diff --git a/deps.diff b/deps.diff new file mode 100644 index 000000000..2644b62e4 --- /dev/null +++ b/deps.diff @@ -0,0 +1,997 @@ +diff --no-dereference -N -r current/vendor/github.com/openshift/api/security/v1/generated.pb.go updated/vendor/github.com/openshift/api/security/v1/generated.pb.go +398,453d397 +< func (m *RunAsGroupIDRange) Reset() { *m = RunAsGroupIDRange{} } +< func (*RunAsGroupIDRange) ProtoMessage() {} +< func (*RunAsGroupIDRange) Descriptor() ([]byte, []int) { +< return fileDescriptor_af65d9655aa67551, []int{13} +< } +< func (m *RunAsGroupIDRange) XXX_Unmarshal(b []byte) error { +< return m.Unmarshal(b) +< } +< func (m *RunAsGroupIDRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { +< b = b[:cap(b)] +< n, err := m.MarshalToSizedBuffer(b) +< if err != nil { +< return nil, err +< } +< return b[:n], nil +< } +< func (m *RunAsGroupIDRange) XXX_Merge(src proto.Message) { +< xxx_messageInfo_RunAsGroupIDRange.Merge(m, src) +< } +< func (m *RunAsGroupIDRange) XXX_Size() int { +< return m.Size() +< } +< func (m *RunAsGroupIDRange) XXX_DiscardUnknown() { +< xxx_messageInfo_RunAsGroupIDRange.DiscardUnknown(m) +< } +< +< var xxx_messageInfo_RunAsGroupIDRange proto.InternalMessageInfo +< +< func (m *RunAsGroupStrategyOptions) Reset() { *m = RunAsGroupStrategyOptions{} } +< func (*RunAsGroupStrategyOptions) ProtoMessage() {} +< func (*RunAsGroupStrategyOptions) Descriptor() ([]byte, []int) { +< return fileDescriptor_af65d9655aa67551, []int{14} +< } +< func (m *RunAsGroupStrategyOptions) XXX_Unmarshal(b []byte) error { +< return m.Unmarshal(b) +< } +< func (m *RunAsGroupStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { +< b = b[:cap(b)] +< n, err := m.MarshalToSizedBuffer(b) +< if err != nil { +< return nil, err +< } +< return b[:n], nil +< } +< func (m *RunAsGroupStrategyOptions) XXX_Merge(src proto.Message) { +< xxx_messageInfo_RunAsGroupStrategyOptions.Merge(m, src) +< } +< func (m *RunAsGroupStrategyOptions) XXX_Size() int { +< return m.Size() +< } +< func (m *RunAsGroupStrategyOptions) XXX_DiscardUnknown() { +< xxx_messageInfo_RunAsGroupStrategyOptions.DiscardUnknown(m) +< } +< +< var xxx_messageInfo_RunAsGroupStrategyOptions proto.InternalMessageInfo +< +457c401 +< return fileDescriptor_af65d9655aa67551, []int{15} +--- +> return fileDescriptor_af65d9655aa67551, []int{13} +485c429 +< return fileDescriptor_af65d9655aa67551, []int{16} +--- +> return fileDescriptor_af65d9655aa67551, []int{14} +513c457 +< return fileDescriptor_af65d9655aa67551, []int{17} +--- +> return fileDescriptor_af65d9655aa67551, []int{15} +541c485 +< return fileDescriptor_af65d9655aa67551, []int{18} +--- +> return fileDescriptor_af65d9655aa67551, []int{16} +571c515 +< return fileDescriptor_af65d9655aa67551, []int{19} +--- +> return fileDescriptor_af65d9655aa67551, []int{17} +599c543 +< return fileDescriptor_af65d9655aa67551, []int{20} +--- +> return fileDescriptor_af65d9655aa67551, []int{18} +638,639d581 +< proto.RegisterType((*RunAsGroupIDRange)(nil), "github.com.openshift.api.security.v1.RunAsGroupIDRange") +< proto.RegisterType((*RunAsGroupStrategyOptions)(nil), "github.com.openshift.api.security.v1.RunAsGroupStrategyOptions") +653c595 +< // 1909 bytes of a gzipped FileDescriptorProto +--- +> // 1803 bytes of a gzipped FileDescriptorProto +655,773c597,708 +< 0x15, 0xd7, 0x8a, 0xfa, 0xe2, 0x93, 0x2c, 0xc9, 0x23, 0x59, 0x5e, 0x29, 0x31, 0xa9, 0xae, 0x5d, +< 0xc3, 0x68, 0x1b, 0x32, 0x36, 0xd2, 0xc6, 0x6d, 0x1a, 0x37, 0x5c, 0x31, 0x52, 0x14, 0xc8, 0x31, +< 0x33, 0x8c, 0x82, 0x22, 0x08, 0xda, 0x8c, 0x96, 0x43, 0x7a, 0xad, 0xe5, 0xee, 0x76, 0x67, 0x56, +< 0x16, 0xd1, 0x4b, 0x81, 0xfe, 0x03, 0x05, 0x7a, 0xef, 0xb9, 0xfd, 0x07, 0x0a, 0x14, 0x45, 0xdb, +< 0xab, 0x81, 0xb6, 0x68, 0x4e, 0x45, 0x4e, 0x44, 0xcd, 0xa2, 0x97, 0x5e, 0x73, 0xf3, 0xa9, 0x98, +< 0xe1, 0x90, 0xdc, 0x5d, 0xee, 0xca, 0x54, 0x6a, 0x0b, 0xb9, 0x71, 0xdf, 0xc7, 0xef, 0x7d, 0xcd, +< 0xbc, 0x79, 0x33, 0x84, 0x37, 0x5a, 0x36, 0x7f, 0x18, 0x1e, 0x95, 0x2c, 0xaf, 0x5d, 0xf6, 0x7c, +< 0xea, 0xb2, 0x87, 0x76, 0x93, 0x97, 0x89, 0x6f, 0x97, 0x19, 0xb5, 0xc2, 0xc0, 0xe6, 0x9d, 0xf2, +< 0xc9, 0xed, 0x72, 0x8b, 0xba, 0x34, 0x20, 0x9c, 0x36, 0x4a, 0x7e, 0xe0, 0x71, 0x0f, 0xdd, 0x18, +< 0x69, 0x95, 0x86, 0x5a, 0x25, 0xe2, 0xdb, 0xa5, 0x81, 0x56, 0xe9, 0xe4, 0xf6, 0xd6, 0x6b, 0x11, +< 0xec, 0x96, 0xd7, 0xf2, 0xca, 0x52, 0xf9, 0x28, 0x6c, 0xca, 0x2f, 0xf9, 0x21, 0x7f, 0xf5, 0x41, +< 0xb7, 0x8c, 0xe3, 0xbb, 0xac, 0x64, 0x7b, 0xd2, 0xb8, 0xe5, 0x05, 0x34, 0xc5, 0xf0, 0xd6, 0x1b, +< 0x23, 0x99, 0x36, 0xb1, 0x1e, 0xda, 0x2e, 0x0d, 0x3a, 0x65, 0xff, 0xb8, 0x25, 0x08, 0xac, 0xdc, +< 0xa6, 0x9c, 0xa4, 0x69, 0x7d, 0x2f, 0x4b, 0x2b, 0x08, 0x5d, 0x6e, 0xb7, 0x69, 0x99, 0x59, 0x0f, +< 0x69, 0x9b, 0x24, 0xf5, 0x8c, 0xb7, 0xe0, 0x72, 0xc5, 0x71, 0xbc, 0xc7, 0xb4, 0xb1, 0xeb, 0xd0, +< 0xd3, 0x8f, 0x3d, 0x27, 0x6c, 0x53, 0x74, 0x13, 0xe6, 0x1a, 0x81, 0x7d, 0x42, 0x03, 0x5d, 0xdb, +< 0xd6, 0x6e, 0xe5, 0xcd, 0xe5, 0x27, 0xdd, 0xe2, 0x54, 0xaf, 0x5b, 0x9c, 0xab, 0x4a, 0x2a, 0x56, +< 0x5c, 0xe3, 0xb7, 0x1a, 0x6c, 0xec, 0xd6, 0xf7, 0x02, 0x2f, 0xf4, 0xeb, 0x5c, 0xa0, 0xb6, 0x3a, +< 0x0f, 0x7c, 0x6e, 0x7b, 0x2e, 0x43, 0x6f, 0xc2, 0x0c, 0xef, 0xf8, 0x54, 0x01, 0x5c, 0x57, 0x00, +< 0x33, 0x1f, 0x75, 0x7c, 0xfa, 0xac, 0x5b, 0x5c, 0x4b, 0x68, 0x09, 0x32, 0x96, 0x0a, 0xe8, 0x10, +< 0xe6, 0x02, 0xe2, 0xb6, 0x28, 0xd3, 0xa7, 0xb7, 0x73, 0xb7, 0x16, 0xef, 0xbc, 0x56, 0x9a, 0xa4, +< 0x10, 0xa5, 0xfd, 0x2a, 0x16, 0x5a, 0x23, 0x57, 0xe5, 0x27, 0xc3, 0x0a, 0xcc, 0xd8, 0x83, 0x79, +< 0x25, 0x82, 0xae, 0x41, 0xae, 0x6d, 0xbb, 0xd2, 0xb3, 0x9c, 0xb9, 0xa8, 0xe4, 0x73, 0xf7, 0x6d, +< 0x17, 0x0b, 0xba, 0x64, 0x93, 0x53, 0x7d, 0x3a, 0xc1, 0x26, 0xa7, 0x58, 0xd0, 0x8d, 0xbf, 0x4f, +< 0xc3, 0xd5, 0x9a, 0xd7, 0xa8, 0x2b, 0xdb, 0x35, 0xcf, 0xb1, 0xad, 0x0e, 0xa6, 0x27, 0x36, 0x7d, +< 0x8c, 0x3e, 0x83, 0x05, 0x51, 0x9f, 0x06, 0xe1, 0x44, 0xcf, 0x6d, 0x6b, 0xb7, 0x16, 0xef, 0xbc, +< 0x5e, 0xea, 0xd7, 0xa5, 0x14, 0xad, 0x4b, 0xc9, 0x3f, 0x6e, 0x09, 0x02, 0x2b, 0x09, 0x69, 0xe1, +< 0xfd, 0x83, 0xa3, 0x47, 0xd4, 0xe2, 0xf7, 0x29, 0x27, 0x26, 0x52, 0x16, 0x61, 0x44, 0xc3, 0x43, +< 0x54, 0x64, 0xc1, 0x0c, 0xf3, 0xa9, 0x25, 0x9d, 0x5f, 0xbc, 0x53, 0x99, 0x2c, 0x37, 0x19, 0xee, +< 0xd6, 0x7d, 0x6a, 0x99, 0x4b, 0x83, 0xca, 0x88, 0x2f, 0x2c, 0xc1, 0xd1, 0x31, 0xcc, 0x31, 0x4e, +< 0x78, 0xc8, 0x64, 0x12, 0x16, 0xef, 0xec, 0xfc, 0x7f, 0x66, 0x24, 0xd4, 0xa8, 0x30, 0xfd, 0x6f, +< 0xac, 0x4c, 0x18, 0x7f, 0xd4, 0xe0, 0x95, 0x33, 0x1c, 0x44, 0x1f, 0xc2, 0x02, 0xa7, 0x6d, 0xdf, +< 0x21, 0x9c, 0xaa, 0xa8, 0xaf, 0x47, 0x72, 0x5a, 0x12, 0xbb, 0x48, 0x19, 0xff, 0x48, 0x89, 0xc9, +< 0xb8, 0x56, 0x95, 0xb9, 0x85, 0x01, 0x15, 0x0f, 0x61, 0xd0, 0x3e, 0xac, 0x31, 0x1a, 0x9c, 0xd8, +< 0x16, 0xad, 0x58, 0x96, 0x17, 0xba, 0xfc, 0x03, 0xd2, 0x56, 0xeb, 0x2d, 0x6f, 0x5e, 0xed, 0x75, +< 0x8b, 0x6b, 0xf5, 0x71, 0x36, 0x4e, 0xd3, 0x31, 0xfe, 0xaa, 0xc1, 0xb5, 0x33, 0xe3, 0x46, 0xbf, +< 0xd3, 0x60, 0x83, 0xf4, 0x77, 0x58, 0x1c, 0x95, 0xe9, 0x9a, 0x5c, 0xe0, 0x1f, 0x4e, 0x96, 0xdd, +< 0xb8, 0xf2, 0xd9, 0xb9, 0x2e, 0xa8, 0xe0, 0x37, 0x2a, 0xa9, 0x86, 0x71, 0x86, 0x43, 0xc6, 0x7f, +< 0xa7, 0xc1, 0x18, 0x43, 0xae, 0x53, 0xa7, 0x59, 0x0f, 0xe5, 0x62, 0xbc, 0xb0, 0x65, 0xee, 0xc6, +< 0x96, 0xf9, 0xc1, 0x57, 0x5c, 0x7f, 0x63, 0x9e, 0x67, 0xae, 0xf8, 0x20, 0xb1, 0xe2, 0xdf, 0xff, +< 0xaa, 0x16, 0x63, 0xd6, 0xce, 0x5e, 0xf8, 0x3f, 0x87, 0x9b, 0x93, 0x79, 0xfc, 0x12, 0xb6, 0x80, +< 0xd1, 0x9b, 0x86, 0xc2, 0xd9, 0xde, 0x5f, 0x40, 0x95, 0x1f, 0xc5, 0xaa, 0xfc, 0xde, 0x0b, 0xc9, +< 0xf9, 0xd7, 0xa9, 0xc2, 0x7f, 0xd2, 0xd2, 0xb6, 0xd3, 0x05, 0x94, 0x17, 0x6d, 0xc3, 0x4c, 0xc8, +< 0x68, 0x20, 0x63, 0xcd, 0x8f, 0xf2, 0x71, 0xc8, 0x68, 0x80, 0x25, 0x07, 0x19, 0x30, 0xd7, 0x12, +< 0x27, 0x30, 0xd3, 0x73, 0xb2, 0xed, 0x81, 0xf0, 0x5f, 0x9e, 0xc9, 0x0c, 0x2b, 0x8e, 0xf1, 0xa5, +< 0x06, 0x37, 0x26, 0x49, 0x00, 0xaa, 0x41, 0x5e, 0x75, 0x14, 0xb3, 0x73, 0x56, 0x08, 0x0f, 0x94, +< 0x6a, 0x93, 0x06, 0xd4, 0xb5, 0xa8, 0x79, 0xa9, 0xd7, 0x2d, 0xe6, 0x2b, 0x03, 0x4d, 0x3c, 0x02, +< 0x11, 0x13, 0x48, 0x40, 0x09, 0xf3, 0x5c, 0x15, 0xc2, 0xe8, 0x58, 0x97, 0x54, 0xac, 0xb8, 0xb1, +< 0xdc, 0xe5, 0x5e, 0xcc, 0xd6, 0xf8, 0xbd, 0x06, 0x2b, 0x72, 0x50, 0x10, 0x8e, 0x59, 0x44, 0x8c, +< 0x33, 0xb1, 0xbd, 0xa0, 0xbd, 0x94, 0xbd, 0x70, 0x1d, 0x66, 0xe5, 0xa4, 0xa2, 0xe2, 0xbd, 0xa4, +< 0x84, 0x67, 0xa5, 0x27, 0xb8, 0xcf, 0x43, 0xaf, 0xc2, 0xcc, 0x70, 0x3b, 0x2e, 0x99, 0x0b, 0xa2, +< 0xa4, 0x55, 0xc2, 0x09, 0x96, 0x54, 0xe3, 0x1f, 0x1a, 0xac, 0x25, 0x1c, 0x3f, 0xb0, 0x19, 0x47, +< 0x9f, 0x8e, 0x39, 0x5f, 0x9a, 0xcc, 0x79, 0xa1, 0x2d, 0x5d, 0x1f, 0xa6, 0x6b, 0x40, 0x89, 0x38, +< 0xfe, 0x09, 0xcc, 0xda, 0x9c, 0xb6, 0x07, 0xe3, 0xda, 0x77, 0x27, 0xdb, 0x57, 0x09, 0x3f, 0x47, +< 0xf1, 0xee, 0x0b, 0x2c, 0xdc, 0x87, 0x34, 0xf6, 0xe1, 0x32, 0x0e, 0xdd, 0x0a, 0x93, 0xeb, 0x72, +< 0x30, 0xbe, 0x6d, 0x46, 0xc7, 0xb7, 0xf9, 0xd8, 0xe8, 0xb6, 0x19, 0x1d, 0xdd, 0xe6, 0x63, 0x63, +< 0xdb, 0x1f, 0xa6, 0x61, 0x73, 0x84, 0x95, 0x9c, 0x56, 0x7f, 0x10, 0x9b, 0x56, 0x6f, 0x26, 0xa6, +< 0xd5, 0x8d, 0x71, 0xc5, 0xc8, 0xc0, 0xba, 0x09, 0xb9, 0x96, 0xdd, 0x88, 0x1a, 0xdd, 0xdb, 0xaf, +< 0x62, 0x41, 0x43, 0xb7, 0x61, 0xb1, 0x65, 0x37, 0xa4, 0xdb, 0xf7, 0x6d, 0x57, 0x96, 0x2d, 0x67, +< 0xae, 0xf4, 0xba, 0xc5, 0xc5, 0x3d, 0x15, 0x8d, 0x70, 0x3d, 0x2a, 0x13, 0x53, 0x21, 0xa7, 0xfa, +< 0x4c, 0x8a, 0x0a, 0x39, 0xc5, 0x51, 0x19, 0xf4, 0xd3, 0xe1, 0xc4, 0x3c, 0x2b, 0x4b, 0xf0, 0xe6, +< 0x84, 0x25, 0x48, 0x66, 0x36, 0x73, 0x76, 0xfe, 0xa7, 0x06, 0xba, 0x94, 0x16, 0xfd, 0x23, 0x99, +< 0xba, 0xef, 0xc7, 0x52, 0xf7, 0xcd, 0x44, 0xea, 0xae, 0x8c, 0xe9, 0xc5, 0x33, 0x17, 0xc6, 0x33, +< 0x77, 0x28, 0x32, 0x17, 0xf6, 0x33, 0x17, 0xa6, 0x67, 0xee, 0x30, 0x9a, 0xb9, 0x30, 0x9e, 0xb9, +< 0x30, 0x3d, 0x73, 0x87, 0xd1, 0xcc, 0x45, 0x64, 0x8c, 0xbf, 0x68, 0x70, 0xad, 0xfe, 0xee, 0x81, +< 0xed, 0x86, 0xa7, 0x3b, 0x9e, 0xcb, 0xe9, 0x29, 0x4f, 0x46, 0x77, 0x2f, 0x16, 0xdd, 0xb7, 0x12, +< 0xd1, 0x6d, 0xa5, 0x2b, 0x47, 0x42, 0xfc, 0x09, 0x2c, 0x33, 0x2a, 0x65, 0x14, 0xa2, 0x3a, 0x7e, +< 0x8c, 0xb4, 0x2e, 0xa5, 0xd0, 0x94, 0xa4, 0x89, 0x7a, 0xdd, 0xe2, 0x72, 0x9c, 0x86, 0x13, 0x68, +< 0xc6, 0x97, 0x08, 0xb6, 0x06, 0xfd, 0x59, 0x79, 0xb1, 0xe3, 0xb9, 0x8c, 0x07, 0xc4, 0x76, 0x39, +< 0xbb, 0x80, 0xbe, 0x75, 0x0b, 0x16, 0xfc, 0xc0, 0xf6, 0x84, 0x7d, 0x19, 0xda, 0xac, 0xb9, 0x24, +< 0x1a, 0x45, 0x4d, 0xd1, 0xf0, 0x90, 0x8b, 0x3e, 0x05, 0x5d, 0xf6, 0xf7, 0x5a, 0x60, 0x9f, 0xd8, +< 0x0e, 0x6d, 0xd1, 0x86, 0x70, 0x98, 0x08, 0x07, 0x64, 0x7d, 0x17, 0xcc, 0x6d, 0x65, 0x49, 0xaf, +< 0x64, 0xc8, 0xe1, 0x4c, 0x04, 0xc4, 0x60, 0xa3, 0x41, 0x9b, 0x24, 0x74, 0x78, 0xa5, 0xd1, 0xd8, +< 0x21, 0x3e, 0x39, 0xb2, 0x1d, 0x9b, 0xdb, 0x94, 0xe9, 0x33, 0xf2, 0x7c, 0x7b, 0x4b, 0x8c, 0xc3, +< 0xd5, 0x54, 0x89, 0x67, 0xdd, 0xe2, 0xb5, 0xf1, 0x7b, 0x79, 0x69, 0x28, 0xd2, 0xc1, 0x19, 0xd0, +< 0xa8, 0x03, 0x7a, 0x40, 0x7f, 0x16, 0xda, 0x01, 0x6d, 0x54, 0x03, 0xcf, 0x8f, 0x99, 0x9d, 0x95, +< 0x66, 0xdf, 0x16, 0xe1, 0xe0, 0x0c, 0x99, 0xe7, 0x1b, 0xce, 0x84, 0x47, 0x8f, 0x60, 0x4d, 0x9d, +< 0x96, 0x31, 0xab, 0x73, 0xd2, 0xea, 0x5d, 0x71, 0x87, 0xa9, 0x8c, 0xb3, 0x9f, 0x6f, 0x30, 0x0d, +< 0x74, 0x58, 0xb9, 0xf7, 0x3c, 0xc6, 0xab, 0x76, 0xd0, 0x7f, 0x24, 0xa8, 0x39, 0x61, 0xcb, 0x76, +< 0xf5, 0xf9, 0x94, 0xca, 0xa5, 0xc8, 0xe1, 0x4c, 0x04, 0x54, 0x86, 0xf9, 0x13, 0xf9, 0xcd, 0xf4, +< 0x05, 0xe9, 0xfd, 0x95, 0x5e, 0xb7, 0x38, 0xdf, 0x17, 0x11, 0x1e, 0xcf, 0xed, 0xd6, 0xe5, 0x86, +< 0x1a, 0x48, 0xa1, 0x5f, 0x6a, 0x80, 0x48, 0xf2, 0xcd, 0x82, 0xe9, 0x57, 0xce, 0xd3, 0xfc, 0xc6, +< 0xde, 0x3c, 0xcc, 0x2d, 0x15, 0x02, 0x1a, 0x63, 0x31, 0x9c, 0x62, 0x0e, 0x55, 0x61, 0x75, 0x18, +< 0xd2, 0x07, 0x94, 0x3f, 0xf6, 0x82, 0x63, 0x3d, 0x2f, 0x93, 0xa1, 0x2b, 0xa4, 0xd5, 0x4a, 0x82, +< 0x8f, 0xc7, 0x34, 0xd0, 0x3d, 0x58, 0x1e, 0xd2, 0x6a, 0x5e, 0xc0, 0x99, 0x0e, 0x12, 0x63, 0x43, +< 0x61, 0x2c, 0x57, 0x62, 0x5c, 0x9c, 0x90, 0x46, 0x77, 0x61, 0x69, 0x44, 0xd9, 0xaf, 0xea, 0x8b, +< 0x52, 0x7b, 0x5d, 0x69, 0x2f, 0x55, 0x22, 0x3c, 0x1c, 0x93, 0x8c, 0x69, 0xee, 0xd7, 0x76, 0xf4, +< 0xa5, 0x0c, 0xcd, 0xfd, 0xda, 0x0e, 0x8e, 0x49, 0xa2, 0xcf, 0x00, 0x89, 0x11, 0x52, 0x5e, 0x80, +< 0x7d, 0x62, 0xd1, 0x03, 0x7a, 0x42, 0x1d, 0x7d, 0x4b, 0x76, 0xc8, 0xd7, 0x07, 0x59, 0x3c, 0x1c, +< 0x93, 0x78, 0xd6, 0x2d, 0xa2, 0x38, 0x45, 0x96, 0x35, 0x05, 0x0b, 0xb5, 0xa1, 0x38, 0xd8, 0x71, +< 0xb1, 0xfd, 0xfe, 0x2e, 0xb3, 0x88, 0x23, 0x07, 0x06, 0x7d, 0x43, 0xba, 0x7b, 0xbd, 0xd7, 0x2d, +< 0x16, 0xab, 0x67, 0x8b, 0xe2, 0xe7, 0x61, 0xa1, 0x1f, 0x27, 0x3b, 0x53, 0xc4, 0xce, 0x55, 0x69, +< 0xe7, 0xd5, 0xf1, 0xae, 0x14, 0x31, 0x90, 0xa9, 0x2d, 0x96, 0xea, 0xa0, 0x63, 0xab, 0xee, 0xac, +< 0x5f, 0x3a, 0xcf, 0x93, 0xca, 0x99, 0x87, 0xd3, 0x68, 0x91, 0xc4, 0xc5, 0x70, 0xc2, 0x24, 0xf2, +< 0x20, 0x1f, 0x0c, 0x8e, 0x61, 0x7d, 0x59, 0xda, 0xbf, 0x77, 0x8e, 0x19, 0x21, 0xe5, 0xd4, 0x37, +< 0x2f, 0x2b, 0xd3, 0xf9, 0xa1, 0x04, 0x1e, 0xd9, 0x40, 0xbf, 0xd6, 0x00, 0xb1, 0xd0, 0xf7, 0x1d, +< 0xda, 0xa6, 0x2e, 0x27, 0x4e, 0xff, 0x5e, 0xa1, 0xaf, 0x48, 0xd3, 0x7b, 0x13, 0x86, 0x3e, 0xa6, +< 0x9f, 0xf4, 0x61, 0xb8, 0x63, 0xc7, 0x45, 0x71, 0x8a, 0x79, 0xd4, 0x82, 0xf9, 0x66, 0x7f, 0xe0, +< 0xd1, 0x57, 0xa5, 0x27, 0x3f, 0x9c, 0xcc, 0x93, 0xf4, 0x17, 0x4e, 0x73, 0x45, 0x99, 0x9f, 0x57, +< 0x7c, 0x3c, 0x40, 0x47, 0x0c, 0x20, 0x18, 0x0e, 0x57, 0xfa, 0x2b, 0xd2, 0xd6, 0x8f, 0xce, 0x3b, +< 0x94, 0x25, 0xcd, 0x0d, 0x8f, 0xe1, 0x91, 0x08, 0x8e, 0x98, 0x41, 0x1f, 0xc3, 0x46, 0x40, 0x49, +< 0xe3, 0x81, 0xeb, 0x74, 0xb0, 0xe7, 0xf1, 0x5d, 0xdb, 0xa1, 0xac, 0xc3, 0x38, 0x6d, 0xeb, 0x97, +< 0xe5, 0x12, 0x1e, 0xbe, 0x09, 0xe1, 0x54, 0x29, 0x9c, 0xa1, 0x8d, 0x8a, 0x30, 0x2b, 0x76, 0x28, +< 0xd3, 0x91, 0x6c, 0xce, 0x79, 0x31, 0xa4, 0x8b, 0x22, 0x33, 0xdc, 0xa7, 0x47, 0x6e, 0x92, 0x6b, +< 0x59, 0x37, 0x49, 0xf4, 0x36, 0xac, 0x30, 0x6a, 0x59, 0x5e, 0xdb, 0xaf, 0x05, 0x5e, 0x53, 0x80, +< 0xeb, 0xeb, 0x52, 0x78, 0xad, 0xd7, 0x2d, 0xae, 0xd4, 0xe3, 0x2c, 0x9c, 0x94, 0x45, 0x07, 0xb0, +< 0xae, 0x3a, 0xf0, 0xa1, 0xcb, 0x48, 0x93, 0xd6, 0x3b, 0xcc, 0xe2, 0x0e, 0xd3, 0x75, 0x89, 0xa1, +< 0xf7, 0xba, 0xc5, 0xf5, 0x4a, 0x0a, 0x1f, 0xa7, 0x6a, 0xa1, 0x77, 0x60, 0xb5, 0xe9, 0x05, 0x47, +< 0x76, 0xa3, 0x41, 0xdd, 0x01, 0xd2, 0xa6, 0x44, 0x5a, 0x17, 0x5d, 0x7b, 0x37, 0xc1, 0xc3, 0x63, +< 0xd2, 0xc6, 0x7f, 0x34, 0x28, 0x64, 0x4f, 0x5d, 0x17, 0x70, 0xe9, 0xa2, 0xf1, 0x4b, 0xd7, 0x3b, +< 0x93, 0x3e, 0x21, 0x66, 0xb9, 0x9c, 0x71, 0xff, 0xfa, 0xcd, 0x34, 0x7c, 0xfb, 0x1c, 0xef, 0x8e, +< 0xe8, 0x6f, 0x1a, 0xdc, 0xf0, 0x27, 0x78, 0x30, 0x50, 0x19, 0x79, 0x91, 0x6f, 0x30, 0xdf, 0x51, +< 0x01, 0x4c, 0xf4, 0x60, 0x81, 0x27, 0xf2, 0x12, 0x6d, 0xc3, 0x8c, 0x4b, 0xda, 0x34, 0xf9, 0x8a, +< 0x22, 0x0e, 0x2b, 0x2c, 0x39, 0xc6, 0x9f, 0x35, 0xf8, 0xc6, 0x73, 0x1b, 0x15, 0x32, 0x63, 0x97, +< 0x88, 0x52, 0xe2, 0x12, 0x51, 0xc8, 0x06, 0x78, 0xe9, 0x7f, 0x8b, 0x98, 0xef, 0x3f, 0x79, 0x5a, +< 0x98, 0xfa, 0xfc, 0x69, 0x61, 0xea, 0x8b, 0xa7, 0x85, 0xa9, 0x5f, 0xf4, 0x0a, 0xda, 0x93, 0x5e, +< 0x41, 0xfb, 0xbc, 0x57, 0xd0, 0xbe, 0xe8, 0x15, 0xb4, 0x7f, 0xf5, 0x0a, 0xda, 0xaf, 0xfe, 0x5d, +< 0x98, 0xfa, 0xe4, 0xc6, 0x24, 0xff, 0xa0, 0xfd, 0x2f, 0x00, 0x00, 0xff, 0xff, 0xd9, 0x2d, 0x41, +< 0x78, 0x68, 0x1b, 0x00, 0x00, +--- +> 0x15, 0xd7, 0x8a, 0xfa, 0xe2, 0x48, 0x96, 0xe4, 0x91, 0x2c, 0x4f, 0xd4, 0x98, 0x54, 0xd7, 0x6e, +> 0x60, 0xb4, 0xcd, 0x32, 0x36, 0xd2, 0xc6, 0x45, 0x1a, 0x23, 0x5c, 0x31, 0x72, 0x14, 0xc8, 0x31, +> 0x33, 0x8c, 0x82, 0x22, 0x08, 0x8a, 0x8c, 0x96, 0x43, 0x7a, 0xac, 0xe5, 0xee, 0x76, 0x67, 0x56, +> 0x16, 0xd1, 0x4b, 0x81, 0xfe, 0x03, 0x05, 0x7a, 0xef, 0xb9, 0xfd, 0x07, 0x7a, 0x29, 0xda, 0x5e, +> 0x0d, 0xb4, 0x45, 0x73, 0x2a, 0x72, 0x22, 0x6a, 0x16, 0xbd, 0xf4, 0xda, 0x9b, 0x0f, 0x45, 0x31, +> 0xc3, 0xe1, 0xc7, 0x2e, 0x77, 0xe9, 0x4d, 0x6a, 0x0b, 0xbd, 0x69, 0xdf, 0xc7, 0xef, 0xfd, 0xde, +> 0xcc, 0xbc, 0x37, 0x6f, 0x28, 0xf0, 0x66, 0x9b, 0x89, 0x87, 0xd1, 0x89, 0xe5, 0xf8, 0x9d, 0x8a, +> 0x1f, 0x50, 0x8f, 0x3f, 0x64, 0x2d, 0x51, 0x21, 0x01, 0xab, 0x70, 0xea, 0x44, 0x21, 0x13, 0xdd, +> 0xca, 0xd9, 0xad, 0x4a, 0x9b, 0x7a, 0x34, 0x24, 0x82, 0x36, 0xad, 0x20, 0xf4, 0x85, 0x0f, 0x6f, +> 0x8c, 0xbd, 0xac, 0x91, 0x97, 0x45, 0x02, 0x66, 0x0d, 0xbd, 0xac, 0xb3, 0x5b, 0xbb, 0xaf, 0x4f, +> 0x60, 0xb7, 0xfd, 0xb6, 0x5f, 0x51, 0xce, 0x27, 0x51, 0x4b, 0x7d, 0xa9, 0x0f, 0xf5, 0xd7, 0x00, +> 0x74, 0xd7, 0x3c, 0xbd, 0xc3, 0x2d, 0xe6, 0xab, 0xe0, 0x8e, 0x1f, 0xd2, 0x94, 0xc0, 0xbb, 0x6f, +> 0x8e, 0x6d, 0x3a, 0xc4, 0x79, 0xc8, 0x3c, 0x1a, 0x76, 0x2b, 0xc1, 0x69, 0x5b, 0x0a, 0x78, 0xa5, +> 0x43, 0x05, 0x49, 0xf3, 0xfa, 0x7e, 0x96, 0x57, 0x18, 0x79, 0x82, 0x75, 0x68, 0x85, 0x3b, 0x0f, +> 0x69, 0x87, 0x24, 0xfd, 0xcc, 0xb7, 0xc1, 0xe5, 0xaa, 0xeb, 0xfa, 0x8f, 0x69, 0xf3, 0xc0, 0xa5, +> 0xe7, 0x9f, 0xf8, 0x6e, 0xd4, 0xa1, 0xf0, 0x35, 0xb0, 0xd4, 0x0c, 0xd9, 0x19, 0x0d, 0x91, 0xb1, +> 0x67, 0xdc, 0x2c, 0xda, 0xeb, 0x4f, 0x7a, 0xe5, 0xb9, 0x7e, 0xaf, 0xbc, 0x54, 0x53, 0x52, 0xac, +> 0xb5, 0xe6, 0xaf, 0x0d, 0xb0, 0x73, 0xd0, 0xb8, 0x17, 0xfa, 0x51, 0xd0, 0x10, 0x12, 0xb5, 0xdd, +> 0x7d, 0x10, 0x08, 0xe6, 0x7b, 0x1c, 0xbe, 0x05, 0x16, 0x44, 0x37, 0xa0, 0x1a, 0xe0, 0xba, 0x06, +> 0x58, 0xf8, 0xb8, 0x1b, 0xd0, 0x67, 0xbd, 0xf2, 0x56, 0xc2, 0x4b, 0x8a, 0xb1, 0x72, 0x80, 0xc7, +> 0x60, 0x29, 0x24, 0x5e, 0x9b, 0x72, 0x34, 0xbf, 0x57, 0xb8, 0xb9, 0x7a, 0xfb, 0x75, 0x2b, 0xcf, +> 0x46, 0x58, 0x87, 0x35, 0x2c, 0xbd, 0xc6, 0x54, 0xd5, 0x27, 0xc7, 0x1a, 0xcc, 0xbc, 0x07, 0x96, +> 0xb5, 0x09, 0xbc, 0x06, 0x0a, 0x1d, 0xe6, 0x29, 0x66, 0x05, 0x7b, 0x55, 0xdb, 0x17, 0xee, 0x33, +> 0x0f, 0x4b, 0xb9, 0x52, 0x93, 0x73, 0x34, 0x9f, 0x50, 0x93, 0x73, 0x2c, 0xe5, 0xe6, 0x5f, 0xe6, +> 0xc1, 0xd5, 0xba, 0xdf, 0x6c, 0xe8, 0xd8, 0x75, 0xdf, 0x65, 0x4e, 0x17, 0xd3, 0x33, 0x46, 0x1f, +> 0xc3, 0xcf, 0xc1, 0x8a, 0xdc, 0x9f, 0x26, 0x11, 0x04, 0x15, 0xf6, 0x8c, 0x9b, 0xab, 0xb7, 0xdf, +> 0xb0, 0x06, 0xfb, 0x62, 0x4d, 0xee, 0x8b, 0x15, 0x9c, 0xb6, 0xa5, 0x80, 0x5b, 0xd2, 0x5a, 0xb2, +> 0x7f, 0x70, 0xf2, 0x88, 0x3a, 0xe2, 0x3e, 0x15, 0xc4, 0x86, 0x3a, 0x22, 0x18, 0xcb, 0xf0, 0x08, +> 0x15, 0x3a, 0x60, 0x81, 0x07, 0xd4, 0x51, 0xe4, 0x57, 0x6f, 0x57, 0xf3, 0xad, 0x4d, 0x06, 0xdd, +> 0x46, 0x40, 0x1d, 0x7b, 0x6d, 0xb8, 0x33, 0xf2, 0x0b, 0x2b, 0x70, 0x78, 0x0a, 0x96, 0xb8, 0x20, +> 0x22, 0xe2, 0x6a, 0x11, 0x56, 0x6f, 0xef, 0xff, 0x6f, 0x61, 0x14, 0xd4, 0x78, 0x63, 0x06, 0xdf, +> 0x58, 0x87, 0x30, 0x7f, 0x67, 0x80, 0x6f, 0xcc, 0x20, 0x08, 0x3f, 0x02, 0x2b, 0x82, 0x76, 0x02, +> 0x97, 