vendor/k8s.io/kubernetes/pkg/apis/policy/validation/validation.go - cloudstack-kubernetes-provider - Git at Google

 /*
 Copyright 2016 The Kubernetes Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */

 package validation

 import (
 	"fmt"
 	"path/filepath"
 	"reflect"
 	"regexp"
 	"strings"

 	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	appsvalidation "k8s.io/kubernetes/pkg/apis/apps/validation"
 	core "k8s.io/kubernetes/pkg/apis/core"
 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/security/apparmor"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
 	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"

 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 )

 func ValidatePodDisruptionBudget(pdb *policy.PodDisruptionBudget) field.ErrorList {
 	allErrs := ValidatePodDisruptionBudgetSpec(pdb.Spec, field.NewPath("spec"))
 	allErrs = append(allErrs, ValidatePodDisruptionBudgetStatus(pdb.Status, field.NewPath("status"))...)
 	return allErrs
 }

 func ValidatePodDisruptionBudgetUpdate(pdb, oldPdb *policy.PodDisruptionBudget) field.ErrorList {
 	allErrs := field.ErrorList{}

 	restoreGeneration := pdb.Generation
 	pdb.Generation = oldPdb.Generation

 	if !reflect.DeepEqual(pdb.Spec, oldPdb.Spec) {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "updates to poddisruptionbudget spec are forbidden."))
 	}
 	allErrs = append(allErrs, ValidatePodDisruptionBudgetStatus(pdb.Status, field.NewPath("status"))...)

 	pdb.Generation = restoreGeneration
 	return allErrs
 }

 func ValidatePodDisruptionBudgetSpec(spec policy.PodDisruptionBudgetSpec, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}

 	if spec.MinAvailable != nil && spec.MaxUnavailable != nil {
 		allErrs = append(allErrs, field.Invalid(fldPath, spec, "minAvailable and maxUnavailable cannot be both set"))
 	}

 	if spec.MinAvailable != nil {
 		allErrs = append(allErrs, appsvalidation.ValidatePositiveIntOrPercent(*spec.MinAvailable, fldPath.Child("minAvailable"))...)
 		allErrs = append(allErrs, appsvalidation.IsNotMoreThan100Percent(*spec.MinAvailable, fldPath.Child("minAvailable"))...)
 	}

 	if spec.MaxUnavailable != nil {
 		allErrs = append(allErrs, appsvalidation.ValidatePositiveIntOrPercent(*spec.MaxUnavailable, fldPath.Child("maxUnavailable"))...)
 		allErrs = append(allErrs, appsvalidation.IsNotMoreThan100Percent(*spec.MaxUnavailable, fldPath.Child("maxUnavailable"))...)
 	}

 	allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(spec.Selector, fldPath.Child("selector"))...)

 	return allErrs
 }

 func ValidatePodDisruptionBudgetStatus(status policy.PodDisruptionBudgetStatus, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.PodDisruptionsAllowed), fldPath.Child("podDisruptionsAllowed"))...)
 	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.CurrentHealthy), fldPath.Child("currentHealthy"))...)
 	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.DesiredHealthy), fldPath.Child("desiredHealthy"))...)
 	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.ExpectedPods), fldPath.Child("expectedPods"))...)
 	return allErrs
 }

 // ValidatePodSecurityPolicyName can be used to check whether the given
 // pod security policy name is valid.
 // Prefix indicates this name will be used as part of generation, in which case
 // trailing dashes are allowed.
 var ValidatePodSecurityPolicyName = apimachineryvalidation.NameIsDNSSubdomain

 func ValidatePodSecurityPolicy(psp *policy.PodSecurityPolicy) field.ErrorList {
 	allErrs := field.ErrorList{}
 	allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&psp.ObjectMeta, false, ValidatePodSecurityPolicyName, field.NewPath("metadata"))...)
 	allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(psp.Annotations, field.NewPath("metadata").Child("annotations"))...)
 	allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&psp.Spec, field.NewPath("spec"))...)
 	return allErrs
 }

 func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}

 	allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...)
 	allErrs = append(allErrs, validatePSPRunAsGroup(fldPath.Child("runAsGroup"), spec.RunAsGroup)...)
 	allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...)
 	allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...)
 	allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...)
 	allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
 	if len(spec.RequiredDropCapabilities) > 0 && hasCap(policy.AllowAllCapabilities, spec.AllowedCapabilities) {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities,
 			"must be empty when all capabilities are allowed by a wildcard"))
 	}
 	allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
 	allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
 	allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
 	allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
 	allErrs = append(allErrs, validatePSPAllowedFlexVolumes(fldPath.Child("allowedFlexVolumes"), spec.AllowedFlexVolumes)...)
 	allErrs = append(allErrs, validatePodSecurityPolicySysctls(fldPath.Child("allowedUnsafeSysctls"), spec.AllowedUnsafeSysctls)...)
 	allErrs = append(allErrs, validatePodSecurityPolicySysctls(fldPath.Child("forbiddenSysctls"), spec.ForbiddenSysctls)...)
 	allErrs = append(allErrs, validatePodSecurityPolicySysctlListsDoNotOverlap(fldPath.Child("allowedUnsafeSysctls"), fldPath.Child("forbiddenSysctls"), spec.AllowedUnsafeSysctls, spec.ForbiddenSysctls)...)

