Use PSP from policy API group.

kubernetes · Mar 1, 2018 · 25cce34 · 25cce34
1 parent 857fee8
commit 25cce34
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 14 deletions.
diff --git a/docs/admin/authorization/index.md b/docs/admin/authorization/index.md
@@ -67,7 +67,7 @@ DELETE    | delete (for individual resources), deletecollection (for collections
 
 Kubernetes sometimes checks authorization for additional permissions using specialized verbs. For example:
 
-* [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/) checks for authorization of the `use` verb on `podsecuritypolicies` resources in the `extensions` API group.
+* [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/) checks for authorization of the `use` verb on `podsecuritypolicies` resources in the `policy` API group.
 * [RBAC](/docs/admin/authorization/rbac/#privilege-escalation-prevention-and-bootstrapping) checks for authorization 
 of the `bind` verb on `roles` and `clusterroles` resources in the `rbac.authorization.k8s.io` API group.
 * [Authentication](/docs/admin/authentication/) layer checks for authorization of the `impersonate` verb on `users`, `groups`, and `serviceaccounts` in the core API group, and the `userextras` in the `authentication.k8s.io` API group.

diff --git a/docs/concepts/policy/example-psp.yaml b/docs/concepts/policy/example-psp.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: example

diff --git a/docs/concepts/policy/pod-security-policy.md b/docs/concepts/policy/pod-security-policy.md
@@ -49,7 +49,7 @@ controller](/docs/admin/admission-controllers/#how-do-i-turn-on-an-admission-con
 but doing so without authorizing any policies **will prevent any pods from being
 created** in the cluster.
 
-Since the pod security policy API (`extensions/v1beta1/podsecuritypolicy`) is
+Since the pod security policy API (`policy/v1beta1/podsecuritypolicy`) is
 enabled independently of the admission controller, for existing clusters it is
 recommended that policies are added and authorized before enabling the admission
 controller.
@@ -84,7 +84,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: <role name>
 rules:
-- apiGroups: ['extensions']
+- apiGroups: ['policy']
   resources: ['podsecuritypolicies']
   verbs:     ['use']
   resourceNames:

diff --git a/docs/concepts/policy/privileged-psp.yaml b/docs/concepts/policy/privileged-psp.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: privileged

diff --git a/docs/concepts/policy/restricted-psp.yaml b/docs/concepts/policy/restricted-psp.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: restricted

diff --git a/docs/tutorials/clusters/apparmor.md b/docs/tutorials/clusters/apparmor.md
@@ -317,14 +317,13 @@ node with the required profile.
 ### Restricting profiles with the PodSecurityPolicy
 
 If the PodSecurityPolicy extension is enabled, cluster-wide AppArmor restrictions can be applied. To
-enable the PodSecurityPolicy, two flags must be set on the `apiserver`:
+enable the PodSecurityPolicy, the following flag must be set on the `apiserver`:
 
 ```
 --admission-control=PodSecurityPolicy[,others...]
---runtime-config=extensions/v1beta1/podsecuritypolicy[,others...]
 ```
 
-With the extension enabled, the AppArmor options can be specified as annotations on the PodSecurityPolicy:
+The AppArmor options can be specified as annotations on the PodSecurityPolicy:
 
 ```yaml
 apparmor.security.beta.kubernetes.io/defaultProfileName: <profile_ref>

diff --git a/test/examples_test.go b/test/examples_test.go
@@ -28,6 +28,7 @@ import (
 	"strings"
 	"testing"
 
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -173,8 +174,8 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 			t.Namespace = api.NamespaceDefault
 		}
 		errors = ext_validation.ValidateIngress(t)
-	case *extensions.PodSecurityPolicy:
-		errors = ext_validation.ValidatePodSecurityPolicy(t)
+	case *policyv1beta1.PodSecurityPolicy:
+		errors = validatePodSecurityPolicy(t)
 	case *extensions.ReplicaSet:
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
@@ -312,9 +313,9 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"nginx-deployment": {&extensions.Deployment{}},
 		},
 		"../docs/concepts/policy": {
-			"privileged-psp": {&extensions.PodSecurityPolicy{}},
-			"restricted-psp": {&extensions.PodSecurityPolicy{}},
-			"example-psp":    {&extensions.PodSecurityPolicy{}},
+			"privileged-psp": {&policyv1beta1.PodSecurityPolicy{}},
+			"restricted-psp": {&policyv1beta1.PodSecurityPolicy{}},
+			"example-psp":    {&policyv1beta1.PodSecurityPolicy{}},
 		},
 		"../docs/concepts/services-networking": {
 			"curlpod":          {&extensions.Deployment{}},
@@ -754,3 +755,14 @@ func TestReadme(t *testing.T) {
 		}
 	}
 }
+
+// TODO: remove type conversion when PSP validation will accept PSP from policy group
+func validatePodSecurityPolicy(newPsp *policy.PodSecurityPolicy) field.ErrorList {
+	oldPsp := &extensions.PodSecurityPolicy{}
+	if err := Convert_v1beta1_PodSecurityPolicy_To_extensions_PodSecurityPolicy(newPsp, oldPsp, nil); err != nil {
+		errs = field.ErrorList{}
+		errs = append(errors, field.InternalError(field.NewPath(""), fmt.Errorf("cannot convert PSP from policy to extensions group: %v", err)))
+		return errs
+	}
+	return ext_validation.ValidatePodSecurityPolicy(oldPsp)
+}