0x08, 0xaa, 0xb3, 0xbe, 0x3e, 0xb1, 0xa6, 0x96, 0xac, 0x22, 0x1d, 0xfc, 0x63, 0x6d, 0xa6, +> 0xf2, 0xda, 0xd4, 0xe1, 0x56, 0x86, 0x52, 0x3c, 0x82, 0x81, 0x87, 0x60, 0x8b, 0xd3, 0xf0, 0x8c, +> 0x39, 0xb4, 0xea, 0x38, 0x7e, 0xe4, 0x89, 0x0f, 0x49, 0x47, 0x9f, 0xb7, 0xa2, 0x7d, 0xb5, 0xdf, +> 0x2b, 0x6f, 0x35, 0xa6, 0xd5, 0x38, 0xcd, 0xc7, 0xfc, 0x93, 0x01, 0xae, 0xcd, 0xcc, 0x1b, 0xfe, +> 0xc6, 0x00, 0x3b, 0x64, 0x50, 0x61, 0x71, 0x54, 0x8e, 0x0c, 0x75, 0xc0, 0x3f, 0xca, 0xb7, 0xba, +> 0x71, 0xe7, 0xd9, 0x6b, 0x5d, 0xd2, 0xc9, 0xef, 0x54, 0x53, 0x03, 0xe3, 0x0c, 0x42, 0xe6, 0xbf, +> 0xe6, 0x81, 0x39, 0x85, 0xdc, 0xa0, 0x6e, 0xab, 0x11, 0xa9, 0xc3, 0x78, 0x61, 0xc7, 0xdc, 0x8b, +> 0x1d, 0xf3, 0xa3, 0xaf, 0x79, 0xfe, 0xa6, 0x98, 0x67, 0x9e, 0xf8, 0x30, 0x71, 0xe2, 0x3f, 0xf8, +> 0xba, 0x11, 0x63, 0xd1, 0x66, 0x1f, 0xfc, 0x9f, 0x82, 0xd7, 0xf2, 0x31, 0x7e, 0x09, 0x25, 0x60, +> 0xf6, 0xe7, 0x41, 0x69, 0x36, 0xfb, 0x0b, 0xd8, 0xe5, 0x47, 0xb1, 0x5d, 0x7e, 0xff, 0x85, 0xac, +> 0xf9, 0xff, 0xd3, 0x0e, 0xff, 0xde, 0x48, 0x2b, 0xa7, 0x0b, 0xd8, 0x5e, 0xb8, 0x07, 0x16, 0x22, +> 0x4e, 0x43, 0x95, 0x6b, 0x71, 0xbc, 0x1e, 0xc7, 0x9c, 0x86, 0x58, 0x69, 0xa0, 0x09, 0x96, 0xda, +> 0xf2, 0x06, 0xe6, 0xa8, 0xa0, 0xda, 0x1e, 0x90, 0xfc, 0xd5, 0x9d, 0xcc, 0xb1, 0xd6, 0x98, 0xff, +> 0x36, 0xc0, 0x8d, 0x3c, 0x0b, 0x00, 0xeb, 0xa0, 0xa8, 0x3b, 0x8a, 0xdd, 0x9d, 0x95, 0xc2, 0x03, +> 0xed, 0xda, 0xa2, 0x21, 0xf5, 0x1c, 0x6a, 0x5f, 0xea, 0xf7, 0xca, 0xc5, 0xea, 0xd0, 0x13, 0x8f, +> 0x41, 0xe4, 0x04, 0x12, 0x52, 0xc2, 0x7d, 0x4f, 0xa7, 0x30, 0xbe, 0xd6, 0x95, 0x14, 0x6b, 0x6d, +> 0x6c, 0xed, 0x0a, 0x2f, 0xa6, 0x34, 0x7e, 0x6b, 0x80, 0x0d, 0x35, 0x28, 0x48, 0x62, 0x0e, 0x91, +> 0xe3, 0x4c, 0xac, 0x16, 0x8c, 0x97, 0x52, 0x0b, 0xd7, 0xc1, 0xa2, 0x9a, 0x54, 0x74, 0xbe, 0x97, +> 0xb4, 0xf1, 0xa2, 0x62, 0x82, 0x07, 0x3a, 0xf8, 0x2a, 0x58, 0x18, 0x95, 0xe3, 0x9a, 0xbd, 0x22, +> 0xb7, 0xb4, 0x46, 0x04, 0xc1, 0x4a, 0x6a, 0xfe, 0xd5, 0x00, 0x5b, 0x09, 0xe2, 0x47, 0x8c, 0x0b, +> 0xf8, 0xd9, 0x14, 0x79, 0x2b, 0x1f, 0x79, 0xe9, 0xad, 0xa8, 0x8f, 0x96, 0x6b, 0x28, 0x99, 0x20, +> 0xfe, 0x29, 0x58, 0x64, 0x82, 0x76, 0x86, 0xe3, 0xda, 0xf7, 0xf2, 0xd5, 0x55, 0x82, 0xe7, 0x38, +> 0xdf, 0x43, 0x89, 0x85, 0x07, 0x90, 0xe6, 0xdf, 0x0c, 0x80, 0x70, 0xe4, 0x55, 0xb9, 0x3c, 0xb8, +> 0xc9, 0x09, 0xf3, 0x07, 0xb1, 0x09, 0xf3, 0x5b, 0x89, 0x09, 0xf3, 0xca, 0x94, 0xdf, 0xc4, 0x8c, +> 0xf9, 0x0a, 0x28, 0x44, 0xac, 0xa9, 0x47, 0xbc, 0x65, 0x39, 0xde, 0x1d, 0x1f, 0xd6, 0xb0, 0x94, +> 0xc1, 0x5b, 0x60, 0x35, 0x62, 0x4d, 0x45, 0xef, 0x3e, 0xf3, 0xd4, 0x4a, 0x17, 0xec, 0x8d, 0x7e, +> 0xaf, 0xbc, 0x7a, 0xac, 0xe7, 0x47, 0x39, 0x28, 0x4e, 0xda, 0xc4, 0x5c, 0xc8, 0x39, 0x5a, 0x48, +> 0x71, 0x21, 0xe7, 0x78, 0xd2, 0xc6, 0xfc, 0xa3, 0x01, 0xae, 0x35, 0xde, 0x3b, 0x62, 0x5e, 0x74, +> 0xbe, 0xef, 0x7b, 0x82, 0x9e, 0x8b, 0x64, 0x76, 0x77, 0x63, 0xd9, 0x7d, 0x3b, 0x91, 0xdd, 0x6e, +> 0xba, 0xf3, 0x44, 0x8a, 0x3f, 0x06, 0xeb, 0x9c, 0x2a, 0x1b, 0x8d, 0xa8, 0xfb, 0x9e, 0x99, 0x56, +> 0x1e, 0x1a, 0x4d, 0x5b, 0xda, 0xb0, 0xdf, 0x2b, 0xaf, 0xc7, 0x65, 0x38, 0x81, 0x66, 0xfe, 0xe7, +> 0x32, 0xd8, 0x1d, 0x36, 0x06, 0xcd, 0x62, 0xdf, 0xf7, 0xb8, 0x08, 0x09, 0xf3, 0x04, 0xbf, 0x80, +> 0x82, 0xb9, 0x09, 0x56, 0x82, 0x90, 0xf9, 0x32, 0xbe, 0x4a, 0x6d, 0xd1, 0x5e, 0x93, 0x27, 0xb4, +> 0xae, 0x65, 0x78, 0xa4, 0x85, 0x9f, 0x01, 0xa4, 0x1a, 0x4b, 0x3d, 0x64, 0x67, 0xcc, 0xa5, 0x6d, +> 0xda, 0x94, 0x84, 0x89, 0x24, 0xa0, 0xf6, 0x77, 0xc5, 0xde, 0xd3, 0x91, 0x50, 0x35, 0xc3, 0x0e, +> 0x67, 0x22, 0x40, 0x0e, 0x76, 0x9a, 0xb4, 0x45, 0x22, 0x57, 0x54, 0x9b, 0xcd, 0x7d, 0x12, 0x90, +> 0x13, 0xe6, 0x32, 0xc1, 0x28, 0x47, 0x0b, 0xaa, 0xb1, 0xbe, 0x2d, 0xe7, 0xb0, 0x5a, 0xaa, 0xc5, +> 0xb3, 0x5e, 0xf9, 0xda, 0xf4, 0x83, 0xd0, 0x1a, 0x99, 0x74, 0x71, 0x06, 0x34, 0xec, 0x02, 0x14, +> 0xd2, 0x9f, 0x44, 0x2c, 0xa4, 0xcd, 0x5a, 0xe8, 0x07, 0xb1, 0xb0, 0x8b, 0x2a, 0xec, 0x3b, 0x32, +> 0x1d, 0x9c, 0x61, 0xf3, 0xfc, 0xc0, 0x99, 0xf0, 0xf0, 0x11, 0xd8, 0xd2, 0x6d, 0x3a, 0x16, 0x75, +> 0x49, 0x45, 0xbd, 0x23, 0x87, 0xe7, 0xea, 0xb4, 0xfa, 0xf9, 0x01, 0xd3, 0x40, 0x47, 0x3b, 0xf7, +> 0xbe, 0xcf, 0x45, 0x8d, 0x85, 0x83, 0xd7, 0x69, 0xdd, 0x8d, 0xda, 0xcc, 0x43, 0xcb, 0x29, 0x3b, +> 0x97, 0x62, 0x87, 0x33, 0x11, 0x60, 0x05, 0x2c, 0x9f, 0xa9, 0x6f, 0x8e, 0x56, 0x14, 0xfb, 0x2b, +> 0xfd, 0x5e, 0x79, 0x79, 0x60, 0x22, 0x19, 0x2f, 0x1d, 0x34, 0x54, 0x41, 0x0d, 0xad, 0xe0, 0xcf, +> 0x0d, 0x00, 0x49, 0xf2, 0xb1, 0xcc, 0xd1, 0x15, 0xd5, 0xf8, 0xde, 0xca, 0xd7, 0xf8, 0xa6, 0x1e, +> 0xdb, 0xf6, 0xae, 0x4e, 0x01, 0x4e, 0xa9, 0x38, 0x4e, 0x09, 0x07, 0x6b, 0x60, 0x73, 0x94, 0xd2, +> 0x87, 0x54, 0x3c, 0xf6, 0xc3, 0x53, 0x54, 0x54, 0x8b, 0x81, 0x34, 0xd2, 0x66, 0x35, 0xa1, 0xc7, +> 0x53, 0x1e, 0xf0, 0x2e, 0x58, 0x1f, 0xc9, 0xea, 0x7e, 0x28, 0x38, 0x02, 0x0a, 0x63, 0x47, 0x63, +> 0xac, 0x57, 0x63, 0x5a, 0x9c, 0xb0, 0x86, 0x77, 0xc0, 0xda, 0x58, 0x72, 0x58, 0x43, 0xab, 0xca, +> 0x7b, 0x5b, 0x7b, 0xaf, 0x55, 0x27, 0x74, 0x38, 0x66, 0x19, 0xf3, 0x3c, 0xac, 0xef, 0xa3, 0xb5, +> 0x0c, 0xcf, 0xc3, 0xfa, 0x3e, 0x8e, 0x59, 0xc2, 0xcf, 0x01, 0x94, 0xb3, 0x8b, 0x7a, 0x79, 0x05, +> 0xc4, 0xa1, 0x47, 0xf4, 0x8c, 0xba, 0x68, 0x57, 0x75, 0xc8, 0x37, 0x86, 0xab, 0x78, 0x3c, 0x65, +> 0xf1, 0xac, 0x57, 0x86, 0x71, 0x89, 0xda, 0xd6, 0x14, 0x2c, 0xd8, 0x01, 0xe5, 0x61, 0xc5, 0xc5, +> 0xea, 0xfd, 0x3d, 0xee, 0x10, 0x57, 0xdd, 0x54, 0x68, 0x47, 0xd1, 0xbd, 0xde, 0xef, 0x95, 0xcb, +> 0xb5, 0xd9, 0xa6, 0xf8, 0x79, 0x58, 0xf0, 0x47, 0xc9, 0xce, 0x34, 0x11, 0xe7, 0xaa, 0x8a, 0xf3, +> 0xea, 0x74, 0x57, 0x9a, 0x08, 0x90, 0xe9, 0x2d, 0x8f, 0xea, 0xb0, 0x63, 0xeb, 0xee, 0x8c, 0x2e, +> 0x7d, 0x95, 0xb7, 0xfc, 0xcc, 0xcb, 0x69, 0x7c, 0x48, 0xe2, 0x66, 0x38, 0x11, 0x12, 0xfa, 0xa0, +> 0x18, 0x0e, 0xaf, 0x61, 0xb4, 0xae, 0xe2, 0xdf, 0xcd, 0x39, 0x1f, 0x64, 0xdc, 0xfa, 0xf6, 0x65, +> 0x1d, 0xba, 0x38, 0xb2, 0xc0, 0xe3, 0x18, 0xf0, 0x97, 0x06, 0x80, 0x3c, 0x0a, 0x02, 0x97, 0x76, +> 0xa8, 0x27, 0x88, 0x3b, 0x18, 0x68, 0xd1, 0x86, 0x0a, 0x7d, 0x2f, 0x67, 0xea, 0x53, 0xfe, 0x49, +> 0x0e, 0xa3, 0x8a, 0x9d, 0x36, 0xc5, 0x29, 0xe1, 0x61, 0x1b, 0x2c, 0xb7, 0xb8, 0xfa, 0x1b, 0x6d, +> 0x2a, 0x26, 0x3f, 0xcc, 0xc7, 0x24, 0xfd, 0xa7, 0x35, 0x7b, 0x43, 0x87, 0x5f, 0xd6, 0x7a, 0x3c, +> 0x44, 0x87, 0x9f, 0x80, 0x9d, 0x90, 0x92, 0xe6, 0x03, 0xcf, 0xed, 0x62, 0xdf, 0x17, 0x07, 0xcc, +> 0xa5, 0xbc, 0xcb, 0x05, 0xed, 0xa0, 0xcb, 0xea, 0x34, 0x8d, 0x7e, 0x17, 0xc0, 0xa9, 0x56, 0x38, +> 0xc3, 0x1b, 0x96, 0xc1, 0xa2, 0x2c, 0x16, 0x8e, 0xa0, 0xea, 0x93, 0x45, 0x39, 0xa8, 0xc9, 0xf5, +> 0xe6, 0x78, 0x20, 0x9f, 0x78, 0x4d, 0x6c, 0x65, 0xbd, 0x26, 0xe0, 0x3b, 0x60, 0x83, 0x53, 0xc7, +> 0xf1, 0x3b, 0x41, 0x3d, 0xf4, 0x5b, 0x12, 0x1c, 0x6d, 0x2b, 0xe3, 0xad, 0x7e, 0xaf, 0xbc, 0xd1, +> 0x88, 0xab, 0x70, 0xd2, 0x16, 0x1e, 0x81, 0x6d, 0xdd, 0x0c, 0x8f, 0x3d, 0x4e, 0x5a, 0xb4, 0xd1, +> 0xe5, 0x8e, 0x70, 0x39, 0x42, 0x0a, 0x03, 0xf5, 0x7b, 0xe5, 0xed, 0x6a, 0x8a, 0x1e, 0xa7, 0x7a, +> 0xc1, 0x77, 0xc1, 0x66, 0xcb, 0x0f, 0x4f, 0x58, 0xb3, 0x49, 0xbd, 0x21, 0xd2, 0x2b, 0x0a, 0x69, +> 0x5b, 0x36, 0xd0, 0x83, 0x84, 0x0e, 0x4f, 0x59, 0x9b, 0xff, 0x34, 0x40, 0x29, 0x7b, 0x00, 0xba, +> 0x80, 0xc1, 0x9b, 0xc6, 0x07, 0xef, 0x77, 0xf3, 0xfe, 0x8c, 0x94, 0x45, 0x39, 0x63, 0x06, 0xff, +> 0xd5, 0x3c, 0xf8, 0xce, 0x57, 0xf8, 0xed, 0x09, 0xfe, 0xd9, 0x00, 0x37, 0x82, 0x1c, 0x8f, 0x46, +> 0xbd, 0x22, 0x2f, 0xf2, 0x1d, 0xfe, 0x5d, 0x9d, 0x40, 0xae, 0x47, 0x2b, 0xce, 0xc5, 0x52, 0xbe, +> 0xa4, 0x3d, 0xd2, 0xa1, 0xc9, 0x97, 0xb4, 0xbc, 0x37, 0xb0, 0xd2, 0x98, 0x7f, 0x30, 0xc0, 0x37, +> 0x9f, 0xdb, 0x33, 0xa0, 0x1d, 0x9b, 0xe7, 0xad, 0xc4, 0x3c, 0x5f, 0xca, 0x06, 0x78, 0xe9, 0x3f, +> 0x8d, 0xdb, 0x1f, 0x3c, 0x79, 0x5a, 0x9a, 0xfb, 0xe2, 0x69, 0x69, 0xee, 0xcb, 0xa7, 0xa5, 0xb9, +> 0x9f, 0xf5, 0x4b, 0xc6, 0x93, 0x7e, 0xc9, 0xf8, 0xa2, 0x5f, 0x32, 0xbe, 0xec, 0x97, 0x8c, 0xbf, +> 0xf7, 0x4b, 0xc6, 0x2f, 0xfe, 0x51, 0x9a, 0xfb, 0xf4, 0x46, 0x9e, 0xff, 0xa2, 0xfc, 0x37, 0x00, +> 0x00, 0xff, 0xff, 0xb7, 0xb2, 0xaf, 0x36, 0x6c, 0x19, 0x00, 0x00, +1335,1424d1269 +< func (m *RunAsGroupIDRange) Marshal() (dAtA []byte, err error) { +< size := m.Size() +< dAtA = make([]byte, size) +< n, err := m.MarshalToSizedBuffer(dAtA[:size]) +< if err != nil { +< return nil, err +< } +< return dAtA[:n], nil +< } +< +< func (m *RunAsGroupIDRange) MarshalTo(dAtA []byte) (int, error) { +< size := m.Size() +< return m.MarshalToSizedBuffer(dAtA[:size]) +< } +< +< func (m *RunAsGroupIDRange) MarshalToSizedBuffer(dAtA []byte) (int, error) { +< i := len(dAtA) +< _ = i +< var l int +< _ = l +< if m.Max != nil { +< i = encodeVarintGenerated(dAtA, i, uint64(*m.Max)) +< i-- +< dAtA[i] = 0x10 +< } +< if m.Min != nil { +< i = encodeVarintGenerated(dAtA, i, uint64(*m.Min)) +< i-- +< dAtA[i] = 0x8 +< } +< return len(dAtA) - i, nil +< } +< +< func (m *RunAsGroupStrategyOptions) Marshal() (dAtA []byte, err error) { +< size := m.Size() +< dAtA = make([]byte, size) +< n, err := m.MarshalToSizedBuffer(dAtA[:size]) +< if err != nil { +< return nil, err +< } +< return dAtA[:n], nil +< } +< +< func (m *RunAsGroupStrategyOptions) MarshalTo(dAtA []byte) (int, error) { +< size := m.Size() +< return m.MarshalToSizedBuffer(dAtA[:size]) +< } +< +< func (m *RunAsGroupStrategyOptions) MarshalToSizedBuffer(dAtA []byte) (int, error) { +< i := len(dAtA) +< _ = i +< var l int +< _ = l +< if len(m.Ranges) > 0 { +< for iNdEx := len(m.Ranges) - 1; iNdEx >= 0; iNdEx-- { +< { +< size, err := m.Ranges[iNdEx].MarshalToSizedBuffer(dAtA[:i]) +< if err != nil { +< return 0, err +< } +< i -= size +< i = encodeVarintGenerated(dAtA, i, uint64(size)) +< } +< i-- +< dAtA[i] = 0x2a +< } +< } +< if m.GIDRangeMax != nil { +< i = encodeVarintGenerated(dAtA, i, uint64(*m.GIDRangeMax)) +< i-- +< dAtA[i] = 0x20 +< } +< if m.GIDRangeMin != nil { +< i = encodeVarintGenerated(dAtA, i, uint64(*m.GIDRangeMin)) +< i-- +< dAtA[i] = 0x18 +< } +< if m.GID != nil { +< i = encodeVarintGenerated(dAtA, i, uint64(*m.GID)) +< i-- +< dAtA[i] = 0x10 +< } +< i -= len(m.Type) +< copy(dAtA[i:], m.Type) +< i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type))) +< i-- +< dAtA[i] = 0xa +< return len(dAtA) - i, nil +< } +< +1528,1539d1372 +< { +< size, err := m.RunAsGroup.MarshalToSizedBuffer(dAtA[:i]) +< if err != nil { +< return 0, err +< } +< i -= size +< i = encodeVarintGenerated(dAtA, i, uint64(size)) +< } +< i-- +< dAtA[i] = 0x1 +< i-- +< dAtA[i] = 0xda +2131,2171d1963 +< func (m *RunAsGroupIDRange) Size() (n int) { +< if m == nil { +< return 0 +< } +< var l int +< _ = l +< if m.Min != nil { +< n += 1 + sovGenerated(uint64(*m.Min)) +< } +< if m.Max != nil { +< n += 1 + sovGenerated(uint64(*m.Max)) +< } +< return n +< } +< +< func (m *RunAsGroupStrategyOptions) Size() (n int) { +< if m == nil { +< return 0 +< } +< var l int +< _ = l +< l = len(m.Type) +< n += 1 + l + sovGenerated(uint64(l)) +< if m.GID != nil { +< n += 1 + sovGenerated(uint64(*m.GID)) +< } +< if m.GIDRangeMin != nil { +< n += 1 + sovGenerated(uint64(*m.GIDRangeMin)) +< } +< if m.GIDRangeMax != nil { +< n += 1 + sovGenerated(uint64(*m.GIDRangeMax)) +< } +< if len(m.Ranges) > 0 { +< for _, e := range m.Ranges { +< l = e.Size() +< n += 1 + l + sovGenerated(uint64(l)) +< } +< } +< return n +< } +< +2301,2302d2092 +< l = m.RunAsGroup.Size() +< n += 2 + l + sovGenerated(uint64(l)) +2520,2549d2309 +< func (this *RunAsGroupIDRange) String() string { +< if this == nil { +< return "nil" +< } +< s := strings.Join([]string{`&RunAsGroupIDRange{`, +< `Min:` + valueToStringGenerated(this.Min) + `,`, +< `Max:` + valueToStringGenerated(this.Max) + `,`, +< `}`, +< }, "") +< return s +< } +< func (this *RunAsGroupStrategyOptions) String() string { +< if this == nil { +< return "nil" +< } +< repeatedStringForRanges := "[]RunAsGroupIDRange{" +< for _, f := range this.Ranges { +< repeatedStringForRanges += strings.Replace(strings.Replace(f.String(), "RunAsGroupIDRange", "RunAsGroupIDRange", 1), `&`, ``, 1) + "," +< } +< repeatedStringForRanges += "}" +< s := strings.Join([]string{`&RunAsGroupStrategyOptions{`, +< `Type:` + fmt.Sprintf("%v", this.Type) + `,`, +< `GID:` + valueToStringGenerated(this.GID) + `,`, +< `GIDRangeMin:` + valueToStringGenerated(this.GIDRangeMin) + `,`, +< `GIDRangeMax:` + valueToStringGenerated(this.GIDRangeMax) + `,`, +< `Ranges:` + repeatedStringForRanges + `,`, +< `}`, +< }, "") +< return s +< } +2610d2369 +< `RunAsGroup:` + strings.Replace(strings.Replace(this.RunAsGroup.String(), "RunAsGroupStrategyOptions", "RunAsGroupStrategyOptions", 1), `&`, ``, 1) + `,`, +4245,4510d4003 +< func (m *RunAsGroupIDRange) Unmarshal(dAtA []byte) error { +< l := len(dAtA) +< iNdEx := 0 +< for iNdEx < l { +< preIndex := iNdEx +< var wire uint64 +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< wire |= uint64(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< fieldNum := int32(wire >> 3) +< wireType := int(wire & 0x7) +< if wireType == 4 { +< return fmt.Errorf("proto: RunAsGroupIDRange: wiretype end group for non-group") +< } +< if fieldNum <= 0 { +< return fmt.Errorf("proto: RunAsGroupIDRange: illegal tag %d (wire type %d)", fieldNum, wire) +< } +< switch fieldNum { +< case 1: +< if wireType != 0 { +< return fmt.Errorf("proto: wrong wireType = %d for field Min", wireType) +< } +< var v int64 +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< v |= int64(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< m.Min = &v +< case 2: +< if wireType != 0 { +< return fmt.Errorf("proto: wrong wireType = %d for field Max", wireType) +< } +< var v int64 +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< v |= int64(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< m.Max = &v +< default: +< iNdEx = preIndex +< skippy, err := skipGenerated(dAtA[iNdEx:]) +< if err != nil { +< return err +< } +< if (skippy < 0) || (iNdEx+skippy) < 0 { +< return ErrInvalidLengthGenerated +< } +< if (iNdEx + skippy) > l { +< return io.ErrUnexpectedEOF +< } +< iNdEx += skippy +< } +< } +< +< if iNdEx > l { +< return io.ErrUnexpectedEOF +< } +< return nil +< } +< func (m *RunAsGroupStrategyOptions) Unmarshal(dAtA []byte) error { +< l := len(dAtA) +< iNdEx := 0 +< for iNdEx < l { +< preIndex := iNdEx +< var wire uint64 +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< wire |= uint64(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< fieldNum := int32(wire >> 3) +< wireType := int(wire & 0x7) +< if wireType == 4 { +< return fmt.Errorf("proto: RunAsGroupStrategyOptions: wiretype end group for non-group") +< } +< if fieldNum <= 0 { +< return fmt.Errorf("proto: RunAsGroupStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire) +< } +< switch fieldNum { +< case 1: +< if wireType != 2 { +< return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) +< } +< var stringLen uint64 +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< stringLen |= uint64(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< intStringLen := int(stringLen) +< if intStringLen < 0 { +< return ErrInvalidLengthGenerated +< } +< postIndex := iNdEx + intStringLen +< if postIndex < 0 { +< return ErrInvalidLengthGenerated +< } +< if postIndex > l { +< return io.ErrUnexpectedEOF +< } +< m.Type = RunAsGroupStrategyType(dAtA[iNdEx:postIndex]) +< iNdEx = postIndex +< case 2: +< if wireType != 0 { +< return fmt.Errorf("proto: wrong wireType = %d for field GID", wireType) +< } +< var v int64 +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< v |= int64(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< m.GID = &v +< case 3: +< if wireType != 0 { +< return fmt.Errorf("proto: wrong wireType = %d for field GIDRangeMin", wireType) +< } +< var v int64 +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< v |= int64(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< m.GIDRangeMin = &v +< case 4: +< if wireType != 0 { +< return fmt.Errorf("proto: wrong wireType = %d for field GIDRangeMax", wireType) +< } +< var v int64 +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< v |= int64(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< m.GIDRangeMax = &v +< case 5: +< if wireType != 2 { +< return fmt.Errorf("proto: wrong wireType = %d for field Ranges", wireType) +< } +< var msglen int +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< msglen |= int(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< if msglen < 0 { +< return ErrInvalidLengthGenerated +< } +< postIndex := iNdEx + msglen +< if postIndex < 0 { +< return ErrInvalidLengthGenerated +< } +< if postIndex > l { +< return io.ErrUnexpectedEOF +< } +< m.Ranges = append(m.Ranges, RunAsGroupIDRange{}) +< if err := m.Ranges[len(m.Ranges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { +< return err +< } +< iNdEx = postIndex +< default: +< iNdEx = preIndex +< skippy, err := skipGenerated(dAtA[iNdEx:]) +< if err != nil { +< return err +< } +< if (skippy < 0) || (iNdEx+skippy) < 0 { +< return ErrInvalidLengthGenerated +< } +< if (iNdEx + skippy) > l { +< return io.ErrUnexpectedEOF +< } +< iNdEx += skippy +< } +< } +< +< if iNdEx > l { +< return io.ErrUnexpectedEOF +< } +< return nil +< } +5520,5552d5012 +< iNdEx = postIndex +< case 27: +< if wireType != 2 { +< return fmt.Errorf("proto: wrong wireType = %d for field RunAsGroup", wireType) +< } +< var msglen int +< for shift := uint(0); ; shift += 7 { +< if shift >= 64 { +< return ErrIntOverflowGenerated +< } +< if iNdEx >= l { +< return io.ErrUnexpectedEOF +< } +< b := dAtA[iNdEx] +< iNdEx++ +< msglen |= int(b&0x7F) << shift +< if b < 0x80 { +< break +< } +< } +< if msglen < 0 { +< return ErrInvalidLengthGenerated +< } +< postIndex := iNdEx + msglen +< if postIndex < 0 { +< return ErrInvalidLengthGenerated +< } +< if postIndex > l { +< return io.ErrUnexpectedEOF +< } +< if err := m.RunAsGroup.