 	return allErrs
 }

 func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}

 	if p := annotations[apparmor.DefaultProfileAnnotationKey]; p != "" {
 		if err := apparmor.ValidateProfileFormat(p); err != nil {
 			allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.DefaultProfileAnnotationKey), p, err.Error()))
 		}
 	}
 	if allowed := annotations[apparmor.AllowedProfilesAnnotationKey]; allowed != "" {
 		for _, p := range strings.Split(allowed, ",") {
 			if err := apparmor.ValidateProfileFormat(p); err != nil {
 				allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.AllowedProfilesAnnotationKey), allowed, err.Error()))
 			}
 		}
 	}

 	if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" {
 		allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...)
 	}
 	if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
 		for _, p := range strings.Split(allowed, ",") {
 			if p == seccomp.AllowAny {
 				continue
 			}
 			allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
 		}
 	}
 	return allErrs
 }

 // validatePSPAllowedHostPaths makes sure all allowed host paths follow:
 // 1. path prefix is required
 // 2. path prefix does not have any element which is ".."
 func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []policy.AllowedHostPath) field.ErrorList {
 	allErrs := field.ErrorList{}

 	for i, target := range allowedHostPaths {
 		if target.PathPrefix == "" {
 			allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
 			break
 		}
 		parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
 		for _, item := range parts {
 			if item == ".." {
 				allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
 				break // even for `../../..`, one error is sufficient to make the point
 			}
 		}
 	}

 	return allErrs
 }

 func validatePSPAllowedFlexVolumes(fldPath *field.Path, flexVolumes []policy.AllowedFlexVolume) field.ErrorList {
 	allErrs := field.ErrorList{}
 	if len(flexVolumes) > 0 {
 		for idx, fv := range flexVolumes {
 			if len(fv.Driver) == 0 {
 				allErrs = append(allErrs, field.Required(fldPath.Child("allowedFlexVolumes").Index(idx).Child("driver"),
 					"must specify a driver"))
 			}
 		}
 	}
 	return allErrs
 }

 // validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
 func validatePSPSELinux(fldPath *field.Path, seLinux *policy.SELinuxStrategyOptions) field.ErrorList {
 	allErrs := field.ErrorList{}

 	// ensure the selinux strategy has a valid rule
 	supportedSELinuxRules := sets.NewString(
 		string(policy.SELinuxStrategyMustRunAs),
 		string(policy.SELinuxStrategyRunAsAny),
 	)
 	if !supportedSELinuxRules.Has(string(seLinux.Rule)) {
 		allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), seLinux.Rule, supportedSELinuxRules.List()))
 	}

 	return allErrs
 }

 // validatePSPRunAsUser validates the RunAsUser fields of PodSecurityPolicy.
 func validatePSPRunAsUser(fldPath *field.Path, runAsUser *policy.RunAsUserStrategyOptions) field.ErrorList {
 	allErrs := field.ErrorList{}

 	// ensure the user strategy has a valid rule
 	supportedRunAsUserRules := sets.NewString(
 		string(policy.RunAsUserStrategyMustRunAs),
 		string(policy.RunAsUserStrategyMustRunAsNonRoot),
 		string(policy.RunAsUserStrategyRunAsAny),
 	)
 	if !supportedRunAsUserRules.Has(string(runAsUser.Rule)) {
 		allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsUser.Rule, supportedRunAsUserRules.List()))
 	}

