// computeUpdatedSCC determines if the expected SCC looks like the actual SCC
// it does this by making the expected SCC mirror the actual SCC for items that
// we are not reconciling and performing a diff (ignoring changes to metadata).
// If a diff is produced then the expected SCC is submitted as needing an update.
func (o *ReconcileSCCOptions) computeUpdatedSCC(expected kapi.SecurityContextConstraints, actual kapi.SecurityContextConstraints) (*kapi.SecurityContextConstraints, bool) {
needsUpdate := false
// if unioning old and new groups/users then make the expected contain all
// also preserve and set priorities
if o.Union {
groupSet := sets.NewString(actual.Groups...)
groupSet.Insert(expected.Groups...)
expected.Groups = groupSet.List()
userSet := sets.NewString(actual.Users...)
userSet.Insert(expected.Users...)
expected.Users = userSet.List()
if actual.Priority != nil {
expected.Priority = actual.Priority
}
}
// sort users and groups to remove any variants in order when diffing
sort.StringSlice(actual.Groups).Sort()
sort.StringSlice(actual.Users).Sort()
sort.StringSlice(expected.Groups).Sort()
sort.StringSlice(expected.Users).Sort()
// make a copy of the expected scc here so we can ignore metadata diffs.
updated := expected
expected.ObjectMeta = actual.ObjectMeta
if !kapi.Semantic.DeepEqual(expected, actual) {
needsUpdate = true
}
return &updated, needsUpdate
}
// computeUpdatedSCC determines if the expected SCC looks like the actual SCC
// it does this by making the expected SCC mirror the actual SCC for items that
// we are not reconciling and performing a diff (ignoring changes to metadata).
// If a diff is produced then the expected SCC is submitted as needing an update.
func (o *ReconcileSCCOptions) computeUpdatedSCC(expected kapi.SecurityContextConstraints, actual kapi.SecurityContextConstraints) (*kapi.SecurityContextConstraints, bool) {
needsUpdate := false
// if unioning old and new groups/users then make the expected contain all
// also preserve and set priorities
if o.Union {
groupSet := sets.NewString(actual.Groups...)
groupSet.Insert(expected.Groups...)
expected.Groups = groupSet.List()
userSet := sets.NewString(actual.Users...)
userSet.Insert(expected.Users...)
expected.Users = userSet.List()
if actual.Priority != nil {
expected.Priority = actual.Priority
}
// preserve labels and annotations
expected.Labels = MergeMaps(expected.Labels, actual.Labels)
expected.Annotations = MergeMaps(expected.Annotations, actual.Annotations)
}
// sort volumes to remove variants in order
sortVolumes(&expected)
sortVolumes(&actual)
// sort users and groups to remove any variants in order when diffing
sort.StringSlice(actual.Groups).Sort()
sort.StringSlice(actual.Users).Sort()
sort.StringSlice(expected.Groups).Sort()
sort.StringSlice(expected.Users).Sort()
// compute the updated scc as follows:
// 1. start with the expected scc
// 2. take the objectmeta from the actual scc (preserves the resource version and uid)
// 3. add back the labels and annotations from the expected scc (which were already merged if unioning was desired)
updated := expected
updated.ObjectMeta = actual.ObjectMeta
updated.ObjectMeta.Labels = expected.Labels
updated.ObjectMeta.Annotations = expected.Annotations
if !kapi.Semantic.DeepEqual(updated, actual) {
needsUpdate = true
}
return &updated, needsUpdate
}
// sortVolumes sorts the volume slice of the SCC in place.
func sortVolumes(scc *kapi.SecurityContextConstraints) {
if scc.Volumes == nil || len(scc.Volumes) == 0 {
return
}
volumes := sccutil.FSTypeToStringSet(scc.Volumes).List()
sort.StringSlice(volumes).Sort()
scc.Volumes = sliceToFSType(volumes)
}
func convert_v1beta3_SecurityContextConstraints_To_api_SecurityContextConstraints(in *SecurityContextConstraints, out *api.SecurityContextConstraints, s conversion.Scope) error {
if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {
defaulting.(func(*SecurityContextConstraints))(in)
}
if err := convert_v1beta3_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil {
return err
}
if in.Priority != nil {
out.Priority = new(int)
*out.Priority = *in.Priority
} else {
out.Priority = nil
}
out.AllowPrivilegedContainer = in.AllowPrivilegedContainer
if in.AllowedCapabilities != nil {
out.AllowedCapabilities = make([]api.Capability, len(in.AllowedCapabilities))
for i := range in.AllowedCapabilities {
out.AllowedCapabilities[i] = api.Capability(in.AllowedCapabilities[i])
}
} else {
out.AllowedCapabilities = nil
}
// for v1beta3 -> api volume conversion we must assume that all volumes were allowed.
// the only volume you could turn off is the host path volume so we'll remove that based
// on the v1beta3 setting.
if !in.AllowHostDirVolumePlugin {
for _, v := range sccutil.GetAllFSTypesExcept(string(api.FSTypeHostPath)).List() {
out.Volumes = append(out.Volumes, api.FSType(v))
}
} else {
out.Volumes = []api.FSType{api.FSTypeAll}
}
out.AllowHostNetwork = in.AllowHostNetwork
out.AllowHostPorts = in.AllowHostPorts
out.AllowHostPID = in.AllowHostPID
out.AllowHostIPC = in.AllowHostIPC
if err := convert_v1beta3_SELinuxContextStrategyOptions_To_api_SELinuxContextStrategyOptions(&in.SELinuxContext, &out.SELinuxContext, s); err != nil {
return err
}
if err := convert_v1beta3_RunAsUserStrategyOptions_To_api_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
return err
}
if err := convert_v1beta3_FSGroupStrategyOptions_To_api_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
return err
}
if err := convert_v1beta3_SupplementalGroupsStrategyOptions_To_api_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
return err
}
if in.DefaultAddCapabilities != nil {
out.DefaultAddCapabilities = make([]api.Capability, len(in.DefaultAddCapabilities))
for i := range in.DefaultAddCapabilities {
out.DefaultAddCapabilities[i] = api.Capability(in.DefaultAddCapabilities[i])
}
} else {
out.DefaultAddCapabilities = nil
}
if in.RequiredDropCapabilities != nil {
out.RequiredDropCapabilities = make([]api.Capability, len(in.RequiredDropCapabilities))
for i := range in.RequiredDropCapabilities {
out.RequiredDropCapabilities[i] = api.Capability(in.RequiredDropCapabilities[i])
}
} else {
out.RequiredDropCapabilities = nil
}
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
if in.Users != nil {
out.Users = make([]string, len(in.Users))
for i := range in.Users {
out.Users[i] = in.Users[i]
}
} else {
out.Users = nil
}
if in.Groups != nil {
out.Groups = make([]string, len(in.Groups))
for i := range in.Groups {
out.Groups[i] = in.Groups[i]
}
} else {
out.Groups = nil
}
return nil
}
