Merge pull request kubernetes#842 from stlaz/48_scc_projected_volumes
Bug 1977924: [release-4.8] Ensure scc compatibility with BoundServiceAccountTokenVolume
mfojtik authored Jul 2, 2021
2 parents 1622f87 + 77f51a6 commit 66b664d
Showing 36 changed files with 240 additions and 134 deletions.
26 changes: 13 additions & 13 deletions go.mod
@@ -70,7 +70,7 @@ require (
github.com/opencontainers/runc v1.0.0-rc95.0.20210608002938-1f5126fe967e
github.com/opencontainers/selinux v1.8.0
github.com/openshift/api v0.0.0-20210521075222-e273a339932a
github.com/openshift/apiserver-library-go v0.0.0-20210521113822-91c23a9a7ddf
github.com/openshift/apiserver-library-go v0.0.0-20210701141342-9877d4ce2e6d
github.com/openshift/client-go v0.0.0-20210521082421-73d9475a9142
github.com/openshift/library-go v0.0.0-20210521084623-7392ea9b02ca
github.com/pkg/errors v0.9.1
@@ -103,16 +103,16 @@ require (
gopkg.in/natefinch/lumberjack.v2 v2.0.0
gopkg.in/square/go-jose.v2 v2.2.2
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.21.0-rc.0
k8s.io/api v0.21.1
k8s.io/apiextensions-apiserver v0.21.0-rc.0
k8s.io/apimachinery v0.21.0-rc.0
k8s.io/apiserver v0.21.0-rc.0
k8s.io/apimachinery v0.21.1
k8s.io/apiserver v0.21.1
k8s.io/cli-runtime v0.0.0
k8s.io/client-go v0.21.0-rc.0
k8s.io/client-go v0.21.1
k8s.io/cloud-provider v0.0.0
k8s.io/cluster-bootstrap v0.0.0
k8s.io/code-generator v0.21.0-rc.0
k8s.io/component-base v0.21.0-rc.0
k8s.io/code-generator v0.21.1
k8s.io/component-base v0.21.1
k8s.io/component-helpers v0.0.0
k8s.io/controller-manager v0.0.0
k8s.io/cri-api v0.0.0
@@ -397,7 +397,7 @@ replace (
github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.8.0
github.com/openshift/api => github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7
github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210701141342-9877d4ce2e6d
github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
@@ -508,15 +508,15 @@ replace (
gotest.tools => gotest.tools v2.2.0+incompatible
gotest.tools/v3 => gotest.tools/v3 v3.0.3
honnef.co/go/tools => honnef.co/go/tools v0.0.1-2020.1.3
k8s.io/api => k8s.io/api v0.21.0-rc.0
k8s.io/api => k8s.io/api v0.21.1
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.21.0-rc.0
k8s.io/apimachinery => k8s.io/apimachinery v0.21.0-rc.0
k8s.io/apiserver => k8s.io/apiserver v0.21.0-rc.0
k8s.io/apimachinery => k8s.io/apimachinery v0.21.1
k8s.io/apiserver => k8s.io/apiserver v0.21.1
k8s.io/cli-runtime => ./staging/src/k8s.io/cli-runtime
k8s.io/client-go => k8s.io/client-go v0.21.0-rc.0
k8s.io/client-go => k8s.io/client-go v0.21.1
k8s.io/cloud-provider => ./staging/src/k8s.io/cloud-provider
k8s.io/cluster-bootstrap => ./staging/src/k8s.io/cluster-bootstrap
k8s.io/code-generator => k8s.io/code-generator v0.21.0-rc.0
k8s.io/code-generator => k8s.io/code-generator v0.21.1
k8s.io/component-base => k8s.io/component-base v0.21.0-rc.0
k8s.io/component-helpers => ./staging/src/k8s.io/component-helpers
k8s.io/controller-manager => ./staging/src/k8s.io/controller-manager
26 changes: 13 additions & 13 deletions go.sum
@@ -402,8 +402,8 @@ github.com/opencontainers/selinux v1.8.0 h1:+77ba4ar4jsCbL1GLbFL8fFM57w6suPfSS9P
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c h1:vEOCkpisFTnbTtDfC313LEVmA+d38KEEroN/iABOSlw=
github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c/go.mod h1:dZ4kytOo3svxJHNYd0J55hwe/6IQG5gAUHUE0F3Jkio=
github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7 h1:eJDIx4xV8J+9Zg1W8UJPv5SME0pGNmXttWIUU5Fg6O4=
github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7/go.mod h1:nqn2IWld2A+Q9Lp/xGsbmUr2RyDCQixRU83yqAbymUM=
github.com/openshift/apiserver-library-go v0.0.0-20210701141342-9877d4ce2e6d h1:57mUjJJEP/ZtqmuuEpxDnrx60LUpIZmHWFj3syeJbbY=
github.com/openshift/apiserver-library-go v0.0.0-20210701141342-9877d4ce2e6d/go.mod h1:hmRcqTWiLRXXEnVLhCNoZBfmciZD2N2NrHTEzcRqhK8=
github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535 h1:JGSJhDJiQxqUETyqseqeXD7X/hgA6V/F3WW/2dN4QCs=
github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535/go.mod h1:v5/AYttPCjfqMGC1Ed/vutuDpuXmgWc5O+W9nwQ7EtE=
@@ -605,18 +605,18 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/api v0.21.0-rc.0 h1:t/kW96KdNJNamYNqxaxRirahK+FaWJQ6BJPbXm5Jb+o=
k8s.io/api v0.21.0-rc.0/go.mod h1:Dkc/ZauWJrgZhjOjeBgW89xZQiTBJA2RaBKYHXPsi2Y=
k8s.io/api v0.21.1 h1:94bbZ5NTjdINJEdzOkpS4vdPhkb1VFpTYC9zh43f75c=
k8s.io/api v0.21.1/go.mod h1:FstGROTmsSHBarKc8bylzXih8BLNYTiS3TZcsoEDg2s=
k8s.io/apiextensions-apiserver v0.21.0-rc.0 h1:gxeak4PvTBhuiZagZRFv9WyNnAdG39/VCmI9XTwVCRk=
k8s.io/apiextensions-apiserver v0.21.0-rc.0/go.mod h1:ItIoMBJU1gy93Qwr/B2699r4b0VmZqAOU+15BvozxMY=
k8s.io/apimachinery v0.21.0-rc.0 h1:m9dyzHb8QZAHOZKIz2SiabSif1oLsfgrnwiago/9xJA=
k8s.io/apimachinery v0.21.0-rc.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
k8s.io/apiserver v0.21.0-rc.0 h1:Ecvg4oAoQn5dK8V7W0TQIQqA4r+B/DH83HKSY4SuMSs=
k8s.io/apiserver v0.21.0-rc.0/go.mod h1:QlW7+1CZTZtAcKvJ34/n4DIb8sC93FeQpkd1KSU+Sok=
k8s.io/client-go v0.21.0-rc.0 h1:lsPZHT1ZniXJcwg2udlaTOhAT8wf7BE0rn9Vj0+LWMA=
k8s.io/client-go v0.21.0-rc.0/go.mod h1:zU5HY/bSOKH3YOqoge9nFvICgrpeSdJu8DQ4fkjKIZk=
k8s.io/code-generator v0.21.0-rc.0 h1:5XqZwy0dHr3LssJ9ImpO8dCjdTvZ8Bw84b90dZ46kPk=
k8s.io/code-generator v0.21.0-rc.0/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64uZCHDh6Q=
k8s.io/apimachinery v0.21.1 h1:Q6XuHGlj2xc+hlMCvqyYfbv3H7SRGn2c8NycxJquDVs=
k8s.io/apimachinery v0.21.1/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
k8s.io/apiserver v0.21.1 h1:wTRcid53IhxhbFt4KTrFSw8tAncfr01EP91lzfcygVg=
k8s.io/apiserver v0.21.1/go.mod h1:nLLYZvMWn35glJ4/FZRhzLG/3MPxAaZTgV4FJZdr+tY=
k8s.io/client-go v0.21.1 h1:bhblWYLZKUu+pm50plvQF8WpY6TXdRRtcS/K9WauOj4=
k8s.io/client-go v0.21.1/go.mod h1:/kEw4RgW+3xnBGzvp9IWxKSNA+lXn3A7AuH3gdOAzLs=
k8s.io/code-generator v0.21.1 h1:jvcxHpVu5dm/LMXr3GOj/jroiP8+v2YnJE9i2OVRenk=
k8s.io/code-generator v0.21.1/go.mod h1:hUlps5+9QaTrKx+jiM4rmq7YmH8wPOIko64uZCHDh6Q=
k8s.io/component-base v0.21.0-rc.0 h1:8YgFPDsIhRx7zCOxikZn77nYRnwxrc9aMiuQDJtK1+g=
k8s.io/component-base v0.21.0-rc.0/go.mod h1:XlP0bM7QJFWRGZYPc5NmphkvsYQ+o7804HWH3GTGjDY=
k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 h1:Uusb3oh8XcdzDF/ndlI4ToKTYVlkCSJP39SRY2mfRAw=
@@ -631,7 +631,7 @@ k8s.io/kube-aggregator v0.21.0-rc.0 h1:PxnBqTgEQHCOhWl3J6EX2OKbfx0epwgKF4phlhgNy
k8s.io/kube-aggregator v0.21.0-rc.0/go.mod h1:M+whOmsAeQf8ObJ0/eO9Af1Dz2UQEB9OW9BWmt9b2sU=
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 h1:vEx13qjvaZ4yfObSSXW7BrMc/KQBBT/Jyee8XtLf4x0=
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
k8s.io/kubernetes v1.21.0-rc.0/go.mod h1:Yx6XZ8zalyqEk7but+j4+5SvLzdyH1eeqZ4cwO+5dD4=
k8s.io/kubernetes v1.21.1/go.mod h1:ef++isEL1PW0taH6z7DXrSztPglrZ7jQhyvcMEtm0gQ=
k8s.io/system-validators v1.4.0 h1:8ruXIHkuTAGfv9rHJproNWFW8oLASThFkCOxeHPYkNU=
k8s.io/system-validators v1.4.0/go.mod h1:bPldcLgkIUK22ALflnsXk8pvkTEndYdNuaHH6gRrl0Q=
k8s.io/utils v0.0.0-20210521133846-da695404a2bc h1:dx6VGe+PnOW/kD/2UV4aUSsRfJGd7+lcqgJ6Xg0HwUs=
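--- a/pkg/security/podsecuritypolicy/util/util_test.go
+++ b/pkg/security/podsecuritypolicy/util/util_test.go
@@ -259,7 +259,7 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 Path: "token",
 ExpirationSeconds: serviceaccount.WarnOnlyBoundTokenExpirationSeconds,
 }}
-configMap := api.VolumeProjection{
+rootConfigMap := api.VolumeProjection{
 ConfigMap: &api.ConfigMapProjection{
 LocalObjectReference: api.LocalObjectReference{
 Name: "kube-root-ca.crt",
@@ -272,6 +272,19 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 },
 },
 }
+serviceCAConfigMap := api.VolumeProjection{
+ConfigMap: &api.ConfigMapProjection{
+LocalObjectReference: api.LocalObjectReference{
+Name: "openshift-service-ca.crt",
+},
+Items: []api.KeyToPath{
+{
+Key: "service-ca.crt",
+Path: "service-ca.crt",
+},
+},
+},
+}
 downwardAPI := api.VolumeProjection{
 DownwardAPI: &api.DownwardAPIProjection{
 Items: []api.DownwardAPIVolumeFile{
@@ -299,7 +312,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 Path: "notatoken",
 ExpirationSeconds: serviceaccount.WarnOnlyBoundTokenExpirationSeconds,
 }},
-configMap,
+rootConfigMap,
+serviceCAConfigMap,
 downwardAPI,
 },
 },
@@ -313,7 +327,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 Audience: "not api server",
 ExpirationSeconds: serviceaccount.WarnOnlyBoundTokenExpirationSeconds,
 }},
-configMap,
+rootConfigMap,
+serviceCAConfigMap,
 downwardAPI,
 },
 },
@@ -336,6 +351,7 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 },
 },
 },
+serviceCAConfigMap,
 downwardAPI,
 },
 },
@@ -345,7 +361,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 volume: &api.ProjectedVolumeSource{
 Sources: []api.VolumeProjection{
 serviceAccountToken,
-configMap,
+rootConfigMap,
+serviceCAConfigMap,
 {
 DownwardAPI: &api.DownwardAPIProjection{
 Items: []api.DownwardAPIVolumeFile{
@@ -367,7 +384,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 volume: &api.ProjectedVolumeSource{
 Sources: []api.VolumeProjection{
 serviceAccountToken,
-configMap,
+rootConfigMap,
+serviceCAConfigMap,
 {
 DownwardAPI: &api.DownwardAPIProjection{
 Items: []api.DownwardAPIVolumeFile{
@@ -385,7 +403,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 volume: &api.ProjectedVolumeSource{
 Sources: []api.VolumeProjection{
 serviceAccountToken,
-configMap,
+rootConfigMap,
+serviceCAConfigMap,
 {
 DownwardAPI: &api.DownwardAPIProjection{
 Items: []api.DownwardAPIVolumeFile{
@@ -407,7 +426,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 volume: &api.ProjectedVolumeSource{
 Sources: []api.VolumeProjection{
 serviceAccountToken,
-configMap,
+rootConfigMap,
+serviceCAConfigMap,
 {
 DownwardAPI: &api.DownwardAPIProjection{
 Items: []api.DownwardAPIVolumeFile{
@@ -431,7 +451,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 {
 Secret: &api.SecretProjection{},
 },
-configMap,
+rootConfigMap,
+serviceCAConfigMap,
 downwardAPI,
 serviceAccountToken,
 },
@@ -449,7 +470,8 @@ func TestIsOnlyServiceAccountTokenSources(t *testing.T) {
 desc: "allow if any of ServiceAccountToken, ConfigMap and DownwardAPI matches",
 volume: &api.ProjectedVolumeSource{
 Sources: []api.VolumeProjection{
-configMap,
+rootConfigMap,
+serviceCAConfigMap,
 downwardAPI,
 serviceAccountToken,
 },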
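Review bot: In the visible hunks of TestIsOnlyServiceAccountTokenSources, `serviceCAConfigMap` is only appended to existing cases; no case rejects a ConfigMap named `openshift-service-ca.crt` that projects a different key or path, and no case still covers a volume without the service CA source. Judging by its name, the function under test decides which projected volumes are accepted as the injected service-account token volume, so each newly allowed source shape should have its own deny case pinning the exact name, key and path. I would add an entry like the one below and keep one allow case listing only `serviceAccountToken`, `rootConfigMap` and `downwardAPI`. The table's struct definition and its expected-result field are outside the hunks shown, so the sketch leaves that field as a comment.

```go
{
	desc: "deny if ConfigMap openshift-service-ca.crt projects an unexpected key",
	volume: &api.ProjectedVolumeSource{
		Sources: []api.VolumeProjection{
			serviceAccountToken,
			rootConfigMap,
			{
				ConfigMap: &api.ConfigMapProjection{
					LocalObjectReference: api.LocalObjectReference{
						Name: "openshift-service-ca.crt",
					},
					Items: []api.KeyToPath{
						{
							Key:  "not-service-ca.crt",
							Path: "service-ca.crt",
						},
					},
				},
			},
			downwardAPI,
		},
	},
	// … expected-result field: same value as the neighbouring deny cases …
},
```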
4 changes: 2 additions & 2 deletions staging/src/k8s.io/api/go.mod
@@ -7,7 +7,7 @@ go 1.16
require (
github.com/gogo/protobuf v1.3.2
github.com/stretchr/testify v1.6.1
k8s.io/apimachinery v0.21.0-rc.0
k8s.io/apimachinery v0.21.1
)

replace (
@@ -18,7 +18,7 @@ replace (
github.com/onsi/ginkgo => github.com/openshift/ginkgo v4.7.0-origin.0+incompatible
github.com/opencontainers/runc => github.com/openshift/opencontainers-runc v1.0.0-rc95.0.20210608002938-1f5126fe967e
github.com/openshift/api => github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7
github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
github.com/robfig/cron => github.com/robfig/cron v1.1.0
4 changes: 2 additions & 2 deletions staging/src/k8s.io/api/go.sum


12 changes: 6 additions & 6 deletions staging/src/k8s.io/apiextensions-apiserver/go.mod
@@ -18,11 +18,11 @@ require (
go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489
google.golang.org/grpc v1.27.1
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.21.0-rc.0
k8s.io/apimachinery v0.21.0-rc.0
k8s.io/apiserver v0.21.0-rc.0
k8s.io/client-go v0.21.0-rc.0
k8s.io/code-generator v0.21.0-rc.0
k8s.io/api v0.21.1
k8s.io/apimachinery v0.21.1
k8s.io/apiserver v0.21.1
k8s.io/client-go v0.21.1
k8s.io/code-generator v0.21.1
k8s.io/component-base v0.21.0-rc.0
k8s.io/klog/v2 v2.8.0
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7
@@ -39,7 +39,7 @@ replace (
github.com/onsi/ginkgo => github.com/openshift/ginkgo v4.7.0-origin.0+incompatible
github.com/opencontainers/runc => github.com/openshift/opencontainers-runc v1.0.0-rc95.0.20210608002938-1f5126fe967e
github.com/openshift/api => github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7
github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
github.com/robfig/cron => github.com/robfig/cron v1.1.0
4 changes: 2 additions & 2 deletions staging/src/k8s.io/apiextensions-apiserver/go.sum


8 changes: 4 additions & 4 deletions staging/src/k8s.io/apiserver/go.mod
@@ -35,9 +35,9 @@ require (
gopkg.in/natefinch/lumberjack.v2 v2.0.0
gopkg.in/square/go-jose.v2 v2.2.2
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.21.0-rc.0
k8s.io/apimachinery v0.21.0-rc.0
k8s.io/client-go v0.21.0-rc.0
k8s.io/api v0.21.1
k8s.io/apimachinery v0.21.1
k8s.io/client-go v0.21.1
k8s.io/component-base v0.21.0-rc.0
k8s.io/klog/v2 v2.8.0
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7
@@ -55,7 +55,7 @@ replace (
github.com/onsi/ginkgo => github.com/openshift/ginkgo v4.7.0-origin.0+incompatible
github.com/opencontainers/runc => github.com/openshift/opencontainers-runc v1.0.0-rc95.0.20210608002938-1f5126fe967e
github.com/openshift/api => github.com/openshift/api v0.0.0-20210422150128-d8a48168c81c
github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210426120049-59b0e972bfb7
github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
github.com/robfig/cron => github.com/robfig/cron v1.1.0