 	// validate range settings
 	for idx, rng := range runAsUser.Ranges {
 		allErrs = append(allErrs, validateUserIDRange(fldPath.Child("ranges").Index(idx), rng)...)
 	}

 	return allErrs
 }

 // validatePSPRunAsGroup validates the RunAsGroup fields of PodSecurityPolicy.
 func validatePSPRunAsGroup(fldPath *field.Path, runAsGroup *policy.RunAsGroupStrategyOptions) field.ErrorList {
 	var allErrs field.ErrorList

 	if runAsGroup == nil {
 		return allErrs
 	}

 	switch runAsGroup.Rule {
 	case policy.RunAsGroupStrategyRunAsAny:
 		if len(runAsGroup.Ranges) != 0 {
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("ranges"), runAsGroup.Ranges, "Ranges must be empty"))
 		}
 	case policy.RunAsGroupStrategyMustRunAs, policy.RunAsGroupStrategyMayRunAs:
 		if len(runAsGroup.Ranges) == 0 {
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("ranges"), runAsGroup.Ranges, "must provide at least one range"))
 		}
 		// validate range settings
 		for idx, rng := range runAsGroup.Ranges {
 			allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
 		}
 	default:
 		supportedRunAsGroupRules := []string{
 			string(policy.RunAsGroupStrategyMustRunAs),
 			string(policy.RunAsGroupStrategyRunAsAny),
 			string(policy.RunAsGroupStrategyMayRunAs),
 		}
 		allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsGroup.Rule, supportedRunAsGroupRules))
 	}
 	return allErrs
 }

 // validatePSPFSGroup validates the FSGroupStrategyOptions fields of the PodSecurityPolicy.
 func validatePSPFSGroup(fldPath *field.Path, groupOptions *policy.FSGroupStrategyOptions) field.ErrorList {
 	allErrs := field.ErrorList{}

 	supportedRules := sets.NewString(
 		string(policy.FSGroupStrategyMustRunAs),
 		string(policy.FSGroupStrategyMayRunAs),
 		string(policy.FSGroupStrategyRunAsAny),
 	)
 	if !supportedRules.Has(string(groupOptions.Rule)) {
 		allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
 	}

 	for idx, rng := range groupOptions.Ranges {
 		allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
 	}
 	return allErrs
 }

 // validatePSPSupplementalGroup validates the SupplementalGroupsStrategyOptions fields of the PodSecurityPolicy.
 func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *policy.SupplementalGroupsStrategyOptions) field.ErrorList {
 	allErrs := field.ErrorList{}

 	supportedRules := sets.NewString(
 		string(policy.SupplementalGroupsStrategyRunAsAny),
 		string(policy.SupplementalGroupsStrategyMayRunAs),
 		string(policy.SupplementalGroupsStrategyMustRunAs),
 	)
 	if !supportedRules.Has(string(groupOptions.Rule)) {
 		allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
 	}

 	for idx, rng := range groupOptions.Ranges {
 		allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
 	}
 	return allErrs
 }

 // validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy.
 func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []policy.FSType) field.ErrorList {
 	allErrs := field.ErrorList{}
 	allowed := psputil.GetAllFSTypesAsSet()
 	// add in the * value since that is a pseudo type that is not included by default
 	allowed.Insert(string(policy.All))
 	for _, v := range volumes {
 		if !allowed.Has(string(v)) {
 			allErrs = append(allErrs, field.NotSupported(fldPath.Child("volumes"), v, allowed.List()))
 		}
 	}
 	return allErrs
 }

 // validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
 func validatePSPDefaultAllowPrivilegeEscalation(fldPath *field.Path, defaultAllowPrivilegeEscalation *bool, allowPrivilegeEscalation bool) field.ErrorList {
 	allErrs := field.ErrorList{}
 	if defaultAllowPrivilegeEscalation != nil && *defaultAllowPrivilegeEscalation && !allowPrivilegeEscalation {
 		allErrs = append(allErrs, field.Invalid(fldPath, defaultAllowPrivilegeEscalation, "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true"))
 	}

 	return allErrs
 }

 const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
 const SysctlPatternFmt string = "(" + apivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt

 var sysctlPatternRegexp = regexp.MustCompile("^" + SysctlPatternFmt + "$")

 func IsValidSysctlPattern(name string) bool {
 	if len(name) > apivalidation.SysctlMaxLength {
 		return false
 	}
 	return sysctlPatternRegexp.MatchString(name)
 }

