Update go dependencies

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/BUILD

@@ -1,29 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_binary",
-    "go_library",
-    "go_test",
-    "cgo_library",
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["strategy.go"],
-    tags = ["automanaged"],
-    deps = [
-        "//pkg/api:go_default_library",
-        "//pkg/util/validation/field:go_default_library",
-    ],
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["strategy_test.go"],
-    library = "go_default_library",
-    tags = ["automanaged"],
-    deps = ["//pkg/api:go_default_library"],
-)

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp/strategy.go

@@ -1,149 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package seccomp
-
-import (
-	"fmt"
-	"strings"
-
-	"k8s.io/kubernetes/pkg/api"
-	"k8s.io/kubernetes/pkg/util/validation/field"
-)
-
-const (
-	// AllowAny is the wildcard used to allow any profile.
-	AllowAny = "*"
-	// The annotation key specifying the default seccomp profile.
-	DefaultProfileAnnotationKey = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
-	// The annotation key specifying the allowed seccomp profiles.
-	AllowedProfilesAnnotationKey = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
-)
-
-// Strategy defines the interface for all seccomp constraint strategies.
-type Strategy interface {
-	// Generate returns a profile based on constraint rules.
-	Generate(annotations map[string]string, pod *api.Pod) (string, error)
-	// Validate ensures that the specified values fall within the range of the strategy.
-	ValidatePod(pod *api.Pod) field.ErrorList
-	// Validate ensures that the specified values fall within the range of the strategy.
-	ValidateContainer(pod *api.Pod, container *api.Container) field.ErrorList
-}
-
-type strategy struct {
-	defaultProfile  string
-	allowedProfiles map[string]bool
-	// For printing error messages (preserves order).
-	allowedProfilesString string
-	// does the strategy allow any profile (wildcard)
-	allowAnyProfile bool
-}
-
-var _ Strategy = &strategy{}
-
-// NewStrategy creates a new strategy that enforces seccomp profile constraints.
-func NewStrategy(pspAnnotations map[string]string) Strategy {
-	var allowedProfiles map[string]bool
-	allowAnyProfile := false
-	if allowed, ok := pspAnnotations[AllowedProfilesAnnotationKey]; ok {
-		profiles := strings.Split(allowed, ",")
-		allowedProfiles = make(map[string]bool, len(profiles))
-		for _, p := range profiles {
-			if p == AllowAny {
-				allowAnyProfile = true
-				continue
-			}
-			allowedProfiles[p] = true
-		}
-	}
-	return &strategy{
-		defaultProfile:        pspAnnotations[DefaultProfileAnnotationKey],
-		allowedProfiles:       allowedProfiles,
-		allowedProfilesString: pspAnnotations[AllowedProfilesAnnotationKey],
-		allowAnyProfile:       allowAnyProfile,
-	}
-}
-
-// Generate returns a profile based on constraint rules.
-func (s *strategy) Generate(annotations map[string]string, pod *api.Pod) (string, error) {
-	if annotations[api.SeccompPodAnnotationKey] != "" {
-		// Profile already set, nothing to do.
-		return annotations[api.SeccompPodAnnotationKey], nil
-	}
-	return s.defaultProfile, nil
-}
-
-// ValidatePod ensures that the specified values on the pod fall within the range
-// of the strategy.
-func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
-	allErrs := field.ErrorList{}
-	podSpecFieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)
-	podProfile := pod.Annotations[api.SeccompPodAnnotationKey]
-
-	if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && podProfile != "" {
-		allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, "seccomp may not be set"))
-		return allErrs
-	}
-
-	if !s.profileAllowed(podProfile) {
-		msg := fmt.Sprintf("%s is not an allowed seccomp profile. Valid values are %v", podProfile, s.allowedProfilesString)
-		allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, msg))
-	}
-
-	return allErrs
-}
-
-// ValidateContainer ensures that the specified values on the container fall within
-// the range of the strategy.
-func (s *strategy) ValidateContainer(pod *api.Pod, container *api.Container) field.ErrorList {
-	allErrs := field.ErrorList{}
-	fieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompContainerAnnotationKeyPrefix + container.Name)
-	containerProfile := profileForContainer(pod, container)
-
-	if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && containerProfile != "" {
-		allErrs = append(allErrs, field.Forbidden(fieldPath, "seccomp may not be set"))
-		return allErrs
-	}
-
-	if !s.profileAllowed(containerProfile) {
-		msg := fmt.Sprintf("%s is not an allowed seccomp profile. Valid values are %v", containerProfile, s.allowedProfilesString)
-		allErrs = append(allErrs, field.Forbidden(fieldPath, msg))
-	}
-
-	return allErrs
-}
-
-// profileAllowed checks if profile is in allowedProfiles or if allowedProfiles
-// contains the wildcard.
-func (s *strategy) profileAllowed(profile string) bool {
-	// for backwards compatibility and PSPs without a defined list of allowed profiles.
-	// If a PSP does not have allowedProfiles set then we should allow an empty profile.
-	// This will mean that the runtime default is used.
-	if len(s.allowedProfiles) == 0 && profile == "" {
-		return true
-	}
-
-	return s.allowAnyProfile || s.allowedProfiles[profile]
-}
-
-// profileForContainer returns the container profile if set, otherwise the pod profile.
-func profileForContainer(pod *api.Pod, container *api.Container) string {
-	containerProfile, ok := pod.Annotations[api.SeccompContainerAnnotationKeyPrefix+container.Name]
-	if ok {
-		return containerProfile
-	}
-	return pod.Annotations[api.SeccompPodAnnotationKey]
-}

