update PSP review APIS

pkg/scheduler/admission/podnodeconstraints/admission.go

@@ -167,11 +167,11 @@ func (o *podNodeConstraints) getPodSpec(attr admission.Attributes) (kapi.PodSpec
 	case *deployapi.DeploymentConfig:
 		return r.Spec.Template.Spec, nil
 	case *securityapi.PodSecurityPolicySubjectReview:
-		return r.Spec.PodSpec, nil
+		return r.Spec.Template.Spec, nil
 	case *securityapi.PodSecurityPolicySelfSubjectReview:
-		return r.Spec.PodSpec, nil
+		return r.Spec.Template.Spec, nil
 	case *securityapi.PodSecurityPolicyReview:
-		return r.Spec.PodSpec, nil
+		return r.Spec.Template.Spec, nil
 	}
 	return kapi.PodSpec{}, kapierrors.NewInternalError(fmt.Errorf("No PodSpec available for supplied admission attribute"))
 }

pkg/scheduler/admission/podnodeconstraints/admission_test.go

@@ -391,19 +391,19 @@ func deploymentConfig(setNodeSelector bool) runtime.Object {
 
 func podSecurityPolicySubjectReview(setNodeSelector bool) runtime.Object {
 	pspsr := &securityapi.PodSecurityPolicySubjectReview{}
-	pspsr.Spec.PodSpec = *podSpec(setNodeSelector)
+	pspsr.Spec.Template.Spec = *podSpec(setNodeSelector)
 	return pspsr
 }
 
 func podSecurityPolicySelfSubjectReview(setNodeSelector bool) runtime.Object {
 	pspssr := &securityapi.PodSecurityPolicySelfSubjectReview{}
-	pspssr.Spec.PodSpec = *podSpec(setNodeSelector)
+	pspssr.Spec.Template.Spec = *podSpec(setNodeSelector)
 	return pspssr
 }
 
 func podSecurityPolicyReview(setNodeSelector bool) runtime.Object {
 	pspr := &securityapi.PodSecurityPolicyReview{}
-	pspr.Spec.PodSpec = *podSpec(setNodeSelector)
+	pspr.Spec.Template.Spec = *podSpec(setNodeSelector)
 	return pspr
 }
 

pkg/security/api/deep_copy_generated.go

@@ -41,7 +41,7 @@ func DeepCopy_api_PodSecurityPolicyReview(in PodSecurityPolicyReview, out *PodSe
 }
 
 func DeepCopy_api_PodSecurityPolicyReviewSpec(in PodSecurityPolicyReviewSpec, out *PodSecurityPolicyReviewSpec, c *conversion.Cloner) error {
-	if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+	if err := api.DeepCopy_api_PodTemplateSpec(in.Template, &out.Template, c); err != nil {
 		return err
 	}
 	if in.ServiceAccountNames != nil {
@@ -83,7 +83,7 @@ func DeepCopy_api_PodSecurityPolicySelfSubjectReview(in PodSecurityPolicySelfSub
 }
 
 func DeepCopy_api_PodSecurityPolicySelfSubjectReviewSpec(in PodSecurityPolicySelfSubjectReviewSpec, out *PodSecurityPolicySelfSubjectReviewSpec, c *conversion.Cloner) error {
-	if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+	if err := api.DeepCopy_api_PodTemplateSpec(in.Template, &out.Template, c); err != nil {
 		return err
 	}
 	return nil
@@ -103,7 +103,7 @@ func DeepCopy_api_PodSecurityPolicySubjectReview(in PodSecurityPolicySubjectRevi
 }
 
 func DeepCopy_api_PodSecurityPolicySubjectReviewSpec(in PodSecurityPolicySubjectReviewSpec, out *PodSecurityPolicySubjectReviewSpec, c *conversion.Cloner) error {
-	if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+	if err := api.DeepCopy_api_PodTemplateSpec(in.Template, &out.Template, c); err != nil {
 		return err
 	}
 	out.User = in.User
@@ -128,7 +128,7 @@ func DeepCopy_api_PodSecurityPolicySubjectReviewStatus(in PodSecurityPolicySubje
 		out.AllowedBy = nil
 	}
 	out.Reason = in.Reason
-	if err := api.DeepCopy_api_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+	if err := api.DeepCopy_api_PodTemplateSpec(in.Template, &out.Template, c); err != nil {
 		return err
 	}
 	return nil

pkg/security/api/types.go

@@ -7,7 +7,7 @@ import (
 
 // +genclient=true
 
-// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodSpec.
+// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
 type PodSecurityPolicySubjectReview struct {
 	unversioned.TypeMeta
 
