...
|
...
|
@@ -1,66 +1,93 @@
|
1
|
|
-From 9ae5383c8a058587af04bae626082c1d41b0d87f Mon Sep 17 00:00:00 2001
|
2
|
|
-From: DheerajSShetty <dheerajs@vmware.com>
|
3
|
|
-Date: Mon, 26 Nov 2018 15:50:22 -0800
|
4
|
|
-Subject: [PATCH] VKE patch for k8s 1.10.11 (2bf7a01b)
|
|
1
|
+From 707e516775cae4844ec9671eb2b5e8c8a9f914f3 Mon Sep 17 00:00:00 2001
|
|
2
|
+From: Emil John <ejohn@vmware.com>
|
|
3
|
+Date: Fri, 11 Jan 2019 19:55:58 +0530
|
|
4
|
+Subject: [PATCH] VCP patch for K8s v1.10.12 (4b83a6d)
|
5
|
5
|
|
6
|
6
|
---
|
7
|
|
- api/swagger-spec/apps_v1alpha1.json | 21 +
|
8
|
|
- api/swagger-spec/apps_v1beta1.json | 21 +
|
9
|
|
- api/swagger-spec/apps_v1beta2.json | 21 +
|
10
|
|
- api/swagger-spec/batch_v1.json | 21 +
|
11
|
|
- api/swagger-spec/batch_v1beta1.json | 21 +
|
12
|
|
- api/swagger-spec/batch_v2alpha1.json | 21 +
|
13
|
|
- api/swagger-spec/extensions_v1beta1.json | 21 +
|
14
|
|
- api/swagger-spec/settings.k8s.io_v1alpha1.json | 21 +
|
15
|
|
- api/swagger-spec/v1.json | 25 +
|
16
|
|
- cmd/kube-controller-manager/app/BUILD | 1 +
|
17
|
|
- cmd/kube-controller-manager/app/plugins.go | 4 +
|
18
|
|
- cmd/kubelet/app/BUILD | 1 +
|
19
|
|
- cmd/kubelet/app/plugins.go | 2 +
|
20
|
|
- pkg/apis/core/types.go | 14 +
|
21
|
|
- pkg/apis/core/validation/validation.go | 25 +
|
22
|
|
- pkg/apis/extensions/types.go | 1 +
|
23
|
|
- pkg/cloudprovider/providers/BUILD | 2 +
|
24
|
|
- pkg/cloudprovider/providers/cascade/BUILD | 56 ++
|
25
|
|
- pkg/cloudprovider/providers/cascade/OWNERS | 3 +
|
26
|
|
- pkg/cloudprovider/providers/cascade/apitypes.go | 230 +++++
|
27
|
|
- pkg/cloudprovider/providers/cascade/auth.go | 145 ++++
|
28
|
|
- pkg/cloudprovider/providers/cascade/cascade.go | 219 +++++
|
29
|
|
- .../providers/cascade/cascade_disks.go | 253 ++++++
|
30
|
|
- .../providers/cascade/cascade_instances.go | 125 +++
|
31
|
|
- .../providers/cascade/cascade_instances_test.go | 44 +
|
32
|
|
- .../providers/cascade/cascade_loadbalancer.go | 295 +++++++
|
33
|
|
- pkg/cloudprovider/providers/cascade/client.go | 400 +++++++++
|
34
|
|
- pkg/cloudprovider/providers/cascade/oidcclient.go | 297 +++++++
|
35
|
|
- pkg/cloudprovider/providers/cascade/restclient.go | 262 ++++++
|
36
|
|
- pkg/cloudprovider/providers/cascade/tests_owed | 5 +
|
37
|
|
- pkg/cloudprovider/providers/cascade/utils.go | 29 +
|
38
|
|
- pkg/cloudprovider/providers/providers.go | 1 +
|
39
|
|
- pkg/kubeapiserver/authorizer/config.go | 7 +
|
40
|
|
- pkg/kubeapiserver/authorizer/modes/modes.go | 3 +-
|
41
|
|
- pkg/kubeapiserver/options/plugins.go | 3 +
|
42
|
|
- pkg/printers/internalversion/describe.go | 11 +
|
43
|
|
- pkg/security/podsecuritypolicy/util/util.go | 3 +
|
44
|
|
- pkg/volume/cascade_disk/BUILD | 43 +
|
45
|
|
- pkg/volume/cascade_disk/OWNERS | 2 +
|
46
|
|
- pkg/volume/cascade_disk/attacher.go | 264 ++++++
|
47
|
|
- pkg/volume/cascade_disk/azure_disk_util.go | 135 +++
|
48
|
|
- pkg/volume/cascade_disk/cascade_disk.go | 399 +++++++++
|
49
|
|
- pkg/volume/cascade_disk/cascade_util.go | 217 +++++
|
50
|
|
- .../admission/persistentvolume/label/admission.go | 54 ++
|
51
|
|
- plugin/pkg/admission/vke/BUILD | 61 ++
|
52
|
|
- plugin/pkg/admission/vke/admission.go | 628 ++++++++++++++
|
53
|
|
- plugin/pkg/admission/vke/admission_test.go | 960 +++++++++++++++++++++
|
54
|
|
- plugin/pkg/auth/authorizer/vke/BUILD | 40 +
|
55
|
|
- plugin/pkg/auth/authorizer/vke/OWNERS | 2 +
|
56
|
|
- plugin/pkg/auth/authorizer/vke/vke_authorizer.go | 123 +++
|
57
|
|
- .../pkg/auth/authorizer/vke/vke_authorizer_test.go | 230 +++++
|
58
|
|
- staging/src/k8s.io/api/core/v1/generated.pb.go | 310 ++++++-
|
59
|
|
- staging/src/k8s.io/api/core/v1/types.go | 24 +-
|
60
|
|
- 53 files changed, 6098 insertions(+), 28 deletions(-)
|
|
7
|
+ api/swagger-spec/apps_v1alpha1.json | 21 +
|
|
8
|
+ api/swagger-spec/apps_v1beta1.json | 21 +
|
|
9
|
+ api/swagger-spec/apps_v1beta2.json | 21 +
|
|
10
|
+ api/swagger-spec/batch_v1.json | 21 +
|
|
11
|
+ api/swagger-spec/batch_v1beta1.json | 21 +
|
|
12
|
+ api/swagger-spec/batch_v2alpha1.json | 21 +
|
|
13
|
+ api/swagger-spec/extensions_v1beta1.json | 21 +
|
|
14
|
+ .../settings.k8s.io_v1alpha1.json | 21 +
|
|
15
|
+ api/swagger-spec/v1.json | 25 +
|
|
16
|
+ cmd/kube-controller-manager/app/BUILD | 1 +
|
|
17
|
+ cmd/kube-controller-manager/app/plugins.go | 4 +
|
|
18
|
+ cmd/kubelet/app/BUILD | 1 +
|
|
19
|
+ cmd/kubelet/app/plugins.go | 2 +
|
|
20
|
+ pkg/apis/core/types.go | 14 +
|
|
21
|
+ pkg/apis/core/validation/validation.go | 77 +-
|
|
22
|
+ pkg/apis/extensions/types.go | 1 +
|
|
23
|
+ pkg/cloudprovider/providers/BUILD | 2 +
|
|
24
|
+ pkg/cloudprovider/providers/cascade/BUILD | 56 +
|
|
25
|
+ pkg/cloudprovider/providers/cascade/OWNERS | 3 +
|
|
26
|
+ .../providers/cascade/apitypes.go | 230 ++++
|
|
27
|
+ pkg/cloudprovider/providers/cascade/auth.go | 145 +++
|
|
28
|
+ .../providers/cascade/cascade.go | 219 ++++
|
|
29
|
+ .../providers/cascade/cascade_disks.go | 253 +++++
|
|
30
|
+ .../providers/cascade/cascade_instances.go | 125 +++
|
|
31
|
+ .../cascade/cascade_instances_test.go | 44 +
|
|
32
|
+ .../providers/cascade/cascade_loadbalancer.go | 295 ++++++
|
|
33
|
+ pkg/cloudprovider/providers/cascade/client.go | 400 +++++++
|
|
34
|
+ .../providers/cascade/oidcclient.go | 297 ++++++
|
|
35
|
+ .../providers/cascade/restclient.go | 262 +++++
|
|
36
|
+ .../providers/cascade/tests_owed | 5 +
|
|
37
|
+ pkg/cloudprovider/providers/cascade/utils.go | 29 +
|
|
38
|
+ pkg/cloudprovider/providers/providers.go | 1 +
|
|
39
|
+ pkg/kubeapiserver/authorizer/config.go | 7 +
|
|
40
|
+ pkg/kubeapiserver/authorizer/modes/modes.go | 3 +-
|
|
41
|
+ pkg/kubeapiserver/options/plugins.go | 3 +
|
|
42
|
+ pkg/printers/internalversion/describe.go | 11 +
|
|
43
|
+ pkg/security/podsecuritypolicy/util/util.go | 3 +
|
|
44
|
+ pkg/volume/cascade_disk/BUILD | 43 +
|
|
45
|
+ pkg/volume/cascade_disk/OWNERS | 2 +
|
|
46
|
+ pkg/volume/cascade_disk/attacher.go | 264 +++++
|
|
47
|
+ pkg/volume/cascade_disk/azure_disk_util.go | 135 +++
|
|
48
|
+ pkg/volume/cascade_disk/cascade_disk.go | 399 +++++++
|
|
49
|
+ pkg/volume/cascade_disk/cascade_util.go | 217 ++++
|
|
50
|
+ .../persistentvolume/label/admission.go | 54 +
|
|
51
|
+ plugin/pkg/admission/vke/BUILD | 61 ++
|
|
52
|
+ plugin/pkg/admission/vke/admission.go | 661 ++++++++++++
|
|
53
|
+ plugin/pkg/admission/vke/admission_test.go | 995 ++++++++++++++++++
|
|
54
|
+ plugin/pkg/auth/authorizer/vke/BUILD | 40 +
|
|
55
|
+ plugin/pkg/auth/authorizer/vke/OWNERS | 2 +
|
|
56
|
+ .../pkg/auth/authorizer/vke/vke_authorizer.go | 123 +++
|
|
57
|
+ .../authorizer/vke/vke_authorizer_test.go | 230 ++++
|
|
58
|
+ .../src/k8s.io/api/core/v1/generated.pb.go | 310 +++++-
|
|
59
|
+ staging/src/k8s.io/api/core/v1/types.go | 24 +-
|
|
60
|
+ 53 files changed, 6210 insertions(+), 36 deletions(-)
|
|
61
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/BUILD
|
|
62
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/OWNERS
|
|
63
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/apitypes.go
|
|
64
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/auth.go
|
|
65
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade.go
|
|
66
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_disks.go
|
|
67
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_instances.go
|
|
68
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_instances_test.go
|
|
69
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
|
|
70
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/client.go
|
|
71
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/oidcclient.go
|
|
72
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/restclient.go
|
|
73
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/tests_owed
|
|
74
|
+ create mode 100644 pkg/cloudprovider/providers/cascade/utils.go
|
|
75
|
+ create mode 100644 pkg/volume/cascade_disk/BUILD
|
|
76
|
+ create mode 100644 pkg/volume/cascade_disk/OWNERS
|
|
77
|
+ create mode 100644 pkg/volume/cascade_disk/attacher.go
|
|
78
|
+ create mode 100644 pkg/volume/cascade_disk/azure_disk_util.go
|
|
79
|
+ create mode 100644 pkg/volume/cascade_disk/cascade_disk.go
|
|
80
|
+ create mode 100644 pkg/volume/cascade_disk/cascade_util.go
|
|
81
|
+ create mode 100644 plugin/pkg/admission/vke/BUILD
|
|
82
|
+ create mode 100644 plugin/pkg/admission/vke/admission.go
|
|
83
|
+ create mode 100644 plugin/pkg/admission/vke/admission_test.go
|
|
84
|
+ create mode 100644 plugin/pkg/auth/authorizer/vke/BUILD
|
|
85
|
+ create mode 100644 plugin/pkg/auth/authorizer/vke/OWNERS
|
|
86
|
+ create mode 100644 plugin/pkg/auth/authorizer/vke/vke_authorizer.go
|
|
87
|
+ create mode 100644 plugin/pkg/auth/authorizer/vke/vke_authorizer_test.go
|
61
|
88
|
|
62
|
89
|
diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json
|
63
|
|
-index 6f54662..0ce6f3f 100644
|
|
90
|
+index 6f546623de..0ce6f3f2fc 100644
|
64
|
91
|
--- a/api/swagger-spec/apps_v1alpha1.json
|
65
|
92
|
+++ b/api/swagger-spec/apps_v1alpha1.json
|
66
|
93
|
@@ -1459,6 +1459,10 @@
|
...
|
...
|
@@ -99,7 +126,7 @@ index 6f54662..0ce6f3f 100644
|
99
|
99
|
"id": "v1.Container",
|
100
|
100
|
"description": "A single application container that you want to run within a pod.",
|
101
|
101
|
diff --git a/api/swagger-spec/apps_v1beta1.json b/api/swagger-spec/apps_v1beta1.json
|
102
|
|
-index f2aa27c..0780075 100644
|
|
102
|
+index f2aa27c64d..0780075c2a 100644
|
103
|
103
|
--- a/api/swagger-spec/apps_v1beta1.json
|
104
|
104
|
+++ b/api/swagger-spec/apps_v1beta1.json
|
105
|
105
|
@@ -4483,6 +4483,10 @@
|
...
|
...
|
@@ -138,7 +165,7 @@ index f2aa27c..0780075 100644
|
138
|
138
|
"id": "v1.ProjectedVolumeSource",
|
139
|
139
|
"description": "Represents a projected volume source",
|
140
|
140
|
diff --git a/api/swagger-spec/apps_v1beta2.json b/api/swagger-spec/apps_v1beta2.json
|
141
|
|
-index 7d92e2b..c050ee8 100644
|
|
141
|
+index 7d92e2bf52..c050ee8473 100644
|
142
|
142
|
--- a/api/swagger-spec/apps_v1beta2.json
|
143
|
143
|
+++ b/api/swagger-spec/apps_v1beta2.json
|
144
|
144
|
@@ -6849,6 +6849,10 @@
|
...
|
...
|
@@ -177,7 +204,7 @@ index 7d92e2b..c050ee8 100644
|
177
|
177
|
"id": "v1.ProjectedVolumeSource",
|
178
|
178
|
"description": "Represents a projected volume source",
|
179
|
179
|
diff --git a/api/swagger-spec/batch_v1.json b/api/swagger-spec/batch_v1.json
|
180
|
|
-index e57104a..c3aa722 100644
|
|
180
|
+index e57104a996..c3aa722033 100644
|
181
|
181
|
--- a/api/swagger-spec/batch_v1.json
|
182
|
182
|
+++ b/api/swagger-spec/batch_v1.json
|
183
|
183
|
@@ -1823,6 +1823,10 @@
|
...
|
...
|
@@ -216,7 +243,7 @@ index e57104a..c3aa722 100644
|
216
|
216
|
"id": "v1.ProjectedVolumeSource",
|
217
|
217
|
"description": "Represents a projected volume source",
|
218
|
218
|
diff --git a/api/swagger-spec/batch_v1beta1.json b/api/swagger-spec/batch_v1beta1.json
|
219
|
|
-index 67b49f7..11f30a5 100644
|
|
219
|
+index 67b49f7b46..11f30a5aa4 100644
|
220
|
220
|
--- a/api/swagger-spec/batch_v1beta1.json
|
221
|
221
|
+++ b/api/swagger-spec/batch_v1beta1.json
|
222
|
222
|
@@ -1878,6 +1878,10 @@
|
...
|
...
|
@@ -255,7 +282,7 @@ index 67b49f7..11f30a5 100644
|
255
|
255
|
"id": "v1.ProjectedVolumeSource",
|
256
|
256
|
"description": "Represents a projected volume source",
|
257
|
257
|
diff --git a/api/swagger-spec/batch_v2alpha1.json b/api/swagger-spec/batch_v2alpha1.json
|
258
|
|
-index 8616a87..2e1a8f7 100644
|
|
258
|
+index 8616a875c1..2e1a8f7782 100644
|
259
|
259
|
--- a/api/swagger-spec/batch_v2alpha1.json
|
260
|
260
|
+++ b/api/swagger-spec/batch_v2alpha1.json
|
261
|
261
|
@@ -1893,6 +1893,10 @@
|
...
|
...
|
@@ -294,7 +321,7 @@ index 8616a87..2e1a8f7 100644
|
294
|
294
|
"id": "v1.Container",
|
295
|
295
|
"description": "A single application container that you want to run within a pod.",
|
296
|
296
|
diff --git a/api/swagger-spec/extensions_v1beta1.json b/api/swagger-spec/extensions_v1beta1.json
|
297
|
|
-index 76e3253..b79ca7a 100644
|
|
297
|
+index 76e32530dc..b79ca7acb4 100644
|
298
|
298
|
--- a/api/swagger-spec/extensions_v1beta1.json
|
299
|
299
|
+++ b/api/swagger-spec/extensions_v1beta1.json
|
300
|
300
|
@@ -7506,6 +7506,10 @@
|
...
|
...
|
@@ -333,7 +360,7 @@ index 76e3253..b79ca7a 100644
|
333
|
333
|
"id": "v1.ProjectedVolumeSource",
|
334
|
334
|
"description": "Represents a projected volume source",
|
335
|
335
|
diff --git a/api/swagger-spec/settings.k8s.io_v1alpha1.json b/api/swagger-spec/settings.k8s.io_v1alpha1.json
|
336
|
|
-index fa66976..5108c61 100644
|
|
336
|
+index fa66976a67..5108c61ab4 100644
|
337
|
337
|
--- a/api/swagger-spec/settings.k8s.io_v1alpha1.json
|
338
|
338
|
+++ b/api/swagger-spec/settings.k8s.io_v1alpha1.json
|
339
|
339
|
@@ -1676,6 +1676,10 @@
|
...
|
...
|
@@ -372,7 +399,7 @@ index fa66976..5108c61 100644
|
372
|
372
|
"id": "v1.ProjectedVolumeSource",
|
373
|
373
|
"description": "Represents a projected volume source",
|
374
|
374
|
diff --git a/api/swagger-spec/v1.json b/api/swagger-spec/v1.json
|
375
|
|
-index d3b6ea7..662614f 100644
|
|
375
|
+index d3b6ea7daf..662614f97c 100644
|
376
|
376
|
--- a/api/swagger-spec/v1.json
|
377
|
377
|
+++ b/api/swagger-spec/v1.json
|
378
|
378
|
@@ -19310,6 +19310,10 @@
|
...
|
...
|
@@ -422,7 +449,7 @@ index d3b6ea7..662614f 100644
|
422
|
422
|
}
|
423
|
423
|
},
|
424
|
424
|
diff --git a/cmd/kube-controller-manager/app/BUILD b/cmd/kube-controller-manager/app/BUILD
|
425
|
|
-index a3f98b1..3410214 100644
|
|
425
|
+index b5af7c5626..08c34f6138 100644
|
426
|
426
|
--- a/cmd/kube-controller-manager/app/BUILD
|
427
|
427
|
+++ b/cmd/kube-controller-manager/app/BUILD
|
428
|
428
|
@@ -88,6 +88,7 @@ go_library(
|
...
|
...
|
@@ -434,7 +461,7 @@ index a3f98b1..3410214 100644
|
434
|
434
|
"//pkg/volume/csi:go_default_library",
|
435
|
435
|
"//pkg/volume/fc:go_default_library",
|
436
|
436
|
diff --git a/cmd/kube-controller-manager/app/plugins.go b/cmd/kube-controller-manager/app/plugins.go
|
437
|
|
-index 42034d5..e729785 100644
|
|
437
|
+index 42034d5c6d..e729785006 100644
|
438
|
438
|
--- a/cmd/kube-controller-manager/app/plugins.go
|
439
|
439
|
+++ b/cmd/kube-controller-manager/app/plugins.go
|
440
|
440
|
@@ -34,6 +34,7 @@ import (
|
...
|
...
|
@@ -470,7 +497,7 @@ index 42034d5..e729785 100644
|
470
|
470
|
return allPlugins
|
471
|
471
|
}
|
472
|
472
|
diff --git a/cmd/kubelet/app/BUILD b/cmd/kubelet/app/BUILD
|
473
|
|
-index cbfb90f..6264d0c 100644
|
|
473
|
+index cbfb90ff13..6264d0ce53 100644
|
474
|
474
|
--- a/cmd/kubelet/app/BUILD
|
475
|
475
|
+++ b/cmd/kubelet/app/BUILD
|
476
|
476
|
@@ -117,6 +117,7 @@ go_library(
|
...
|
...
|
@@ -482,7 +509,7 @@ index cbfb90f..6264d0c 100644
|
482
|
482
|
"//pkg/volume/cinder:go_default_library",
|
483
|
483
|
"//pkg/volume/configmap:go_default_library",
|
484
|
484
|
diff --git a/cmd/kubelet/app/plugins.go b/cmd/kubelet/app/plugins.go
|
485
|
|
-index ef41bb8..c9806f7 100644
|
|
485
|
+index ef41bb8e90..c9806f7f75 100644
|
486
|
486
|
--- a/cmd/kubelet/app/plugins.go
|
487
|
487
|
+++ b/cmd/kubelet/app/plugins.go
|
488
|
488
|
@@ -32,6 +32,7 @@ import (
|
...
|
...
|
@@ -502,7 +529,7 @@ index ef41bb8..c9806f7 100644
|
502
|
502
|
allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
|
503
|
503
|
}
|
504
|
504
|
diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go
|
505
|
|
-index 7f37e3d..fc792ee 100644
|
|
505
|
+index 7f37e3d989..fc792ee119 100644
|
506
|
506
|
--- a/pkg/apis/core/types.go
|
507
|
507
|
+++ b/pkg/apis/core/types.go
|
508
|
508
|
@@ -316,6 +316,8 @@ type VolumeSource struct {
|
...
|
...
|
@@ -541,7 +568,7 @@ index 7f37e3d..fc792ee 100644
|
541
|
541
|
//
|
542
|
542
|
// The contents of the target ConfigMap's Data field will be presented in a
|
543
|
543
|
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
|
544
|
|
-index 8d12dad..8bd89c6 100644
|
|
544
|
+index f7bc992d0d..8bd89c67e0 100644
|
545
|
545
|
--- a/pkg/apis/core/validation/validation.go
|
546
|
546
|
+++ b/pkg/apis/core/validation/validation.go
|
547
|
547
|
@@ -664,6 +664,14 @@ func validateVolumeSource(source *core.VolumeSource, fldPath *field.Path, volNam
|
...
|
...
|
@@ -590,8 +617,107 @@ index 8d12dad..8bd89c6 100644
|
590
|
590
|
if numVolumes == 0 {
|
591
|
591
|
allErrs = append(allErrs, field.Required(specPath, "must specify a volume type"))
|
592
|
592
|
}
|
|
593
|
+@@ -4764,16 +4789,50 @@ func ValidateNamespaceFinalizeUpdate(newNamespace, oldNamespace *core.Namespace)
|
|
594
|
+ return allErrs
|
|
595
|
+ }
|
|
596
|
+
|
|
597
|
++// Construct lookup map of old subset IPs to NodeNames.
|
|
598
|
++func updateEpAddrToNodeNameMap(ipToNodeName map[string]string, addresses []core.EndpointAddress) {
|
|
599
|
++ for n := range addresses {
|
|
600
|
++ if addresses[n].NodeName == nil {
|
|
601
|
++ continue
|
|
602
|
++ }
|
|
603
|
++ ipToNodeName[addresses[n].IP] = *addresses[n].NodeName
|
|
604
|
++ }
|
|
605
|
++}
|
|
606
|
++
|
|
607
|
++// Build a map across all subsets of IP -> NodeName
|
|
608
|
++func buildEndpointAddressNodeNameMap(subsets []core.EndpointSubset) map[string]string {
|
|
609
|
++ ipToNodeName := make(map[string]string)
|
|
610
|
++ for i := range subsets {
|
|
611
|
++ updateEpAddrToNodeNameMap(ipToNodeName, subsets[i].Addresses)
|
|
612
|
++ updateEpAddrToNodeNameMap(ipToNodeName, subsets[i].NotReadyAddresses)
|
|
613
|
++ }
|
|
614
|
++ return ipToNodeName
|
|
615
|
++}
|
|
616
|
++
|
|
617
|
++func validateEpAddrNodeNameTransition(addr *core.EndpointAddress, ipToNodeName map[string]string, fldPath *field.Path) field.ErrorList {
|
|
618
|
++ errList := field.ErrorList{}
|
|
619
|
++ existingNodeName, found := ipToNodeName[addr.IP]
|
|
620
|
++ if !found {
|
|
621
|
++ return errList
|
|
622
|
++ }
|
|
623
|
++ if addr.NodeName == nil || *addr.NodeName == existingNodeName {
|
|
624
|
++ return errList
|
|
625
|
++ }
|
|
626
|
++ // NodeName entry found for this endpoint IP, but user is attempting to change NodeName
|
|
627
|
++ return append(errList, field.Forbidden(fldPath, fmt.Sprintf("Cannot change NodeName for %s to %s", addr.IP, *addr.NodeName)))
|
|
628
|
++}
|
|
629
|
++
|
|
630
|
+ // ValidateEndpoints tests if required fields are set.
|
|
631
|
+ func ValidateEndpoints(endpoints *core.Endpoints) field.ErrorList {
|
|
632
|
+ allErrs := ValidateObjectMeta(&endpoints.ObjectMeta, true, ValidateEndpointsName, field.NewPath("metadata"))
|
|
633
|
+ allErrs = append(allErrs, ValidateEndpointsSpecificAnnotations(endpoints.Annotations, field.NewPath("annotations"))...)
|
|
634
|
+- allErrs = append(allErrs, validateEndpointSubsets(endpoints.Subsets, field.NewPath("subsets"))...)
|
|
635
|
++ allErrs = append(allErrs, validateEndpointSubsets(endpoints.Subsets, []core.EndpointSubset{}, field.NewPath("subsets"))...)
|
|
636
|
+ return allErrs
|
|
637
|
+ }
|
|
638
|
+
|
|
639
|
+-func validateEndpointSubsets(subsets []core.EndpointSubset, fldPath *field.Path) field.ErrorList {
|
|
640
|
++func validateEndpointSubsets(subsets []core.EndpointSubset, oldSubsets []core.EndpointSubset, fldPath *field.Path) field.ErrorList {
|
|
641
|
+ allErrs := field.ErrorList{}
|
|
642
|
++ ipToNodeName := buildEndpointAddressNodeNameMap(oldSubsets)
|
|
643
|
+ for i := range subsets {
|
|
644
|
+ ss := &subsets[i]
|
|
645
|
+ idxPath := fldPath.Index(i)
|
|
646
|
+@@ -4784,10 +4843,10 @@ func validateEndpointSubsets(subsets []core.EndpointSubset, fldPath *field.Path)
|
|
647
|
+ allErrs = append(allErrs, field.Required(idxPath, "must specify `addresses` or `notReadyAddresses`"))
|
|
648
|
+ }
|
|
649
|
+ for addr := range ss.Addresses {
|
|
650
|
+- allErrs = append(allErrs, validateEndpointAddress(&ss.Addresses[addr], idxPath.Child("addresses").Index(addr))...)
|
|
651
|
++ allErrs = append(allErrs, validateEndpointAddress(&ss.Addresses[addr], idxPath.Child("addresses").Index(addr), ipToNodeName)...)
|
|
652
|
+ }
|
|
653
|
+ for addr := range ss.NotReadyAddresses {
|
|
654
|
+- allErrs = append(allErrs, validateEndpointAddress(&ss.NotReadyAddresses[addr], idxPath.Child("notReadyAddresses").Index(addr))...)
|
|
655
|
++ allErrs = append(allErrs, validateEndpointAddress(&ss.NotReadyAddresses[addr], idxPath.Child("notReadyAddresses").Index(addr), ipToNodeName)...)
|
|
656
|
+ }
|
|
657
|
+ for port := range ss.Ports {
|
|
658
|
+ allErrs = append(allErrs, validateEndpointPort(&ss.Ports[port], len(ss.Ports) > 1, idxPath.Child("ports").Index(port))...)
|
|
659
|
+@@ -4797,7 +4856,7 @@ func validateEndpointSubsets(subsets []core.EndpointSubset, fldPath *field.Path)
|
|
660
|
+ return allErrs
|
|
661
|
+ }
|
|
662
|
+
|
|
663
|
+-func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path) field.ErrorList {
|
|
664
|
++func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path, ipToNodeName map[string]string) field.ErrorList {
|
|
665
|
+ allErrs := field.ErrorList{}
|
|
666
|
+ for _, msg := range validation.IsValidIP(address.IP) {
|
|
667
|
+ allErrs = append(allErrs, field.Invalid(fldPath.Child("ip"), address.IP, msg))
|
|
668
|
+@@ -4811,6 +4870,10 @@ func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path)
|
|
669
|
+ allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg))
|
|
670
|
+ }
|
|
671
|
+ }
|
|
672
|
++ allErrs = append(allErrs, validateEpAddrNodeNameTransition(address, ipToNodeName, fldPath.Child("nodeName"))...)
|
|
673
|
++ if len(allErrs) > 0 {
|
|
674
|
++ return allErrs
|
|
675
|
++ }
|
|
676
|
+ allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
|
|
677
|
+ return allErrs
|
|
678
|
+ }
|
|
679
|
+@@ -4860,11 +4923,9 @@ func validateEndpointPort(port *core.EndpointPort, requireName bool, fldPath *fi
|
|
680
|
+ }
|
|
681
|
+
|
|
682
|
+ // ValidateEndpointsUpdate tests to make sure an endpoints update can be applied.
|
|
683
|
+-// NodeName changes are allowed during update to accommodate the case where nodeIP or PodCIDR is reused.
|
|
684
|
+-// An existing endpoint ip will have a different nodeName if this happens.
|
|
685
|
+ func ValidateEndpointsUpdate(newEndpoints, oldEndpoints *core.Endpoints) field.ErrorList {
|
|
686
|
+ allErrs := ValidateObjectMetaUpdate(&newEndpoints.ObjectMeta, &oldEndpoints.ObjectMeta, field.NewPath("metadata"))
|
|
687
|
+- allErrs = append(allErrs, validateEndpointSubsets(newEndpoints.Subsets, field.NewPath("subsets"))...)
|
|
688
|
++ allErrs = append(allErrs, validateEndpointSubsets(newEndpoints.Subsets, oldEndpoints.Subsets, field.NewPath("subsets"))...)
|
|
689
|
+ allErrs = append(allErrs, ValidateEndpointsSpecificAnnotations(newEndpoints.Annotations, field.NewPath("annotations"))...)
|
|
690
|
+ return allErrs
|
|
691
|
+ }
|
593
|
692
|
diff --git a/pkg/apis/extensions/types.go b/pkg/apis/extensions/types.go
|
594
|
|
-index e369728..a5406ab 100644
|
|
693
|
+index e36972846b..a5406ab60a 100644
|
595
|
694
|
--- a/pkg/apis/extensions/types.go
|
596
|
695
|
+++ b/pkg/apis/extensions/types.go
|
597
|
696
|
@@ -925,6 +925,7 @@ var (
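Review bot: In the pkg/apis/core/validation/validation.go part of this hunk, `validateEpAddrNodeNameTransition` returns no error when `addr.NodeName == nil`, and `updateEpAddrToNodeNameMap` skips old addresses whose NodeName is nil, so the NodeName-per-IP rule holds only within a single update and not across an update that first clears the field. If NodeName is meant to be immutable for an existing endpoint IP, a nil NodeName on an IP found in `ipToNodeName` should be rejected as well; that branch needs its own message, because the current `Forbidden` text dereferences `*addr.NodeName`. The patch also deletes the `ValidateEndpointsUpdate` comment saying NodeName changes were allowed when a nodeIP or PodCIDR is reused, and puts nothing in its place. A doc comment such as `// NodeName of an existing endpoint IP may not be changed on update.` would state the new rule. It is worth confirming that rejecting such updates after IP reuse is intended, and not a side effect of rebasing the patch onto v1.10.12.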
|
...
|
...
|
@@ -603,7 +729,7 @@ index e369728..a5406ab 100644
|
603
|
603
|
)
|
604
|
604
|
|
605
|
605
|
diff --git a/pkg/cloudprovider/providers/BUILD b/pkg/cloudprovider/providers/BUILD
|
606
|
|
-index aeccfa1..4313576 100644
|
|
606
|
+index aeccfa1e5b..4313576203 100644
|
607
|
607
|
--- a/pkg/cloudprovider/providers/BUILD
|
608
|
608
|
+++ b/pkg/cloudprovider/providers/BUILD
|
609
|
609
|
@@ -12,6 +12,7 @@ go_library(
|
...
|
...
|
@@ -624,7 +750,7 @@ index aeccfa1..4313576 100644
|
624
|
624
|
"//pkg/cloudprovider/providers/gce:all-srcs",
|
625
|
625
|
diff --git a/pkg/cloudprovider/providers/cascade/BUILD b/pkg/cloudprovider/providers/cascade/BUILD
|
626
|
626
|
new file mode 100644
|
627
|
|
-index 0000000..4089166
|
|
627
|
+index 0000000000..4089166732
|
628
|
628
|
--- /dev/null
|
629
|
629
|
+++ b/pkg/cloudprovider/providers/cascade/BUILD
|
630
|
630
|
@@ -0,0 +1,56 @@
|
...
|
...
|
@@ -686,7 +812,7 @@ index 0000000..4089166
|
686
|
686
|
+)
|
687
|
687
|
diff --git a/pkg/cloudprovider/providers/cascade/OWNERS b/pkg/cloudprovider/providers/cascade/OWNERS
|
688
|
688
|
new file mode 100644
|
689
|
|
-index 0000000..70efc9d
|
|
689
|
+index 0000000000..70efc9dc1c
|
690
|
690
|
--- /dev/null
|
691
|
691
|
+++ b/pkg/cloudprovider/providers/cascade/OWNERS
|
692
|
692
|
@@ -0,0 +1,3 @@
|
...
|
...
|
@@ -695,7 +821,7 @@ index 0000000..70efc9d
|
695
|
695
|
+- ysheng
|
696
|
696
|
diff --git a/pkg/cloudprovider/providers/cascade/apitypes.go b/pkg/cloudprovider/providers/cascade/apitypes.go
|
697
|
697
|
new file mode 100644
|
698
|
|
-index 0000000..d437394
|
|
698
|
+index 0000000000..d437394462
|
699
|
699
|
--- /dev/null
|
700
|
700
|
+++ b/pkg/cloudprovider/providers/cascade/apitypes.go
|
701
|
701
|
@@ -0,0 +1,230 @@
|
...
|
...
|
@@ -931,7 +1057,7 @@ index 0000000..d437394
|
931
|
931
|
+}
|
932
|
932
|
diff --git a/pkg/cloudprovider/providers/cascade/auth.go b/pkg/cloudprovider/providers/cascade/auth.go
|
933
|
933
|
new file mode 100644
|
934
|
|
-index 0000000..fc92377
|
|
934
|
+index 0000000000..fc9237767f
|
935
|
935
|
--- /dev/null
|
936
|
936
|
+++ b/pkg/cloudprovider/providers/cascade/auth.go
|
937
|
937
|
@@ -0,0 +1,145 @@
|
...
|
...
|
@@ -1083,7 +1209,7 @@ index 0000000..fc92377
|
1083
|
1083
|
\ No newline at end of file
|
1084
|
1084
|
diff --git a/pkg/cloudprovider/providers/cascade/cascade.go b/pkg/cloudprovider/providers/cascade/cascade.go
|
1085
|
1085
|
new file mode 100644
|
1086
|
|
-index 0000000..b9fafb9
|
|
1086
|
+index 0000000000..b9fafb92e1
|
1087
|
1087
|
--- /dev/null
|
1088
|
1088
|
+++ b/pkg/cloudprovider/providers/cascade/cascade.go
|
1089
|
1089
|
@@ -0,0 +1,219 @@
|
...
|
...
|
@@ -1308,7 +1434,7 @@ index 0000000..b9fafb9
|
1308
|
1308
|
+}
|
1309
|
1309
|
diff --git a/pkg/cloudprovider/providers/cascade/cascade_disks.go b/pkg/cloudprovider/providers/cascade/cascade_disks.go
|
1310
|
1310
|
new file mode 100644
|
1311
|
|
-index 0000000..e889a28
|
|
1311
|
+index 0000000000..e889a28951
|
1312
|
1312
|
--- /dev/null
|
1313
|
1313
|
+++ b/pkg/cloudprovider/providers/cascade/cascade_disks.go
|
1314
|
1314
|
@@ -0,0 +1,253 @@
|
...
|
...
|
@@ -1567,7 +1693,7 @@ index 0000000..e889a28
|
1567
|
1567
|
+}
|
1568
|
1568
|
diff --git a/pkg/cloudprovider/providers/cascade/cascade_instances.go b/pkg/cloudprovider/providers/cascade/cascade_instances.go
|
1569
|
1569
|
new file mode 100644
|
1570
|
|
-index 0000000..957378b
|
|
1570
|
+index 0000000000..957378bf0a
|
1571
|
1571
|
--- /dev/null
|
1572
|
1572
|
+++ b/pkg/cloudprovider/providers/cascade/cascade_instances.go
|
1573
|
1573
|
@@ -0,0 +1,125 @@
|
...
|
...
|
@@ -1698,7 +1824,7 @@ index 0000000..957378b
|
1698
|
1698
|
+}
|
1699
|
1699
|
diff --git a/pkg/cloudprovider/providers/cascade/cascade_instances_test.go b/pkg/cloudprovider/providers/cascade/cascade_instances_test.go
|
1700
|
1700
|
new file mode 100644
|
1701
|
|
-index 0000000..8fb314d
|
|
1701
|
+index 0000000000..8fb314def1
|
1702
|
1702
|
--- /dev/null
|
1703
|
1703
|
+++ b/pkg/cloudprovider/providers/cascade/cascade_instances_test.go
|
1704
|
1704
|
@@ -0,0 +1,44 @@
|
...
|
...
|
@@ -1748,7 +1874,7 @@ index 0000000..8fb314d
|
1748
|
1748
|
+}
|
1749
|
1749
|
diff --git a/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go b/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
|
1750
|
1750
|
new file mode 100644
|
1751
|
|
-index 0000000..c2a62c2
|
|
1751
|
+index 0000000000..c2a62c2ff7
|
1752
|
1752
|
--- /dev/null
|
1753
|
1753
|
+++ b/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
|
1754
|
1754
|
@@ -0,0 +1,295 @@
|
...
|
...
|
@@ -2049,7 +2175,7 @@ index 0000000..c2a62c2
|
2049
|
2049
|
+}
|
2050
|
2050
|
diff --git a/pkg/cloudprovider/providers/cascade/client.go b/pkg/cloudprovider/providers/cascade/client.go
|
2051
|
2051
|
new file mode 100644
|
2052
|
|
-index 0000000..400e377
|
|
2052
|
+index 0000000000..400e3777d0
|
2053
|
2053
|
--- /dev/null
|
2054
|
2054
|
+++ b/pkg/cloudprovider/providers/cascade/client.go
|
2055
|
2055
|
@@ -0,0 +1,400 @@
|
...
|
...
|
@@ -2455,7 +2581,7 @@ index 0000000..400e377
|
2455
|
2455
|
+}
|
2456
|
2456
|
diff --git a/pkg/cloudprovider/providers/cascade/oidcclient.go b/pkg/cloudprovider/providers/cascade/oidcclient.go
|
2457
|
2457
|
new file mode 100644
|
2458
|
|
-index 0000000..6a71cc1
|
|
2458
|
+index 0000000000..6a71cc184f
|
2459
|
2459
|
--- /dev/null
|
2460
|
2460
|
+++ b/pkg/cloudprovider/providers/cascade/oidcclient.go
|
2461
|
2461
|
@@ -0,0 +1,297 @@
|
...
|
...
|
@@ -2758,7 +2884,7 @@ index 0000000..6a71cc1
|
2758
|
2758
|
+}
|
2759
|
2759
|
diff --git a/pkg/cloudprovider/providers/cascade/restclient.go b/pkg/cloudprovider/providers/cascade/restclient.go
|
2760
|
2760
|
new file mode 100644
|
2761
|
|
-index 0000000..71d8d1c
|
|
2761
|
+index 0000000000..71d8d1c164
|
2762
|
2762
|
--- /dev/null
|
2763
|
2763
|
+++ b/pkg/cloudprovider/providers/cascade/restclient.go
|
2764
|
2764
|
@@ -0,0 +1,262 @@
|
...
|
...
|
@@ -3026,7 +3152,7 @@ index 0000000..71d8d1c
|
3026
|
3026
|
+}
|
3027
|
3027
|
diff --git a/pkg/cloudprovider/providers/cascade/tests_owed b/pkg/cloudprovider/providers/cascade/tests_owed
|
3028
|
3028
|
new file mode 100644
|
3029
|
|
-index 0000000..dff5ab1
|
|
3029
|
+index 0000000000..dff5ab1dcd
|
3030
|
3030
|
--- /dev/null
|
3031
|
3031
|
+++ b/pkg/cloudprovider/providers/cascade/tests_owed
|
3032
|
3032
|
@@ -0,0 +1,5 @@
|
...
|
...
|
@@ -3037,7 +3163,7 @@ index 0000000..dff5ab1
|
3037
|
3037
|
+
|
3038
|
3038
|
diff --git a/pkg/cloudprovider/providers/cascade/utils.go b/pkg/cloudprovider/providers/cascade/utils.go
|
3039
|
3039
|
new file mode 100644
|
3040
|
|
-index 0000000..8ecde98
|
|
3040
|
+index 0000000000..8ecde989c5
|
3041
|
3041
|
--- /dev/null
|
3042
|
3042
|
+++ b/pkg/cloudprovider/providers/cascade/utils.go
|
3043
|
3043
|
@@ -0,0 +1,29 @@
|
...
|
...
|
@@ -3072,7 +3198,7 @@ index 0000000..8ecde98
|
3072
|
3072
|
+}
|
3073
|
3073
|
\ No newline at end of file
|
3074
|
3074
|
diff --git a/pkg/cloudprovider/providers/providers.go b/pkg/cloudprovider/providers/providers.go
|
3075
|
|
-index 7de9ca9..6d8a1d2 100644
|
|
3075
|
+index 7de9ca9a41..6d8a1d2226 100644
|
3076
|
3076
|
--- a/pkg/cloudprovider/providers/providers.go
|
3077
|
3077
|
+++ b/pkg/cloudprovider/providers/providers.go
|
3078
|
3078
|
@@ -20,6 +20,7 @@ import (
|
...
|
...
|
@@ -3084,7 +3210,7 @@ index 7de9ca9..6d8a1d2 100644
|
3084
|
3084
|
_ "k8s.io/kubernetes/pkg/cloudprovider/providers/gce"
|
3085
|
3085
|
_ "k8s.io/kubernetes/pkg/cloudprovider/providers/openstack"
|
3086
|
3086
|
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
|
3087
|
|
-index 30661bc..4743432 100644
|
|
3087
|
+index 30661bc14f..4743432d4f 100644
|
3088
|
3088
|
--- a/pkg/kubeapiserver/authorizer/config.go
|
3089
|
3089
|
+++ b/pkg/kubeapiserver/authorizer/config.go
|
3090
|
3090
|
@@ -33,6 +33,7 @@ import (
|
...
|
...
|
@@ -3109,7 +3235,7 @@ index 30661bc..4743432 100644
|
3109
|
3109
|
alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()
|
3110
|
3110
|
authorizers = append(authorizers, alwaysAllowAuthorizer)
|
3111
|
3111
|
diff --git a/pkg/kubeapiserver/authorizer/modes/modes.go b/pkg/kubeapiserver/authorizer/modes/modes.go
|
3112
|
|
-index 54d0a62..73a763f 100644
|
|
3112
|
+index 54d0a62770..73a763ff14 100644
|
3113
|
3113
|
--- a/pkg/kubeapiserver/authorizer/modes/modes.go
|
3114
|
3114
|
+++ b/pkg/kubeapiserver/authorizer/modes/modes.go
|
3115
|
3115
|
@@ -25,9 +25,10 @@ const (
|
...
|
...
|
@@ -3125,7 +3251,7 @@ index 54d0a62..73a763f 100644
|
3125
|
3125
|
// IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver
|
3126
|
3126
|
func IsValidAuthorizationMode(authzMode string) bool {
|
3127
|
3127
|
diff --git a/pkg/kubeapiserver/options/plugins.go b/pkg/kubeapiserver/options/plugins.go
|
3128
|
|
-index 75095b2..0914847 100644
|
|
3128
|
+index 75095b20d1..0914847d7a 100644
|
3129
|
3129
|
--- a/pkg/kubeapiserver/options/plugins.go
|
3130
|
3130
|
+++ b/pkg/kubeapiserver/options/plugins.go
|
3131
|
3131
|
@@ -58,6 +58,7 @@ import (
|
...
|
...
|
@@ -3153,7 +3279,7 @@ index 75095b2..0914847 100644
|
3153
|
3153
|
|
3154
|
3154
|
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
|
3155
|
3155
|
diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go
|
3156
|
|
-index 318148d..bd26dc6 100644
|
|
3156
|
+index 318148dfa1..bd26dc6179 100644
|
3157
|
3157
|
--- a/pkg/printers/internalversion/describe.go
|
3158
|
3158
|
+++ b/pkg/printers/internalversion/describe.go
|
3159
|
3159
|
@@ -754,6 +754,8 @@ func describeVolumes(volumes []api.Volume, w PrefixWriter, space string) {
|
...
|
...
|
@@ -3189,7 +3315,7 @@ index 318148d..bd26dc6 100644
|
3189
|
3189
|
w.Write(LEVEL_1, "<unknown>\n")
|
3190
|
3190
|
}
|
3191
|
3191
|
diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go
|
3192
|
|
-index d581f50..bfd21b1 100644
|
|
3192
|
+index d581f5012a..bfd21b19a2 100644
|
3193
|
3193
|
--- a/pkg/security/podsecuritypolicy/util/util.go
|
3194
|
3194
|
+++ b/pkg/security/podsecuritypolicy/util/util.go
|
3195
|
3195
|
@@ -68,6 +68,7 @@ func GetAllFSTypesAsSet() sets.String {
|
...
|
...
|
@@ -3211,7 +3337,7 @@ index d581f50..bfd21b1 100644
|
3211
|
3211
|
return "", fmt.Errorf("unknown volume type for volume: %#v", v)
|
3212
|
3212
|
diff --git a/pkg/volume/cascade_disk/BUILD b/pkg/volume/cascade_disk/BUILD
|
3213
|
3213
|
new file mode 100644
|
3214
|
|
-index 0000000..3386612
|
|
3214
|
+index 0000000000..3386612450
|
3215
|
3215
|
--- /dev/null
|
3216
|
3216
|
+++ b/pkg/volume/cascade_disk/BUILD
|
3217
|
3217
|
@@ -0,0 +1,43 @@
|
...
|
...
|
@@ -3260,7 +3386,7 @@ index 0000000..3386612
|
3260
|
3260
|
+)
|
3261
|
3261
|
diff --git a/pkg/volume/cascade_disk/OWNERS b/pkg/volume/cascade_disk/OWNERS
|
3262
|
3262
|
new file mode 100644
|
3263
|
|
-index 0000000..c3a4ed7
|
|
3263
|
+index 0000000000..c3a4ed77dc
|
3264
|
3264
|
--- /dev/null
|
3265
|
3265
|
+++ b/pkg/volume/cascade_disk/OWNERS
|
3266
|
3266
|
@@ -0,0 +1,2 @@
|
...
|
...
|
@@ -3268,7 +3394,7 @@ index 0000000..c3a4ed7
|
3268
|
3268
|
+- ashokc
|
3269
|
3269
|
diff --git a/pkg/volume/cascade_disk/attacher.go b/pkg/volume/cascade_disk/attacher.go
|
3270
|
3270
|
new file mode 100644
|
3271
|
|
-index 0000000..c19c37c
|
|
3271
|
+index 0000000000..c19c37c965
|
3272
|
3272
|
--- /dev/null
|
3273
|
3273
|
+++ b/pkg/volume/cascade_disk/attacher.go
|
3274
|
3274
|
@@ -0,0 +1,264 @@
|
...
|
...
|
@@ -3538,7 +3664,7 @@ index 0000000..c19c37c
|
3538
|
3538
|
+}
|
3539
|
3539
|
diff --git a/pkg/volume/cascade_disk/azure_disk_util.go b/pkg/volume/cascade_disk/azure_disk_util.go
|
3540
|
3540
|
new file mode 100644
|
3541
|
|
-index 0000000..7f9812f
|
|
3541
|
+index 0000000000..7f9812f767
|
3542
|
3542
|
--- /dev/null
|
3543
|
3543
|
+++ b/pkg/volume/cascade_disk/azure_disk_util.go
|
3544
|
3544
|
@@ -0,0 +1,135 @@
|
...
|
...
|
@@ -3679,7 +3805,7 @@ index 0000000..7f9812f
|
3679
|
3679
|
+}
|
3680
|
3680
|
diff --git a/pkg/volume/cascade_disk/cascade_disk.go b/pkg/volume/cascade_disk/cascade_disk.go
|
3681
|
3681
|
new file mode 100644
|
3682
|
|
-index 0000000..d07e83b
|
|
3682
|
+index 0000000000..d07e83b3d3
|
3683
|
3683
|
--- /dev/null
|
3684
|
3684
|
+++ b/pkg/volume/cascade_disk/cascade_disk.go
|
3685
|
3685
|
@@ -0,0 +1,399 @@
|
...
|
...
|
@@ -4084,7 +4210,7 @@ index 0000000..d07e83b
|
4084
|
4084
|
+}
|
4085
|
4085
|
diff --git a/pkg/volume/cascade_disk/cascade_util.go b/pkg/volume/cascade_disk/cascade_util.go
|
4086
|
4086
|
new file mode 100644
|
4087
|
|
-index 0000000..5ad0bc9
|
|
4087
|
+index 0000000000..5ad0bc9316
|
4088
|
4088
|
--- /dev/null
|
4089
|
4089
|
+++ b/pkg/volume/cascade_disk/cascade_util.go
|
4090
|
4090
|
@@ -0,0 +1,217 @@
|
...
|
...
|
@@ -4306,7 +4432,7 @@ index 0000000..5ad0bc9
|
4306
|
4306
|
+ return "", err
|
4307
|
4307
|
+}
|
4308
|
4308
|
diff --git a/plugin/pkg/admission/persistentvolume/label/admission.go b/plugin/pkg/admission/persistentvolume/label/admission.go
|
4309
|
|
-index 819adae..3d55589 100644
|
|
4309
|
+index 819adae192..3d55589c89 100644
|
4310
|
4310
|
--- a/plugin/pkg/admission/persistentvolume/label/admission.go
|
4311
|
4311
|
+++ b/plugin/pkg/admission/persistentvolume/label/admission.go
|
4312
|
4312
|
@@ -27,6 +27,7 @@ import (
|
...
|
...
|
@@ -4390,7 +4516,7 @@ index 819adae..3d55589 100644
|
4390
|
4390
|
+}
|
4391
|
4391
|
diff --git a/plugin/pkg/admission/vke/BUILD b/plugin/pkg/admission/vke/BUILD
|
4392
|
4392
|
new file mode 100644
|
4393
|
|
-index 0000000..97c0856
|
|
4393
|
+index 0000000000..97c0856d39
|
4394
|
4394
|
--- /dev/null
|
4395
|
4395
|
+++ b/plugin/pkg/admission/vke/BUILD
|
4396
|
4396
|
@@ -0,0 +1,61 @@
|
...
|
...
|
@@ -4458,10 +4584,10 @@ index 0000000..97c0856
|
4458
|
4458
|
\ No newline at end of file
|
4459
|
4459
|
diff --git a/plugin/pkg/admission/vke/admission.go b/plugin/pkg/admission/vke/admission.go
|
4460
|
4460
|
new file mode 100644
|
4461
|
|
-index 0000000..5434f7d
|
|
4461
|
+index 0000000000..a3ac097295
|
4462
|
4462
|
--- /dev/null
|
4463
|
4463
|
+++ b/plugin/pkg/admission/vke/admission.go
|
4464
|
|
-@@ -0,0 +1,628 @@
|
|
4464
|
+@@ -0,0 +1,661 @@
|
4465
|
4465
|
+package vke
|
4466
|
4466
|
+
|
4467
|
4467
|
+import (
|
...
|
...
|
@@ -4515,6 +4641,7 @@ index 0000000..5434f7d
|
4515
|
4515
|
+ strategyFactory podsecuritypolicy.StrategyFactory
|
4516
|
4516
|
+ privilegedGroup string
|
4517
|
4517
|
+ clusterID string
|
|
4518
|
++ privilegedMode bool
|
4518
|
4519
|
+}
|
4519
|
4520
|
+
|
4520
|
4521
|
+// vmwareAdmissionControllerConfig holds config data for VMwareAdmissionController.
|
...
|
...
|
@@ -4579,6 +4706,8 @@ index 0000000..5434f7d
|
4579
|
4579
|
+ err = validateClusterRoles(a)
|
4580
|
4580
|
+ case rbac.Resource("clusterrolebindings"):
|
4581
|
4581
|
+ err = validateClusterRoleBindings(a)
|
|
4582
|
++ case api.Resource("persistentvolumes"):
|
|
4583
|
++ err = validatePersistentVolumes(vac, a)
|
4582
|
4584
|
+ }
|
4583
|
4585
|
+
|
4584
|
4586
|
+ return err
|
...
|
...
|
@@ -4606,9 +4735,11 @@ index 0000000..5434f7d
|
4606
|
4606
|
+ }
|
4607
|
4607
|
+
|
4608
|
4608
|
+ // Load PSP from file. If it fails, use default.
|
|
4609
|
++ privilegedMode := true
|
4609
|
4610
|
+ psp := getPSPFromFile(config.VMwareAdmissionController.PodSecurityPolicyFile)
|
4610
|
4611
|
+ if psp == nil {
|
4611
|
4612
|
+ psp = getDefaultPSP()
|
|
4613
|
++ privilegedMode = false
|
4612
|
4614
|
+ }
|
4613
|
4615
|
+
|
4614
|
4616
|
+ return &vmwareAdmissionController{
|
...
|
...
|
@@ -4616,6 +4747,7 @@ index 0000000..5434f7d
|
4616
|
4616
|
+ strategyFactory: podsecuritypolicy.NewSimpleStrategyFactory(),
|
4617
|
4617
|
+ privilegedGroup: config.VMwareAdmissionController.PrivilegedGroup,
|
4618
|
4618
|
+ clusterID: config.VMwareAdmissionController.ClusterID,
|
|
4619
|
++ privilegedMode: privilegedMode,
|
4619
|
4620
|
+ }, nil
|
4620
|
4621
|
+}
|
4621
|
4622
|
+
|
...
|
...
|
@@ -4923,6 +5055,33 @@ index 0000000..5434f7d
|
4923
|
4923
|
+ return checkReservedPrefix(clusterRoleBinding.Name, a)
|
4924
|
4924
|
+}
|
4925
|
4925
|
+
|
|
4926
|
++func validatePersistentVolumes(vac *vmwareAdmissionController, a admission.Attributes) error {
|
|
4927
|
++ // If the operation is not a Create operation, we allow. This is because Create is the only operation which can be
|
|
4928
|
++ // used to create a new PV of type hostPath to get access to the host file system. All the other operations
|
|
4929
|
++ // including Update cannot be used to gain access to host file system.
|
|
4930
|
++ if a.GetOperation() != admission.Create {
|
|
4931
|
++ return nil
|
|
4932
|
++ }
|
|
4933
|
++
|
|
4934
|
++ pv, ok := a.GetObject().(*api.PersistentVolume)
|
|
4935
|
++ // If we cannot get the PV object, fail.
|
|
4936
|
++ if !ok {
|
|
4937
|
++ return admission.NewForbidden(a,
|
|
4938
|
++ fmt.Errorf("%s validation failed: unexpected type %T", PluginName, a.GetObject()))
|
|
4939
|
++ }
|
|
4940
|
++
|
|
4941
|
++ // If we are running in non-privileged mode, then fail if the PV is of type hostPath. We want to do this to prevent
|
|
4942
|
++ // access to host file system on a non-privileged cluster.
|
|
4943
|
++ if !vac.privilegedMode {
|
|
4944
|
++ if pv.Spec.HostPath != nil {
|
|
4945
|
++ return admission.NewForbidden(a,
|
|
4946
|
++ fmt.Errorf("%s validation failed: cannot create a PersistentVolume of type hostPath", PluginName))
|
|
4947
|
++ }
|
|
4948
|
++ }
|
|
4949
|
++
|
|
4950
|
++ return nil
|
|
4951
|
++}
|
|
4952
|
++
|
4926
|
4953
|
+func validatePods(vac *vmwareAdmissionController, a admission.Attributes) error {
|
4927
|
4954
|
+ // If the request is acting on a sub resource of a pod then allow it. This request is not directly coming to a pod,
|
4928
|
4955
|
+ // but to a sub-resource like pods/foo/status. So, this does not have to be blocked.
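Review bot: The non-privileged check in `validatePersistentVolumes` tests only `pv.Spec.HostPath`, so a PersistentVolume with a `local` source, which also names a path on the node, would still be admitted if that volume type is enabled on the cluster; consider widening it to `if pv.Spec.HostPath != nil || pv.Spec.Local != nil {` and adjusting the error text. The comment that Update cannot be used to reach the host file system appears to rely on API validation rejecting changes to a PV's volume source after creation; stating that in the comment, e.g. `// Update is allowed: the PV source is immutable after creation (API validation).`, would make the assumption easy to re-check on each rebase. In the constructor hunk, `privilegedMode` is set to true whenever a PSP file loads, whatever that PSP permits, so a restrictive custom PSP would still allow hostPath PVs; deriving the flag from the PSP's allowed volume types, or documenting the coupling, would be safer. The added tests cover only the denied create and the allowed delete, so a privileged-mode create and a non-hostPath create in non-privileged mode would pin the remaining branches.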
|
...
|
...
|
@@ -5092,10 +5251,10 @@ index 0000000..5434f7d
|
5092
|
5092
|
+}
|
5093
|
5093
|
diff --git a/plugin/pkg/admission/vke/admission_test.go b/plugin/pkg/admission/vke/admission_test.go
|
5094
|
5094
|
new file mode 100644
|
5095
|
|
-index 0000000..689a22d
|
|
5095
|
+index 0000000000..1842253290
|
5096
|
5096
|
--- /dev/null
|
5097
|
5097
|
+++ b/plugin/pkg/admission/vke/admission_test.go
|
5098
|
|
-@@ -0,0 +1,960 @@
|
|
5098
|
+@@ -0,0 +1,995 @@
|
5099
|
5099
|
+package vke
|
5100
|
5100
|
+
|
5101
|
5101
|
+import (
|
...
|
...
|
@@ -5788,6 +5947,23 @@ index 0000000..689a22d
|
5788
|
5788
|
+ userInfo: newTestUserBuilder().withGroup(systemWorkerGroup).build(),
|
5789
|
5789
|
+ shouldPassValidate: false,
|
5790
|
5790
|
+ },
|
|
5791
|
++ "denied: regular lightwave user creates a PV of type hostPath": {
|
|
5792
|
++ operation: kadmission.Create,
|
|
5793
|
++ resource: "persistentvolumes",
|
|
5794
|
++ namespace: "",
|
|
5795
|
++ name: "test-pv",
|
|
5796
|
++ object: getHostPathPV(),
|
|
5797
|
++ userInfo: newTestUserBuilder().build(),
|
|
5798
|
++ shouldPassValidate: false,
|
|
5799
|
++ },
|
|
5800
|
++ "allowed: regular lightwave user deletes a PV": {
|
|
5801
|
++ operation: kadmission.Delete,
|
|
5802
|
++ resource: "persistentvolumes",
|
|
5803
|
++ namespace: "",
|
|
5804
|
++ name: "test-pv",
|
|
5805
|
++ userInfo: newTestUserBuilder().build(),
|
|
5806
|
++ shouldPassValidate: true,
|
|
5807
|
++ },
|
5791
|
5808
|
+ }
|
5792
|
5809
|
+ for k, v := range tests {
|
5793
|
5810
|
+ testResourceValidation(k, v.operation, v.resource, v.subresource, v.name, v.namespace, v.userInfo, v.object,
|
...
|
...
|
@@ -6056,9 +6232,27 @@ index 0000000..689a22d
|
6056
|
6056
|
+ n.node.Spec.Taints = taints
|
6057
|
6057
|
+ return n
|
6058
|
6058
|
+}
|
|
6059
|
++
|
|
6060
|
++func getHostPathPV() *kapi.PersistentVolume {
|
|
6061
|
++ return &kapi.PersistentVolume{
|
|
6062
|
++ ObjectMeta: metav1.ObjectMeta{
|
|
6063
|
++ Name: "test-pv",
|
|
6064
|
++ Namespace: "",
|
|
6065
|
++ Annotations: nil,
|
|
6066
|
++ },
|
|
6067
|
++ Spec: kapi.PersistentVolumeSpec{
|
|
6068
|
++ StorageClassName: "manual",
|
|
6069
|
++ PersistentVolumeSource: kapi.PersistentVolumeSource{
|
|
6070
|
++ HostPath: &kapi.HostPathVolumeSource{
|
|
6071
|
++ Path: "/",
|
|
6072
|
++ },
|
|
6073
|
++ },
|
|
6074
|
++ },
|
|
6075
|
++ }
|
|
6076
|
++}
|
6059
|
6077
|
diff --git a/plugin/pkg/auth/authorizer/vke/BUILD b/plugin/pkg/auth/authorizer/vke/BUILD
|
6060
|
6078
|
new file mode 100644
|
6061
|
|
-index 0000000..4b984f1
|
|
6079
|
+index 0000000000..4b984f14ec
|
6062
|
6080
|
--- /dev/null
|
6063
|
6081
|
+++ b/plugin/pkg/auth/authorizer/vke/BUILD
|
6064
|
6082
|
@@ -0,0 +1,40 @@
|
...
|
...
|
@@ -6104,7 +6298,7 @@ index 0000000..4b984f1
|
6104
|
6104
|
+)
|
6105
|
6105
|
diff --git a/plugin/pkg/auth/authorizer/vke/OWNERS b/plugin/pkg/auth/authorizer/vke/OWNERS
|
6106
|
6106
|
new file mode 100644
|
6107
|
|
-index 0000000..c3a4ed7
|
|
6107
|
+index 0000000000..c3a4ed77dc
|
6108
|
6108
|
--- /dev/null
|
6109
|
6109
|
+++ b/plugin/pkg/auth/authorizer/vke/OWNERS
|
6110
|
6110
|
@@ -0,0 +1,2 @@
|
...
|
...
|
@@ -6112,7 +6306,7 @@ index 0000000..c3a4ed7
|
6112
|
6112
|
+- ashokc
|
6113
|
6113
|
diff --git a/plugin/pkg/auth/authorizer/vke/vke_authorizer.go b/plugin/pkg/auth/authorizer/vke/vke_authorizer.go
|
6114
|
6114
|
new file mode 100644
|
6115
|
|
-index 0000000..5f3103b
|
|
6115
|
+index 0000000000..5f3103b0af
|
6116
|
6116
|
--- /dev/null
|
6117
|
6117
|
+++ b/plugin/pkg/auth/authorizer/vke/vke_authorizer.go
|
6118
|
6118
|
@@ -0,0 +1,123 @@
|
...
|
...
|
@@ -6241,7 +6435,7 @@ index 0000000..5f3103b
|
6241
|
6241
|
+}
|
6242
|
6242
|
diff --git a/plugin/pkg/auth/authorizer/vke/vke_authorizer_test.go b/plugin/pkg/auth/authorizer/vke/vke_authorizer_test.go
|
6243
|
6243
|
new file mode 100644
|
6244
|
|
-index 0000000..6aba9ec
|
|
6244
|
+index 0000000000..6aba9ecec9
|
6245
|
6245
|
--- /dev/null
|
6246
|
6246
|
+++ b/plugin/pkg/auth/authorizer/vke/vke_authorizer_test.go
|
6247
|
6247
|
@@ -0,0 +1,230 @@
|
...
|
...
|
@@ -6476,7 +6670,7 @@ index 0000000..6aba9ec
|
6476
|
6476
|
+ }
|
6477
|
6477
|
+}
|
6478
|
6478
|
diff --git a/staging/src/k8s.io/api/core/v1/generated.pb.go b/staging/src/k8s.io/api/core/v1/generated.pb.go
|
6479
|
|
-index 85c7b63..b97b2f1 100644
|
|
6479
|
+index 85c7b634b3..b97b2f1b5e 100644
|
6480
|
6480
|
--- a/staging/src/k8s.io/api/core/v1/generated.pb.go
|
6481
|
6481
|
+++ b/staging/src/k8s.io/api/core/v1/generated.pb.go
|
6482
|
6482
|
@@ -35,6 +35,7 @@ limitations under the License.
|
...
|
...
|
@@ -6979,7 +7173,7 @@ index 85c7b63..b97b2f1 100644
|
6979
|
6979
|
iNdEx = preIndex
|
6980
|
6980
|
skippy, err := skipGenerated(dAtA[iNdEx:])
|
6981
|
6981
|
diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
|
6982
|
|
-index 36f4567..7b280cd 100644
|
|
6982
|
+index 36f456702e..7b280cd460 100644
|
6983
|
6983
|
--- a/staging/src/k8s.io/api/core/v1/types.go
|
6984
|
6984
|
+++ b/staging/src/k8s.io/api/core/v1/types.go
|
6985
|
6985
|
@@ -333,9 +333,9 @@ type VolumeSource struct {
|
...
|
...
|
@@ -7044,5 +7238,5 @@ index 36f4567..7b280cd 100644
|
7044
|
7044
|
//
|
7045
|
7045
|
// The contents of the target ConfigMap's Data field will be presented in a
|
7046
|
7046
|
--
|
7047
|
|
-2.7.4
|
|
7047
|
+2.19.1
|
7048
|
7048
|
|