Introduce PodSecurityPolicy in the policy/v1beta1 API group

[php-coder]

Types/constants are completely the same as in extensions/v1beta1 except that they are located outside of the extensions API group.

What this PR does / why we need it:
This is the first step for migrating PSP-related stuff away of extensions group. See #43214 for more information.

Also it related to kubernetes/enhancements#5

Example:

$ cat restricted2.yaml 
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted2
...
$ kubectl create -f restricted.yaml 
podsecuritypolicy "restricted2" created
$ kubectl get psp restricted2 -o yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
...

Release note:

The `PodSecurityPolicy` API has been moved to the `policy/v1beta1` API group. The `PodSecurityPolicy` API in the `extensions/v1beta1` API group is deprecated and will be removed in a future release. Authorizations for using pod security policy resources should change to reference the `policy` API group after upgrading to 1.11.

[dims]

/ok-to-test

@php-coder you should apply for membership to the kubernetes org :)

[php-coder]

@sttts I'm not sure whether I need this line or not. My theory is that it should generate conversions from/to extensions to psp types but I'm not sure. Could you tell me what it does?

[sttts]

From Makefile.generated_files:

#
# Conversion generation
#
# Any package that wants conversion functions generated must include one or
# more comment-tags in any .go file, in column 0, of the form:
#     // +k8s:conversion-gen=<CONVERSION_TARGET_DIR>
#
# The CONVERSION_TARGET_DIR is a project-local path to another directory which
# should be considered when evaluating peer types for conversions.  Types which
# are found in the source package (where conversions are being generated)
# but do not have a peer in one of the target directories will not have
# conversions generated.

[sttts]

I expect that you don't need this if all your types are in the new pkg/apis directory. But if you share the internal types with pkg/apis/extensions, you will need this tag.

[php-coder]

I copied OWNERS file from pkg/apis/extensions/OWNERS. Is it OK or we should start an empty OWNERS file?

[sttts]

that's a huge list. OWNERS should be more focused.

[php-coder]

May I just remove OWNERS files?

[sttts]

If it does not exist, the everything from the parent dir is inherited. But having a handful or less of reviewers here makes certainly sense.

[php-coder]

@sttts Ok, thanks!

I decided to include only myself as a reviewer because I don't know who also want to be a reviewer for this stuff.

@pweil- @simo5 @adelton @enj Let me know if you want to be reviewers and I'll add you to this list.

[pweil-]

Sure. Please include @liggitt @tallclair as well.

[php-coder]

Thanks! Added.

[php-coder]

make update fails with the following error:

Running update-generated-protobuf
Running update-codegen
Running update-generated-docs
# k8s.io/kubernetes/vendor/k8s.io/client-go/kubernetes
vendor/k8s.io/client-go/kubernetes/clientset.go:90: duplicate method PolicyV1beta1
vendor/k8s.io/client-go/kubernetes/clientset.go:95: duplicate method Policy
vendor/k8s.io/client-go/kubernetes/clientset.go:135: duplicate field policyV1beta1
vendor/k8s.io/client-go/kubernetes/clientset.go:292: ambiguous selector c.policyV1beta1
vendor/k8s.io/client-go/kubernetes/clientset.go:298: ambiguous selector c.policyV1beta1
vendor/k8s.io/client-go/kubernetes/clientset.go:302: (*Clientset).PolicyV1beta1 redeclared in this block
	previous declaration at vendor/k8s.io/client-go/kubernetes/clientset.go:291
vendor/k8s.io/client-go/kubernetes/clientset.go:303: ambiguous selector c.policyV1beta1
vendor/k8s.io/client-go/kubernetes/clientset.go:308: (*Clientset).Policy redeclared in this block
	previous declaration at vendor/k8s.io/client-go/kubernetes/clientset.go:297
vendor/k8s.io/client-go/kubernetes/clientset.go:309: ambiguous selector c.policyV1beta1
vendor/k8s.io/client-go/kubernetes/clientset.go:455: ambiguous selector cs.policyV1beta1
vendor/k8s.io/client-go/kubernetes/clientset.go:455: too many errors
# k8s.io/kubernetes/vendor/k8s.io/client-go/listers/policy/v1beta1
vendor/k8s.io/client-go/listers/policy/v1beta1/eviction.go:34: undefined: EvictionListerExpansion
# k8s.io/kubernetes/pkg/client/listers/policy/internalversion
pkg/client/listers/policy/internalversion/eviction.go:34: undefined: EvictionListerExpansion
!!! [1101 12:47:43] Call tree:
!!! [1101 12:47:43]  1: /home/coder/git/src/home/kubernetes/hack/lib/golang.sh:705 kube::golang::build_binaries_for_platform(...)
!!! [1101 12:47:43]  2: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
!!! [1101 12:47:43] Call tree:
!!! [1101 12:47:43]  1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
!!! [1101 12:47:43] Call tree:
!!! [1101 12:47:43]  1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
make[1]: *** [all] Error 1