@@ -20,13 +20,13 @@ type PodSecurityPolicySubjectReview struct {
 
 // PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
 type PodSecurityPolicySubjectReviewSpec struct {
-	// PodSpec is the PodSpec to check. If PodSpec.ServiceAccountName is empty it will not be defaulted.
+	// Template is the PodTemplateSpec to check. If PodTemplateSpec.Spec.ServiceAccountName is empty it will not be defaulted.
 	// If its non-empty, it will be checked.
-	PodSpec kapi.PodSpec
+	Template kapi.PodTemplateSpec
 
 	// User is the user you're testing for.
 	// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups.
-	// If User and Groups are empty, then the check is performed using *only* the ServiceAccountName in the PodSpec.
+	// If User and Groups are empty, then the check is performed using *only* the ServiceAccountName in the PodTemplateSpec.
 	User string
 
 	// Groups is the groups you're testing for.
@@ -35,7 +35,7 @@ type PodSecurityPolicySubjectReviewSpec struct {
 
 // PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
 type PodSecurityPolicySubjectReviewStatus struct {
-	// AllowedBy is a reference to the rule that allows the PodSpec.
+	// AllowedBy is a reference to the rule that allows the PodTemplateSpec.
 	// A rule can be a SecurityContextConstraint or a PodSecurityPolicy
 	// A `nil`, indicates that it was denied.
 	AllowedBy *kapi.ObjectReference
@@ -45,11 +45,11 @@ type PodSecurityPolicySubjectReviewStatus struct {
 	// is no information available.
 	Reason string
 
-	// PodSpec is the PodSpec after the defaulting is applied.
-	PodSpec kapi.PodSpec
+	// Template is the PodTemplateSpec after the defaulting is applied.
+	Template kapi.PodTemplateSpec
 }
 
-// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodSpec.
+// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec.
 type PodSecurityPolicySelfSubjectReview struct {
 	unversioned.TypeMeta
 
@@ -62,11 +62,11 @@ type PodSecurityPolicySelfSubjectReview struct {
 
 // PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
 type PodSecurityPolicySelfSubjectReviewSpec struct {
-	// PodSpec is the PodSpec to check.
-	PodSpec kapi.PodSpec
+	// Template is the PodTemplateSpec to check.
+	Template kapi.PodTemplateSpec
 }
 
-// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodSpec` in question.
+// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
 type PodSecurityPolicyReview struct {
 	unversioned.TypeMeta
 
@@ -79,22 +79,22 @@ type PodSecurityPolicyReview struct {
 
 // PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
 type PodSecurityPolicyReviewSpec struct {
-	// PodSpec is the PodSpec to check. The PodSpec.ServiceAccountName field is used
-	// if ServiceAccountNames is empty, unless the PodSpec.ServiceAccountName is empty,
+	// Template is the PodTemplateSpec to check. The PodTemplateSpec.Spec.ServiceAccountName field is used
+	// if ServiceAccountNames is empty, unless the PodTemplateSpec.Spec.ServiceAccountName is empty,
 	// in which case "default" is used.
-	// If ServiceAccountNames is specified, PodSpec.ServiceAccountName is ignored.
-	PodSpec kapi.PodSpec
+	// If ServiceAccountNames is specified, PodTemplateSpec.Spec.ServiceAccountName is ignored.
+	Template kapi.PodTemplateSpec
 
 	// ServiceAccountNames is an optional set of ServiceAccounts to run the check with.
-	// If ServiceAccountNames is empty, the PodSpec ServiceAccountName is used,
+	// If ServiceAccountNames is empty, the PodTemplateSpec.Spec.ServiceAccountName is used,
 	// unless it's empty, in which case "default" is used instead.
-	// If ServiceAccountNames is specified, PodSpec ServiceAccountName is ignored.
+	// If ServiceAccountNames is specified, PodTemplateSpec.Spec.ServiceAccountName is ignored.
 	ServiceAccountNames []string // TODO: find a way to express 'all service accounts'
 }
 
 // PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
 type PodSecurityPolicyReviewStatus struct {
-	// AllowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodSpec.
+	// AllowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
 	AllowedServiceAccounts []ServiceAccountPodSecurityPolicyReviewStatus
 }
 

pkg/security/api/v1/conversion_generated.go

@@ -72,7 +72,7 @@ func Convert_api_PodSecurityPolicyReview_To_v1_PodSecurityPolicyReview(in *secur
 }
 
 func autoConvert_v1_PodSecurityPolicyReviewSpec_To_api_PodSecurityPolicyReviewSpec(in *PodSecurityPolicyReviewSpec, out *security_api.PodSecurityPolicyReviewSpec, s conversion.Scope) error {
-	if err := api_v1.Convert_v1_PodSpec_To_api_PodSpec(&in.PodSpec, &out.PodSpec, s); err != nil {
+	if err := api_v1.Convert_v1_PodTemplateSpec_To_api_PodTemplateSpec(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
 	out.ServiceAccountNames = in.ServiceAccountNames
@@ -84,7 +84,7 @@ func Convert_v1_PodSecurityPolicyReviewSpec_To_api_PodSecurityPolicyReviewSpec(i
 }
 
 func autoConvert_api_PodSecurityPolicyReviewSpec_To_v1_PodSecurityPolicyReviewSpec(in *security_api.PodSecurityPolicyReviewSpec, out *PodSecurityPolicyReviewSpec, s conversion.Scope) error {
-	if err := api_v1.Convert_api_PodSpec_To_v1_PodSpec(&in.PodSpec, &out.PodSpec, s); err != nil {
+	if err := api_v1.Convert_api_PodTemplateSpec_To_v1_PodTemplateSpec(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
 	out.ServiceAccountNames = in.ServiceAccountNames
@@ -168,7 +168,7 @@ func Convert_api_PodSecurityPolicySelfSubjectReview_To_v1_PodSecurityPolicySelfS
 }
 
 func autoConvert_v1_PodSecurityPolicySelfSubjectReviewSpec_To_api_PodSecurityPolicySelfSubjectReviewSpec(in *PodSecurityPolicySelfSubjectReviewSpec, out *security_api.PodSecurityPolicySelfSubjectReviewSpec, s conversion.Scope) error {
-	if err := api_v1.Convert_v1_PodSpec_To_api_PodSpec(&in.PodSpec, &out.PodSpec, s); err != nil {
+	if err := api_v1.Convert_v1_PodTemplateSpec_To_api_PodTemplateSpec(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
 	return nil
@@ -179,7 +179,7 @@ func Convert_v1_PodSecurityPolicySelfSubjectReviewSpec_To_api_PodSecurityPolicyS
 }
 
 func autoConvert_api_PodSecurityPolicySelfSubjectReviewSpec_To_v1_PodSecurityPolicySelfSubjectReviewSpec(in *security_api.PodSecurityPolicySelfSubjectReviewSpec, out *PodSecurityPolicySelfSubjectReviewSpec, s conversion.Scope) error {
-	if err := api_v1.Convert_api_PodSpec_To_v1_PodSpec(&in.PodSpec, &out.PodSpec, s); err != nil {
+	if err := api_v1.Convert_api_PodTemplateSpec_To_v1_PodTemplateSpec(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
 	return nil
@@ -224,7 +224,7 @@ func Convert_api_PodSecurityPolicySubjectReview_To_v1_PodSecurityPolicySubjectRe
 }
 
 func autoConvert_v1_PodSecurityPolicySubjectReviewSpec_To_api_PodSecurityPolicySubjectReviewSpec(in *PodSecurityPolicySubjectReviewSpec, out *security_api.PodSecurityPolicySubjectReviewSpec, s conversion.Scope) error {
-	if err := api_v1.Convert_v1_PodSpec_To_api_PodSpec(&in.PodSpec, &out.PodSpec, s); err != nil {
+	if err := api_v1.Convert_v1_PodTemplateSpec_To_api_PodTemplateSpec(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
 	out.User = in.User
@@ -237,7 +237,7 @@ func Convert_v1_PodSecurityPolicySubjectReviewSpec_To_api_PodSecurityPolicySubje
 }
 
