コード例 #1
0
ファイル: reconcile_sccs.go プロジェクト: johnmccawley/origin
// computeUpdatedSCC determines if the expected SCC looks like the actual SCC
// it does this by making the expected SCC mirror the actual SCC for items that
// we are not reconciling and performing a diff (ignoring changes to metadata).
// If a diff is produced then the expected SCC is submitted as needing an update.
func (o *ReconcileSCCOptions) computeUpdatedSCC(expected kapi.SecurityContextConstraints, actual kapi.SecurityContextConstraints) (*kapi.SecurityContextConstraints, bool) {
	needsUpdate := false

	// if unioning old and new groups/users then make the expected contain all
	// also preserve and set priorities
	if o.Union {
		groupSet := sets.NewString(actual.Groups...)
		groupSet.Insert(expected.Groups...)
		expected.Groups = groupSet.List()

		userSet := sets.NewString(actual.Users...)
		userSet.Insert(expected.Users...)
		expected.Users = userSet.List()

		if actual.Priority != nil {
			expected.Priority = actual.Priority
		}
	}

	// sort users and groups to remove any variants in order when diffing
	sort.StringSlice(actual.Groups).Sort()
	sort.StringSlice(actual.Users).Sort()
	sort.StringSlice(expected.Groups).Sort()
	sort.StringSlice(expected.Users).Sort()

	// make a copy of the expected scc here so we can ignore metadata diffs.
	updated := expected
	expected.ObjectMeta = actual.ObjectMeta

	if !kapi.Semantic.DeepEqual(expected, actual) {
		needsUpdate = true
	}

	return &updated, needsUpdate
}
コード例 #2
0
ファイル: reconcile_sccs.go プロジェクト: php-coder/origin
// computeUpdatedSCC determines if the expected SCC looks like the actual SCC
// it does this by making the expected SCC mirror the actual SCC for items that
// we are not reconciling and performing a diff (ignoring changes to metadata).
// If a diff is produced then the expected SCC is submitted as needing an update.
func (o *ReconcileSCCOptions) computeUpdatedSCC(expected kapi.SecurityContextConstraints, actual kapi.SecurityContextConstraints) (*kapi.SecurityContextConstraints, bool) {
	needsUpdate := false

	// if unioning old and new groups/users then make the expected contain all
	// also preserve and set priorities
	if o.Union {
		groupSet := sets.NewString(actual.Groups...)
		groupSet.Insert(expected.Groups...)
		expected.Groups = groupSet.List()

		userSet := sets.NewString(actual.Users...)
		userSet.Insert(expected.Users...)
		expected.Users = userSet.List()

		if actual.Priority != nil {
			expected.Priority = actual.Priority
		}

		// preserve labels and annotations
		expected.Labels = MergeMaps(expected.Labels, actual.Labels)
		expected.Annotations = MergeMaps(expected.Annotations, actual.Annotations)
	}

	// sort volumes to remove variants in order
	sortVolumes(&expected)
	sortVolumes(&actual)

	// sort users and groups to remove any variants in order when diffing
	sort.StringSlice(actual.Groups).Sort()
	sort.StringSlice(actual.Users).Sort()
	sort.StringSlice(expected.Groups).Sort()
	sort.StringSlice(expected.Users).Sort()

	// compute the updated scc as follows:
	// 1. start with the expected scc
	// 2. take the objectmeta from the actual scc (preserves the resource version and uid)
	// 3. add back the labels and annotations from the expected scc (which were already merged if unioning was desired)
	updated := expected
	updated.ObjectMeta = actual.ObjectMeta
	updated.ObjectMeta.Labels = expected.Labels
	updated.ObjectMeta.Annotations = expected.Annotations

	if !kapi.Semantic.DeepEqual(updated, actual) {
		needsUpdate = true
	}

	return &updated, needsUpdate
}
コード例 #3
0
ファイル: conversion.go プロジェクト: RomainVabre/origin
func convert_v1beta3_SecurityContextConstraints_To_api_SecurityContextConstraints(in *SecurityContextConstraints, out *api.SecurityContextConstraints, s conversion.Scope) error {
	if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {
		defaulting.(func(*SecurityContextConstraints))(in)
	}

	if err := convert_v1beta3_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil {
		return err
	}
	if in.Priority != nil {
		out.Priority = new(int)
		*out.Priority = *in.Priority
	} else {
		out.Priority = nil
	}
	out.AllowPrivilegedContainer = in.AllowPrivilegedContainer
	if in.AllowedCapabilities != nil {
		out.AllowedCapabilities = make([]api.Capability, len(in.AllowedCapabilities))
		for i := range in.AllowedCapabilities {
			out.AllowedCapabilities[i] = api.Capability(in.AllowedCapabilities[i])
		}
	} else {
		out.AllowedCapabilities = nil
	}

	// for v1beta3 -> api volume conversion we must assume that all volumes were allowed.
	// the only volume you could turn off is the host path volume so we'll remove that based
	// on the v1beta3 setting.
	if !in.AllowHostDirVolumePlugin {
		for _, v := range sccutil.GetAllFSTypesExcept(string(api.FSTypeHostPath)).List() {
			out.Volumes = append(out.Volumes, api.FSType(v))
		}
	} else {
		out.Volumes = []api.FSType{api.FSTypeAll}
	}

	out.AllowHostNetwork = in.AllowHostNetwork
	out.AllowHostPorts = in.AllowHostPorts
	out.AllowHostPID = in.AllowHostPID
	out.AllowHostIPC = in.AllowHostIPC
	if err := convert_v1beta3_SELinuxContextStrategyOptions_To_api_SELinuxContextStrategyOptions(&in.SELinuxContext, &out.SELinuxContext, s); err != nil {
		return err
	}
	if err := convert_v1beta3_RunAsUserStrategyOptions_To_api_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
		return err
	}
	if err := convert_v1beta3_FSGroupStrategyOptions_To_api_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
		return err
	}
	if err := convert_v1beta3_SupplementalGroupsStrategyOptions_To_api_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
		return err
	}
	if in.DefaultAddCapabilities != nil {
		out.DefaultAddCapabilities = make([]api.Capability, len(in.DefaultAddCapabilities))
		for i := range in.DefaultAddCapabilities {
			out.DefaultAddCapabilities[i] = api.Capability(in.DefaultAddCapabilities[i])
		}
	} else {
		out.DefaultAddCapabilities = nil
	}
	if in.RequiredDropCapabilities != nil {
		out.RequiredDropCapabilities = make([]api.Capability, len(in.RequiredDropCapabilities))
		for i := range in.RequiredDropCapabilities {
			out.RequiredDropCapabilities[i] = api.Capability(in.RequiredDropCapabilities[i])
		}
	} else {
		out.RequiredDropCapabilities = nil
	}
	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
	if in.Users != nil {
		out.Users = make([]string, len(in.Users))
		for i := range in.Users {
			out.Users[i] = in.Users[i]
		}
	} else {
		out.Users = nil
	}
	if in.Groups != nil {
		out.Groups = make([]string, len(in.Groups))
		for i := range in.Groups {
			out.Groups[i] = in.Groups[i]
		}
	} else {
		out.Groups = nil
	}
	return nil
}