diff --git a/config/config.go b/config/config.go index 35a5e1e8..7ae1c8f5 100644 --- a/config/config.go +++ b/config/config.go @@ -7,6 +7,7 @@ import ( "log" "os/exec" "regexp" + "strings" "time" "k8s.io/apimachinery/pkg/types" @@ -31,6 +32,8 @@ type TestConfig struct { OperatorNamespace types.NamespacedName Version string ManualRemediationTimeout time.Duration + VariableTestEnabled bool + Variables map[string]string } var ( @@ -44,6 +47,8 @@ var ( bypassRemediations bool testType string manualRemediationTimeout time.Duration + variableTestEnabled bool + variables string ) // NewTestConfig creates a new TestConfig from the parsed flags and sets the @@ -60,6 +65,18 @@ func NewTestConfig() *TestConfig { logDir = defaultLogDir } + // Parse variables from comma-separated key=value pairs + variableMap := make(map[string]string) + if variables != "" { + pairs := strings.Split(variables, ",") + for _, pair := range pairs { + kv := strings.SplitN(pair, "=", 2) + if len(kv) == 2 { + variableMap[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1]) + } + } + } + return &TestConfig{ APIPollInterval: 5 * time.Second, E2eSettings: "e2e-debug", @@ -75,6 +92,8 @@ func NewTestConfig() *TestConfig { OperatorNamespace: types.NamespacedName{Name: "compliance-operator", Namespace: "openshift-compliance"}, Version: version, ManualRemediationTimeout: manualRemediationTimeout, + VariableTestEnabled: variableTestEnabled, + Variables: variableMap, } } @@ -94,6 +113,10 @@ func DefineFlags() { flag.StringVar(&testType, "test-type", "all", "Type of rules to test: 'platform', 'node', or 'all' (default)") flag.DurationVar(&manualRemediationTimeout, "manual-remediation-timeout", 30*time.Minute, "Timeout for manual remediation scripts") + flag.BoolVar(&variableTestEnabled, "variable-test", false, + "Enable variable customization testing") + flag.StringVar(&variables, "variables", "", + "Comma-separated variable assignments (e.g., 'var1=value1,var2=value2')") } // ValidateFlags checks that required flags are provided. diff --git a/e2e_test.go b/e2e_test.go index c19f9f75..3ee6a1a2 100644 --- a/e2e_test.go +++ b/e2e_test.go @@ -1,6 +1,7 @@ package ocp4e2e import ( + goctx "context" "flag" "fmt" "log" @@ -9,6 +10,7 @@ import ( "testing" "time" + cmpv1alpha1 "github.com/ComplianceAsCode/compliance-operator/pkg/apis/compliance/v1alpha1" ctrlLog "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" @@ -497,3 +499,267 @@ func TestProfileRemediations(t *testing.T) { t.Logf("Warning: Failed to wait for scan cleanup for binding %s: %s", bindingName, err) } } + +// TestVariableCustomization tests that TailoredProfile variable customization +// affects compliance check results as expected. +func TestVariableCustomization(t *testing.T) { + // Skip if variable testing not enabled + if !tc.VariableTestEnabled { + t.Skip("Skipping variable customization test: -variable-test not enabled") + } + + c, err := helpers.GenerateKubeConfig() + if err != nil { + t.Fatalf("Failed to generate kube config: %s", err) + } + + // Test configuration + baseProfileName := "ocp4-cis" + baselineBindingName := "baseline-scan-binding" + customizedProfileName := "tp-variables-customized" + customizedBindingName := "customized-scan-binding" + testNamespace1 := "test-ns-var-74227-1" + testNamespace2 := "test-ns-var-74227-2" + testSCCName := "scc-test-var-74227" + + // Step 0: Create test resources to trigger compliance failures + t.Log("Creating test resources (namespaces and SCC)...") + + // Create test namespaces (these will not have network policies, causing failures) + err = helpers.CreateTestNamespace(c, testNamespace1) + if err != nil { + t.Fatalf("Failed to create test namespace %s: %s", testNamespace1, err) + } + defer func() { + helpers.DeleteTestNamespace(c, testNamespace1) + }() + + err = helpers.CreateTestNamespace(c, testNamespace2) + if err != nil { + t.Fatalf("Failed to create test namespace %s: %s", testNamespace2, err) + } + defer func() { + helpers.DeleteTestNamespace(c, testNamespace2) + }() + + // Create test SCC with allowed capabilities (will fail SCC check) + err = helpers.CreateTestSCC(c, testSCCName) + if err != nil { + t.Fatalf("Failed to create test SCC %s: %s", testSCCName, err) + } + defer func() { + helpers.DeleteTestSCC(c, testSCCName) + }() + + // Get list of all non-control namespaces for variable value + nonControlNamespaces, err := helpers.GetNonControlNamespaces(c) + if err != nil { + t.Fatalf("Failed to get non-control namespaces: %s", err) + } + + // Build namespace exemption regex including test namespaces + namespaceRegex := "kube-.*|openshift-.*|default" + for _, ns := range nonControlNamespaces { + namespaceRegex += "|" + ns + } + + // Variables to test (from downstream tests 74227/74437) + testVariables := []struct { + name string + customValue string + affectedRules []string + }{ + { + name: "ocp4-var-network-policies-namespaces-exempt-regex", + customValue: namespaceRegex, + affectedRules: []string{ + "configure-network-policies-namespaces", + }, + }, + { + name: "ocp4-var-sccs-with-allowed-capabilities-regex", + customValue: "", + affectedRules: []string{ + "scc-limit-container-allowed-capabilities", + }, + }, + } + + t.Log("Preparing variable custom values...") + var variableSpecs []cmpv1alpha1.VariableValueSpec + + for i := range testVariables { + // Get default value + defaultValue, err := helpers.GetVariableDefaultValue(tc, c, testVariables[i].name) + if err != nil { + t.Logf("Warning: Failed to get default value for variable %s: %s", testVariables[i].name, err) + defaultValue = "" + } + + // For SCC capabilities: append test SCC pattern to default value + if testVariables[i].customValue == "" && defaultValue != "" { + testVariables[i].customValue = defaultValue + "|^" + testSCCName + "$" + } else if testVariables[i].customValue == "" { + testVariables[i].customValue = "^" + testSCCName + "$" + } + + variableSpecs = append(variableSpecs, cmpv1alpha1.VariableValueSpec{ + Name: testVariables[i].name, + Rationale: "E2E test variable customization", + Value: testVariables[i].customValue, + }) + + t.Logf("Variable %s: default='%s', custom='%s'", + testVariables[i].name, defaultValue, testVariables[i].customValue) + } + + // Step 1: Run baseline scan (using base profile directly) + t.Log("Running baseline scan with default variable values...") + err = helpers.CreateProfileScanBinding(tc, c, baselineBindingName, baseProfileName) + if err != nil { + t.Fatalf("Failed to create baseline scan binding: %s", err) + } + defer func() { + helpers.DeleteScanBinding(tc, c, baselineBindingName) + helpers.WaitForScanCleanup(tc, c, baselineBindingName) + }() + + err = helpers.WaitForComplianceSuite(tc, c, baselineBindingName) + if err != nil { + t.Fatalf("Failed to wait for baseline compliance suite: %s", err) + } + + baselineResults, err := helpers.CreateResultMap(tc, c, baselineBindingName) + if err != nil { + t.Fatalf("Failed to create baseline result map: %s", err) + } + + err = helpers.SaveResultAsYAML(tc, baselineResults, "baseline-variable-results.yaml") + if err != nil { + t.Logf("Warning: Failed to save baseline results: %s", err) + } + + t.Logf("Baseline scan completed with %d results", len(baselineResults)) + + // Step 2: Create customized TailoredProfile with variable overrides + t.Log("Creating customized TailoredProfile with variable overrides...") + err = helpers.CreateTailoredProfileWithVariables( + tc, c, + customizedProfileName, + baseProfileName, + nil, + variableSpecs, + ) + if err != nil { + t.Fatalf("Failed to create customized tailored profile: %s", err) + } + defer func() { + tp := &cmpv1alpha1.TailoredProfile{} + tp.Name = customizedProfileName + tp.Namespace = tc.OperatorNamespace.Namespace + c.Delete(goctx.TODO(), tp) + }() + + // Wait for TailoredProfile to be ready + err = helpers.WaitForTailoredProfileReady(tc, c, customizedProfileName) + if err != nil { + t.Fatalf("Failed to wait for customized tailored profile: %s", err) + } + + // Step 3: Run customized scan + t.Log("Running customized scan with variable overrides...") + err = helpers.CreateScanBinding( + c, tc, + customizedBindingName, + customizedProfileName, + "TailoredProfile", + "default", + ) + if err != nil { + t.Fatalf("Failed to create customized scan binding: %s", err) + } + defer func() { + helpers.DeleteScanBinding(tc, c, customizedBindingName) + helpers.WaitForScanCleanup(tc, c, customizedBindingName) + }() + + err = helpers.WaitForComplianceSuite(tc, c, customizedBindingName) + if err != nil { + t.Fatalf("Failed to wait for customized compliance suite: %s", err) + } + + customizedResults, err := helpers.CreateResultMap(tc, c, customizedBindingName) + if err != nil { + t.Fatalf("Failed to create customized result map: %s", err) + } + + err = helpers.SaveResultAsYAML(tc, customizedResults, "customized-variable-results.yaml") + if err != nil { + t.Logf("Warning: Failed to save customized results: %s", err) + } + + t.Logf("Customized scan completed with %d results", len(customizedResults)) + + // Step 4: Compare results and validate expectations + t.Log("Comparing baseline vs. customized results...") + differences := helpers.CompareResults(baselineResults, customizedResults) + + if len(differences) > 0 { + t.Logf("Found %d rules with different results:", len(differences)) + for ruleName, diff := range differences { + t.Logf(" - %s: %s → %s", ruleName, diff.BaselineResult, diff.CustomizedResult) + } + } else { + t.Log("WARNING: No differences found between baseline and customized scans") + } + + // Step 5: Validate that expected rules changed as predicted + t.Log("Validating that variables affected expected rules...") + var validationErrors []string + + for _, varTest := range testVariables { + for _, expectedRule := range varTest.affectedRules { + // Build the actual rule names with profile prefixes + customizedRuleName := customizedProfileName + "-" + expectedRule + baselineRuleName := baseProfileName + "-" + expectedRule + + // Check if rule exists in results + baselineResult, baselineExists := baselineResults[baselineRuleName] + customizedResult, customizedExists := customizedResults[customizedRuleName] + + if !baselineExists { + validationErrors = append(validationErrors, + fmt.Sprintf("Baseline rule %s not found", baselineRuleName)) + continue + } + + if !customizedExists { + validationErrors = append(validationErrors, + fmt.Sprintf("Customized rule %s not found", customizedRuleName)) + continue + } + + // Check if results differ + if baselineResult == customizedResult { + t.Logf("Variable %s did not change result for %s (both: %s)", + varTest.name, expectedRule, baselineResult) + } else { + t.Logf("Variable %s changed %s: %s → %s", + varTest.name, expectedRule, baselineResult, customizedResult) + } + } + } + + // Step 6: Report validation results + if len(validationErrors) > 0 { + t.Errorf("Variable customization validation failed with %d errors:", len(validationErrors)) + for _, errMsg := range validationErrors { + t.Errorf(" - %s", errMsg) + } + t.Fatal("Variable customization test encountered errors") + } + + t.Log("Variable customization test completed successfully") + t.Logf("Variables tested: %d", len(testVariables)) + t.Logf("Total result differences: %d", len(differences)) +} diff --git a/go.mod b/go.mod index 90a4e46f..960e77ca 100644 --- a/go.mod +++ b/go.mod @@ -7,6 +7,7 @@ toolchain go1.23.10 require ( github.com/ComplianceAsCode/compliance-operator v1.7.0 github.com/cenkalti/backoff/v4 v4.3.0 + github.com/openshift/api v0.0.0-20250320115527-3aa9dd5b9002 github.com/openshift/machine-config-operator v0.0.1-0.20250401081735-9026ff2d802e gopkg.in/yaml.v2 v2.4.0 k8s.io/api v0.32.3 @@ -38,7 +39,6 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/onsi/ginkgo/v2 v2.22.1 // indirect - github.com/openshift/api v0.0.0-20250320115527-3aa9dd5b9002 // indirect github.com/spf13/pflag v1.0.6 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect diff --git a/go.sum b/go.sum index 854172fd..44dcc93f 100644 --- a/go.sum +++ b/go.sum @@ -1715,6 +1715,7 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo= go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= @@ -2706,8 +2707,6 @@ rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4= -sigs.k8s.io/controller-runtime v0.20.2 h1:/439OZVxoEc02psi1h4QO3bHzTgu49bb347Xp4gW1pc= -sigs.k8s.io/controller-runtime v0.20.2/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY= sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU= sigs.k8s.io/controller-runtime v0.20.4/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= diff --git a/helpers/utilities.go b/helpers/utilities.go index 4a8f5afe..3b08230b 100644 --- a/helpers/utilities.go +++ b/helpers/utilities.go @@ -19,10 +19,12 @@ import ( cmpapis "github.com/ComplianceAsCode/compliance-operator/pkg/apis" cmpv1alpha1 "github.com/ComplianceAsCode/compliance-operator/pkg/apis/compliance/v1alpha1" backoff "github.com/cenkalti/backoff/v4" + secv1 "github.com/openshift/api/security/v1" mcfg "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io" mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1" "gopkg.in/yaml.v2" appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" extscheme "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/scheme" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -145,6 +147,9 @@ func GenerateKubeConfig() (dynclient.Client, error) { if err := mcfg.Install(scheme); err != nil { return nil, fmt.Errorf("failed to add MachineConfig scheme to runtime scheme: %w", err) } + if err := secv1.AddToScheme(scheme); err != nil { + return nil, fmt.Errorf("failed to add OpenShift security scheme to runtime scheme: %w", err) + } dc, err := dynclient.New(cfg, dynclient.Options{Scheme: scheme}) if err != nil { @@ -454,15 +459,71 @@ func ensureOperatorGroupExists(c dynclient.Client, tc *testConfig.TestConfig) er // createTailoredProfile creates a TailoredProfile with the given rules. func createTailoredProfile(tc *testConfig.TestConfig, c dynclient.Client, name string, rules []cmpv1alpha1.Rule) error { - ruleRefs := make([]cmpv1alpha1.RuleReferenceSpec, len(rules)) - for i := range rules { - ruleRefs[i] = cmpv1alpha1.RuleReferenceSpec{ - Name: rules[i].Name, + return CreateTailoredProfileWithVariables(tc, c, name, "", rules, nil) +} + +// CreatePlatformTailoredProfile creates a TailoredProfile with all platform rules. +func CreatePlatformTailoredProfile(tc *testConfig.TestConfig, c dynclient.Client) error { + platformRules, err := findPlatformRules(c, tc) + if err != nil { + return fmt.Errorf("failed to find platform rules: %w", err) + } + return createTailoredProfile(tc, c, "platform", platformRules) +} + +// CreateNodeTailoredProfile creates two TailoredProfiles: one for OpenShift +// node rules and one for RHCOS node rules. We need to create two separate +// tailored profiles because a profile cannot have rules from multiple +// products. +func CreateNodeTailoredProfile(tc *testConfig.TestConfig, c dynclient.Client) error { + ocpNodeRules, err := findNodeRulesByBundle(c, "ocp4") + if err != nil { + return fmt.Errorf("failed to find OpenShift node rules: %w", err) + } + + rhcosNodeRules, err := findNodeRulesByBundle(c, "rhcos4") + if err != nil { + return fmt.Errorf("failed to find RHCOS node rules: %w", err) + } + + if len(ocpNodeRules) > 0 { + err = createTailoredProfile(tc, c, "ocp-node", ocpNodeRules) + if err != nil { + return fmt.Errorf("failed to create OpenShift node tailored profile: %w", err) + } + } + + if len(rhcosNodeRules) > 0 { + err = createTailoredProfile(tc, c, "rhcos-node", rhcosNodeRules) + if err != nil { + return fmt.Errorf("failed to create RHCOS node tailored profile: %w", err) + } + } + + return nil +} + +// CreateTailoredProfileWithVariables creates a TailoredProfile with rule selections and variable values. +// This extends createTailoredProfile to support the SetValues field for variable customization. +func CreateTailoredProfileWithVariables( + tc *testConfig.TestConfig, + c dynclient.Client, + name string, + extendsProfile string, + rules []cmpv1alpha1.Rule, + variables []cmpv1alpha1.VariableValueSpec, +) error { + var ruleRefs []cmpv1alpha1.RuleReferenceSpec + if len(rules) > 0 { + ruleRefs = make([]cmpv1alpha1.RuleReferenceSpec, len(rules)) + for i := range rules { + ruleRefs[i] = cmpv1alpha1.RuleReferenceSpec{ + Name: rules[i].Name, + } } } - // Determine product type based on the first rule's check type so we - // can set the profile's product-type appropriately + // Determine product type based on first rule or base profile annotations := make(map[string]string) if len(rules) > 0 { switch rules[0].CheckType { @@ -471,9 +532,22 @@ func createTailoredProfile(tc *testConfig.TestConfig, c dynclient.Client, name s case cmpv1alpha1.CheckTypePlatform: annotations["compliance.openshift.io/product-type"] = "Platform" } + } else if extendsProfile != "" { + // Query the base profile to get its product type + baseProfile := &cmpv1alpha1.Profile{} + err := c.Get(goctx.TODO(), dynclient.ObjectKey{ + Name: extendsProfile, + Namespace: tc.OperatorNamespace.Namespace, + }, baseProfile) + if err != nil { + return fmt.Errorf("failed to get base profile %s: %w", extendsProfile, err) + } + if productType, exists := baseProfile.Annotations["compliance.openshift.io/product-type"]; exists { + annotations["compliance.openshift.io/product-type"] = productType + } } - description := fmt.Sprintf("Tailored profile containing all %s rules", name) + description := fmt.Sprintf("Tailored profile %s with variable customization", name) tailoredProfile := &cmpv1alpha1.TailoredProfile{ ObjectMeta: metav1.ObjectMeta{ Name: name, @@ -482,60 +556,230 @@ func createTailoredProfile(tc *testConfig.TestConfig, c dynclient.Client, name s }, Spec: cmpv1alpha1.TailoredProfileSpec{ Description: description, - EnableRules: ruleRefs, Title: name, + Extends: extendsProfile, + EnableRules: ruleRefs, + SetValues: variables, }, } err := c.Create(goctx.TODO(), tailoredProfile) if err != nil && !apierrors.IsAlreadyExists(err) { - return err + return fmt.Errorf("failed to create tailored profile with variables: %w", err) } - log.Printf("Created %s tailored profile with %d rules", name, len(rules)) + + log.Printf("Created tailored profile %s extending %s with %d variables", name, extendsProfile, len(variables)) return nil } -// CreatePlatformTailoredProfile creates a TailoredProfile with all platform rules. -func CreatePlatformTailoredProfile(tc *testConfig.TestConfig, c dynclient.Client) error { - platformRules, err := findPlatformRules(c, tc) +// WaitForTailoredProfileReady waits for a TailoredProfile to reach READY state. +func WaitForTailoredProfileReady( + tc *testConfig.TestConfig, + c dynclient.Client, + profileName string, +) error { + key := types.NamespacedName{ + Name: profileName, + Namespace: tc.OperatorNamespace.Namespace, + } + + bo := backoff.WithMaxRetries(backoff.NewConstantBackOff(tc.APIPollInterval), 60) + err := backoff.RetryNotify(func() error { + tp := &cmpv1alpha1.TailoredProfile{} + if err := c.Get(goctx.TODO(), key, tp); err != nil { + return err + } + + if tp.Status.State == cmpv1alpha1.TailoredProfileStateError { + return backoff.Permanent(fmt.Errorf("tailored profile %s is in ERROR state: %s", + profileName, tp.Status.ErrorMessage)) + } + + if tp.Status.State != cmpv1alpha1.TailoredProfileStateReady { + return fmt.Errorf("tailored profile %s is in %s state", profileName, tp.Status.State) + } + + return nil + }, bo, func(err error, d time.Duration) { + log.Printf("Waiting for TailoredProfile %s to be ready after %s: %s", + profileName, d.String(), err) + }) + if err != nil { - return fmt.Errorf("failed to find platform rules: %w", err) + return fmt.Errorf("timeout waiting for TailoredProfile %s: %w", profileName, err) } - return createTailoredProfile(tc, c, "platform", platformRules) + + log.Printf("TailoredProfile %s is READY", profileName) + return nil } -// CreateNodeTailoredProfile creates two TailoredProfiles: one for OpenShift -// node rules and one for RHCOS node rules. We need to create two separate -// tailored profiles because a profile cannot have rules from multiple -// products. -func CreateNodeTailoredProfile(tc *testConfig.TestConfig, c dynclient.Client) error { - ocpNodeRules, err := findNodeRulesByBundle(c, "ocp4") - if err != nil { - return fmt.Errorf("failed to find OpenShift node rules: %w", err) +// GetVariableDefaultValue retrieves the default value of a Variable CR. +func GetVariableDefaultValue( + tc *testConfig.TestConfig, + c dynclient.Client, + variableName string, +) (string, error) { + key := types.NamespacedName{ + Name: variableName, + Namespace: tc.OperatorNamespace.Namespace, } - rhcosNodeRules, err := findNodeRulesByBundle(c, "rhcos4") + variable := &cmpv1alpha1.Variable{} + err := c.Get(goctx.TODO(), key, variable) if err != nil { - return fmt.Errorf("failed to find RHCOS node rules: %w", err) + return "", fmt.Errorf("failed to get variable %s: %w", variableName, err) } - if len(ocpNodeRules) > 0 { - err = createTailoredProfile(tc, c, "ocp-node", ocpNodeRules) - if err != nil { - return fmt.Errorf("failed to create OpenShift node tailored profile: %w", err) + return variable.Value, nil +} + +// ResultDifference represents a difference in compliance check results between two scans. +type ResultDifference struct { + BaselineResult string + CustomizedResult