in pkg/k8s-client/eks-deprecate/deprecate.go [458:658]
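// ConvertExtensionsV1beta1ToPolicyV1beta1PodSecurityPolicy converts a
// PodSecurityPolicy from the "extensions/v1beta1" API group into the
// equivalent "policy/v1beta1" object.
//
// The input is deep-copied first, so the returned object shares no memory
// with obj. Only the metadata fields listed below are carried over; fields
// such as ResourceVersion, UID, Finalizers and OwnerReferences are not set
// on the result (NOTE(review): presumably so the object can be re-created
// under the new API group; confirm against the caller).
//
// Every enumerated value (volume FSType, SELinux/RunAsUser/RunAsGroup/
// SupplementalGroups/FSGroup rule) is mapped explicitly. An unrecognized
// value aborts the conversion with an error instead of being passed through.
//
// On error the zero-value PodSecurityPolicy is returned. A half-converted
// policy would be missing the restrictions that are copied after the failing
// field (for example AllowedHostPaths), and a caller that overlooked the
// error must not be handed such an object to apply.
func ConvertExtensionsV1beta1ToPolicyV1beta1PodSecurityPolicy(obj extensions_v1beta1.PodSecurityPolicy) (rs policy_v1beta1.PodSecurityPolicy, err error) {
	copied := obj.DeepCopy()
	meta := copied.GetObjectMeta()
	cs := copied.Spec.DeepCopy()

	rs = policy_v1beta1.PodSecurityPolicy{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "policy/v1beta1",
			Kind:       "PodSecurityPolicy",
		},
		ObjectMeta: metav1.ObjectMeta{
			Name:                       meta.GetName(),
			GenerateName:               meta.GetGenerateName(),
			Namespace:                  meta.GetNamespace(),
			ClusterName:                meta.GetClusterName(),
			Labels:                     meta.GetLabels(),
			Annotations:                meta.GetAnnotations(),
			ManagedFields:              meta.GetManagedFields(),
			DeletionGracePeriodSeconds: meta.GetDeletionGracePeriodSeconds(),
		},
		Spec: policy_v1beta1.PodSecurityPolicySpec{
			Privileged:                      cs.Privileged,
			DefaultAddCapabilities:          cs.DefaultAddCapabilities,
			RequiredDropCapabilities:        cs.RequiredDropCapabilities,
			AllowedCapabilities:             cs.AllowedCapabilities,
			HostNetwork:                     cs.HostNetwork,
			HostPID:                         cs.HostPID,
			HostIPC:                         cs.HostIPC,
			ReadOnlyRootFilesystem:          cs.ReadOnlyRootFilesystem,
			DefaultAllowPrivilegeEscalation: cs.DefaultAllowPrivilegeEscalation,
			AllowPrivilegeEscalation:        cs.AllowPrivilegeEscalation,
			AllowedUnsafeSysctls:            cs.AllowedUnsafeSysctls,
			ForbiddenSysctls:                cs.ForbiddenSysctls,
			AllowedProcMountTypes:           cs.AllowedProcMountTypes,
		},
	}

	// Allowed volume types: each known FSType is mapped one-to-one; anything
	// else is rejected so an unexpected value never widens the policy silently.
	for _, vv := range cs.Volumes {
		switch vv {
		case extensions_v1beta1.AzureFile:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.AzureFile)
		case extensions_v1beta1.Flocker:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.Flocker)
		case extensions_v1beta1.FlexVolume:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.FlexVolume)
		case extensions_v1beta1.HostPath:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.HostPath)
		case extensions_v1beta1.EmptyDir:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.EmptyDir)
		case extensions_v1beta1.GCEPersistentDisk:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.GCEPersistentDisk)
		case extensions_v1beta1.AWSElasticBlockStore:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.AWSElasticBlockStore)
		case extensions_v1beta1.GitRepo:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.GitRepo)
		case extensions_v1beta1.Secret:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.Secret)
		case extensions_v1beta1.NFS:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.NFS)
		case extensions_v1beta1.ISCSI:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.ISCSI)
		case extensions_v1beta1.Glusterfs:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.Glusterfs)
		case extensions_v1beta1.PersistentVolumeClaim:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.PersistentVolumeClaim)
		case extensions_v1beta1.RBD:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.RBD)
		case extensions_v1beta1.Cinder:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.Cinder)
		case extensions_v1beta1.CephFS:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.CephFS)
		case extensions_v1beta1.DownwardAPI:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.DownwardAPI)
		case extensions_v1beta1.FC:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.FC)
		case extensions_v1beta1.ConfigMap:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.ConfigMap)
		case extensions_v1beta1.Quobyte:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.Quobyte)
		case extensions_v1beta1.AzureDisk:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.AzureDisk)
		case extensions_v1beta1.CSI:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.CSI)
		case extensions_v1beta1.All:
			rs.Spec.Volumes = append(rs.Spec.Volumes, policy_v1beta1.All)
		default:
			return policy_v1beta1.PodSecurityPolicy{}, fmt.Errorf("unknown Volume %q", vv)
		}
	}

	for _, vv := range cs.HostPorts {
		rs.Spec.HostPorts = append(rs.Spec.HostPorts, policy_v1beta1.HostPortRange{
			Min: vv.Min,
			Max: vv.Max,
		})
	}

	switch cs.SELinux.Rule {
	case extensions_v1beta1.SELinuxStrategyMustRunAs:
		rs.Spec.SELinux.Rule = policy_v1beta1.SELinuxStrategyMustRunAs
	case extensions_v1beta1.SELinuxStrategyRunAsAny:
		rs.Spec.SELinux.Rule = policy_v1beta1.SELinuxStrategyRunAsAny
	default:
		return policy_v1beta1.PodSecurityPolicy{}, fmt.Errorf("unknown SELinux.Rule %q", cs.SELinux.Rule)
	}
	rs.Spec.SELinux.SELinuxOptions = cs.SELinux.SELinuxOptions

	switch cs.RunAsUser.Rule {
	case extensions_v1beta1.RunAsUserStrategyMustRunAs:
		rs.Spec.RunAsUser.Rule = policy_v1beta1.RunAsUserStrategyMustRunAs
	case extensions_v1beta1.RunAsUserStrategyMustRunAsNonRoot:
		rs.Spec.RunAsUser.Rule = policy_v1beta1.RunAsUserStrategyMustRunAsNonRoot
	case extensions_v1beta1.RunAsUserStrategyRunAsAny:
		rs.Spec.RunAsUser.Rule = policy_v1beta1.RunAsUserStrategyRunAsAny
	default:
		return policy_v1beta1.PodSecurityPolicy{}, fmt.Errorf("unknown RunAsUser.Rule %q", cs.RunAsUser.Rule)
	}
	for _, vv := range cs.RunAsUser.Ranges {
		rs.Spec.RunAsUser.Ranges = append(rs.Spec.RunAsUser.Ranges, policy_v1beta1.IDRange{
			Min: vv.Min,
			Max: vv.Max,
		})
	}

	if cs.RunAsGroup != nil {
		// RunAsGroup is an optional pointer field and is not set in the
		// literal above, so it must be allocated before its fields are
		// written; assigning through the nil pointer would panic and the
		// group restriction would never reach the converted policy.
		runAsGroup := &policy_v1beta1.RunAsGroupStrategyOptions{}
		switch cs.RunAsGroup.Rule {
		case extensions_v1beta1.RunAsGroupStrategyMayRunAs:
			runAsGroup.Rule = policy_v1beta1.RunAsGroupStrategyMayRunAs
		case extensions_v1beta1.RunAsGroupStrategyMustRunAs:
			runAsGroup.Rule = policy_v1beta1.RunAsGroupStrategyMustRunAs
		case extensions_v1beta1.RunAsGroupStrategyRunAsAny:
			runAsGroup.Rule = policy_v1beta1.RunAsGroupStrategyRunAsAny
		default:
			return policy_v1beta1.PodSecurityPolicy{}, fmt.Errorf("unknown RunAsGroup.Rule %q", cs.RunAsGroup.Rule)
		}
		for _, vv := range cs.RunAsGroup.Ranges {
			runAsGroup.Ranges = append(runAsGroup.Ranges, policy_v1beta1.IDRange{
				Min: vv.Min,
				Max: vv.Max,
			})
		}
		rs.Spec.RunAsGroup = runAsGroup
	}

	switch cs.SupplementalGroups.Rule {
	case extensions_v1beta1.SupplementalGroupsStrategyMustRunAs:
		rs.Spec.SupplementalGroups.Rule = policy_v1beta1.SupplementalGroupsStrategyMustRunAs
	case extensions_v1beta1.SupplementalGroupsStrategyRunAsAny:
		rs.Spec.SupplementalGroups.Rule = policy_v1beta1.SupplementalGroupsStrategyRunAsAny
	default:
		return policy_v1beta1.PodSecurityPolicy{}, fmt.Errorf("unknown SupplementalGroups.Rule %q", cs.SupplementalGroups.Rule)
	}
	for _, vv := range cs.SupplementalGroups.Ranges {
		rs.Spec.SupplementalGroups.Ranges = append(rs.Spec.SupplementalGroups.Ranges, policy_v1beta1.IDRange{
			Min: vv.Min,
			Max: vv.Max,
		})
	}

	switch cs.FSGroup.Rule {
	case extensions_v1beta1.FSGroupStrategyMustRunAs:
		rs.Spec.FSGroup.Rule = policy_v1beta1.FSGroupStrategyMustRunAs
	case extensions_v1beta1.FSGroupStrategyRunAsAny:
		rs.Spec.FSGroup.Rule = policy_v1beta1.FSGroupStrategyRunAsAny
	default:
		return policy_v1beta1.PodSecurityPolicy{}, fmt.Errorf("unknown FSGroup.Rule %q", cs.FSGroup.Rule)
	}
	for _, vv := range cs.FSGroup.Ranges {
		rs.Spec.FSGroup.Ranges = append(rs.Spec.FSGroup.Ranges, policy_v1beta1.IDRange{
			Min: vv.Min,
			Max: vv.Max,
		})
	}

	// Allow-lists for host paths, flex volume drivers and CSI drivers are
	// copied entry by entry, preserving order.
	for _, vv := range cs.AllowedHostPaths {
		rs.Spec.AllowedHostPaths = append(rs.Spec.AllowedHostPaths, policy_v1beta1.AllowedHostPath{
			PathPrefix: vv.PathPrefix,
			ReadOnly:   vv.ReadOnly,
		})
	}
	for _, vv := range cs.AllowedFlexVolumes {
		rs.Spec.AllowedFlexVolumes = append(rs.Spec.AllowedFlexVolumes, policy_v1beta1.AllowedFlexVolume{
			Driver: vv.Driver,
		})
	}
	for _, vv := range cs.AllowedCSIDrivers {
		rs.Spec.AllowedCSIDrivers = append(rs.Spec.AllowedCSIDrivers, policy_v1beta1.AllowedCSIDriver{
			Name: vv.Name,
		})
	}

	if cs.RuntimeClass != nil {
		rs.Spec.RuntimeClass = &policy_v1beta1.RuntimeClassStrategyOptions{
			AllowedRuntimeClassNames: cs.RuntimeClass.AllowedRuntimeClassNames,
			DefaultRuntimeClassName:  cs.RuntimeClass.DefaultRuntimeClassName,
		}
	}
	return rs, nil
}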