Promote sysctl annotations to fields

[ingvagabund]

What this PR does / why we need it:

Promoting experimental sysctl feature from annotations to API fields.

Special notes for your reviewer:

Following sysctl KEP: kubernetes/community#2093

Release note:

The Sysctls experimental feature has been promoted to beta (enabled by default via the `Sysctls` feature flag). PodSecurityPolicy and Pod objects now have fields for specifying and controlling sysctls. Alpha sysctl annotations will be ignored by 1.11+ kubelets. All alpha sysctl annotations in existing deployments must be converted to API fields to be effective.

TODO:

• - Promote sysctl annotation in Pod spec
• - Promote sysctl annotation in PodSecuritySpec spec
• - Feature gate the sysctl
• - Promote from alpha to beta
• - docs PR - Promote sysctls to Beta website#8804

[sttts]

proto tags are missing

[liggitt]

they got added automatically in the generation commit, but having them in this commit makes them easier to review

[ingvagabund]

Moved from the generated code.

[php-coder]

It shouldn't be empty, right?

[ingvagabund]

Updated

[php-coder]

Make member name lowercase as it will appear in the api doc: s/Sysctls/sysctls/

[php-coder]

If we don't support old annotations, perhaps, we don't have to support PSP in the extensions API Group?

[sttts]

What is the semantics of empty lists vs. nil in the annotations? Does empty list mean "no sysctls allowed at all" vs. nil "use the default set" ?

[ingvagabund]

The original functionality is respected. So

• If the list is empty -> No sysctls are allowed
• If the list is nil -> Use the default sysctls patterns

[ingvagabund]

Make member name lowercase as it will appear in the api doc: s/Sysctls/sysctls/

Done

[liggitt]

The nil/empty distinction is lost when roundtripping via serialized protobuf, and makes for a fairly confusing API

[sttts]

The nil/empty distinction is lost

Don't we test this in roundtrip tests? We should.

If we change the API semantics (I don't feel strongly, I tend to agree that it is confusing), we should doc that. Do we want to?

[php-coder]

Make member name lowercase as it will appear in the api doc: s/Sysctls/sysctls/

[ingvagabund]

Done

[ncdc]

/uncc

[ingvagabund]

Expected
    <string>: kernel.shm_rmid_forced = 0
    
to contain substring
    <string>: kernel.shm_rmid_forced = 1

Hmm, for some reason the pod.securityContext.Sysctl list is not decoded correctly. The body before decoding in the apiserver:

k8s\x00\n\t\n\x02v1\x12\x03Pod\x12\xe8\x01\n=\n+sysctl-fff5b3b8-562c-11e8-8c1d-507b9deefa09\x12\x00\x1a\x00\"\x00*\x002\x008\x00B\x00z\x00\x12\x96\x01\x12R\n\x0etest-container\x12\abusybox\x1a\v/bin/sysctl\x1a\x16kernel.shm_rmid_forced*\x00B\x00j\x00r\x00\x80\x01\x00\x88\x01\x00\x90\x01\x00\xa2\x01\x00\x1a\x05Never2\x00B\x00J\x00R\x00X\x00`\x00h\x00r\x1f:\x1d\n\x16kernel.shm_rmid_forced\x12\x011\x18\x00\x82\x01\x00\x8a\x01\x00\x9a\x01\x00\xc2\x01\x00\x1a\x0e\n\x00\x1a\x00\"\x00*\x002\x00J\x00Z\x00\x1a\x00\"\x00

Once can notice the kernel.shm_rmid_forced string is contained twice. One corresponding to the command, the other one to the sysctl.

After decoding the Sysctls:[]core.Sysctl(nil)

EDIT: So the byte stream is properly unmarshalled into v1.Pod. Though, v1.Pod -> core.Pod drops the Sysctls :-|

EDIT2. Grrr, forgot to update Convert_core_PodSecurityContext_To_v1_PodSecurityContext and Convert_v1_PodSecurityContext_To_core_PodSecurityContext methods :-|

[liggitt]

no json tags on internal types

[ingvagabund]

Removed

[liggitt]

remove json tags from internal types

[ingvagabund]

Removed

[sttts]

lgtm also from my side.

[sjenning]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, ingvagabund, liggitt, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• api/OWNERS [liggitt]
• cmd/kubelet/OWNERS [derekwaynecarr]
• docs/api-reference/OWNERS [liggitt]
• pkg/apis/OWNERS [liggitt]
• pkg/features/OWNERS [derekwaynecarr,liggitt]
• pkg/kubelet/OWNERS [derekwaynecarr]
• pkg/security/podsecuritypolicy/OWNERS [liggitt]
• plugin/pkg/admission/security/podsecuritypolicy/OWNERS [derekwaynecarr,liggitt]
• staging/src/k8s.io/api/OWNERS [liggitt]
• test/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process

@derekwaynecarr @ingvagabund @liggitt @sjenning @tallclair @vishh

Pull Request Labels

• sig/auth sig/node: Pull Request will be escalated to these SIGs if needed.
• priority/critical-urgent: Never automatically move pull request out of a release milestone; continually escalate to contributor and SIG through all available channels.
• kind/feature: New functionality.

Help

• Additional instructions
• Commands for setting labels

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[ingvagabund]

/test pull-kubernetes-e2e-gce

[liggitt]

/retest

[liggitt]

/retest

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.