externalize psp admission controller

pkg/security/podsecuritypolicy/BUILD

@@ -17,7 +17,6 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
         "//pkg/features:go_default_library",
         "//pkg/security/podsecuritypolicy/apparmor:go_default_library",
         "//pkg/security/podsecuritypolicy/capabilities:go_default_library",
@@ -28,6 +27,8 @@ go_library(
         "//pkg/security/podsecuritypolicy/user:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
         "//pkg/securitycontext:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
@@ -41,11 +42,11 @@ go_test(
     deps = [
         "//pkg/apis/core:go_default_library",
         "//pkg/apis/core/v1:go_default_library",
-        "//pkg/apis/policy:go_default_library",
         "//pkg/security/apparmor:go_default_library",
         "//pkg/security/podsecuritypolicy/seccomp:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",

pkg/security/podsecuritypolicy/capabilities/BUILD

@@ -16,7 +16,8 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
@@ -28,7 +29,8 @@ go_test(
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
 )

pkg/security/podsecuritypolicy/capabilities/capabilities.go

@@ -19,10 +19,11 @@ package capabilities
 import (
 	"fmt"
 
+	corev1 "k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 // defaultCapabilities implements the Strategy interface
@@ -36,11 +37,23 @@ var _ Strategy = &defaultCapabilities{}
 
 // NewDefaultCapabilities creates a new defaultCapabilities strategy that will provide defaults and validation
 // based on the configured initial caps and allowed caps.
-func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []api.Capability) (Strategy, error) {
+func NewDefaultCapabilities(defaultAddCapabilities, requiredDropCapabilities, allowedCaps []corev1.Capability) (Strategy, error) {
+	internalDefaultAddCaps := make([]api.Capability, len(defaultAddCapabilities))
+	for i, capability := range defaultAddCapabilities {
+		internalDefaultAddCaps[i] = api.Capability(capability)
+	}
+	internalRequiredDropCaps := make([]api.Capability, len(requiredDropCapabilities))
+	for i, capability := range requiredDropCapabilities {
+		internalRequiredDropCaps[i] = api.Capability(capability)
+	}
+	internalAllowedCaps := make([]api.Capability, len(allowedCaps))
+	for i, capability := range allowedCaps {
+		internalAllowedCaps[i] = api.Capability(capability)
+	}
 	return &defaultCapabilities{
-		defaultAddCapabilities:   defaultAddCapabilities,
+		defaultAddCapabilities:   internalDefaultAddCaps,
-		requiredDropCapabilities: requiredDropCapabilities,
+		requiredDropCapabilities: internalRequiredDropCaps,
-		allowedCaps:              allowedCaps,
+		allowedCaps:              internalAllowedCaps,
 	}, nil
 }
 

pkg/security/podsecuritypolicy/capabilities/capabilities_test.go

@@ -20,14 +20,15 @@ import (
 	"reflect"
 	"testing"
 
+	corev1 "k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 func TestGenerateAdds(t *testing.T) {
 	tests := map[string]struct {
-		defaultAddCaps []api.Capability
+		defaultAddCaps []corev1.Capability
 		containerCaps  *api.Capabilities
 		expectedCaps   *api.Capabilities
 	}{
@@ -37,13 +38,13 @@ func TestGenerateAdds(t *testing.T) {
 			expectedCaps:  &api.Capabilities{},
 		},
 		"required, no container requests": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			expectedCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"required, container requests add required": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
@@ -52,7 +53,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"multiple required, container requests add required": {
-			defaultAddCaps: []api.Capability{"foo", "bar", "baz"},
+			defaultAddCaps: []corev1.Capability{"foo", "bar", "baz"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
@@ -61,7 +62,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"required, container requests add non-required": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"bar"},
 			},
@@ -70,7 +71,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"generation does not mutate unnecessarily": {
-			defaultAddCaps: []api.Capability{"foo", "bar"},
+			defaultAddCaps: []corev1.Capability{"foo", "bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo", "foo", "bar", "baz"},
 			},
@@ -79,7 +80,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"generation dedupes": {
-			defaultAddCaps: []api.Capability{"foo", "bar"},
+			defaultAddCaps: []corev1.Capability{"foo", "bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo", "baz"},
 			},
@@ -88,7 +89,7 @@ func TestGenerateAdds(t *testing.T) {
 			},
 		},
 		"generation is case sensitive - will not dedupe": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"FOO"},
 			},
@@ -127,8 +128,8 @@ func TestGenerateAdds(t *testing.T) {
 