@sttts Could you look at this PR and give me a hint what's wrong here? For some reason, generators adds generated code to the existing files and it leads to duplicated definitions. I couldn't find why they are doing this.

It also not clear where I should put the files for policy.authorization.k8s.io. The policy directory is already used, so I put the files into the psp directory. Is it correct?

[sttts]

will you delete the old internal types for PSPs?

[php-coder]

I'm following a roadmap that @soltysh gave me: in this Kubernetes release, I only need to introduce a new API that will be stored as old PSP types. So, in the current iteration, I won't remove anything from PSP.

[sttts]

Which doubles the code for the internal types. You can easily share them by removing the old extensions types and let the extensions group point to your new ones in the new group. Compare #50327.

[php-coder]

Maybe I'm missing something here, but I don't see how it doubles the code for the internal types. New API group is using the old internal types.

[sttts]

For some reason, generators adds generated code to the existing files and it leads to duplicated definitions. I couldn't find why they are doing this.

It also not clear where I should put the files for policy.authorization.k8s.io. The policy directory is already used, so I put the files into the psp directory. Is it correct?

Looks like clientgen uses the first segment of the group name for the identifiers in the clientset. @mfojtik can your exception file fix this?

[enj]

Is policy.authorization.k8s.io specific enough? RBAC could easily be thought to fit in this group (even though it does not).

[liggitt]

yeah, I'm unsure of the group as well. what would be the unifying characteristic of objects in the policy.authorization.k8s.io group? For example, the NetworkPolicy object is in the networking.k8s.io group.

some possibilities:

• the policy group: already contains PodDisruptionBudget objects which are policies around pod eviction
• podsecuritypolicy.admission.k8s.io - objects specific to this admission plugin

[php-coder]

podsecuritypolicy.admission.k8s.io - objects specific to this admission plugin

This sounds better to me. I'll do update on next Monday to use it, unless someone object against.

[sttts]

#54950 adds the missing support for non-unique GroupName prefixes to client-gen and informer-gen.

[sttts]

It also not clear where I should put the files for policy.authorization.k8s.io. The policy directory is already used, so I put the files into the psp directory. Is it correct?

There is no strict rule. Policy is for the pod policy types. Are PSPs the only types in the new group? Maybe authpolicy might make sense.

[liggitt]

nit, 2018 in all new files

[php-coder]

There was only one single file.

[liggitt]

one nit on copyright dates in new files, lgtm otherwise

cc @kubernetes/sig-auth-api-reviews @kubernetes/api-approvers

[php-coder]

@liggitt The comment was addressed. Thank you for guidance and patience!

[liggitt]

/lgtm
/hold for ack from @kubernetes/api-approvers

[bgrant0607]

@liggitt ACK that policy is fine. Thanks much

[liggitt]

/hold cancel

[php-coder]

@liggitt Are we waiting for someone else LGTM from API approvers or I can ask examples/ owners to review their part?

[smarterclayton]

/approve

examples

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, php-coder, smarterclayton, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• api/OWNERS [liggitt,smarterclayton]
• cmd/kube-apiserver/OWNERS [liggitt,smarterclayton]
• docs/api-reference/OWNERS [liggitt,smarterclayton]
• examples/OWNERS [smarterclayton]
• pkg/api/OWNERS [liggitt,smarterclayton]
• pkg/apis/policy/OWNERS [liggitt,smarterclayton]
• pkg/kubeapiserver/OWNERS [liggitt,smarterclayton]
• pkg/registry/OWNERS [liggitt,smarterclayton]
• staging/src/k8s.io/api/policy/OWNERS [liggitt,smarterclayton]
• staging/src/k8s.io/client-go/OWNERS [liggitt,smarterclayton]
• test/OWNERS [liggitt,smarterclayton,soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.