diff --git a/go.mod b/go.mod index 2e1f1a97d407..9906400388af 100644 --- a/go.mod +++ b/go.mod @@ -68,7 +68,7 @@ require ( github.com/opencontainers/runc v1.0.2 github.com/opencontainers/selinux v1.8.2 github.com/openshift/api v0.0.0-20211028023115-7224b732cc14 - github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f + github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 github.com/openshift/library-go v0.0.0-20211014100835-efbd9a7e5841 github.com/pkg/errors v0.9.1 @@ -393,7 +393,7 @@ replace ( github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.8.2 github.com/openshift/api => github.com/openshift/api v0.0.0-20211028023115-7224b732cc14 - github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f + github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37 github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20211014100835-efbd9a7e5841 diff --git a/go.sum b/go.sum index 9e8fcecfa010..fd0b0a1346e0 100644 --- a/go.sum +++ b/go.sum 
@@ -393,8 +393,8 @@ github.com/opencontainers/selinux v1.8.2 h1:c4ca10UMgRcvZ6h0K4HtS15UaVSBEaE+iln2 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14 h1:kVSPSHkiepEIqFSVpDye5b8a8nu5tHsbmyLyeFHtLh4= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f h1:taLc45qQz+hEhi1dxFA/yXAkCqWIgpXzUlaLeuKk7sw= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb h1:2wGykXjl9bVOBX2xksMvcTqca2HlLuut3CDnmcBdKys= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 h1:iKVU5Tga76kiCWpq9giPi0TfI/gZcFoYb7/x+1SkgwM= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/api/go.sum b/staging/src/k8s.io/api/go.sum index c02117c157c7..ac7cdec39395 100644 --- a/staging/src/k8s.io/api/go.sum +++ b/staging/src/k8s.io/api/go.sum 
@@ -421,7 +421,7 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/apiextensions-apiserver/go.sum b/staging/src/k8s.io/apiextensions-apiserver/go.sum index 12c3a8f5c4d3..17a0da30f07d 100644 --- a/staging/src/k8s.io/apiextensions-apiserver/go.sum +++ b/staging/src/k8s.io/apiextensions-apiserver/go.sum 
@@ -472,7 +472,7 @@ github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xA github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14 h1:kVSPSHkiepEIqFSVpDye5b8a8nu5tHsbmyLyeFHtLh4= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/apiserver/go.sum b/staging/src/k8s.io/apiserver/go.sum index d5eecfb204de..0bc9f54c1adb 100644 --- a/staging/src/k8s.io/apiserver/go.sum +++ b/staging/src/k8s.io/apiserver/go.sum 
@@ -465,7 +465,7 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/cli-runtime/go.sum b/staging/src/k8s.io/cli-runtime/go.sum index f6445f1692c0..cdf361da1941 100644 --- a/staging/src/k8s.io/cli-runtime/go.sum +++ b/staging/src/k8s.io/cli-runtime/go.sum 
@@ -439,7 +439,7 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/cloud-provider/go.sum b/staging/src/k8s.io/cloud-provider/go.sum index fa3445e81447..9f8edd6db5be 100644 --- a/staging/src/k8s.io/cloud-provider/go.sum +++ b/staging/src/k8s.io/cloud-provider/go.sum 
@@ -462,7 +462,7 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/controller-manager/go.sum b/staging/src/k8s.io/controller-manager/go.sum index 093bc95b46f0..89984f87b95b 100644 --- a/staging/src/k8s.io/controller-manager/go.sum +++ b/staging/src/k8s.io/controller-manager/go.sum 
@@ -550,7 +550,7 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/kube-aggregator/go.sum b/staging/src/k8s.io/kube-aggregator/go.sum index c2b766319d41..8c4fc0aa8cd5 100644 --- a/staging/src/k8s.io/kube-aggregator/go.sum +++ b/staging/src/k8s.io/kube-aggregator/go.sum 
@@ -463,7 +463,7 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/kubectl/go.sum b/staging/src/k8s.io/kubectl/go.sum index 72ae20d6a549..1cd69f6a12f8 100644 --- a/staging/src/k8s.io/kubectl/go.sum +++ b/staging/src/k8s.io/kubectl/go.sum 
@@ -460,7 +460,7 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/staging/src/k8s.io/legacy-cloud-providers/go.sum b/staging/src/k8s.io/legacy-cloud-providers/go.sum index ea7d5b74ab4e..ca3bf379578c 100644 --- a/staging/src/k8s.io/legacy-cloud-providers/go.sum +++ b/staging/src/k8s.io/legacy-cloud-providers/go.sum 
@@ -454,7 +454,7 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= -github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= +github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb/go.mod h1:zl9Q7KxHokDX4mc8NEeYlSnrHkAsKAzptlQESi/jNJw= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1/defaults.go b/vendor/github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1/defaults.go index 6c2d1499caf9..b0fbe3a573b4 100644 --- a/vendor/github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1/defaults.go +++ b/vendor/github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1/defaults.go 
@@ -25,6 +25,7 @@ func SetDefaults_ImagePolicyConfig(obj *ImagePolicyConfig) { obj.ResolutionRules = []ImageResolutionPolicyRule{ {TargetResource: metav1.GroupResource{Group: "", Resource: "pods"}, LocalNames: true}, {TargetResource: metav1.GroupResource{Group: "", Resource: "replicationcontrollers"}, LocalNames: true}, + {TargetResource: metav1.GroupResource{Group: "apps.openshift.io", Resource: "deploymentconfigs"}, LocalNames: true}, {TargetResource: metav1.GroupResource{Group: "apps", Resource: "daemonsets"}, LocalNames: true}, {TargetResource: metav1.GroupResource{Group: "apps", Resource: "deployments"}, LocalNames: true}, {TargetResource: metav1.GroupResource{Group: "apps", Resource: "statefulsets"}, LocalNames: true}, diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/imagepolicy.go b/vendor/github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/imagepolicy.go index 359420a89265..855a554a86db 100644 --- a/vendor/github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/imagepolicy.go +++ b/vendor/github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/imagepolicy.go @@ -488,8 +488,6 @@ var skipImageRewriteOnUpdate = map[metav1.GroupResource]struct{}{ {Group: "batch", Resource: "jobs"}: {}, // Build specs are immutable, they cannot be updated. {Group: "build.openshift.io", Resource: "builds"}: {}, - // TODO: remove when statefulsets allow spec.template updates in 3.7 - {Group: "apps", Resource: "statefulsets"}: {}, } // RewriteImagePullSpec applies to implicit rewrite attributes and local resources as well as if the policy requires it. diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go index 990fd7a012e9..34c22d94c649 100644 
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go +++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go @@ -8,8 +8,11 @@ import ( "strings" "time" + "k8s.io/apimachinery/pkg/util/sets" + apiequality "k8s.io/apimachinery/pkg/api/equality" "k8s.io/apimachinery/pkg/labels" + kutilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/admission" 
@@ -131,17 +134,66 @@ func (c *constraint) Validate(ctx context.Context, a admission.Attributes, _ adm return admission.NewForbidden(a, fmt.Errorf("unable to validate against any security context constraint: %v", validationErrs)) } +// these are the SCCs created by the cluster-kube-apiserver-operator. +// see the list in https://github.com/openshift/cluster-kube-apiserver-operator/blob/3b0218cf9778cbcf2650ad5aa4e01d7b40a2d05e/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted.yaml +// if these are not present, the lister isn't really finished listing. +var standardSCCNames = sets.NewString( + "anyuid", + "hostaccess", + "hostmount-anyuid", + "hostnetwork", + "nonroot", + "privileged", + "restricted", +) + +func requireStandardSCCs(sccs []*securityv1.SecurityContextConstraints, err error) error { + if err != nil { + return err + } + + allCurrentSCCNames := sets.NewString() + for _, curr := range sccs { + allCurrentSCCNames.Insert(curr.Name) + } + + missingSCCs := standardSCCNames.Difference(allCurrentSCCNames) + if len(missingSCCs) == 0 { + return nil + } + + return fmt.Errorf("securitycontextconstraints.security.openshift.io cache is missing %v", strings.Join(missingSCCs.List(), ", ")) +} + func (c *constraint) computeSecurityContext(ctx context.Context, a admission.Attributes, pod *coreapi.Pod, specMutationAllowed bool, validatedSCCHint string) (*coreapi.Pod, string, field.ErrorList, error) { // get all constraints that are usable by the user klog.V(4).Infof("getting security context constraints for pod %s (generate: %s) in namespace %s with user info %v", pod.Name, pod.GenerateName, a.GetNamespace(), a.GetUserInfo()) - err := wait.PollImmediate(1*time.Second, 10*time.Second, func() (bool, error) { + err := wait.PollImmediateWithContext(ctx, 1*time.Second, 10*time.Second, func(context.Context) (bool, error) { return c.sccSynced(), nil }) if err != nil { return nil, "", nil, admission.NewForbidden(a, 
fmt.Errorf("securitycontextconstraints.security.openshift.io cache is not synchronized")) } + // wait a few seconds until the synchronized list returns all the required SCCs created by the kas-o. + // If this doesn't happen, then indicate which ones are missing. This seems odd, but our CI system suggests that this happens occasionally. + // If the SCCs were all deleted, then no pod will pass SCC admission until the SCCs are recreated, but the kas-o (which recreates them) + // bypasses SCC admission, so this does not create a cycle. + var requiredSCCErr error + err = wait.PollImmediateWithContext(ctx, 1*time.Second, 10*time.Second, func(context.Context) (bool, error) { + if requiredSCCErr = requireStandardSCCs(c.sccLister.List(labels.Everything())); requiredSCCErr != nil { + return false, nil + } + return true, nil + }) + if err != nil { + if requiredSCCErr != nil { + return nil, "", nil, admission.NewForbidden(a, requiredSCCErr) + } + return nil, "", nil, admission.NewForbidden(a, fmt.Errorf("securitycontextconstraints.security.openshift.io required check failed oddly")) + } + constraints, err := sccmatching.NewDefaultSCCMatcher(c.sccLister, nil).FindApplicableSCCs(ctx, a.GetNamespace()) if err != nil { return nil, "", nil, admission.NewForbidden(a, err) @@ -171,8 +223,11 @@ func (c *constraint) computeSecurityContext(ctx context.Context, a admission.Att return i < j }) - providers, errs := sccmatching.CreateProvidersFromConstraints(a.GetNamespace(), constraints, c.client) + providers, errs := sccmatching.CreateProvidersFromConstraints(ctx, a.GetNamespace(), constraints, c.client) logProviders(pod, providers, errs) + if len(errs) > 0 { + return nil, "", nil, kutilerrors.NewAggregate(errs) + } if len(providers) == 0 { return nil, "", nil, admission.NewForbidden(a, fmt.Errorf("no SecurityContextConstraintsProvider available to validate pod request")) 
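Review bot: The second poll in computeSecurityContext makes every pod admission depend on the seven hard-coded names in `standardSCCNames`, so if any one of them is absent from the cache each pod is rejected only after the full 10 second wait, on top of the up-to-10-second sync wait before it. The check compares names only and rebuilds a set from the complete lister output on every poll iteration of every request. `requireStandardSCCs` has no doc comment; `// requireStandardSCCs returns err unchanged if listing failed, otherwise an error naming each standard SCC missing from sccs.` would state its contract. The `required check failed oddly` branch looks unreachable, because the condition assigns requiredSCCErr before it ever returns false. The file is vendored, so any change would have to land in apiserver-library-go; computeSecurityContext continues outside the hunk.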
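Review bot: The new `if len(errs) > 0` return passes back `kutilerrors.NewAggregate(errs)` unwrapped, while the other failure paths visible in this function return `admission.NewForbidden(a, ...)`, so the caller presumably gets a generic error instead of a forbidden response carrying the request attributes. It also means a provider-creation failure for any single SCC now rejects the pod, where before the error was only logged and the remaining providers were still tried, which leaves the `len(providers) == 0` check below mostly redundant. If the stricter behaviour is intended, say so in a comment and use `return nil, "", nil, admission.NewForbidden(a, kutilerrors.NewAggregate(errs))`. The function body starts and ends outside the hunk.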
@@ -388,6 +443,6 @@ func logProviders(pod *coreapi.Pod, providers []sccmatching.SecurityContextConst klog.V(4).Infof("validating pod %s (generate: %s) against providers %s", pod.Name, pod.GenerateName, strings.Join(names, ",")) for _, err := range providerCreationErrs { - klog.V(4).Infof("provider creation error: %v", err) + klog.V(2).Infof("provider creation error: %v", err) } } diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go index 203dc453e8ac..98afd83efc5f 100644 --- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go +++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go @@ -5,16 +5,17 @@ import ( "fmt" "sort" "strings" - - "k8s.io/klog/v2" + "time" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/util/validation/field" + "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/client-go/kubernetes" + "k8s.io/klog/v2" kapi "k8s.io/kubernetes/pkg/apis/core" "github.com/openshift/api/security" 
@@ -159,17 +160,9 @@ func constraintSupportsGroup(group string, constraintGroups []string) bool { return false } -// getNamespaceByName retrieves a namespace only if ns is nil. -func getNamespaceByName(name string, ns *corev1.Namespace, client kubernetes.Interface) (*corev1.Namespace, error) { - if ns != nil && name == ns.Name { - return ns, nil - } - return client.CoreV1().Namespaces().Get(context.TODO(), name, metav1.GetOptions{}) -} - // CreateProvidersFromConstraints creates providers from the constraints supplied, including // looking up pre-allocated values if necessary using the pod's namespace. -func CreateProvidersFromConstraints(ns string, sccs []*securityv1.SecurityContextConstraints, client kubernetes.Interface) ([]SecurityContextConstraintsProvider, []error) { +func CreateProvidersFromConstraints(ctx context.Context, namespaceName string, sccs []*securityv1.SecurityContextConstraints, client kubernetes.Interface) ([]SecurityContextConstraintsProvider, []error) { var ( // namespace is declared here for reuse but we will not fetch it unless required by the matched constraints namespace *corev1.Namespace 
@@ -179,13 +172,39 @@ func CreateProvidersFromConstraints(ns string, sccs []*securityv1.SecurityContex errs []error ) + var lastErr error + err := wait.PollImmediateWithContext(ctx, 1*time.Second, 10*time.Second, func(ctx context.Context) (bool, error) { + namespace, lastErr = client.CoreV1().Namespaces().Get(ctx, namespaceName, metav1.GetOptions{}) + if lastErr != nil { + return false, nil + } + + if _, ok := namespace.GetAnnotations()[securityv1.UIDRangeAnnotation]; !ok { + lastErr = fmt.Errorf("unable to find annotation %s", securityv1.UIDRangeAnnotation) + return false, nil + } + + if _, ok := namespace.GetAnnotations()[securityv1.MCSAnnotation]; !ok { + lastErr = fmt.Errorf("unable to find annotation %s", securityv1.MCSAnnotation) + return false, nil + } + + return true, nil + }) + if err != nil { + if lastErr != nil { + return nil, []error{fmt.Errorf("error fetching namespace %q: %w", namespaceName, lastErr)} + } + return nil, []error{fmt.Errorf("error fetching namespace %q: %w", namespaceName, err)} + } + // set pre-allocated values on constraints for _, constraint := range sccs { var ( provider SecurityContextConstraintsProvider err error ) - provider, namespace, err = CreateProviderFromConstraint(ns, namespace, constraint, client) + provider, err = CreateProviderFromConstraint(namespace, constraint) if err != nil { errs = append(errs, err) continue 
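Review bot: The poll condition in CreateProvidersFromConstraints returns `false, nil` for every error from `Namespaces().Get`, so a namespace that does not exist or cannot be read is retried for the whole 10 seconds before admission fails. Returning terminal errors from the condition, for example `if apierrors.IsNotFound(lastErr) { return false, lastErr }` with `k8s.io/apimachinery/pkg/api/errors`, would fail fast while still waiting for the annotations to appear. The namespace is now always fetched and required to carry both the UID-range and MCS annotations, even when none of the supplied SCCs needs pre-allocated values, so the context comment `we will not fetch it unless required by the matched constraints` in the preceding hunk is stale. The function starts before this hunk and its return lies outside it.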
@@ -196,36 +215,23 @@ func CreateProvidersFromConstraints(ns string, sccs []*securityv1.SecurityContex } // CreateProviderFromConstraint creates a SecurityContextConstraintProvider from a SecurityContextConstraint -func CreateProviderFromConstraint(ns string, namespace *corev1.Namespace, constraint *securityv1.SecurityContextConstraints, client kubernetes.Interface) (SecurityContextConstraintsProvider, *corev1.Namespace, error) { +func CreateProviderFromConstraint(namespace *corev1.Namespace, constraint *securityv1.SecurityContextConstraints) (SecurityContextConstraintsProvider, error) { var err error - resolveUIDRange := requiresPreAllocatedUIDRange(constraint) - resolveSELinuxLevel := requiresPreAllocatedSELinuxLevel(constraint) - resolveFSGroup := requiresPreallocatedFSGroup(constraint) - resolveSupplementalGroups := requiresPreallocatedSupplementalGroups(constraint) - requiresNamespaceAllocations := resolveUIDRange || resolveSELinuxLevel || resolveFSGroup || resolveSupplementalGroups - - if requiresNamespaceAllocations { - // Ensure we have the namespace - namespace, err = getNamespaceByName(ns, namespace, client) - if err != nil { - return nil, namespace, fmt.Errorf("error fetching namespace %s required to preallocate values for %s: %v", ns, constraint.Name, err) - } - } // Make a copy of the constraint so we don't mutate the store's cache constraint = constraint.DeepCopy() // Resolve the values from the namespace - if resolveUIDRange { + if requiresPreAllocatedUIDRange(constraint) { constraint.RunAsUser.UIDRangeMin, constraint.RunAsUser.UIDRangeMax, err = getPreallocatedUIDRange(namespace) if err != nil { - return nil, namespace, fmt.Errorf("unable to find pre-allocated uid annotation for namespace %s while trying to configure SCC %s: %v", namespace.Name, constraint.Name, err) + return nil, fmt.Errorf("unable to find pre-allocated uid annotation for namespace %s while trying to configure SCC %s: %v", namespace.Name, constraint.Name, err) } } - if 
resolveSELinuxLevel { + if requiresPreAllocatedSELinuxLevel(constraint) { var level string if level, err = getPreallocatedLevel(namespace); err != nil { - return nil, namespace, fmt.Errorf("unable to find pre-allocated mcs annotation for namespace %s while trying to configure SCC %s: %v", namespace.Name, constraint.Name, err) + return nil, fmt.Errorf("unable to find pre-allocated mcs annotation for namespace %s while trying to configure SCC %s: %v", namespace.Name, constraint.Name, err) } if constraint.SELinuxContext.SELinuxOptions == nil { @@ -233,17 +239,17 @@ func CreateProviderFromConstraint(ns string, namespace *corev1.Namespace, constr } constraint.SELinuxContext.SELinuxOptions.Level = level } - if resolveFSGroup { + if requiresPreallocatedFSGroup(constraint) { fsGroup, err := getPreallocatedFSGroup(namespace) if err != nil { - return nil, namespace, fmt.Errorf("unable to find pre-allocated group annotation for namespace %s while trying to configure SCC %s: %v", namespace.Name, constraint.Name, err) + return nil, fmt.Errorf("unable to find pre-allocated group annotation for namespace %s while trying to configure SCC %s: %v", namespace.Name, constraint.Name, err) } constraint.FSGroup.Ranges = fsGroup } - if resolveSupplementalGroups { + if requiresPreallocatedSupplementalGroups(constraint) { supplementalGroups, err := getPreallocatedSupplementalGroups(namespace) if err != nil { - return nil, namespace, fmt.Errorf("unable to find pre-allocated group annotation for namespace %s while trying to configure SCC %s: %v", namespace.Name, constraint.Name, err) + return nil, fmt.Errorf("unable to find pre-allocated group annotation for namespace %s while trying to configure SCC %s: %v", namespace.Name, constraint.Name, err) } constraint.SupplementalGroups.Ranges = supplementalGroups } 
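Review bot: CreateProviderFromConstraint now depends on the caller for a non-nil, already-fetched namespace, but its doc comment still describes only the constraint. The body reads `namespace.Name` and `namespace.GetName()` and no longer has a client to look the namespace up, so a nil argument would presumably panic rather than return an error. Because the function is exported and its signature changed, the comment should state the precondition, e.g. `// namespace must be non-nil and carry the pre-allocation annotations; it is not looked up here.` The body continues into the following hunks.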
@@ -251,9 +257,9 @@ func CreateProviderFromConstraint(ns string, namespace *corev1.Namespace, constr // Create the provider provider, err := NewSimpleProvider(constraint) if err != nil { - return nil, namespace, fmt.Errorf("error creating provider for SCC %s in namespace %s: %v", constraint.Name, ns, err) + return nil, fmt.Errorf("error creating provider for SCC %s in namespace %s: %v", constraint.Name, namespace.GetName(), err) } - return provider, namespace, nil + return provider, nil } // getPreallocatedUIDRange retrieves the annotated value from the namespace, splits it to make diff --git a/vendor/modules.txt b/vendor/modules.txt index f9b2358d473e..30d0afb65bfd 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -673,7 +673,7 @@ github.com/openshift/api/security github.com/openshift/api/security/v1 github.com/openshift/api/template/v1 github.com/openshift/api/user/v1 -# github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f => github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f +# github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb => github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb ## explicit github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1 
@@ -2806,7 +2806,7 @@ sigs.k8s.io/yaml # github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 # github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.8.2 # github.com/openshift/api => github.com/openshift/api v0.0.0-20211028023115-7224b732cc14 -# github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210831182412-e8d18275584f +# github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20211105091019-06e87e7030eb # github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37 # github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 # github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20211014100835-efbd9a7e5841