string +} + +// CompareResults compares two result maps and returns differences. +func CompareResults( + baselineResults map[string]string, + customizedResults map[string]string, +) map[string]ResultDifference { + differences := make(map[string]ResultDifference) + + // Find rules that exist in both and have different results + for ruleName, baselineResult := range baselineResults { + if customizedResult, exists := customizedResults[ruleName]; exists { + if baselineResult != customizedResult { + differences[ruleName] = ResultDifference{ + BaselineResult: baselineResult, + CustomizedResult: customizedResult, + } + } } } - if len(rhcosNodeRules) > 0 { - err = createTailoredProfile(tc, c, "rhcos-node", rhcosNodeRules) - if err != nil { - return fmt.Errorf("failed to create RHCOS node tailored profile: %w", err) - } + return differences +} + +// CreateTestNamespace creates a test namespace for variable testing. +func CreateTestNamespace(c dynclient.Client, name string) error { + ns := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, } + err := c.Create(goctx.TODO(), ns) + if err != nil && !apierrors.IsAlreadyExists(err) { + return fmt.Errorf("failed to create namespace %s: %w", name, err) + } + + log.Printf("Created test namespace: %s", name) return nil } +// DeleteTestNamespace deletes a test namespace. +func DeleteTestNamespace(c dynclient.Client, name string) error { + ns := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + } + + err := c.Delete(goctx.TODO(), ns) + if err != nil && !apierrors.IsNotFound(err) { + return fmt.Errorf("failed to delete namespace %s: %w", name, err) + } + + log.Printf("Deleted test namespace: %s", name) + return nil +} + +// CreateTestSCC creates a test SecurityContextConstraints with allowed capabilities. +func CreateTestSCC(c dynclient.Client, name string) error { + scc := &secv1.SecurityContextConstraints{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + AllowPrivilegedContainer: false, + AllowHostDirVolumePlugin: false, + AllowHostNetwork: false, + AllowHostPorts: false, + AllowHostPID: false, + AllowHostIPC: false, + ReadOnlyRootFilesystem: false, + RequiredDropCapabilities: []corev1.Capability{}, + DefaultAddCapabilities: []corev1.Capability{}, + AllowedCapabilities: []corev1.Capability{ + "NET_ADMIN", + "SYS_TIME", + }, + RunAsUser: secv1.RunAsUserStrategyOptions{ + Type: secv1.RunAsUserStrategyMustRunAsRange, + }, + SELinuxContext: secv1.SELinuxContextStrategyOptions{ + Type: secv1.SELinuxStrategyMustRunAs, + }, + FSGroup: secv1.FSGroupStrategyOptions{ + Type: secv1.FSGroupStrategyMustRunAs, + }, + SupplementalGroups: secv1.SupplementalGroupsStrategyOptions{ + Type: secv1.SupplementalGroupsStrategyMustRunAs, + }, + Users: []string{}, + Groups: []string{}, + } + + err := c.Create(goctx.TODO(), scc) + if err != nil && !apierrors.IsAlreadyExists(err) { + return fmt.Errorf("failed to create SCC %s: %w", name, err) + } + + log.Printf("Created test SCC: %s with allowed capabilities", name) + return nil +} + +// DeleteTestSCC deletes a test SecurityContextConstraints. +func DeleteTestSCC(c dynclient.Client, name string) error { + scc := &secv1.SecurityContextConstraints{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + } + + err := c.Delete(goctx.TODO(), scc) + if err != nil && !apierrors.IsNotFound(err) { + return fmt.Errorf("failed to delete SCC %s: %w", name, err) + } + + log.Printf("Deleted test SCC: %s", name) + return nil +} + +// GetNonControlNamespaces returns a list of non-control-plane namespace names. +// This excludes kube-* and openshift-* namespaces. +func GetNonControlNamespaces(c dynclient.Client) ([]string, error) { + nsList := &corev1.NamespaceList{} + err := c.List(goctx.TODO(), nsList) + if err != nil { + return nil, fmt.Errorf("failed to list namespaces: %w", err) + } + + var nonControlNamespaces []string + for _, ns := range nsList.Items { + name := ns.Name + // Skip control plane namespaces + if strings.HasPrefix(name, "kube-") || + strings.HasPrefix(name, "openshift-") || + name == "default" { + continue + } + nonControlNamespaces = append(nonControlNamespaces, name) + } + + return nonControlNamespaces, nil +} + // findPlatformRules finds all Rule custom resources of type Platform and returns them. func findPlatformRules(c dynclient.Client, tc *testConfig.TestConfig) ([]cmpv1alpha1.Rule, error) { ruleList := &cmpv1alpha1.RuleList{} diff --git a/vendor/github.com/openshift/api/security/v1/Makefile b/vendor/github.com/openshift/api/security/v1/Makefile new file mode 100644 index 00000000..096e6fa2 --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/Makefile @@ -0,0 +1,3 @@ +.PHONY: test +test: + make -C ../../tests test GINKGO_EXTRA_ARGS=--focus="security.openshift.io/v1" diff --git a/vendor/github.com/openshift/api/security/v1/consts.go b/vendor/github.com/openshift/api/security/v1/consts.go new file mode 100644 index 00000000..92147d3c --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/consts.go @@ -0,0 +1,21 @@ +package v1 + +const ( + UIDRangeAnnotation = "openshift.io/sa.scc.uid-range" + // SupplementalGroupsAnnotation contains a comma delimited list of allocated supplemental groups + // for the namespace. Groups are in the form of a Block which supports {start}/{length} or {start}-{end} + SupplementalGroupsAnnotation = "openshift.io/sa.scc.supplemental-groups" + MCSAnnotation = "openshift.io/sa.scc.mcs" + ValidatedSCCAnnotation = "openshift.io/scc" + // This annotation pins required SCCs for core OpenShift workloads to prevent preemption of custom SCCs. + // It is being used in the SCC admission plugin. + RequiredSCCAnnotation = "openshift.io/required-scc" + + // MinimallySufficientPodSecurityStandard indicates the PodSecurityStandard that matched the SCCs available to the users of the namespace. + MinimallySufficientPodSecurityStandard = "security.openshift.io/MinimallySufficientPodSecurityStandard" + + // ValidatedSCCSubjectTypeAnnotation indicates the subject type that allowed the + // SCC admission. This can be used by controllers to detect potential issues + // between user-driven SCC usage and the ServiceAccount-driven SCC usage. + ValidatedSCCSubjectTypeAnnotation = "security.openshift.io/validated-scc-subject-type" +) diff --git a/vendor/github.com/openshift/api/security/v1/doc.go b/vendor/github.com/openshift/api/security/v1/doc.go new file mode 100644 index 00000000..44fe37eb --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/doc.go @@ -0,0 +1,8 @@ +// +k8s:deepcopy-gen=package,register +// +k8s:conversion-gen=github.com/openshift/origin/pkg/security/apis/security +// +k8s:defaulter-gen=TypeMeta +// +k8s:openapi-gen=true + +// +groupName=security.openshift.io +// Package v1 is the v1 version of the API. +package v1 diff --git a/vendor/github.com/openshift/api/security/v1/generated.pb.go b/vendor/github.com/openshift/api/security/v1/generated.pb.go new file mode 100644 index 00000000..e28b5958 --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/generated.pb.go @@ -0,0 +1,5466 @@ +// Code generated by protoc-gen-gogo. DO NOT EDIT. +// source: github.com/openshift/api/security/v1/generated.proto + +package v1 + +import ( + fmt "fmt" + + io "io" + + proto "github.com/gogo/protobuf/proto" + k8s_io_api_core_v1 "k8s.io/api/core/v1" + v11 "k8s.io/api/core/v1" + + math "math" + math_bits "math/bits" + reflect "reflect" + strings "strings" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package + +func (m *AllowedFlexVolume) Reset() { *m = AllowedFlexVolume{} } +func (*AllowedFlexVolume) ProtoMessage() {} +func (*AllowedFlexVolume) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{0} +} +func (m *AllowedFlexVolume) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *AllowedFlexVolume) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *AllowedFlexVolume) XXX_Merge(src proto.Message) { + xxx_messageInfo_AllowedFlexVolume.Merge(m, src) +} +func (m *AllowedFlexVolume) XXX_Size() int { + return m.Size() +} +func (m *AllowedFlexVolume) XXX_DiscardUnknown() { + xxx_messageInfo_AllowedFlexVolume.DiscardUnknown(m) +} + +var xxx_messageInfo_AllowedFlexVolume proto.InternalMessageInfo + +func (m *FSGroupStrategyOptions) Reset() { *m = FSGroupStrategyOptions{} } +func (*FSGroupStrategyOptions) ProtoMessage() {} +func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{1} +} +func (m *FSGroupStrategyOptions) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *FSGroupStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *FSGroupStrategyOptions) XXX_Merge(src proto.Message) { + xxx_messageInfo_FSGroupStrategyOptions.Merge(m, src) +} +func (m *FSGroupStrategyOptions) XXX_Size() int { + return m.Size() +} +func (m *FSGroupStrategyOptions) XXX_DiscardUnknown() { + xxx_messageInfo_FSGroupStrategyOptions.DiscardUnknown(m) +} + +var xxx_messageInfo_FSGroupStrategyOptions proto.InternalMessageInfo + +func (m *IDRange) Reset() { *m = IDRange{} } +func (*IDRange) ProtoMessage() {} +func (*IDRange) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{2} +} +func (m *IDRange) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *IDRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *IDRange) XXX_Merge(src proto.Message) { + xxx_messageInfo_IDRange.Merge(m, src) +} +func (m *IDRange) XXX_Size() int { + return m.Size() +} +func (m *IDRange) XXX_DiscardUnknown() { + xxx_messageInfo_IDRange.DiscardUnknown(m) +} + +var xxx_messageInfo_IDRange proto.InternalMessageInfo + +func (m *PodSecurityPolicyReview) Reset() { *m = PodSecurityPolicyReview{} } +func (*PodSecurityPolicyReview) ProtoMessage() {} +func (*PodSecurityPolicyReview) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{3} +} +func (m *PodSecurityPolicyReview) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *PodSecurityPolicyReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *PodSecurityPolicyReview) XXX_Merge(src proto.Message) { + xxx_messageInfo_PodSecurityPolicyReview.Merge(m, src) +} +func (m *PodSecurityPolicyReview) XXX_Size() int { + return m.Size() +} +func (m *PodSecurityPolicyReview) XXX_DiscardUnknown() { + xxx_messageInfo_PodSecurityPolicyReview.DiscardUnknown(m) +} + +var xxx_messageInfo_PodSecurityPolicyReview proto.InternalMessageInfo + +func (m *PodSecurityPolicyReviewSpec) Reset() { *m = PodSecurityPolicyReviewSpec{} } +func (*PodSecurityPolicyReviewSpec) ProtoMessage() {} +func (*PodSecurityPolicyReviewSpec) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{4} +} +func (m *PodSecurityPolicyReviewSpec) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *PodSecurityPolicyReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *PodSecurityPolicyReviewSpec) XXX_Merge(src proto.Message) { + xxx_messageInfo_PodSecurityPolicyReviewSpec.Merge(m, src) +} +func (m *PodSecurityPolicyReviewSpec) XXX_Size() int { + return m.Size() +} +func (m *PodSecurityPolicyReviewSpec) XXX_DiscardUnknown() { + xxx_messageInfo_PodSecurityPolicyReviewSpec.DiscardUnknown(m) +} + +var xxx_messageInfo_PodSecurityPolicyReviewSpec proto.InternalMessageInfo + +func (m *PodSecurityPolicyReviewStatus) Reset() { *m = PodSecurityPolicyReviewStatus{} } +func (*PodSecurityPolicyReviewStatus) ProtoMessage() {} +func (*PodSecurityPolicyReviewStatus) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{5} +} +func (m *PodSecurityPolicyReviewStatus) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *PodSecurityPolicyReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *PodSecurityPolicyReviewStatus) XXX_Merge(src proto.Message) { + xxx_messageInfo_PodSecurityPolicyReviewStatus.Merge(m, src) +} +func (m *PodSecurityPolicyReviewStatus) XXX_Size() int { + return m.Size() +} +func (m *PodSecurityPolicyReviewStatus) XXX_DiscardUnknown() { + xxx_messageInfo_PodSecurityPolicyReviewStatus.DiscardUnknown(m) +} + +var xxx_messageInfo_PodSecurityPolicyReviewStatus proto.InternalMessageInfo + +func (m *PodSecurityPolicySelfSubjectReview) Reset() { *m = PodSecurityPolicySelfSubjectReview{} } +func (*PodSecurityPolicySelfSubjectReview) ProtoMessage() {} +func (*PodSecurityPolicySelfSubjectReview) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{6} +} +func (m *PodSecurityPolicySelfSubjectReview) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *PodSecurityPolicySelfSubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *PodSecurityPolicySelfSubjectReview) XXX_Merge(src proto.Message) { + xxx_messageInfo_PodSecurityPolicySelfSubjectReview.Merge(m, src) +} +func (m *PodSecurityPolicySelfSubjectReview) XXX_Size() int { + return m.Size() +} +func (m *PodSecurityPolicySelfSubjectReview) XXX_DiscardUnknown() { + xxx_messageInfo_PodSecurityPolicySelfSubjectReview.DiscardUnknown(m) +} + +var xxx_messageInfo_PodSecurityPolicySelfSubjectReview proto.InternalMessageInfo + +func (m *PodSecurityPolicySelfSubjectReviewSpec) Reset() { + *m = PodSecurityPolicySelfSubjectReviewSpec{} +} +func (*PodSecurityPolicySelfSubjectReviewSpec) ProtoMessage() {} +func (*PodSecurityPolicySelfSubjectReviewSpec) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{7} +} +func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_Merge(src proto.Message) { + xxx_messageInfo_PodSecurityPolicySelfSubjectReviewSpec.Merge(m, src) +} +func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_Size() int { + return m.Size() +} +func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_DiscardUnknown() { + xxx_messageInfo_PodSecurityPolicySelfSubjectReviewSpec.DiscardUnknown(m) +} + +var xxx_messageInfo_PodSecurityPolicySelfSubjectReviewSpec proto.InternalMessageInfo + +func (m *PodSecurityPolicySubjectReview) Reset() { *m = PodSecurityPolicySubjectReview{} } +func (*PodSecurityPolicySubjectReview) ProtoMessage() {} +func (*PodSecurityPolicySubjectReview) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{8} +} +func (m *PodSecurityPolicySubjectReview) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *PodSecurityPolicySubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *PodSecurityPolicySubjectReview) XXX_Merge(src proto.Message) { + xxx_messageInfo_PodSecurityPolicySubjectReview.Merge(m, src) +} +func (m *PodSecurityPolicySubjectReview) XXX_Size() int { + return m.Size() +} +func (m *PodSecurityPolicySubjectReview) XXX_DiscardUnknown() { + xxx_messageInfo_PodSecurityPolicySubjectReview.DiscardUnknown(m) +} + +var xxx_messageInfo_PodSecurityPolicySubjectReview proto.InternalMessageInfo + +func (m *PodSecurityPolicySubjectReviewSpec) Reset() { *m = PodSecurityPolicySubjectReviewSpec{} } +func (*PodSecurityPolicySubjectReviewSpec) ProtoMessage() {} +func (*PodSecurityPolicySubjectReviewSpec) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{9} +} +func (m *PodSecurityPolicySubjectReviewSpec) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *PodSecurityPolicySubjectReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *PodSecurityPolicySubjectReviewSpec) XXX_Merge(src proto.Message) { + xxx_messageInfo_PodSecurityPolicySubjectReviewSpec.Merge(m, src) +} +func (m *PodSecurityPolicySubjectReviewSpec) XXX_Size() int { + return m.Size() +} +func (m *PodSecurityPolicySubjectReviewSpec) XXX_DiscardUnknown() { + xxx_messageInfo_PodSecurityPolicySubjectReviewSpec.DiscardUnknown(m) +} + +var xxx_messageInfo_PodSecurityPolicySubjectReviewSpec proto.InternalMessageInfo + +func (m *PodSecurityPolicySubjectReviewStatus) Reset() { *m = PodSecurityPolicySubjectReviewStatus{} } +func (*PodSecurityPolicySubjectReviewStatus) ProtoMessage() {} +func (*PodSecurityPolicySubjectReviewStatus) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{10} +} +func (m *PodSecurityPolicySubjectReviewStatus) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *PodSecurityPolicySubjectReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *PodSecurityPolicySubjectReviewStatus) XXX_Merge(src proto.Message) { + xxx_messageInfo_PodSecurityPolicySubjectReviewStatus.Merge(m, src) +} +func (m *PodSecurityPolicySubjectReviewStatus) XXX_Size() int { + return m.Size() +} +func (m *PodSecurityPolicySubjectReviewStatus) XXX_DiscardUnknown() { + xxx_messageInfo_PodSecurityPolicySubjectReviewStatus.DiscardUnknown(m) +} + +var xxx_messageInfo_PodSecurityPolicySubjectReviewStatus proto.InternalMessageInfo + +func (m *RangeAllocation) Reset() { *m = RangeAllocation{} } +func (*RangeAllocation) ProtoMessage() {} +func (*RangeAllocation) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{11} +} +func (m *RangeAllocation) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RangeAllocation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RangeAllocation) XXX_Merge(src proto.Message) { + xxx_messageInfo_RangeAllocation.Merge(m, src) +} +func (m *RangeAllocation) XXX_Size() int { + return m.Size() +} +func (m *RangeAllocation) XXX_DiscardUnknown() { + xxx_messageInfo_RangeAllocation.DiscardUnknown(m) +} + +var xxx_messageInfo_RangeAllocation proto.InternalMessageInfo + +func (m *RangeAllocationList) Reset() { *m = RangeAllocationList{} } +func (*RangeAllocationList) ProtoMessage() {} +func (*RangeAllocationList) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{12} +} +func (m *RangeAllocationList) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RangeAllocationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RangeAllocationList) XXX_Merge(src proto.Message) { + xxx_messageInfo_RangeAllocationList.Merge(m, src) +} +func (m *RangeAllocationList) XXX_Size() int { + return m.Size() +} +func (m *RangeAllocationList) XXX_DiscardUnknown() { + xxx_messageInfo_RangeAllocationList.DiscardUnknown(m) +} + +var xxx_messageInfo_RangeAllocationList proto.InternalMessageInfo + +func (m *RunAsUserStrategyOptions) Reset() { *m = RunAsUserStrategyOptions{} } +func (*RunAsUserStrategyOptions) ProtoMessage() {} +func (*RunAsUserStrategyOptions) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{13} +} +func (m *RunAsUserStrategyOptions) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RunAsUserStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RunAsUserStrategyOptions) XXX_Merge(src proto.Message) { + xxx_messageInfo_RunAsUserStrategyOptions.Merge(m, src) +} +func (m *RunAsUserStrategyOptions) XXX_Size() int { + return m.Size() +} +func (m *RunAsUserStrategyOptions) XXX_DiscardUnknown() { + xxx_messageInfo_RunAsUserStrategyOptions.DiscardUnknown(m) +} + +var xxx_messageInfo_RunAsUserStrategyOptions proto.InternalMessageInfo + +func (m *SELinuxContextStrategyOptions) Reset() { *m = SELinuxContextStrategyOptions{} } +func (*SELinuxContextStrategyOptions) ProtoMessage() {} +func (*SELinuxContextStrategyOptions) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{14} +} +func (m *SELinuxContextStrategyOptions) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *SELinuxContextStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *SELinuxContextStrategyOptions) XXX_Merge(src proto.Message) { + xxx_messageInfo_SELinuxContextStrategyOptions.Merge(m, src) +} +func (m *SELinuxContextStrategyOptions) XXX_Size() int { + return m.Size() +} +func (m *SELinuxContextStrategyOptions) XXX_DiscardUnknown() { + xxx_messageInfo_SELinuxContextStrategyOptions.DiscardUnknown(m) +} + +var xxx_messageInfo_SELinuxContextStrategyOptions proto.InternalMessageInfo + +func (m *SecurityContextConstraints) Reset() { *m = SecurityContextConstraints{} } +func (*SecurityContextConstraints) ProtoMessage() {} +func (*SecurityContextConstraints) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{15} +} +func (m *SecurityContextConstraints) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *SecurityContextConstraints) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *SecurityContextConstraints) XXX_Merge(src proto.Message) { + xxx_messageInfo_SecurityContextConstraints.Merge(m, src) +} +func (m *SecurityContextConstraints) XXX_Size() int { + return m.Size() +} +func (m *SecurityContextConstraints) XXX_DiscardUnknown() { + xxx_messageInfo_SecurityContextConstraints.DiscardUnknown(m) +} + +var xxx_messageInfo_SecurityContextConstraints proto.InternalMessageInfo + +func (m *SecurityContextConstraintsList) Reset() { *m = SecurityContextConstraintsList{} } +func (*SecurityContextConstraintsList) ProtoMessage() {} +func (*SecurityContextConstraintsList) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{16} +} +func (m *SecurityContextConstraintsList) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *SecurityContextConstraintsList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *SecurityContextConstraintsList) XXX_Merge(src proto.Message) { + xxx_messageInfo_SecurityContextConstraintsList.Merge(m, src) +} +func (m *SecurityContextConstraintsList) XXX_Size() int { + return m.Size() +} +func (m *SecurityContextConstraintsList) XXX_DiscardUnknown() { + xxx_messageInfo_SecurityContextConstraintsList.DiscardUnknown(m) +} + +var xxx_messageInfo_SecurityContextConstraintsList proto.InternalMessageInfo + +func (m *ServiceAccountPodSecurityPolicyReviewStatus) Reset() { + *m = ServiceAccountPodSecurityPolicyReviewStatus{} +} +func (*ServiceAccountPodSecurityPolicyReviewStatus) ProtoMessage() {} +func (*ServiceAccountPodSecurityPolicyReviewStatus) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{17} +} +func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Merge(src proto.Message) { + xxx_messageInfo_ServiceAccountPodSecurityPolicyReviewStatus.Merge(m, src) +} +func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Size() int { + return