 func validatePodSecurityPolicySysctlListsDoNotOverlap(allowedSysctlsFldPath, forbiddenSysctlsFldPath *field.Path, allowedUnsafeSysctls, forbiddenSysctls []string) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for i, allowedSysctl := range allowedUnsafeSysctls {
 		isAllowedSysctlPattern := false
 		allowedSysctlPrefix := ""
 		if strings.HasSuffix(allowedSysctl, "*") {
 			isAllowedSysctlPattern = true
 			allowedSysctlPrefix = strings.TrimSuffix(allowedSysctl, "*")
 		}
 		for j, forbiddenSysctl := range forbiddenSysctls {
 			isForbiddenSysctlPattern := false
 			forbiddenSysctlPrefix := ""
 			if strings.HasSuffix(forbiddenSysctl, "*") {
 				isForbiddenSysctlPattern = true
 				forbiddenSysctlPrefix = strings.TrimSuffix(forbiddenSysctl, "*")
 			}
 			switch {
 			case isAllowedSysctlPattern && isForbiddenSysctlPattern:
 				if strings.HasPrefix(allowedSysctlPrefix, forbiddenSysctlPrefix) {
 					allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
 				} else if strings.HasPrefix(forbiddenSysctlPrefix, allowedSysctlPrefix) {
 					allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
 				}
 			case isAllowedSysctlPattern:
 				if strings.HasPrefix(forbiddenSysctl, allowedSysctlPrefix) {
 					allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
 				}
 			case isForbiddenSysctlPattern:
 				if strings.HasPrefix(allowedSysctl, forbiddenSysctlPrefix) {
 					allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
 				}
 			default:
 				if allowedSysctl == forbiddenSysctl {
 					allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
 				}
 			}
 		}
 	}
 	return allErrs
 }

 // validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
 func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
 	allErrs := field.ErrorList{}

 	if len(sysctls) == 0 {
 		return allErrs
 	}

 	if !utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
 		return append(allErrs, field.Forbidden(fldPath, "Sysctls are disabled by Sysctls feature-gate"))
 	}

 	coversAll := false
 	for i, s := range sysctls {
 		if len(s) == 0 {
 			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("empty sysctl not allowed")))
 		} else if !IsValidSysctlPattern(string(s)) {
 			allErrs = append(
 				allErrs,
 				field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
 					apivalidation.SysctlMaxLength,
 					SysctlPatternFmt,
 				)),
 			)
 		} else if s[0] == '*' {
 			coversAll = true
 		}
 	}

 	if coversAll && len(sysctls) > 1 {
 		allErrs = append(allErrs, field.Forbidden(fldPath.Child("items"), fmt.Sprintf("if '*' is present, must not specify other sysctls")))
 	}

 	return allErrs
 }

 func validateUserIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList {
 	return validateIDRanges(fldPath, rng.Min, rng.Max)
 }

 func validateGroupIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList {
 	return validateIDRanges(fldPath, rng.Min, rng.Max)
 }

 // validateIDRanges ensures the range is valid.
 func validateIDRanges(fldPath *field.Path, min, max int64) field.ErrorList {
 	allErrs := field.ErrorList{}

 	// if 0 <= Min <= Max then we do not need to validate max.  It is always greater than or
 	// equal to 0 and Min.
 	if min < 0 {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be negative"))
 	}
 	if max < 0 {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), max, "max cannot be negative"))
 	}
 	if min > max {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be greater than max"))
 	}

 	return allErrs
 }

 // validatePSPCapsAgainstDrops ensures an allowed cap is not listed in the required drops.
 func validatePSPCapsAgainstDrops(requiredDrops []core.Capability, capsToCheck []core.Capability, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	if requiredDrops == nil {
 		return allErrs
 	}
 	for _, cap := range capsToCheck {
 		if hasCap(cap, requiredDrops) {
 			allErrs = append(allErrs, field.Invalid(fldPath, cap,
 				fmt.Sprintf("capability is listed in %s and requiredDropCapabilities", fldPath.String())))
 		}
 	}
 	return allErrs
 }

 // ValidatePodSecurityPolicyUpdate validates a PSP for updates.
 func ValidatePodSecurityPolicyUpdate(old *policy.PodSecurityPolicy, new *policy.PodSecurityPolicy) field.ErrorList {
 	allErrs := field.ErrorList{}
 	allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
 	allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(new.Annotations, field.NewPath("metadata").Child("annotations"))...)
 	allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&new.Spec, field.NewPath("spec"))...)
 	return allErrs
 }

 // hasCap checks for needle in haystack.
 func hasCap(needle core.Capability, haystack []core.Capability) bool {
 	for _, c := range haystack {
 		if needle == c {
 			return true
 		}
 	}
 	return false
 }
	/*
	Copyright 2016 The Kubernetes Authors.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	*/

	package validation

	import (
	"fmt"
	"path/filepath"
	"reflect"
	"regexp"
	"strings"

