Merge pull request #101 from bertinatto/bump-k8s-1.27

STOR-1263: Bump k8s 1.27

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: release
   namespace: openshift
-  tag: rhel-8-release-golang-1.19-openshift-4.13
+  tag: rhel-8-release-golang-1.20-openshift-4.14

go.mod

@@ -1,23 +1,23 @@
 module github.com/openshift/apiserver-library-go
 
-go 1.19
+go 1.20
 
 require (
 	github.com/google/go-cmp v0.5.9
 	github.com/hashicorp/golang-lru v0.5.1
-	github.com/openshift/api v0.0.0-20230120195050-6ba31fa438f2
+	github.com/openshift/api v0.0.0-20230503133300-8bbcb7ca7183
 	github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d
-	github.com/openshift/client-go v0.0.0-20230120202327-72f107311084
-	github.com/openshift/library-go v0.0.0-20230120214501-9bc305884fcb
-	github.com/stretchr/testify v1.8.0
-	k8s.io/api v0.26.1
-	k8s.io/apimachinery v0.26.1
-	k8s.io/apiserver v0.26.1
-	k8s.io/client-go v0.26.1
-	k8s.io/code-generator v0.26.1
-	k8s.io/klog/v2 v2.80.1
-	k8s.io/kubernetes v1.26.1
-	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d
+	github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb
+	github.com/openshift/library-go v0.0.0-20230503173034-95ca3c14e50a
+	github.com/stretchr/testify v1.8.1
+	k8s.io/api v0.27.1
+	k8s.io/apimachinery v0.27.1
+	k8s.io/apiserver v0.27.1
+	k8s.io/client-go v0.27.1
+	k8s.io/code-generator v0.27.1
+	k8s.io/klog/v2 v2.90.1
+	k8s.io/kubernetes v1.27.1
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 )
 
 require (
@@ -30,17 +30,17 @@ require (
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.1.2 // indirect
+	github.com/google/uuid v1.3.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -53,24 +53,24 @@ require (
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/mod v0.6.0 // indirect
-	golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
+	golang.org/x/mod v0.9.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	golang.org/x/term v0.3.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/term v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	golang.org/x/tools v0.2.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.26.1 // indirect
+	k8s.io/component-base v0.27.1 // indirect
 	k8s.io/component-helpers v0.25.0 // indirect
 	k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect
-	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )

pkg/admission/imagepolicy/imagereferencemutators/pods.go

@@ -44,8 +44,6 @@ func GetPodSpec(obj runtime.Object) (*core.PodSpec, *field.Path, error) {
 		return &r.Spec.Template.Spec, field.NewPath("spec", "template", "spec"), nil
 	case *batch.CronJob:
 		return &r.Spec.JobTemplate.Spec.Template.Spec, field.NewPath("spec", "jobTemplate", "spec", "template", "spec"), nil
-	case *batch.JobTemplate:
-		return &r.Template.Spec.Template.Spec, field.NewPath("template", "spec", "template", "spec"), nil
 	case *apps.StatefulSet:
 		return &r.Spec.Template.Spec, field.NewPath("spec", "template", "spec"), nil
 	}
@@ -100,9 +98,6 @@ func GetPodSpecV1(obj runtime.Object) (*corev1.PodSpec, *field.Path, error) {
 	case *batchv1.CronJob:
 		return &r.Spec.JobTemplate.Spec.Template.Spec, field.NewPath("spec", "jobTemplate", "spec", "template", "spec"), nil
 
-	case *batchv1beta1.JobTemplate:
-		return &r.Template.Spec.Template.Spec, field.NewPath("template", "spec", "template", "spec"), nil
-
 	case *kappsv1.StatefulSet:
 		return &r.Spec.Template.Spec, field.NewPath("spec", "template", "spec"), nil
 	case *kappsv1beta1.StatefulSet:
@@ -157,9 +152,6 @@ func GetTemplateMetaObject(obj runtime.Object) (metav1.Object, bool) {
 	case *batchv1.CronJob:
 		return &r.Spec.JobTemplate.Spec.Template.ObjectMeta, true
 