m.Size() +} +func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_DiscardUnknown() { + xxx_messageInfo_ServiceAccountPodSecurityPolicyReviewStatus.DiscardUnknown(m) +} + +var xxx_messageInfo_ServiceAccountPodSecurityPolicyReviewStatus proto.InternalMessageInfo + +func (m *SupplementalGroupsStrategyOptions) Reset() { *m = SupplementalGroupsStrategyOptions{} } +func (*SupplementalGroupsStrategyOptions) ProtoMessage() {} +func (*SupplementalGroupsStrategyOptions) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{18} +} +func (m *SupplementalGroupsStrategyOptions) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *SupplementalGroupsStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *SupplementalGroupsStrategyOptions) XXX_Merge(src proto.Message) { + xxx_messageInfo_SupplementalGroupsStrategyOptions.Merge(m, src) +} +func (m *SupplementalGroupsStrategyOptions) XXX_Size() int { + return m.Size() +} +func (m *SupplementalGroupsStrategyOptions) XXX_DiscardUnknown() { + xxx_messageInfo_SupplementalGroupsStrategyOptions.DiscardUnknown(m) +} + +var xxx_messageInfo_SupplementalGroupsStrategyOptions proto.InternalMessageInfo + +func init() { + proto.RegisterType((*AllowedFlexVolume)(nil), "github.com.openshift.api.security.v1.AllowedFlexVolume") + proto.RegisterType((*FSGroupStrategyOptions)(nil), "github.com.openshift.api.security.v1.FSGroupStrategyOptions") + proto.RegisterType((*IDRange)(nil), "github.com.openshift.api.security.v1.IDRange") + proto.RegisterType((*PodSecurityPolicyReview)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicyReview") + proto.RegisterType((*PodSecurityPolicyReviewSpec)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicyReviewSpec") + proto.RegisterType((*PodSecurityPolicyReviewStatus)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicyReviewStatus") + proto.RegisterType((*PodSecurityPolicySelfSubjectReview)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySelfSubjectReview") + proto.RegisterType((*PodSecurityPolicySelfSubjectReviewSpec)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySelfSubjectReviewSpec") + proto.RegisterType((*PodSecurityPolicySubjectReview)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySubjectReview") + proto.RegisterType((*PodSecurityPolicySubjectReviewSpec)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySubjectReviewSpec") + proto.RegisterType((*PodSecurityPolicySubjectReviewStatus)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySubjectReviewStatus") + proto.RegisterType((*RangeAllocation)(nil), "github.com.openshift.api.security.v1.RangeAllocation") + proto.RegisterType((*RangeAllocationList)(nil), "github.com.openshift.api.security.v1.RangeAllocationList") + proto.RegisterType((*RunAsUserStrategyOptions)(nil), "github.com.openshift.api.security.v1.RunAsUserStrategyOptions") + proto.RegisterType((*SELinuxContextStrategyOptions)(nil), "github.com.openshift.api.security.v1.SELinuxContextStrategyOptions") + proto.RegisterType((*SecurityContextConstraints)(nil), "github.com.openshift.api.security.v1.SecurityContextConstraints") + proto.RegisterType((*SecurityContextConstraintsList)(nil), "github.com.openshift.api.security.v1.SecurityContextConstraintsList") + proto.RegisterType((*ServiceAccountPodSecurityPolicyReviewStatus)(nil), "github.com.openshift.api.security.v1.ServiceAccountPodSecurityPolicyReviewStatus") + proto.RegisterType((*SupplementalGroupsStrategyOptions)(nil), "github.com.openshift.api.security.v1.SupplementalGroupsStrategyOptions") +} + +func init() { + proto.RegisterFile("github.com/openshift/api/security/v1/generated.proto", fileDescriptor_af65d9655aa67551) +} + +var fileDescriptor_af65d9655aa67551 = []byte{ + // 1803 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x59, 0xcd, 0x6f, 0x1b, 0xc7, + 0x15, 0xd7, 0x8a, 0xfa, 0xe2, 0x48, 0x96, 0xe4, 0x91, 0x2c, 0x4f, 0xd4, 0x98, 0x54, 0xd7, 0x6e, + 0x60, 0xb4, 0xcd, 0x32, 0x36, 0xd2, 0xc6, 0x45, 0x1a, 0x23, 0x5c, 0x31, 0x72, 0x14, 0xc8, 0x31, + 0x33, 0x8c, 0x82, 0x22, 0x08, 0x8a, 0x8c, 0x96, 0x43, 0x7a, 0xac, 0xe5, 0xee, 0x76, 0x67, 0x56, + 0x16, 0xd1, 0x4b, 0x81, 0xfe, 0x03, 0x05, 0x7a, 0xef, 0xb9, 0xfd, 0x07, 0x7a, 0x29, 0xda, 0x5e, + 0x0d, 0xb4, 0x45, 0x73, 0x2a, 0x72, 0x22, 0x6a, 0x16, 0xbd, 0xf4, 0xda, 0x9b, 0x0f, 0x45, 0x31, + 0xc3, 0xe1, 0xc7, 0x2e, 0x77, 0xe9, 0x4d, 0x6a, 0x0b, 0xbd, 0x69, 0xdf, 0xc7, 0xef, 0xfd, 0xde, + 0xcc, 0xbc, 0x37, 0x6f, 0x28, 0xf0, 0x66, 0x9b, 0x89, 0x87, 0xd1, 0x89, 0xe5, 0xf8, 0x9d, 0x8a, + 0x1f, 0x50, 0x8f, 0x3f, 0x64, 0x2d, 0x51, 0x21, 0x01, 0xab, 0x70, 0xea, 0x44, 0x21, 0x13, 0xdd, + 0xca, 0xd9, 0xad, 0x4a, 0x9b, 0x7a, 0x34, 0x24, 0x82, 0x36, 0xad, 0x20, 0xf4, 0x85, 0x0f, 0x6f, + 0x8c, 0xbd, 0xac, 0x91, 0x97, 0x45, 0x02, 0x66, 0x0d, 0xbd, 0xac, 0xb3, 0x5b, 0xbb, 0xaf, 0x4f, + 0x60, 0xb7, 0xfd, 0xb6, 0x5f, 0x51, 0xce, 0x27, 0x51, 0x4b, 0x7d, 0xa9, 0x0f, 0xf5, 0xd7, 0x00, + 0x74, 0xd7, 0x3c, 0xbd, 0xc3, 0x2d, 0xe6, 0xab, 0xe0, 0x8e, 0x1f, 0xd2, 0x94, 0xc0, 0xbb, 0x6f, + 0x8e, 0x6d, 0x3a, 0xc4, 0x79, 0xc8, 0x3c, 0x1a, 0x76, 0x2b, 0xc1, 0x69, 0x5b, 0x0a, 0x78, 0xa5, + 0x43, 0x05, 0x49, 0xf3, 0xfa, 0x7e, 0x96, 0x57, 0x18, 0x79, 0x82, 0x75, 0x68, 0x85, 0x3b, 0x0f, + 0x69, 0x87, 0x24, 0xfd, 0xcc, 0xb7, 0xc1, 0xe5, 0xaa, 0xeb, 0xfa, 0x8f, 0x69, 0xf3, 0xc0, 0xa5, + 0xe7, 0x9f, 0xf8, 0x6e, 0xd4, 0xa1, 0xf0, 0x35, 0xb0, 0xd4, 0x0c, 0xd9, 0x19, 0x0d, 0x91, 0xb1, + 0x67, 0xdc, 0x2c, 0xda, 0xeb, 0x4f, 0x7a, 0xe5, 0xb9, 0x7e, 0xaf, 0xbc, 0x54, 0x53, 0x52, 0xac, + 0xb5, 0xe6, 0xaf, 0x0d, 0xb0, 0x73, 0xd0, 0xb8, 0x17, 0xfa, 0x51, 0xd0, 0x10, 0x12, 0xb5, 0xdd, + 0x7d, 0x10, 0x08, 0xe6, 0x7b, 0x1c, 0xbe, 0x05, 0x16, 0x44, 0x37, 0xa0, 0x1a, 0xe0, 0xba, 0x06, + 0x58, 0xf8, 0xb8, 0x1b, 0xd0, 0x67, 0xbd, 0xf2, 0x56, 0xc2, 0x4b, 0x8a, 0xb1, 0x72, 0x80, 0xc7, + 0x60, 0x29, 0x24, 0x5e, 0x9b, 0x72, 0x34, 0xbf, 0x57, 0xb8, 0xb9, 0x7a, 0xfb, 0x75, 0x2b, 0xcf, + 0x46, 0x58, 0x87, 0x35, 0x2c, 0xbd, 0xc6, 0x54, 0xd5, 0x27, 0xc7, 0x1a, 0xcc, 0xbc, 0x07, 0x96, + 0xb5, 0x09, 0xbc, 0x06, 0x0a, 0x1d, 0xe6, 0x29, 0x66, 0x05, 0x7b, 0x55, 0xdb, 0x17, 0xee, 0x33, + 0x0f, 0x4b, 0xb9, 0x52, 0x93, 0x73, 0x34, 0x9f, 0x50, 0x93, 0x73, 0x2c, 0xe5, 0xe6, 0x5f, 0xe6, + 0xc1, 0xd5, 0xba, 0xdf, 0x6c, 0xe8, 0xd8, 0x75, 0xdf, 0x65, 0x4e, 0x17, 0xd3, 0x33, 0x46, 0x1f, + 0xc3, 0xcf, 0xc1, 0x8a, 0xdc, 0x9f, 0x26, 0x11, 0x04, 0x15, 0xf6, 0x8c, 0x9b, 0xab, 0xb7, 0xdf, + 0xb0, 0x06, 0xfb, 0x62, 0x4d, 0xee, 0x8b, 0x15, 0x9c, 0xb6, 0xa5, 0x80, 0x5b, 0xd2, 0x5a, 0xb2, + 0x7f, 0x70, 0xf2, 0x88, 0x3a, 0xe2, 0x3e, 0x15, 0xc4, 0x86, 0x3a, 0x22, 0x18, 0xcb, 0xf0, 0x08, + 0x15, 0x3a, 0x60, 0x81, 0x07, 0xd4, 0x51, 0xe4, 0x57, 0x6f, 0x57, 0xf3, 0xad, 0x4d, 0x06, 0xdd, + 0x46, 0x40, 0x1d, 0x7b, 0x6d, 0xb8, 0x33, 0xf2, 0x0b, 0x2b, 0x70, 0x78, 0x0a, 0x96, 0xb8, 0x20, + 0x22, 0xe2, 0x6a, 0x11, 0x56, 0x6f, 0xef, 0xff, 0x6f, 0x61, 0x14, 0xd4, 0x78, 0x63, 0x06, 0xdf, + 0x58, 0x87, 0x30, 0x7f, 0x67, 0x80, 0x6f, 0xcc, 0x20, 0x08, 0x3f, 0x02, 0x2b, 0x82, 0x76, 0x02, + 0x97, 0x08, 0xaa, 0xb3, 0xbe, 0x3e, 0xb1, 0xa6, 0x96, 0xac, 0x22, 0x1d, 0xfc, 0x63, 0x6d, 0xa6, + 0xf2, 0xda, 0xd4, 0xe1, 0x56, 0x86, 0x52, 0x3c, 0x82, 0x81, 0x87, 0x60, 0x8b, 0xd3, 0xf0, 0x8c, + 0x39, 0xb4, 0xea, 0x38, 0x7e, 0xe4, 0x89, 0x0f, 0x49, 0x47, 0x9f, 0xb7, 0xa2, 0x7d, 0xb5, 0xdf, + 0x2b, 0x6f, 0x35, 0xa6, 0xd5, 0x38, 0xcd, 0xc7, 0xfc, 0x93, 0x01, 0xae, 0xcd, 0xcc, 0x1b, 0xfe, + 0xc6, 0x00, 0x3b, 0x64, 0x50, 0x61, 0x71, 0x54, 0x8e, 0x0c, 0x75, 0xc0, 0x3f, 0xca, 0xb7, 0xba, + 0x71, 0xe7, 0xd9, 0x6b, 0x5d, 0xd2, 0xc9, 0xef, 0x54, 0x53, 0x03, 0xe3, 0x0c, 0x42, 0xe6, 0xbf, + 0xe6, 0x81, 0x39, 0x85, 0xdc, 0xa0, 0x6e, 0xab, 0x11, 0xa9, 0xc3, 0x78, 0x61, 0xc7, 0xdc, 0x8b, + 0x1d, 0xf3, 0xa3, 0xaf, 0x79, 0xfe, 0xa6, 0x98, 0x67, 0x9e, 0xf8, 0x30, 0x71, 0xe2, 0x3f, 0xf8, + 0xba, 0x11, 0x63, 0xd1, 0x66, 0x1f, 0xfc, 0x9f, 0x82, 0xd7, 0xf2, 0x31, 0x7e, 0x09, 0x25, 0x60, + 0xf6, 0xe7, 0x41, 0x69, 0x36, 0xfb, 0x0b, 0xd8, 0xe5, 0x47, 0xb1, 0x5d, 0x7e, 0xff, 0x85, 0xac, + 0xf9, 0xff, 0xd3, 0x0e, 0xff, 0xde, 0x48, 0x2b, 0xa7, 0x0b, 0xd8, 0x5e, 0xb8, 0x07, 0x16, 0x22, + 0x4e, 0x43, 0x95, 0x6b, 0x71, 0xbc, 0x1e, 0xc7, 0x9c, 0x86, 0x58, 0x69, 0xa0, 0x09, 0x96, 0xda, + 0xf2, 0x06, 0xe6, 0xa8, 0xa0, 0xda, 0x1e, 0x90, 0xfc, 0xd5, 0x9d, 0xcc, 0xb1, 0xd6, 0x98, 0xff, + 0x36, 0xc0, 0x8d, 0x3c, 0x0b, 0x00, 0xeb, 0xa0, 0xa8, 0x3b, 0x8a, 0xdd, 0x9d, 0x95, 0xc2, 0x03, + 0xed, 0xda, 0xa2, 0x21, 0xf5, 0x1c, 0x6a, 0x5f, 0xea, 0xf7, 0xca, 0xc5, 0xea, 0xd0, 0x13, 0x8f, + 0x41, 0xe4, 0x04, 0x12, 0x52, 0xc2, 0x7d, 0x4f, 0xa7, 0x30, 0xbe, 0xd6, 0x95, 0x14, 0x6b, 0x6d, + 0x6c, 0xed, 0x0a, 0x2f, 0xa6, 0x34, 0x7e, 0x6b, 0x80, 0x0d, 0x35, 0x28, 0x48, 0x62, 0x0e, 0x91, + 0xe3, 0x4c, 0xac, 0x16, 0x8c, 0x97, 0x52, 0x0b, 0xd7, 0xc1, 0xa2, 0x9a, 0x54, 0x74, 0xbe, 0x97, + 0xb4, 0xf1, 0xa2, 0x62, 0x82, 0x07, 0x3a, 0xf8, 0x2a, 0x58, 0x18, 0x95, 0xe3, 0x9a, 0xbd, 0x22, + 0xb7, 0xb4, 0x46, 0x04, 0xc1, 0x4a, 0x6a, 0xfe, 0xd5, 0x00, 0x5b, 0x09, 0xe2, 0x47, 0x8c, 0x0b, + 0xf8, 0xd9, 0x14, 0x79, 0x2b, 0x1f, 0x79, 0xe9, 0xad, 0xa8, 0x8f, 0x96, 0x6b, 0x28, 0x99, 0x20, + 0xfe, 0x29, 0x58, 0x64, 0x82, 0x76, 0x86, 0xe3, 0xda, 0xf7, 0xf2, 0xd5, 0x55, 0x82, 0xe7, 0x38, + 0xdf, 0x43, 0x89, 0x85, 0x07, 0x90, 0xe6, 0xdf, 0x0c, 0x80, 0x70, 0xe4, 0x55, 0xb9, 0x3c, 0xb8, + 0xc9, 0x09, 0xf3, 0x07, 0xb1, 0x09, 0xf3, 0x5b, 0x89, 0x09, 0xf3, 0xca, 0x94, 0xdf, 0xc4, 0x8c, + 0xf9, 0x0a, 0x28, 0x44, 0xac, 0xa9, 0x47, 0xbc, 0x65, 0x39, 0xde, 0x1d, 0x1f, 0xd6, 0xb0, 0x94, + 0xc1, 0x5b, 0x60, 0x35, 0x62, 0x4d, 0x45, 0xef, 0x3e, 0xf3, 0xd4, 0x4a, 0x17, 0xec, 0x8d, 0x7e, + 0xaf, 0xbc, 0x7a, 0xac, 0xe7, 0x47, 0x39, 0x28, 0x4e, 0xda, 0xc4, 0x5c, 0xc8, 0x39, 0x5a, 0x48, + 0x71, 0x21, 0xe7, 0x78, 0xd2, 0xc6, 0xfc, 0xa3, 0x01, 0xae, 0x35, 0xde, 0x3b, 0x62, 0x5e, 0x74, + 0xbe, 0xef, 0x7b, 0x82, 0x9e, 0x8b, 0x64, 0x76, 0x77, 0x63, 0xd9, 0x7d, 0x3b, 0x91, 0xdd, 0x6e, + 0xba, 0xf3, 0x44, 0x8a, 0x3f, 0x06, 0xeb, 0x9c, 0x2a, 0x1b, 0x8d, 0xa8, 0xfb, 0x9e, 0x99, 0x56, + 0x1e, 0x1a, 0x4d, 0x5b, 0xda, 0xb0, 0xdf, 0x2b, 0xaf, 0xc7, 0x65, 0x38, 0x81, 0x66, 0xfe, 0xe7, + 0x32, 0xd8, 0x1d, 0x36, 0x06, 0xcd, 0x62, 0xdf, 0xf7, 0xb8, 0x08, 0x09, 0xf3, 0x04, 0xbf, 0x80, + 0x82, 0xb9, 0x09, 0x56, 0x82, 0x90, 0xf9, 0x32, 0xbe, 0x4a, 0x6d, 0xd1, 0x5e, 0x93, 0x27, 0xb4, + 0xae, 0x65, 0x78, 0xa4, 0x85, 0x9f, 0x01, 0xa4, 0x1a, 0x4b, 0x3d, 0x64, 0x67, 0xcc, 0xa5, 0x6d, + 0xda, 0x94, 0x84, 0x89, 0x24, 0xa0, 0xf6, 0x77, 0xc5, 0xde, 0xd3, 0x91, 0x50, 0x35, 0xc3, 0x0e, + 0x67, 0x22, 0x40, 0x0e, 0x76, 0x9a, 0xb4, 0x45, 0x22, 0x57, 0x54, 0x9b, 0xcd, 0x7d, 0x12, 0x90, + 0x13, 0xe6, 0x32, 0xc1, 0x28, 0x47, 0x0b, 0xaa, 0xb1, 0xbe, 0x2d, 0xe7, 0xb0, 0x5a, 0xaa, 0xc5, + 0xb3, 0x5e, 0xf9, 0xda, 0xf4, 0x83, 0xd0, 0x1a, 0x99, 0x74, 0x71, 0x06, 0x34, 0xec, 0x02, 0x14, + 0xd2, 0x9f, 0x44, 0x2c, 0xa4, 0xcd, 0x5a, 0xe8, 0x07, 0xb1, 0xb0, 0x8b, 0x2a, 0xec, 0x3b, 0x32, + 0x1d, 0x9c, 0x61, 0xf3, 0xfc, 0xc0, 0x99, 0xf0, 0xf0, 0x11, 0xd8, 0xd2, 0x6d, 0x3a, 0x16, 0x75, + 0x49, 0x45, 0xbd, 0x23, 0x87, 0xe7, 0xea, 0xb4, 0xfa, 0xf9, 0x01, 0xd3, 0x40, 0x47, 0x3b, 0xf7, + 0xbe, 0xcf, 0x45, 0x8d, 0x85, 0x83, 0xd7, 0x69, 0xdd, 0x8d, 0xda, 0xcc, 0x43, 0xcb, 0x29, 0x3b, + 0x97, 0x62, 0x87, 0x33, 0x11, 0x60, 0x05, 0x2c, 0x9f, 0xa9, 0x6f, 0x8e, 0x56, 0x14, 0xfb, 0x2b, + 0xfd, 0x5e, 0x79, 0x79, 0x60, 0x22, 0x19, 0x2f, 0x1d, 0x34, 0x54, 0x41, 0x0d, 0xad, 0xe0, 0xcf, + 0x0d, 0x00, 0x49, 0xf2, 0xb1, 0xcc, 0xd1, 0x15, 0xd5, 0xf8, 0xde, 0xca, 0xd7, 0xf8, 0xa6, 0x1e, + 0xdb, 0xf6, 0xae, 0x4e, 0x01, 0x4e, 0xa9, 0x38, 0x4e, 0x09, 0x07, 0x6b, 0x60, 0x73, 0x94, 0xd2, + 0x87, 0x54, 0x3c, 0xf6, 0xc3, 0x53, 0x54, 0x54, 0x8b, 0x81, 0x34, 0xd2, 0x66, 0x35, 0xa1, 0xc7, + 0x53, 0x1e, 0xf0, 0x2e, 0x58, 0x1f, 0xc9, 0xea, 0x7e, 0x28, 0x38, 0x02, 0x0a, 0x63, 0x47, 0x63, + 0xac, 0x57, 0x63, 0x5a, 0x9c, 0xb0, 0x86, 0x77, 0xc0, 0xda, 0x58, 0x72, 0x58, 0x43, 0xab, 0xca, + 0x7b, 0x5b, 0x7b, 0xaf, 0x55, 0x27, 0x74, 0x38, 0x66, 0x19, 0xf3, 0x3c, 0xac, 0xef, 0xa3, 0xb5, + 0x0c, 0xcf, 0xc3, 0xfa, 0x3e, 0x8e, 0x59, 0xc2, 0xcf, 0x01, 0x94, 0xb3, 0x8b, 0x7a, 0x79, 0x05, + 0xc4, 0xa1, 0x47, 0xf4, 0x8c, 0xba, 0x68, 0x57, 0x75, 0xc8, 0x37, 0x86, 0xab, 0x78, 0x3c, 0x65, + 0xf1, 0xac, 0x57, 0x86, 0x71, 0x89, 0xda, 0xd6, 0x14, 0x2c, 0xd8, 0x01, 0xe5, 0x61, 0xc5, 0xc5, + 0xea, 0xfd, 0x3d, 0xee, 0x10, 0x57, 0xdd, 0x54, 0x68, 0x47, 0xd1, 0xbd, 0xde, 0xef, 0x95, 0xcb, + 0xb5, 0xd9, 0xa6, 0xf8, 0x79, 0x58, 0xf0, 0x47, 0xc9, 0xce, 0x34, 0x11, 0xe7, 0xaa, 0x8a, 0xf3, + 0xea, 0x74, 0x57, 0x9a, 0x08, 0x90, 0xe9, 0x2d, 0x8f, 0xea, 0xb0, 0x63, 0xeb, 0xee, 0x8c, 0x2e, + 0x7d, 0x95, 0xb7, 0xfc, 0xcc, 0xcb, 0x69, 0x7c, 0x48, 0xe2, 0x66, 0x38, 0x11, 0x12, 0xfa, 0xa0, + 0x18, 0x0e, 0xaf, 0x61, 0xb4, 0xae, 0xe2, 0xdf, 0xcd, 0x39, 0x1f, 0x64, 0xdc, 0xfa, 0xf6, 0x65, + 0x1d, 0xba, 0x38, 0xb2, 0xc0, 0xe3, 0x18, 0xf0, 0x97, 0x06, 0x80, 0x3c, 0x0a, 0x02, 0x97, 0x76, + 0xa8, 0x27, 0x88, 0x3b, 0x18, 0x68, 0xd1, 0x86, 0x0a, 0x7d, 0x2f, 0x67, 0xea, 0x53, 0xfe, 0x49, + 0x0e, 0xa3, 0x8a, 0x9d, 0x36, 0xc5, 0x29, 0xe1, 0x61, 0x1b, 0x2c, 0xb7, 0xb8, 0xfa, 0x1b, 0x6d, + 0x2a, 0x26, 0x3f, 0xcc, 0xc7, 0x24, 0xfd, 0xa7, 0x35, 0x7b, 0x43, 0x87, 0x5f, 0xd6, 0x7a, 0x3c, + 0x44, 0x87, 0x9f, 0x80, 0x9d, 0x90, 0x92, 0xe6, 0x03, 0xcf, 0xed, 0x62, 0xdf, 0x17, 0x07, 0xcc, + 0xa5, 0xbc, 0xcb, 0x05, 0xed, 0xa0, 0xcb, 0xea, 0x34, 0x8d, 0x7e, 0x17, 0xc0, 0xa9, 0x56, 0x38, + 0xc3, 0x1b, 0x96, 0xc1, 0xa2, 0x2c, 0x16, 0x8e, 0xa0, 0xea, 0x93, 0x45, 0x39, 0xa8, 0xc9, 0xf5, + 0xe6, 0x78, 0x20, 0x9f, 0x78, 0x4d, 0x6c, 0x65, 0xbd, 0x26, 0xe0, 0x3b, 0x60, 0x83, 0x53, 0xc7, + 0xf1, 0x3b, 0x41, 0x3d, 0xf4, 0x5b, 0x12, 0x1c, 0x6d, 0x2b, 0xe3, 0xad, 0x7e, 0xaf, 0xbc, 0xd1, + 0x88, 0xab, 0x70, 0xd2, 0x16, 0x1e, 0x81, 0x6d, 0xdd, 0x0c, 0x8f, 0x3d, 0x4e, 0x5a, 0xb4, 0xd1, + 0xe5, 0x8e, 0x70, 0x39, 0x42, 0x0a, 0x03, 0xf5, 0x7b, 0xe5, 0xed, 0x6a, 0x8a, 0x1e, 0xa7, 0x7a, + 0xc1, 0x77, 0xc1, 0x66, 0xcb, 0x0f, 0x4f, 0x58, 0xb3, 0x49, 0xbd, 0x21, 0xd2, 0x2b, 0x0a, 0x69, + 0x5b, 0x36, 0xd0, 0x83, 0x84, 0x0e, 0x4f, 0x59, 0x9b, 0xff, 0x34, 0x40, 0x29, 0x7b, 0x00, 0xba, + 0x80, 0xc1, 0x9b, 0xc6, 0x07, 0xef, 0x77, 0xf3, 0xfe, 0x8c, 0x94, 0x45, 0x39, 0x63, 0x06, 0xff, + 0xd5, 0x3c, 0xf8, 0xce, 0x57, 0xf8, 0xed, 0x09, 0xfe, 0xd9, 0x00, 0x37, 0x82, 0x1c, 0x8f, 0x46, + 0xbd, 0x22, 0x2f, 0xf2, 0x1d, 0xfe, 0x5d, 0x9d, 0x40, 0xae, 0x47, 0x2b, 0xce, 0xc5, 0x52, 0xbe, + 0xa4, 0x3d, 0xd2, 0xa1, 0xc9, 0x97, 0xb4, 0xbc, 0x37, 0xb0, 0xd2, 0x98, 0x7f, 0x30, 0xc0, 0x37, + 0x9f, 0xdb, 0x33, 0xa0, 0x1d, 0x9b, 0xe7, 0xad, 0xc4, 0x3c, 0x5f, 0xca, 0x06, 0x78, 0xe9, 0x3f, + 0x8d, 0xdb, 0x1f, 0x3c, 0x79, 0x5a, 0x9a, 0xfb, 0xe2, 0x69, 0x69, 0xee, 0xcb, 0xa7, 0xa5, 0xb9, + 0x9f, 0xf5, 0x4b, 0xc6, 0x93, 0x7e, 0xc9, 0xf8, 0xa2, 0x5f, 0x32, 0xbe, 0xec, 0x97, 0x8c, 0xbf, + 0xf7, 0x4b, 0xc6, 0x2f, 0xfe, 0x51, 0x9a, 0xfb, 0xf4, 0x46, 0x9e, 0xff, 0xa2, 0xfc, 0x37, 0x00, + 0x00, 0xff, 0xff, 0xb7, 0xb2, 0xaf, 0x36, 0x6c, 0x19, 0x00, 0x00, +} + +func (m *AllowedFlexVolume) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *AllowedFlexVolume) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *AllowedFlexVolume) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + i -= len(m.Driver) + copy(dAtA[i:], m.Driver) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Driver))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *FSGroupStrategyOptions) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *FSGroupStrategyOptions) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *FSGroupStrategyOptions) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Ranges) > 0 { + for iNdEx := len(m.Ranges) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.Ranges[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + } + i -= len(m.Type) + copy(dAtA[i:], m.Type) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *IDRange) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *IDRange) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IDRange) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + i = encodeVarintGenerated(dAtA, i, uint64(m.Max)) + i-- + dAtA[i] = 0x10 + i = encodeVarintGenerated(dAtA, i, uint64(m.Min)) + i-- + dAtA[i] = 0x8 + return len(dAtA) - i, nil +} + +func (m *PodSecurityPolicyReview) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PodSecurityPolicyReview) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *PodSecurityPolicyReview) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + { + size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1a + { + size, err := m.Status.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + { + size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *PodSecurityPolicyReviewSpec) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PodSecurityPolicyReviewSpec) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *PodSecurityPolicyReviewSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.ServiceAccountNames) > 0 { + for iNdEx := len(m.ServiceAccountNames) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.ServiceAccountNames[iNdEx]) + copy(dAtA[i:], m.ServiceAccountNames[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceAccountNames[iNdEx]))) + i-- + dAtA[i] = 0x12 + } + } + { + size, err := m.Template.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *PodSecurityPolicyReviewStatus) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PodSecurityPolicyReviewStatus) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *PodSecurityPolicyReviewStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.AllowedServiceAccounts) > 0 { + for iNdEx := len(m.AllowedServiceAccounts) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.AllowedServiceAccounts[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + } + } + return len(dAtA) - i, nil +} + +func (m *PodSecurityPolicySelfSubjectReview) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PodSecurityPolicySelfSubjectReview) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *PodSecurityPolicySelfSubjectReview) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + { + size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1a + { + size, err := m.Status.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + { + size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *PodSecurityPolicySelfSubjectReviewSpec) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PodSecurityPolicySelfSubjectReviewSpec) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *PodSecurityPolicySelfSubjectReviewSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + { + size, err := m.Template.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *PodSecurityPolicySubjectReview) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PodSecurityPolicySubjectReview) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *PodSecurityPolicySubjectReview) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + { + size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1a + { + size, err := m.Status.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + { + size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *PodSecurityPolicySubjectReviewSpec) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PodSecurityPolicySubjectReviewSpec) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *PodSecurityPolicySubjectReviewSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Groups) > 0 { + for iNdEx := len(m.Groups) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.Groups[iNdEx]) + copy(dAtA[i:], m.Groups[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Groups[iNdEx]))) + i-- + dAtA[i] = 0x1a + } + } + i -= len(m.User) + copy(dAtA[i:], m.User) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.User))) + i-- + dAtA[i] = 0x12 + { + size, err := m.Template.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *PodSecurityPolicySubjectReviewStatus) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PodSecurityPolicySubjectReviewStatus) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *PodSecurityPolicySubjectReviewStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + { + size, err := m.Template.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1a + i -= len(m.Reason) + copy(dAtA[i:], m.Reason) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason))) + i-- + dAtA[i] = 0x12 + if m.AllowedBy != nil { + { + size, err := m.AllowedBy.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func (m *RangeAllocation) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RangeAllocation) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RangeAllocation) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.Data != nil { + i -= len(m.Data) + copy(dAtA[i:], m.Data) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Data))) + i-- + dAtA[i] = 0x1a + } + i -= len(m.Range) + copy(dAtA[i:], m.Range) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Range))) + i-- + dAtA[i] = 0x12 + { + size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *RangeAllocationList) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RangeAllocationList) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RangeAllocationList) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Items) > 0 { + for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + } + { + size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *RunAsUserStrategyOptions) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RunAsUserStrategyOptions) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RunAsUserStrategyOptions) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.UIDRangeMax != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.UIDRangeMax)) + i-- + dAtA[i] = 0x20 + } + if m.UIDRangeMin != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.UIDRangeMin)) + i-- + dAtA[i] = 0x18 + } + if m.UID != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.UID)) + i-- + dAtA[i] = 0x10 + } + i -= len(m.Type) + copy(dAtA[i:], m.Type) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *SELinuxContextStrategyOptions) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SELinuxContextStrategyOptions) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *SELinuxContextStrategyOptions) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.SELinuxOptions != nil { + { + size, err := m.SELinuxOptions.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + i -= len(m.Type) + copy(dAtA[i:], m.Type) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *SecurityContextConstraints) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SecurityContextConstraints) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *SecurityContextConstraints) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + i -= len(m.UserNamespaceLevel) + copy(dAtA[i:], m.UserNamespaceLevel) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.UserNamespaceLevel))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xd2 + if len(m.ForbiddenSysctls) > 0 { + for iNdEx := len(m.ForbiddenSysctls) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.ForbiddenSysctls[iNdEx]) + copy(dAtA[i:], m.ForbiddenSysctls[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.ForbiddenSysctls[iNdEx]))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xca + } + } + if len(m.AllowedUnsafeSysctls) > 0 { + for iNdEx := len(m.AllowedUnsafeSysctls) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.AllowedUnsafeSysctls[iNdEx]) + copy(dAtA[i:], m.AllowedUnsafeSysctls[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.AllowedUnsafeSysctls[iNdEx]))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xc2 + } + } + if m.AllowPrivilegeEscalation != nil { + i-- + if *m.AllowPrivilegeEscalation { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xb8 + } + if m.DefaultAllowPrivilegeEscalation != nil { + i-- + if *m.DefaultAllowPrivilegeEscalation { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xb0 + } + if len(m.AllowedFlexVolumes) > 0 { + for iNdEx := len(m.AllowedFlexVolumes) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.AllowedFlexVolumes[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xaa + } + } + if len(m.SeccompProfiles) > 0 { + for iNdEx := len(m.SeccompProfiles) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.SeccompProfiles[iNdEx]) + copy(dAtA[i:], m.SeccompProfiles[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.SeccompProfiles[iNdEx]))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xa2 + } + } + if len(m.Groups) > 0 { + for iNdEx := len(m.Groups) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.Groups[iNdEx]) + copy(dAtA[i:], m.Groups[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Groups[iNdEx]))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x9a + } + } + if len(m.Users) > 0 { + for iNdEx := len(m.Users) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.Users[iNdEx]) + copy(dAtA[i:], m.Users[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Users[iNdEx]))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x92 + } + } + i-- + if m.ReadOnlyRootFilesystem { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x88 + { + size, err := m.FSGroup.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x82 + { + size, err := m.SupplementalGroups.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x7a + { + size, err := m.RunAsUser.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x72 + { + size, err := m.SELinuxContext.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x6a + i-- + if m.AllowHostIPC { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x60 + i-- + if m.AllowHostPID { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x58 + i-- + if m.AllowHostPorts { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x50 + i-- + if m.AllowHostNetwork { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x48 + if len(m.Volumes) > 0 { + for iNdEx := len(m.Volumes) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.Volumes[iNdEx]) + copy(dAtA[i:], m.Volumes[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Volumes[iNdEx]))) + i-- + dAtA[i] = 0x42 + } + } + i-- + if m.AllowHostDirVolumePlugin { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x38 + if len(m.AllowedCapabilities) > 0 { + for iNdEx := len(m.AllowedCapabilities) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.AllowedCapabilities[iNdEx]) + copy(dAtA[i:], m.AllowedCapabilities[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.AllowedCapabilities[iNdEx]))) + i-- + dAtA[i] = 0x32 + } + } + if len(m.RequiredDropCapabilities) > 0 { + for iNdEx := len(m.RequiredDropCapabilities) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.RequiredDropCapabilities[iNdEx]) + copy(dAtA[i:], m.RequiredDropCapabilities[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.RequiredDropCapabilities[iNdEx]))) + i-- + dAtA[i] = 0x2a + } + } + if len(m.DefaultAddCapabilities) > 0 { + for iNdEx := len(m.DefaultAddCapabilities) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.DefaultAddCapabilities[iNdEx]) + copy(dAtA[i:], m.DefaultAddCapabilities[iNdEx]) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.DefaultAddCapabilities[iNdEx]))) + i-- + dAtA[i] = 0x22 + } + } + i-- + if m.AllowPrivilegedContainer { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x18 + if m.Priority != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.Priority)) + i-- + dAtA[i] = 0x10 + } + { + size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *SecurityContextConstraintsList) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SecurityContextConstraintsList) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *SecurityContextConstraintsList) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Items) > 0 { + for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + } + { + size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *ServiceAccountPodSecurityPolicyReviewStatus) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *ServiceAccountPodSecurityPolicyReviewStatus) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *ServiceAccountPodSecurityPolicyReviewStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + i -= len(m.Name) + copy(dAtA[i:], m.Name) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name))) + i-- + dAtA[i] = 0x12 + { + size, err := m.PodSecurityPolicySubjectReviewStatus.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *SupplementalGroupsStrategyOptions) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SupplementalGroupsStrategyOptions) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *SupplementalGroupsStrategyOptions) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Ranges) > 0 { + for iNdEx := len(m.Ranges) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.Ranges[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + } + i -= len(m.Type) + copy(dAtA[i:], m.Type) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int { + offset -= sovGenerated(v) + base := offset + for v >= 1<<7 { + dAtA[offset] = uint8(v&0x7f | 0x80) + v >>= 7 + offset++ + } + dAtA[offset] = uint8(v) + return base +} +func (m *AllowedFlexVolume) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Driver) + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *FSGroupStrategyOptions) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Type) + n += 1 + l + sovGenerated(uint64(l)) + if len(m.Ranges) > 0 { + for _, e := range m.Ranges { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + +func (m *IDRange) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + n += 1 + sovGenerated(uint64(m.Min)) + n += 1 + sovGenerated(uint64(m.Max)) + return n +} + +func (m *PodSecurityPolicyReview) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.Spec.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Status.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.ObjectMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *PodSecurityPolicyReviewSpec) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.Template.Size() + n += 1 + l + sovGenerated(uint64(l)) + if len(m.ServiceAccountNames) > 0 { + for _, s := range m.ServiceAccountNames { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + +func (m *PodSecurityPolicyReviewStatus) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if len(m.AllowedServiceAccounts) > 0 { + for _, e := range m.AllowedServiceAccounts { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + +func (m *PodSecurityPolicySelfSubjectReview) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.Spec.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Status.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.ObjectMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *PodSecurityPolicySelfSubjectReviewSpec) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.Template.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *PodSecurityPolicySubjectReview) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.Spec.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Status.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.ObjectMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *PodSecurityPolicySubjectReviewSpec) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.Template.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.User) + n += 1 + l + sovGenerated(uint64(l)) + if len(m.Groups) > 0 { + for _, s := range m.Groups { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + +func (m *PodSecurityPolicySubjectReviewStatus) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.AllowedBy != nil { + l = m.AllowedBy.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + l = len(m.Reason) + n += 1 + l + sovGenerated(uint64(l)) + l = m.Template.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *RangeAllocation) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.ObjectMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.Range) + n += 1 + l + sovGenerated(uint64(l)) + if m.Data != nil { + l = len(m.Data) + n += 1 + l + sovGenerated(uint64(l)) + } + return n +} + +func (m *RangeAllocationList) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.ListMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + if len(m.Items) > 0 { + for _, e := range m.Items { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + +func (m *RunAsUserStrategyOptions) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Type) + n += 1 + l + sovGenerated(uint64(l)) + if m.UID != nil { + n += 1 + sovGenerated(uint64(*m.UID)) + } + if m.UIDRangeMin != nil { + n += 1 + sovGenerated(uint64(*m.UIDRangeMin)) + } + if m.UIDRangeMax != nil { + n += 1 + sovGenerated(uint64(*m.UIDRangeMax)) + } + return n +} + +func (m *SELinuxContextStrategyOptions) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Type) + n += 1 + l + sovGenerated(uint64(l)) + if m.SELinuxOptions != nil { + l = m.SELinuxOptions.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + return n +} + +func (m *SecurityContextConstraints) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.ObjectMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + if m.Priority != nil { + n += 1 + sovGenerated(uint64(*m.Priority)) + } + n += 2 + if len(m.DefaultAddCapabilities) > 0 { + for _, s := range m.DefaultAddCapabilities { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.RequiredDropCapabilities) > 0 { + for _, s := range m.RequiredDropCapabilities { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.AllowedCapabilities) > 0 { + for _, s := range m.AllowedCapabilities { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + n += 2 + if len(m.Volumes) > 0 { + for _, s := range m.Volumes { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + n += 2 + n += 2 + n += 2 + n += 2 + l = m.SELinuxContext.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.RunAsUser.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.SupplementalGroups.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.FSGroup.Size() + n += 2 + l + sovGenerated(uint64(l)) + n += 3 + if len(m.Users) > 0 { + for _, s := range m.Users { + l = len(s) + n += 2 + l + sovGenerated(uint64(l)) + } + } + if len(m.Groups) > 0 { + for _, s := range m.Groups { + l = len(s) + n += 2 + l + sovGenerated(uint64(l)) + } + } + if len(m.SeccompProfiles) > 0 { + for _, s := range m.SeccompProfiles { + l = len(s) + n += 2 + l + sovGenerated(uint64(l)) + } + } + if len(m.AllowedFlexVolumes) > 0 { + for _, e := range m.AllowedFlexVolumes { + l = e.Size() + n += 2 + l + sovGenerated(uint64(l)) + } + } + if m.DefaultAllowPrivilegeEscalation != nil { + n += 3 + } + if m.AllowPrivilegeEscalation != nil { + n += 3 + } + if len(m.AllowedUnsafeSysctls) > 0 { + for _, s := range m.AllowedUnsafeSysctls { + l = len(s) + n += 2 + l + sovGenerated(uint64(l)) + } + } + if len(m.ForbiddenSysctls) > 0 { + for _, s := range m.ForbiddenSysctls { + l = len(s) + n += 2 + l + sovGenerated(uint64(l)) + } + } + l = len(m.UserNamespaceLevel) + n += 2 + l + sovGenerated(uint64(l)) + return n +} + +func (m *SecurityContextConstraintsList) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.ListMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + if len(m.Items) > 0 { + for _, e := range m.Items { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + +func (m *ServiceAccountPodSecurityPolicyReviewStatus) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.PodSecurityPolicySubjectReviewStatus.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.Name) + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *SupplementalGroupsStrategyOptions) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Type) + n += 1 + l + sovGenerated(uint64(l)) + if len(m.Ranges) > 0 { + for _, e := range m.Ranges { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + +func sovGenerated(x uint64) (n int) { + return (math_bits.Len64(x|1) + 6) / 7 +} +func sozGenerated(x uint64) (n int) { + return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63)))) +} +func (this *AllowedFlexVolume) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&AllowedFlexVolume{`, + `Driver:` + fmt.Sprintf("%v", this.Driver) + `,`, + `}`, + }, "") + return s +} +func (this *FSGroupStrategyOptions) String() string { + if this == nil { + return "nil" + } + repeatedStringForRanges := "[]IDRange{" + for _, f := range this.Ranges { + repeatedStringForRanges += strings.Replace(strings.Replace(f.String(), "IDRange", "IDRange", 1), `&`, ``, 1) + "," + } + repeatedStringForRanges += "}" + s := strings.Join([]string{`&FSGroupStrategyOptions{`, + `Type:` + fmt.Sprintf("%v", this.Type) + `,`, + `Ranges:` + repeatedStringForRanges + `,`, + `}`, + }, "") + return s +} +func (this *IDRange) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&IDRange{`, + `Min:` + fmt.Sprintf("%v", this.Min) + `,`, + `Max:` + fmt.Sprintf("%v", this.Max) + `,`, + `}`, + }, "") + return s +} +func (this *PodSecurityPolicyReview) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PodSecurityPolicyReview{`, + `Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodSecurityPolicyReviewSpec", "PodSecurityPolicyReviewSpec", 1), `&`, ``, 1) + `,`, + `Status:` + strings.Replace(strings.Replace(this.Status.String(), "PodSecurityPolicyReviewStatus", "PodSecurityPolicyReviewStatus", 1), `&`, ``, 1) + `,`, + `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *PodSecurityPolicyReviewSpec) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PodSecurityPolicyReviewSpec{`, + `Template:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Template), "PodTemplateSpec", "v11.PodTemplateSpec", 1), `&`, ``, 1) + `,`, + `ServiceAccountNames:` + fmt.Sprintf("%v", this.ServiceAccountNames) + `,`, + `}`, + }, "") + return s +} +func (this *PodSecurityPolicyReviewStatus) String() string { + if this == nil { + return "nil" + } + repeatedStringForAllowedServiceAccounts := "[]ServiceAccountPodSecurityPolicyReviewStatus{" + for _, f := range this.AllowedServiceAccounts { + repeatedStringForAllowedServiceAccounts += strings.Replace(strings.Replace(f.String(), "ServiceAccountPodSecurityPolicyReviewStatus", "ServiceAccountPodSecurityPolicyReviewStatus", 1), `&`, ``, 1) + "," + } + repeatedStringForAllowedServiceAccounts += "}" + s := strings.Join([]string{`&PodSecurityPolicyReviewStatus{`, + `AllowedServiceAccounts:` + repeatedStringForAllowedServiceAccounts + `,`, + `}`, + }, "") + return s +} +func (this *PodSecurityPolicySelfSubjectReview) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PodSecurityPolicySelfSubjectReview{`, + `Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodSecurityPolicySelfSubjectReviewSpec", "PodSecurityPolicySelfSubjectReviewSpec", 1), `&`, ``, 1) + `,`, + `Status:` + strings.Replace(strings.Replace(this.Status.String(), "PodSecurityPolicySubjectReviewStatus", "PodSecurityPolicySubjectReviewStatus", 1), `&`, ``, 1) + `,`, + `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *PodSecurityPolicySelfSubjectReviewSpec) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PodSecurityPolicySelfSubjectReviewSpec{`, + `Template:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Template), "PodTemplateSpec", "v11.PodTemplateSpec", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *PodSecurityPolicySubjectReview) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PodSecurityPolicySubjectReview{`, + `Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodSecurityPolicySubjectReviewSpec", "PodSecurityPolicySubjectReviewSpec", 1), `&`, ``, 1) + `,`, + `Status:` + strings.Replace(strings.Replace(this.Status.String(), "PodSecurityPolicySubjectReviewStatus", "PodSecurityPolicySubjectReviewStatus", 1), `&`, ``, 1) + `,`, + `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *PodSecurityPolicySubjectReviewSpec) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PodSecurityPolicySubjectReviewSpec{`, + `Template:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Template), "PodTemplateSpec", "v11.PodTemplateSpec", 1), `&`, ``, 1) + `,`, + `User:` + fmt.Sprintf("%v", this.User) + `,`, + `Groups:` + fmt.Sprintf("%v", this.Groups) + `,`, + `}`, + }, "") + return s +} +func (this *PodSecurityPolicySubjectReviewStatus) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PodSecurityPolicySubjectReviewStatus{`, + `AllowedBy:` + strings.Replace(fmt.Sprintf("%v", this.AllowedBy), "ObjectReference", "v11.ObjectReference", 1) + `,`, + `Reason:` + fmt.Sprintf("%v", this.Reason) + `,`, + `Template:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Template), "PodTemplateSpec", "v11.PodTemplateSpec", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *RangeAllocation) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&RangeAllocation{`, + `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`, + `Range:` + fmt.Sprintf("%v", this.Range) + `,`, + `Data:` + valueToStringGenerated(this.Data) + `,`, + `}`, + }, "") + return s +} +func (this *RangeAllocationList) String() string { + if this == nil { + return "nil" + } + repeatedStringForItems := "[]RangeAllocation{" + for _, f := range this.Items { + repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "RangeAllocation", "RangeAllocation", 1), `&`, ``, 1) + "," + } + repeatedStringForItems += "}" + s := strings.Join([]string{`&RangeAllocationList{`, + `ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`, + `Items:` + repeatedStringForItems + `,`, + `}`, + }, "") + return s +} +func (this *RunAsUserStrategyOptions) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&RunAsUserStrategyOptions{`, + `Type:` + fmt.Sprintf("%v", this.Type) + `,`, + `UID:` + valueToStringGenerated(this.UID) + `,`, + `UIDRangeMin:` + valueToStringGenerated(this.UIDRangeMin) + `,`, + `UIDRangeMax:` + valueToStringGenerated(this.UIDRangeMax) + `,`, + `}`, + }, "") + return s +} +func (this *SELinuxContextStrategyOptions) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SELinuxContextStrategyOptions{`, + `Type:` + fmt.Sprintf("%v", this.Type) + `,`, + `SELinuxOptions:` + strings.Replace(fmt.Sprintf("%v", this.SELinuxOptions), "SELinuxOptions", "v11.SELinuxOptions", 1) + `,`, + `}`, + }, "") + return s +} +func (this *SecurityContextConstraints) String() string { + if this == nil { + return "nil" + } + repeatedStringForAllowedFlexVolumes := "[]AllowedFlexVolume{" + for _, f := range this.AllowedFlexVolumes { + repeatedStringForAllowedFlexVolumes += strings.Replace(strings.Replace(f.String(), "AllowedFlexVolume", "AllowedFlexVolume", 1), `&`, ``, 1) + "," + } + repeatedStringForAllowedFlexVolumes += "}" + s := strings.Join([]string{`&SecurityContextConstraints{`, + `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`, + `Priority:` + valueToStringGenerated(this.Priority) + `,`, + `AllowPrivilegedContainer:` + fmt.Sprintf("%v", this.AllowPrivilegedContainer) + `,`, + `DefaultAddCapabilities:` + fmt.Sprintf("%v", this.DefaultAddCapabilities) + `,`, + `RequiredDropCapabilities:` + fmt.Sprintf("%v", this.RequiredDropCapabilities) + `,`, + `AllowedCapabilities:` + fmt.Sprintf("%v", this.AllowedCapabilities) + `,`, + `AllowHostDirVolumePlugin:` + fmt.Sprintf("%v", this.AllowHostDirVolumePlugin) + `,`, + `Volumes:` + fmt.Sprintf("%v", this.Volumes) + `,`, + `AllowHostNetwork:` + fmt.Sprintf("%v", this.AllowHostNetwork) + `,`, + `AllowHostPorts:` + fmt.Sprintf("%v", this.AllowHostPorts) + `,`, + `AllowHostPID:` + fmt.Sprintf("%v", this.AllowHostPID) + `,`, + `AllowHostIPC:` + fmt.Sprintf("%v", this.AllowHostIPC) + `,`, + `SELinuxContext:` + strings.Replace(strings.Replace(this.SELinuxContext.String(), "SELinuxContextStrategyOptions", "SELinuxContextStrategyOptions", 