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { +< return err +< } +diff --no-dereference -N -r current/vendor/github.com/openshift/api/security/v1/generated.proto updated/vendor/github.com/openshift/api/security/v1/generated.proto +182,222d181 +< // RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy. +< message RunAsGroupIDRange { +< // min is the start of the range, inclusive. +< // +required +< optional int64 min = 1; +< +< // max is the end of the range, inclusive. +< // +required +< optional int64 max = 2; +< } +< +< // RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy. +< message RunAsGroupStrategyOptions { +< // type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. +< // Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". +< // +required +< // +kubebuilder:validation:Enum=MustRunAs;MustRunAsRange;RunAsAny +< optional string type = 1; +< +< // gid is the group id that containers must run as. Required for the MustRunAs strategy if not using +< // namespace/service account allocated gids. +< // +optional +< optional int64 gid = 2; +< +< // gidRangeMin defines the min value for a strategy that allocates by range. +< // +optional +< optional int64 gidRangeMin = 3; +< +< // gidRangeMax defines the max value for a strategy that allocates by range. +< // +optional +< optional int64 gidRangeMax = 4; +< +< // ranges are the allowed ranges of gids. If you would like to force a single +< // gid then supply a single range with the same start and end. +< // When omitted, any gid is allowed (equivalent to RunAsAny strategy). +< // +optional +< // +listType=atomic +< // +kubebuilder:validation:MaxItems=256 +< repeated RunAsGroupIDRange ranges = 5; +< } +< +265d223 +< // +kubebuilder:printcolumn:name="RunAsGroup",type=string,JSONPath=.runAsGroup.type,description="Strategy that will dictate what RunAsGroup is used by the SecurityContext" +381,385d338 +< +< // runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. +< // When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. +< // +optional +< optional RunAsGroupStrategyOptions runAsGroup = 27; +diff --no-dereference -N -r current/vendor/github.com/openshift/api/security/v1/types.go updated/vendor/github.com/openshift/api/security/v1/types.go +34d33 +< // +kubebuilder:printcolumn:name="RunAsGroup",type=string,JSONPath=.runAsGroup.type,description="Strategy that will dictate what RunAsGroup is used by the SecurityContext" +135,138d133 +< // runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. +< // When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. +< // +optional +< RunAsGroup RunAsGroupStrategyOptions `json:"runAsGroup,omitzero" protobuf:"bytes,27,opt,name=runAsGroup"` +276,311d270 +< // RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy. +< type RunAsGroupStrategyOptions struct { +< // type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. +< // Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". +< // +required +< // +kubebuilder:validation:Enum=MustRunAs;MustRunAsRange;RunAsAny +< Type RunAsGroupStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=RunAsGroupStrategyType"` +< // gid is the group id that containers must run as. Required for the MustRunAs strategy if not using +< // namespace/service account allocated gids. +< // +optional +< GID *int64 `json:"gid,omitempty" protobuf:"varint,2,opt,name=gid"` +< // gidRangeMin defines the min value for a strategy that allocates by range. +< // +optional +< GIDRangeMin *int64 `json:"gidRangeMin,omitempty" protobuf:"varint,3,opt,name=gidRangeMin"` +< // gidRangeMax defines the max value for a strategy that allocates by range. +< // +optional +< GIDRangeMax *int64 `json:"gidRangeMax,omitempty" protobuf:"varint,4,opt,name=gidRangeMax"` +< // ranges are the allowed ranges of gids. If you would like to force a single +< // gid then supply a single range with the same start and end. +< // When omitted, any gid is allowed (equivalent to RunAsAny strategy). +< // +optional +< // +listType=atomic +< // +kubebuilder:validation:MaxItems=256 +< Ranges []RunAsGroupIDRange `json:"ranges,omitempty" protobuf:"bytes,5,rep,name=ranges"` +< } +< +< // RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy. +< type RunAsGroupIDRange struct { +< // min is the start of the range, inclusive. +< // +required +< Min *int64 `json:"min,omitempty" protobuf:"varint,1,opt,name=min"` +< // max is the end of the range, inclusive. +< // +required +< Max *int64 `json:"max,omitempty" protobuf:"varint,2,opt,name=max"` +< } +< +340,343d298 +< // RunAsGroupStrategyType denotes strategy types for generating RunAsGroup values for a +< // SecurityContext +< type RunAsGroupStrategyType string +< +368,374d322 +< +< // container must have RunAsGroup of X applied. +< RunAsGroupStrategyMustRunAs RunAsGroupStrategyType = "MustRunAs" +< // container must run with a gid in a range. +< RunAsGroupStrategyMustRunAsRange RunAsGroupStrategyType = "MustRunAsRange" +< // container may make requests for any RunAsGroup. +< RunAsGroupStrategyRunAsAny RunAsGroupStrategyType = "RunAsAny" +diff --no-dereference -N -r current/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go updated/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go +321,372d320 +< func (in *RunAsGroupIDRange) DeepCopyInto(out *RunAsGroupIDRange) { +< *out = *in +< return +< } +< +< // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupIDRange. +< func (in *RunAsGroupIDRange) DeepCopy() *RunAsGroupIDRange { +< if in == nil { +< return nil +< } +< out := new(RunAsGroupIDRange) +< in.DeepCopyInto(out) +< return out +< } +< +< // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +< func (in *RunAsGroupStrategyOptions) DeepCopyInto(out *RunAsGroupStrategyOptions) { +< *out = *in +< if in.GID != nil { +< in, out := &in.GID, &out.GID +< *out = new(int64) +< **out = **in +< } +< if in.GIDRangeMin != nil { +< in, out := &in.GIDRangeMin, &out.GIDRangeMin +< *out = new(int64) +< **out = **in +< } +< if in.GIDRangeMax != nil { +< in, out := &in.GIDRangeMax, &out.GIDRangeMax +< *out = new(int64) +< **out = **in +< } +< if in.Ranges != nil { +< in, out := &in.Ranges, &out.Ranges +< *out = make([]RunAsGroupIDRange, len(*in)) +< copy(*out, *in) +< } +< return +< } +< +< // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupStrategyOptions. +< func (in *RunAsGroupStrategyOptions) DeepCopy() *RunAsGroupStrategyOptions { +< if in == nil { +< return nil +< } +< out := new(RunAsGroupStrategyOptions) +< in.DeepCopyInto(out) +< return out +< } +< +< // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +473d420 +< in.RunAsGroup.DeepCopyInto(&out.RunAsGroup) +diff --no-dereference -N -r current/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go updated/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go +147,169d146 +< var map_RunAsGroupIDRange = map[string]string{ +< "": "RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy.", +< "min": "min is the start of the range, inclusive.", +< "max": "max is the end of the range, inclusive.", +< } +< +< func (RunAsGroupIDRange) SwaggerDoc() map[string]string { +< return map_RunAsGroupIDRange +< } +< +< var map_RunAsGroupStrategyOptions = map[string]string{ +< "": "RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.", +< "type": "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. Valid values are \"MustRunAs\", \"MustRunAsRange\", and \"RunAsAny\".", +< "gid": "gid is the group id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated gids.", +< "gidRangeMin": "gidRangeMin defines the min value for a strategy that allocates by range.", +< "gidRangeMax": "gidRangeMax defines the max value for a strategy that allocates by range.", +< "ranges": "ranges are the allowed ranges of gids. If you would like to force a single gid then supply a single range with the same start and end. When omitted, any gid is allowed (equivalent to RunAsAny strategy).", +< } +< +< func (RunAsGroupStrategyOptions) SwaggerDoc() map[string]string { +< return map_RunAsGroupStrategyOptions +< } +< +214d190 +< "runAsGroup": "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.", diff --git a/pkg/securitycontextconstraints/group/mustrunas.go b/pkg/securitycontextconstraints/group/mustrunas.go index 14d3f06ee..c170fa474 100644 --- a/pkg/securitycontextconstraints/group/mustrunas.go +++ b/pkg/securitycontextconstraints/group/mustrunas.go @@ -54,8 +54,9 @@ func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, groups []int64) fi for _, group := range groups { if !s.isGroupValid(group) { - detail := fmt.Sprintf("%d is not an allowed group", group) - allErrs = append(allErrs, field.Invalid(fldPath.Child(s.field), groups, detail)) + rangesStr := formatRanges(s.ranges) // e.g., "[1000, 65534]" + detail := fmt.Sprintf("must be in the ranges: %s", rangesStr) + allErrs = append(allErrs, field.Invalid(fldPath.Child(s.field), group, detail)) } } @@ -74,3 +75,14 @@ func (s *mustRunAs) isGroupValid(group int64) bool { func fallsInRange(group int64, rng securityv1.IDRange) bool { return group >= rng.Min && group <= rng.Max } + +func formatRanges(ranges []securityv1.IDRange) string { + rangesStr := "" + for i, rng := range ranges { + if i > 0 { + rangesStr += ", " + } + rangesStr += fmt.Sprintf("[%d, %d]", rng.Min, rng.Max) + } + return rangesStr +} diff --git a/pkg/securitycontextconstraints/runasgroup/integration_verification_test.go b/pkg/securitycontextconstraints/runasgroup/integration_verification_test.go new file mode 100644 index 000000000..a4d951404 --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/integration_verification_test.go @@ -0,0 +1,371 @@ +package runasgroup + +import ( + "testing" + + securityv1 "github.com/openshift/api/security/v1" +) + +// TestAllStrategyImplementations verifies that all three runAsGroup strategies +// properly implement the RunAsGroupSecurityContextConstraintsStrategy interface +// and work correctly with the new RunAsGroupIDRange pointer types +func TestAllStrategyImplementations(t *testing.T) { + tests := []struct { + name string + strategyType string + opts *securityv1.RunAsGroupStrategyOptions + testGID *int64 + shouldPass bool + }{ + { + name: "MustRunAs with single GID - valid", + strategyType: "MustRunAs", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(1000)}, + }, + }, + testGID: int64Ptr(1000), + shouldPass: true, + }, + { + name: "MustRunAs with single GID - invalid", + strategyType: "MustRunAs", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(1000)}, + }, + }, + testGID: int64Ptr(2000), + shouldPass: false, + }, + { + name: "MustRunAsRange with single range - valid min", + strategyType: "MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + }, + }, + testGID: int64Ptr(1000), + shouldPass: true, + }, + { + name: "MustRunAsRange with single range - valid mid", + strategyType: "MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + }, + }, + testGID: int64Ptr(1500), + shouldPass: true, + }, + { + name: "MustRunAsRange with single range - valid max", + strategyType: "MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + }, + }, + testGID: int64Ptr(2000), + shouldPass: true, + }, + { + name: "MustRunAsRange with single range - invalid below", + strategyType: "MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + }, + }, + testGID: int64Ptr(999), + shouldPass: false, + }, + { + name: "MustRunAsRange with single range - invalid above", + strategyType: "MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + }, + }, + testGID: int64Ptr(2001), + shouldPass: false, + }, + { + name: "MustRunAsRange with multiple ranges - valid in first", + strategyType: "MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + {Min: int64Ptr(5000), Max: int64Ptr(6000)}, + }, + }, + testGID: int64Ptr(1500), + shouldPass: true, + }, + { + name: "MustRunAsRange with multiple ranges - valid in second", + strategyType: "MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + {Min: int64Ptr(5000), Max: int64Ptr(6000)}, + }, + }, + testGID: int64Ptr(5500), + shouldPass: true, + }, + { + name: "MustRunAsRange with multiple ranges - invalid between ranges", + strategyType: "MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + {Min: int64Ptr(5000), Max: int64Ptr(6000)}, + }, + }, + testGID: int64Ptr(3000), + shouldPass: false, + }, + { + name: "RunAsAny - accepts any GID", + strategyType: "RunAsAny", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, + testGID: int64Ptr(9999), + shouldPass: true, + }, + { + name: "RunAsAny - accepts zero", + strategyType: "RunAsAny", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, + testGID: int64Ptr(0), + shouldPass: true, + }, + { + name: "RunAsAny - accepts nil", + strategyType: "RunAsAny", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, + testGID: nil, + shouldPass: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + var strategy RunAsGroupSecurityContextConstraintsStrategy + var err error + + // Create the appropriate strategy + switch tt.strategyType { + case "MustRunAs": + strategy, err = NewMustRunAs(tt.opts) + case "MustRunAsRange": + strategy, err = NewMustRunAsRange(tt.opts) + case "RunAsAny": + strategy, err = NewRunAsAny(tt.opts) + default: + t.Fatalf("Unknown strategy type: %s", tt.strategyType) + } + + if err != nil { + t.Fatalf("Failed to create strategy: %v", err) + } + + // Test Generate function + generated, err := strategy.Generate(nil, nil) + if err != nil { + t.Errorf("Generate failed: %v", err) + } + // For RunAsAny, generated should be nil + if tt.strategyType == "RunAsAny" && generated != nil { + t.Errorf("RunAsAny should generate nil, got %v", *generated) + } + // For MustRunAs and MustRunAsRange, generated should be non-nil + if tt.strategyType != "RunAsAny" && generated == nil { + t.Errorf("%s should generate a non-nil GID", tt.strategyType) + } + + // Test Validate function + errs := strategy.Validate(nil, nil, nil, tt.testGID) + hasErrors := len(errs) > 0 + + if tt.shouldPass && hasErrors { + t.Errorf("Validation should pass but got errors: %v", errs) + } + if !tt.shouldPass && !hasErrors { + t.Errorf("Validation should fail but got no errors") + } + }) + } +} + +// TestPointerHandling verifies that all strategies properly handle pointer types +// from RunAsGroupIDRange +func TestPointerHandling(t *testing.T) { + t.Run("MustRunAs handles pointer Min/Max correctly", func(t *testing.T) { + opts := &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(100), Max: int64Ptr(100)}, + }, + } + strategy, err := NewMustRunAs(opts) + if err != nil { + t.Fatalf("NewMustRunAs failed: %v", err) + } + + generated, err := strategy.Generate(nil, nil) + if err != nil { + t.Fatalf("Generate failed: %v", err) + } + if generated == nil { + t.Fatal("Generated GID should not be nil") + } + if *generated != 100 { + t.Errorf("Generated GID = %d, want 100", *generated) + } + }) + + t.Run("MustRunAsRange handles pointer Min/Max correctly", func(t *testing.T) { + opts := &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(200), Max: int64Ptr(300)}, + }, + } + strategy, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("NewMustRunAsRange failed: %v", err) + } + + generated, err := strategy.Generate(nil, nil) + if err != nil { + t.Fatalf("Generate failed: %v", err) + } + if generated == nil { + t.Fatal("Generated GID should not be nil") + } + if *generated != 200 { + t.Errorf("Generated GID = %d, want 200 (min of range)", *generated) + } + + // Test validation with GID in range + gid := int64Ptr(250) + errs := strategy.Validate(nil, nil, nil, gid) + if len(errs) > 0 { + t.Errorf("Validation failed for GID in range: %v", errs) + } + }) + + t.Run("validateIDRange handles nil pointers", func(t *testing.T) { + // Test with nil Min + rng := securityv1.RunAsGroupIDRange{Min: nil, Max: int64Ptr(100)} + err := validateIDRange(rng) + if err == nil { + t.Error("validateIDRange should fail with nil Min") + } + + // Test with nil Max + rng = securityv1.RunAsGroupIDRange{Min: int64Ptr(100), Max: nil} + err = validateIDRange(rng) + if err == nil { + t.Error("validateIDRange should fail with nil Max") + } + + // Test with both nil + rng = securityv1.RunAsGroupIDRange{Min: nil, Max: nil} + err = validateIDRange(rng) + if err == nil { + t.Error("validateIDRange should fail with both nil") + } + }) +} + +// TestEdgeCases verifies edge cases and boundary conditions +func TestEdgeCases(t *testing.T) { + t.Run("Zero GID handling", func(t *testing.T) { + opts := &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(0), Max: int64Ptr(0)}, + }, + } + strategy, err := NewMustRunAs(opts) + if err != nil { + t.Fatalf("NewMustRunAs failed with zero GID: %v", err) + } + + generated, err := strategy.Generate(nil, nil) + if err != nil { + t.Fatalf("Generate failed: %v", err) + } + if *generated != 0 { + t.Errorf("Generated GID = %d, want 0", *generated) + } + + gid := int64Ptr(0) + errs := strategy.Validate(nil, nil, nil, gid) + if len(errs) > 0 { + t.Errorf("Validation failed for zero GID: %v", errs) + } + }) + + t.Run("Large GID values", func(t *testing.T) { + var largeGID int64 = 2147483647 // Max int32 + opts := &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(largeGID), Max: int64Ptr(largeGID)}, + }, + } + strategy, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("NewMustRunAsRange failed with large GID: %v", err) + } + + gid := int64Ptr(largeGID) + errs := strategy.Validate(nil, nil, nil, gid) + if len(errs) > 0 { + t.Errorf("Validation failed for large GID: %v", errs) + } + }) + + t.Run("Negative GID values (allowed)", func(t *testing.T) { + var negGID int64 = -1 + opts := &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(-10), Max: int64Ptr(10)}, + }, + } + strategy, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("NewMustRunAsRange failed with negative GIDs: %v", err) + } + + gid := int64Ptr(negGID) + errs := strategy.Validate(nil, nil, nil, gid) + if len(errs) > 0 { + t.Errorf("Validation failed for negative GID in valid range: %v", errs) + } + }) +} diff --git a/pkg/securitycontextconstraints/runasgroup/mustrunas.go b/pkg/securitycontextconstraints/runasgroup/mustrunas.go new file mode 100644 index 000000000..93555d830 --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/mustrunas.go @@ -0,0 +1,61 @@ +package runasgroup + +import ( + "fmt" + + "k8s.io/apimachinery/pkg/util/validation/field" + api "k8s.io/kubernetes/pkg/apis/core" + + securityv1 "github.com/openshift/api/security/v1" +) + +// mustRunAs implements the RunAsGroupSecurityContextConstraintsStrategy interface +type mustRunAs struct { + opts *securityv1.RunAsGroupStrategyOptions +} + +var _ RunAsGroupSecurityContextConstraintsStrategy = &mustRunAs{} + +// NewMustRunAs provides a strategy that requires the container to run as a specific GID. +func NewMustRunAs(options *securityv1.RunAsGroupStrategyOptions) (RunAsGroupSecurityContextConstraintsStrategy, error) { + if