	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
	unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
	"k8s.io/apimachinery/pkg/util/sets"
	"k8s.io/apimachinery/pkg/util/validation/field"
	appsvalidation "k8s.io/kubernetes/pkg/apis/apps/validation"
	core "k8s.io/kubernetes/pkg/apis/core"
	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
	"k8s.io/kubernetes/pkg/apis/policy"
	"k8s.io/kubernetes/pkg/features"
	"k8s.io/kubernetes/pkg/security/apparmor"
	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"

	utilfeature "k8s.io/apiserver/pkg/util/feature"
	)

	func ValidatePodDisruptionBudget(pdb *policy.PodDisruptionBudget) field.ErrorList {
	allErrs := ValidatePodDisruptionBudgetSpec(pdb.Spec, field.NewPath("spec"))
	allErrs = append(allErrs, ValidatePodDisruptionBudgetStatus(pdb.Status, field.NewPath("status"))...)
	return allErrs
	}

	func ValidatePodDisruptionBudgetUpdate(pdb, oldPdb *policy.PodDisruptionBudget) field.ErrorList {
	allErrs := field.ErrorList{}

	restoreGeneration := pdb.Generation
	pdb.Generation = oldPdb.Generation

	if !reflect.DeepEqual(pdb.Spec, oldPdb.Spec) {
	allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "updates to poddisruptionbudget spec are forbidden."))
	}
	allErrs = append(allErrs, ValidatePodDisruptionBudgetStatus(pdb.Status, field.NewPath("status"))...)

	pdb.Generation = restoreGeneration
	return allErrs
	}

	func ValidatePodDisruptionBudgetSpec(spec policy.PodDisruptionBudgetSpec, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}

	if spec.MinAvailable != nil && spec.MaxUnavailable != nil {
	allErrs = append(allErrs, field.Invalid(fldPath, spec, "minAvailable and maxUnavailable cannot be both set"))
	}

	if spec.MinAvailable != nil {
	allErrs = append(allErrs, appsvalidation.ValidatePositiveIntOrPercent(*spec.MinAvailable, fldPath.Child("minAvailable"))...)
	allErrs = append(allErrs, appsvalidation.IsNotMoreThan100Percent(*spec.MinAvailable, fldPath.Child("minAvailable"))...)
	}

	if spec.MaxUnavailable != nil {
	allErrs = append(allErrs, appsvalidation.ValidatePositiveIntOrPercent(*spec.MaxUnavailable, fldPath.Child("maxUnavailable"))...)
	allErrs = append(allErrs, appsvalidation.IsNotMoreThan100Percent(*spec.MaxUnavailable, fldPath.Child("maxUnavailable"))...)
	}

	allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(spec.Selector, fldPath.Child("selector"))...)

	return allErrs
	}

	func ValidatePodDisruptionBudgetStatus(status policy.PodDisruptionBudgetStatus, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.PodDisruptionsAllowed), fldPath.Child("podDisruptionsAllowed"))...)
	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.CurrentHealthy), fldPath.Child("currentHealthy"))...)
	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.DesiredHealthy), fldPath.Child("desiredHealthy"))...)
	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.ExpectedPods), fldPath.Child("expectedPods"))...)
	return allErrs
	}

	// ValidatePodSecurityPolicyName can be used to check whether the given
	// pod security policy name is valid.
	// Prefix indicates this name will be used as part of generation, in which case
	// trailing dashes are allowed.
	var ValidatePodSecurityPolicyName = apimachineryvalidation.NameIsDNSSubdomain

	func ValidatePodSecurityPolicy(psp *policy.PodSecurityPolicy) field.ErrorList {
	allErrs := field.ErrorList{}
	allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&psp.ObjectMeta, false, ValidatePodSecurityPolicyName, field.NewPath("metadata"))...)
	allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(psp.Annotations, field.NewPath("metadata").Child("annotations"))...)
	allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&psp.Spec, field.NewPath("spec"))...)
	return allErrs
	}

	func ValidatePodSecurityPolicySpec(spec policy.PodSecurityPolicySpec, fldPath field.Path) field.ErrorList {
	allErrs := field.ErrorList{}

	allErrs = append(allErrs, validatePSPRunAsUser(fldPath.Child("runAsUser"), &spec.RunAsUser)...)
	allErrs = append(allErrs, validatePSPRunAsGroup(fldPath.Child("runAsGroup"), spec.RunAsGroup)...)
	allErrs = append(allErrs, validatePSPSELinux(fldPath.Child("seLinux"), &spec.SELinux)...)
	allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...)
	allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...)
	allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...)
	if len(spec.RequiredDropCapabilities) > 0 && hasCap(policy.AllowAllCapabilities, spec.AllowedCapabilities) {
	allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities,
	"must be empty when all capabilities are allowed by a wildcard"))
	}
	allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
	allErrs = append(allErrs, validatePSPCapsAgainstDrops(spec.RequiredDropCapabilities, spec.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)
	allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
	allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
	allErrs = append(allErrs, validatePSPAllowedFlexVolumes(fldPath.Child("allowedFlexVolumes"), spec.AllowedFlexVolumes)...)
	allErrs = append(allErrs, validatePodSecurityPolicySysctls(fldPath.Child("allowedUnsafeSysctls"), spec.AllowedUnsafeSysctls)...)
	allErrs = append(allErrs, validatePodSecurityPolicySysctls(fldPath.Child("forbiddenSysctls"), spec.ForbiddenSysctls)...)
	allErrs = append(allErrs, validatePodSecurityPolicySysctlListsDoNotOverlap(fldPath.Child("allowedUnsafeSysctls"), fldPath.Child("forbiddenSysctls"), spec.AllowedUnsafeSysctls, spec.ForbiddenSysctls)...)