1), `&`, ``, 1) + `,`, + `RunAsUser:` + strings.Replace(strings.Replace(this.RunAsUser.String(), "RunAsUserStrategyOptions", "RunAsUserStrategyOptions", 1), `&`, ``, 1) + `,`, + `SupplementalGroups:` + strings.Replace(strings.Replace(this.SupplementalGroups.String(), "SupplementalGroupsStrategyOptions", "SupplementalGroupsStrategyOptions", 1), `&`, ``, 1) + `,`, + `FSGroup:` + strings.Replace(strings.Replace(this.FSGroup.String(), "FSGroupStrategyOptions", "FSGroupStrategyOptions", 1), `&`, ``, 1) + `,`, + `ReadOnlyRootFilesystem:` + fmt.Sprintf("%v", this.ReadOnlyRootFilesystem) + `,`, + `Users:` + fmt.Sprintf("%v", this.Users) + `,`, + `Groups:` + fmt.Sprintf("%v", this.Groups) + `,`, + `SeccompProfiles:` + fmt.Sprintf("%v", this.SeccompProfiles) + `,`, + `AllowedFlexVolumes:` + repeatedStringForAllowedFlexVolumes + `,`, + `DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`, + `AllowPrivilegeEscalation:` + valueToStringGenerated(this.AllowPrivilegeEscalation) + `,`, + `AllowedUnsafeSysctls:` + fmt.Sprintf("%v", this.AllowedUnsafeSysctls) + `,`, + `ForbiddenSysctls:` + fmt.Sprintf("%v", this.ForbiddenSysctls) + `,`, + `UserNamespaceLevel:` + fmt.Sprintf("%v", this.UserNamespaceLevel) + `,`, + `}`, + }, "") + return s +} +func (this *SecurityContextConstraintsList) String() string { + if this == nil { + return "nil" + } + repeatedStringForItems := "[]SecurityContextConstraints{" + for _, f := range this.Items { + repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "SecurityContextConstraints", "SecurityContextConstraints", 1), `&`, ``, 1) + "," + } + repeatedStringForItems += "}" + s := strings.Join([]string{`&SecurityContextConstraintsList{`, + `ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`, + `Items:` + repeatedStringForItems + `,`, + `}`, + }, "") + return s +} +func (this *ServiceAccountPodSecurityPolicyReviewStatus) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&ServiceAccountPodSecurityPolicyReviewStatus{`, + `PodSecurityPolicySubjectReviewStatus:` + strings.Replace(strings.Replace(this.PodSecurityPolicySubjectReviewStatus.String(), "PodSecurityPolicySubjectReviewStatus", "PodSecurityPolicySubjectReviewStatus", 1), `&`, ``, 1) + `,`, + `Name:` + fmt.Sprintf("%v", this.Name) + `,`, + `}`, + }, "") + return s +} +func (this *SupplementalGroupsStrategyOptions) String() string { + if this == nil { + return "nil" + } + repeatedStringForRanges := "[]IDRange{" + for _, f := range this.Ranges { + repeatedStringForRanges += strings.Replace(strings.Replace(f.String(), "IDRange", "IDRange", 1), `&`, ``, 1) + "," + } + repeatedStringForRanges += "}" + s := strings.Join([]string{`&SupplementalGroupsStrategyOptions{`, + `Type:` + fmt.Sprintf("%v", this.Type) + `,`, + `Ranges:` + repeatedStringForRanges + `,`, + `}`, + }, "") + return s +} +func valueToStringGenerated(v interface{}) string { + rv := reflect.ValueOf(v) + if rv.IsNil() { + return "nil" + } + pv := reflect.Indirect(rv).Interface() + return fmt.Sprintf("*%v", pv) +} +func (m *AllowedFlexVolume) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: AllowedFlexVolume: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: AllowedFlexVolume: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Driver", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Driver = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *FSGroupStrategyOptions) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: FSGroupStrategyOptions: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: FSGroupStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Type = FSGroupStrategyType(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Ranges", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Ranges = append(m.Ranges, IDRange{}) + if err := m.Ranges[len(m.Ranges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *IDRange) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: IDRange: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: IDRange: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Min", wireType) + } + m.Min = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.Min |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Max", wireType) + } + m.Max = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.Max |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PodSecurityPolicyReview) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PodSecurityPolicyReview: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PodSecurityPolicyReview: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PodSecurityPolicyReviewSpec) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PodSecurityPolicyReviewSpec: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PodSecurityPolicyReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccountNames", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ServiceAccountNames = append(m.ServiceAccountNames, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PodSecurityPolicyReviewStatus) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PodSecurityPolicyReviewStatus: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PodSecurityPolicyReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowedServiceAccounts", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AllowedServiceAccounts = append(m.AllowedServiceAccounts, ServiceAccountPodSecurityPolicyReviewStatus{}) + if err := m.AllowedServiceAccounts[len(m.AllowedServiceAccounts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PodSecurityPolicySelfSubjectReview) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PodSecurityPolicySelfSubjectReview: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PodSecurityPolicySelfSubjectReview: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PodSecurityPolicySelfSubjectReviewSpec) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PodSecurityPolicySelfSubjectReviewSpec: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PodSecurityPolicySelfSubjectReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PodSecurityPolicySubjectReview) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PodSecurityPolicySubjectReview: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PodSecurityPolicySubjectReview: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PodSecurityPolicySubjectReviewSpec) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PodSecurityPolicySubjectReviewSpec: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PodSecurityPolicySubjectReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field User", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.User = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PodSecurityPolicySubjectReviewStatus) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PodSecurityPolicySubjectReviewStatus: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PodSecurityPolicySubjectReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowedBy", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.AllowedBy == nil { + m.AllowedBy = &v11.ObjectReference{} + } + if err := m.AllowedBy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Reason = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *RangeAllocation) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RangeAllocation: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RangeAllocation: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Range", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Range = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...) + if m.Data == nil { + m.Data = []byte{} + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *RangeAllocationList) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RangeAllocationList: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RangeAllocationList: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Items = append(m.Items, RangeAllocation{}) + if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *RunAsUserStrategyOptions) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RunAsUserStrategyOptions: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RunAsUserStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Type = RunAsUserStrategyType(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.UID = &v + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field UIDRangeMin", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.UIDRangeMin = &v + case 4: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field UIDRangeMax", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.UIDRangeMax = &v + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *SELinuxContextStrategyOptions) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SELinuxContextStrategyOptions: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SELinuxContextStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Type = SELinuxContextStrategyType(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field SELinuxOptions", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.SELinuxOptions == nil { + m.SELinuxOptions = &v11.SELinuxOptions{} + } + if err := m.SELinuxOptions.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *SecurityContextConstraints) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SecurityContextConstraints: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SecurityContextConstraints: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Priority", wireType) + } + var v int32 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int32(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.Priority = &v + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowPrivilegedContainer", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.AllowPrivilegedContainer = bool(v != 0) + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field DefaultAddCapabilities", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.DefaultAddCapabilities = append(m.DefaultAddCapabilities, k8s_io_api_core_v1.Capability(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RequiredDropCapabilities", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.RequiredDropCapabilities = append(m.RequiredDropCapabilities, k8s_io_api_core_v1.Capability(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 6: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowedCapabilities", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AllowedCapabilities = append(m.AllowedCapabilities, k8s_io_api_core_v1.Capability(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 7: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowHostDirVolumePlugin", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.AllowHostDirVolumePlugin = bool(v != 0) + case 8: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Volumes", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Volumes = append(m.Volumes, FSType(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 9: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowHostNetwork", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.AllowHostNetwork = bool(v != 0) + case 10: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowHostPorts", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.AllowHostPorts = bool(v != 0) + case 11: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowHostPID", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.AllowHostPID = bool(v != 0) + case 12: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowHostIPC", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.AllowHostIPC = bool(v != 0) + case 13: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field SELinuxContext", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.SELinuxContext.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 14: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RunAsUser", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.RunAsUser.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 15: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field SupplementalGroups", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.SupplementalGroups.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 16: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field FSGroup", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.FSGroup.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 17: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field ReadOnlyRootFilesystem", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.ReadOnlyRootFilesystem = bool(v != 0) + case 18: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Users", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Users = append(m.Users, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 19: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 20: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field SeccompProfiles", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.SeccompProfiles = append(m.SeccompProfiles, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 21: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowedFlexVolumes", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AllowedFlexVolumes = append(m.AllowedFlexVolumes, AllowedFlexVolume{}) + if err := m.AllowedFlexVolumes[len(m.AllowedFlexVolumes)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 22: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field DefaultAllowPrivilegeEscalation", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + b := bool(v != 0) + m.DefaultAllowPrivilegeEscalation = &b + case 23: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowPrivilegeEscalation", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + b := bool(v != 0) + m.AllowPrivilegeEscalation = &b + case 24: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowedUnsafeSysctls", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AllowedUnsafeSysctls = append(m.AllowedUnsafeSysctls, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 25: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ForbiddenSysctls", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ForbiddenSysctls = append(m.ForbiddenSysctls, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 26: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field UserNamespaceLevel", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.UserNamespaceLevel = NamespaceLevelType(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *SecurityContextConstraintsList) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SecurityContextConstraintsList: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SecurityContextConstraintsList: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Items = append(m.Items, SecurityContextConstraints{}) + if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *ServiceAccountPodSecurityPolicyReviewStatus) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: ServiceAccountPodSecurityPolicyReviewStatus: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: ServiceAccountPodSecurityPolicyReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field PodSecurityPolicySubjectReviewStatus", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.PodSecurityPolicySubjectReviewStatus.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Name = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *SupplementalGroupsStrategyOptions) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SupplementalGroupsStrategyOptions: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SupplementalGroupsStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Type = SupplementalGroupsStrategyType(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Ranges", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Ranges = append(m.Ranges, IDRange{}) + if err := m.Ranges[len(m.Ranges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func skipGenerated(dAtA []byte) (n int, err error) { + l := len(dAtA) + iNdEx := 0 + depth := 0 + for iNdEx < l { + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowGenerated + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + wireType := int(wire & 0x7) + switch wireType { + case 0: + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowGenerated + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + iNdEx++ + if dAtA[iNdEx-1] < 0x80 { + break + } + } + case 1: + iNdEx += 8 + case 2: + var length int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowGenerated + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + length |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if length < 0 { + return 0, ErrInvalidLengthGenerated + } + iNdEx += length + case 3: + depth++ + case 4: + if depth == 0 { + return 0, ErrUnexpectedEndOfGroupGenerated + } + depth-- + case 5: + iNdEx += 4 + default: + return 0, fmt.Errorf("proto: illegal wireType %d", wireType) + } + if iNdEx < 0 { + return 0, ErrInvalidLengthGenerated + } + if depth == 0 { + return iNdEx, nil + } + } + return 0, io.ErrUnexpectedEOF +} + +var ( + ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling") + ErrIntOverflowGenerated = fmt.Errorf("proto: integer overflow") + ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group") +) diff --git a/vendor/github.com/openshift/api/security/v1/generated.proto b/vendor/github.com/openshift/api/security/v1/generated.proto new file mode 100644 index 00000000..0e6bb094 --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/generated.proto @@ -0,0 +1,421 @@ + +// This file was autogenerated by go-to-protobuf. Do not edit it manually! + +syntax = "proto2"; + +package github.com.openshift.api.security.v1; + +import "k8s.io/api/core/v1/generated.proto"; +import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto"; +import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto"; + +// Package-wide variables from generator "generated". +option go_package = "github.com/openshift/api/security/v1"; + +// AllowedFlexVolume represents a single Flexvolume that is allowed to be used. +message AllowedFlexVolume { + // driver is the name of the Flexvolume driver. + optional string driver = 1; +} + +// FSGroupStrategyOptions defines the strategy type and options used to create the strategy. +message FSGroupStrategyOptions { + // type is the strategy that will dictate what FSGroup is used in the SecurityContext. + optional string type = 1; + + // ranges are the allowed ranges of fs groups. If you would like to force a single + // fs group then supply a single range with the same start and end. + // +listType=atomic + repeated IDRange ranges = 2; +} + +// IDRange provides a min/max of an allowed range of IDs. +// TODO: this could be reused for UIDs. +message IDRange { + // min is the start of the range, inclusive. + optional int64 min = 1; + + // max is the end of the range, inclusive. + optional int64 max = 2; +} + +// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question. +// +// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=2 +message PodSecurityPolicyReview { + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 3; + + // spec is the PodSecurityPolicy to check. + optional PodSecurityPolicyReviewSpec spec = 1; + + // status represents the current information/status for the PodSecurityPolicyReview. + optional PodSecurityPolicyReviewStatus status = 2; +} + +// PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview +message PodSecurityPolicyReviewSpec { + // template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used + // if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty, + // in which case "default" is used. + // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored. + optional .k8s.io.api.core.v1.PodTemplateSpec template = 1; + + // serviceAccountNames is an optional set of ServiceAccounts to run the check with. + // If serviceAccountNames is empty, the template.spec.serviceAccountName is used, + // unless it's empty, in which case "default" is used instead. + // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored. + repeated string serviceAccountNames = 2; +} + +// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview. +message PodSecurityPolicyReviewStatus { + // allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec. + repeated ServiceAccountPodSecurityPolicyReviewStatus allowedServiceAccounts = 1; +} + +// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec +// +// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=2 +message PodSecurityPolicySelfSubjectReview { + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 3; + + // spec defines specification the PodSecurityPolicySelfSubjectReview. + optional PodSecurityPolicySelfSubjectReviewSpec spec = 1; + + // status represents the current information/status for the PodSecurityPolicySelfSubjectReview. + optional PodSecurityPolicySubjectReviewStatus status = 2; +} + +// PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview. +message PodSecurityPolicySelfSubjectReviewSpec { + // template is the PodTemplateSpec to check. + optional .k8s.io.api.core.v1.PodTemplateSpec template = 