options == nil { + return nil, fmt.Errorf("MustRunAs requires run as group options") + } + if len(options.Ranges) == 0 { + return nil, fmt.Errorf("MustRunAs requires at least one range") + } + // Validate the range is valid (min <= max) + if err := validateIDRange(options.Ranges[0]); err != nil { + return nil, fmt.Errorf("MustRunAs has invalid range: %v", err) + } + if *options.Ranges[0].Min != *options.Ranges[0].Max { + return nil, fmt.Errorf("MustRunAs requires the first range to have the same min and max GID") + } + return &mustRunAs{ + opts: options, + }, nil +} + +// Generate creates the gid based on policy rules. MustRunAs returns the GID it is initialized with. +func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*int64, error) { + return s.opts.Ranges[0].Min, nil +} + +// Validate ensures that the specified values fall within the range of the strategy. +func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container, runAsGroup *int64) field.ErrorList { + allErrs := field.ErrorList{} + + if runAsGroup == nil { + allErrs = append(allErrs, field.Required(fldPath.Child("runAsGroup"), "")) + return allErrs + } + + requiredGID := *s.opts.Ranges[0].Min + if requiredGID != *runAsGroup { + detail := fmt.Sprintf("must be in the ranges: [%d, %d]", requiredGID, requiredGID) + allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *runAsGroup, detail)) + return allErrs + } + + return allErrs +} diff --git a/pkg/securitycontextconstraints/runasgroup/mustrunas_test.go b/pkg/securitycontextconstraints/runasgroup/mustrunas_test.go new file mode 100644 index 000000000..e7730dd4c --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/mustrunas_test.go @@ -0,0 +1,151 @@ +package runasgroup + +import ( + "fmt" + "strings" + "testing" + + securityv1 "github.com/openshift/api/security/v1" +) + +func TestMustRunAsOptions(t *testing.T) { + tests := map[string]struct { + opts *securityv1.RunAsGroupStrategyOptions + pass bool + }{ + "nil opts": { + opts: nil, + pass: false, + }, + "empty opts": { + opts: &securityv1.RunAsGroupStrategyOptions{}, + pass: false, + }, + "no ranges": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{}, + }, + pass: false, + }, + "range with different min and max": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1), Max: int64Ptr(10)}, + }, + }, + pass: false, + }, + "valid single GID (min == max)": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(5), Max: int64Ptr(5)}, + }, + }, + pass: true, + }, + "valid single GID zero": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(0), Max: int64Ptr(0)}, + }, + }, + pass: true, + }, + } + for name, tc := range tests { + _, err := NewMustRunAs(tc.opts) + if err != nil && tc.pass { + t.Errorf("%s expected to pass but received error %v", name, err) + } + if err == nil && !tc.pass { + t.Errorf("%s expected to fail but did not receive an error", name) + } + } +} + +func TestMustRunAsGenerate(t *testing.T) { + var gid int64 = 100 + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(gid), Max: int64Ptr(gid)}, + }, + } + mustRunAs, err := NewMustRunAs(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAs %v", err) + } + generated, err := mustRunAs.Generate(nil, nil) + if err != nil { + t.Fatalf("unexpected error generating gid %v", err) + } + if generated == nil { + t.Fatal("expected generated gid but got nil") + } + if *generated != gid { + t.Errorf("generated gid %d does not equal configured gid %d", *generated, gid) + } +} + +func TestMustRunAsValidate(t *testing.T) { + var gid int64 = 100 + var badGID int64 = 200 + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(gid), Max: int64Ptr(gid)}, + }, + } + mustRunAs, err := NewMustRunAs(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAs %v", err) + } + + // Test nil runAsGroup + errs := mustRunAs.Validate(nil, nil, nil, nil) + expectedMessage := "runAsGroup: Required value" + if len(errs) == 0 { + t.Errorf("expected errors from nil runAsGroup but got none") + } else if !strings.Contains(errs[0].Error(), expectedMessage) { + t.Errorf("expected error to contain %q but it did not: %v", expectedMessage, errs) + } + + // Test mismatched GID + errs = mustRunAs.Validate(nil, nil, nil, &badGID) + expectedMessage = fmt.Sprintf("runAsGroup: Invalid value: %d: must be in the ranges: [%d, %d]", badGID, gid, gid) + if len(errs) == 0 { + t.Errorf("expected errors from mismatch gid but got none") + } else if !strings.Contains(errs[0].Error(), expectedMessage) { + t.Errorf("expected error to contain %q but it did not: %v", expectedMessage, errs) + } + + // Test matching GID + errs = mustRunAs.Validate(nil, nil, nil, &gid) + if len(errs) != 0 { + t.Errorf("expected no errors from matching gid but got %v", errs) + } +} + +func TestMustRunAsValidateZeroGID(t *testing.T) { + var gid int64 = 0 + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(gid), Max: int64Ptr(gid)}, + }, + } + mustRunAs, err := NewMustRunAs(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAs with zero GID %v", err) + } + + // Test that zero GID is accepted when required + errs := mustRunAs.Validate(nil, nil, nil, &gid) + if len(errs) != 0 { + t.Errorf("expected no errors from matching zero gid but got %v", errs) + } + + // Test that non-zero GID is rejected + var nonZeroGID int64 = 1 + errs = mustRunAs.Validate(nil, nil, nil, &nonZeroGID) + if len(errs) == 0 { + t.Errorf("expected errors from non-zero gid when zero is required but got none") + } +} diff --git a/pkg/securitycontextconstraints/runasgroup/mustrunasrange.go b/pkg/securitycontextconstraints/runasgroup/mustrunasrange.go new file mode 100644 index 000000000..135a87b30 --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/mustrunasrange.go @@ -0,0 +1,71 @@ +package runasgroup + +import ( + "fmt" + + "k8s.io/apimachinery/pkg/util/validation/field" + api "k8s.io/kubernetes/pkg/apis/core" + + securityv1 "github.com/openshift/api/security/v1" +) + +// mustRunAsRange implements the RunAsGroupSecurityContextConstraintsStrategy interface +type mustRunAsRange struct { + opts *securityv1.RunAsGroupStrategyOptions +} + +var _ RunAsGroupSecurityContextConstraintsStrategy = &mustRunAsRange{} + +// NewMustRunAsRange provides a strategy that requires the container to run as a specific GID in a range. +func NewMustRunAsRange(options *securityv1.RunAsGroupStrategyOptions) (RunAsGroupSecurityContextConstraintsStrategy, error) { + if options == nil { + return nil, fmt.Errorf("MustRunAsRange requires run as group options") + } + if len(options.Ranges) == 0 { + return nil, fmt.Errorf("MustRunAsRange requires at least one range") + } + // Validate all ranges are valid (min <= max for each range) + for i, rng := range options.Ranges { + if err := validateIDRange(rng); err != nil { + return nil, fmt.Errorf("MustRunAsRange has invalid range at index %d: %v", i, err) + } + } + return &mustRunAsRange{ + opts: options, + }, nil +} + +// Generate creates the gid based on policy rules. MustRunAsRange returns the minimum GID of the first range. +func (s *mustRunAsRange) Generate(pod *api.Pod, container *api.Container) (*int64, error) { + return s.opts.Ranges[0].Min, nil +} + +// Validate ensures that the specified values fall within the range of the strategy. +func (s *mustRunAsRange) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container, runAsGroup *int64) field.ErrorList { + allErrs := field.ErrorList{} + + if runAsGroup == nil { + allErrs = append(allErrs, field.Required(fldPath.Child("runAsGroup"), "")) + return allErrs + } + + // Check if the GID falls within any of the allowed ranges + for _, rng := range s.opts.Ranges { + if *runAsGroup >= *rng.Min && *runAsGroup <= *rng.Max { + return allErrs + } + } + + // Build error message with all allowed ranges + rangesStr := "" + for i, rng := range s.opts.Ranges { + if i > 0 { + rangesStr += ", " + } + rangesStr += fmt.Sprintf("[%d, %d]", *rng.Min, *rng.Max) + } + detail := fmt.Sprintf("must be in the ranges: %s", rangesStr) + allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsGroup"), *runAsGroup, detail)) + + return allErrs +} diff --git a/pkg/securitycontextconstraints/runasgroup/mustrunasrange_test.go b/pkg/securitycontextconstraints/runasgroup/mustrunasrange_test.go new file mode 100644 index 000000000..e685cf2ec --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/mustrunasrange_test.go @@ -0,0 +1,294 @@ +package runasgroup + +import ( + "fmt" + "strings" + "testing" + + securityv1 "github.com/openshift/api/security/v1" +) + +func TestMustRunAsRangeOptions(t *testing.T) { + tests := map[string]struct { + opts *securityv1.RunAsGroupStrategyOptions + pass bool + }{ + "nil opts": { + opts: nil, + pass: false, + }, + "empty opts": { + opts: &securityv1.RunAsGroupStrategyOptions{}, + pass: false, + }, + "no ranges": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{}, + }, + pass: false, + }, + "valid single range": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1), Max: int64Ptr(10)}, + }, + }, + pass: true, + }, + "valid single range with min == max": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(5), Max: int64Ptr(5)}, + }, + }, + pass: true, + }, + "valid multiple ranges": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1), Max: int64Ptr(10)}, + {Min: int64Ptr(100), Max: int64Ptr(200)}, + }, + }, + pass: true, + }, + "valid range starting at zero": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(0), Max: int64Ptr(100)}, + }, + }, + pass: true, + }, + } + for name, tc := range tests { + _, err := NewMustRunAsRange(tc.opts) + if err != nil && tc.pass { + t.Errorf("%s expected to pass but received error %v", name, err) + } + if err == nil && !tc.pass { + t.Errorf("%s expected to fail but did not receive an error", name) + } + } +} + +func TestMustRunAsRangeGenerate(t *testing.T) { + var gidMin int64 = 10 + var gidMax int64 = 20 + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(gidMin), Max: int64Ptr(gidMax)}, + }, + } + mustRunAsRange, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAsRange %v", err) + } + generated, err := mustRunAsRange.Generate(nil, nil) + if err != nil { + t.Fatalf("unexpected error generating gid %v", err) + } + if generated == nil { + t.Fatal("expected generated gid but got nil") + } + if *generated != gidMin { + t.Errorf("generated gid %d does not equal expected min gid %d", *generated, gidMin) + } +} + +func TestMustRunAsRangeGenerateMultipleRanges(t *testing.T) { + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(10), Max: int64Ptr(20)}, + {Min: int64Ptr(100), Max: int64Ptr(200)}, + }, + } + mustRunAsRange, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAsRange %v", err) + } + generated, err := mustRunAsRange.Generate(nil, nil) + if err != nil { + t.Fatalf("unexpected error generating gid %v", err) + } + if generated == nil { + t.Fatal("expected generated gid but got nil") + } + // Should return the min of the first range + if *generated != 10 { + t.Errorf("generated gid %d does not equal expected min of first range 10", *generated) + } +} + +func TestMustRunAsRangeValidate(t *testing.T) { + var gidMin int64 = 10 + var gidMax int64 = 20 + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(gidMin), Max: int64Ptr(gidMax)}, + }, + } + mustRunAsRange, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAsRange %v", err) + } + + // Test nil runAsGroup + errs := mustRunAsRange.Validate(nil, nil, nil, nil) + expectedMessage := "runAsGroup: Required value" + if len(errs) == 0 { + t.Errorf("expected errors from nil runAsGroup but got none") + } else if !strings.Contains(errs[0].Error(), expectedMessage) { + t.Errorf("expected error to contain %q but it did not: %v", expectedMessage, errs) + } + + // Test GID below range + var lowGID int64 = 5 + errs = mustRunAsRange.Validate(nil, nil, nil, &lowGID) + expectedMessage = fmt.Sprintf("runAsGroup: Invalid value: %d: must be in the ranges: [%d, %d]", lowGID, gidMin, gidMax) + if len(errs) == 0 { + t.Errorf("expected errors from low gid but got none") + } else if !strings.Contains(errs[0].Error(), expectedMessage) { + t.Errorf("expected error to contain %q but it did not: %v", expectedMessage, errs) + } + + // Test GID above range + var highGID int64 = 25 + errs = mustRunAsRange.Validate(nil, nil, nil, &highGID) + expectedMessage = fmt.Sprintf("runAsGroup: Invalid value: %d: must be in the ranges: [%d, %d]", highGID, gidMin, gidMax) + if len(errs) == 0 { + t.Errorf("expected errors from high gid but got none") + } else if !strings.Contains(errs[0].Error(), expectedMessage) { + t.Errorf("expected error to contain %q but it did not: %v", expectedMessage, errs) + } + + // Test GID at minimum boundary + errs = mustRunAsRange.Validate(nil, nil, nil, &gidMin) + if len(errs) != 0 { + t.Errorf("expected no errors from min boundary gid but got %v", errs) + } + + // Test GID at maximum boundary + errs = mustRunAsRange.Validate(nil, nil, nil, &gidMax) + if len(errs) != 0 { + t.Errorf("expected no errors from max boundary gid but got %v", errs) + } + + // Test GID in middle of range + var midGID int64 = 15 + errs = mustRunAsRange.Validate(nil, nil, nil, &midGID) + if len(errs) != 0 { + t.Errorf("expected no errors from mid-range gid but got %v", errs) + } +} + +func TestMustRunAsRangeValidateMultipleRanges(t *testing.T) { + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(10), Max: int64Ptr(20)}, + {Min: int64Ptr(100), Max: int64Ptr(200)}, + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + }, + } + mustRunAsRange, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAsRange %v", err) + } + + tests := []struct { + name string + gid int64 + shouldPass bool + description string + }{ + {"first range min", 10, true, "minimum of first range"}, + {"first range mid", 15, true, "middle of first range"}, + {"first range max", 20, true, "maximum of first range"}, + {"second range min", 100, true, "minimum of second range"}, + {"second range mid", 150, true, "middle of second range"}, + {"second range max", 200, true, "maximum of second range"}, + {"third range min", 1000, true, "minimum of third range"}, + {"third range mid", 1500, true, "middle of third range"}, + {"third range max", 2000, true, "maximum of third range"}, + {"before first range", 5, false, "before first range"}, + {"between first and second", 50, false, "between first and second range"}, + {"between second and third", 500, false, "between second and third range"}, + {"after third range", 3000, false, "after third range"}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + errs := mustRunAsRange.Validate(nil, nil, nil, &tt.gid) + if tt.shouldPass && len(errs) != 0 { + t.Errorf("expected no errors for %s (gid %d) but got %v", tt.description, tt.gid, errs) + } + if !tt.shouldPass && len(errs) == 0 { + t.Errorf("expected errors for %s (gid %d) but got none", tt.description, tt.gid) + } + }) + } +} + +func TestMustRunAsRangeValidateErrorMessage(t *testing.T) { + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(10), Max: int64Ptr(20)}, + {Min: int64Ptr(100), Max: int64Ptr(200)}, + }, + } + mustRunAsRange, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAsRange %v", err) + } + + var invalidGID int64 = 50 + errs := mustRunAsRange.Validate(nil, nil, nil, &invalidGID) + if len(errs) == 0 { + t.Fatal("expected error but got none") + } + + errorMsg := errs[0].Error() + // Error message should contain both ranges + if !strings.Contains(errorMsg, "[10, 20]") { + t.Errorf("expected error message to contain first range '[10, 20]' but got: %s", errorMsg) + } + if !strings.Contains(errorMsg, "[100, 200]") { + t.Errorf("expected error message to contain second range '[100, 200]' but got: %s", errorMsg) + } + if !strings.Contains(errorMsg, "must be in the ranges:") { + t.Errorf("expected error message to contain 'must be in the ranges:' but got: %s", errorMsg) + } +} + +func TestMustRunAsRangeSingleGIDRange(t *testing.T) { + // Test that a range with min == max works correctly + var gid int64 = 100 + opts := &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(gid), Max: int64Ptr(gid)}, + }, + } + mustRunAsRange, err := NewMustRunAsRange(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewMustRunAsRange with single GID %v", err) + } + + // Should accept the exact GID + errs := mustRunAsRange.Validate(nil, nil, nil, &gid) + if len(errs) != 0 { + t.Errorf("expected no errors for exact gid %d but got %v", gid, errs) + } + + // Should reject any other GID + var otherGID int64 = 99 + errs = mustRunAsRange.Validate(nil, nil, nil, &otherGID) + if len(errs) == 0 { + t.Errorf("expected errors for gid %d when only %d is allowed but got none", otherGID, gid) + } + + otherGID = 101 + errs = mustRunAsRange.Validate(nil, nil, nil, &otherGID) + if len(errs) == 0 { + t.Errorf("expected errors for gid %d when only %d is allowed but got none", otherGID, gid) + } +} diff --git a/pkg/securitycontextconstraints/runasgroup/runasany.go b/pkg/securitycontextconstraints/runasgroup/runasany.go new file mode 100644 index 000000000..c3e901d05 --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/runasany.go @@ -0,0 +1,28 @@ +package runasgroup + +import ( + "k8s.io/apimachinery/pkg/util/validation/field" + api "k8s.io/kubernetes/pkg/apis/core" + + securityv1 "github.com/openshift/api/security/v1" +) + +// runAsAny implements the interface RunAsGroupSecurityContextConstraintsStrategy. +type runAsAny struct{} + +var _ RunAsGroupSecurityContextConstraintsStrategy = &runAsAny{} + +// NewRunAsAny provides a strategy that will return nil. +func NewRunAsAny(options *securityv1.RunAsGroupStrategyOptions) (RunAsGroupSecurityContextConstraintsStrategy, error) { + return &runAsAny{}, nil +} + +// Generate creates the gid based on policy rules. +func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*int64, error) { + return nil, nil +} + +// Validate ensures that the specified values fall within the range of the strategy. +func (s *runAsAny) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container, runAsGroup *int64) field.ErrorList { + return field.ErrorList{} +} diff --git a/pkg/securitycontextconstraints/runasgroup/runasany_test.go b/pkg/securitycontextconstraints/runasgroup/runasany_test.go new file mode 100644 index 000000000..bb9e2f1c9 --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/runasany_test.go @@ -0,0 +1,88 @@ +package runasgroup + +import ( + "testing" + + securityv1 "github.com/openshift/api/security/v1" +) + +func TestRunAsAnyOptions(t *testing.T) { + tests := map[string]struct { + opts *securityv1.RunAsGroupStrategyOptions + pass bool + }{ + "nil opts": { + opts: nil, + pass: true, + }, + "empty opts": { + opts: &securityv1.RunAsGroupStrategyOptions{}, + pass: true, + }, + "opts with ranges": { + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1), Max: int64Ptr(10)}, + }, + }, + pass: true, + }, + } + for name, tc := range tests { + _, err := NewRunAsAny(tc.opts) + if err != nil && tc.pass { + t.Errorf("%s expected to pass but received error %v", name, err) + } + if err == nil && !tc.pass { + t.Errorf("%s expected to fail but did not receive an error", name) + } + } +} + +func TestRunAsAnyGenerate(t *testing.T) { + opts := &securityv1.RunAsGroupStrategyOptions{} + runAsAny, err := NewRunAsAny(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewRunAsAny %v", err) + } + generated, err := runAsAny.Generate(nil, nil) + if err != nil { + t.Fatalf("unexpected error generating gid %v", err) + } + if generated != nil { + t.Errorf("expected nil gid from RunAsAny but got %v", *generated) + } +} + +func TestRunAsAnyValidate(t *testing.T) { + opts := &securityv1.RunAsGroupStrategyOptions{} + runAsAny, err := NewRunAsAny(opts) + if err != nil { + t.Fatalf("unexpected error initializing NewRunAsAny %v", err) + } + + // RunAsAny should accept nil + errs := runAsAny.Validate(nil, nil, nil, nil) + if len(errs) != 0 { + t.Errorf("expected no errors from nil runAsGroup but got %v", errs) + } + + // RunAsAny should accept any GID + var gid int64 = 0 + errs = runAsAny.Validate(nil, nil, nil, &gid) + if len(errs) != 0 { + t.Errorf("expected no errors from gid 0 but got %v", errs) + } + + gid = 999 + errs = runAsAny.Validate(nil, nil, nil, &gid) + if len(errs) != 0 { + t.Errorf("expected no errors from gid 999 but got %v", errs) + } + + gid = -1 + errs = runAsAny.Validate(nil, nil, nil, &gid) + if len(errs) != 0 { + t.Errorf("expected no errors from negative gid but got %v", errs) + } +} diff --git a/pkg/securitycontextconstraints/runasgroup/test_helpers.go b/pkg/securitycontextconstraints/runasgroup/test_helpers.go new file mode 100644 index 000000000..31056c42f --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/test_helpers.go @@ -0,0 +1,7 @@ +package runasgroup + +// int64Ptr returns a pointer to an int64 +// This is a test helper function used across multiple test files +func int64Ptr(v int64) *int64 { + return &v +} diff --git a/pkg/securitycontextconstraints/runasgroup/types.go b/pkg/securitycontextconstraints/runasgroup/types.go new file mode 100644 index 000000000..fae151be0 --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/types.go @@ -0,0 +1,14 @@ +package runasgroup + +import ( + "k8s.io/apimachinery/pkg/util/validation/field" + api "k8s.io/kubernetes/pkg/apis/core" +) + +// RunAsGroupSecurityContextConstraintsStrategy defines the interface for all gid constraint strategies. +type RunAsGroupSecurityContextConstraintsStrategy interface { + // Generate creates the gid based on policy rules. + Generate(pod *api.Pod, container *api.Container) (*int64, error) + // Validate ensures that the specified values fall within the range of the strategy. + Validate(fldPath *field.Path, pod *api.Pod, container *api.Container, runAsGroup *int64) field.ErrorList +} diff --git a/pkg/securitycontextconstraints/runasgroup/util.go b/pkg/securitycontextconstraints/runasgroup/util.go new file mode 100644 index 000000000..a27a479a9 --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/util.go @@ -0,0 +1,24 @@ +package runasgroup + +import ( + "fmt" + + securityv1 "github.com/openshift/api/security/v1" +) + +// validateIDRange validates that a RunAsGroupIDRange has valid min/max values. +// It ensures that Min and Max are set and Min <= Max to prevent invalid range configurations. +func validateIDRange(rng securityv1.RunAsGroupIDRange) error { + if rng.Min == nil { + return fmt.Errorf("min must be specified") + } + if rng.Max == nil { + return fmt.Errorf("max must be specified") + } + if *rng.Min > *rng.Max { + return fmt.Errorf("min (%d) must be less than or equal to max (%d)", *rng.Min, *rng.Max) + } + // Note: Negative GID values are allowed as they may be used in some systems + // If validation for non-negative values is needed, it should be added here + return nil +} diff --git a/pkg/securitycontextconstraints/runasgroup/util_test.go b/pkg/securitycontextconstraints/runasgroup/util_test.go new file mode 100644 index 000000000..62a0a0ca2 --- /dev/null +++ b/pkg/securitycontextconstraints/runasgroup/util_test.go @@ -0,0 +1,197 @@ +package runasgroup + +import ( + "strings" + "testing" + + securityv1 "github.com/openshift/api/security/v1" +) + +func TestValidateIDRange(t *testing.T) { + tests := []struct { + name string + rng securityv1.RunAsGroupIDRange + expectError bool + errorMsg string + }{ + { + name: "valid range with min < max", + rng: securityv1.RunAsGroupIDRange{Min: int64Ptr(10), Max: int64Ptr(20)}, + expectError: false, + }, + { + name: "valid range with min == max", + rng: securityv1.RunAsGroupIDRange{Min: int64Ptr(100), Max: int64Ptr(100)}, + expectError: false, + }, + { + name: "invalid range with min > max", + rng: securityv1.RunAsGroupIDRange{Min: int64Ptr(200), Max: int64Ptr(100)}, + expectError: true, + errorMsg: "min (200) must be less than or equal to max (100)", + }, + { + name: "valid range with zero values", + rng: securityv1.RunAsGroupIDRange{Min: int64Ptr(0), Max: int64Ptr(0)}, + expectError: false, + }, + { + name: "valid range starting at zero", + rng: securityv1.RunAsGroupIDRange{Min: int64Ptr(0), Max: int64Ptr(1000)}, + expectError: false, + }, + { + name: "valid range with negative values (allowed)", + rng: securityv1.RunAsGroupIDRange{Min: int64Ptr(-10), Max: int64Ptr(10)}, + expectError: false, + }, + { + name: "invalid range with negative max less than negative min", + rng: securityv1.RunAsGroupIDRange{Min: int64Ptr(-5), Max: int64Ptr(-10)}, + expectError: true, + errorMsg: "min (-5) must be less than or equal to max (-10)", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := validateIDRange(tt.rng) + if tt.expectError { + if err == nil { + t.Errorf("expected error but got none") + } else if !strings.Contains(err.Error(), tt.errorMsg) { + t.Errorf("expected error to contain %q but got %q", tt.errorMsg, err.Error()) + } + } else { + if err != nil { + t.Errorf("expected no error but got: %v", err) + } + } + }) + } +} + +func TestMustRunAsWithInvalidRange(t *testing.T) { + tests := []struct { + name string + opts *securityv1.RunAsGroupStrategyOptions + expectError bool + errorMsg string + }{ + { + name: "invalid range with min > max", + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(200), Max: int64Ptr(100)}, + }, + }, + expectError: true, + errorMsg: "invalid range", + }, + { + name: "valid range with min == max", + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(100), Max: int64Ptr(100)}, + }, + }, + expectError: false, + }, + { + name: "invalid range with negative max less than min", + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(10), Max: int64Ptr(-10)}, + }, + }, + expectError: true, + errorMsg: "invalid range", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + _, err := NewMustRunAs(tt.opts) + if tt.expectError { + if err == nil { + t.Errorf("expected error but got none") + } else if !strings.Contains(err.Error(), tt.errorMsg) { + t.Errorf("expected error to contain %q but got %q", tt.errorMsg, err.Error()) + } + } else { + if err != nil { + t.Errorf("expected no error but got: %v", err) + } + } + }) + } +} + +func TestMustRunAsRangeWithInvalidRanges(t *testing.T) { + tests := []struct { + name string + opts *securityv1.RunAsGroupStrategyOptions + expectError bool + errorMsg string + }{ + { + name: "single invalid range with min > max", + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(200), Max: int64Ptr(100)}, + }, + }, + expectError: true, + errorMsg: "invalid range at index 0", + }, + { + name: "multiple ranges with one invalid", + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(10), Max: int64Ptr(20)}, + {Min: int64Ptr(100), Max: int64Ptr(50)}, // Invalid + }, + }, + expectError: true, + errorMsg: "invalid range at index 1", + }, + { + name: "multiple valid ranges", + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(10), Max: int64Ptr(20)}, + {Min: int64Ptr(100), Max: int64Ptr(200)}, + }, + }, + expectError: false, + }, + { + name: "all ranges invalid", + opts: &securityv1.RunAsGroupStrategyOptions{ + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(200), Max: int64Ptr(100)}, + {Min: int64Ptr(1000), Max: int64Ptr(500)}, + }, + }, + expectError: true, + errorMsg: "invalid range at index 0", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + _, err := NewMustRunAsRange(tt.opts) + if tt.expectError { + if err == nil { + t.Errorf("expected error but got none") + } else if !strings.Contains(err.Error(), tt.errorMsg) { + t.Errorf("expected error to contain %q but got %q", tt.errorMsg, err.Error()) + } + } else { + if err != nil { + t.Errorf("expected no error but got: %v", err) + } + } + }) + } +} diff --git a/pkg/securitycontextconstraints/sccadmission/admission_test.go b/pkg/securitycontextconstraints/sccadmission/admission_test.go index e100aab3a..68703e955 100644 --- a/pkg/securitycontextconstraints/sccadmission/admission_test.go +++ b/pkg/securitycontextconstraints/sccadmission/admission_test.go @@ -1964,6 +1964,9 @@ func laxSCC() *securityv1.SecurityContextConstraints { RunAsUser: securityv1.RunAsUserStrategyOptions{ Type: securityv1.RunAsUserStrategyRunAsAny, }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, SELinuxContext: securityv1.SELinuxContextStrategyOptions{ Type: securityv1.SELinuxStrategyRunAsAny, }, @@ -1979,6 +1982,7 @@ func laxSCC() *securityv1.SecurityContextConstraints { func restrictiveSCC() *securityv1.SecurityContextConstraints { var exactUID int64 = 999 + var exactGID int64 = 999 return &securityv1.SecurityContextConstraints{ ObjectMeta: metav1.ObjectMeta{ Name: "restrictive", @@ -1987,6 +1991,12 @@ func restrictiveSCC() *securityv1.SecurityContextConstraints { Type: securityv1.RunAsUserStrategyMustRunAs, UID: &exactUID, }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: &exactGID, Max: &exactGID}, + }, + }, SELinuxContext: securityv1.SELinuxContextStrategyOptions{ Type: securityv1.SELinuxStrategyMustRunAs, SELinuxOptions: &corev1.SELinuxOptions{ @@ -2042,6 +2052,9 @@ func saSCC() *securityv1.SecurityContextConstraints { RunAsUser: securityv1.RunAsUserStrategyOptions{ Type: securityv1.RunAsUserStrategyMustRunAsRange, }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, SELinuxContext: securityv1.SELinuxContextStrategyOptions{ Type: securityv1.SELinuxStrategyMustRunAs, }, @@ -2065,6 +2078,9 @@ func saExactSCC() *securityv1.SecurityContextConstraints { Type: securityv1.RunAsUserStrategyMustRunAs, UID: &exactUID, }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, SELinuxContext: securityv1.SELinuxContextStrategyOptions{ Type: securityv1.SELinuxStrategyMustRunAs, SELinuxOptions: &corev1.SELinuxOptions{ diff --git a/pkg/securitycontextconstraints/sccmatching/provider.go b/pkg/securitycontextconstraints/sccmatching/provider.go index 6acd3913d..d5b84349c 100644 --- a/pkg/securitycontextconstraints/sccmatching/provider.go +++ b/pkg/securitycontextconstraints/sccmatching/provider.go @@ -13,6 +13,7 @@ import ( securityv1 "github.com/openshift/api/security/v1" "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/capabilities" "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/group" + "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/runasgroup" "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/seccomp" "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/selinux" "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl" @@ -32,6 +33,7 @@ const ( type simpleProvider struct { scc *securityv1.SecurityContextConstraints runAsUserStrategy user.RunAsUserSecurityContextConstraintsStrategy + runAsGroupStrategy runasgroup.RunAsGroupSecurityContextConstraintsStrategy seLinuxStrategy selinux.SELinuxSecurityContextConstraintsStrategy fsGroupStrategy group.GroupSecurityContextConstraintsStrategy supplementalGroupStrategy group.GroupSecurityContextConstraintsStrategy @@ -54,6 +56,11 @@ func NewSimpleProvider(scc *securityv1.SecurityContextConstraints) (SecurityCont return nil, err } + groupStrat, err := createRunAsGroupStrategy(&scc.RunAsGroup) + if err != nil { + return nil, err + } + seLinuxStrat, err := createSELinuxStrategy(&scc.SELinuxContext) if err != nil { return nil, err @@ -87,6 +94,7 @@ func NewSimpleProvider(scc *securityv1.SecurityContextConstraints) (SecurityCont return &simpleProvider{ scc: scc, runAsUserStrategy: userStrat, + runAsGroupStrategy: groupStrat, seLinuxStrategy: seLinuxStrat, fsGroupStrategy: fsGroupStrat, supplementalGroupStrategy: supGroupStrat, @@ -161,6 +169,14 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container sc.SetRunAsUser(uid) } + if sc.RunAsGroup() == nil { + gid, err := s.runAsGroupStrategy.Generate(pod, container) + if err != nil { + return nil, err + } + sc.SetRunAsGroup(gid) + } + if sc.SELinuxOptions() == nil { seLinux, err := s.seLinuxStrategy.Generate(pod, container) if err != nil { @@ -337,6 +353,7 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe sc := securitycontext.NewEffectiveContainerSecurityContextAccessor(podSC, securitycontext.NewContainerSecurityContextMutator(container.SecurityContext)) allErrs = append(allErrs, s.runAsUserStrategy.Validate(fldPath, pod, container, sc.RunAsNonRoot(), sc.RunAsUser())...) + allErrs = append(allErrs, s.runAsGroupStrategy.Validate(fldPath, pod, container, sc.RunAsGroup())...) allErrs = append(allErrs, s.seLinuxStrategy.Validate(fldPath.Child("seLinuxOptions"), pod, container, sc.SELinuxOptions())...) allErrs = append(allErrs, s.seccompStrategy.ValidateContainer(pod, container)...) @@ -433,6 +450,48 @@ func createUserStrategy(opts *securityv1.RunAsUserStrategyOptions) (user.RunAsUs } } +// createRunAsGroupStrategy creates a new group strategy. +func createRunAsGroupStrategy(opts *securityv1.RunAsGroupStrategyOptions) (runasgroup.RunAsGroupSecurityContextConstraintsStrategy, error) { + // If no strategy is specified, default to MustRunAs with ranges [1000, 65534] + if opts.Type == "" { + min := int64(1000) + max := int64(65534) + defaultOpts := &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + { + Min: &min, + Max: &max, + }, + }, + } + return runasgroup.NewMustRunAsRange(defaultOpts) + } + + switch opts.Type { + case securityv1.RunAsGroupStrategyMustRunAs: + // The MustRunAs strategy type can be used in two ways: + // 1. Single GID: exactly one range with min==max (enforces a specific GID) + // 2. Range(s): one or more ranges where GID can vary within the range(s) + // + // We use different implementations for these two cases: + // - NewMustRunAs: validates against a single required GID + // - NewMustRunAsRange: validates against one or more allowed ranges + if len(opts.Ranges) == 1 && opts.Ranges[0].Min != nil && opts.Ranges[0].Max != nil && *opts.Ranges[0].Min == *opts.Ranges[0].Max { + // Exactly one range with min==max means a single required GID + return runasgroup.NewMustRunAs(opts) + } + // Multiple ranges, or a single range with min!=max + return runasgroup.NewMustRunAsRange(opts) + case securityv1.RunAsGroupStrategyMustRunAsRange: + return runasgroup.NewMustRunAsRange(opts) + case securityv1.RunAsGroupStrategyRunAsAny: + return runasgroup.NewRunAsAny(opts) + default: + return nil, fmt.Errorf("Unrecognized RunAsGroup strategy type %s", opts.Type) + } +} + // createSELinuxStrategy creates a new selinux strategy. func createSELinuxStrategy(opts *securityv1.SELinuxContextStrategyOptions) (selinux.SELinuxSecurityContextConstraintsStrategy, error) { switch opts.Type { diff --git a/pkg/securitycontextconstraints/sccmatching/provider_runasgroup_test.go b/pkg/securitycontextconstraints/sccmatching/provider_runasgroup_test.go new file mode 100644 index 000000000..fca22a2e6 --- /dev/null +++ b/pkg/securitycontextconstraints/sccmatching/provider_runasgroup_test.go @@ -0,0 +1,294 @@ +package sccmatching + +import ( + "testing" + + securityv1 "github.com/openshift/api/security/v1" +) + +// int64Ptr is a helper function that returns a pointer to an int64 +func int64Ptr(v int64) *int64 { + return &v +} + +// TestCreateRunAsGroupStrategy verifies that the createRunAsGroupStrategy function +// properly creates the correct strategy based on RunAsGroupStrategyOptions +func TestCreateRunAsGroupStrategy(t *testing.T) { + tests := []struct { + name string + opts *securityv1.RunAsGroupStrategyOptions + expectError bool + strategyType string + }{ + { + name: "Empty type defaults to MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: "", + }, + expectError: false, + strategyType: "MustRunAsRange", + }, + { + name: "RunAsAny strategy", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, + expectError: false, + strategyType: "RunAsAny", + }, + { + name: "MustRunAs with single GID (min==max)", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(1000)}, + }, + }, + expectError: false, + strategyType: "MustRunAs", + }, + { + name: "MustRunAs with range (min!