	return allErrs
	}

	func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}

	if p := annotations[apparmor.DefaultProfileAnnotationKey]; p != "" {
	if err := apparmor.ValidateProfileFormat(p); err != nil {
	allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.DefaultProfileAnnotationKey), p, err.Error()))
	}
	}
	if allowed := annotations[apparmor.AllowedProfilesAnnotationKey]; allowed != "" {
	for _, p := range strings.Split(allowed, ",") {
	if err := apparmor.ValidateProfileFormat(p); err != nil {
	allErrs = append(allErrs, field.Invalid(fldPath.Key(apparmor.AllowedProfilesAnnotationKey), allowed, err.Error()))
	}
	}
	}

	if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" {
	allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...)
	}
	if allowed := annotations[seccomp.AllowedProfilesAnnotationKey]; allowed != "" {
	for _, p := range strings.Split(allowed, ",") {
	if p == seccomp.AllowAny {
	continue
	}
	allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.AllowedProfilesAnnotationKey))...)
	}
	}
	return allErrs
	}

	// validatePSPAllowedHostPaths makes sure all allowed host paths follow:
	// 1. path prefix is required
	// 2. path prefix does not have any element which is ".."
	func validatePSPAllowedHostPaths(fldPath *field.Path, allowedHostPaths []policy.AllowedHostPath) field.ErrorList {
	allErrs := field.ErrorList{}

	for i, target := range allowedHostPaths {
	if target.PathPrefix == "" {
	allErrs = append(allErrs, field.Required(fldPath.Index(i), "is required"))
	break
	}
	parts := strings.Split(filepath.ToSlash(target.PathPrefix), "/")
	for _, item := range parts {
	if item == ".." {
	allErrs = append(allErrs, field.Invalid(fldPath.Index(i), target.PathPrefix, "must not contain '..'"))
	break // even for `../../..`, one error is sufficient to make the point
	}
	}
	}

	return allErrs
	}

	func validatePSPAllowedFlexVolumes(fldPath *field.Path, flexVolumes []policy.AllowedFlexVolume) field.ErrorList {
	allErrs := field.ErrorList{}
	if len(flexVolumes) > 0 {
	for idx, fv := range flexVolumes {
	if len(fv.Driver) == 0 {
	allErrs = append(allErrs, field.Required(fldPath.Child("allowedFlexVolumes").Index(idx).Child("driver"),
	"must specify a driver"))
	}
	}
	}
	return allErrs
	}

	// validatePSPSELinux validates the SELinux fields of PodSecurityPolicy.
	func validatePSPSELinux(fldPath field.Path, seLinux policy.SELinuxStrategyOptions) field.ErrorList {
	allErrs := field.ErrorList{}

	// ensure the selinux strategy has a valid rule
	supportedSELinuxRules := sets.NewString(
	string(policy.SELinuxStrategyMustRunAs),
	string(policy.SELinuxStrategyRunAsAny),
	)
	if !supportedSELinuxRules.Has(string(seLinux.Rule)) {
	allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), seLinux.Rule, supportedSELinuxRules.List()))
	}

	return allErrs
	}

	// validatePSPRunAsUser validates the RunAsUser fields of PodSecurityPolicy.
	func validatePSPRunAsUser(fldPath field.Path, runAsUser policy.RunAsUserStrategyOptions) field.ErrorList {
	allErrs := field.ErrorList{}

	// ensure the user strategy has a valid rule
	supportedRunAsUserRules := sets.NewString(
	string(policy.RunAsUserStrategyMustRunAs),
	string(policy.RunAsUserStrategyMustRunAsNonRoot),
	string(policy.RunAsUserStrategyRunAsAny),
	)
	if !supportedRunAsUserRules.Has(string(runAsUser.Rule)) {
	allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsUser.Rule, supportedRunAsUserRules.List()))
	}

