Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume #841

Merged
merged 2 commits into from Jul 1, 2021
32 changes: 16 additions & 16 deletions go.mod
Expand Up @@ -69,10 +69,10 @@ require (
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/runc v1.0.0-rc95.0.20210608002938-1f5126fe967e
github.com/opencontainers/selinux v1.8.0
github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7
github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
github.com/openshift/api v0.0.0-20210521075222-e273a339932a
github.com/openshift/apiserver-library-go v0.0.0-20210701134359-ec2b755e3a59
github.com/openshift/client-go v0.0.0-20210521082421-73d9475a9142
github.com/openshift/library-go v0.0.0-20210521084623-7392ea9b02ca
github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.0
github.com/prometheus/client_model v0.2.0
Expand Down Expand Up @@ -103,16 +103,16 @@ require (
gopkg.in/natefinch/lumberjack.v2 v2.0.0
gopkg.in/square/go-jose.v2 v2.2.2
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.21.0-rc.0
k8s.io/api v0.21.1
k8s.io/apiextensions-apiserver v0.21.0-rc.0
k8s.io/apimachinery v0.21.0-rc.0
k8s.io/apiserver v0.21.0-rc.0
k8s.io/apimachinery v0.21.1
k8s.io/apiserver v0.21.1
k8s.io/cli-runtime v0.0.0
k8s.io/client-go v0.21.0-rc.0
k8s.io/client-go v0.21.1
k8s.io/cloud-provider v0.0.0
k8s.io/cluster-bootstrap v0.0.0
k8s.io/code-generator v0.21.0-rc.0
k8s.io/component-base v0.21.0-rc.0
k8s.io/code-generator v0.21.1
k8s.io/component-base v0.21.1
k8s.io/component-helpers v0.0.0
k8s.io/controller-manager v0.0.0
k8s.io/cri-api v0.0.0
Expand Down Expand Up @@ -397,7 +397,7 @@ replace (
github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.8.0
github.com/openshift/api => github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7
github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210701134359-ec2b755e3a59
github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
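Review bot: The replace block still pins github.com/openshift/api, github.com/openshift/client-go and github.com/openshift/library-go to their old pseudo-versions (20210422150128, 20210422153130 and 20210407092538), while the require block earlier in this file moves all three to 20210521 pseudo-versions. A replace directive takes precedence over require, so of the four openshift bumps only apiserver-library-go actually changes what is built. Either bump these three replace lines to match the require block or drop the require changes, so the file states one version per module.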
Expand Down Expand Up @@ -508,15 +508,15 @@ replace (
gotest.tools => gotest.tools v2.2.0+incompatible
gotest.tools/v3 => gotest.tools/v3 v3.0.3
honnef.co/go/tools => honnef.co/go/tools v0.0.1-2020.1.3
k8s.io/api => k8s.io/api v0.21.0-rc.0
k8s.io/api => k8s.io/api v0.21.1
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.21.0-rc.0
k8s.io/apimachinery => k8s.io/apimachinery v0.21.0-rc.0
k8s.io/apiserver => k8s.io/apiserver v0.21.0-rc.0
k8s.io/apimachinery => k8s.io/apimachinery v0.21.1
k8s.io/apiserver => k8s.io/apiserver v0.21.1
k8s.io/cli-runtime => ./staging/src/k8s.io/cli-runtime
k8s.io/client-go => k8s.io/client-go v0.21.0-rc.0
k8s.io/client-go => k8s.io/client-go v0.21.1
k8s.io/cloud-provider => ./staging/src/k8s.io/cloud-provider
k8s.io/cluster-bootstrap => ./staging/src/k8s.io/cluster-bootstrap
k8s.io/code-generator => k8s.io/code-generator v0.21.0-rc.0
k8s.io/code-generator => k8s.io/code-generator v0.21.1
k8s.io/component-base => k8s.io/component-base v0.21.0-rc.0
k8s.io/component-helpers => ./staging/src/k8s.io/component-helpers
k8s.io/controller-manager => ./staging/src/k8s.io/controller-manager
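Review bot: k8s.io/apiextensions-apiserver and k8s.io/component-base stay at v0.21.0-rc.0 in this replace block while api, apimachinery, apiserver, client-go and code-generator move to v0.21.1. The require block in this file lists k8s.io/component-base at v0.21.1, so this replace overrides it back to the release candidate. Bump both lines to v0.21.1, or say in the commit message why these two modules are held back.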
26 changes: 13 additions & 13 deletions go.sum
Expand Up @@ -402,8 +402,8 @@ github.com/opencontainers/selinux v1.8.0 h1:+77ba4ar4jsCbL1GLbFL8fFM57w6suPfSS9P
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c h1:vEOCkpisFTnbTtDfC313LEVmA+d38KEEroN/iABOSlw=
github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c/go.mod h1:dZ4kytOo3svxJHNYd0J55hwe/6IQG5gAUHUE0F3Jkio=
github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7 h1:eJDIx4xV8J+9Zg1W8UJPv5SME0pGNmXttWIUU5Fg6O4=
github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7/go.mod h1:nqn2IWld2A+Q9Lp/xGsbmUr2RyDCQixRU83yqAbymUM=
github.com/openshift/apiserver-library-go v0.0.0-20210701134359-ec2b755e3a59 h1:pRgxFotomM8z8wzBbOESO7i6n36FSAUDFjGLOVaU4ew=
github.com/openshift/apiserver-library-go v0.0.0-20210701134359-ec2b755e3a59/go.mod h1:hmRcqTWiLRXXEnVLhCNoZBfmciZD2N2NrHTEzcRqhK8=
github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535 h1:JGSJhDJiQxqUETyqseqeXD7X/hgA6V/F3WW/2dN4QCs=
github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535/go.mod h1:v5/AYttPCjfqMGC1Ed/vutuDpuXmgWc5O+W9nwQ7EtE=
Expand Down Expand Up @@ -605,18 +605,18 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/api v0.21.0-rc.0 h1:t/kW96KdNJNamYNqxaxRirahK+FaWJQ6BJPbXm5Jb+o=
k8s.io/api v0.21.0-rc.0/go.mod h1:Dkc/ZauWJrgZhjOjeBgW89xZQiTBJA2RaBKYHXPsi2Y=
k8s.io/api v0.21.1 h1:94bbZ5NTjdINJEdzOkpS4vdPhkb1VFpTYC9zh43f75c=
k8s.io/api v0.21.1/go.mod h1:FstGROTmsSHBarKc8bylzXih8BLNYTiS3TZcsoEDg2s=
k8s.io/apiextensions-apiserver v0.21.0-rc.0 h1:gxeak4PvTBhuiZagZRFv9WyNnAdG39/VCmI9XTwVCRk=
k8s.io/apiextensions-apiserver v0.21.0-rc.0/go.mod h1:ItIoMBJU1gy93Qwr/B2699r4b0VmZqAOU+15BvozxMY=
k8s.io/apimachinery v0.21.0-rc.0 h1:m9dyzHb8QZAHOZKIz2SiabSif1oLsfgrnwiago/9xJA=
k8s.io/apimachinery v0.21.0-rc.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
k8s.io/apiserver v0.21.0-rc.0 h1:Ecvg4oAoQn5dK8V7W0TQIQqA4r+B/DH83HKSY4SuMSs=
k8s.io/apiserver v0.21.0-rc.0/go.mod h1:QlW7+1CZTZtAcKvJ34/n4DIb8sC93FeQpkd1KSU+Sok=
k8s.io/client-go v0.21.0-rc.0 h1:lsPZHT1ZniXJcwg2udlaTOhAT8wf7BE0rn9Vj0+LWMA=
k8s.io/client-go v0.21.0-rc.0/go.mod h1:zU5HY/bSOKH3YOqoge9nFvICgrpeSdJu8DQ4fkjKIZk=
k8s.io/code-generator v0.21.0-rc.0 h1:5XqZwy0dHr3LssJ9ImpO8dCjdTvZ8Bw84b90dZ46kPk=
k8s.io/code-generator v0.21.0-rc.0/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64uZCHDh6Q=
k8s.io/apimachinery v0.21.1 h1:Q6XuHGlj2xc+hlMCvqyYfbv3H7SRGn2c8NycxJquDVs=
k8s.io/apimachinery v0.21.1/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
k8s.io/apiserver v0.21.1 h1:wTRcid53IhxhbFt4KTrFSw8tAncfr01EP91lzfcygVg=
k8s.io/apiserver v0.21.1/go.mod h1:nLLYZvMWn35glJ4/FZRhzLG/3MPxAaZTgV4FJZdr+tY=
k8s.io/client-go v0.21.1 h1:bhblWYLZKUu+pm50plvQF8WpY6TXdRRtcS/K9WauOj4=
k8s.io/client-go v0.21.1/go.mod h1:/kEw4RgW+3xnBGzvp9IWxKSNA+lXn3A7AuH3gdOAzLs=
k8s.io/code-generator v0.21.1 h1:jvcxHpVu5dm/LMXr3GOj/jroiP8+v2YnJE9i2OVRenk=
k8s.io/code-generator v0.21.1/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64uZCHDh6Q=
k8s.io/component-base v0.21.0-rc.0 h1:8YgFPDsIhRx7zCOxikZn77nYRnwxrc9aMiuQDJtK1+g=
k8s.io/component-base v0.21.0-rc.0/go.mod h1:XlP0bM7QJFWRGZYPc5NmphkvsYQ+o7804HWH3GTGjDY=
k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 h1:Uusb3oh8XcdzDF/ndlI4ToKTYVlkCSJP39SRY2mfRAw=
Expand All @@ -631,7 +631,7 @@ k8s.io/kube-aggregator v0.21.0-rc.0 h1:PxnBqTgEQHCOhWl3J6EX2OKbfx0epwgKF4phlhgNy
k8s.io/kube-aggregator v0.21.0-rc.0/go.mod h1:M+whOmsAeQf8ObJ0/eO9Af1Dz2UQEB9OW9BWmt9b2sU=
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 h1:vEx13qjvaZ4yfObSSXW7BrMc/KQBBT/Jyee8XtLf4x0=
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
k8s.io/kubernetes v1.21.0-rc.0/go.mod h1:Yx6XZ8zalyqEk7but+j4+5SvLzdyH1eeqZ4cwO+5dD4=
k8s.io/kubernetes v1.21.1/go.mod h1:ef++isEL1PW0taH6z7DXrSztPglrZ7jQhyvcMEtm0gQ=
k8s.io/system-validators v1.4.0 h1:8ruXIHkuTAGfv9rHJproNWFW8oLASThFkCOxeHPYkNU=
k8s.io/system-validators v1.4.0/go.mod h1:bPldcLgkIUK22ALflnsXk8pvkTEndYdNuaHH6gRrl0Q=
k8s.io/utils v0.0.0-20210521133846-da695404a2bc h1:dx6VGe+PnOW/kD/2UV4aUSsRfJGd7+lcqgJ6Xg0HwUs=
40 changes: 31 additions & 9 deletions pkg/security/podsecuritypolicy/util/util_test.go
Expand Up @@ -259,7 +259,7 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
Path: "token",
ExpirationSeconds: serviceaccount.WarnOnlyBoundTokenExpirationSeconds,
}}
configMap := api.VolumeProjection{
rootConfigMap := api.VolumeProjection{
ConfigMap: &api.ConfigMapProjection{
LocalObjectReference: api.LocalObjectReference{
Name: "kube-root-ca.crt",
Expand All @@ -272,6 +272,19 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
},
},
}
serviceCAConfigMap := api.VolumeProjection{
ConfigMap: &api.ConfigMapProjection{
LocalObjectReference: api.LocalObjectReference{
Name: "openshift-service-ca.crt",
},
Items: []api.KeyToPath{
{
Key: "service-ca.crt",
Path: "service-ca.crt",
},
},
},
}
downwardAPI := api.VolumeProjection{
DownwardAPI: &api.DownwardAPIProjection{
Items: []api.DownwardAPIVolumeFile{
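Review bot: The new serviceCAConfigMap fixture appears in the visible hunks only in its exact form (Name "openshift-service-ca.crt", Key and Path "service-ca.crt"), so the table has no case showing that a look-alike projection is rejected. Add a deny case with a different ConfigMap name, and one with the right name but a different Key or Path, mirroring how the token cases use Path "notatoken" and Audience "not api server".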
Expand Down Expand Up @@ -299,7 +312,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
Path: "notatoken",
ExpirationSeconds: serviceaccount.WarnOnlyBoundTokenExpirationSeconds,
}},
configMap,
rootConfigMap,
serviceCAConfigMap,
downwardAPI,
},
},
Expand All @@ -313,7 +327,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
Audience: "not api server",
ExpirationSeconds: serviceaccount.WarnOnlyBoundTokenExpirationSeconds,
}},
configMap,
rootConfigMap,
serviceCAConfigMap,
downwardAPI,
},
},
Expand All @@ -336,6 +351,7 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
},
},
},
serviceCAConfigMap,
downwardAPI,
},
},
Expand All @@ -345,7 +361,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
volume: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
serviceAccountToken,
configMap,
rootConfigMap,
serviceCAConfigMap,
{
DownwardAPI: &api.DownwardAPIProjection{
Items: []api.DownwardAPIVolumeFile{
Expand All @@ -367,7 +384,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
volume: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
serviceAccountToken,
configMap,
rootConfigMap,
serviceCAConfigMap,
{
DownwardAPI: &api.DownwardAPIProjection{
Items: []api.DownwardAPIVolumeFile{
Expand All @@ -385,7 +403,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
volume: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
serviceAccountToken,
configMap,
rootConfigMap,
serviceCAConfigMap,
{
DownwardAPI: &api.DownwardAPIProjection{
Items: []api.DownwardAPIVolumeFile{
Expand All @@ -407,7 +426,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
volume: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
serviceAccountToken,
configMap,
rootConfigMap,
serviceCAConfigMap,
{
DownwardAPI: &api.DownwardAPIProjection{
Items: []api.DownwardAPIVolumeFile{
Expand All @@ -431,7 +451,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
{
Secret: &api.SecretProjection{},
},
configMap,
rootConfigMap,
serviceCAConfigMap,
downwardAPI,
serviceAccountToken,
},
Expand All @@ -449,7 +470,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
desc: "allow if any of ServiceAccountToken, ConfigMap and DownwardAPI matches",
volume: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
configMap,
rootConfigMap,
serviceCAConfigMap,
downwardAPI,
serviceAccountToken,
},
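Review bot: Every case in the visible hunks that used configMap now carries both rootConfigMap and serviceCAConfigMap, so nothing pins the behaviour for a projected volume that has only kube-root-ca.crt. Keep one allow case without serviceCAConfigMap so that shape stays covered. The desc string here still reads "allow if any of ServiceAccountToken, ConfigMap and DownwardAPI matches" although the source list now has two ConfigMap projections; update it to name the service CA ConfigMap.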
6 changes: 5 additions & 1 deletion staging/src/k8s.io/api/go.mod
Expand Up @@ -7,7 +7,7 @@ go 1.16
require (
github.com/gogo/protobuf v1.3.2
github.com/stretchr/testify v1.6.1
k8s.io/apimachinery v0.21.0-rc.0
k8s.io/apimachinery v0.21.1
)

replace (
Expand All @@ -17,6 +17,10 @@ replace (
github.com/mattn/go-colorable => github.com/mattn/go-colorable v0.0.9
github.com/onsi/ginkgo => github.com/openshift/ginkgo v4.7.0-origin.0+incompatible
github.com/opencontainers/runc => github.com/openshift/opencontainers-runc v1.0.0-rc95.0.20210608002938-1f5126fe967e
github.com/openshift/api => github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
github.com/robfig/cron => github.com/robfig/cron v1.1.0
go.uber.org/multierr => go.uber.org/multierr v1.1.0
k8s.io/api => ../api
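Review bot: The four added replace lines pin github.com/openshift/api, build-machinery-go, client-go and library-go in a module whose require block, fully visible in the previous hunk, lists only gogo/protobuf, testify and k8s.io/apimachinery. They also carry the 20210422 and 20210407 pseudo-versions rather than the 20210521 ones required in the root go.mod. If the vendoring tooling generates these lines, regenerate them once the root replace block is aligned with its require block so the staging modules do not keep the stale pins.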
8 changes: 2 additions & 6 deletions staging/src/k8s.io/api/go.sum

Some generated files are not rendered by default.

16 changes: 10 additions & 6 deletions staging/src/k8s.io/apiextensions-apiserver/go.mod
Expand Up @@ -12,18 +12,18 @@ require (
github.com/google/gofuzz v1.1.0
github.com/google/uuid v1.1.2
github.com/googleapis/gnostic v0.4.1
github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/api v0.0.0-20210521075222-e273a339932a
github.com/spf13/cobra v1.1.1
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.6.1
go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489
google.golang.org/grpc v1.27.1
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.21.0-rc.0
k8s.io/apimachinery v0.21.0-rc.0
k8s.io/apiserver v0.21.0-rc.0
k8s.io/client-go v0.21.0-rc.0
k8s.io/code-generator v0.21.0-rc.0
k8s.io/api v0.21.1
k8s.io/apimachinery v0.21.1
k8s.io/apiserver v0.21.1
k8s.io/client-go v0.21.1
k8s.io/code-generator v0.21.1
k8s.io/component-base v0.21.0-rc.0
k8s.io/klog/v2 v2.8.0
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7
Expand All @@ -39,6 +39,10 @@ replace (
github.com/mattn/go-colorable => github.com/mattn/go-colorable v0.0.9
github.com/onsi/ginkgo => github.com/openshift/ginkgo v4.7.0-origin.0+incompatible
github.com/opencontainers/runc => github.com/openshift/opencontainers-runc v1.0.0-rc95.0.20210608002938-1f5126fe967e
github.com/openshift/api => github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
github.com/robfig/cron => github.com/robfig/cron v1.1.0
go.uber.org/multierr => go.uber.org/multierr v1.1.0
k8s.io/api => ../api
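Review bot: The added replace for github.com/openshift/api pins v0.0.0-20210422150128-d8a48168c81c, while the require block in this same file is bumped to v0.0.0-20210521075222-e273a339932a. The replace wins, so this module still resolves the April snapshot; align the two versions. k8s.io/component-base also remains at v0.21.0-rc.0 in the require block while api, apimachinery, apiserver, client-go and code-generator move to v0.21.1.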