
Scc check only api #8941


Merged
merged 1 commit into from
Jun 3, 2016
Merged
1 change: 1 addition & 0 deletions pkg/api/install/install.go
Expand Up @@ -14,6 +14,7 @@ import (
_ "github.com/openshift/origin/pkg/project/api/install"
_ "github.com/openshift/origin/pkg/route/api/install"
_ "github.com/openshift/origin/pkg/sdn/api/install"
_ "github.com/openshift/origin/pkg/security/api/install"
_ "github.com/openshift/origin/pkg/template/api/install"
_ "github.com/openshift/origin/pkg/user/api/install"
)
1 change: 1 addition & 0 deletions pkg/api/register.go
Expand Up @@ -12,6 +12,7 @@ import (
_ "github.com/openshift/origin/pkg/project/api"
_ "github.com/openshift/origin/pkg/route/api"
_ "github.com/openshift/origin/pkg/sdn/api"
_ "github.com/openshift/origin/pkg/security/api"
_ "github.com/openshift/origin/pkg/template/api"
_ "github.com/openshift/origin/pkg/user/api"
)
1 change: 1 addition & 0 deletions pkg/api/v1/register.go
Expand Up @@ -11,6 +11,7 @@ import (
_ "github.com/openshift/origin/pkg/project/api/v1"
_ "github.com/openshift/origin/pkg/route/api/v1"
_ "github.com/openshift/origin/pkg/sdn/api/v1"
_ "github.com/openshift/origin/pkg/security/api/v1"
_ "github.com/openshift/origin/pkg/template/api/v1"
_ "github.com/openshift/origin/pkg/user/api/v1"
)
6 changes: 6 additions & 0 deletions pkg/api/validation/register.go
Expand Up @@ -11,6 +11,7 @@ import (
projectvalidation "github.com/openshift/origin/pkg/project/api/validation"
routevalidation "github.com/openshift/origin/pkg/route/api/validation"
sdnvalidation "github.com/openshift/origin/pkg/sdn/api/validation"
securityvalidation "github.com/openshift/origin/pkg/security/api/validation"
templatevalidation "github.com/openshift/origin/pkg/template/api/validation"
uservalidation "github.com/openshift/origin/pkg/user/api/validation"
extvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation"
Expand All @@ -23,6 +24,7 @@ import (
projectapi "github.com/openshift/origin/pkg/project/api"
routeapi "github.com/openshift/origin/pkg/route/api"
sdnapi "github.com/openshift/origin/pkg/sdn/api"
securityapi "github.com/openshift/origin/pkg/security/api"
templateapi "github.com/openshift/origin/pkg/template/api"
userapi "github.com/openshift/origin/pkg/user/api"
"k8s.io/kubernetes/pkg/apis/extensions"
Expand Down Expand Up @@ -88,4 +90,8 @@ func registerAll() {
Validator.MustRegister(&userapi.Identity{}, uservalidation.ValidateIdentity, uservalidation.ValidateIdentityUpdate)
Validator.MustRegister(&userapi.UserIdentityMapping{}, uservalidation.ValidateUserIdentityMapping, uservalidation.ValidateUserIdentityMappingUpdate)
Validator.MustRegister(&userapi.Group{}, uservalidation.ValidateGroup, uservalidation.ValidateGroupUpdate)

Validator.MustRegister(&securityapi.PodSecurityPolicySubjectReview{}, securityvalidation.ValidatePodSecurityPolicySubjectReview, nil)
Validator.MustRegister(&securityapi.PodSecurityPolicySelfSubjectReview{}, securityvalidation.ValidatePodSecurityPolicySelfSubjectReview, nil)
Validator.MustRegister(&securityapi.PodSecurityPolicyReview{}, securityvalidation.ValidatePodSecurityPolicyReview, nil)
}
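Review bot: The three new MustRegister calls pass `nil` as the update validator without saying why, so a reader has to guess whether update validation was forgotten or is deliberately absent. A short comment above the new lines would settle it, e.g. `// Pod security policy review kinds are request/response objects and are never updated, so no update validator is registered.` — assuming that is what a nil third argument means for Validator.MustRegister, which is defined outside this hunk. The enclosing registerAll starts outside the hunk.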
4 changes: 4 additions & 0 deletions pkg/cmd/cli/describe/describer_test.go
Expand Up @@ -24,6 +24,7 @@ import (
oauthapi "github.com/openshift/origin/pkg/oauth/api"
projectapi "github.com/openshift/origin/pkg/project/api"
sdnapi "github.com/openshift/origin/pkg/sdn/api"
securityapi "github.com/openshift/origin/pkg/security/api"

// install all APIs
_ "github.com/openshift/origin/pkg/api/install"
Expand Down Expand Up @@ -65,6 +66,9 @@ var DescriberCoverageExceptions = []reflect.Type{
reflect.TypeOf(&authorizationapi.LocalSubjectAccessReview{}),
reflect.TypeOf(&authorizationapi.LocalResourceAccessReview{}),
reflect.TypeOf(&authorizationapi.SelfSubjectRulesReview{}),
reflect.TypeOf(&securityapi.PodSecurityPolicySubjectReview{}),
reflect.TypeOf(&securityapi.PodSecurityPolicySelfSubjectReview{}),
reflect.TypeOf(&securityapi.PodSecurityPolicyReview{}),
}

// MissingDescriberCoverageExceptions is the list of types that were missing describer methods when I started
4 changes: 4 additions & 0 deletions pkg/cmd/cli/describe/printer_test.go
Expand Up @@ -19,6 +19,7 @@ import (
deployapi "github.com/openshift/origin/pkg/deploy/api"
imageapi "github.com/openshift/origin/pkg/image/api"
projectapi "github.com/openshift/origin/pkg/project/api"
securityapi "github.com/openshift/origin/pkg/security/api"
)

// PrinterCoverageExceptions is the list of API types that do NOT have corresponding printers
Expand All @@ -44,6 +45,9 @@ var PrinterCoverageExceptions = []reflect.Type{
reflect.TypeOf(&buildapi.BinaryBuildRequestOptions{}),
reflect.TypeOf(&buildapi.BuildRequest{}),
reflect.TypeOf(&buildapi.BuildLogOptions{}),
reflect.TypeOf(&securityapi.PodSecurityPolicySubjectReview{}),
reflect.TypeOf(&securityapi.PodSecurityPolicySelfSubjectReview{}),
reflect.TypeOf(&securityapi.PodSecurityPolicyReview{}),
}

// MissingPrinterCoverageExceptions is the list of types that were missing printer methods when I started
4 changes: 4 additions & 0 deletions pkg/scheduler/admission/podnodeconstraints/admission.go
Expand Up @@ -21,6 +21,7 @@ import (
configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
deployapi "github.com/openshift/origin/pkg/deploy/api"
"github.com/openshift/origin/pkg/scheduler/admission/podnodeconstraints/api"
securityapi "github.com/openshift/origin/pkg/security/api"
)

func init() {
Expand Down Expand Up @@ -77,6 +78,9 @@ var resourcesToCheck = map[unversioned.GroupResource]unversioned.GroupKind{
// we choose not to handle in this plugin
var resourcesToIgnore = []unversioned.GroupKind{
extensions.Kind("DaemonSet"),
securityapi.Kind("PodSecurityPolicySelfSubjectReview"), // TODO: should this go through admission?

Yeah, let's run these. The rejection messages will help users figure out what's happening to their pods that are being created indirectly.


Yeah, let's run these. The rejection messages will help users figure out what's happening to their pods that are being created indirectly.

I still see this as outstanding. You should just need to provide a way to get the podspec.


OK. I'm going to do it. For some reason I thought this could be done in the next PR.


OK. I'm going to do. For some reasons I thought this could be done in the next PR.

If it's small, I'd like it here; if it's not, we can defer. Just let me know.

securityapi.Kind("PodSecurityPolicySubjectReview"), // TODO: should this go through admission?
securityapi.Kind("PodSecurityPolicyReview"), // TODO: should this go through admission?
}

func shouldCheckResource(resource unversioned.GroupResource, kind unversioned.GroupKind) (bool, error) {
Expand Up @@ -450,7 +450,7 @@ func hasPodSpec(t reflect.Type) bool {
if t == podSpecType {
return true
}
for i := 1; i < t.NumField(); i++ {
for i := 0; i < t.NumField(); i++ {
if hasPodSpec(t.Field(i).Type) {
return true
}
Expand Down
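Review bot: The corrected loop now visits field 0, but `t.NumField()` in the loop header still panics when `t` is not a struct kind (a pointer, slice, map or scalar field type), unless a Kind guard sits above the hunk where hasPodSpec starts. If there is none, add `if t.Kind() != reflect.Struct { return false }` before the loop, and consider unwrapping container kinds first with `if t.Kind() == reflect.Ptr || t.Kind() == reflect.Slice { return hasPodSpec(t.Elem()) }` so a PodSpec reached through a pointer or slice field is still detected; since this helper appears to decide whether the node-constraint admission check applies to a kind, a missed nested PodSpec silently exempts that kind from the check. Unwrapping pointers can recurse without bound on self-referential types, so that variant needs a visited set. hasPodSpec starts outside the hunk, and the rendered page does not name the file this hunk belongs to.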
143 changes: 143 additions & 0 deletions pkg/security/api/deep_copy_generated.go
@@ -0,0 +1,143 @@
// +build !ignore_autogenerated

// This file was autogenerated by deepcopy-gen. Do not edit it manually!

package api

import (
api "k8s.io/kubernetes/pkg/api"
unversioned "k8s.io/kubernetes/pkg/api/unversioned"
conversion "k8s.io/kubernetes/pkg/conversion"
)

func init() {
if err := api.Scheme.AddGeneratedDeepCopyFuncs(
DeepCopy_api_PodSecurityPolicyReview,
DeepCopy_api_PodSecurityPolicyReviewSpec,
DeepCopy_api_PodSecurityPolicyReviewStatus,
DeepCopy_api_PodSecurityPolicySelfSubjectReview,
DeepCopy_api_PodSecurityPolicySelfSubjectReviewSpec,
DeepCopy_api_PodSecurityPolicySubjectReview,
DeepCopy_api_PodSecurityPolicySubjectReviewSpec,
DeepCopy_api_PodSecurityPolicySubjectReviewStatus,
DeepCopy_api_ServiceAccountPodSecurityPolicyReviewStatus,
); err != nil {
// if one of the deep copy functions is malformed, detect it immediately.
panic(err)
}
}

func DeepCopy_api_PodSecurityPolicyReview(in PodSecurityPolicyReview, out *PodSecurityPolicyReview, c *conversion.Cloner) error {
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_api_PodSecurityPolicyReviewSpec(in.Spec, &out.Spec, c); err != nil {
return err
}
if err := DeepCopy_api_PodSecurityPolicyReviewStatus(in.Status, &out.Status, c); err != nil {
return err
}
return nil
}

func DeepCopy_api_PodSecurityPolicyReviewSpec(in PodSecurityPolicyReviewSpec, out *PodSecurityPolicyReviewSpec, c *conversion.Cloner) error {
if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
return err
}
if in.ServiceAccountNames != nil {
in, out := in.ServiceAccountNames, &out.ServiceAccountNames
*out = make([]string, len(in))
copy(*out, in)
} else {
out.ServiceAccountNames = nil
}
return nil
}

func DeepCopy_api_PodSecurityPolicyReviewStatus(in PodSecurityPolicyReviewStatus, out *PodSecurityPolicyReviewStatus, c *conversion.Cloner) error {
if in.AllowedServiceAccounts != nil {
in, out := in.AllowedServiceAccounts, &out.AllowedServiceAccounts
*out = make([]ServiceAccountPodSecurityPolicyReviewStatus, len(in))
for i := range in {
if err := DeepCopy_api_ServiceAccountPodSecurityPolicyReviewStatus(in[i], &(*out)[i], c); err != nil {
return err
}
}
} else {
out.AllowedServiceAccounts = nil
}
return nil
}

func DeepCopy_api_PodSecurityPolicySelfSubjectReview(in PodSecurityPolicySelfSubjectReview, out *PodSecurityPolicySelfSubjectReview, c *conversion.Cloner) error {
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_api_PodSecurityPolicySelfSubjectReviewSpec(in.Spec, &out.Spec, c); err != nil {
return err
}
if err := DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in.Status, &out.Status, c); err != nil {
return err
}
return nil
}

func DeepCopy_api_PodSecurityPolicySelfSubjectReviewSpec(in PodSecurityPolicySelfSubjectReviewSpec, out *PodSecurityPolicySelfSubjectReviewSpec, c *conversion.Cloner) error {
if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
return err
}
return nil
}

func DeepCopy_api_PodSecurityPolicySubjectReview(in PodSecurityPolicySubjectReview, out *PodSecurityPolicySubjectReview, c *conversion.Cloner) error {
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_api_PodSecurityPolicySubjectReviewSpec(in.Spec, &out.Spec, c); err != nil {
return err
}
if err := DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in.Status, &out.Status, c); err != nil {
return err
}
return nil
}

func DeepCopy_api_PodSecurityPolicySubjectReviewSpec(in PodSecurityPolicySubjectReviewSpec, out *PodSecurityPolicySubjectReviewSpec, c *conversion.Cloner) error {
if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
return err
}
out.User = in.User
if in.Groups != nil {
in, out := in.Groups, &out.Groups
*out = make([]string, len(in))
copy(*out, in)
} else {
out.Groups = nil
}
return nil
}

func DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in PodSecurityPolicySubjectReviewStatus, out *PodSecurityPolicySubjectReviewStatus, c *conversion.Cloner) error {
if in.AllowedBy != nil {
in, out := in.AllowedBy, &out.AllowedBy
*out = new(api.ObjectReference)
if err := api.DeepCopy_api_ObjectReference(*in, *out, c); err != nil {
return err
}
} else {
out.AllowedBy = nil
}
out.Reason = in.Reason
if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
return err
}
return nil
}

func DeepCopy_api_ServiceAccountPodSecurityPolicyReviewStatus(in ServiceAccountPodSecurityPolicyReviewStatus, out *ServiceAccountPodSecurityPolicyReviewStatus, c *conversion.Cloner) error {
if err := DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in.PodSecurityPolicySubjectReviewStatus, &out.PodSecurityPolicySubjectReviewStatus, c); err != nil {
return err
}
out.Name = in.Name
return nil
}
108 changes: 108 additions & 0 deletions pkg/security/api/install/install.go
@@ -0,0 +1,108 @@
package install

import (
"fmt"

"github.com/golang/glog"

kapi "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/meta"
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/apimachinery"
"k8s.io/kubernetes/pkg/apimachinery/registered"
"k8s.io/kubernetes/pkg/runtime"
"k8s.io/kubernetes/pkg/util/sets"

"github.com/openshift/origin/pkg/security/api"
"github.com/openshift/origin/pkg/security/api/v1"
)

const importPrefix = "github.com/openshift/origin/pkg/security/api"

var accessor = meta.NewAccessor()

// availableVersions lists all known external versions for this group from most preferred to least preferred
var availableVersions = []unversioned.GroupVersion{v1.SchemeGroupVersion}

func init() {
registered.RegisterVersions(availableVersions)
externalVersions := []unversioned.GroupVersion{}
for _, v := range availableVersions {
if registered.IsAllowedVersion(v) {
externalVersions = append(externalVersions, v)
}
}
if len(externalVersions) == 0 {
glog.Infof("No version is registered for group %v", api.GroupName)
return
}

if err := registered.EnableVersions(externalVersions...); err != nil {
panic(err)
}
if err := enableVersions(externalVersions); err != nil {
panic(err)
}
}

// TODO: enableVersions should be centralized rather than spread in each API
// group.
// We can combine registered.RegisterVersions, registered.EnableVersions and
// registered.RegisterGroup once we have moved enableVersions there.
func enableVersions(externalVersions []unversioned.GroupVersion) error {
addVersionsToScheme(externalVersions...)
preferredExternalVersion := externalVersions[0]

groupMeta := apimachinery.GroupMeta{
GroupVersion: preferredExternalVersion,
GroupVersions: externalVersions,
RESTMapper: newRESTMapper(externalVersions),
SelfLinker: runtime.SelfLinker(accessor),
InterfacesFor: interfacesFor,
}

if err := registered.RegisterGroup(groupMeta); err != nil {
return err
}
kapi.RegisterRESTMapper(groupMeta.RESTMapper)
return nil
}

func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {
// add the internal version to Scheme
api.AddToScheme(kapi.Scheme)
// add the enabled external versions to Scheme
for _, v := range externalVersions {
if !registered.IsEnabledVersion(v) {
glog.Errorf("Version %s is not enabled, so it will not be added to the Scheme.", v)
continue
}
switch v {
case v1.SchemeGroupVersion:
v1.AddToScheme(kapi.Scheme)
default:
glog.Errorf("Version %s is not known, so it will not be added to the Scheme.", v)
continue
}
}
}

func newRESTMapper(externalVersions []unversioned.GroupVersion) meta.RESTMapper {
rootScoped := sets.NewString()
ignoredKinds := sets.NewString()
return kapi.NewDefaultRESTMapper(externalVersions, interfacesFor, importPrefix, ignoredKinds, rootScoped)
}

func interfacesFor(version unversioned.GroupVersion) (*meta.VersionInterfaces, error) {
switch version {
case v1.SchemeGroupVersion:
return &meta.VersionInterfaces{
ObjectConvertor: kapi.Scheme,
MetadataAccessor: accessor,
}, nil

default:
g, _ := registered.Group(api.GroupName)
return nil, fmt.Errorf("unsupported storage version: %s (valid: %v)", version, g.GroupVersions)
}
}
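Review bot: `enableVersions` indexes `externalVersions[0]` without a length check, relying on `init` having already returned when no version is enabled; that precondition belongs on the function, e.g. `// enableVersions registers the group for externalVersions, which must be non-empty (init guards this); the first entry is the preferred version.` In `interfacesFor` the default branch discards the error from `registered.Group(api.GroupName)`, so when the group is not registered the message reports an empty valid-version list instead of the real cause; use `g, err := registered.Group(api.GroupName)` and include `err` in the returned message, or fall back to `availableVersions` for the `%v`. The empty `rootScoped` set in `newRESTMapper` makes every kind in this group namespaced, which is presumably intended for these review kinds but deserves a one-line comment. The results of `api.AddToScheme` and `v1.AddToScheme` are discarded in `addVersionsToScheme`; if those functions return an error (not visible here), it should be checked.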