	// validate range settings
	for idx, rng := range runAsUser.Ranges {
	allErrs = append(allErrs, validateUserIDRange(fldPath.Child("ranges").Index(idx), rng)...)
	}

	return allErrs
	}

	// validatePSPRunAsGroup validates the RunAsGroup fields of PodSecurityPolicy.
	func validatePSPRunAsGroup(fldPath field.Path, runAsGroup policy.RunAsGroupStrategyOptions) field.ErrorList {
	var allErrs field.ErrorList

	if runAsGroup == nil {
	return allErrs
	}

	switch runAsGroup.Rule {
	case policy.RunAsGroupStrategyRunAsAny:
	if len(runAsGroup.Ranges) != 0 {
	allErrs = append(allErrs, field.Invalid(fldPath.Child("ranges"), runAsGroup.Ranges, "Ranges must be empty"))
	}
	case policy.RunAsGroupStrategyMustRunAs, policy.RunAsGroupStrategyMayRunAs:
	if len(runAsGroup.Ranges) == 0 {
	allErrs = append(allErrs, field.Invalid(fldPath.Child("ranges"), runAsGroup.Ranges, "must provide at least one range"))
	}
	// validate range settings
	for idx, rng := range runAsGroup.Ranges {
	allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
	}
	default:
	supportedRunAsGroupRules := []string{
	string(policy.RunAsGroupStrategyMustRunAs),
	string(policy.RunAsGroupStrategyRunAsAny),
	string(policy.RunAsGroupStrategyMayRunAs),
	}
	allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), runAsGroup.Rule, supportedRunAsGroupRules))
	}
	return allErrs
	}

	// validatePSPFSGroup validates the FSGroupStrategyOptions fields of the PodSecurityPolicy.
	func validatePSPFSGroup(fldPath field.Path, groupOptions policy.FSGroupStrategyOptions) field.ErrorList {
	allErrs := field.ErrorList{}

	supportedRules := sets.NewString(
	string(policy.FSGroupStrategyMustRunAs),
	string(policy.FSGroupStrategyMayRunAs),
	string(policy.FSGroupStrategyRunAsAny),
	)
	if !supportedRules.Has(string(groupOptions.Rule)) {
	allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
	}

	for idx, rng := range groupOptions.Ranges {
	allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
	}
	return allErrs
	}

	// validatePSPSupplementalGroup validates the SupplementalGroupsStrategyOptions fields of the PodSecurityPolicy.
	func validatePSPSupplementalGroup(fldPath field.Path, groupOptions policy.SupplementalGroupsStrategyOptions) field.ErrorList {
	allErrs := field.ErrorList{}

	supportedRules := sets.NewString(
	string(policy.SupplementalGroupsStrategyRunAsAny),
	string(policy.SupplementalGroupsStrategyMayRunAs),
	string(policy.SupplementalGroupsStrategyMustRunAs),
	)
	if !supportedRules.Has(string(groupOptions.Rule)) {
	allErrs = append(allErrs, field.NotSupported(fldPath.Child("rule"), groupOptions.Rule, supportedRules.List()))
	}

	for idx, rng := range groupOptions.Ranges {
	allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
	}
	return allErrs
	}

	// validatePodSecurityPolicyVolumes validates the volume fields of PodSecurityPolicy.
	func validatePodSecurityPolicyVolumes(fldPath *field.Path, volumes []policy.FSType) field.ErrorList {
	allErrs := field.ErrorList{}
	allowed := psputil.GetAllFSTypesAsSet()
	// add in the * value since that is a pseudo type that is not included by default
	allowed.Insert(string(policy.All))
	for _, v := range volumes {
	if !allowed.Has(string(v)) {
	allErrs = append(allErrs, field.NotSupported(fldPath.Child("volumes"), v, allowed.List()))
	}
	}
	return allErrs
	}

	// validatePSPDefaultAllowPrivilegeEscalation validates the DefaultAllowPrivilegeEscalation field against the AllowPrivilegeEscalation field of a PodSecurityPolicy.
	func validatePSPDefaultAllowPrivilegeEscalation(fldPath field.Path, defaultAllowPrivilegeEscalation bool, allowPrivilegeEscalation bool) field.ErrorList {
	allErrs := field.ErrorList{}
	if defaultAllowPrivilegeEscalation != nil && *defaultAllowPrivilegeEscalation && !allowPrivilegeEscalation {
	allErrs = append(allErrs, field.Invalid(fldPath, defaultAllowPrivilegeEscalation, "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true"))
	}

	return allErrs
	}

	const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9])?[a-z0-9]"
	const SysctlPatternFmt string = "(" + apivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt

	var sysctlPatternRegexp = regexp.MustCompile("^" + SysctlPatternFmt + "$")

	func IsValidSysctlPattern(name string) bool {
	if len(name) > apivalidation.SysctlMaxLength {
	return false
	}
	return sysctlPatternRegexp.MatchString(name)
	}