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/BUILD

@@ -1,36 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_binary",
-    "go_library",
-    "go_test",
-    "cgo_library",
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = [
-        "doc.go",
-        "util.go",
-    ],
-    tags = ["automanaged"],
-    deps = [
-        "//pkg/api:go_default_library",
-        "//pkg/apis/extensions:go_default_library",
-        "//pkg/util/sets:go_default_library",
-    ],
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["util_test.go"],
-    library = "go_default_library",
-    tags = ["automanaged"],
-    deps = [
-        "//pkg/api:go_default_library",
-        "//pkg/apis/extensions:go_default_library",
-    ],
-)

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/doc.go

@@ -1,19 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package util contains utility code shared amongst different parts of the
-// pod security policy apparatus.
-package util

vendor/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/util.go

@@ -1,154 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"fmt"
-
-	"k8s.io/kubernetes/pkg/api"
-	"k8s.io/kubernetes/pkg/apis/extensions"
-	"k8s.io/kubernetes/pkg/util/sets"
-)
-
-const (
-	ValidatedPSPAnnotation = "kubernetes.io/psp"
-)
-
-func GetAllFSTypesExcept(exceptions ...string) sets.String {
-	fstypes := GetAllFSTypesAsSet()
-	for _, e := range exceptions {
-		fstypes.Delete(e)
-	}
-	return fstypes
-}
-
-func GetAllFSTypesAsSet() sets.String {
-	fstypes := sets.NewString()
-	fstypes.Insert(
-		string(extensions.HostPath),
-		string(extensions.AzureFile),
-		string(extensions.Flocker),
-		string(extensions.FlexVolume),
-		string(extensions.EmptyDir),
-		string(extensions.GCEPersistentDisk),
-		string(extensions.AWSElasticBlockStore),
-		string(extensions.GitRepo),
-		string(extensions.Secret),
-		string(extensions.NFS),
-		string(extensions.ISCSI),
-		string(extensions.Glusterfs),
-		string(extensions.PersistentVolumeClaim),
-		string(extensions.RBD),
-		string(extensions.Cinder),
-		string(extensions.CephFS),
-		string(extensions.DownwardAPI),
-		string(extensions.FC),
-		string(extensions.ConfigMap),
-		string(extensions.VsphereVolume),
-		string(extensions.Quobyte),
-		string(extensions.AzureDisk),
-		string(extensions.PhotonPersistentDisk))
-	return fstypes
-}
-
-// getVolumeFSType gets the FSType for a volume.
-func GetVolumeFSType(v api.Volume) (extensions.FSType, error) {
-	switch {
-	case v.HostPath != nil:
-		return extensions.HostPath, nil
-	case v.EmptyDir != nil:
-		return extensions.EmptyDir, nil
-	case v.GCEPersistentDisk != nil:
-		return extensions.GCEPersistentDisk, nil
-	case v.AWSElasticBlockStore != nil:
-		return extensions.AWSElasticBlockStore, nil
-	case v.GitRepo != nil:
-		return extensions.GitRepo, nil
-	case v.Secret != nil:
-		return extensions.Secret, nil
-	case v.NFS != nil:
-		return extensions.NFS, nil
-	case v.ISCSI != nil:
-		return extensions.ISCSI, nil
-	case v.Glusterfs != nil:
-		return extensions.Glusterfs, nil
-	case v.PersistentVolumeClaim != nil:
-		return extensions.PersistentVolumeClaim, nil
-	case v.RBD != nil:
-		return extensions.RBD, nil
-	case v.FlexVolume != nil:
-		return extensions.FlexVolume, nil
-	case v.Cinder != nil:
-		return extensions.Cinder, nil
-	case v.CephFS != nil:
-		return extensions.CephFS, nil
-	case v.Flocker != nil:
-		return extensions.Flocker, nil
-	case v.DownwardAPI != nil:
-		return extensions.DownwardAPI, nil
-	case v.FC != nil:
-		return extensions.FC, nil
-	case v.AzureFile != nil:
-		return extensions.AzureFile, nil
-	case v.ConfigMap != nil:
-		return extensions.ConfigMap, nil
-	case v.VsphereVolume != nil:
-		return extensions.VsphereVolume, nil
-	case v.Quobyte != nil:
-		return extensions.Quobyte, nil
-	case v.AzureDisk != nil:
-		return extensions.AzureDisk, nil
-	case v.PhotonPersistentDisk != nil:
-		return extensions.PhotonPersistentDisk, nil
-	}
-
-	return "", fmt.Errorf("unknown volume type for volume: %#v", v)
-}
-
-// fsTypeToStringSet converts an FSType slice to a string set.
-func FSTypeToStringSet(fsTypes []extensions.FSType) sets.String {
-	set := sets.NewString()
-	for _, v := range fsTypes {
-		set.Insert(string(v))
-	}
-	return set
-}
-
-// PSPAllowsAllVolumes checks for FSTypeAll in the psp's allowed volumes.
-func PSPAllowsAllVolumes(psp *extensions.PodSecurityPolicy) bool {
-	return PSPAllowsFSType(psp, extensions.All)
-}
-
-// PSPAllowsFSType is a utility for checking if a PSP allows a particular FSType.
-// If all volumes are allowed then this will return true for any FSType passed.
-func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType) bool {
-	if psp == nil {
-		return false
-	}
-
-	for _, v := range psp.Spec.Volumes {
-		if v == fsType || v == extensions.All {
-			return true
-		}
-	}
-	return false
-}
-
-// FallsInRange is a utility to determine it the id falls in the valid range.
-func FallsInRange(id int64, rng extensions.IDRange) bool {
-	return id >= rng.Min && id <= rng.Max
-}