 func autoConvert_api_PodSecurityPolicySubjectReviewSpec_To_v1_PodSecurityPolicySubjectReviewSpec(in *security_api.PodSecurityPolicySubjectReviewSpec, out *PodSecurityPolicySubjectReviewSpec, s conversion.Scope) error {
-	if err := api_v1.Convert_api_PodSpec_To_v1_PodSpec(&in.PodSpec, &out.PodSpec, s); err != nil {
+	if err := api_v1.Convert_api_PodTemplateSpec_To_v1_PodTemplateSpec(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
 	out.User = in.User
@@ -260,7 +260,7 @@ func autoConvert_v1_PodSecurityPolicySubjectReviewStatus_To_api_PodSecurityPolic
 		out.AllowedBy = nil
 	}
 	out.Reason = in.Reason
-	if err := api_v1.Convert_v1_PodSpec_To_api_PodSpec(&in.PodSpec, &out.PodSpec, s); err != nil {
+	if err := api_v1.Convert_v1_PodTemplateSpec_To_api_PodTemplateSpec(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
 	return nil
@@ -281,7 +281,7 @@ func autoConvert_api_PodSecurityPolicySubjectReviewStatus_To_v1_PodSecurityPolic
 		out.AllowedBy = nil
 	}
 	out.Reason = in.Reason
-	if err := api_v1.Convert_api_PodSpec_To_v1_PodSpec(&in.PodSpec, &out.PodSpec, s); err != nil {
+	if err := api_v1.Convert_api_PodTemplateSpec_To_v1_PodTemplateSpec(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
 	return nil

pkg/security/api/v1/deep_copy_generated.go

@@ -42,7 +42,7 @@ func DeepCopy_v1_PodSecurityPolicyReview(in PodSecurityPolicyReview, out *PodSec
 }
 
 func DeepCopy_v1_PodSecurityPolicyReviewSpec(in PodSecurityPolicyReviewSpec, out *PodSecurityPolicyReviewSpec, c *conversion.Cloner) error {
-	if err := api_v1.DeepCopy_v1_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+	if err := api_v1.DeepCopy_v1_PodTemplateSpec(in.Template, &out.Template, c); err != nil {
 		return err
 	}
 	if in.ServiceAccountNames != nil {
@@ -84,7 +84,7 @@ func DeepCopy_v1_PodSecurityPolicySelfSubjectReview(in PodSecurityPolicySelfSubj
 }
 
 func DeepCopy_v1_PodSecurityPolicySelfSubjectReviewSpec(in PodSecurityPolicySelfSubjectReviewSpec, out *PodSecurityPolicySelfSubjectReviewSpec, c *conversion.Cloner) error {
-	if err := api_v1.DeepCopy_v1_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+	if err := api_v1.DeepCopy_v1_PodTemplateSpec(in.Template, &out.Template, c); err != nil {
 		return err
 	}
 	return nil
@@ -104,7 +104,7 @@ func DeepCopy_v1_PodSecurityPolicySubjectReview(in PodSecurityPolicySubjectRevie
 }
 
 func DeepCopy_v1_PodSecurityPolicySubjectReviewSpec(in PodSecurityPolicySubjectReviewSpec, out *PodSecurityPolicySubjectReviewSpec, c *conversion.Cloner) error {
-	if err := api_v1.DeepCopy_v1_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+	if err := api_v1.DeepCopy_v1_PodTemplateSpec(in.Template, &out.Template, c); err != nil {
 		return err
 	}
 	out.User = in.User
@@ -129,7 +129,7 @@ func DeepCopy_v1_PodSecurityPolicySubjectReviewStatus(in PodSecurityPolicySubjec
 		out.AllowedBy = nil
 	}
 	out.Reason = in.Reason
-	if err := api_v1.DeepCopy_v1_PodSpec(in.PodSpec, &out.PodSpec, c); err != nil {
+	if err := api_v1.DeepCopy_v1_PodTemplateSpec(in.Template, &out.Template, c); err != nil {
 		return err
 	}
 	return nil