	func validatePodSecurityPolicySysctlListsDoNotOverlap(allowedSysctlsFldPath, forbiddenSysctlsFldPath *field.Path, allowedUnsafeSysctls, forbiddenSysctls []string) field.ErrorList {
	allErrs := field.ErrorList{}
	for i, allowedSysctl := range allowedUnsafeSysctls {
	isAllowedSysctlPattern := false
	allowedSysctlPrefix := ""
	if strings.HasSuffix(allowedSysctl, "*") {
	isAllowedSysctlPattern = true
	allowedSysctlPrefix = strings.TrimSuffix(allowedSysctl, "*")
	}
	for j, forbiddenSysctl := range forbiddenSysctls {
	isForbiddenSysctlPattern := false
	forbiddenSysctlPrefix := ""
	if strings.HasSuffix(forbiddenSysctl, "*") {
	isForbiddenSysctlPattern = true
	forbiddenSysctlPrefix = strings.TrimSuffix(forbiddenSysctl, "*")
	}
	switch {
	case isAllowedSysctlPattern && isForbiddenSysctlPattern:
	if strings.HasPrefix(allowedSysctlPrefix, forbiddenSysctlPrefix) {
	allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
	} else if strings.HasPrefix(forbiddenSysctlPrefix, allowedSysctlPrefix) {
	allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
	}
	case isAllowedSysctlPattern:
	if strings.HasPrefix(forbiddenSysctl, allowedSysctlPrefix) {
	allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
	}
	case isForbiddenSysctlPattern:
	if strings.HasPrefix(allowedSysctl, forbiddenSysctlPrefix) {
	allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
	}
	default:
	if allowedSysctl == forbiddenSysctl {
	allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
	}
	}
	}
	}
	return allErrs
	}

	// validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
	func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
	allErrs := field.ErrorList{}

	if len(sysctls) == 0 {
	return allErrs
	}

	if !utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
	return append(allErrs, field.Forbidden(fldPath, "Sysctls are disabled by Sysctls feature-gate"))
	}

	coversAll := false
	for i, s := range sysctls {
	if len(s) == 0 {
	allErrs = append(allErrs, field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("empty sysctl not allowed")))
	} else if !IsValidSysctlPattern(string(s)) {
	allErrs = append(
	allErrs,
	field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
	apivalidation.SysctlMaxLength,
	SysctlPatternFmt,
	)),
	)
	} else if s[0] == '*' {
	coversAll = true
	}
	}

	if coversAll && len(sysctls) > 1 {
	allErrs = append(allErrs, field.Forbidden(fldPath.Child("items"), fmt.Sprintf("if '*' is present, must not specify other sysctls")))
	}

	return allErrs
	}

	func validateUserIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList {
	return validateIDRanges(fldPath, rng.Min, rng.Max)
	}

	func validateGroupIDRange(fldPath *field.Path, rng policy.IDRange) field.ErrorList {
	return validateIDRanges(fldPath, rng.Min, rng.Max)
	}

	// validateIDRanges ensures the range is valid.
	func validateIDRanges(fldPath *field.Path, min, max int64) field.ErrorList {
	allErrs := field.ErrorList{}

	// if 0 <= Min <= Max then we do not need to validate max. It is always greater than or
	// equal to 0 and Min.
	if min < 0 {
	allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be negative"))
	}
	if max < 0 {
	allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), max, "max cannot be negative"))
	}
	if min > max {
	allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be greater than max"))
	}

	return allErrs
	}

	// validatePSPCapsAgainstDrops ensures an allowed cap is not listed in the required drops.
	func validatePSPCapsAgainstDrops(requiredDrops []core.Capability, capsToCheck []core.Capability, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	if requiredDrops == nil {
	return allErrs
	}
	for _, cap := range capsToCheck {
	if hasCap(cap, requiredDrops) {
	allErrs = append(allErrs, field.Invalid(fldPath, cap,
	fmt.Sprintf("capability is listed in %s and requiredDropCapabilities", fldPath.String())))
	}
	}
	return allErrs
	}

	// ValidatePodSecurityPolicyUpdate validates a PSP for updates.
	func ValidatePodSecurityPolicyUpdate(old policy.PodSecurityPolicy, new policy.PodSecurityPolicy) field.ErrorList {
	allErrs := field.ErrorList{}
	allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&new.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
	allErrs = append(allErrs, ValidatePodSecurityPolicySpecificAnnotations(new.Annotations, field.NewPath("metadata").Child("annotations"))...)
	allErrs = append(allErrs, ValidatePodSecurityPolicySpec(&new.Spec, field.NewPath("spec"))...)
	return allErrs
	}

	// hasCap checks for needle in haystack.
	func hasCap(needle core.Capability, haystack []core.Capability) bool {
	for _, c := range haystack {
	if needle == c {
	return true
	}
	}
	return false
	}