Replace godep with dep

vendor/k8s.io/kubernetes/plugin/pkg/admission/exec/BUILD

@@ -0,0 +1,49 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["admission.go"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset:go_default_library",
+        "//pkg/kubeapiserver/admission:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["admission_test.go"],
+    library = ":go_default_library",
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset/fake:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+        "//vendor/k8s.io/client-go/testing:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/plugin/pkg/admission/exec/admission.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/registry/rest"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
+)
+
+// Register registers a plugin
+func Register(plugins *admission.Plugins) {
+	plugins.Register("DenyEscalatingExec", func(config io.Reader) (admission.Interface, error) {
+		return NewDenyEscalatingExec(), nil
+	})
+
+	// This is for legacy support of the DenyExecOnPrivileged admission controller.  Most
+	// of the time DenyEscalatingExec should be preferred.
+	plugins.Register("DenyExecOnPrivileged", func(config io.Reader) (admission.Interface, error) {
+		return NewDenyExecOnPrivileged(), nil
+	})
+}
+
+// denyExec is an implementation of admission.Interface which says no to a pod/exec on
+// a pod using host based configurations.
+type denyExec struct {
+	*admission.Handler
+	client internalclientset.Interface
+
+	// these flags control which items will be checked to deny exec/attach
+	hostIPC    bool
+	hostPID    bool
+	privileged bool
+}
+
+var _ = kubeapiserveradmission.WantsInternalKubeClientSet(&denyExec{})
+
+// NewDenyEscalatingExec creates a new admission controller that denies an exec operation on a pod
+// using host based configurations.
+func NewDenyEscalatingExec() admission.Interface {
+	return &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		hostIPC:    true,
+		hostPID:    true,
+		privileged: true,
+	}
+}
+
+// NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged
+// option.  This is for legacy support of the DenyExecOnPrivileged admission controller.  Most
+// of the time NewDenyEscalatingExec should be preferred.
+func NewDenyExecOnPrivileged() admission.Interface {
+	return &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		hostIPC:    false,
+		hostPID:    false,
+		privileged: true,
+	}
+}
+
+func (d *denyExec) Admit(a admission.Attributes) (err error) {
+	connectRequest, ok := a.GetObject().(*rest.ConnectRequest)
+	if !ok {
+		return errors.NewBadRequest("a connect request was received, but could not convert the request object.")
+	}
+	// Only handle exec or attach requests on pods
+	if connectRequest.ResourcePath != "pods/exec" && connectRequest.ResourcePath != "pods/attach" {
+		return nil
+	}
+	pod, err := d.client.Core().Pods(a.GetNamespace()).Get(connectRequest.Name, metav1.GetOptions{})
+	if err != nil {
+		return admission.NewForbidden(a, err)
+	}
+
+	if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
+		return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
+	}
+
+	if d.hostIPC && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
+		return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc"))
+	}
+
+	if d.privileged && isPrivileged(pod) {
+		return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a privileged container"))
+	}
+
+	return nil
+}
+
+// isPrivileged will return true a pod has any privileged containers
+func isPrivileged(pod *api.Pod) bool {
+	for _, c := range pod.Spec.InitContainers {
+		if c.SecurityContext == nil || c.SecurityContext.Privileged == nil {
+			continue
+		}
+		if *c.SecurityContext.Privileged {
+			return true
+		}
+	}
+	for _, c := range pod.Spec.Containers {
+		if c.SecurityContext == nil || c.SecurityContext.Privileged == nil {
+			continue
+		}
+		if *c.SecurityContext.Privileged {
+			return true
+		}
+	}
+	return false
+}
+
+func (d *denyExec) SetInternalKubeClientSet(client internalclientset.Interface) {
+	d.client = client
+}
+
+func (d *denyExec) Validate() error {
+	if d.client == nil {
+		return fmt.Errorf("missing client")
+	}
+	return nil
+}