=max) - uses MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + }, + }, + expectError: false, + strategyType: "MustRunAsRange", + }, + { + name: "MustRunAs with multiple ranges - uses MustRunAsRange", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(1000)}, + {Min: int64Ptr(2000), Max: int64Ptr(2000)}, + }, + }, + expectError: false, + strategyType: "MustRunAsRange", + }, + { + name: "MustRunAsRange strategy", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + }, + }, + expectError: false, + strategyType: "MustRunAsRange", + }, + { + name: "MustRunAsRange with multiple ranges", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + {Min: int64Ptr(5000), Max: int64Ptr(6000)}, + }, + }, + expectError: false, + strategyType: "MustRunAsRange", + }, + { + name: "Invalid: MustRunAs with nil Min", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: nil, Max: int64Ptr(1000)}, + }, + }, + expectError: true, + }, + { + name: "Invalid: MustRunAs with nil Max", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: nil}, + }, + }, + expectError: true, + }, + { + name: "Invalid: MustRunAs with min > max", + opts: &securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(2000), Max: int64Ptr(1000)}, + }, + }, + expectError: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + strategy, err := createRunAsGroupStrategy(tt.opts) + + if tt.expectError { + if err == nil { + t.Errorf("Expected error but got none") + } + return + } + + if err != nil { + t.Errorf("Unexpected error: %v", err) + return + } + + if strategy == nil { + t.Error("Strategy should not be nil") + return + } + + // Verify the strategy works by testing Generate + generated, err := strategy.Generate(nil, nil) + if err != nil { + t.Errorf("Generate failed: %v", err) + } + + // For RunAsAny, generated should be nil + if tt.strategyType == "RunAsAny" && generated != nil { + t.Errorf("RunAsAny should generate nil, got %v", *generated) + } + // For MustRunAs and MustRunAsRange, generated should be non-nil + if tt.strategyType != "RunAsAny" && generated == nil { + t.Errorf("%s should generate a non-nil GID", tt.strategyType) + } + }) + } +} + +// TestProviderIntegration verifies the full integration of runAsGroup with the provider +func TestProviderIntegration(t *testing.T) { + tests := []struct { + name string + scc *securityv1.SecurityContextConstraints + expectError bool + }{ + { + name: "SCC with RunAsGroup RunAsAny", + scc: &securityv1.SecurityContextConstraints{ + RunAsUser: securityv1.RunAsUserStrategyOptions{ + Type: securityv1.RunAsUserStrategyRunAsAny, + }, + SELinuxContext: securityv1.SELinuxContextStrategyOptions{ + Type: securityv1.SELinuxStrategyRunAsAny, + }, + FSGroup: securityv1.FSGroupStrategyOptions{ + Type: securityv1.FSGroupStrategyRunAsAny, + }, + SupplementalGroups: securityv1.SupplementalGroupsStrategyOptions{ + Type: securityv1.SupplementalGroupsStrategyRunAsAny, + }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, + }, + expectError: false, + }, + { + name: "SCC with RunAsGroup MustRunAs", + scc: &securityv1.SecurityContextConstraints{ + RunAsUser: securityv1.RunAsUserStrategyOptions{ + Type: securityv1.RunAsUserStrategyRunAsAny, + }, + SELinuxContext: securityv1.SELinuxContextStrategyOptions{ + Type: securityv1.SELinuxStrategyRunAsAny, + }, + FSGroup: securityv1.FSGroupStrategyOptions{ + Type: securityv1.FSGroupStrategyRunAsAny, + }, + SupplementalGroups: securityv1.SupplementalGroupsStrategyOptions{ + Type: securityv1.SupplementalGroupsStrategyRunAsAny, + }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAs, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(5000), Max: int64Ptr(5000)}, + }, + }, + }, + expectError: false, + }, + { + name: "SCC with RunAsGroup MustRunAsRange", + scc: &securityv1.SecurityContextConstraints{ + RunAsUser: securityv1.RunAsUserStrategyOptions{ + Type: securityv1.RunAsUserStrategyRunAsAny, + }, + SELinuxContext: securityv1.SELinuxContextStrategyOptions{ + Type: securityv1.SELinuxStrategyRunAsAny, + }, + FSGroup: securityv1.FSGroupStrategyOptions{ + Type: securityv1.FSGroupStrategyRunAsAny, + }, + SupplementalGroups: securityv1.SupplementalGroupsStrategyOptions{ + Type: securityv1.SupplementalGroupsStrategyRunAsAny, + }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyMustRunAsRange, + Ranges: []securityv1.RunAsGroupIDRange{ + {Min: int64Ptr(1000), Max: int64Ptr(2000)}, + {Min: int64Ptr(5000), Max: int64Ptr(6000)}, + }, + }, + }, + expectError: false, + }, + { + name: "SCC with empty RunAsGroup (defaults to RunAsAny)", + scc: &securityv1.SecurityContextConstraints{ + RunAsUser: securityv1.RunAsUserStrategyOptions{ + Type: securityv1.RunAsUserStrategyRunAsAny, + }, + SELinuxContext: securityv1.SELinuxContextStrategyOptions{ + Type: securityv1.SELinuxStrategyRunAsAny, + }, + FSGroup: securityv1.FSGroupStrategyOptions{ + Type: securityv1.FSGroupStrategyRunAsAny, + }, + SupplementalGroups: securityv1.SupplementalGroupsStrategyOptions{ + Type: securityv1.SupplementalGroupsStrategyRunAsAny, + }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: "", + }, + }, + expectError: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + provider, err := NewSimpleProvider(tt.scc) + + if tt.expectError { + if err == nil { + t.Errorf("Expected error but got none") + } + return + } + + if err != nil { + t.Errorf("Failed to create provider: %v", err) + return + } + + if provider == nil { + t.Error("Provider should not be nil") + return + } + + // Verify we can create a container security context + // Note: Passing nil for pod and container is acceptable for this basic test + // as we're just verifying the provider can be created successfully + _ = provider + }) + } +} diff --git a/pkg/securitycontextconstraints/sccmatching/provider_test.go b/pkg/securitycontextconstraints/sccmatching/provider_test.go index 9e96ea4c7..a16a4fe93 100644 --- a/pkg/securitycontextconstraints/sccmatching/provider_test.go +++ b/pkg/securitycontextconstraints/sccmatching/provider_test.go @@ -41,6 +41,9 @@ func TestCreatePodSecurityContextNonmutating(t *testing.T) { RunAsUser: securityv1.RunAsUserStrategyOptions{ Type: securityv1.RunAsUserStrategyRunAsAny, }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, SELinuxContext: securityv1.SELinuxContextStrategyOptions{ Type: securityv1.SELinuxStrategyRunAsAny, }, @@ -98,6 +101,9 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) { RunAsUser: securityv1.RunAsUserStrategyOptions{ Type: securityv1.RunAsUserStrategyRunAsAny, }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, SELinuxContext: securityv1.SELinuxContextStrategyOptions{ Type: securityv1.SELinuxStrategyRunAsAny, }, @@ -266,7 +272,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { "failSupplementalGroupOutOfRange": { pod: failSupplementalGroupPod, scc: failSupplementalGroupSCC, - expectedError: "999 is not an allowed group", + expectedError: "must be in the ranges: [1, 1]", }, "failSupplementalGroupEmpty": { pod: defaultPod(), @@ -276,7 +282,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) { "failFSGroupOutOfRange": { pod: failFSGroupPod, scc: failFSGroupSCC, - expectedError: "999 is not an allowed group", + expectedError: "must be in the ranges: [1, 1]", }, "failFSGroupEmpty": { pod: defaultPod(), @@ -1133,6 +1139,9 @@ func defaultSCC() *securityv1.SecurityContextConstraints { RunAsUser: securityv1.RunAsUserStrategyOptions{ Type: securityv1.RunAsUserStrategyRunAsAny, }, + RunAsGroup: securityv1.RunAsGroupStrategyOptions{ + Type: securityv1.RunAsGroupStrategyRunAsAny, + }, SELinuxContext: securityv1.SELinuxContextStrategyOptions{ Type: securityv1.SELinuxStrategyRunAsAny, }, diff --git a/vendor/github.com/openshift/api/security/v1/generated.pb.go b/vendor/github.com/openshift/api/security/v1/generated.pb.go index e28b59584..0f69f6f5c 100644 --- a/vendor/github.com/openshift/api/security/v1/generated.pb.go +++ b/vendor/github.com/openshift/api/security/v1/generated.pb.go @@ -395,10 +395,66 @@ func (m *RangeAllocationList) XXX_DiscardUnknown() { var xxx_messageInfo_RangeAllocationList proto.InternalMessageInfo +func (m *RunAsGroupIDRange) Reset() { *m = RunAsGroupIDRange{} } +func (*RunAsGroupIDRange) ProtoMessage() {} +func (*RunAsGroupIDRange) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{13} +} +func (m *RunAsGroupIDRange) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RunAsGroupIDRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RunAsGroupIDRange) XXX_Merge(src proto.Message) { + xxx_messageInfo_RunAsGroupIDRange.Merge(m, src) +} +func (m *RunAsGroupIDRange) XXX_Size() int { + return m.Size() +} +func (m *RunAsGroupIDRange) XXX_DiscardUnknown() { + xxx_messageInfo_RunAsGroupIDRange.DiscardUnknown(m) +} + +var xxx_messageInfo_RunAsGroupIDRange proto.InternalMessageInfo + +func (m *RunAsGroupStrategyOptions) Reset() { *m = RunAsGroupStrategyOptions{} } +func (*RunAsGroupStrategyOptions) ProtoMessage() {} +func (*RunAsGroupStrategyOptions) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{14} +} +func (m *RunAsGroupStrategyOptions) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RunAsGroupStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RunAsGroupStrategyOptions) XXX_Merge(src proto.Message) { + xxx_messageInfo_RunAsGroupStrategyOptions.Merge(m, src) +} +func (m *RunAsGroupStrategyOptions) XXX_Size() int { + return m.Size() +} +func (m *RunAsGroupStrategyOptions) XXX_DiscardUnknown() { + xxx_messageInfo_RunAsGroupStrategyOptions.DiscardUnknown(m) +} + +var xxx_messageInfo_RunAsGroupStrategyOptions proto.InternalMessageInfo + func (m *RunAsUserStrategyOptions) Reset() { *m = RunAsUserStrategyOptions{} } func (*RunAsUserStrategyOptions) ProtoMessage() {} func (*RunAsUserStrategyOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{13} + return fileDescriptor_af65d9655aa67551, []int{15} } func (m *RunAsUserStrategyOptions) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -426,7 +482,7 @@ var xxx_messageInfo_RunAsUserStrategyOptions proto.InternalMessageInfo func (m *SELinuxContextStrategyOptions) Reset() { *m = SELinuxContextStrategyOptions{} } func (*SELinuxContextStrategyOptions) ProtoMessage() {} func (*SELinuxContextStrategyOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{14} + return fileDescriptor_af65d9655aa67551, []int{16} } func (m *SELinuxContextStrategyOptions) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -454,7 +510,7 @@ var xxx_messageInfo_SELinuxContextStrategyOptions proto.InternalMessageInfo func (m *SecurityContextConstraints) Reset() { *m = SecurityContextConstraints{} } func (*SecurityContextConstraints) ProtoMessage() {} func (*SecurityContextConstraints) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{15} + return fileDescriptor_af65d9655aa67551, []int{17} } func (m *SecurityContextConstraints) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -482,7 +538,7 @@ var xxx_messageInfo_SecurityContextConstraints proto.InternalMessageInfo func (m *SecurityContextConstraintsList) Reset() { *m = SecurityContextConstraintsList{} } func (*SecurityContextConstraintsList) ProtoMessage() {} func (*SecurityContextConstraintsList) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{16} + return fileDescriptor_af65d9655aa67551, []int{18} } func (m *SecurityContextConstraintsList) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -512,7 +568,7 @@ func (m *ServiceAccountPodSecurityPolicyReviewStatus) Reset() { } func (*ServiceAccountPodSecurityPolicyReviewStatus) ProtoMessage() {} func (*ServiceAccountPodSecurityPolicyReviewStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{17} + return fileDescriptor_af65d9655aa67551, []int{19} } func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -540,7 +596,7 @@ var xxx_messageInfo_ServiceAccountPodSecurityPolicyReviewStatus proto.InternalMe func (m *SupplementalGroupsStrategyOptions) Reset() { *m = SupplementalGroupsStrategyOptions{} } func (*SupplementalGroupsStrategyOptions) ProtoMessage() {} func (*SupplementalGroupsStrategyOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{18} + return fileDescriptor_af65d9655aa67551, []int{20} } func (m *SupplementalGroupsStrategyOptions) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -579,6 +635,8 @@ func init() { proto.RegisterType((*PodSecurityPolicySubjectReviewStatus)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySubjectReviewStatus") proto.RegisterType((*RangeAllocation)(nil), "github.com.openshift.api.security.v1.RangeAllocation") proto.RegisterType((*RangeAllocationList)(nil), "github.com.openshift.api.security.v1.RangeAllocationList") + proto.RegisterType((*RunAsGroupIDRange)(nil), "github.com.openshift.api.security.v1.RunAsGroupIDRange") + proto.RegisterType((*RunAsGroupStrategyOptions)(nil), "github.com.openshift.api.security.v1.RunAsGroupStrategyOptions") proto.RegisterType((*RunAsUserStrategyOptions)(nil), "github.com.openshift.api.security.v1.RunAsUserStrategyOptions") proto.RegisterType((*SELinuxContextStrategyOptions)(nil), "github.com.openshift.api.security.v1.SELinuxContextStrategyOptions") proto.RegisterType((*SecurityContextConstraints)(nil), "github.com.openshift.api.security.v1.SecurityContextConstraints") @@ -592,120 +650,127 @@ func init() { } var fileDescriptor_af65d9655aa67551 = []byte{ - // 1803 bytes of a gzipped FileDescriptorProto + // 1909 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x59, 0xcd, 0x6f, 0x1b, 0xc7, - 0x15, 0xd7, 0x8a, 0xfa, 0xe2, 0x48, 0x96, 0xe4, 0x91, 0x2c, 0x4f, 0xd4, 0x98, 0x54, 0xd7, 0x6e, - 0x60, 0xb4, 0xcd, 0x32, 0x36, 0xd2, 0xc6, 0x45, 0x1a, 0x23, 0x5c, 0x31, 0x72, 0x14, 0xc8, 0x31, - 0x33, 0x8c, 0x82, 0x22, 0x08, 0x8a, 0x8c, 0x96, 0x43, 0x7a, 0xac, 0xe5, 0xee, 0x76, 0x67, 0x56, - 0x16, 0xd1, 0x4b, 0x81, 0xfe, 0x03, 0x05, 0x7a, 0xef, 0xb9, 0xfd, 0x07, 0x7a, 0x29, 0xda, 0x5e, - 0x0d, 0xb4, 0x45, 0x73, 0x2a, 0x72, 0x22, 0x6a, 0x16, 0xbd, 0xf4, 0xda, 0x9b, 0x0f, 0x45, 0x31, - 0xc3, 0xe1, 0xc7, 0x2e, 0x77, 0xe9, 0x4d, 0x6a, 0x0b, 0xbd, 0x69, 0xdf, 0xc7, 0xef, 0xfd, 0xde, - 0xcc, 0xbc, 0x37, 0x6f, 0x28, 0xf0, 0x66, 0x9b, 0x89, 0x87, 0xd1, 0x89, 0xe5, 0xf8, 0x9d, 0x8a, - 0x1f, 0x50, 0x8f, 0x3f, 0x64, 0x2d, 0x51, 0x21, 0x01, 0xab, 0x70, 0xea, 0x44, 0x21, 0x13, 0xdd, - 0xca, 0xd9, 0xad, 0x4a, 0x9b, 0x7a, 0x34, 0x24, 0x82, 0x36, 0xad, 0x20, 0xf4, 0x85, 0x0f, 0x6f, - 0x8c, 0xbd, 0xac, 0x91, 0x97, 0x45, 0x02, 0x66, 0x0d, 0xbd, 0xac, 0xb3, 0x5b, 0xbb, 0xaf, 0x4f, - 0x60, 0xb7, 0xfd, 0xb6, 0x5f, 0x51, 0xce, 0x27, 0x51, 0x4b, 0x7d, 0xa9, 0x0f, 0xf5, 0xd7, 0x00, - 0x74, 0xd7, 0x3c, 0xbd, 0xc3, 0x2d, 0xe6, 0xab, 0xe0, 0x8e, 0x1f, 0xd2, 0x94, 0xc0, 0xbb, 0x6f, - 0x8e, 0x6d, 0x3a, 0xc4, 0x79, 0xc8, 0x3c, 0x1a, 0x76, 0x2b, 0xc1, 0x69, 0x5b, 0x0a, 0x78, 0xa5, - 0x43, 0x05, 0x49, 0xf3, 0xfa, 0x7e, 0x96, 0x57, 0x18, 0x79, 0x82, 0x75, 0x68, 0x85, 0x3b, 0x0f, - 0x69, 0x87, 0x24, 0xfd, 0xcc, 0xb7, 0xc1, 0xe5, 0xaa, 0xeb, 0xfa, 0x8f, 0x69, 0xf3, 0xc0, 0xa5, - 0xe7, 0x9f, 0xf8, 0x6e, 0xd4, 0xa1, 0xf0, 0x35, 0xb0, 0xd4, 0x0c, 0xd9, 0x19, 0x0d, 0x91, 0xb1, - 0x67, 0xdc, 0x2c, 0xda, 0xeb, 0x4f, 0x7a, 0xe5, 0xb9, 0x7e, 0xaf, 0xbc, 0x54, 0x53, 0x52, 0xac, - 0xb5, 0xe6, 0xaf, 0x0d, 0xb0, 0x73, 0xd0, 0xb8, 0x17, 0xfa, 0x51, 0xd0, 0x10, 0x12, 0xb5, 0xdd, - 0x7d, 0x10, 0x08, 0xe6, 0x7b, 0x1c, 0xbe, 0x05, 0x16, 0x44, 0x37, 0xa0, 0x1a, 0xe0, 0xba, 0x06, - 0x58, 0xf8, 0xb8, 0x1b, 0xd0, 0x67, 0xbd, 0xf2, 0x56, 0xc2, 0x4b, 0x8a, 0xb1, 0x72, 0x80, 0xc7, - 0x60, 0x29, 0x24, 0x5e, 0x9b, 0x72, 0x34, 0xbf, 0x57, 0xb8, 0xb9, 0x7a, 0xfb, 0x75, 0x2b, 0xcf, - 0x46, 0x58, 0x87, 0x35, 0x2c, 0xbd, 0xc6, 0x54, 0xd5, 0x27, 0xc7, 0x1a, 0xcc, 0xbc, 0x07, 0x96, - 0xb5, 0x09, 0xbc, 0x06, 0x0a, 0x1d, 0xe6, 0x29, 0x66, 0x05, 0x7b, 0x55, 0xdb, 0x17, 0xee, 0x33, - 0x0f, 0x4b, 0xb9, 0x52, 0x93, 0x73, 0x34, 0x9f, 0x50, 0x93, 0x73, 0x2c, 0xe5, 0xe6, 0x5f, 0xe6, - 0xc1, 0xd5, 0xba, 0xdf, 0x6c, 0xe8, 0xd8, 0x75, 0xdf, 0x65, 0x4e, 0x17, 0xd3, 0x33, 0x46, 0x1f, - 0xc3, 0xcf, 0xc1, 0x8a, 0xdc, 0x9f, 0x26, 0x11, 0x04, 0x15, 0xf6, 0x8c, 0x9b, 0xab, 0xb7, 0xdf, - 0xb0, 0x06, 0xfb, 0x62, 0x4d, 0xee, 0x8b, 0x15, 0x9c, 0xb6, 0xa5, 0x80, 0x5b, 0xd2, 0x5a, 0xb2, - 0x7f, 0x70, 0xf2, 0x88, 0x3a, 0xe2, 0x3e, 0x15, 0xc4, 0x86, 0x3a, 0x22, 0x18, 0xcb, 0xf0, 0x08, - 0x15, 0x3a, 0x60, 0x81, 0x07, 0xd4, 0x51, 0xe4, 0x57, 0x6f, 0x57, 0xf3, 0xad, 0x4d, 0x06, 0xdd, - 0x46, 0x40, 0x1d, 0x7b, 0x6d, 0xb8, 0x33, 0xf2, 0x0b, 0x2b, 0x70, 0x78, 0x0a, 0x96, 0xb8, 0x20, - 0x22, 0xe2, 0x6a, 0x11, 0x56, 0x6f, 0xef, 0xff, 0x6f, 0x61, 0x14, 0xd4, 0x78, 0x63, 0x06, 0xdf, - 0x58, 0x87, 0x30, 0x7f, 0x67, 0x80, 0x6f, 0xcc, 0x20, 0x08, 0x3f, 0x02, 0x2b, 0x82, 0x76, 0x02, - 0x97, 0x08, 0xaa, 0xb3, 0xbe, 0x3e, 0xb1, 0xa6, 0x96, 0xac, 0x22, 0x1d, 0xfc, 0x63, 0x6d, 0xa6, - 0xf2, 0xda, 0xd4, 0xe1, 0x56, 0x86, 0x52, 0x3c, 0x82, 0x81, 0x87, 0x60, 0x8b, 0xd3, 0xf0, 0x8c, - 0x39, 0xb4, 0xea, 0x38, 0x7e, 0xe4, 0x89, 0x0f, 0x49, 0x47, 0x9f, 0xb7, 0xa2, 0x7d, 0xb5, 0xdf, - 0x2b, 0x6f, 0x35, 0xa6, 0xd5, 0x38, 0xcd, 0xc7, 0xfc, 0x93, 0x01, 0xae, 0xcd, 0xcc, 0x1b, 0xfe, - 0xc6, 0x00, 0x3b, 0x64, 0x50, 0x61, 0x71, 0x54, 0x8e, 0x0c, 0x75, 0xc0, 0x3f, 0xca, 0xb7, 0xba, - 0x71, 0xe7, 0xd9, 0x6b, 0x5d, 0xd2, 0xc9, 0xef, 0x54, 0x53, 0x03, 0xe3, 0x0c, 0x42, 0xe6, 0xbf, - 0xe6, 0x81, 0x39, 0x85, 0xdc, 0xa0, 0x6e, 0xab, 0x11, 0xa9, 0xc3, 0x78, 0x61, 0xc7, 0xdc, 0x8b, - 0x1d, 0xf3, 0xa3, 0xaf, 0x79, 0xfe, 0xa6, 0x98, 0x67, 0x9e, 0xf8, 0x30, 0x71, 0xe2, 0x3f, 0xf8, - 0xba, 0x11, 0x63, 0xd1, 0x66, 0x1f, 0xfc, 0x9f, 0x82, 0xd7, 0xf2, 0x31, 0x7e, 0x09, 0x25, 0x60, - 0xf6, 0xe7, 0x41, 0x69, 0x36, 0xfb, 0x0b, 0xd8, 0xe5, 0x47, 0xb1, 0x5d, 0x7e, 0xff, 0x85, 0xac, - 0xf9, 0xff, 0xd3, 0x0e, 0xff, 0xde, 0x48, 0x2b, 0xa7, 0x0b, 0xd8, 0x5e, 0xb8, 0x07, 0x16, 0x22, - 0x4e, 0x43, 0x95, 0x6b, 0x71, 0xbc, 0x1e, 0xc7, 0x9c, 0x86, 0x58, 0x69, 0xa0, 0x09, 0x96, 0xda, - 0xf2, 0x06, 0xe6, 0xa8, 0xa0, 0xda, 0x1e, 0x90, 0xfc, 0xd5, 0x9d, 0xcc, 0xb1, 0xd6, 0x98, 0xff, - 0x36, 0xc0, 0x8d, 0x3c, 0x0b, 0x00, 0xeb, 0xa0, 0xa8, 0x3b, 0x8a, 0xdd, 0x9d, 0x95, 0xc2, 0x03, - 0xed, 0xda, 0xa2, 0x21, 0xf5, 0x1c, 0x6a, 0x5f, 0xea, 0xf7, 0xca, 0xc5, 0xea, 0xd0, 0x13, 0x8f, - 0x41, 0xe4, 0x04, 0x12, 0x52, 0xc2, 0x7d, 0x4f, 0xa7, 0x30, 0xbe, 0xd6, 0x95, 0x14, 0x6b, 0x6d, - 0x6c, 0xed, 0x0a, 0x2f, 0xa6, 0x34, 0x7e, 0x6b, 0x80, 0x0d, 0x35, 0x28, 0x48, 0x62, 0x0e, 0x91, - 0xe3, 0x4c, 0xac, 0x16, 0x8c, 0x97, 0x52, 0x0b, 0xd7, 0xc1, 0xa2, 0x9a, 0x54, 0x74, 0xbe, 0x97, - 0xb4, 0xf1, 0xa2, 0x62, 0x82, 0x07, 0x3a, 0xf8, 0x2a, 0x58, 0x18, 0x95, 0xe3, 0x9a, 0xbd, 0x22, - 0xb7, 0xb4, 0x46, 0x04, 0xc1, 0x4a, 0x6a, 0xfe, 0xd5, 0x00, 0x5b, 0x09, 0xe2, 0x47, 0x8c, 0x0b, - 0xf8, 0xd9, 0x14, 0x79, 0x2b, 0x1f, 0x79, 0xe9, 0xad, 0xa8, 0x8f, 0x96, 0x6b, 0x28, 0x99, 0x20, - 0xfe, 0x29, 0x58, 0x64, 0x82, 0x76, 0x86, 0xe3, 0xda, 0xf7, 0xf2, 0xd5, 0x55, 0x82, 0xe7, 0x38, - 0xdf, 0x43, 0x89, 0x85, 0x07, 0x90, 0xe6, 0xdf, 0x0c, 0x80, 0x70, 0xe4, 0x55, 0xb9, 0x3c, 0xb8, - 0xc9, 0x09, 0xf3, 0x07, 0xb1, 0x09, 0xf3, 0x5b, 0x89, 0x09, 0xf3, 0xca, 0x94, 0xdf, 0xc4, 0x8c, - 0xf9, 0x0a, 0x28, 0x44, 0xac, 0xa9, 0x47, 0xbc, 0x65, 0x39, 0xde, 0x1d, 0x1f, 