Update godeps

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/BUILD

@@ -0,0 +1,29 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["strategy.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/util/validation/field:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["strategy_test.go"],
+    library = "go_default_library",
+    tags = ["automanaged"],
+    deps = ["//pkg/api:go_default_library"],
+)

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/strategy.go

@@ -0,0 +1,149 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package seccomp
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+const (
+	// AllowAny is the wildcard used to allow any profile.
+	AllowAny = "*"
+	// The annotation key specifying the default seccomp profile.
+	DefaultProfileAnnotationKey = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
+	// The annotation key specifying the allowed seccomp profiles.
+	AllowedProfilesAnnotationKey = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
+)
+
+// Strategy defines the interface for all seccomp constraint strategies.
+type Strategy interface {
+	// Generate returns a profile based on constraint rules.
+	Generate(annotations map[string]string, pod *api.Pod) (string, error)
+	// Validate ensures that the specified values fall within the range of the strategy.
+	ValidatePod(pod *api.Pod) field.ErrorList
+	// Validate ensures that the specified values fall within the range of the strategy.
+	ValidateContainer(pod *api.Pod, container *api.Container) field.ErrorList
+}
+
+type strategy struct {
+	defaultProfile  string
+	allowedProfiles map[string]bool
+	// For printing error messages (preserves order).
+	allowedProfilesString string
+	// does the strategy allow any profile (wildcard)
+	allowAnyProfile bool
+}
+
+var _ Strategy = &strategy{}
+
+// NewStrategy creates a new strategy that enforces seccomp profile constraints.
+func NewStrategy(pspAnnotations map[string]string) Strategy {
+	var allowedProfiles map[string]bool
+	allowAnyProfile := false
+	if allowed, ok := pspAnnotations[AllowedProfilesAnnotationKey]; ok {
+		profiles := strings.Split(allowed, ",")
+		allowedProfiles = make(map[string]bool, len(profiles))
+		for _, p := range profiles {
+			if p == AllowAny {
+				allowAnyProfile = true
+				continue
+			}
+			allowedProfiles[p] = true
+		}
+	}
+	return &strategy{
+		defaultProfile:        pspAnnotations[DefaultProfileAnnotationKey],
+		allowedProfiles:       allowedProfiles,
+		allowedProfilesString: pspAnnotations[AllowedProfilesAnnotationKey],
+		allowAnyProfile:       allowAnyProfile,
+	}
+}
+
+// Generate returns a profile based on constraint rules.
+func (s *strategy) Generate(annotations map[string]string, pod *api.Pod) (string, error) {
+	if annotations[api.SeccompPodAnnotationKey] != "" {
+		// Profile already set, nothing to do.
+		return annotations[api.SeccompPodAnnotationKey], nil
+	}
+	return s.defaultProfile, nil
+}
+
+// ValidatePod ensures that the specified values on the pod fall within the range
+// of the strategy.
+func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
+	allErrs := field.ErrorList{}
+	podSpecFieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)
+	podProfile := pod.Annotations[api.SeccompPodAnnotationKey]
+
+	if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && podProfile != "" {
+		allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, "seccomp may not be set"))
+		return allErrs
+	}
+
+	if !s.profileAllowed(podProfile) {
+		msg := fmt.Sprintf("%s is not an allowed seccomp profile. Valid values are %v", podProfile, s.allowedProfilesString)
+		allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, msg))
+	}
+
+	return allErrs
+}
+
+// ValidateContainer ensures that the specified values on the container fall within
+// the range of the strategy.
+func (s *strategy) ValidateContainer(pod *api.Pod, container *api.Container) field.ErrorList {
+	allErrs := field.ErrorList{}
+	fieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompContainerAnnotationKeyPrefix + container.Name)
+	containerProfile := profileForContainer(pod, container)
+
+	if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && containerProfile != "" {
+		allErrs = append(allErrs, field.Forbidden(fieldPath, "seccomp may not be set"))
+		return allErrs
+	}
+
+	if !s.profileAllowed(containerProfile) {
+		msg := fmt.Sprintf("%s is not an allowed seccomp profile. Valid values are %v", containerProfile, s.allowedProfilesString)
+		allErrs = append(allErrs, field.Forbidden(fieldPath, msg))
+	}
+
+	return allErrs
+}
+
+// profileAllowed checks if profile is in allowedProfiles or if allowedProfiles
+// contains the wildcard.
+func (s *strategy) profileAllowed(profile string) bool {
+	// for backwards compatibility and PSPs without a defined list of allowed profiles.
+	// If a PSP does not have allowedProfiles set then we should allow an empty profile.
+	// This will mean that the runtime default is used.
+	if len(s.allowedProfiles) == 0 && profile == "" {
+		return true
+	}
+
+	return s.allowAnyProfile || s.allowedProfiles[profile]
+}
+
+// profileForContainer returns the container profile if set, otherwise the pod profile.
+func profileForContainer(pod *api.Pod, container *api.Container) string {
+	containerProfile, ok := pod.Annotations[api.SeccompContainerAnnotationKeyPrefix+container.Name]
+	if ok {
+		return containerProfile
+	}
+	return pod.Annotations[api.SeccompPodAnnotationKey]
+}

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/BUILD

@@ -0,0 +1,36 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "util.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/apis/extensions:go_default_library",
+        "//pkg/util/sets:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["util_test.go"],
+    library = "go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/apis/extensions:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/util.go

@@ -60,7 +60,8 @@ func GetAllFSTypesAsSet() sets.String {
 		string(extensions.ConfigMap),
 		string(extensions.VsphereVolume),
 		string(extensions.Quobyte),
-		string(extensions.AzureDisk))
+		string(extensions.AzureDisk),
+		string(extensions.PhotonPersistentDisk))
 	return fstypes
 }
 
@@ -111,6 +112,8 @@ func GetVolumeFSType(v api.Volume) (extensions.FSType, error) {
 		return extensions.Quobyte, nil
 	case v.AzureDisk != nil:
 		return extensions.AzureDisk, nil
+	case v.PhotonPersistentDisk != nil:
+		return extensions.PhotonPersistentDisk, nil
 	}
 
 	return "", fmt.Errorf("unknown volume type for volume: %#v", v)