vendor/k8s.io/kubernetes/plugin/pkg/admission/exec/admission_test.go

@@ -0,0 +1,211 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/registry/rest"
+	core "k8s.io/client-go/testing"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
+)
+
+// newAllowEscalatingExec returns `admission.Interface` that allows execution on
+// "hostIPC", "hostPID" and "privileged".
+func newAllowEscalatingExec() admission.Interface {
+	return &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		hostIPC:    false,
+		hostPID:    false,
+		privileged: false,
+	}
+}
+
+func TestAdmission(t *testing.T) {
+	privPod := validPod("privileged")
+	priv := true
+	privPod.Spec.Containers[0].SecurityContext = &api.SecurityContext{
+		Privileged: &priv,
+	}
+
+	hostPIDPod := validPod("hostPID")
+	hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{}
+	hostPIDPod.Spec.SecurityContext.HostPID = true
+
+	hostIPCPod := validPod("hostIPC")
+	hostIPCPod.Spec.SecurityContext = &api.PodSecurityContext{}
+	hostIPCPod.Spec.SecurityContext.HostIPC = true
+
+	testCases := map[string]struct {
+		pod          *api.Pod
+		shouldAccept bool
+	}{
+		"priv": {
+			shouldAccept: false,
+			pod:          privPod,
+		},
+		"hostPID": {
+			shouldAccept: false,
+			pod:          hostPIDPod,
+		},
+		"hostIPC": {
+			shouldAccept: false,
+			pod:          hostIPCPod,
+		},
+		"non privileged": {
+			shouldAccept: true,
+			pod:          validPod("nonPrivileged"),
+		},
+	}
+
+	// Get the direct object though to allow testAdmission to inject the client
+	handler := NewDenyEscalatingExec().(*denyExec)
+
+	for _, tc := range testCases {
+		testAdmission(t, tc.pod, handler, tc.shouldAccept)
+	}
+
+	// run with a permissive config and all cases should pass
+	handler = newAllowEscalatingExec().(*denyExec)
+
+	for _, tc := range testCases {
+		testAdmission(t, tc.pod, handler, true)
+	}
+
+	// run against an init container
+	handler = NewDenyEscalatingExec().(*denyExec)
+
+	for _, tc := range testCases {
+		tc.pod.Spec.InitContainers = tc.pod.Spec.Containers
+		tc.pod.Spec.Containers = nil
+		testAdmission(t, tc.pod, handler, tc.shouldAccept)
+	}
+
+	// run with a permissive config and all cases should pass
+	handler = newAllowEscalatingExec().(*denyExec)
+
+	for _, tc := range testCases {
+		testAdmission(t, tc.pod, handler, true)
+	}
+}
+
+func testAdmission(t *testing.T, pod *api.Pod, handler *denyExec, shouldAccept bool) {
+	mockClient := &fake.Clientset{}
+	mockClient.AddReactor("get", "pods", func(action core.Action) (bool, runtime.Object, error) {
+		if action.(core.GetAction).GetName() == pod.Name {
+			return true, pod, nil
+		}
+		t.Errorf("Unexpected API call: %#v", action)
+		return true, nil, nil
+	})
+
+	handler.SetInternalKubeClientSet(mockClient)
+	admission.Validate(handler)
+
+	// pods/exec
+	{
+		req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/exec"}
+		err := handler.Admit(admission.NewAttributesRecord(req, nil, api.Kind("Pod").WithVersion("version"), "test", "name", api.Resource("pods").WithVersion("version"), "exec", admission.Connect, nil))
+		if shouldAccept && err != nil {
+			t.Errorf("Unexpected error returned from admission handler: %v", err)
+		}
+		if !shouldAccept && err == nil {
+			t.Errorf("An error was expected from the admission handler. Received nil")
+		}
+	}
+
+	// pods/attach
+	{
+		req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/attach"}
+		err := handler.Admit(admission.NewAttributesRecord(req, nil, api.Kind("Pod").WithVersion("version"), "test", "name", api.Resource("pods").WithVersion("version"), "attach", admission.Connect, nil))
+		if shouldAccept && err != nil {
+			t.Errorf("Unexpected error returned from admission handler: %v", err)
+		}
+		if !shouldAccept && err == nil {
+			t.Errorf("An error was expected from the admission handler. Received nil")
+		}
+	}
+}
+
+// Test to ensure legacy admission controller works as expected.
+func TestDenyExecOnPrivileged(t *testing.T) {
+	privPod := validPod("privileged")
+	priv := true
+	privPod.Spec.Containers[0].SecurityContext = &api.SecurityContext{
+		Privileged: &priv,
+	}
+
+	hostPIDPod := validPod("hostPID")
+	hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{}
+	hostPIDPod.Spec.SecurityContext.HostPID = true
+
+	hostIPCPod := validPod("hostIPC")
+	hostIPCPod.Spec.SecurityContext = &api.PodSecurityContext{}
+	hostIPCPod.Spec.SecurityContext.HostIPC = true
+
+	testCases := map[string]struct {
+		pod          *api.Pod
+		shouldAccept bool
+	}{
+		"priv": {
+			shouldAccept: false,
+			pod:          privPod,
+		},
+		"hostPID": {
+			shouldAccept: true,
+			pod:          hostPIDPod,
+		},
+		"hostIPC": {
+			shouldAccept: true,
+			pod:          hostIPCPod,
+		},
+		"non privileged": {
+			shouldAccept: true,
+			pod:          validPod("nonPrivileged"),
+		},
+	}
+
+	// Get the direct object though to allow testAdmission to inject the client
+	handler := NewDenyExecOnPrivileged().(*denyExec)
+
+	for _, tc := range testCases {
+		testAdmission(t, tc.pod, handler, tc.shouldAccept)
+	}
+
+	// test init containers
+	for _, tc := range testCases {
+		tc.pod.Spec.InitContainers = tc.pod.Spec.Containers
+		tc.pod.Spec.Containers = nil
+		testAdmission(t, tc.pod, handler, tc.shouldAccept)
+	}
+}
+
+func validPod(name string) *api.Pod {
+	return &api.Pod{
+		ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: "test"},
+		Spec: api.PodSpec{
+			Containers: []api.Container{
+				{Name: "ctr1", Image: "image"},
+				{Name: "ctr2", Image: "image2"},
+			},
+		},
+	}
+}