0xd6, 0xb0, 0x94, - 0xc1, 0x5b, 0x60, 0x35, 0x62, 0x4d, 0x45, 0xef, 0x3e, 0xf3, 0xd4, 0x4a, 0x17, 0xec, 0x8d, 0x7e, - 0xaf, 0xbc, 0x7a, 0xac, 0xe7, 0x47, 0x39, 0x28, 0x4e, 0xda, 0xc4, 0x5c, 0xc8, 0x39, 0x5a, 0x48, - 0x71, 0x21, 0xe7, 0x78, 0xd2, 0xc6, 0xfc, 0xa3, 0x01, 0xae, 0x35, 0xde, 0x3b, 0x62, 0x5e, 0x74, - 0xbe, 0xef, 0x7b, 0x82, 0x9e, 0x8b, 0x64, 0x76, 0x77, 0x63, 0xd9, 0x7d, 0x3b, 0x91, 0xdd, 0x6e, - 0xba, 0xf3, 0x44, 0x8a, 0x3f, 0x06, 0xeb, 0x9c, 0x2a, 0x1b, 0x8d, 0xa8, 0xfb, 0x9e, 0x99, 0x56, - 0x1e, 0x1a, 0x4d, 0x5b, 0xda, 0xb0, 0xdf, 0x2b, 0xaf, 0xc7, 0x65, 0x38, 0x81, 0x66, 0xfe, 0xe7, - 0x32, 0xd8, 0x1d, 0x36, 0x06, 0xcd, 0x62, 0xdf, 0xf7, 0xb8, 0x08, 0x09, 0xf3, 0x04, 0xbf, 0x80, - 0x82, 0xb9, 0x09, 0x56, 0x82, 0x90, 0xf9, 0x32, 0xbe, 0x4a, 0x6d, 0xd1, 0x5e, 0x93, 0x27, 0xb4, - 0xae, 0x65, 0x78, 0xa4, 0x85, 0x9f, 0x01, 0xa4, 0x1a, 0x4b, 0x3d, 0x64, 0x67, 0xcc, 0xa5, 0x6d, - 0xda, 0x94, 0x84, 0x89, 0x24, 0xa0, 0xf6, 0x77, 0xc5, 0xde, 0xd3, 0x91, 0x50, 0x35, 0xc3, 0x0e, - 0x67, 0x22, 0x40, 0x0e, 0x76, 0x9a, 0xb4, 0x45, 0x22, 0x57, 0x54, 0x9b, 0xcd, 0x7d, 0x12, 0x90, - 0x13, 0xe6, 0x32, 0xc1, 0x28, 0x47, 0x0b, 0xaa, 0xb1, 0xbe, 0x2d, 0xe7, 0xb0, 0x5a, 0xaa, 0xc5, - 0xb3, 0x5e, 0xf9, 0xda, 0xf4, 0x83, 0xd0, 0x1a, 0x99, 0x74, 0x71, 0x06, 0x34, 0xec, 0x02, 0x14, - 0xd2, 0x9f, 0x44, 0x2c, 0xa4, 0xcd, 0x5a, 0xe8, 0x07, 0xb1, 0xb0, 0x8b, 0x2a, 0xec, 0x3b, 0x32, - 0x1d, 0x9c, 0x61, 0xf3, 0xfc, 0xc0, 0x99, 0xf0, 0xf0, 0x11, 0xd8, 0xd2, 0x6d, 0x3a, 0x16, 0x75, - 0x49, 0x45, 0xbd, 0x23, 0x87, 0xe7, 0xea, 0xb4, 0xfa, 0xf9, 0x01, 0xd3, 0x40, 0x47, 0x3b, 0xf7, - 0xbe, 0xcf, 0x45, 0x8d, 0x85, 0x83, 0xd7, 0x69, 0xdd, 0x8d, 0xda, 0xcc, 0x43, 0xcb, 0x29, 0x3b, - 0x97, 0x62, 0x87, 0x33, 0x11, 0x60, 0x05, 0x2c, 0x9f, 0xa9, 0x6f, 0x8e, 0x56, 0x14, 0xfb, 0x2b, - 0xfd, 0x5e, 0x79, 0x79, 0x60, 0x22, 0x19, 0x2f, 0x1d, 0x34, 0x54, 0x41, 0x0d, 0xad, 0xe0, 0xcf, - 0x0d, 0x00, 0x49, 0xf2, 0xb1, 0xcc, 0xd1, 0x15, 0xd5, 0xf8, 0xde, 0xca, 0xd7, 0xf8, 0xa6, 0x1e, - 0xdb, 0xf6, 0xae, 0x4e, 0x01, 0x4e, 0xa9, 0x38, 0x4e, 0x09, 0x07, 0x6b, 0x60, 0x73, 0x94, 0xd2, - 0x87, 0x54, 0x3c, 0xf6, 0xc3, 0x53, 0x54, 0x54, 0x8b, 0x81, 0x34, 0xd2, 0x66, 0x35, 0xa1, 0xc7, - 0x53, 0x1e, 0xf0, 0x2e, 0x58, 0x1f, 0xc9, 0xea, 0x7e, 0x28, 0x38, 0x02, 0x0a, 0x63, 0x47, 0x63, - 0xac, 0x57, 0x63, 0x5a, 0x9c, 0xb0, 0x86, 0x77, 0xc0, 0xda, 0x58, 0x72, 0x58, 0x43, 0xab, 0xca, - 0x7b, 0x5b, 0x7b, 0xaf, 0x55, 0x27, 0x74, 0x38, 0x66, 0x19, 0xf3, 0x3c, 0xac, 0xef, 0xa3, 0xb5, - 0x0c, 0xcf, 0xc3, 0xfa, 0x3e, 0x8e, 0x59, 0xc2, 0xcf, 0x01, 0x94, 0xb3, 0x8b, 0x7a, 0x79, 0x05, - 0xc4, 0xa1, 0x47, 0xf4, 0x8c, 0xba, 0x68, 0x57, 0x75, 0xc8, 0x37, 0x86, 0xab, 0x78, 0x3c, 0x65, - 0xf1, 0xac, 0x57, 0x86, 0x71, 0x89, 0xda, 0xd6, 0x14, 0x2c, 0xd8, 0x01, 0xe5, 0x61, 0xc5, 0xc5, - 0xea, 0xfd, 0x3d, 0xee, 0x10, 0x57, 0xdd, 0x54, 0x68, 0x47, 0xd1, 0xbd, 0xde, 0xef, 0x95, 0xcb, - 0xb5, 0xd9, 0xa6, 0xf8, 0x79, 0x58, 0xf0, 0x47, 0xc9, 0xce, 0x34, 0x11, 0xe7, 0xaa, 0x8a, 0xf3, - 0xea, 0x74, 0x57, 0x9a, 0x08, 0x90, 0xe9, 0x2d, 0x8f, 0xea, 0xb0, 0x63, 0xeb, 0xee, 0x8c, 0x2e, - 0x7d, 0x95, 0xb7, 0xfc, 0xcc, 0xcb, 0x69, 0x7c, 0x48, 0xe2, 0x66, 0x38, 0x11, 0x12, 0xfa, 0xa0, - 0x18, 0x0e, 0xaf, 0x61, 0xb4, 0xae, 0xe2, 0xdf, 0xcd, 0x39, 0x1f, 0x64, 0xdc, 0xfa, 0xf6, 0x65, - 0x1d, 0xba, 0x38, 0xb2, 0xc0, 0xe3, 0x18, 0xf0, 0x97, 0x06, 0x80, 0x3c, 0x0a, 0x02, 0x97, 0x76, - 0xa8, 0x27, 0x88, 0x3b, 0x18, 0x68, 0xd1, 0x86, 0x0a, 0x7d, 0x2f, 0x67, 0xea, 0x53, 0xfe, 0x49, - 0x0e, 0xa3, 0x8a, 0x9d, 0x36, 0xc5, 0x29, 0xe1, 0x61, 0x1b, 0x2c, 0xb7, 0xb8, 0xfa, 0x1b, 0x6d, - 0x2a, 0x26, 0x3f, 0xcc, 0xc7, 0x24, 0xfd, 0xa7, 0x35, 0x7b, 0x43, 0x87, 0x5f, 0xd6, 0x7a, 0x3c, - 0x44, 0x87, 0x9f, 0x80, 0x9d, 0x90, 0x92, 0xe6, 0x03, 0xcf, 0xed, 0x62, 0xdf, 0x17, 0x07, 0xcc, - 0xa5, 0xbc, 0xcb, 0x05, 0xed, 0xa0, 0xcb, 0xea, 0x34, 0x8d, 0x7e, 0x17, 0xc0, 0xa9, 0x56, 0x38, - 0xc3, 0x1b, 0x96, 0xc1, 0xa2, 0x2c, 0x16, 0x8e, 0xa0, 0xea, 0x93, 0x45, 0x39, 0xa8, 0xc9, 0xf5, - 0xe6, 0x78, 0x20, 0x9f, 0x78, 0x4d, 0x6c, 0x65, 0xbd, 0x26, 0xe0, 0x3b, 0x60, 0x83, 0x53, 0xc7, - 0xf1, 0x3b, 0x41, 0x3d, 0xf4, 0x5b, 0x12, 0x1c, 0x6d, 0x2b, 0xe3, 0xad, 0x7e, 0xaf, 0xbc, 0xd1, - 0x88, 0xab, 0x70, 0xd2, 0x16, 0x1e, 0x81, 0x6d, 0xdd, 0x0c, 0x8f, 0x3d, 0x4e, 0x5a, 0xb4, 0xd1, - 0xe5, 0x8e, 0x70, 0x39, 0x42, 0x0a, 0x03, 0xf5, 0x7b, 0xe5, 0xed, 0x6a, 0x8a, 0x1e, 0xa7, 0x7a, - 0xc1, 0x77, 0xc1, 0x66, 0xcb, 0x0f, 0x4f, 0x58, 0xb3, 0x49, 0xbd, 0x21, 0xd2, 0x2b, 0x0a, 0x69, - 0x5b, 0x36, 0xd0, 0x83, 0x84, 0x0e, 0x4f, 0x59, 0x9b, 0xff, 0x34, 0x40, 0x29, 0x7b, 0x00, 0xba, - 0x80, 0xc1, 0x9b, 0xc6, 0x07, 0xef, 0x77, 0xf3, 0xfe, 0x8c, 0x94, 0x45, 0x39, 0x63, 0x06, 0xff, - 0xd5, 0x3c, 0xf8, 0xce, 0x57, 0xf8, 0xed, 0x09, 0xfe, 0xd9, 0x00, 0x37, 0x82, 0x1c, 0x8f, 0x46, - 0xbd, 0x22, 0x2f, 0xf2, 0x1d, 0xfe, 0x5d, 0x9d, 0x40, 0xae, 0x47, 0x2b, 0xce, 0xc5, 0x52, 0xbe, - 0xa4, 0x3d, 0xd2, 0xa1, 0xc9, 0x97, 0xb4, 0xbc, 0x37, 0xb0, 0xd2, 0x98, 0x7f, 0x30, 0xc0, 0x37, - 0x9f, 0xdb, 0x33, 0xa0, 0x1d, 0x9b, 0xe7, 0xad, 0xc4, 0x3c, 0x5f, 0xca, 0x06, 0x78, 0xe9, 0x3f, - 0x8d, 0xdb, 0x1f, 0x3c, 0x79, 0x5a, 0x9a, 0xfb, 0xe2, 0x69, 0x69, 0xee, 0xcb, 0xa7, 0xa5, 0xb9, - 0x9f, 0xf5, 0x4b, 0xc6, 0x93, 0x7e, 0xc9, 0xf8, 0xa2, 0x5f, 0x32, 0xbe, 0xec, 0x97, 0x8c, 0xbf, - 0xf7, 0x4b, 0xc6, 0x2f, 0xfe, 0x51, 0x9a, 0xfb, 0xf4, 0x46, 0x9e, 0xff, 0xa2, 0xfc, 0x37, 0x00, - 0x00, 0xff, 0xff, 0xb7, 0xb2, 0xaf, 0x36, 0x6c, 0x19, 0x00, 0x00, + 0x15, 0xd7, 0x8a, 0xfa, 0xe2, 0x93, 0x2c, 0xc9, 0x23, 0x59, 0x5e, 0x29, 0x31, 0xa9, 0xae, 0x5d, + 0xc3, 0x68, 0x1b, 0x32, 0x36, 0xd2, 0xc6, 0x6d, 0x1a, 0x37, 0x5c, 0x31, 0x52, 0x14, 0xc8, 0x31, + 0x33, 0x8c, 0x82, 0x22, 0x08, 0xda, 0x8c, 0x96, 0x43, 0x7a, 0xad, 0xe5, 0xee, 0x76, 0x67, 0x56, + 0x16, 0xd1, 0x4b, 0x81, 0xfe, 0x03, 0x05, 0x7a, 0xef, 0xb9, 0xfd, 0x07, 0x0a, 0x14, 0x45, 0xdb, + 0xab, 0x81, 0xb6, 0x68, 0x4e, 0x45, 0x4e, 0x44, 0xcd, 0xa2, 0x97, 0x5e, 0x73, 0xf3, 0xa9, 0x98, + 0xe1, 0x90, 0xdc, 0x5d, 0xee, 0xca, 0x54, 0x6a, 0x0b, 0xb9, 0x71, 0xdf, 0xc7, 0xef, 0x7d, 0xcd, + 0xbc, 0x79, 0x33, 0x84, 0x37, 0x5a, 0x36, 0x7f, 0x18, 0x1e, 0x95, 0x2c, 0xaf, 0x5d, 0xf6, 0x7c, + 0xea, 0xb2, 0x87, 0x76, 0x93, 0x97, 0x89, 0x6f, 0x97, 0x19, 0xb5, 0xc2, 0xc0, 0xe6, 0x9d, 0xf2, + 0xc9, 0xed, 0x72, 0x8b, 0xba, 0x34, 0x20, 0x9c, 0x36, 0x4a, 0x7e, 0xe0, 0x71, 0x0f, 0xdd, 0x18, + 0x69, 0x95, 0x86, 0x5a, 0x25, 0xe2, 0xdb, 0xa5, 0x81, 0x56, 0xe9, 0xe4, 0xf6, 0xd6, 0x6b, 0x11, + 0xec, 0x96, 0xd7, 0xf2, 0xca, 0x52, 0xf9, 0x28, 0x6c, 0xca, 0x2f, 0xf9, 0x21, 0x7f, 0xf5, 0x41, + 0xb7, 0x8c, 0xe3, 0xbb, 0xac, 0x64, 0x7b, 0xd2, 0xb8, 0xe5, 0x05, 0x34, 0xc5, 0xf0, 0xd6, 0x1b, + 0x23, 0x99, 0x36, 0xb1, 0x1e, 0xda, 0x2e, 0x0d, 0x3a, 0x65, 0xff, 0xb8, 0x25, 0x08, 0xac, 0xdc, + 0xa6, 0x9c, 0xa4, 0x69, 0x7d, 0x2f, 0x4b, 0x2b, 0x08, 0x5d, 0x6e, 0xb7, 0x69, 0x99, 0x59, 0x0f, + 0x69, 0x9b, 0x24, 0xf5, 0x8c, 0xb7, 0xe0, 0x72, 0xc5, 0x71, 0xbc, 0xc7, 0xb4, 0xb1, 0xeb, 0xd0, + 0xd3, 0x8f, 0x3d, 0x27, 0x6c, 0x53, 0x74, 0x13, 0xe6, 0x1a, 0x81, 0x7d, 0x42, 0x03, 0x5d, 0xdb, + 0xd6, 0x6e, 0xe5, 0xcd, 0xe5, 0x27, 0xdd, 0xe2, 0x54, 0xaf, 0x5b, 0x9c, 0xab, 0x4a, 0x2a, 0x56, + 0x5c, 0xe3, 0xb7, 0x1a, 0x6c, 0xec, 0xd6, 0xf7, 0x02, 0x2f, 0xf4, 0xeb, 0x5c, 0xa0, 0xb6, 0x3a, + 0x0f, 0x7c, 0x6e, 0x7b, 0x2e, 0x43, 0x6f, 0xc2, 0x0c, 0xef, 0xf8, 0x54, 0x01, 0x5c, 0x57, 0x00, + 0x33, 0x1f, 0x75, 0x7c, 0xfa, 0xac, 0x5b, 0x5c, 0x4b, 0x68, 0x09, 0x32, 0x96, 0x0a, 0xe8, 0x10, + 0xe6, 0x02, 0xe2, 0xb6, 0x28, 0xd3, 0xa7, 0xb7, 0x73, 0xb7, 0x16, 0xef, 0xbc, 0x56, 0x9a, 0xa4, + 0x10, 0xa5, 0xfd, 0x2a, 0x16, 0x5a, 0x23, 0x57, 0xe5, 0x27, 0xc3, 0x0a, 0xcc, 0xd8, 0x83, 0x79, + 0x25, 0x82, 0xae, 0x41, 0xae, 0x6d, 0xbb, 0xd2, 0xb3, 0x9c, 0xb9, 0xa8, 0xe4, 0x73, 0xf7, 0x6d, + 0x17, 0x0b, 0xba, 0x64, 0x93, 0x53, 0x7d, 0x3a, 0xc1, 0x26, 0xa7, 0x58, 0xd0, 0x8d, 0xbf, 0x4f, + 0xc3, 0xd5, 0x9a, 0xd7, 0xa8, 0x2b, 0xdb, 0x35, 0xcf, 0xb1, 0xad, 0x0e, 0xa6, 0x27, 0x36, 0x7d, + 0x8c, 0x3e, 0x83, 0x05, 0x51, 0x9f, 0x06, 0xe1, 0x44, 0xcf, 0x6d, 0x6b, 0xb7, 0x16, 0xef, 0xbc, + 0x5e, 0xea, 0xd7, 0xa5, 0x14, 0xad, 0x4b, 0xc9, 0x3f, 0x6e, 0x09, 0x02, 0x2b, 0x09, 0x69, 0xe1, + 0xfd, 0x83, 0xa3, 0x47, 0xd4, 0xe2, 0xf7, 0x29, 0x27, 0x26, 0x52, 0x16, 0x61, 0x44, 0xc3, 0x43, + 0x54, 0x64, 0xc1, 0x0c, 0xf3, 0xa9, 0x25, 0x9d, 0x5f, 0xbc, 0x53, 0x99, 0x2c, 0x37, 0x19, 0xee, + 0xd6, 0x7d, 0x6a, 0x99, 0x4b, 0x83, 0xca, 0x88, 0x2f, 0x2c, 0xc1, 0xd1, 0x31, 0xcc, 0x31, 0x4e, + 0x78, 0xc8, 0x64, 0x12, 0x16, 0xef, 0xec, 0xfc, 0x7f, 0x66, 0x24, 0xd4, 0xa8, 0x30, 0xfd, 0x6f, + 0xac, 0x4c, 0x18, 0x7f, 0xd4, 0xe0, 0x95, 0x33, 0x1c, 0x44, 0x1f, 0xc2, 0x02, 0xa7, 0x6d, 0xdf, + 0x21, 0x9c, 0xaa, 0xa8, 0xaf, 0x47, 0x72, 0x5a, 0x12, 0xbb, 0x48, 0x19, 0xff, 0x48, 0x89, 0xc9, + 0xb8, 0x56, 0x95, 0xb9, 0x85, 0x01, 0x15, 0x0f, 0x61, 0xd0, 0x3e, 0xac, 0x31, 0x1a, 0x9c, 0xd8, + 0x16, 0xad, 0x58, 0x96, 0x17, 0xba, 0xfc, 0x03, 0xd2, 0x56, 0xeb, 0x2d, 0x6f, 0x5e, 0xed, 0x75, + 0x8b, 0x6b, 0xf5, 0x71, 0x36, 0x4e, 0xd3, 0x31, 0xfe, 0xaa, 0xc1, 0xb5, 0x33, 0xe3, 0x46, 0xbf, + 0xd3, 0x60, 0x83, 0xf4, 0x77, 0x58, 0x1c, 0x95, 0xe9, 0x9a, 0x5c, 0xe0, 0x1f, 0x4e, 0x96, 0xdd, + 0xb8, 0xf2, 0xd9, 0xb9, 0x2e, 0xa8, 0xe0, 0x37, 0x2a, 0xa9, 0x86, 0x71, 0x86, 0x43, 0xc6, 0x7f, + 0xa7, 0xc1, 0x18, 0x43, 0xae, 0x53, 0xa7, 0x59, 0x0f, 0xe5, 0x62, 0xbc, 0xb0, 0x65, 0xee, 0xc6, + 0x96, 0xf9, 0xc1, 0x57, 0x5c, 0x7f, 0x63, 0x9e, 0x67, 0xae, 0xf8, 0x20, 0xb1, 0xe2, 0xdf, 0xff, + 0xaa, 0x16, 0x63, 0xd6, 0xce, 0x5e, 0xf8, 0x3f, 0x87, 0x9b, 0x93, 0x79, 0xfc, 0x12, 0xb6, 0x80, + 0xd1, 0x9b, 0x86, 0xc2, 0xd9, 0xde, 0x5f, 0x40, 0x95, 0x1f, 0xc5, 0xaa, 0xfc, 0xde, 0x0b, 0xc9, + 0xf9, 0xd7, 0xa9, 0xc2, 0x7f, 0xd2, 0xd2, 0xb6, 0xd3, 0x05, 0x94, 0x17, 0x6d, 0xc3, 0x4c, 0xc8, + 0x68, 0x20, 0x63, 0xcd, 0x8f, 0xf2, 0x71, 0xc8, 0x68, 0x80, 0x25, 0x07, 0x19, 0x30, 0xd7, 0x12, + 0x27, 0x30, 0xd3, 0x73, 0xb2, 0xed, 0x81, 0xf0, 0x5f, 0x9e, 0xc9, 0x0c, 0x2b, 0x8e, 0xf1, 0xa5, + 0x06, 0x37, 0x26, 0x49, 0x00, 0xaa, 0x41, 0x5e, 0x75, 0x14, 0xb3, 0x73, 0x56, 0x08, 0x0f, 0x94, + 0x6a, 0x93, 0x06, 0xd4, 0xb5, 0xa8, 0x79, 0xa9, 0xd7, 0x2d, 0xe6, 0x2b, 0x03, 0x4d, 0x3c, 0x02, + 0x11, 0x13, 0x48, 0x40, 0x09, 0xf3, 0x5c, 0x15, 0xc2, 0xe8, 0x58, 0x97, 0x54, 0xac, 0xb8, 0xb1, + 0xdc, 0xe5, 0x5e, 0xcc, 0xd6, 0xf8, 0xbd, 0x06, 0x2b, 0x72, 0x50, 0x10, 0x8e, 0x59, 0x44, 0x8c, + 0x33, 0xb1, 0xbd, 0xa0, 0xbd, 0x94, 0xbd, 0x70, 0x1d, 0x66, 0xe5, 0xa4, 0xa2, 0xe2, 0xbd, 0xa4, + 0x84, 0x67, 0xa5, 0x27, 0xb8, 0xcf, 0x43, 0xaf, 0xc2, 0xcc, 0x70, 0x3b, 0x2e, 0x99, 0x0b, 0xa2, + 0xa4, 0x55, 0xc2, 0x09, 0x96, 0x54, 0xe3, 0x1f, 0x1a, 0xac, 0x25, 0x1c, 0x3f, 0xb0, 0x19, 0x47, + 0x9f, 0x8e, 0x39, 0x5f, 0x9a, 0xcc, 0x79, 0xa1, 0x2d, 0x5d, 0x1f, 0xa6, 0x6b, 0x40, 0x89, 0x38, + 0xfe, 0x09, 0xcc, 0xda, 0x9c, 0xb6, 0x07, 0xe3, 0xda, 0x77, 0x27, 0xdb, 0x57, 0x09, 0x3f, 0x47, + 0xf1, 0xee, 0x0b, 0x2c, 0xdc, 0x87, 0x34, 0xf6, 0xe1, 0x32, 0x0e, 0xdd, 0x0a, 0x93, 0xeb, 0x72, + 0x30, 0xbe, 0x6d, 0x46, 0xc7, 0xb7, 0xf9, 0xd8, 0xe8, 0xb6, 0x19, 0x1d, 0xdd, 0xe6, 0x63, 0x63, + 0xdb, 0x1f, 0xa6, 0x61, 0x73, 0x84, 0x95, 0x9c, 0x56, 0x7f, 0x10, 0x9b, 0x56, 0x6f, 0x26, 0xa6, + 0xd5, 0x8d, 0x71, 0xc5, 0xc8, 0xc0, 0xba, 0x09, 0xb9, 0x96, 0xdd, 0x88, 0x1a, 0xdd, 0xdb, 0xaf, + 0x62, 0x41, 0x43, 0xb7, 0x61, 0xb1, 0x65, 0x37, 0xa4, 0xdb, 0xf7, 0x6d, 0x57, 0x96, 0x2d, 0x67, + 0xae, 0xf4, 0xba, 0xc5, 0xc5, 0x3d, 0x15, 0x8d, 0x70, 0x3d, 0x2a, 0x13, 0x53, 0x21, 0xa7, 0xfa, + 0x4c, 0x8a, 0x0a, 0x39, 0xc5, 0x51, 0x19, 0xf4, 0xd3, 0xe1, 0xc4, 0x3c, 0x2b, 0x4b, 0xf0, 0xe6, + 0x84, 0x25, 0x48, 0x66, 0x36, 0x73, 0x76, 0xfe, 0xa7, 0x06, 0xba, 0x94, 0x16, 0xfd, 0x23, 0x99, + 0xba, 0xef, 0xc7, 0x52, 0xf7, 0xcd, 0x44, 0xea, 0xae, 0x8c, 0xe9, 0xc5, 0x33, 0x17, 0xc6, 0x33, + 0x77, 0x28, 0x32, 0x17, 0xf6, 0x33, 0x17, 0xa6, 0x67, 0xee, 0x30, 0x9a, 0xb9, 0x30, 0x9e, 0xb9, + 0x30, 0x3d, 0x73, 0x87, 0xd1, 0xcc, 0x45, 0x64, 0x8c, 0xbf, 0x68, 0x70, 0xad, 0xfe, 0xee, 0x81, + 0xed, 0x86, 0xa7, 0x3b, 0x9e, 0xcb, 0xe9, 0x29, 0x4f, 0x46, 0x77, 0x2f, 0x16, 0xdd, 0xb7, 0x12, + 0xd1, 0x6d, 0xa5, 0x2b, 0x47, 0x42, 0xfc, 0x09, 0x2c, 0x33, 0x2a, 0x65, 0x14, 0xa2, 0x3a, 0x7e, + 0x8c, 0xb4, 0x2e, 0xa5, 0xd0, 0x94, 0xa4, 0x89, 0x7a, 0xdd, 0xe2, 0x72, 0x9c, 0x86, 0x13, 0x68, + 0xc6, 0x97, 0x08, 0xb6, 0x06, 0xfd, 0x59, 0x79, 0xb1, 0xe3, 0xb9, 0x8c, 0x07, 0xc4, 0x76, 0x39, + 0xbb, 0x80, 0xbe, 0x75, 0x0b, 0x16, 0xfc, 0xc0, 0xf6, 0x84, 0x7d, 0x19, 0xda, 0xac, 0xb9, 0x24, + 0x1a, 0x45, 0x4d, 0xd1, 0xf0, 0x90, 0x8b, 0x3e, 0x05, 0x5d, 0xf6, 0xf7, 0x5a, 0x60, 0x9f, 0xd8, + 0x0e, 0x6d, 0xd1, 0x86, 0x70, 0x98, 0x08, 0x07, 0x64, 0x7d, 0x17, 0xcc, 0x6d, 0x65, 0x49, 0xaf, + 0x64, 0xc8, 0xe1, 0x4c, 0x04, 0xc4, 0x60, 0xa3, 0x41, 0x9b, 0x24, 0x74, 0x78, 0xa5, 0xd1, 0xd8, + 0x21, 0x3e, 0x39, 0xb2, 0x1d, 0x9b, 0xdb, 0x94, 0xe9, 0x33, 0xf2, 0x7c, 0x7b, 0x4b, 0x8c, 0xc3, + 0xd5, 0x54, 0x89, 0x67, 0xdd, 0xe2, 0xb5, 0xf1, 0x7b, 0x79, 0x69, 0x28, 0xd2, 0xc1, 0x19, 0xd0, + 0xa8, 0x03, 0x7a, 0x40, 0x7f, 0x16, 0xda, 0x01, 0x6d, 0x54, 0x03, 0xcf, 0x8f, 0x99, 0x9d, 0x95, + 0x66, 0xdf, 0x16, 0xe1, 0xe0, 0x0c, 0x99, 0xe7, 0x1b, 0xce, 0x84, 0x47, 0x8f, 0x60, 0x4d, 0x9d, + 0x96, 0x31, 0xab, 0x73, 0xd2, 0xea, 0x5d, 0x71, 0x87, 0xa9, 0x8c, 0xb3, 0x9f, 0x6f, 0x30, 0x0d, + 0x74, 0x58, 0xb9, 0xf7, 0x3c, 0xc6, 0xab, 0x76, 0xd0, 0x7f, 0x24, 0xa8, 0x39, 0x61, 0xcb, 0x76, + 0xf5, 0xf9, 0x94, 0xca, 0xa5, 0xc8, 0xe1, 0x4c, 0x04, 0x54, 0x86, 0xf9, 0x13, 0xf9, 0xcd, 0xf4, + 0x05, 0xe9, 0xfd, 0x95, 0x5e, 0xb7, 0x38, 0xdf, 0x17, 0x11, 0x1e, 0xcf, 0xed, 0xd6, 0xe5, 0x86, + 0x1a, 0x48, 0xa1, 0x5f, 0x6a, 0x80, 0x48, 0xf2, 0xcd, 0x82, 0xe9, 0x57, 0xce, 0xd3, 0xfc, 0xc6, + 0xde, 0x3c, 0xcc, 0x2d, 0x15, 0x02, 0x1a, 0x63, 0x31, 0x9c, 0x62, 0x0e, 0x55, 0x61, 0x75, 0x18, + 0xd2, 0x07, 0x94, 0x3f, 0xf6, 0x82, 0x63, 0x3d, 0x2f, 0x93, 0xa1, 0x2b, 0xa4, 0xd5, 0x4a, 0x82, + 0x8f, 0xc7, 0x34, 0xd0, 0x3d, 0x58, 0x1e, 0xd2, 0x6a, 0x5e, 0xc0, 0x99, 0x0e, 0x12, 0x63, 0x43, + 0x61, 0x2c, 0x57, 0x62, 0x5c, 0x9c, 0x90, 0x46, 0x77, 0x61, 0x69, 0x44, 0xd9, 0xaf, 0xea, 0x8b, + 0x52, 0x7b, 0x5d, 0x69, 0x2f, 0x55, 0x22, 0x3c, 0x1c, 0x93, 0x8c, 0x69, 0xee, 0xd7, 0x76, 0xf4, + 0xa5, 0x0c, 0xcd, 0xfd, 0xda, 0x0e, 0x8e, 0x49, 0xa2, 0xcf, 0x00, 0x89, 0x11, 0x52, 0x5e, 0x80, + 0x7d, 0x62, 0xd1, 0x03, 0x7a, 0x42, 0x1d, 0x7d, 0x4b, 0x76, 0xc8, 0xd7, 0x07, 0x59, 0x3c, 0x1c, + 0x93, 0x78, 0xd6, 0x2d, 0xa2, 0x38, 0x45, 0x96, 0x35, 0x05, 0x0b, 0xb5, 0xa1, 0x38, 0xd8, 0x71, + 0xb1, 0xfd, 0xfe, 0x2e, 0xb3, 0x88, 0x23, 0x07, 0x06, 0x7d, 0x43, 0xba, 0x7b, 0xbd, 0xd7, 0x2d, + 0x16, 0xab, 0x67, 0x8b, 0xe2, 0xe7, 0x61, 0xa1, 0x1f, 0x27, 0x3b, 0x53, 0xc4, 0xce, 0x55, 0x69, + 0xe7, 0xd5, 0xf1, 0xae, 0x14, 0x31, 0x90, 0xa9, 0x2d, 0x96, 0xea, 0xa0, 0x63, 0xab, 0xee, 0xac, + 0x5f, 0x3a, 0xcf, 0x93, 0xca, 0x99, 0x87, 0xd3, 0x68, 0x91, 0xc4, 0xc5, 0x70, 0xc2, 0x24, 0xf2, + 0x20, 0x1f, 0x0c, 0x8e, 0x61, 0x7d, 0x59, 0xda, 0xbf, 0x77, 0x8e, 0x19, 0x21, 0xe5, 0xd4, 0x37, + 0x2f, 0x2b, 0xd3, 0xf9, 0xa1, 0x04, 0x1e, 0xd9, 0x40, 0xbf, 0xd6, 0x00, 0xb1, 0xd0, 0xf7, 0x1d, + 0xda, 0xa6, 0x2e, 0x27, 0x4e, 0xff, 0x5e, 0xa1, 0xaf, 0x48, 0xd3, 0x7b, 0x13, 0x86, 0x3e, 0xa6, + 0x9f, 0xf4, 0x61, 0xb8, 0x63, 0xc7, 0x45, 0x71, 0x8a, 0x79, 0xd4, 0x82, 0xf9, 0x66, 0x7f, 0xe0, + 0xd1, 0x57, 0xa5, 0x27, 0x3f, 0x9c, 0xcc, 0x93, 0xf4, 0x17, 0x4e, 0x73, 0x45, 0x99, 0x9f, 0x57, + 0x7c, 0x3c, 0x40, 0x47, 0x0c, 0x20, 0x18, 0x0e, 0x57, 0xfa, 0x2b, 0xd2, 0xd6, 0x8f, 0xce, 0x3b, + 0x94, 0x25, 0xcd, 0x0d, 0x8f, 0xe1, 0x91, 0x08, 0x8e, 0x98, 0x41, 0x1f, 0xc3, 0x46, 0x40, 0x49, + 0xe3, 0x81, 0xeb, 0x74, 0xb0, 0xe7, 0xf1, 0x5d, 0xdb, 0xa1, 0xac, 0xc3, 0x38, 0x6d, 0xeb, 0x97, + 0xe5, 0x12, 0x1e, 0xbe, 0x09, 0xe1, 0x54, 0x29, 0x9c, 0xa1, 0x8d, 0x8a, 0x30, 0x2b, 0x76, 0x28, + 0xd3, 0x91, 0x6c, 0xce, 0x79, 0x31, 0xa4, 0x8b, 0x22, 0x33, 0xdc, 0xa7, 0x47, 0x6e, 0x92, 0x6b, + 0x59, 0x37, 0x49, 0xf4, 0x36, 0xac, 0x30, 0x6a, 0x59, 0x5e, 0xdb, 0xaf, 0x05, 0x5e, 0x53, 0x80, + 0xeb, 0xeb, 0x52, 0x78, 0xad, 0xd7, 0x2d, 0xae, 0xd4, 0xe3, 0x2c, 0x9c, 0x94, 0x45, 0x07, 0xb0, + 0xae, 0x3a, 0xf0, 0xa1, 0xcb, 0x48, 0x93, 0xd6, 0x3b, 0xcc, 0xe2, 0x0e, 0xd3, 0x75, 0x89, 0xa1, + 0xf7, 0xba, 0xc5, 0xf5, 0x4a, 0x0a, 0x1f, 0xa7, 0x6a, 0xa1, 0x77, 0x60, 0xb5, 0xe9, 0x05, 0x47, + 0x76, 0xa3, 0x41, 0xdd, 0x01, 0xd2, 0xa6, 0x44, 0x5a, 0x17, 0x5d, 0x7b, 0x37, 0xc1, 0xc3, 0x63, + 0xd2, 0xc6, 0x7f, 0x34, 0x28, 0x64, 0x4f, 0x5d, 0x17, 0x70, 0xe9, 0xa2, 0xf1, 0x4b, 0xd7, 0x3b, + 0x93, 0x3e, 0x21, 0x66, 0xb9, 0x9c, 0x71, 0xff, 0xfa, 0xcd, 0x34, 0x7c, 0xfb, 0x1c, 0xef, 0x8e, + 0xe8, 0x6f, 0x1a, 0xdc, 0xf0, 0x27, 0x78, 0x30, 0x50, 0x19, 0x79, 0x91, 0x6f, 0x30, 0xdf, 0x51, + 0x01, 0x4c, 0xf4, 0x60, 0x81, 0x27, 0xf2, 0x12, 0x6d, 0xc3, 0x8c, 0x4b, 0xda, 0x34, 0xf9, 0x8a, + 0x22, 0x0e, 0x2b, 0x2c, 0x39, 0xc6, 0x9f, 0x35, 0xf8, 0xc6, 0x73, 0x1b, 0x15, 0x32, 0x63, 0x97, + 0x88, 0x52, 0xe2, 0x12, 0x51, 0xc8, 0x06, 0x78, 0xe9, 0x7f, 0x8b, 0x98, 0xef, 0x3f, 0x79, 0x5a, + 0x98, 0xfa, 0xfc, 0x69, 0x61, 0xea, 0x8b, 0xa7, 0x85, 0xa9, 0x5f, 0xf4, 0x0a, 0xda, 0x93, 0x5e, + 0x41, 0xfb, 0xbc, 0x57, 0xd0, 0xbe, 0xe8, 0x15, 0xb4, 0x7f, 0xf5, 0x0a, 0xda, 0xaf, 0xfe, 0x5d, + 0x98, 0xfa, 0xe4, 0xc6, 0x24, 0xff, 0xa0, 0xfd, 0x2f, 0x00, 0x00, 0xff, 0xff, 0xd9, 0x2d, 0x41, + 0x78, 0x68, 0x1b, 0x00, 0x00, } func (m *AllowedFlexVolume) Marshal() (dAtA []byte, err error) { @@ -1267,6 +1332,96 @@ func (m *RangeAllocationList) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *RunAsGroupIDRange) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RunAsGroupIDRange) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RunAsGroupIDRange) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.Max != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.Max)) + i-- + dAtA[i] = 0x10 + } + if m.Min != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.Min)) + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + +func (m *RunAsGroupStrategyOptions) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RunAsGroupStrategyOptions) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RunAsGroupStrategyOptions) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Ranges) > 0 { + for iNdEx := len(m.Ranges) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.Ranges[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x2a + } + } + if m.GIDRangeMax != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.GIDRangeMax)) + i-- + dAtA[i] = 0x20 + } + if m.GIDRangeMin != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.GIDRangeMin)) + i-- + dAtA[i] = 0x18 + } + if m.GID != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.GID)) + i-- + dAtA[i] = 0x10 + } + i -= len(m.Type) + copy(dAtA[i:], m.Type) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + func (m *RunAsUserStrategyOptions) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -1370,6 +1525,18 @@ func (m *SecurityContextConstraints) MarshalToSizedBuffer(dAtA []byte) (int, err _ = i var l int _ = l + { + size, err := m.RunAsGroup.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xda i -= len(m.UserNamespaceLevel) copy(dAtA[i:], m.UserNamespaceLevel) i = encodeVarintGenerated(dAtA, i, uint64(len(m.UserNamespaceLevel))) @@ -1961,6 +2128,47 @@ func (m *RangeAllocationList) Size() (n int) { return n } +func (m *RunAsGroupIDRange) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Min != nil { + n += 1 + sovGenerated(uint64(*m.Min)) + } + if m.Max != nil { + n += 1 + sovGenerated(uint64(*m.Max)) + } + return n +} + +func (m *RunAsGroupStrategyOptions) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Type) + n += 1 + l + sovGenerated(uint64(l)) + if m.GID != nil { + n += 1 + sovGenerated(uint64(*m.GID)) + } + if m.GIDRangeMin != nil { + n += 1 + sovGenerated(uint64(*m.GIDRangeMin)) + } + if m.GIDRangeMax != nil { + n += 1 + sovGenerated(uint64(*m.GIDRangeMax)) + } + if len(m.Ranges) > 0 { + for _, e := range m.Ranges { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + func (m *RunAsUserStrategyOptions) Size() (n int) { if m == nil { return 0 @@ -2090,6 +2298,8 @@ func (m *SecurityContextConstraints) Size() (n int) { } l = len(m.UserNamespaceLevel) n += 2 + l + sovGenerated(uint64(l)) + l = m.RunAsGroup.Size() + n += 2 + l + sovGenerated(uint64(l)) return n } @@ -2307,6 +2517,36 @@ func (this *RangeAllocationList) String() string { }, "") return s } +func (this *RunAsGroupIDRange) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&RunAsGroupIDRange{`, + `Min:` + valueToStringGenerated(this.Min) + `,`, + `Max:` + valueToStringGenerated(this.Max) + `,`, + `}`, + }, "") + return s +} +func (this *RunAsGroupStrategyOptions) String() string { + if this == nil { + return "nil" + } + repeatedStringForRanges := "[]RunAsGroupIDRange{" + for _, f := range this.Ranges { + repeatedStringForRanges += strings.Replace(strings.Replace(f.String(), "RunAsGroupIDRange", "RunAsGroupIDRange", 1), `&`, ``, 1) + "," + } + repeatedStringForRanges += "}" + s := strings.Join([]string{`&RunAsGroupStrategyOptions{`, + `Type:` + fmt.Sprintf("%v", this.Type) + `,`, + `GID:` + valueToStringGenerated(this.GID) + `,`, + `GIDRangeMin:` + valueToStringGenerated(this.GIDRangeMin) + `,`, + `GIDRangeMax:` + valueToStringGenerated(this.GIDRangeMax) + `,`, + `Ranges:` + repeatedStringForRanges + `,`, + `}`, + }, "") + return s +} func (this *RunAsUserStrategyOptions) String() string { if this == nil { return "nil" @@ -2367,6 +2607,7 @@ func (this *SecurityContextConstraints) String() string { `AllowedUnsafeSysctls:` + fmt.Sprintf("%v", this.AllowedUnsafeSysctls) + `,`, `ForbiddenSysctls:` + fmt.Sprintf("%v", this.ForbiddenSysctls) + `,`, `UserNamespaceLevel:` + fmt.Sprintf("%v", this.UserNamespaceLevel) + `,`, + `RunAsGroup:` + strings.Replace(strings.Replace(this.RunAsGroup.String(), "RunAsGroupStrategyOptions", "RunAsGroupStrategyOptions", 1), `&`, ``, 1) + `,`, `}`, }, "") return s @@ -4001,6 +4242,272 @@ func (m *RangeAllocationList) Unmarshal(dAtA []byte) error { } return nil } +func (m *RunAsGroupIDRange) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RunAsGroupIDRange: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RunAsGroupIDRange: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Min", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.Min = &v + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Max", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.Max = &v + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *RunAsGroupStrategyOptions) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RunAsGroupStrategyOptions: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RunAsGroupStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Type = RunAsGroupStrategyType(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field GID", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.GID = &v + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field GIDRangeMin", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.GIDRangeMin = &v + case 4: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field GIDRangeMax", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.GIDRangeMax = &v + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Ranges", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Ranges = append(m.Ranges, RunAsGroupIDRange{}) + if err := m.Ranges[len(m.Ranges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *RunAsUserStrategyOptions) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 @@ -5011,6 +5518,39 @@ func (m *SecurityContextConstraints) Unmarshal(dAtA []byte) error { } m.UserNamespaceLevel = NamespaceLevelType(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 27: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RunAsGroup", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.RunAsGroup.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) diff --git a/vendor/github.com/openshift/api/security/v1/generated.proto b/vendor/github.com/openshift/api/security/v1/generated.proto index 933de5450..2aea9b683 100644 --- a/vendor/github.com/openshift/api/security/v1/generated.proto +++ b/vendor/github.com/openshift/api/security/v1/generated.proto @@ -179,6 +179,47 @@ message RangeAllocationList { repeated RangeAllocation items = 2; } +// RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy. +message RunAsGroupIDRange { + // min is the start of the range, inclusive. + // +required + optional int64 min = 1; + + // max is the end of the range, inclusive. + // +required + optional int64 max = 2; +} + +// RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy. +message RunAsGroupStrategyOptions { + // type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + // Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". + // +required + // +kubebuilder:validation:Enum=MustRunAs;MustRunAsRange;RunAsAny + optional string type = 1; + + // gid is the group id that containers must run as. Required for the MustRunAs strategy if not using + // namespace/service account allocated gids. + // +optional + optional int64 gid = 2; + + // gidRangeMin defines the min value for a strategy that allocates by range. + // +optional + optional int64 gidRangeMin = 3; + + // gidRangeMax defines the max value for a strategy that allocates by range. + // +optional + optional int64 gidRangeMax = 4; + + // ranges are the allowed ranges of gids. If you would like to force a single + // gid then supply a single range with the same start and end. + // When omitted, any gid is allowed (equivalent to RunAsAny strategy). + // +optional + // +listType=atomic + // +kubebuilder:validation:MaxItems=256 + repeated RunAsGroupIDRange ranges = 5; +} + // RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. message RunAsUserStrategyOptions { // type is the strategy that will dictate what RunAsUser is used in the SecurityContext. @@ -221,6 +262,7 @@ message SELinuxContextStrategyOptions { // +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=.seLinuxContext.type,description="Strategy that will dictate what labels will be set in the SecurityContext" // +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=.runAsUser.type,description="Strategy that will dictate what RunAsUser is used in the SecurityContext" // +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=.fsGroup.type,description="Strategy that will dictate what fs group is used by the SecurityContext" +// +kubebuilder:printcolumn:name="RunAsGroup",type=string,JSONPath=.runAsGroup.type,description="Strategy that will dictate what RunAsGroup is used by the SecurityContext" // +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=.supplementalGroups.type,description="Strategy that will dictate what supplemental groups are used by the SecurityContext" // +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=.priority,description="Sort order of SCCs" // +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=.readOnlyRootFilesystem,description="Force containers to run with a read only root file system" @@ -337,6 +379,11 @@ message SecurityContextConstraints { // +nullable optional FSGroupStrategyOptions fsGroup = 16; + // runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + // When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. + // +optional + optional RunAsGroupStrategyOptions runAsGroup = 27; + // readOnlyRootFilesystem when set to true will force containers to run with a read only root file // system. If the container specifically requests to run with a non-read only root file system // the SCC should deny the pod. diff --git a/vendor/github.com/openshift/api/security/v1/types.go b/vendor/github.com/openshift/api/security/v1/types.go index fb491480d..4e627d194 100644 --- a/vendor/github.com/openshift/api/security/v1/types.go +++ b/vendor/github.com/openshift/api/security/v1/types.go @@ -31,6 +31,7 @@ var AllowAllCapabilities corev1.Capability = "*" // +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=.seLinuxContext.type,description="Strategy that will dictate what labels will be set in the SecurityContext" // +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=.runAsUser.type,description="Strategy that will dictate what RunAsUser is used in the SecurityContext" // +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=.fsGroup.type,description="Strategy that will dictate what fs group is used by the SecurityContext" +// +kubebuilder:printcolumn:name="RunAsGroup",type=string,JSONPath=.runAsGroup.type,description="Strategy that will dictate what RunAsGroup is used by the SecurityContext" // +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=.supplementalGroups.type,description="Strategy that will dictate what supplemental groups are used by the SecurityContext" // +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=.priority,description="Sort order of SCCs" // +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=.readOnlyRootFilesystem,description="Force containers to run with a read only root file system" @@ -131,6 +132,10 @@ type SecurityContextConstraints struct { // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. // +nullable FSGroup FSGroupStrategyOptions `json:"fsGroup,omitempty" protobuf:"bytes,16,opt,name=fsGroup"` + // runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + // When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. + // +optional + RunAsGroup RunAsGroupStrategyOptions `json:"runAsGroup,omitzero" protobuf:"bytes,27,opt,name=runAsGroup"` // readOnlyRootFilesystem when set to true will force containers to run with a read only root file // system. If the container specifically requests to run with a non-read only root file system // the SCC should deny the pod. @@ -268,6 +273,42 @@ type SupplementalGroupsStrategyOptions struct { Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` } +// RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy. +type RunAsGroupStrategyOptions struct { + // type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + // Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". + // +required + // +kubebuilder:validation:Enum=MustRunAs;MustRunAsRange;RunAsAny + Type RunAsGroupStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=RunAsGroupStrategyType"` + // gid is the group id that containers must run as. Required for the MustRunAs strategy if not using + // namespace/service account allocated gids. + // +optional + GID *int64 `json:"gid,omitempty" protobuf:"varint,2,opt,name=gid"` + // gidRangeMin defines the min value for a strategy that allocates by range. + // +optional + GIDRangeMin *int64 `json:"gidRangeMin,omitempty" protobuf:"varint,3,opt,name=gidRangeMin"` + // gidRangeMax defines the max value for a strategy that allocates by range. + // +optional + GIDRangeMax *int64 `json:"gidRangeMax,omitempty" protobuf:"varint,4,opt,name=gidRangeMax"` + // ranges are the allowed ranges of gids. If you would like to force a single + // gid then supply a single range with the same start and end. + // When omitted, any gid is allowed (equivalent to RunAsAny strategy). + // +optional + // +listType=atomic + // +kubebuilder:validation:MaxItems=256 + Ranges []RunAsGroupIDRange `json:"ranges,omitempty" protobuf:"bytes,5,rep,name=ranges"` +} + +// RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy. +type RunAsGroupIDRange struct { + // min is the start of the range, inclusive. + // +required + Min *int64 `json:"min,omitempty" protobuf:"varint,1,opt,name=min"` + // max is the end of the range, inclusive. + // +required + Max *int64 `json:"max,omitempty" protobuf:"varint,2,opt,name=max"` +} + // IDRange provides a min/max of an allowed range of IDs. // TODO: this could be reused for UIDs. type IDRange struct { @@ -296,6 +337,10 @@ type SupplementalGroupsStrategyType string // SecurityContext type FSGroupStrategyType string +// RunAsGroupStrategyType denotes strategy types for generating RunAsGroup values for a +// SecurityContext +type RunAsGroupStrategyType string + const ( // NamespaceLevelAllowHost allows a pod to set `hostUsers` field to either `true` or `false` NamespaceLevelAllowHost NamespaceLevelType = "AllowHostLevel" @@ -321,6 +366,13 @@ const ( // container may make requests for any FSGroup labels. FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" + // container must have RunAsGroup of X applied. + RunAsGroupStrategyMustRunAs RunAsGroupStrategyType = "MustRunAs" + // container must run with a gid in a range. + RunAsGroupStrategyMustRunAsRange RunAsGroupStrategyType = "MustRunAsRange" + // container may make requests for any RunAsGroup. + RunAsGroupStrategyRunAsAny RunAsGroupStrategyType = "RunAsAny" + // container must run as a particular gid. SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" // container may make requests for any gid. diff --git a/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go index d6263fc02..74ae18bfe 100644 --- a/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go @@ -317,6 +317,58 @@ func (in *RangeAllocationList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RunAsGroupIDRange) DeepCopyInto(out *RunAsGroupIDRange) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupIDRange. +func (in *RunAsGroupIDRange) DeepCopy() *RunAsGroupIDRange { + if in == nil { + return nil + } + out := new(RunAsGroupIDRange) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RunAsGroupStrategyOptions) DeepCopyInto(out *RunAsGroupStrategyOptions) { + *out = *in + if in.GID != nil { + in, out := &in.GID, &out.GID + *out = new(int64) + **out = **in + } + if in.GIDRangeMin != nil { + in, out := &in.GIDRangeMin, &out.GIDRangeMin + *out = new(int64) + **out = **in + } + if in.GIDRangeMax != nil { + in, out := &in.GIDRangeMax, &out.GIDRangeMax + *out = new(int64) + **out = **in + } + if in.Ranges != nil { + in, out := &in.Ranges, &out.Ranges + *out = make([]RunAsGroupIDRange, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupStrategyOptions. +func (in *RunAsGroupStrategyOptions) DeepCopy() *RunAsGroupStrategyOptions { + if in == nil { + return nil + } + out := new(RunAsGroupStrategyOptions) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) { *out = *in @@ -418,6 +470,7 @@ func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstrain in.RunAsUser.DeepCopyInto(&out.RunAsUser) in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups) in.FSGroup.DeepCopyInto(&out.FSGroup) + in.RunAsGroup.DeepCopyInto(&out.RunAsGroup) if in.Users != nil { in, out := &in.Users, &out.Users *out = make([]string, len(*in)) diff --git a/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go index 29cddf7e6..80c40239e 100644 --- a/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go @@ -144,6 +144,29 @@ func (RangeAllocationList) SwaggerDoc() map[string]string { return map_RangeAllocationList } +var map_RunAsGroupIDRange = map[string]string{ + "": "RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy.", + "min": "min is the start of the range, inclusive.", + "max": "max is the end of the range, inclusive.", +} + +func (RunAsGroupIDRange) SwaggerDoc() map[string]string { + return map_RunAsGroupIDRange +} + +var map_RunAsGroupStrategyOptions = map[string]string{ + "": "RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.", + "type": "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. Valid values are \"MustRunAs\", \"MustRunAsRange\", and \"RunAsAny\".", + "gid": "gid is the group id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated gids.", + "gidRangeMin": "gidRangeMin defines the min value for a strategy that allocates by range.", + "gidRangeMax": "gidRangeMax defines the max value for a strategy that allocates by range.", + "ranges": "ranges are the allowed ranges of gids. If you would like to force a single gid then supply a single range with the same start and end. When omitted, any gid is allowed (equivalent to RunAsAny strategy).", +} + +func (RunAsGroupStrategyOptions) SwaggerDoc() map[string]string { + return map_RunAsGroupStrategyOptions +} + var map_RunAsUserStrategyOptions = map[string]string{ "": "RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.", "type": "type is the strategy that will dictate what RunAsUser is used in the SecurityContext.", @@ -188,6 +211,7 @@ var map_SecurityContextConstraints = map[string]string{ "runAsUser": "runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.", "supplementalGroups": "supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.", "fsGroup": "fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.", + "runAsGroup": "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.", "readOnlyRootFilesystem": "readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.", "users": "The users who have permissions to use this security context constraints", "groups": "The groups that have permission to use this security context constraints",