-	case *batchv1beta1.JobTemplate:
-		return &r.Template.Spec.Template.ObjectMeta, true
-
 	case *kappsv1.StatefulSet:
 		return &r.Spec.Template.ObjectMeta, true
 	case *kappsv1beta1.StatefulSet:
@@ -183,8 +175,6 @@ func GetTemplateMetaObject(obj runtime.Object) (metav1.Object, bool) {
 		return &r.Spec.Template.ObjectMeta, true
 	case *batch.CronJob:
 		return &r.Spec.JobTemplate.Spec.Template.ObjectMeta, true
-	case *batch.JobTemplate:
-		return &r.Template.Spec.Template.ObjectMeta, true
 	case *apps.StatefulSet:
 		return &r.Spec.Template.ObjectMeta, true
 	}

pkg/securitycontextconstraints/sccmatching/provider.go

@@ -9,7 +9,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/securitycontext"
-	"k8s.io/kubernetes/pkg/util/maps"
 
 	securityv1 "github.com/openshift/api/security/v1"
 	"github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/capabilities"
@@ -102,7 +101,7 @@ func NewSimpleProvider(scc *securityv1.SecurityContextConstraints) (SecurityCont
 func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error) {
 	sc := NewPodSecurityContextMutator(pod.Spec.SecurityContext)
 
-	annotationsCopy := maps.CopySS(pod.Annotations)
+	annotationsCopy := copySS(pod.Annotations)
 
 	if sc.SupplementalGroups() == nil {
 		supGroups, err := s.supplementalGroupStrategy.Generate(pod)
@@ -535,3 +534,15 @@ func seccompFieldForAnnotation(annotation string) *api.SeccompProfile {
 	// length or if the annotation has an unrecognized value
 	return nil
 }
+
+// CopySS makes a shallow copy of a map.
+func copySS(m map[string]string) map[string]string {
+	if m == nil {
+		return nil
+	}
+	copy := make(map[string]string, len(m))
+	for k, v := range m {
+		copy[k] = v
+	}
+	return copy
+}

pkg/securitycontextconstraints/seccomp/strategy.go

@@ -5,7 +5,6 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	podutil "k8s.io/kubernetes/pkg/api/pod"
 	api "k8s.io/kubernetes/pkg/apis/core"
 )
 
@@ -68,7 +67,7 @@ func (s *strategy) Generate(podAnnotations map[string]string, pod *api.Pod) (str
 	}
 	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
 		// Profile field already set, translate to annotation.
-		return podutil.SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile), nil
+		return seccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile), nil
 	}
 
 	// return the first non-wildcard profile
@@ -89,7 +88,7 @@ func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
 	// We are keeping annotations for backward compatibility - in case the pod is
 	// running on an older node.
 	if len(podProfile) == 0 && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
-		podProfile = podutil.SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
+		podProfile = seccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
 	}
 
 	if err := s.validateProfile(podSpecFieldPath, podProfile); err != nil {
@@ -154,7 +153,7 @@ func (s *strategy) validateProfile(fldPath *field.Path, profile string) *field.E
 func profileForContainer(pod *api.Pod, container *api.Container) string {
 	if container.SecurityContext != nil && container.SecurityContext.SeccompProfile != nil {
 		// derive the annotation value from the container field
-		return podutil.SeccompAnnotationForField(container.SecurityContext.SeccompProfile)
+		return seccompAnnotationForField(container.SecurityContext.SeccompProfile)
 	}
 	containerProfile, ok := pod.Annotations[api.SeccompContainerAnnotationKeyPrefix+container.Name]
 	if ok {
@@ -163,8 +162,36 @@ func profileForContainer(pod *api.Pod, container *api.Container) string {
 	}
 	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
 		// derive the annotation value from the pod field
-		return podutil.SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
+		return seccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
 	}
 	// return the existing pod annotation
 	return pod.Annotations[api.SeccompPodAnnotationKey]
 }
+
+// seccompAnnotationForField takes a pod seccomp profile field and returns the
+// converted annotation value.
+// DEPRECATED: this is originally from k8s.io/kubernetes/pkg/api pod module which has
+// been removed in upstream: https://github.com/kubernetes/kubernetes/pull/114947/files.
+// TODO(auth team): remove once we stop handling the annotation.
+func seccompAnnotationForField(field *api.SeccompProfile) string {
+	// If only seccomp fields are specified, add the corresponding annotations.
+	// This ensures that the fields are enforced even if the node version
+	// trails the API version
+	switch field.Type {
+	case api.SeccompProfileTypeUnconfined:
+		return v1.SeccompProfileNameUnconfined
+
+	case api.SeccompProfileTypeRuntimeDefault:
+		return v1.SeccompProfileRuntimeDefault
+
+	case api.SeccompProfileTypeLocalhost:
+		if field.LocalhostProfile != nil {
+			return v1.SeccompLocalhostProfileNamePrefix + *field.LocalhostProfile
+		}
+	}
+
+	// we can only reach this code path if the LocalhostProfile is nil but the
+	// provided field type is SeccompProfileTypeLocalhost or if an unrecognized
+	// type is specified
+	return ""
+}