From 3838b1f4a1ec6177fcee764d1bd1588a1ec97c30 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 05:04:19 +0000
Subject: [PATCH 01/23] update for k8s 1.30.1

---
 .github/workflows/ci.yaml | 12 ++++++------
 .github/workflows/release.yaml | 10 +++++-----
 Makefile | 2 +-
 go.mod | 22 +++++++++++-----------
 4 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 46beef4..5959380 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,8 +9,8 @@ jobs:
 name: Small test
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-go@v3
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
 with:
 go-version-file: go.mod
 - uses: ./.github/actions/aqua
@@ -24,13 +24,13 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: docker/setup-qemu-action@v2
- - uses: docker/setup-buildx-action@v2
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
 - name: Setup go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v5
 with:
 go-version-file: go.mod
 - uses: ./.github/actions/aqua
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7f884e9..8e00577 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,19 +8,19 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: docker/setup-qemu-action@v2
- - uses: docker/setup-buildx-action@v2
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
 - name: GHCR Login
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Setup go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v5
 with:
 go-version-file: go.mod
 - uses: ./.github/actions/aqua
diff --git a/Makefile b/Makefile
index bddcc4c..b79957b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-ENVTEST_K8S_VERSION = 1.27.1
+ENVTEST_K8S_VERSION = 1.30.1
 # Set the shell used to bash for better error handling.
 SHELL = /bin/bash
diff --git a/go.mod b/go.mod
index 85fa1bc..1a0c755 100644
--- a/go.mod
+++ b/go.mod
@@ -1,19 +1,19 @@
 module github.com/cybozu-go/pod-security-admission
-go 1.20
+go 1.22.3
 require (
- github.com/go-logr/logr v1.2.4
- github.com/onsi/ginkgo/v2 v2.11.0
+ github.com/go-logr/logr v1.4.1
+ github.com/onsi/ginkgo/v2 v2.17.3
 github.com/onsi/gomega v1.27.10
- github.com/spf13/cobra v1.7.0
- k8s.io/api v0.27.9
- k8s.io/apimachinery v0.27.9
- k8s.io/client-go v0.27.9
- k8s.io/klog/v2 v2.100.1
- k8s.io/utils v0.0.0-20240102154912-e7106e64919e
- sigs.k8s.io/controller-runtime v0.15.1
- sigs.k8s.io/yaml v1.3.0
+ github.com/spf13/cobra v1.8.0
+ k8s.io/api v0.30.1
+ k8s.io/apimachinery v0.30.1
+ k8s.io/client-go v0.30.1
+ k8s.io/klog/v2 v2.120.1
+ k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
+ sigs.k8s.io/controller-runtime v0.18.2
+ sigs.k8s.io/yaml v1.4.0
 )
 require (

From 51188dd11fe6ea82714340a5babf9d5da2224462 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 05:06:30 +0000
Subject: [PATCH 02/23] update go modules

---
 go.mod | 59 +++++++------
 go.sum | 264 +++++++++++++++++++--------------------------------
 2 files changed, 116 insertions(+), 207 deletions(-)

diff --git a/go.mod b/go.mod
index 1a0c755..8819667 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22.3
 require (
 github.com/go-logr/logr v1.4.1
 github.com/onsi/ginkgo/v2 v2.17.3
- github.com/onsi/gomega v1.27.10
+ github.com/onsi/gomega v1.33.0
 github.com/spf13/cobra v1.8.0
 k8s.io/api v0.30.1
 k8s.io/apimachinery v0.30.1
@@ -20,21 +20,21 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
- github.com/emicklei/go-restful/v3 v3.9.0 // indirect
- github.com/evanphx/json-patch/v5 v5.6.0 // indirect
- github.com/fsnotify/fsnotify v1.6.0 // indirect
- github.com/go-logr/zapr v1.2.4 // indirect
+ github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+ github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+ github.com/fsnotify/fsnotify v1.7.0 // indirect
+ github.com/go-logr/zapr v1.3.0 // indirect
 github.com/go-openapi/jsonpointer v0.19.6 // indirect
- github.com/go-openapi/jsonreference v0.20.1 // indirect
+ github.com/go-openapi/jsonreference v0.20.2 // indirect
 github.com/go-openapi/swag v0.22.3 // indirect
- github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+ github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
- github.com/golang/protobuf v1.5.3 // indirect
- github.com/google/gnostic v0.5.7-v3refs // indirect
- github.com/google/go-cmp v0.5.9 // indirect
- github.com/google/gofuzz v1.1.0 // indirect
- github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
+ github.com/golang/protobuf v1.5.4 // indirect
+ github.com/google/gnostic-models v0.6.8 // indirect
+ github.com/google/go-cmp v0.6.0 // indirect
+ github.com/google/gofuzz v1.2.0 // indirect
+ github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
 github.com/google/uuid v1.3.0 // indirect
 github.com/imdario/mergo v0.3.6 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -46,30 +46,29 @@ require (
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/pkg/errors v0.9.1 // indirect
- github.com/prometheus/client_golang v1.15.1 // indirect
+ github.com/prometheus/client_golang v1.16.0 // indirect
 github.com/prometheus/client_model v0.4.0 // indirect
- github.com/prometheus/common v0.42.0 // indirect
- github.com/prometheus/procfs v0.9.0 // indirect
+ github.com/prometheus/common v0.44.0 // indirect
+ github.com/prometheus/procfs v0.12.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
- go.uber.org/atomic v1.7.0 // indirect
- go.uber.org/multierr v1.6.0 // indirect
- go.uber.org/zap v1.24.0 // indirect
- golang.org/x/net v0.17.0 // indirect
- golang.org/x/oauth2 v0.7.0 // indirect
- golang.org/x/sys v0.13.0 // indirect
- golang.org/x/term v0.13.0 // indirect
- golang.org/x/text v0.13.0 // indirect
+ go.uber.org/multierr v1.11.0 // indirect
+ go.uber.org/zap v1.26.0 // indirect
+ golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
+ golang.org/x/net v0.24.0 // indirect
+ golang.org/x/oauth2 v0.12.0 // indirect
+ golang.org/x/sys v0.19.0 // indirect
+ golang.org/x/term v0.19.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.12.0 // indirect
- gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
+ golang.org/x/tools v0.20.0 // indirect
+ gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/protobuf v1.31.0 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/apiextensions-apiserver v0.27.2 // indirect
- k8s.io/component-base v0.27.2 // indirect
- k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
+ k8s.io/apiextensions-apiserver v0.30.0 // indirect
+ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
diff --git a/go.sum b/go.sum
index f1dabc4..a276177 100644
--- a/go.sum
+++ b/go.sum
@@ -1,95 +1,65 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= -github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= 
-github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= -github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= -github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= -github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod 
h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= -github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= -github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/golang/protobuf v1.5.4 
h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -105,186 +75,126 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= -github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= -github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= -github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= +github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/gomega v1.33.0 h1:snPCflnZrpMsy94p4lXVEkHo12lmPnc3vY5XBbreexE= +github.com/onsi/gomega v1.33.0/go.mod h1:+925n5YtiFsLzzafLUHzVMBpvvRAzrydIBiSIxjX3wY= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI= -github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= +github.com/prometheus/client_golang v1.16.0/go.mod 
h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= -github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= -github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= -github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= -github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= -github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= -go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +go.uber.org/goleak v1.3.0 
h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net 
v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g= -golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
+golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss=
-golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
+golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
+golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
-gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.27.9 h1:zelL2mPSOAgcItlCwIzy75/wl4Rt9kSKLMQYhAE2tA4=
-k8s.io/api v0.27.9/go.mod h1:H6ZBAkYZ3B/BbyS6Us85MJas3OJp4xteQF4+kZHaw6g=
-k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo=
-k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ=
-k8s.io/apimachinery v0.27.9 h1:IOGjTX8IiPVpl7qOVOvXiiTQ+0G4k68/t5OMTWZkdas=
-k8s.io/apimachinery v0.27.9/go.mod h1:EIXLxLt/b1muPITiF5zlrcm7I+YnXsIgM+0GdnPTQvA=
-k8s.io/client-go v0.27.9 h1:eSGXZbMVyrFXQ7VZBtyJ1bPtnsApO/U/oJq0arkZ27c=
-k8s.io/client-go v0.27.9/go.mod h1:I3POCgjLe2aLPpBSME+WQq64IGjOZ3CQUxp0MQdpVE8=
-k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo=
-k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo=
-k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
-k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
-k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
-k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
-k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.15.1 h1:9UvgKD4ZJGcj24vefUFgZFP3xej/3igL9BsOUTb/+4c=
-sigs.k8s.io/controller-runtime v0.15.1/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
+k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=
+k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM=
+k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs=
+k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y=
+k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U=
+k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q=
+k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc=
+k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
+k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak=
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q=
+sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
From 4b9dd3434a0045101c9fea96bfd2d6e768898866 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 05:12:50 +0000
Subject: [PATCH 03/23] update aqua 3.0.1
---
 .github/actions/aqua/action.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
index d04d8ef..0ba6a6d 100644
--- a/.github/actions/aqua/action.yaml
+++ b/.github/actions/aqua/action.yaml
@@ -7,8 +7,8 @@ inputs:
 runs:
 using: composite
 steps:
- - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0
+ - uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v2.2.0
 with:
- aqua_version: v2.21.3
+ aqua_version: v3.0.1
 env:
 GITHUB_TOKEN: ${{ inputs.github_token }}
From 9c91adf11ccb88206a37cb3939ac2a01e45a5a28 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 05:15:34 +0000
Subject: [PATCH 04/23] update aqua
---
 .github/actions/aqua/action.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
index 0ba6a6d..57e48e9 100644
--- a/.github/actions/aqua/action.yaml
+++ b/.github/actions/aqua/action.yaml
@@ -7,8 +7,8 @@ inputs:
 runs:
 using: composite
 steps:
- - uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v2.2.0
+ - uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v2.28.0
 with:
- aqua_version: v3.0.1
+ aqua_version: v2.28.0
 env:
 GITHUB_TOKEN: ${{ inputs.github_token }}
From ac1dfbd8e83dc6ea580043038729a999f44a8113 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 06:08:01 +0000
Subject: [PATCH 05/23] update dep
---
 .github/actions/aqua/action.yaml | 4 ++--
 cmd/sub/run.go | 16 +++++++++++-----
 hooks/suite_test.go | 16 +++++++++++-----
 3 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
index 57e48e9..9887526 100644
--- a/.github/actions/aqua/action.yaml
+++ b/.github/actions/aqua/action.yaml
@@ -7,8 +7,8 @@ inputs:
 runs:
 using: composite
 steps:
- - uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v2.28.0
+ - uses: aquaproj/aqua-installer@4551ec64e21bf0f557c2525135ff0bd2cba40ec7 # v3.0.0
 with:
- aqua_version: v2.28.0
+ aqua_version: v2.25.2
 env:
 GITHUB_TOKEN: ${{ inputs.github_token }}
diff --git a/cmd/sub/run.go b/cmd/sub/run.go
index 97fa932..08d55c4 100644
--- a/cmd/sub/run.go
+++ b/cmd/sub/run.go
@@ -9,6 +9,8 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/healthz"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+ metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 var (
@@ -26,13 +28,17 @@ func run(addr string, port int, profs []hooks.SecurityProfile) error {
 ctrl.SetLogger(zap.New(zap.UseFlagOptions(&config.zapOpts)))
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
- Scheme: scheme,
- MetricsBindAddress: config.metricsAddr,
+ Scheme: scheme,
+ Metrics: metricsserver.Options{
+ BindAddress: config.metricsAddr,
+ },
 HealthProbeBindAddress: config.probeAddr,
 LeaderElection: false,
- Host: addr,
- Port: port,
- CertDir: config.certDir,
+ WebhookServer: webhook.NewServer(webhook.Options{
+ Host: addr,
+ Port: port,
+ CertDir: config.certDir,
+ }),
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
diff --git a/hooks/suite_test.go b/hooks/suite_test.go
index eff2af5..7ac268c 100644
--- a/hooks/suite_test.go
+++ b/hooks/suite_test.go
@@ -27,6 +27,8 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/envtest"
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
+ metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
@@ -95,11 +97,15 @@ var _ = BeforeSuite(func() {
 webhookInstallOptions := &testEnv.WebhookInstallOptions
 mgr, err := ctrl.NewManager(k8sConfig, ctrl.Options{
 Scheme: scheme,
- Host: webhookInstallOptions.LocalServingHost,
- Port: webhookInstallOptions.LocalServingPort,
- CertDir: webhookInstallOptions.LocalServingCertDir,
- LeaderElection: false,
- MetricsBindAddress: "0",
+ WebhookServer: webhook.NewServer(webhook.Options{
+ Host: webhookInstallOptions.LocalServingHost,
+ Port: webhookInstallOptions.LocalServingPort,
+ CertDir: webhookInstallOptions.LocalServingCertDir,
+ }),
+ LeaderElection: false,
+ Metrics: metricsserver.Options{
+ BindAddress: "0",
+ },
 })
 Expect(err).NotTo(HaveOccurred())
From 3e3722bd7cbac2e8f478d21866fc13953671cf84 Mon Sep 17 00:00:00 2001
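Review bot: The metrics endpoint configured by `Metrics: metricsserver.Options{BindAddress: config.metricsAddr}` is served as plain HTTP with no authentication, which is what `metricsserver.Options` does unless `SecureServing` is set; if that address is reachable from outside the pod it is worth enabling `SecureServing: true` together with `FilterProvider: filters.WithAuthenticationAndAuthorization` (from `sigs.k8s.io/controller-runtime/pkg/metrics/filters`) so scrapes need a service-account token authorized for `/metrics`. The old `MetricsBindAddress` field behaved the same way, so this is carried-over behaviour rather than a regression, and whether it matters depends on the deployment's network policy, which this hunk does not show. A one-line comment above `Metrics:` recording the decision either way, e.g. `// metrics are served without TLS/auth; rely on NetworkPolicy or enable SecureServing`, would save the next reader the same question. `run` begins and ends outside this hunk.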
From: Maho Takara
Date: Fri, 17 May 2024 08:04:57 +0000
Subject: [PATCH 06/23] update for sigs.k8s.io/controller-runtime v0.18.2
---
 cmd/sub/run.go | 7 ++++---
 go.mod | 12 +++++++-----
 go.sum | 18 ++++++++----------
 hooks/mutate_pod.go | 2 +-
 hooks/suite_test.go | 18 +++++++++--------
 hooks/validate_pod.go | 2 +-
 hooks/validators/deny_unsafe_apparmor.go | 4 ++--
 7 files changed, 32 insertions(+), 31 deletions(-)
diff --git a/cmd/sub/run.go b/cmd/sub/run.go
index 08d55c4..6c141b3 100644
--- a/cmd/sub/run.go
+++ b/cmd/sub/run.go
@@ -8,9 +8,9 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/healthz"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
- "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 "sigs.k8s.io/controller-runtime/pkg/webhook"
+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 var (
@@ -48,10 +48,11 @@ func run(addr string, port int, profs []hooks.SecurityProfile) error {
 // register webhook handlers
 // admission.NewDecoder never returns non-nil error
 dec := admission.NewDecoder(scheme)
+ wh := mgr.GetWebhookServer()
 for _, prof := range profs {
- wh.Register("/mutate-"+prof.Name, hooks.NewPodMutator(mgr.GetClient(), ctrl.Log.WithName("mutate-"+prof.Name), dec, prof))
- wh.Register("/validate-"+prof.Name, hooks.NewPodValidator(mgr.GetClient(), ctrl.Log.WithName("validate-"+prof.Name), dec, prof))
+ wh.Register("/mutate-"+prof.Name, hooks.NewPodMutator(mgr.GetClient(), ctrl.Log.WithName("mutate-"+prof.Name), &dec, prof))
+ wh.Register("/validate-"+prof.Name, hooks.NewPodValidator(mgr.GetClient(), ctrl.Log.WithName("validate-"+prof.Name), &dec, prof))
 }
 // +kubebuilder:scaffold:builder
diff --git a/go.mod b/go.mod
index 8819667..1c70f7b 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,8 @@
 module github.com/cybozu-go/pod-security-admission
-go 1.22.3
+go 1.22.0
+
+toolchain go1.22.2
 require (
 github.com/go-logr/logr v1.4.1
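Review bot: Passing `&dec` to `hooks.NewPodMutator` and `hooks.NewPodValidator` hands the hooks a pointer to an interface value — in controller-runtime v0.17 and later `admission.NewDecoder` returns the `admission.Decoder` interface, so `&dec` is a `*admission.Decoder` — and that is what forces the awkward method-expression call `admission.Decoder.Decode(*m.decoder, req, po)` in the hooks/mutate_pod.go and hooks/validate_pod.go hunks below; the `&dec` arguments in the hooks/suite_test.go hunks have the same shape. A pointer to an interface adds an indirection and a nil-dereference hazard without buying anything, so the cleaner form is to store the interface by value and pass it directly: `wh.Register("/mutate-"+prof.Name, hooks.NewPodMutator(mgr.GetClient(), ctrl.Log.WithName("mutate-"+prof.Name), dec, prof))`, with the hooks calling `m.decoder.Decode(req, po)`. That means changing the `decoder` field type and the two constructor signatures, which sit outside these hunks. The context comment `// admission.NewDecoder never returns non-nil error` is also stale now that `NewDecoder` has no error result and could be dropped. `run` continues past this hunk.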
@@ -41,14 +43,14 @@ require (
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
- github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+ github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/pkg/errors v0.9.1 // indirect
- github.com/prometheus/client_golang v1.16.0 // indirect
- github.com/prometheus/client_model v0.4.0 // indirect
- github.com/prometheus/common v0.44.0 // indirect
+ github.com/prometheus/client_golang v1.18.0 // indirect
+ github.com/prometheus/client_model v0.5.0 // indirect
+ github.com/prometheus/common v0.45.0 // indirect
 github.com/prometheus/procfs v0.12.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 go.uber.org/multierr v1.11.0 // indirect
diff --git a/go.sum b/go.sum
index a276177..70ffee7 100644
--- a/go.sum
+++ b/go.sum
@@ -31,7 +31,6 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
@@ -66,8 +65,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
-github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -83,12 +82,12 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
-github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
-github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
-github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
-github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
-github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
+github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
+github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
+github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
@@ -131,7 +130,6 @@ golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
 golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4=
 golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/hooks/mutate_pod.go b/hooks/mutate_pod.go
index 725b510..a5b305f 100644
--- a/hooks/mutate_pod.go
+++ b/hooks/mutate_pod.go
@@ -50,7 +50,7 @@ func (m *podMutator) Handle(ctx context.Context, req admission.Request) admissio
 m.log.Info("mutating pod,", "name", namespacedName, "profile", m.profileName)
 po := &corev1.Pod{}
- err := m.decoder.Decode(req, po)
+ err := admission.Decoder.Decode(*m.decoder, req, po)
 if err != nil {
 m.log.Error(err, "failed to decode pod", "name", namespacedName, "profile", m.profileName)
 return admission.Errored(http.StatusBadRequest, err)
diff --git a/hooks/suite_test.go b/hooks/suite_test.go
index 7ac268c..b05b6ae 100644
--- a/hooks/suite_test.go
+++ b/hooks/suite_test.go
@@ -96,7 +96,7 @@ var _ = BeforeSuite(func() {
 // start webhook server using Manager
 webhookInstallOptions := &testEnv.WebhookInstallOptions
 mgr, err := ctrl.NewManager(k8sConfig, ctrl.Options{
- Scheme: scheme,
+ Scheme: scheme,
 WebhookServer: webhook.NewServer(webhook.Options{
 Host: webhookInstallOptions.LocalServingHost,
 Port: webhookInstallOptions.LocalServingPort,
@@ -129,8 +129,8 @@ var _ = BeforeSuite(func() {
 AllowPrivilegeEscalation: true,
 RunAsRoot: true,
 }
- wh.Register(baselineValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(baselineValidatingWebhookPath), dec, baselineProfile))
- wh.Register(baselineMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(baselineMutatingWebhookPath), dec, baselineProfile))
+ wh.Register(baselineValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(baselineValidatingWebhookPath), &dec, baselineProfile))
+ wh.Register(baselineMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(baselineMutatingWebhookPath), &dec, baselineProfile))
 // "hostpath" profile = "baseline" profile + AllowedHostPaths
 hostpathProfile := SecurityProfile{
@@ -155,21 +155,21 @@ var _ = BeforeSuite(func() {
 AllowPrivilegeEscalation: true,
 RunAsRoot: true,
 }
- wh.Register(hostpathValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(hostpathValidatingWebhookPath), dec, hostpathProfile))
- wh.Register(hostpathMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(hostpathMutatingWebhookPath), dec, hostpathProfile))
+ wh.Register(hostpathValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(hostpathValidatingWebhookPath), &dec, hostpathProfile))
+ wh.Register(hostpathMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(hostpathMutatingWebhookPath), &dec, hostpathProfile))
 restrictedProfile := SecurityProfile{
 Name: "restricted",
 }
- wh.Register(restrictedValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(restrictedValidatingWebhookPath), dec, restrictedProfile))
- wh.Register(restrictedMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(restrictedMutatingWebhookPath), dec, restrictedProfile))
+ wh.Register(restrictedValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(restrictedValidatingWebhookPath), &dec, restrictedProfile))
+ wh.Register(restrictedMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(restrictedMutatingWebhookPath), &dec, restrictedProfile))
 mutatingProfile := SecurityProfile{
 Name: "mutating",
 ForceRunAsNonRoot: true,
 }
- wh.Register(mutatingValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(mutatingValidatingWebhookPath), dec, mutatingProfile))
- wh.Register(mutatingMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(mutatingMutatingWebhookPath), dec, mutatingProfile))
+ wh.Register(mutatingValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(mutatingValidatingWebhookPath), &dec, mutatingProfile))
+ wh.Register(mutatingMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(mutatingMutatingWebhookPath), &dec, mutatingProfile))
 //+kubebuilder:scaffold:webhook
diff --git a/hooks/validate_pod.go b/hooks/validate_pod.go
index e11b30a..7730e1a 100644
--- a/hooks/validate_pod.go
+++ b/hooks/validate_pod.go
@@ -89,7 +89,7 @@ func (v *podValidator) Handle(ctx context.Context, req admission.Request) admiss
 v.log.Info("validating pod", "name", namespacedName, "profile", v.profileName)
 po := &corev1.Pod{}
- err := v.decoder.Decode(req, po)
+ err := admission.Decoder.Decode(*v.decoder, req, po)
 if err != nil {
 v.log.Error(err, "failed to decode pod", "name", namespacedName, "profile", v.profileName)
 return admission.Errored(http.StatusBadRequest, err)
diff --git a/hooks/validators/deny_unsafe_apparmor.go b/hooks/validators/deny_unsafe_apparmor.go
index bcb6460..24ccdfa 100644
--- a/hooks/validators/deny_unsafe_apparmor.go
+++ b/hooks/validators/deny_unsafe_apparmor.go
@@ -17,8 +17,8 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 var errs field.ErrorList
 for k, v := range pod.Annotations {
- if strings.HasPrefix(k, corev1.AppArmorBetaContainerAnnotationKeyPrefix) &&
- v != corev1.AppArmorBetaProfileRuntimeDefault {
+ if strings.HasPrefix(k, corev1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix) &&
+ v != corev1.DeprecatedAppArmorBetaProfileRuntimeDefault {
 errs = append(errs, field.Forbidden(p.Key(k), fmt.Sprintf("%s is not an allowed AppArmor profile", v)))
 }
 }
From 2ba371cc625efabd1ac3587b5ee3dca1f19872a5 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 08:30:14 +0000
Subject: [PATCH 07/23] update for ENVTEST_K8S_VERSION
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index b79957b..bddcc4c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-ENVTEST_K8S_VERSION = 1.30.1
+ENVTEST_K8S_VERSION = 1.27.1
 # Set the shell used to bash for better error handling.
 SHELL = /bin/bash
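Review bot: In the hooks/validators/deny_unsafe_apparmor.go hunk the loop `for k, v := range pod.Annotations` shadows the receiver `v DenyUnsafeAppArmor` named in the hunk header, so inside the loop `v` is the annotation value rather than the validator; it compiles, but it is the kind of shadowing that bites the next person who adds a `v.`-method call there. Renaming the loop variables, `for key, profile := range pod.Annotations {`, and using `profile` in the `!=` comparison and the `Forbidden` message keeps the receiver reachable and reads as intended. The renamed constants are explicitly the deprecated annotation keys; since Kubernetes 1.30 an AppArmor profile can also be declared through `securityContext.appArmorProfile`, which an annotation-only check never sees — PATCH 13 later in this series appears to extend this validator, so that belongs to that hunk rather than this one. `Validate` begins before the hunk and ends after it.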
From c281b3fed45c452d5b7d48f80320f954c684fd5d Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 08:45:35 +0000
Subject: [PATCH 08/23] update aqua ver
---
 .github/actions/aqua/action.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
index 9887526..b89b57b 100644
--- a/.github/actions/aqua/action.yaml
+++ b/.github/actions/aqua/action.yaml
@@ -7,8 +7,8 @@ inputs:
 runs:
 using: composite
 steps:
- - uses: aquaproj/aqua-installer@4551ec64e21bf0f557c2525135ff0bd2cba40ec7 # v3.0.0
+ - uses: aquaproj/aqua-installer@v3.0.0 # v3.0.0
 with:
- aqua_version: v2.25.2
+ aqua_version: v2.28.0
 env:
 GITHUB_TOKEN: ${{ inputs.github_token }}
From 2ef72ed407aef467a705ac3a672becd43d0ce80d Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 08:49:21 +0000
Subject: [PATCH 09/23] update aqua ver 2.27.4
---
 .github/actions/aqua/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
index b89b57b..5995f3f 100644
--- a/.github/actions/aqua/action.yaml
+++ b/.github/actions/aqua/action.yaml
@@ -9,6 +9,6 @@ runs:
 steps:
 - uses: aquaproj/aqua-installer@v3.0.0 # v3.0.0
 with:
- aqua_version: v2.28.0
+ aqua_version: v2.27.4
 env:
 GITHUB_TOKEN: ${{ inputs.github_token }}
From 9ffd6ece7cea5a2cb670ca87df2c7e0a62d8b48c Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Fri, 17 May 2024 08:50:45 +0000
Subject: [PATCH 10/23] update aqua ver 2.25.1
---
 .github/actions/aqua/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
index 5995f3f..a75ee20 100644
--- a/.github/actions/aqua/action.yaml
+++ b/.github/actions/aqua/action.yaml
@@ -9,6 +9,6 @@ runs:
 steps:
 - uses: aquaproj/aqua-installer@v3.0.0 # v3.0.0
 with:
- aqua_version: v2.27.4
+ aqua_version: v2.25.1
 env:
 GITHUB_TOKEN: ${{ inputs.github_token }}
From b913430cef5d0ec166cb33bdeef786ac48467370 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Thu, 23 May 2024 04:37:18 +0000
Subject: [PATCH 11/23] update for review comment
---
 .github/actions/aqua/action.yaml | 2 +-
 hooks/mutate_pod.go | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
index a75ee20..02f2e19 100644
--- a/.github/actions/aqua/action.yaml
+++ b/.github/actions/aqua/action.yaml
@@ -7,7 +7,7 @@ inputs:
 runs:
 using: composite
 steps:
- - uses: aquaproj/aqua-installer@v3.0.0 # v3.0.0
+ - uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1
 with:
 aqua_version: v2.25.1
 env:
diff --git a/hooks/mutate_pod.go b/hooks/mutate_pod.go
index a5b305f..3dfa799 100644
--- a/hooks/mutate_pod.go
+++ b/hooks/mutate_pod.go
@@ -12,6 +12,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/webhook"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+ "k8s.io/apimachinery/pkg/runtime"
 )
 type podMutator struct {
@@ -50,7 +51,7 @@ func (m *podMutator) Handle(ctx context.Context, req admission.Request) admissio
 m.log.Info("mutating pod,", "name", namespacedName, "profile", m.profileName)
 po := &corev1.Pod{}
- err := admission.Decoder.Decode(*m.decoder, req, po)
+ err := admission.NewDecoder(runtime.NewScheme()).Decode(req, po)
 if err != nil {
 m.log.Error(err, "failed to decode pod", "name", namespacedName, "profile", m.profileName)
 return admission.Errored(http.StatusBadRequest, err)
From 29ea0f32a1b7b721cee2d887bbb24c194bae73a5 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Thu, 23 May 2024 04:43:48 +0000
Subject: [PATCH 12/23] update by gofmt
---
 hooks/mutate_pod.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hooks/mutate_pod.go b/hooks/mutate_pod.go
index 3dfa799..f4aa9bc 100644
--- a/hooks/mutate_pod.go
+++ b/hooks/mutate_pod.go
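Review bot: The version label on the restored pin, `# v3.0.1` after `aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c`, disagrees with the labels the very same commit carries earlier in this series — `# v2.2.0` in PATCH 03 and `# v2.28.0` in PATCH 04 — and a commit resolves to at most one release tag, so at least two of the three comments are wrong. Going back to a full SHA instead of the mutable `@v3.0.0` tag is the right call for a step that receives `GITHUB_TOKEN`, but the comment is what reviewers and pin-updating tools read to know which release the SHA is, so it should be checked against the upstream tag before this is merged. If the SHA turns out not to be the v3.0.1 release, both the SHA and the label need to change together.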
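Review bot: `err := admission.NewDecoder(runtime.NewScheme()).Decode(req, po)` builds a brand-new, empty `runtime.Scheme` and a fresh decoder on every admission request, and it leaves the decoder injected through the struct's `decoder` field unused in `Handle`; that injected decoder was built from the manager's `scheme`, the one that actually registers the Pod type. Decoding presumably still succeeds only because the JSON path falls back to plain unmarshalling for a type the scheme does not know, which is incidental behaviour rather than a contract, and the per-request allocation of a scheme plus codec factory is avoidable. Prefer the injected decoder, held as a plain `admission.Decoder` rather than `*admission.Decoder`, so the line becomes `err := m.decoder.Decode(req, po)`; the field and constructor types sit outside this hunk. Note that hooks/validate_pod.go still uses the `admission.Decoder.Decode(*v.decoder, req, po)` form from PATCH 06, so after this commit the two hooks decode the same request in two different ways. `Handle` begins before the hunk and ends after it.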
@@ -8,11 +8,11 @@ import (
 "github.com/cybozu-go/pod-security-admission/hooks/mutators"
 "github.com/go-logr/logr"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/webhook"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
- "k8s.io/apimachinery/pkg/runtime"
 )
 type podMutator struct {
From db80933d11eb0f8bfd8ce57cbfe59cd61ff15f7b Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Tue, 4 Jun 2024 06:36:22 +0000
Subject: [PATCH 13/23] Adapt k8s-1.30 PSS
---
 Makefile | 2 +-
 hooks/ephemeral_container_test.go | 1 +
 hooks/suite_test.go | 2 +-
 hooks/testdata/baseline/apparmor-profile.yaml | 20 ++++++++++
 .../testdata/privileged/apparmor-profile.yaml | 22 ++++++++++
 hooks/testdata/privileged/procmount1.yaml | 1 +
 hooks/testdata/privileged/procmount2.yaml | 1 +
 .../testdata/restricted/apparmor-profile.yaml | 21 ++++++++++
 hooks/testdata/restricted/safe-sysctl2.yaml | 23 +++++++++++
 hooks/validate_pod_test.go | 3 --
 hooks/validators/deny_unsafe_apparmor.go | 40 +++++++++++++++++++
 hooks/validators/deny_unsafe_sysctls.go | 5 +++
 12 files changed, 136 insertions(+), 5 deletions(-)
 create mode 100644 hooks/testdata/baseline/apparmor-profile.yaml
 create mode 100644 hooks/testdata/privileged/apparmor-profile.yaml
 create mode 100644 hooks/testdata/restricted/apparmor-profile.yaml
 create mode 100644 hooks/testdata/restricted/safe-sysctl2.yaml
diff --git a/Makefile b/Makefile
index bddcc4c..39e65d9 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-ENVTEST_K8S_VERSION = 1.27.1
+ENVTEST_K8S_VERSION = 1.30.0
 # Set the shell used to bash for better error handling.
 SHELL = /bin/bash
diff --git a/hooks/ephemeral_container_test.go b/hooks/ephemeral_container_test.go
index 7b80428..3baa717 100644
--- a/hooks/ephemeral_container_test.go
+++ b/hooks/ephemeral_container_test.go
@@ -26,6 +26,7 @@ metadata:
 namespace: %s
 name: %s
 spec:
+ hostUsers: false
 containers:
 - name: ubuntu
 image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/suite_test.go b/hooks/suite_test.go
index b05b6ae..d57e907 100644
--- a/hooks/suite_test.go
+++ b/hooks/suite_test.go
@@ -72,7 +72,7 @@ var _ = BeforeSuite(func() {
 },
 },
 }
- testEnv.ControlPlane.GetAPIServer().Configure().Append("feature-gates", "ProcMountType=true")
+ testEnv.ControlPlane.GetAPIServer().Configure().Append("feature-gates", "ProcMountType=true", "UserNamespacesSupport=true")
 var err error
 k8sConfig, err = testEnv.Start()
diff --git a/hooks/testdata/baseline/apparmor-profile.yaml b/hooks/testdata/baseline/apparmor-profile.yaml
new file mode 100644
index 0000000..bafc8e5
--- /dev/null
+++ b/hooks/testdata/baseline/apparmor-profile.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: apparmorprofile0
+spec:
+ securityContext:
+ appArmorProfile:
+ type: RuntimeDefault
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ appArmorProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ appArmorProfile:
+ type: RuntimeDefault
diff --git a/hooks/testdata/privileged/apparmor-profile.yaml b/hooks/testdata/privileged/apparmor-profile.yaml
new file mode 100644
index 0000000..0fa63cd
--- /dev/null
+++ b/hooks/testdata/privileged/apparmor-profile.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: apparmorprofile1
+spec:
+ securityContext:
+ runAsNonRoot: true
+ appArmorProfile:
+ type: RuntimeDefault
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ appArmorProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ appArmorProfile:
+ type: Localhost
+ localhostProfile: k8s-apparmor-example-deny-write
diff --git a/hooks/testdata/privileged/procmount1.yaml b/hooks/testdata/privileged/procmount1.yaml
index ba9898c..f7c5f19 100644
--- a/hooks/testdata/privileged/procmount1.yaml
+++ b/hooks/testdata/privileged/procmount1.yaml
@@ -5,6 +5,7 @@ metadata:
 annotations:
 test.pod-security.cybozu.com/message: "denied the request: spec.containers[0].securityContext.procMount: Forbidden: ProcMountType Unmasked is not allowed"
 spec:
+ hostUsers: false
 securityContext:
 runAsNonRoot: true
 containers:
diff --git a/hooks/testdata/privileged/procmount2.yaml b/hooks/testdata/privileged/procmount2.yaml
index cbd8861..daf6b72 100644
--- a/hooks/testdata/privileged/procmount2.yaml
+++ b/hooks/testdata/privileged/procmount2.yaml
@@ -5,6 +5,7 @@ metadata:
 annotations:
 test.pod-security.cybozu.com/message: "denied the request: spec.initContainers[0].securityContext.procMount: Forbidden: ProcMountType Unmasked is not allowed"
 spec:
+ hostUsers: false
 securityContext:
 runAsNonRoot: true
 containers:
diff --git a/hooks/testdata/restricted/apparmor-profile.yaml b/hooks/testdata/restricted/apparmor-profile.yaml
new file mode 100644
index 0000000..a0a5661
--- /dev/null
+++ b/hooks/testdata/restricted/apparmor-profile.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: apparmorprofile2
+spec:
+ securityContext:
+ runAsNonRoot: true
+ appArmorProfile:
+ type: RuntimeDefault
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ appArmorProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ appArmorProfile:
+ type: RuntimeDefault
diff --git a/hooks/testdata/restricted/safe-sysctl2.yaml b/hooks/testdata/restricted/safe-sysctl2.yaml
new file mode 100644
index 0000000..d885b84
--- /dev/null
+++ b/hooks/testdata/restricted/safe-sysctl2.yaml
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: safe-sysctl-2 +spec: + securityContext: + runAsNonRoot: true + sysctls: + - name: net.ipv4.ping_group_range + value: "100 100" + - name: net.ipv4.ip_local_reserved_ports + value: "8080,9148" + - name: net.ipv4.tcp_keepalive_time + value: "100" + - name: net.ipv4.tcp_fin_timeout + value: "10" + - name: net.ipv4.tcp_keepalive_intvl + value: "60" + - name: net.ipv4.tcp_keepalive_probes + value: "5" + containers: + - name: ubuntu + image: ghcr.io/cybozu/ubuntu diff --git a/hooks/validate_pod_test.go b/hooks/validate_pod_test.go index d44bbf9..d2a64d9 100644 --- a/hooks/validate_pod_test.go +++ b/hooks/validate_pod_test.go @@ -44,21 +44,18 @@ var _ = Describe("validate Pod webhook", func() { validatePod(filepath.Join("testdata", "baseline"), "privileged", true) validatePod(filepath.Join("testdata", "restricted"), "privileged", true) }) - It("should deny privileged pods in hostpath namespace", func() { validatePod(filepath.Join("testdata", "privileged"), "hostpath", false) validatePod(filepath.Join("testdata", "hostpath"), "hostpath", true) validatePod(filepath.Join("testdata", "baseline"), "hostpath", true) validatePod(filepath.Join("testdata", "restricted"), "hostpath", true) }) - It("should deny privileged and hostpath pods in baseline namespace", func() { validatePod(filepath.Join("testdata", "privileged"), "baseline", false) validatePod(filepath.Join("testdata", "hostpath"), "baseline", false) validatePod(filepath.Join("testdata", "baseline"), "baseline", true) validatePod(filepath.Join("testdata", "restricted"), "baseline", true) }) - It("should deny privileged, hostpath, and baseline pods in restricted namespace", func() { validatePod(filepath.Join("testdata", "privileged"), "restricted", false) validatePod(filepath.Join("testdata", "hostpath"), "restricted", false) diff --git a/hooks/validators/deny_unsafe_apparmor.go b/hooks/validators/deny_unsafe_apparmor.go index 24ccdfa..932d4c1 100644 
--- a/hooks/validators/deny_unsafe_apparmor.go +++ b/hooks/validators/deny_unsafe_apparmor.go 
@@ -22,5 +22,45 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 errs = append(errs, field.Forbidden(p.Key(k), fmt.Sprintf("%s is not an allowed AppArmor profile", v)))
 }
 }
+
+ p0 := field.NewPath("spec").Child("SecurityContext")
+ hasPodAppArmorProfile := pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.AppArmorProfile != nil
+ if hasPodAppArmorProfile {
+ isTypeUnconfined := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
+ isTypeRuntimeDefault := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
+ isTypeLocalhost := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
+ hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+ if hasNotAllowedType {
+ errs = append(errs, field.Forbidden(p0.Child("AppArmorProfile"), "not an allowed *** AppArmor *** profile"))
+ }
+ }
+
+ p1 := p.Child("containers")
+ for i, co := range pod.Spec.Containers {
+ hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
+ if hasPodAppArmorProfile {
+ isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
+ isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
+ isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
+ hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+ if hasNotAllowedType {
+ errs = append(errs, field.Forbidden( p1.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any" )))
+ }
+ }
+ }
+
+ p2 := p.Child("initContainers")
+ for i, co := range pod.Spec.Containers {
+ hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
+ if hasPodAppArmorProfile {
+ isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
+ isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
+ isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
+ hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+ if hasNotAllowedType {
+ errs = append(errs, field.Forbidden( p2.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any" )))
+ }
+ }
+ }
 return errs
 }
diff --git a/hooks/validators/deny_unsafe_sysctls.go b/hooks/validators/deny_unsafe_sysctls.go
index 00caf26..ba67d89 100644
--- a/hooks/validators/deny_unsafe_sysctls.go
+++ b/hooks/validators/deny_unsafe_sysctls.go
@@ -14,6 +14,11 @@ var allowedSysctls = map[string]struct{}{
 "net.ipv4.tcp_syncookies": {},
 "net.ipv4.ping_group_range": {},
 "net.ipv4.ip_unprivileged_port_start": {},
+ "net.ipv4.ip_local_reserved_ports": {}, // since Kubernetes 1.27
+ "net.ipv4.tcp_keepalive_time": {}, // since Kubernetes 1.29
+ "net.ipv4.tcp_fin_timeout": {}, // since Kubernetes 1.29
+ "net.ipv4.tcp_keepalive_intvl": {}, // since Kubernetes 1.29
+ "net.ipv4.tcp_keepalive_probes": {}, // since Kubernetes 1.29
 }
 
 // DenyUnsafeSysctls is a Validator that denies usage of unsafe sysctls
From c4f825fe193afc0e992fdd35916882eb8be2762e Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Tue, 4 Jun 2024 06:39:26 +0000
Subject: [PATCH 14/23] Fix for gofmt

---
 hooks/validators/deny_unsafe_apparmor.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hooks/validators/deny_unsafe_apparmor.go b/hooks/validators/deny_unsafe_apparmor.go
index 932d4c1..bf33677 100644
--- a/hooks/validators/deny_unsafe_apparmor.go
+++ b/hooks/validators/deny_unsafe_apparmor.go
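Review bot: The third block, introduced at `p2 := p.Child("initContainers")`, ranges over `pod.Spec.Containers` again instead of `pod.Spec.InitContainers`, so init containers are never inspected for a disallowed AppArmor profile while regular containers are reported twice under two different paths; the loop header should read `for i, co := range pod.Spec.InitContainers {`. The same loop survives unchanged through the gofmt, error-message and "fix miss understanding" revisions of this file later in the series. As written the allowed set also includes `AppArmorProfileTypeUnconfined`, which is the one type a baseline or restricted profile exists to reject, and the three near-identical blocks plus the capitalised path segments `SecurityContext` and `AppArmorProfile` (which do not match the JSON field names other validators report) would collapse into one helper; the sketch below uses the allowed set the later revision settles on. Validate's body starts outside the hunk.
```go
// forbiddenAppArmor returns a Forbidden error at p.appArmorProfile when prof
// names a profile type outside the allowed set; nil when prof is absent or allowed.
func forbiddenAppArmor(prof *corev1.AppArmorProfile, p *field.Path) *field.Error {
	if prof == nil {
		return nil
	}
	switch prof.Type {
	case corev1.AppArmorProfileTypeRuntimeDefault, corev1.AppArmorProfileTypeLocalhost:
		return nil
	}
	return field.Forbidden(p.Child("appArmorProfile"), fmt.Sprintf("%v is not an allowed AppArmor profile", prof.Type))
}

	// … unchanged: annotation-based AppArmor check at the top of Validate …
	if sc := pod.Spec.SecurityContext; sc != nil {
		if e := forbiddenAppArmor(sc.AppArmorProfile, field.NewPath("spec", "securityContext")); e != nil {
			errs = append(errs, e)
		}
	}
	for i, co := range pod.Spec.Containers {
		if co.SecurityContext != nil {
			if e := forbiddenAppArmor(co.SecurityContext.AppArmorProfile, field.NewPath("spec", "containers").Index(i).Child("securityContext")); e != nil {
				errs = append(errs, e)
			}
		}
	}
	for i, co := range pod.Spec.InitContainers {
		if co.SecurityContext != nil {
			if e := forbiddenAppArmor(co.SecurityContext.AppArmorProfile, field.NewPath("spec", "initContainers").Index(i).Child("securityContext")); e != nil {
				errs = append(errs, e)
			}
		}
	}
	return errs
```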
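Review bot: The five new allowlist entries are a documentation point: each trailing comment gives the Kubernetes release that promoted the sysctl to the safe set, but nothing states which upstream list the map as a whole mirrors, nor that the webhook performs no node-version check. A header on the map would make the maintenance rule explicit, e.g. `// allowedSysctls mirrors the "safe" sysctl set of the Pod Security Standards as of Kubernetes 1.30; per-entry comments give the release that added the entry, and a kubelet older than that release may still refuse the sysctl.` The map declaration starts outside the hunk.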
@@ -30,7 +30,7 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field isTypeRuntimeDefault := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault isTypeLocalhost := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost) - if hasNotAllowedType { + if hasNotAllowedType { errs = append(errs, field.Forbidden(p0.Child("AppArmorProfile"), "not an allowed *** AppArmor *** profile")) } } @@ -39,12 +39,12 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field for i, co := range pod.Spec.Containers { hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil if hasPodAppArmorProfile { - isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined + isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost) - if hasNotAllowedType { - errs = append(errs, field.Forbidden( p1.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any" ))) + if hasNotAllowedType { + errs = append(errs, field.Forbidden(p1.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any"))) } } } 
@@ -57,8 +57,8 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost) - if hasNotAllowedType { - errs = append(errs, field.Forbidden( p2.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any" ))) + if hasNotAllowedType { + errs = append(errs, field.Forbidden(p2.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any"))) } } } From 5852d6676fc31dc9f49ed0b2117e4d6dcc9f7f57 Mon Sep 17 00:00:00 2001 From: Maho Takara Date: Tue, 4 Jun 2024 07:14:06 +0000 Subject: [PATCH 15/23] update error message --- hooks/validators/deny_unsafe_apparmor.go | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/hooks/validators/deny_unsafe_apparmor.go b/hooks/validators/deny_unsafe_apparmor.go index bf33677..47ed39b 100644 --- a/hooks/validators/deny_unsafe_apparmor.go +++ b/hooks/validators/deny_unsafe_apparmor.go @@ -23,7 +23,7 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field } } - p0 := field.NewPath("spec").Child("SecurityContext") + p = field.NewPath("spec").Child("SecurityContext") hasPodAppArmorProfile := pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.AppArmorProfile != nil if hasPodAppArmorProfile { isTypeUnconfined := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined 
@@ -31,11 +31,12 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 isTypeLocalhost := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
 hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
 if hasNotAllowedType {
- errs = append(errs, field.Forbidden(p0.Child("AppArmorProfile"), "not an allowed *** AppArmor *** profile"))
+ // errs = append(errs, field.Forbidden(p.Child("AppArmorProfile"), fmt.Sprintf("%v is not an allowed AppArmor profile", pod.Spec.SecurityContext.AppArmorProfile.Type)))
+ errs = append(errs, field.Forbidden(p, fmt.Sprintf("%v is not an allowed AppArmor profile", pod.Spec.SecurityContext.AppArmorProfile.Type)))
 }
 }
 
- p1 := p.Child("containers")
+ p = p.Child("containers")
 for i, co := range pod.Spec.Containers {
 hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
 if hasPodAppArmorProfile {
@@ -44,12 +45,12 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
 hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
 if hasNotAllowedType {
- errs = append(errs, field.Forbidden(p1.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any")))
+ errs = append(errs, field.Forbidden(p.Index(i), fmt.Sprintf("%v is not an allowed AppArmor profile", co.SecurityContext.AppArmorProfile.Type)))
 }
 }
 }
 
- p2 := p.Child("initContainers")
+ p = p.Child("initContainers")
 for i, co := range pod.Spec.Containers {
 hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
 if hasPodAppArmorProfile {
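Review bot: Reusing `p` cumulatively in the `@@ -31,11` and `@@ -44,12` hunks makes the reported field paths wrong: after `p = field.NewPath("spec").Child("SecurityContext")` (set in the preceding hunk), `p = p.Child("containers")` yields `spec.SecurityContext.containers[i]` and `p = p.Child("initContainers")` yields `spec.SecurityContext.containers.initContainers[i]`, which is exactly the shape the ephemeral-container test at the end of the series ends up asserting. Each section needs a fresh root, `p = field.NewPath("spec", "containers")` and `p = field.NewPath("spec", "initContainers")`, and the pod-level error should point at `spec.securityContext.appArmorProfile` using the JSON field names. Validate's body starts and ends outside these hunks.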
@@ -58,7 +59,7 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost) if hasNotAllowedType { - errs = append(errs, field.Forbidden(p2.Index(i), fmt.Sprintf("%s not an allowed *** AppArmor *** profile", "any"))) + errs = append(errs, field.Forbidden(p.Index(i), fmt.Sprintf("%v is not an allowed AppArmor profile", co.SecurityContext.AppArmorProfile.Type))) } } } From ca545850c2dafe47dbe0502761ca234ceb09d693 Mon Sep 17 00:00:00 2001 From: Maho Takara Date: Tue, 4 Jun 2024 08:40:28 +0000 Subject: [PATCH 16/23] update .... --- hooks/mutate_pod.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hooks/mutate_pod.go b/hooks/mutate_pod.go index f4aa9bc..e88cf7a 100644 --- a/hooks/mutate_pod.go +++ b/hooks/mutate_pod.go @@ -51,7 +51,8 @@ func (m *podMutator) Handle(ctx context.Context, req admission.Request) admissio m.log.Info("mutating pod,", "name", namespacedName, "profile", m.profileName) po := &corev1.Pod{} - err := admission.NewDecoder(runtime.NewScheme()).Decode(req, po) + d := admission.NewDecoder(runtime.NewScheme()) + err:= d.Decode(req, po) if err != nil { m.log.Error(err, "failed to decode pod", "name", namespacedName, "profile", m.profileName) return admission.Errored(http.StatusBadRequest, err) From ce46f1d9000ca2043cbaf611e8623aaadc56e690 Mon Sep 17 00:00:00 2001 From: Maho Takara Date: Tue, 4 Jun 2024 09:07:48 +0000 Subject: [PATCH 17/23] change for API changing --- hooks/mutate_pod.go | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/hooks/mutate_pod.go b/hooks/mutate_pod.go index e88cf7a..ab33d31 100644 --- a/hooks/mutate_pod.go +++ b/hooks/mutate_pod.go 
@@ -8,7 +8,6 @@ import ( "github.com/cybozu-go/pod-security-admission/hooks/mutators" "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/webhook" @@ -18,13 +17,13 @@ import ( type podMutator struct { client client.Client log logr.Logger - decoder *admission.Decoder + decoder admission.Decoder profileName string mutators []mutators.Mutator } // NewPodMutator creates a webhook handler for Pod. -func NewPodMutator(c client.Client, log logr.Logger, dec *admission.Decoder, prof SecurityProfile) http.Handler { +func NewPodMutator(c client.Client, log logr.Logger, dec admission.Decoder, prof SecurityProfile) http.Handler { m := &podMutator{ client: c, log: log, @@ -51,8 +50,7 @@ func (m *podMutator) Handle(ctx context.Context, req admission.Request) admissio m.log.Info("mutating pod,", "name", namespacedName, "profile", m.profileName) po := &corev1.Pod{} - d := admission.NewDecoder(runtime.NewScheme()) - err:= d.Decode(req, po) + err:= m.decoder.Decode(req, po) if err != nil { m.log.Error(err, "failed to decode pod", "name", namespacedName, "profile", m.profileName) return admission.Errored(http.StatusBadRequest, err) From 8586c3626386025a164a574dd7fb0376ae3e48bf Mon Sep 17 00:00:00 2001 From: Maho Takara Date: Tue, 4 Jun 2024 09:15:31 +0000 Subject: [PATCH 18/23] fix syntax error --- hooks/mutate_pod.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hooks/mutate_pod.go b/hooks/mutate_pod.go index ab33d31..b1a0768 100644 --- a/hooks/mutate_pod.go +++ b/hooks/mutate_pod.go 
@@ -50,7 +50,7 @@ func (m *podMutator) Handle(ctx context.Context, req admission.Request) admissio m.log.Info("mutating pod,", "name", namespacedName, "profile", m.profileName) po := &corev1.Pod{} - err:= m.decoder.Decode(req, po) + err := m.decoder.Decode(req, po) if err != nil { m.log.Error(err, "failed to decode pod", "name", namespacedName, "profile", m.profileName) return admission.Errored(http.StatusBadRequest, err) From 17282b1ac85f5807507f38667ad2f06d3cdd0d5d Mon Sep 17 00:00:00 2001 From: Maho Takara Date: Tue, 4 Jun 2024 09:20:22 +0000 Subject: [PATCH 19/23] fix syntax error --- cmd/sub/run.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/sub/run.go b/cmd/sub/run.go index 6c141b3..6b8e0b9 100644 --- a/cmd/sub/run.go +++ b/cmd/sub/run.go @@ -51,7 +51,7 @@ func run(addr string, port int, profs []hooks.SecurityProfile) error { wh := mgr.GetWebhookServer() for _, prof := range profs { - wh.Register("/mutate-"+prof.Name, hooks.NewPodMutator(mgr.GetClient(), ctrl.Log.WithName("mutate-"+prof.Name), &dec, prof)) + wh.Register("/mutate-"+prof.Name, hooks.NewPodMutator(mgr.GetClient(), ctrl.Log.WithName("mutate-"+prof.Name), dec, prof)) wh.Register("/validate-"+prof.Name, hooks.NewPodValidator(mgr.GetClient(), ctrl.Log.WithName("validate-"+prof.Name), &dec, prof)) } From 2d8179d39f20d27dec6f1f9efbd0798e08f89f79 Mon Sep 17 00:00:00 2001 From: Maho Takara Date: Tue, 4 Jun 2024 09:22:14 +0000 Subject: [PATCH 20/23] fix syntax error --- hooks/suite_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hooks/suite_test.go b/hooks/suite_test.go index d57e907..e9a66b1 100644 --- a/hooks/suite_test.go +++ b/hooks/suite_test.go 
@@ -130,7 +130,7 @@ var _ = BeforeSuite(func() { RunAsRoot: true, } wh.Register(baselineValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(baselineValidatingWebhookPath), &dec, baselineProfile)) - wh.Register(baselineMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(baselineMutatingWebhookPath), &dec, baselineProfile)) + wh.Register(baselineMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(baselineMutatingWebhookPath), dec, baselineProfile)) // "hostpath" profile = "baseline" profile + AllowedHostPaths hostpathProfile := SecurityProfile{ 
@@ -156,20 +156,20 @@ var _ = BeforeSuite(func() { RunAsRoot: true, } wh.Register(hostpathValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(hostpathValidatingWebhookPath), &dec, hostpathProfile)) - wh.Register(hostpathMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(hostpathMutatingWebhookPath), &dec, hostpathProfile)) + wh.Register(hostpathMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(hostpathMutatingWebhookPath), dec, hostpathProfile)) restrictedProfile := SecurityProfile{ Name: "restricted", } wh.Register(restrictedValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(restrictedValidatingWebhookPath), &dec, restrictedProfile)) - wh.Register(restrictedMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(restrictedMutatingWebhookPath), &dec, restrictedProfile)) + wh.Register(restrictedMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(restrictedMutatingWebhookPath), dec, restrictedProfile)) mutatingProfile := SecurityProfile{ Name: "mutating", ForceRunAsNonRoot: true, } wh.Register(mutatingValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(mutatingValidatingWebhookPath), &dec, mutatingProfile)) - wh.Register(mutatingMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(mutatingMutatingWebhookPath), &dec, mutatingProfile)) + wh.Register(mutatingMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(mutatingMutatingWebhookPath), dec, mutatingProfile)) //+kubebuilder:scaffold:webhook From 3f6ade1138b594b3d4987322fef900054f6a8f57 Mon Sep 17 00:00:00 2001 
From: Maho Takara Date: Wed, 5 Jun 2024 07:50:21 +0000 Subject: [PATCH 21/23] fix miss understanding etc --- README.md | 2 +- cmd/sub/run.go | 2 +- hooks/ephemeral_container_test.go | 12 ++++++++++++ hooks/suite_test.go | 8 ++++---- hooks/validate_pod.go | 6 +++--- hooks/validators/deny_unsafe_apparmor.go | 10 +++------- 6 files changed, 24 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index ea84758..309e1c9 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ This project is just a stopgap until it is replaced. Pod Security Admission ====================== -pod-security-admission is a set of [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to ensure [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +pod-security-admission is a set of [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to ensure [Pod Security Standards v1.30](https://github.com/kubernetes/website/blob/snapshot-initial-v1.30/content/en/docs/concepts/security/pod-security-standards.md). pod-security-admission aims to be a simple [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) replacement. diff --git a/cmd/sub/run.go b/cmd/sub/run.go index 6b8e0b9..e9d47f2 100644 --- a/cmd/sub/run.go +++ b/cmd/sub/run.go 
@@ -52,7 +52,7 @@ func run(addr string, port int, profs []hooks.SecurityProfile) error { wh := mgr.GetWebhookServer() for _, prof := range profs { wh.Register("/mutate-"+prof.Name, hooks.NewPodMutator(mgr.GetClient(), ctrl.Log.WithName("mutate-"+prof.Name), dec, prof)) - wh.Register("/validate-"+prof.Name, hooks.NewPodValidator(mgr.GetClient(), ctrl.Log.WithName("validate-"+prof.Name), &dec, prof)) + wh.Register("/validate-"+prof.Name, hooks.NewPodValidator(mgr.GetClient(), ctrl.Log.WithName("validate-"+prof.Name), dec, prof)) } // +kubebuilder:scaffold:builder diff --git a/hooks/ephemeral_container_test.go b/hooks/ephemeral_container_test.go index 3baa717..7e146f6 100644 --- a/hooks/ephemeral_container_test.go +++ b/hooks/ephemeral_container_test.go @@ -157,6 +157,18 @@ spec: }, }, }, false, "denied the request: spec.ephemeralContainers[0].securityContext.selinuxOptions: Forbidden: Setting custom SELinux options is not allowed"), + Entry("AllowAppArmor Ephemeral Container", "restricted", "test-allowed-apparmor-ec", corev1.EphemeralContainer{ + EphemeralContainerCommon: corev1.EphemeralContainerCommon{ + Name: "debug", + Image: "ghcr.io/cybozu/ubuntu-debug", + SecurityContext: &corev1.SecurityContext{ + RunAsNonRoot: ptr.To(true), + AppArmorProfile: &corev1.AppArmorProfile{ + Type: "RuntimeDefault", + }, + }, + }, + }, true, ""), ) // runAsNonRoot of an ephemeral container will not be mutated until the following issue is completed. diff --git a/hooks/suite_test.go b/hooks/suite_test.go index e9a66b1..8ca6a1e 100644 --- a/hooks/suite_test.go +++ b/hooks/suite_test.go 
@@ -129,7 +129,7 @@ var _ = BeforeSuite(func() { AllowPrivilegeEscalation: true, RunAsRoot: true, } - wh.Register(baselineValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(baselineValidatingWebhookPath), &dec, baselineProfile)) + wh.Register(baselineValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(baselineValidatingWebhookPath), dec, baselineProfile)) wh.Register(baselineMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(baselineMutatingWebhookPath), dec, baselineProfile)) // "hostpath" profile = "baseline" profile + AllowedHostPaths 
@@ -155,20 +155,20 @@ var _ = BeforeSuite(func() { AllowPrivilegeEscalation: true, RunAsRoot: true, } - wh.Register(hostpathValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(hostpathValidatingWebhookPath), &dec, hostpathProfile)) + wh.Register(hostpathValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(hostpathValidatingWebhookPath), dec, hostpathProfile)) wh.Register(hostpathMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(hostpathMutatingWebhookPath), dec, hostpathProfile)) restrictedProfile := SecurityProfile{ Name: "restricted", } - wh.Register(restrictedValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(restrictedValidatingWebhookPath), &dec, restrictedProfile)) + wh.Register(restrictedValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(restrictedValidatingWebhookPath), dec, restrictedProfile)) wh.Register(restrictedMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(restrictedMutatingWebhookPath), dec, restrictedProfile)) mutatingProfile := SecurityProfile{ Name: "mutating", ForceRunAsNonRoot: true, } - wh.Register(mutatingValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(mutatingValidatingWebhookPath), &dec, mutatingProfile)) + wh.Register(mutatingValidatingWebhookPath, NewPodValidator(mgr.GetClient(), ctrl.Log.WithName(mutatingValidatingWebhookPath), dec, mutatingProfile)) wh.Register(mutatingMutatingWebhookPath, NewPodMutator(mgr.GetClient(), ctrl.Log.WithName(mutatingMutatingWebhookPath), dec, mutatingProfile)) //+kubebuilder:scaffold:webhook diff --git a/hooks/validate_pod.go b/hooks/validate_pod.go index 7730e1a..768e169 100644 --- a/hooks/validate_pod.go +++ b/hooks/validate_pod.go 
@@ -17,13 +17,13 @@ import ( type podValidator struct { client client.Client log logr.Logger - decoder *admission.Decoder + decoder admission.Decoder profileName string validators []validators.Validator } // NewPodValidator creates a webhook handler for Pod. -func NewPodValidator(c client.Client, log logr.Logger, dec *admission.Decoder, prof SecurityProfile) http.Handler { +func NewPodValidator(c client.Client, log logr.Logger, dec admission.Decoder, prof SecurityProfile) http.Handler { v := &podValidator{ client: c, log: log, @@ -89,7 +89,7 @@ func (v *podValidator) Handle(ctx context.Context, req admission.Request) admiss v.log.Info("validating pod", "name", namespacedName, "profile", v.profileName) po := &corev1.Pod{} - err := admission.Decoder.Decode(*v.decoder, req, po) + err := v.decoder.Decode(req, po) if err != nil { v.log.Error(err, "failed to decode pod", "name", namespacedName, "profile", v.profileName) return admission.Errored(http.StatusBadRequest, err) diff --git a/hooks/validators/deny_unsafe_apparmor.go b/hooks/validators/deny_unsafe_apparmor.go index 47ed39b..6585ded 100644 --- a/hooks/validators/deny_unsafe_apparmor.go +++ b/hooks/validators/deny_unsafe_apparmor.go 
@@ -26,12 +26,10 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 p = field.NewPath("spec").Child("SecurityContext")
 hasPodAppArmorProfile := pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.AppArmorProfile != nil
 if hasPodAppArmorProfile {
- isTypeUnconfined := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
 isTypeRuntimeDefault := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
 isTypeLocalhost := pod.Spec.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
- hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+ hasNotAllowedType := !(isTypeRuntimeDefault || isTypeLocalhost)
 if hasNotAllowedType {
- // errs = append(errs, field.Forbidden(p.Child("AppArmorProfile"), fmt.Sprintf("%v is not an allowed AppArmor profile", pod.Spec.SecurityContext.AppArmorProfile.Type)))
 errs = append(errs, field.Forbidden(p, fmt.Sprintf("%v is not an allowed AppArmor profile", pod.Spec.SecurityContext.AppArmorProfile.Type)))
 }
 }
@@ -40,10 +38,9 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 for i, co := range pod.Spec.Containers {
 hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
 if hasPodAppArmorProfile {
- isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
 isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
 isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
- hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+ hasNotAllowedType := !(isTypeRuntimeDefault || isTypeLocalhost)
 if hasNotAllowedType {
 errs = append(errs, field.Forbidden(p.Index(i), fmt.Sprintf("%v is not an allowed AppArmor profile", co.SecurityContext.AppArmorProfile.Type)))
 }
@@ -54,10 +51,9 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 	for i, co := range pod.Spec.Containers {
 		hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
 		if hasPodAppArmorProfile {
-			isTypeUnconfined := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeUnconfined
 			isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
 			isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
-			hasNotAllowedType := !(isTypeUnconfined || isTypeRuntimeDefault || isTypeLocalhost)
+			hasNotAllowedType := !(isTypeRuntimeDefault || isTypeLocalhost)
 			if hasNotAllowedType {
 				errs = append(errs, field.Forbidden(p.Index(i), fmt.Sprintf("%v is not an allowed AppArmor profile", co.SecurityContext.AppArmorProfile.Type)))
 			}
From 172a6644054b036632137685152cfc6bd4bc5f10 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Wed, 5 Jun 2024 08:01:25 +0000
Subject: [PATCH 22/23] fix deprecation for goleleaser

---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 5959380..696a6e9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -40,4 +40,4 @@ jobs:
         uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
         with:
           version: latest
-          args: --snapshot --skip-publish --clean
+          args: --snapshot --skip=publish --clean
From e3ef5c4b18ec8abe926518ffd39afef8268fb035 Mon Sep 17 00:00:00 2001
From: Maho Takara
Date: Thu, 6 Jun 2024 00:55:29 +0000
Subject: [PATCH 23/23] add error test case for ephemeralContainers appAromor profile

---
 hooks/ephemeral_container_test.go        |  6 +++---
 hooks/validators/deny_unsafe_apparmor.go | 15 ++++++++++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/hooks/ephemeral_container_test.go b/hooks/ephemeral_container_test.go
index 7e146f6..3aceabf 100644
--- a/hooks/ephemeral_container_test.go
+++ b/hooks/ephemeral_container_test.go
@@ -157,18 +157,18 @@ spec:
 				},
 			},
 		}, false, "denied the request: spec.ephemeralContainers[0].securityContext.selinuxOptions: Forbidden: Setting custom SELinux options is not allowed"),
-		Entry("AllowAppArmor Ephemeral Container", "restricted", "test-allowed-apparmor-ec", corev1.EphemeralContainer{
+		Entry("AllowAppArmor Ephemeral Container", "restricted", "test-unsafe-apparmor-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
 				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot: ptr.To(true),
 					AppArmorProfile: &corev1.AppArmorProfile{
-						Type: "RuntimeDefault",
+						Type: "Unconfined",
 					},
 				},
 			},
-		}, true, ""),
+		}, false, "denied the request: spec.SecurityContext.containers.initContainers.ephemeralContainers[0]: Forbidden: Unconfined is not an allowed AppArmor profile"),
 	)
 
 	// runAsNonRoot of an ephemeral container will not be mutated until the following issue is completed.
diff --git a/hooks/validators/deny_unsafe_apparmor.go b/hooks/validators/deny_unsafe_apparmor.go
index 6585ded..4cbdcce 100644
--- a/hooks/validators/deny_unsafe_apparmor.go
+++ b/hooks/validators/deny_unsafe_apparmor.go
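Review bot: The Entry description still reads "AllowAppArmor Ephemeral Container" although the case now expects denial (`false`) for an Unconfined profile, so a failure report would name the wrong scenario; rename it, e.g. `Entry("DenyUnsafeAppArmor Ephemeral Container", "restricted", "test-unsafe-apparmor-ec", corev1.EphemeralContainer{`. The expected message also pins the field path `spec.SecurityContext.containers.initContainers.ephemeralContainers[0]`, which does not match the `spec.ephemeralContainers[0].securityContext...` form the SELinux entry just above uses; it is the validator's accumulated prefix rather than a field that exists on a Pod, so once the validator's path is corrected this string should become `spec.ephemeralContainers[0]`. The surrounding DescribeTable begins outside the hunk.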
@@ -48,7 +48,20 @@ func (v DenyUnsafeAppArmor) Validate(ctx context.Context, pod *corev1.Pod) field
 	}
 
 	p = p.Child("initContainers")
-	for i, co := range pod.Spec.Containers {
+	for i, co := range pod.Spec.InitContainers {
+		hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
+		if hasPodAppArmorProfile {
+			isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
+			isTypeLocalhost := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeLocalhost
+			hasNotAllowedType := !(isTypeRuntimeDefault || isTypeLocalhost)
+			if hasNotAllowedType {
+				errs = append(errs, field.Forbidden(p.Index(i), fmt.Sprintf("%v is not an allowed AppArmor profile", co.SecurityContext.AppArmorProfile.Type)))
+			}
+		}
+	}
+
+	p = p.Child("ephemeralContainers")
+	for i, co := range pod.Spec.EphemeralContainers {
 		hasPodAppArmorProfile := co.SecurityContext != nil && co.SecurityContext.AppArmorProfile != nil
 		if hasPodAppArmorProfile {
 			isTypeRuntimeDefault := co.SecurityContext.AppArmorProfile.Type == corev1.AppArmorProfileTypeRuntimeDefault
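Review bot: `p = p.Child("initContainers")` and the new `p = p.Child("ephemeralContainers")` extend the prefix built for the earlier sections instead of restarting from `spec`, which is why the new test expects `spec.SecurityContext.containers.initContainers.ephemeralContainers[0]`; that field does not exist on a Pod, so the denial reason returned to the client points nowhere actionable. Starting each section fresh, `p = field.NewPath("spec").Child("initContainers")` and `p = field.NewPath("spec").Child("ephemeralContainers")`, gives paths consistent with the other validators (the pod-level and `containers` sections, outside this hunk, appear to need the same treatment). Separately, the loop is corrected from `pod.Spec.Containers` to `pod.Spec.InitContainers`, but the diffstat shows only the ephemeral-container test changed, so an init container carrying an Unconfined profile is still not exercised and the regression that was just fixed has no guard; a sibling Entry in the init-container tests would pin it. Validate's body starts and ends outside the hunk.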