1; +} + +// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec. +// +// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=2 +message PodSecurityPolicySubjectReview { + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 3; + + // spec defines specification for the PodSecurityPolicySubjectReview. + optional PodSecurityPolicySubjectReviewSpec spec = 1; + + // status represents the current information/status for the PodSecurityPolicySubjectReview. + optional PodSecurityPolicySubjectReviewStatus status = 2; +} + +// PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview +message PodSecurityPolicySubjectReviewSpec { + // template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted. + // If its non-empty, it will be checked. + optional .k8s.io.api.core.v1.PodTemplateSpec template = 1; + + // user is the user you're testing for. + // If you specify "user" but not "group", then is it interpreted as "What if user were not a member of any groups. + // If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template. + optional string user = 2; + + // groups is the groups you're testing for. + repeated string groups = 3; +} + +// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview. +message PodSecurityPolicySubjectReviewStatus { + // allowedBy is a reference to the rule that allows the PodTemplateSpec. + // A rule can be a SecurityContextConstraint or a PodSecurityPolicy + // A `nil`, indicates that it was denied. + optional .k8s.io.api.core.v1.ObjectReference allowedBy = 1; + + // A machine-readable description of why this operation is in the + // "Failure" status. If this value is empty there + // is no information available. + optional string reason = 2; + + // template is the PodTemplateSpec after the defaulting is applied. + optional .k8s.io.api.core.v1.PodTemplateSpec template = 3; +} + +// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +openshift:compatibility-gen:level=4 +message RangeAllocation { + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; + + // range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000". + optional string range = 2; + + // data is a byte array representing the serialized state of a range allocation. It is a bitmap + // with each bit set to one to represent a range is taken. + optional bytes data = 3; +} + +// RangeAllocationList is a list of RangeAllocations objects +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +message RangeAllocationList { + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; + + // List of RangeAllocations. + repeated RangeAllocation items = 2; +} + +// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. +message RunAsUserStrategyOptions { + // type is the strategy that will dictate what RunAsUser is used in the SecurityContext. + optional string type = 1; + + // uid is the user id that containers must run as. Required for the MustRunAs strategy if not using + // namespace/service account allocated uids. + optional int64 uid = 2; + + // uidRangeMin defines the min value for a strategy that allocates by range. + optional int64 uidRangeMin = 3; + + // uidRangeMax defines the max value for a strategy that allocates by range. + optional int64 uidRangeMax = 4; +} + +// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy. +message SELinuxContextStrategyOptions { + // type is the strategy that will dictate what SELinux context is used in the SecurityContext. + optional string type = 1; + + // seLinuxOptions required to run as; required for MustRunAs + optional .k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2; +} + +// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext +// that will be applied to a container. +// For historical reasons SCC was exposed under the core Kubernetes API group. +// That exposure is deprecated and will be removed in a future release - users +// should instead use the security.openshift.io group to manage +// SecurityContextConstraints. +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=securitycontextconstraints,scope=Cluster +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470 +// +openshift:file-pattern=cvoRunLevel=0000_03,operatorName=config-operator,operatorOrdering=01 +// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=.allowPrivilegedContainer,description="Determines if a container can request to be run as privileged" +// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=.allowedCapabilities,description="A list of capabilities that can be requested to add to the container" +// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=.seLinuxContext.type,description="Strategy that will dictate what labels will be set in the SecurityContext" +// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=.runAsUser.type,description="Strategy that will dictate what RunAsUser is used in the SecurityContext" +// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=.fsGroup.type,description="Strategy that will dictate what fs group is used by the SecurityContext" +// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=.supplementalGroups.type,description="Strategy that will dictate what supplemental groups are used by the SecurityContext" +// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=.priority,description="Sort order of SCCs" +// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=.readOnlyRootFilesystem,description="Force containers to run with a read only root file system" +// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=.volumes,description="White list of allowed volume plugins" +// +kubebuilder:singular=securitycontextconstraint +// +openshift:compatibility-gen:level=1 +// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true +message SecurityContextConstraints { + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; + + // priority influences the sort order of SCCs when evaluating which SCCs to try first for + // a given pod request based on access in the Users and Groups fields. The higher the int, the + // higher priority. An unset value is considered a 0 priority. If scores + // for multiple SCCs are equal they will be sorted from most restrictive to + // least restrictive. If both priorities and restrictions are equal the + // SCCs will be sorted by name. + // +nullable + optional int32 priority = 2; + + // allowPrivilegedContainer determines if a container can request to be run as privileged. + optional bool allowPrivilegedContainer = 3; + + // defaultAddCapabilities is the default set of capabilities that will be added to the container + // unless the pod spec specifically drops the capability. You may not list a capabiility in both + // DefaultAddCapabilities and RequiredDropCapabilities. + // +nullable + // +listType=atomic + repeated string defaultAddCapabilities = 4; + + // requiredDropCapabilities are the capabilities that will be dropped from the container. These + // are required to be dropped and cannot be added. + // +nullable + // +listType=atomic + repeated string requiredDropCapabilities = 5; + + // allowedCapabilities is a list of capabilities that can be requested to add to the container. + // Capabilities in this field maybe added at the pod author's discretion. + // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. + // To allow all capabilities you may use '*'. + // +nullable + // +listType=atomic + repeated string allowedCapabilities = 6; + + // allowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin + // +k8s:conversion-gen=false + optional bool allowHostDirVolumePlugin = 7; + + // volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names + // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". + // To allow no volumes, set to ["none"]. + // +nullable + // +listType=atomic + repeated string volumes = 8; + + // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all + // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes + // is allowed in the "Volumes" field. + // +optional + // +nullable + // +listType=atomic + repeated AllowedFlexVolume allowedFlexVolumes = 21; + + // allowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. + optional bool allowHostNetwork = 9; + + // allowHostPorts determines if the policy allows host ports in the containers. + optional bool allowHostPorts = 10; + + // allowHostPID determines if the policy allows host pid in the containers. + optional bool allowHostPID = 11; + + // allowHostIPC determines if the policy allows host ipc in the containers. + optional bool allowHostIPC = 12; + + // userNamespaceLevel determines if the policy allows host users in containers. + // Valid values are "AllowHostLevel", "RequirePodLevel", and omitted. + // When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`. + // When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`. + // When omitted, the default value is "AllowHostLevel". + // +openshift:enable:FeatureGate=UserNamespacesPodSecurityStandards + // +kubebuilder:validation:Enum="AllowHostLevel";"RequirePodLevel" + // +kubebuilder:default:="AllowHostLevel" + // +default="AllowHostLevel" + // +optional + optional string userNamespaceLevel = 26; + + // defaultAllowPrivilegeEscalation controls the default setting for whether a + // process can gain more privileges than its parent process. + // +optional + // +nullable + optional bool defaultAllowPrivilegeEscalation = 22; + + // allowPrivilegeEscalation determines if a pod can request to allow + // privilege escalation. If unspecified, defaults to true. + // +optional + // +nullable + optional bool allowPrivilegeEscalation = 23; + + // seLinuxContext is the strategy that will dictate what labels will be set in the SecurityContext. + // +nullable + optional SELinuxContextStrategyOptions seLinuxContext = 13; + + // runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. + // +nullable + optional RunAsUserStrategyOptions runAsUser = 14; + + // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. + // +nullable + optional SupplementalGroupsStrategyOptions supplementalGroups = 15; + + // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. + // +nullable + optional FSGroupStrategyOptions fsGroup = 16; + + // readOnlyRootFilesystem when set to true will force containers to run with a read only root file + // system. If the container specifically requests to run with a non-read only root file system + // the SCC should deny the pod. + // If set to false the container may run with a read only root file system if it wishes but it + // will not be forced to. + optional bool readOnlyRootFilesystem = 17; + + // The users who have permissions to use this security context constraints + // +optional + // +nullable + // +listType=atomic + repeated string users = 18; + + // The groups that have permission to use this security context constraints + // +optional + // +nullable + // +listType=atomic + repeated string groups = 19; + + // seccompProfiles lists the allowed profiles that may be set for the pod or + // container's seccomp annotations. An unset (nil) or empty value means that no profiles may + // be specifid by the pod or container. The wildcard '*' may be used to allow all profiles. When + // used to generate a value for a pod the first non-wildcard profile will be used as + // the default. + // +nullable + // +listType=atomic + repeated string seccompProfiles = 20; + + // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. + // Each entry is either a plain sysctl name or ends in "*" in which case it is considered + // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. + // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. + // + // Examples: + // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. + // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. + // +optional + // +nullable + // +listType=atomic + repeated string allowedUnsafeSysctls = 24; + + // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. + // Each entry is either a plain sysctl name or ends in "*" in which case it is considered + // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. + // + // Examples: + // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. + // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. + // +optional + // +nullable + // +listType=atomic + repeated string forbiddenSysctls = 25; +} + +// SecurityContextConstraintsList is a list of SecurityContextConstraints objects +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +message SecurityContextConstraintsList { + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; + + // List of security context constraints. + repeated SecurityContextConstraints items = 2; +} + +// ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status +message ServiceAccountPodSecurityPolicyReviewStatus { + optional PodSecurityPolicySubjectReviewStatus podSecurityPolicySubjectReviewStatus = 1; + + // name contains the allowed and the denied ServiceAccount name + optional string name = 2; +} + +// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy. +message SupplementalGroupsStrategyOptions { + // type is the strategy that will dictate what supplemental groups is used in the SecurityContext. + optional string type = 1; + + // ranges are the allowed ranges of supplemental groups. If you would like to force a single + // supplemental group then supply a single range with the same start and end. + // +listType=atomic + repeated IDRange ranges = 2; +} + diff --git a/vendor/github.com/openshift/api/security/v1/legacy.go b/vendor/github.com/openshift/api/security/v1/legacy.go new file mode 100644 index 00000000..34f609a0 --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/legacy.go @@ -0,0 +1,25 @@ +package v1 + +import ( + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +var ( + legacyGroupVersion = schema.GroupVersion{Group: "", Version: "v1"} + legacySchemeBuilder = runtime.NewSchemeBuilder(addLegacyKnownTypes, corev1.AddToScheme) + DeprecatedInstallWithoutGroup = legacySchemeBuilder.AddToScheme +) + +func addLegacyKnownTypes(scheme *runtime.Scheme) error { + types := []runtime.Object{ + &SecurityContextConstraints{}, + &SecurityContextConstraintsList{}, + &PodSecurityPolicySubjectReview{}, + &PodSecurityPolicySelfSubjectReview{}, + &PodSecurityPolicyReview{}, + } + scheme.AddKnownTypes(legacyGroupVersion, types...) + return nil +} diff --git a/vendor/github.com/openshift/api/security/v1/register.go b/vendor/github.com/openshift/api/security/v1/register.go new file mode 100644 index 00000000..431c3b53 --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/register.go @@ -0,0 +1,44 @@ +package v1 + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +var ( + GroupName = "security.openshift.io" + GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"} + schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, corev1.AddToScheme) + // Install is a function which adds this version to a scheme + Install = schemeBuilder.AddToScheme + + // SchemeGroupVersion generated code relies on this name + // Deprecated + SchemeGroupVersion = GroupVersion + // AddToScheme exists solely to keep the old generators creating valid code + // DEPRECATED + AddToScheme = schemeBuilder.AddToScheme +) + +// Resource generated code relies on this being here, but it logically belongs to the group +// DEPRECATED +func Resource(resource string) schema.GroupResource { + return schema.GroupResource{Group: GroupName, Resource: resource} +} + +// Adds the list of known types to api.Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(GroupVersion, + &SecurityContextConstraints{}, + &SecurityContextConstraintsList{}, + &PodSecurityPolicySubjectReview{}, + &PodSecurityPolicySelfSubjectReview{}, + &PodSecurityPolicyReview{}, + &RangeAllocation{}, + &RangeAllocationList{}, + ) + metav1.AddToGroupVersion(scheme, GroupVersion) + return nil +} diff --git a/vendor/github.com/openshift/api/security/v1/types.go b/vendor/github.com/openshift/api/security/v1/types.go new file mode 100644 index 00000000..18585e97 --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/types.go @@ -0,0 +1,517 @@ +package v1 + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// AllowAllCapabilities can be used as a value for the +// SecurityContextConstraints.AllowAllCapabilities field and means that any +// capabilities are allowed to be requested. +var AllowAllCapabilities corev1.Capability = "*" + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext +// that will be applied to a container. +// For historical reasons SCC was exposed under the core Kubernetes API group. +// That exposure is deprecated and will be removed in a future release - users +// should instead use the security.openshift.io group to manage +// SecurityContextConstraints. +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=securitycontextconstraints,scope=Cluster +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470 +// +openshift:file-pattern=cvoRunLevel=0000_03,operatorName=config-operator,operatorOrdering=01 +// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=.allowPrivilegedContainer,description="Determines if a container can request to be run as privileged" +// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=.allowedCapabilities,description="A list of capabilities that can be requested to add to the container" +// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=.seLinuxContext.type,description="Strategy that will dictate what labels will be set in the SecurityContext" +// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=.runAsUser.type,description="Strategy that will dictate what RunAsUser is used in the SecurityContext" +// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=.fsGroup.type,description="Strategy that will dictate what fs group is used by the SecurityContext" +// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=.supplementalGroups.type,description="Strategy that will dictate what supplemental groups are used by the SecurityContext" +// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=.priority,description="Sort order of SCCs" +// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=.readOnlyRootFilesystem,description="Force containers to run with a read only root file system" +// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=.volumes,description="White list of allowed volume plugins" +// +kubebuilder:singular=securitycontextconstraint +// +openshift:compatibility-gen:level=1 +// +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true +type SecurityContextConstraints struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // priority influences the sort order of SCCs when evaluating which SCCs to try first for + // a given pod request based on access in the Users and Groups fields. The higher the int, the + // higher priority. An unset value is considered a 0 priority. If scores + // for multiple SCCs are equal they will be sorted from most restrictive to + // least restrictive. If both priorities and restrictions are equal the + // SCCs will be sorted by name. + // +nullable + Priority *int32 `json:"priority" protobuf:"varint,2,opt,name=priority"` + + // allowPrivilegedContainer determines if a container can request to be run as privileged. + AllowPrivilegedContainer bool `json:"allowPrivilegedContainer" protobuf:"varint,3,opt,name=allowPrivilegedContainer"` + // defaultAddCapabilities is the default set of capabilities that will be added to the container + // unless the pod spec specifically drops the capability. You may not list a capabiility in both + // DefaultAddCapabilities and RequiredDropCapabilities. + // +nullable + // +listType=atomic + DefaultAddCapabilities []corev1.Capability `json:"defaultAddCapabilities" protobuf:"bytes,4,rep,name=defaultAddCapabilities,casttype=Capability"` + // requiredDropCapabilities are the capabilities that will be dropped from the container. These + // are required to be dropped and cannot be added. + // +nullable + // +listType=atomic + RequiredDropCapabilities []corev1.Capability `json:"requiredDropCapabilities" protobuf:"bytes,5,rep,name=requiredDropCapabilities,casttype=Capability"` + // allowedCapabilities is a list of capabilities that can be requested to add to the container. + // Capabilities in this field maybe added at the pod author's discretion. + // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. + // To allow all capabilities you may use '*'. + // +nullable + // +listType=atomic + AllowedCapabilities []corev1.Capability `json:"allowedCapabilities" protobuf:"bytes,6,rep,name=allowedCapabilities,casttype=Capability"` + // allowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin + // +k8s:conversion-gen=false + AllowHostDirVolumePlugin bool `json:"allowHostDirVolumePlugin" protobuf:"varint,7,opt,name=allowHostDirVolumePlugin"` + // volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names + // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". + // To allow no volumes, set to ["none"]. + // +nullable + // +listType=atomic + Volumes []FSType `json:"volumes" protobuf:"bytes,8,rep,name=volumes,casttype=FSType"` + // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all + // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes + // is allowed in the "Volumes" field. + // +optional + // +nullable + // +listType=atomic + AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,21,rep,name=allowedFlexVolumes"` + // allowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. + AllowHostNetwork bool `json:"allowHostNetwork" protobuf:"varint,9,opt,name=allowHostNetwork"` + // allowHostPorts determines if the policy allows host ports in the containers. + AllowHostPorts bool `json:"allowHostPorts" protobuf:"varint,10,opt,name=allowHostPorts"` + // allowHostPID determines if the policy allows host pid in the containers. + AllowHostPID bool `json:"allowHostPID" protobuf:"varint,11,opt,name=allowHostPID"` + // allowHostIPC determines if the policy allows host ipc in the containers. + AllowHostIPC bool `json:"allowHostIPC" protobuf:"varint,12,opt,name=allowHostIPC"` + // userNamespaceLevel determines if the policy allows host users in containers. + // Valid values are "AllowHostLevel", "RequirePodLevel", and omitted. + // When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`. + // When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`. + // When omitted, the default value is "AllowHostLevel". + // +openshift:enable:FeatureGate=UserNamespacesPodSecurityStandards + // +kubebuilder:validation:Enum="AllowHostLevel";"RequirePodLevel" + // +kubebuilder:default:="AllowHostLevel" + // +default="AllowHostLevel" + // +optional + UserNamespaceLevel NamespaceLevelType `json:"userNamespaceLevel,omitempty" protobuf:"bytes,26,opt,name=userNamespaceLevel"` + // defaultAllowPrivilegeEscalation controls the default setting for whether a + // process can gain more privileges than its parent process. + // +optional + // +nullable + DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,22,rep,name=defaultAllowPrivilegeEscalation"` + // allowPrivilegeEscalation determines if a pod can request to allow + // privilege escalation. If unspecified, defaults to true. + // +optional + // +nullable + AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,23,rep,name=allowPrivilegeEscalation"` + // seLinuxContext is the strategy that will dictate what labels will be set in the SecurityContext. + // +nullable + SELinuxContext SELinuxContextStrategyOptions `json:"seLinuxContext,omitempty" protobuf:"bytes,13,opt,name=seLinuxContext"` + // runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. + // +nullable + RunAsUser RunAsUserStrategyOptions `json:"runAsUser,omitempty" protobuf:"bytes,14,opt,name=runAsUser"` + // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. + // +nullable + SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups,omitempty" protobuf:"bytes,15,opt,name=supplementalGroups"` + // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. + // +nullable + FSGroup FSGroupStrategyOptions `json:"fsGroup,omitempty" protobuf:"bytes,16,opt,name=fsGroup"` + // readOnlyRootFilesystem when set to true will force containers to run with a read only root file + // system. If the container specifically requests to run with a non-read only root file system + // the SCC should deny the pod. + // If set to false the container may run with a read only root file system if it wishes but it + // will not be forced to. + ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem" protobuf:"varint,17,opt,name=readOnlyRootFilesystem"` + + // The users who have permissions to use this security context constraints + // +optional + // +nullable + // +listType=atomic + Users []string `json:"users" protobuf:"bytes,18,rep,name=users"` + // The groups that have permission to use this security context constraints + // +optional + // +nullable + // +listType=atomic + Groups []string `json:"groups" protobuf:"bytes,19,rep,name=groups"` + + // seccompProfiles lists the allowed profiles that may be set for the pod or + // container's seccomp annotations. An unset (nil) or empty value means that no profiles may + // be specifid by the pod or container. The wildcard '*' may be used to allow all profiles. When + // used to generate a value for a pod the first non-wildcard profile will be used as + // the default. + // +nullable + // +listType=atomic + SeccompProfiles []string `json:"seccompProfiles,omitempty" protobuf:"bytes,20,opt,name=seccompProfiles"` + + // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. + // Each entry is either a plain sysctl name or ends in "*" in which case it is considered + // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. + // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. + // + // Examples: + // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. + // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. + // +optional + // +nullable + // +listType=atomic + AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,24,rep,name=allowedUnsafeSysctls"` + // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. + // Each entry is either a plain sysctl name or ends in "*" in which case it is considered + // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. + // + // Examples: + // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. + // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. + // +optional + // +nullable + // +listType=atomic + ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,25,rep,name=forbiddenSysctls"` +} + +// FS Type gives strong typing to different file systems that are used by volumes. +type FSType string + +var ( + FSTypeAzureFile FSType = "azureFile" + FSTypeAzureDisk FSType = "azureDisk" + FSTypeFlocker FSType = "flocker" + FSTypeFlexVolume FSType = "flexVolume" + FSTypeHostPath FSType = "hostPath" + FSTypeEmptyDir FSType = "emptyDir" + FSTypeGCEPersistentDisk FSType = "gcePersistentDisk" + FSTypeAWSElasticBlockStore FSType = "awsElasticBlockStore" + FSTypeGitRepo FSType = "gitRepo" + FSTypeSecret FSType = "secret" + FSTypeNFS FSType = "nfs" + FSTypeISCSI FSType = "iscsi" + FSTypeGlusterfs FSType = "glusterfs" + FSTypePersistentVolumeClaim FSType = "persistentVolumeClaim" + FSTypeRBD FSType = "rbd" + FSTypeCinder FSType = "cinder" + FSTypeCephFS FSType = "cephFS" + FSTypeDownwardAPI FSType = "downwardAPI" + FSTypeFC FSType = "fc" + FSTypeConfigMap FSType = "configMap" + FSTypeVsphereVolume FSType = "vsphere" + FSTypeQuobyte FSType = "quobyte" + FSTypePhotonPersistentDisk FSType = "photonPersistentDisk" + FSProjected FSType = "projected" + FSPortworxVolume FSType = "portworxVolume" + FSScaleIO FSType = "scaleIO" + FSStorageOS FSType = "storageOS" + FSTypeCSI FSType = "csi" + FSTypeEphemeral FSType = "ephemeral" + FSTypeImage FSType = "image" + FSTypeAll FSType = "*" + FSTypeNone FSType = "none" +) + +// AllowedFlexVolume represents a single Flexvolume that is allowed to be used. +type AllowedFlexVolume struct { + // driver is the name of the Flexvolume driver. + Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` +} + +// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy. +type SELinuxContextStrategyOptions struct { + // type is the strategy that will dictate what SELinux context is used in the SecurityContext. + Type SELinuxContextStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=SELinuxContextStrategyType"` + // seLinuxOptions required to run as; required for MustRunAs + SELinuxOptions *corev1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"` +} + +// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. +type RunAsUserStrategyOptions struct { + // type is the strategy that will dictate what RunAsUser is used in the SecurityContext. + Type RunAsUserStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=RunAsUserStrategyType"` + // uid is the user id that containers must run as. Required for the MustRunAs strategy if not using + // namespace/service account allocated uids. + UID *int64 `json:"uid,omitempty" protobuf:"varint,2,opt,name=uid"` + // uidRangeMin defines the min value for a strategy that allocates by range. + UIDRangeMin *int64 `json:"uidRangeMin,omitempty" protobuf:"varint,3,opt,name=uidRangeMin"` + // uidRangeMax defines the max value for a strategy that allocates by range. + UIDRangeMax *int64 `json:"uidRangeMax,omitempty" protobuf:"varint,4,opt,name=uidRangeMax"` +} + +// FSGroupStrategyOptions defines the strategy type and options used to create the strategy. +type FSGroupStrategyOptions struct { + // type is the strategy that will dictate what FSGroup is used in the SecurityContext. + Type FSGroupStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=FSGroupStrategyType"` + // ranges are the allowed ranges of fs groups. If you would like to force a single + // fs group then supply a single range with the same start and end. + // +listType=atomic + Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` +} + +// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy. +type SupplementalGroupsStrategyOptions struct { + // type is the strategy that will dictate what supplemental groups is used in the SecurityContext. + Type SupplementalGroupsStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=SupplementalGroupsStrategyType"` + // ranges are the allowed ranges of supplemental groups. If you would like to force a single + // supplemental group then supply a single range with the same start and end. + // +listType=atomic + Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` +} + +// IDRange provides a min/max of an allowed range of IDs. +// TODO: this could be reused for UIDs. +type IDRange struct { + // min is the start of the range, inclusive. + Min int64 `json:"min,omitempty" protobuf:"varint,1,opt,name=min"` + // max is the end of the range, inclusive. + Max int64 `json:"max,omitempty" protobuf:"varint,2,opt,name=max"` +} + +// NamespaceLevelType shows the allowable values for the UserNamespaceLevel field. +type NamespaceLevelType string + +// SELinuxContextStrategyType denotes strategy types for generating SELinux options for a +// SecurityContext +type SELinuxContextStrategyType string + +// RunAsUserStrategyType denotes strategy types for generating RunAsUser values for a +// SecurityContext +type RunAsUserStrategyType string + +// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental +// groups for a SecurityContext. +type SupplementalGroupsStrategyType string + +// FSGroupStrategyType denotes strategy types for generating FSGroup values for a +// SecurityContext +type FSGroupStrategyType string + +const ( + // NamespaceLevelAllowHost allows a pod to set `hostUsers` field to either `true` or `false` + NamespaceLevelAllowHost NamespaceLevelType = "AllowHostLevel" + // NamespaceLevelRequirePod requires the `hostUsers` field be `false` in a pod. + NamespaceLevelRequirePod NamespaceLevelType = "RequirePodLevel" + + // container must have SELinux labels of X applied. + SELinuxStrategyMustRunAs SELinuxContextStrategyType = "MustRunAs" + // container may make requests for any SELinux context labels. + SELinuxStrategyRunAsAny SELinuxContextStrategyType = "RunAsAny" + + // container must run as a particular uid. + RunAsUserStrategyMustRunAs RunAsUserStrategyType = "MustRunAs" + // container must run as a particular uid. + RunAsUserStrategyMustRunAsRange RunAsUserStrategyType = "MustRunAsRange" + // container must run as a non-root uid + RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategyType = "MustRunAsNonRoot" + // container may make requests for any uid. + RunAsUserStrategyRunAsAny RunAsUserStrategyType = "RunAsAny" + + // container must have FSGroup of X applied. + FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" + // container may make requests for any FSGroup labels. + FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" + + // container must run as a particular gid. + SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" + // container may make requests for any gid. + SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SecurityContextConstraintsList is a list of SecurityContextConstraints objects +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type SecurityContextConstraintsList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // List of security context constraints. + Items []SecurityContextConstraints `json:"items" protobuf:"bytes,2,rep,name=items"` +} + +// +genclient +// +genclient:onlyVerbs=create +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec. +// +// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=2 +type PodSecurityPolicySubjectReview struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,3,opt,name=metadata"` + + // spec defines specification for the PodSecurityPolicySubjectReview. + Spec PodSecurityPolicySubjectReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"` + + // status represents the current information/status for the PodSecurityPolicySubjectReview. + Status PodSecurityPolicySubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"` +} + +// PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview +type PodSecurityPolicySubjectReviewSpec struct { + // template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted. + // If its non-empty, it will be checked. + Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"` + + // user is the user you're testing for. + // If you specify "user" but not "group", then is it interpreted as "What if user were not a member of any groups. + // If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template. + User string `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"` + + // groups is the groups you're testing for. + Groups []string `json:"groups,omitempty" protobuf:"bytes,3,rep,name=groups"` +} + +// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview. +type PodSecurityPolicySubjectReviewStatus struct { + // allowedBy is a reference to the rule that allows the PodTemplateSpec. + // A rule can be a SecurityContextConstraint or a PodSecurityPolicy + // A `nil`, indicates that it was denied. + AllowedBy *corev1.ObjectReference `json:"allowedBy,omitempty" protobuf:"bytes,1,opt,name=allowedBy"` + + // A machine-readable description of why this operation is in the + // "Failure" status. If this value is empty there + // is no information available. + Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"` + + // template is the PodTemplateSpec after the defaulting is applied. + Template corev1.PodTemplateSpec `json:"template,omitempty" protobuf:"bytes,3,opt,name=template"` +} + +// +genclient +// +genclient:onlyVerbs=create +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec +// +// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=2 +type PodSecurityPolicySelfSubjectReview struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,3,opt,name=metadata"` + + // spec defines specification the PodSecurityPolicySelfSubjectReview. + Spec PodSecurityPolicySelfSubjectReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"` + + // status represents the current information/status for the PodSecurityPolicySelfSubjectReview. + Status PodSecurityPolicySubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"` +} + +// PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview. +type PodSecurityPolicySelfSubjectReviewSpec struct { + // template is the PodTemplateSpec to check. + Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"` +} + +// +genclient +// +genclient:onlyVerbs=create +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question. +// +// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=2 +type PodSecurityPolicyReview struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,3,opt,name=metadata"` + + // spec is the PodSecurityPolicy to check. + Spec PodSecurityPolicyReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"` + + // status represents the current information/status for the PodSecurityPolicyReview. + Status PodSecurityPolicyReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"` +} + +// PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview +type PodSecurityPolicyReviewSpec struct { + // template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used + // if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty, + // in which case "default" is used. + // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored. + Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"` + + // serviceAccountNames is an optional set of ServiceAccounts to run the check with. + // If serviceAccountNames is empty, the template.spec.serviceAccountName is used, + // unless it's empty, in which case "default" is used instead. + // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored. + ServiceAccountNames []string `json:"serviceAccountNames,omitempty" protobuf:"bytes,2,rep,name=serviceAccountNames"` // TODO: find a way to express 'all service accounts' +} + +// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview. +type PodSecurityPolicyReviewStatus struct { + // allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec. + AllowedServiceAccounts []ServiceAccountPodSecurityPolicyReviewStatus `json:"allowedServiceAccounts" protobuf:"bytes,1,rep,name=allowedServiceAccounts"` +} + +// ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status +type ServiceAccountPodSecurityPolicyReviewStatus struct { + PodSecurityPolicySubjectReviewStatus `json:",inline" protobuf:"bytes,1,opt,name=podSecurityPolicySubjectReviewStatus"` + + // name contains the allowed and the denied ServiceAccount name + Name string `json:"name" protobuf:"bytes,2,opt,name=name"` +} + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +openshift:compatibility-gen:level=4 +type RangeAllocation struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000". + Range string `json:"range" protobuf:"bytes,2,opt,name=range"` + + // data is a byte array representing the serialized state of a range allocation. It is a bitmap + // with each bit set to one to represent a range is taken. + Data []byte `json:"data" protobuf:"bytes,3,opt,name=data"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// RangeAllocationList is a list of RangeAllocations objects +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type RangeAllocationList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // List of RangeAllocations. + Items []RangeAllocation `json:"items" protobuf:"bytes,2,rep,name=items"` +} diff --git a/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go new file mode 100644 index 00000000..66e8b5a2 --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go @@ -0,0 +1,536 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1 + +import ( + corev1 "k8s.io/api/core/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume. +func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume { + if in == nil { + return nil + } + out := new(AllowedFlexVolume) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions) { + *out = *in + if in.Ranges != nil { + in, out := &in.Ranges, &out.Ranges + *out = make([]IDRange, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions. +func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions { + if in == nil { + return nil + } + out := new(FSGroupStrategyOptions) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *IDRange) DeepCopyInto(out *IDRange) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange. +func (in *IDRange) DeepCopy() *IDRange { + if in == nil { + return nil + } + out := new(IDRange) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityPolicyReview) DeepCopyInto(out *PodSecurityPolicyReview) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReview. +func (in *PodSecurityPolicyReview) DeepCopy() *PodSecurityPolicyReview { + if in == nil { + return nil + } + out := new(PodSecurityPolicyReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PodSecurityPolicyReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityPolicyReviewSpec) DeepCopyInto(out *PodSecurityPolicyReviewSpec) { + *out = *in + in.Template.DeepCopyInto(&out.Template) + if in.ServiceAccountNames != nil { + in, out := &in.ServiceAccountNames, &out.ServiceAccountNames + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReviewSpec. +func (in *PodSecurityPolicyReviewSpec) DeepCopy() *PodSecurityPolicyReviewSpec { + if in == nil { + return nil + } + out := new(PodSecurityPolicyReviewSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityPolicyReviewStatus) DeepCopyInto(out *PodSecurityPolicyReviewStatus) { + *out = *in + if in.AllowedServiceAccounts != nil { + in, out := &in.AllowedServiceAccounts, &out.AllowedServiceAccounts + *out = make([]ServiceAccountPodSecurityPolicyReviewStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReviewStatus. +func (in *PodSecurityPolicyReviewStatus) DeepCopy() *PodSecurityPolicyReviewStatus { + if in == nil { + return nil + } + out := new(PodSecurityPolicyReviewStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityPolicySelfSubjectReview) DeepCopyInto(out *PodSecurityPolicySelfSubjectReview) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySelfSubjectReview. +func (in *PodSecurityPolicySelfSubjectReview) DeepCopy() *PodSecurityPolicySelfSubjectReview { + if in == nil { + return nil + } + out := new(PodSecurityPolicySelfSubjectReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PodSecurityPolicySelfSubjectReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityPolicySelfSubjectReviewSpec) DeepCopyInto(out *PodSecurityPolicySelfSubjectReviewSpec) { + *out = *in + in.Template.DeepCopyInto(&out.Template) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySelfSubjectReviewSpec. +func (in *PodSecurityPolicySelfSubjectReviewSpec) DeepCopy() *PodSecurityPolicySelfSubjectReviewSpec { + if in == nil { + return nil + } + out := new(PodSecurityPolicySelfSubjectReviewSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityPolicySubjectReview) DeepCopyInto(out *PodSecurityPolicySubjectReview) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReview. +func (in *PodSecurityPolicySubjectReview) DeepCopy() *PodSecurityPolicySubjectReview { + if in == nil { + return nil + } + out := new(PodSecurityPolicySubjectReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PodSecurityPolicySubjectReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityPolicySubjectReviewSpec) DeepCopyInto(out *PodSecurityPolicySubjectReviewSpec) { + *out = *in + in.Template.DeepCopyInto(&out.Template) + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReviewSpec. +func (in *PodSecurityPolicySubjectReviewSpec) DeepCopy() *PodSecurityPolicySubjectReviewSpec { + if in == nil { + return nil + } + out := new(PodSecurityPolicySubjectReviewSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PodSecurityPolicySubjectReviewStatus) DeepCopyInto(out *PodSecurityPolicySubjectReviewStatus) { + *out = *in + if in.AllowedBy != nil { + in, out := &in.AllowedBy, &out.AllowedBy + *out = new(corev1.ObjectReference) + **out = **in + } + in.Template.DeepCopyInto(&out.Template) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReviewStatus. +func (in *PodSecurityPolicySubjectReviewStatus) DeepCopy() *PodSecurityPolicySubjectReviewStatus { + if in == nil { + return nil + } + out := new(PodSecurityPolicySubjectReviewStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RangeAllocation) DeepCopyInto(out *RangeAllocation) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocation. +func (in *RangeAllocation) DeepCopy() *RangeAllocation { + if in == nil { + return nil + } + out := new(RangeAllocation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RangeAllocation) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RangeAllocationList) DeepCopyInto(out *RangeAllocationList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]RangeAllocation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocationList. +func (in *RangeAllocationList) DeepCopy() *RangeAllocationList { + if in == nil { + return nil + } + out := new(RangeAllocationList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RangeAllocationList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) { + *out = *in + if in.UID != nil { + in, out := &in.UID, &out.UID + *out = new(int64) + **out = **in + } + if in.UIDRangeMin != nil { + in, out := &in.UIDRangeMin, &out.UIDRangeMin + *out = new(int64) + **out = **in + } + if in.UIDRangeMax != nil { + in, out := &in.UIDRangeMax, &out.UIDRangeMax + *out = new(int64) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions. +func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions { + if in == nil { + return nil + } + out := new(RunAsUserStrategyOptions) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SELinuxContextStrategyOptions) DeepCopyInto(out *SELinuxContextStrategyOptions) { + *out = *in + if in.SELinuxOptions != nil { + in, out := &in.SELinuxOptions, &out.SELinuxOptions + *out = new(corev1.SELinuxOptions) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxContextStrategyOptions. +func (in *SELinuxContextStrategyOptions) DeepCopy() *SELinuxContextStrategyOptions { + if in == nil { + return nil + } + out := new(SELinuxContextStrategyOptions) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstraints) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + if in.Priority != nil { + in, out := &in.Priority, &out.Priority + *out = new(int32) + **out = **in + } + if in.DefaultAddCapabilities != nil { + in, out := &in.DefaultAddCapabilities, &out.DefaultAddCapabilities + *out = make([]corev1.Capability, len(*in)) + copy(*out, *in) + } + if in.RequiredDropCapabilities != nil { + in, out := &in.RequiredDropCapabilities, &out.RequiredDropCapabilities + *out = make([]corev1.Capability, len(*in)) + copy(*out, *in) + } + if in.AllowedCapabilities != nil { + in, out := &in.AllowedCapabilities, &out.AllowedCapabilities + *out = make([]corev1.Capability, len(*in)) + copy(*out, *in) + } + if in.Volumes != nil { + in, out := &in.Volumes, &out.Volumes + *out = make([]FSType, len(*in)) + copy(*out, *in) + } + if in.AllowedFlexVolumes != nil { + in, out := &in.AllowedFlexVolumes, &out.AllowedFlexVolumes + *out = make([]AllowedFlexVolume, len(*in)) + copy(*out, *in) + } + if in.DefaultAllowPrivilegeEscalation != nil { + in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation + *out = new(bool) + **out = **in + } + if in.AllowPrivilegeEscalation != nil { + in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation + *out = new(bool) + **out = **in + } + in.SELinuxContext.DeepCopyInto(&out.SELinuxContext) + in.RunAsUser.DeepCopyInto(&out.RunAsUser) + in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups) + in.FSGroup.DeepCopyInto(&out.FSGroup) + if in.Users != nil { + in, out := &in.Users, &out.Users + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.SeccompProfiles != nil { + in, out := &in.SeccompProfiles, &out.SeccompProfiles + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedUnsafeSysctls != nil { + in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ForbiddenSysctls != nil { + in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraints. +func (in *SecurityContextConstraints) DeepCopy() *SecurityContextConstraints { + if in == nil { + return nil + } + out := new(SecurityContextConstraints) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecurityContextConstraints) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecurityContextConstraintsList) DeepCopyInto(out *SecurityContextConstraintsList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SecurityContextConstraints, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraintsList. +func (in *SecurityContextConstraintsList) DeepCopy() *SecurityContextConstraintsList { + if in == nil { + return nil + } + out := new(SecurityContextConstraintsList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SecurityContextConstraintsList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceAccountPodSecurityPolicyReviewStatus) DeepCopyInto(out *ServiceAccountPodSecurityPolicyReviewStatus) { + *out = *in + in.PodSecurityPolicySubjectReviewStatus.DeepCopyInto(&out.PodSecurityPolicySubjectReviewStatus) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountPodSecurityPolicyReviewStatus. +func (in *ServiceAccountPodSecurityPolicyReviewStatus) DeepCopy() *ServiceAccountPodSecurityPolicyReviewStatus { + if in == nil { + return nil + } + out := new(ServiceAccountPodSecurityPolicyReviewStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions) { + *out = *in + if in.Ranges != nil { + in, out := &in.Ranges, &out.Ranges + *out = make([]IDRange, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions. +func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions { + if in == nil { + return nil + } + out := new(SupplementalGroupsStrategyOptions) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/github.com/openshift/api/security/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/security/v1/zz_generated.featuregated-crd-manifests.yaml new file mode 100644 index 00000000..178c9707 --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/zz_generated.featuregated-crd-manifests.yaml @@ -0,0 +1,60 @@ +securitycontextconstraints.security.openshift.io: + Annotations: + release.openshift.io/bootstrap-required: "true" + ApprovedPRNumber: https://github.com/openshift/api/pull/470 + CRDName: securitycontextconstraints.security.openshift.io + Capability: "" + Category: "" + FeatureGates: + - UserNamespacesPodSecurityStandards + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_03" + GroupName: security.openshift.io + HasStatus: false + KindName: SecurityContextConstraints + Labels: {} + PluralName: securitycontextconstraints + PrinterColumns: + - description: Determines if a container can request to be run as privileged + jsonPath: .allowPrivilegedContainer + name: Priv + type: string + - description: A list of capabilities that can be requested to add to the container + jsonPath: .allowedCapabilities + name: Caps + type: string + - description: Strategy that will dictate what labels will be set in the SecurityContext + jsonPath: .seLinuxContext.type + name: SELinux + type: string + - description: Strategy that will dictate what RunAsUser is used in the SecurityContext + jsonPath: .runAsUser.type + name: RunAsUser + type: string + - description: Strategy that will dictate what fs group is used by the SecurityContext + jsonPath: .fsGroup.type + name: FSGroup + type: string + - description: Strategy that will dictate what supplemental groups are used by the + SecurityContext + jsonPath: .supplementalGroups.type + name: SupGroup + type: string + - description: Sort order of SCCs + jsonPath: .priority + name: Priority + type: string + - description: Force containers to run with a read only root file system + jsonPath: .readOnlyRootFilesystem + name: ReadOnlyRootFS + type: string + - description: White list of allowed volume plugins + jsonPath: .volumes + name: Volumes + type: string + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: [] + Version: v1 + diff --git a/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go new file mode 100644 index 00000000..29cddf7e --- /dev/null +++ b/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go @@ -0,0 +1,232 @@ +package v1 + +// This file contains a collection of methods that can be used from go-restful to +// generate Swagger API documentation for its models. Please read this PR for more +// information on the implementation: https://github.com/emicklei/go-restful/pull/215 +// +// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if +// they are on one line! For multiple line or blocks that you want to ignore use ---. +// Any context after a --- is ignored. +// +// Those methods can be generated by using hack/update-swagger-docs.sh + +// AUTO-GENERATED FUNCTIONS START HERE +var map_AllowedFlexVolume = map[string]string{ + "": "AllowedFlexVolume represents a single Flexvolume that is allowed to be used.", + "driver": "driver is the name of the Flexvolume driver.", +} + +func (AllowedFlexVolume) SwaggerDoc() map[string]string { + return map_AllowedFlexVolume +} + +var map_FSGroupStrategyOptions = map[string]string{ + "": "FSGroupStrategyOptions defines the strategy type and options used to create the strategy.", + "type": "type is the strategy that will dictate what FSGroup is used in the SecurityContext.", + "ranges": "ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end.", +} + +func (FSGroupStrategyOptions) SwaggerDoc() map[string]string { + return map_FSGroupStrategyOptions +} + +var map_IDRange = map[string]string{ + "": "IDRange provides a min/max of an allowed range of IDs.", + "min": "min is the start of the range, inclusive.", + "max": "max is the end of the range, inclusive.", +} + +func (IDRange) SwaggerDoc() map[string]string { + return map_IDRange +} + +var map_PodSecurityPolicyReview = map[string]string{ + "": "PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.\n\nCompatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec is the PodSecurityPolicy to check.", + "status": "status represents the current information/status for the PodSecurityPolicyReview.", +} + +func (PodSecurityPolicyReview) SwaggerDoc() map[string]string { + return map_PodSecurityPolicyReview +} + +var map_PodSecurityPolicyReviewSpec = map[string]string{ + "": "PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview", + "template": "template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty, in which case \"default\" is used. If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.", + "serviceAccountNames": "serviceAccountNames is an optional set of ServiceAccounts to run the check with. If serviceAccountNames is empty, the template.spec.serviceAccountName is used, unless it's empty, in which case \"default\" is used instead. If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.", +} + +func (PodSecurityPolicyReviewSpec) SwaggerDoc() map[string]string { + return map_PodSecurityPolicyReviewSpec +} + +var map_PodSecurityPolicyReviewStatus = map[string]string{ + "": "PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.", + "allowedServiceAccounts": "allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.", +} + +func (PodSecurityPolicyReviewStatus) SwaggerDoc() map[string]string { + return map_PodSecurityPolicyReviewStatus +} + +var map_PodSecurityPolicySelfSubjectReview = map[string]string{ + "": "PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec\n\nCompatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec defines specification the PodSecurityPolicySelfSubjectReview.", + "status": "status represents the current information/status for the PodSecurityPolicySelfSubjectReview.", +} + +func (PodSecurityPolicySelfSubjectReview) SwaggerDoc() map[string]string { + return map_PodSecurityPolicySelfSubjectReview +} + +var map_PodSecurityPolicySelfSubjectReviewSpec = map[string]string{ + "": "PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.", + "template": "template is the PodTemplateSpec to check.", +} + +func (PodSecurityPolicySelfSubjectReviewSpec) SwaggerDoc() map[string]string { + return map_PodSecurityPolicySelfSubjectReviewSpec +} + +var map_PodSecurityPolicySubjectReview = map[string]string{ + "": "PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.\n\nCompatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec defines specification for the PodSecurityPolicySubjectReview.", + "status": "status represents the current information/status for the PodSecurityPolicySubjectReview.", +} + +func (PodSecurityPolicySubjectReview) SwaggerDoc() map[string]string { + return map_PodSecurityPolicySubjectReview +} + +var map_PodSecurityPolicySubjectReviewSpec = map[string]string{ + "": "PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview", + "template": "template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted. If its non-empty, it will be checked.", + "user": "user is the user you're testing for. If you specify \"user\" but not \"group\", then is it interpreted as \"What if user were not a member of any groups. If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.", + "groups": "groups is the groups you're testing for.", +} + +func (PodSecurityPolicySubjectReviewSpec) SwaggerDoc() map[string]string { + return map_PodSecurityPolicySubjectReviewSpec +} + +var map_PodSecurityPolicySubjectReviewStatus = map[string]string{ + "": "PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.", + "allowedBy": "allowedBy is a reference to the rule that allows the PodTemplateSpec. A rule can be a SecurityContextConstraint or a PodSecurityPolicy A `nil`, indicates that it was denied.", + "reason": "A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available.", + "template": "template is the PodTemplateSpec after the defaulting is applied.", +} + +func (PodSecurityPolicySubjectReviewStatus) SwaggerDoc() map[string]string { + return map_PodSecurityPolicySubjectReviewStatus +} + +var map_RangeAllocation = map[string]string{ + "": "RangeAllocation is used so we can easily expose a RangeAllocation typed for security group\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "range": "range is a string representing a unique label for a range of uids, \"1000000000-2000000000/10000\".", + "data": "data is a byte array representing the serialized state of a range allocation. It is a bitmap with each bit set to one to represent a range is taken.", +} + +func (RangeAllocation) SwaggerDoc() map[string]string { + return map_RangeAllocation +} + +var map_RangeAllocationList = map[string]string{ + "": "RangeAllocationList is a list of RangeAllocations objects\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "List of RangeAllocations.", +} + +func (RangeAllocationList) SwaggerDoc() map[string]string { + return map_RangeAllocationList +} + +var map_RunAsUserStrategyOptions = map[string]string{ + "": "RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.", + "type": "type is the strategy that will dictate what RunAsUser is used in the SecurityContext.", + "uid": "uid is the user id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated uids.", + "uidRangeMin": "uidRangeMin defines the min value for a strategy that allocates by range.", + "uidRangeMax": "uidRangeMax defines the max value for a strategy that allocates by range.", +} + +func (RunAsUserStrategyOptions) SwaggerDoc() map[string]string { + return map_RunAsUserStrategyOptions +} + +var map_SELinuxContextStrategyOptions = map[string]string{ + "": "SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.", + "type": "type is the strategy that will dictate what SELinux context is used in the SecurityContext.", + "seLinuxOptions": "seLinuxOptions required to run as; required for MustRunAs", +} + +func (SELinuxContextStrategyOptions) SwaggerDoc() map[string]string { + return map_SELinuxContextStrategyOptions +} + +var map_SecurityContextConstraints = map[string]string{ + "": "SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "priority": "priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name.", + "allowPrivilegedContainer": "allowPrivilegedContainer determines if a container can request to be run as privileged.", + "defaultAddCapabilities": "defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.", + "requiredDropCapabilities": "requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.", + "allowedCapabilities": "allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'.", + "allowHostDirVolumePlugin": "allowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin", + "volumes": "volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"].", + "allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"Volumes\" field.", + "allowHostNetwork": "allowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.", + "allowHostPorts": "allowHostPorts determines if the policy allows host ports in the containers.", + "allowHostPID": "allowHostPID determines if the policy allows host pid in the containers.", + "allowHostIPC": "allowHostIPC determines if the policy allows host ipc in the containers.", + "userNamespaceLevel": "userNamespaceLevel determines if the policy allows host users in containers. Valid values are \"AllowHostLevel\", \"RequirePodLevel\", and omitted. When \"AllowHostLevel\" is set, a pod author may set `hostUsers` to either `true` or `false`. When \"RequirePodLevel\" is set, a pod author must set `hostUsers` to `false`. When omitted, the default value is \"AllowHostLevel\".", + "defaultAllowPrivilegeEscalation": "defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.", + "allowPrivilegeEscalation": "allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.", + "seLinuxContext": "seLinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.", + "runAsUser": "runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.", + "supplementalGroups": "supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.", + "fsGroup": "fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.", + "readOnlyRootFilesystem": "readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.", + "users": "The users who have permissions to use this security context constraints", + "groups": "The groups that have permission to use this security context constraints", + "seccompProfiles": "seccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default.", + "allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.", +} + +func (SecurityContextConstraints) SwaggerDoc() map[string]string { + return map_SecurityContextConstraints +} + +var map_SecurityContextConstraintsList = map[string]string{ + "": "SecurityContextConstraintsList is a list of SecurityContextConstraints objects\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "List of security context constraints.", +} + +func (SecurityContextConstraintsList) SwaggerDoc() map[string]string { + return map_SecurityContextConstraintsList +} + +var map_ServiceAccountPodSecurityPolicyReviewStatus = map[string]string{ + "": "ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status", + "name": "name contains the allowed and the denied ServiceAccount name", +} + +func (ServiceAccountPodSecurityPolicyReviewStatus) SwaggerDoc() map[string]string { + return map_ServiceAccountPodSecurityPolicyReviewStatus +} + +var map_SupplementalGroupsStrategyOptions = map[string]string{ + "": "SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.", + "type": "type is the strategy that will dictate what supplemental groups is used in the SecurityContext.", + "ranges": "ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end.", +} + +func (SupplementalGroupsStrategyOptions) SwaggerDoc() map[string]string { + return map_SupplementalGroupsStrategyOptions +} + +// AUTO-GENERATED FUNCTIONS END HERE diff --git a/vendor/modules.txt b/vendor/modules.txt index 2f675c33..7ed8232d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -82,6 +82,7 @@ github.com/munnerz/goautoneg # github.com/openshift/api v0.0.0-20250320115527-3aa9dd5b9002 ## explicit; go 1.23.0 github.com/openshift/api/config/v1 +github.com/openshift/api/security/v1 # github.com/openshift/machine-config-operator v0.0.1-0.20250401081735-9026ff2d802e => github.com/openshift/machine-config-operator v0.0.1-0.20200913004441-7eba765c69c9 ## explicit; go 1.13 github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io