission/quota/clusterresourcequota/accessor.go index 0363d659c..fe4a30461 100644 --- a/pkg/admission/quota/clusterresourcequota/accessor.go +++ b/pkg/admission/quota/clusterresourcequota/accessor.go @@ -9,7 +9,7 @@ import ( "k8s.io/apimachinery/pkg/api/equality" kapierrors "k8s.io/apimachinery/pkg/api/errors" utilwait "k8s.io/apimachinery/pkg/util/wait" - //etcd "k8s.io/apiserver/pkg/storage/etcd" + etcd "k8s.io/apiserver/pkg/storage/etcd3" corev1listers "k8s.io/client-go/listers/core/v1" utilquota "k8s.io/kubernetes/pkg/quota/v1" diff --git a/pkg/securitycontextconstraints/sccadmission/admission_test.go b/pkg/securitycontextconstraints/sccadmission/admission_test.go index 6eb939f8c..b14abc2ce 100644 
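Review bot: No use of the re-enabled `etcd` alias is visible anywhere in this commit, so the import hunk in pkg/admission/quota/clusterresourcequota/accessor.go (`etcd "k8s.io/apiserver/pkg/storage/etcd3"`) is only valid if code outside the hunk already references `etcd.`. Go rejects an unused import at compile time, and if such references do exist they were presumably written against the old `storage/etcd` package that the removed comment named. Keeping the old alias hides that package swap at every call site. I would either drop the alias and import `"k8s.io/apiserver/pkg/storage/etcd3"` under its own name, or add a comment such as `// etcd3 replaces the removed storage/etcd package; alias kept for existing call sites`. The import block continues outside the hunk.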
--- a/pkg/securitycontextconstraints/sccadmission/admission_test.go +++ b/pkg/securitycontextconstraints/sccadmission/admission_test.go @@ -59,7 +59,7 @@ func newTestAdmission(lister securityv1listers.SecurityContextConstraintsLister, func TestFailClosedOnInvalidPod(t *testing.T) { plugin := newTestAdmission(nil, nil, nil) pod := &corev1.Pod{} - attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{}) + attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, &user.DefaultInfo{}) err := plugin.(admission.MutationInterface).Admit(attrs, nil) if err == nil { @@ -189,7 +189,7 @@ func testSCCAdmit(testCaseName string, sccs []*securityv1.SecurityContextConstra testAuthorizer := &sccTestAuthorizer{t: t} plugin := newTestAdmission(lister, tc, testAuthorizer) - attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{}) + attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, &user.DefaultInfo{}) err := plugin.(admission.MutationInterface).Admit(attrs, nil) if shouldPass && err != nil { t.Errorf("%s expected no mutating admission errors but received %v", testCaseName, err) 
@@ -426,7 +426,7 @@ func TestAdmitFailure(t *testing.T) { for i := 0; i < 2; i++ { for k, v := range testCases { v.pod.Spec.Containers, v.pod.Spec.InitContainers = v.pod.Spec.InitContainers, v.pod.Spec.Containers - attrs := admission.NewAttributesRecord(v.pod, nil, coreapi.Kind("Pod").WithVersion("version"), v.pod.Namespace, v.pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{}) + attrs := admission.NewAttributesRecord(v.pod, nil, coreapi.Kind("Pod").WithVersion("version"), v.pod.Namespace, v.pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, &user.DefaultInfo{}) err := p.(admission.MutationInterface).Admit(attrs, nil) if err == nil { @@ -675,7 +675,7 @@ func TestCreateProvidersFromConstraints(t *testing.T) { scc := v.scc() // create the providers, this method only needs the namespace - attributes := admission.NewAttributesRecord(nil, nil, coreapi.Kind("Pod").WithVersion("version"), v.namespace.Name, "", coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, nil) + attributes := admission.NewAttributesRecord(nil, nil, coreapi.Kind("Pod").WithVersion("version"), v.namespace.Name, "", coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, nil) _, errs := sccmatching.CreateProvidersFromConstraints(attributes.GetNamespace(), []*securityv1.SecurityContextConstraints{scc}, tc) if !reflect.DeepEqual(scc, v.scc()) { 
@@ -1065,7 +1065,7 @@ func TestAdmitPreferNonmutatingWhenPossible(t *testing.T) { testAuthorizer := &sccTestAuthorizer{t: t} plugin := newTestAdmission(lister, tc, testAuthorizer) - attrs := admission.NewAttributesRecord(testCase.newPod, testCase.oldPod, coreapi.Kind("Pod").WithVersion("version"), testCase.newPod.Namespace, testCase.newPod.Name, coreapi.Resource("pods").WithVersion("version"), "", testCase.operation, false, &user.DefaultInfo{}) + attrs := admission.NewAttributesRecord(testCase.newPod, testCase.oldPod, coreapi.Kind("Pod").WithVersion("version"), testCase.newPod.Namespace, testCase.newPod.Name, coreapi.Resource("pods").WithVersion("version"), "", testCase.operation, nil, false, &user.DefaultInfo{}) err := plugin.(admission.MutationInterface).Admit(attrs, nil) if testCase.shouldPass { @@ -1093,7 +1093,7 @@ func TestAdmitPreferNonmutatingWhenPossible(t *testing.T) { // SCC. Returns true when errors have been encountered. func testSCCAdmission(pod *coreapi.Pod, plugin admission.Interface, expectedSCC, testName string, t *testing.T) bool { t.Helper() - attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{}) + attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, &user.DefaultInfo{}) err := plugin.(admission.MutationInterface).Admit(attrs, nil) if err != nil { t.Errorf("%s error admitting pod: %v", testName, err) diff --git a/pkg/securitycontextconstraints/sccadmission/scc_exec.go b/pkg/securitycontextconstraints/sccadmission/scc_exec.go index 3096f67f5..cf19da18d 100644 --- a/pkg/securitycontextconstraints/sccadmission/scc_exec.go +++ b/pkg/securitycontextconstraints/sccadmission/scc_exec.go 
@@ -61,7 +61,7 @@ func (d *sccExecRestrictions) Validate(a admission.Attributes, o admission.Objec // TODO, if we want to actually limit who can use which service account, then we'll need to add logic here to make sure that // we're allowed to use the SA the pod is using. Otherwise, user-A creates pod and user-B (who can't use the SA) can exec into it. - createAttributes := admission.NewAttributesRecord(internalPod, nil, coreapi.Kind("Pod").WithVersion(""), a.GetNamespace(), a.GetName(), a.GetResource(), "", admission.Create, false, a.GetUserInfo()) + createAttributes := admission.NewAttributesRecord(internalPod, nil, coreapi.Kind("Pod").WithVersion(""), a.GetNamespace(), a.GetName(), a.GetResource(), "", admission.Create, a.GetOperationOptions(), false, a.GetUserInfo()) // call SCC.Admit instead of SCC.Validate because we accept that a different SCC is chosen. SCC.Validate would require // that the chosen SCC (stored in the "openshift.io/scc" annotation) does not change. if err := d.constraintAdmission.Admit(createAttributes, o); err != nil { diff --git a/pkg/securitycontextconstraints/sccadmission/scc_exec_test.go b/pkg/securitycontextconstraints/sccadmission/scc_exec_test.go index 044d9a35c..a92720166 100644 --- a/pkg/securitycontextconstraints/sccadmission/scc_exec_test.go +++ b/pkg/securitycontextconstraints/sccadmission/scc_exec_test.go 
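Review bot: In the scc_exec.go hunk the synthetic record is declared as `admission.Create` but now carries `a.GetOperationOptions()`, which are the options of the incoming request rather than create options. Judging by the type name and the TODO above it, that request is an exec/attach call on the pod, so anything reached through `d.constraintAdmission.Admit` that inspects the options by type would see a value that does not match the declared operation. Because this re-admission is what gates the exec against SCC, its inputs should be predictable: pass `nil` as every test call site in this commit does, or add a comment like `// options forwarded from the connect request; SCC admission does not read them` if that is confirmed. The dry-run flag next to it is still hard-coded `false` rather than taken from `a.IsDryRun()`, which is worth a second comment or a follow-up. Validate's body starts and ends outside the hunk.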
@@ -99,7 +99,7 @@ func TestExecAdmit(t *testing.T) { p.constraintAdmission.sccLister = cache p.SetExternalKubeClientSet(tc) - attrs := admission.NewAttributesRecord(nil, nil, coreapi.Kind("Pod").WithVersion("version"), "namespace", "pod-name", coreapi.Resource(v.resource).WithVersion("version"), v.subresource, v.operation, false, &user.DefaultInfo{}) + attrs := admission.NewAttributesRecord(nil, nil, coreapi.Kind("Pod").WithVersion("version"), "namespace", "pod-name", coreapi.Resource(v.resource).WithVersion("version"), v.subresource, v.operation, nil, false, &user.DefaultInfo{}) err := p.Validate(attrs, nil) if v.shouldAdmit && err != nil {