Merge pull request #53460 from liggitt/automated-cherry-pick-of-#5344…

…3-upstream-release-1.8

Automatic merge from submit-queue.

Automated cherry pick of #53443

Cherry pick of #53443 on release-1.8.

Fixes an API compatibility issue in PodSecurityPolicy

#53443: Use pointer for PSP allow escalation

api/openapi-spec/swagger.json

@@ -68790,7 +68790,7 @@
     ],
     "properties": {
      "allowPrivilegeEscalation": {
-      "description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
+      "description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.",
       "type": "boolean"
      },
      "allowedCapabilities": {

api/swagger-spec/extensions_v1beta1.json

@@ -10062,7 +10062,7 @@
      },
      "allowPrivilegeEscalation": {
       "type": "boolean",
-      "description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation."
+      "description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true."
      },
      "allowedHostPaths": {
       "type": "array",

docs/api-reference/extensions/v1beta1/definitions.html

@@ -7809,7 +7809,7 @@ <h3 id="_v1beta1_podsecuritypolicyspec">v1beta1.PodSecurityPolicySpec</h3>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>

pkg/api/defaulting_test.go

@@ -105,6 +105,8 @@ func TestDefaulting(t *testing.T) {
 		{Group: "apps", Version: "v1beta1", Kind: "DeploymentList"}:                                                  {},
 		{Group: "apps", Version: "v1beta2", Kind: "Deployment"}:                                                      {},
 		{Group: "apps", Version: "v1beta2", Kind: "DeploymentList"}:                                                  {},
+		{Group: "extensions", Version: "v1beta1", Kind: "PodSecurityPolicy"}:                                         {},
+		{Group: "extensions", Version: "v1beta1", Kind: "PodSecurityPolicyList"}:                                     {},
 		{Group: "apps", Version: "v1beta2", Kind: "ReplicaSet"}:                                                      {},
 		{Group: "apps", Version: "v1beta2", Kind: "ReplicaSetList"}:                                                  {},
 		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSet"}:                                                {},

pkg/apis/extensions/types.go

@@ -937,7 +937,7 @@ type PodSecurityPolicySpec struct {
 	// +optional
 	DefaultAllowPrivilegeEscalation *bool
 	// AllowPrivilegeEscalation determines if a pod can request to allow
-	// privilege escalation.
+	// privilege escalation. If unspecified, defaults to true.
 	// +optional
 	AllowPrivilegeEscalation bool
 	// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.

pkg/apis/extensions/v1beta1/defaults.go

@@ -63,6 +63,15 @@ func SetDefaults_DaemonSet(obj *extensionsv1beta1.DaemonSet) {
 	}
 }
 
+func SetDefaults_PodSecurityPolicySpec(obj *extensionsv1beta1.PodSecurityPolicySpec) {
+	// This field was added after PodSecurityPolicy was released.
+	// Policies that do not include this field must remain as permissive as they were prior to the introduction of this field.
+	if obj.AllowPrivilegeEscalation == nil {
+		t := true
+		obj.AllowPrivilegeEscalation = &t
+	}
+}
+
 func SetDefaults_Deployment(obj *extensionsv1beta1.Deployment) {
 	// Default labels and selector to labels from pod template spec.
 	labels := obj.Spec.Template.Labels

pkg/apis/extensions/v1beta1/defaults_test.go

@@ -509,6 +509,15 @@ func TestDefaultRequestIsNotSetForReplicaSet(t *testing.T) {
 	}
 }
 
+func TestDefaultAllowPrivilegeEscalationForPodSecurityPolicy(t *testing.T) {
+	psp := &extensionsv1beta1.PodSecurityPolicy{}
+	output := roundTrip(t, runtime.Object(psp))
+	psp2 := output.(*extensionsv1beta1.PodSecurityPolicy)
+	if psp2.Spec.AllowPrivilegeEscalation == nil || *psp2.Spec.AllowPrivilegeEscalation != true {
+		t.Errorf("Expected default to true, got: %#v", psp2.Spec.AllowPrivilegeEscalation)
+	}
+}
+
 func TestSetDefaultNetworkPolicy(t *testing.T) {
 	tests := []struct {
 		original *extensionsv1beta1.NetworkPolicy

pkg/apis/extensions/v1beta1/zz_generated.conversion.go

@@ -1075,7 +1075,9 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
 	}
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 	out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
-	out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
+	if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
+		return err
+	}
 	out.AllowedHostPaths = *(*[]extensions.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
 	return nil
 }
@@ -1119,7 +1121,9 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
 	}
 	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 	out.DefaultAllowPrivilegeEscalation = (*bool)(unsafe.Pointer(in.DefaultAllowPrivilegeEscalation))
-	out.AllowPrivilegeEscalation = in.AllowPrivilegeEscalation
+	if err := v1.Convert_bool_To_Pointer_bool(&in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation, s); err != nil {
+		return err
+	}
 	out.AllowedHostPaths = *(*[]v1beta1.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
 	return nil
 }

pkg/apis/extensions/v1beta1/zz_generated.defaults.go

@@ -36,6 +36,8 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
 	scheme.AddTypeDefaultingFunc(&v1beta1.DeploymentList{}, func(obj interface{}) { SetObjectDefaults_DeploymentList(obj.(*v1beta1.DeploymentList)) })
 	scheme.AddTypeDefaultingFunc(&v1beta1.NetworkPolicy{}, func(obj interface{}) { SetObjectDefaults_NetworkPolicy(obj.(*v1beta1.NetworkPolicy)) })
 	scheme.AddTypeDefaultingFunc(&v1beta1.NetworkPolicyList{}, func(obj interface{}) { SetObjectDefaults_NetworkPolicyList(obj.(*v1beta1.NetworkPolicyList)) })
+	scheme.AddTypeDefaultingFunc(&v1beta1.PodSecurityPolicy{}, func(obj interface{}) { SetObjectDefaults_PodSecurityPolicy(obj.(*v1beta1.PodSecurityPolicy)) })
+	scheme.AddTypeDefaultingFunc(&v1beta1.PodSecurityPolicyList{}, func(obj interface{}) { SetObjectDefaults_PodSecurityPolicyList(obj.(*v1beta1.PodSecurityPolicyList)) })
 	scheme.AddTypeDefaultingFunc(&v1beta1.ReplicaSet{}, func(obj interface{}) { SetObjectDefaults_ReplicaSet(obj.(*v1beta1.ReplicaSet)) })
 	scheme.AddTypeDefaultingFunc(&v1beta1.ReplicaSetList{}, func(obj interface{}) { SetObjectDefaults_ReplicaSetList(obj.(*v1beta1.ReplicaSetList)) })
 	return nil
@@ -340,6 +342,17 @@ func SetObjectDefaults_NetworkPolicyList(in *v1beta1.NetworkPolicyList) {
 	}
 }
 
+func SetObjectDefaults_PodSecurityPolicy(in *v1beta1.PodSecurityPolicy) {
+	SetDefaults_PodSecurityPolicySpec(&in.Spec)
+}
+
+func SetObjectDefaults_PodSecurityPolicyList(in *v1beta1.PodSecurityPolicyList) {
+	for i := range in.Items {
+		a := &in.Items[i]
+		SetObjectDefaults_PodSecurityPolicy(a)
+	}
+}
+
 func SetObjectDefaults_ReplicaSet(in *v1beta1.ReplicaSet) {
 	SetDefaults_ReplicaSet(in)
 	v1.SetDefaults_PodSpec(&in.Spec.Template.Spec)