 func TestGenerateDrops(t *testing.T) {
 	tests := map[string]struct {
-		defaultAddCaps   []api.Capability
+		defaultAddCaps   []corev1.Capability
-		requiredDropCaps []api.Capability
+		requiredDropCaps []corev1.Capability
 		containerCaps    *api.Capabilities
 		expectedCaps     *api.Capabilities
 	}{
@@ -140,13 +141,13 @@ func TestGenerateDrops(t *testing.T) {
 			expectedCaps:  &api.Capabilities{},
 		},
 		"required drops are defaulted": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			expectedCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo"},
 			},
 		},
 		"required drops are defaulted when making container requests": {
-			requiredDropCaps: []api.Capability{"baz"},
+			requiredDropCaps: []corev1.Capability{"baz"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo", "bar"},
 			},
@@ -155,7 +156,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"required drops do not mutate unnecessarily": {
-			requiredDropCaps: []api.Capability{"baz"},
+			requiredDropCaps: []corev1.Capability{"baz"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo", "bar", "baz"},
 			},
@@ -164,7 +165,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"can drop a required add": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo"},
 			},
@@ -173,7 +174,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"can drop non-required add": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"bar"},
 			},
@@ -183,8 +184,8 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"defaulting adds and drops, dropping a required add": {
-			defaultAddCaps:   []api.Capability{"foo", "bar", "baz"},
+			defaultAddCaps:   []corev1.Capability{"foo", "bar", "baz"},
-			requiredDropCaps: []api.Capability{"abc"},
+			requiredDropCaps: []corev1.Capability{"abc"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo"},
 			},
@@ -194,7 +195,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"generation dedupes": {
-			requiredDropCaps: []api.Capability{"baz", "foo"},
+			requiredDropCaps: []corev1.Capability{"baz", "foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"bar", "foo"},
 			},
@@ -203,7 +204,7 @@ func TestGenerateDrops(t *testing.T) {
 			},
 		},
 		"generation is case sensitive - will not dedupe": {
-			requiredDropCaps: []api.Capability{"bar"},
+			requiredDropCaps: []corev1.Capability{"bar"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"BAR"},
 			},
@@ -241,30 +242,30 @@ func TestGenerateDrops(t *testing.T) {
 
 func TestValidateAdds(t *testing.T) {
 	tests := map[string]struct {
-		defaultAddCaps []api.Capability
+		defaultAddCaps []corev1.Capability
-		allowedCaps    []api.Capability
+		allowedCaps    []corev1.Capability
 		containerCaps  *api.Capabilities
 		expectedError  string
 	}{
 		// no container requests
 		"no required, no allowed, no container requests": {},
 		"no required, allowed, no container requests": {
-			allowedCaps: []api.Capability{"foo"},
+			allowedCaps: []corev1.Capability{"foo"},
 		},
 		"required, no allowed, no container requests": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			expectedError:  `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`,
 		},
 
 		// container requests match required
 		"required, no allowed, container requests valid": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"required, no allowed, container requests invalid": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"bar"},
 			},
@@ -273,19 +274,19 @@ func TestValidateAdds(t *testing.T) {
 
 		// container requests match allowed
 		"no required, allowed, container requests valid": {
-			allowedCaps: []api.Capability{"foo"},
+			allowedCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"no required, all allowed, container requests valid": {
-			allowedCaps: []api.Capability{policy.AllowAllCapabilities},
+			allowedCaps: []corev1.Capability{policy.AllowAllCapabilities},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"no required, allowed, container requests invalid": {
-			allowedCaps: []api.Capability{"foo"},
+			allowedCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"bar"},
 			},
@@ -294,29 +295,29 @@ func TestValidateAdds(t *testing.T) {
 
 		// required and allowed
 		"required, allowed, container requests valid required": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
-			allowedCaps:    []api.Capability{"bar"},
+			allowedCaps:    []corev1.Capability{"bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"foo"},
 			},
 		},
 		"required, allowed, container requests valid allowed": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
-			allowedCaps:    []api.Capability{"bar"},
+			allowedCaps:    []corev1.Capability{"bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"bar"},
 			},
 		},
 		"required, allowed, container requests invalid": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
-			allowedCaps:    []api.Capability{"bar"},
+			allowedCaps:    []corev1.Capability{"bar"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"baz"},
 			},
 			expectedError: `capabilities.add: Invalid value: "baz": capability may not be added`,
 		},
 		"validation is case sensitive": {
-			defaultAddCaps: []api.Capability{"foo"},
+			defaultAddCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Add: []api.Capability{"FOO"},
 			},
@@ -351,33 +352,33 @@ func TestValidateAdds(t *testing.T) {
 
 func TestValidateDrops(t *testing.T) {
 	tests := map[string]struct {
-		requiredDropCaps []api.Capability
+		requiredDropCaps []corev1.Capability
 		containerCaps    *api.Capabilities
 		expectedError    string
 	}{
 		// no container requests
 		"no required, no container requests": {},
 		"required, no container requests": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			expectedError:    `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`,
 		},
 
 		// container requests match required
 		"required, container requests valid": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"foo"},
 			},
 		},
 		"required, container requests invalid": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"bar"},
 			},
 			expectedError: `capabilities.drop: Invalid value: []core.Capability{"bar"}: foo is required to be dropped but was not found`,
 		},
 		"validation is case sensitive": {
-			requiredDropCaps: []api.Capability{"foo"},
+			requiredDropCaps: []corev1.Capability{"foo"},
 			containerCaps: &api.Capabilities{
 				Drop: []api.Capability{"FOO"},
 			},

pkg/security/podsecuritypolicy/factory.go

@@ -22,9 +22,9 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/kubernetes/pkg/features"
 
+	corev1 "k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/errors"
-	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"
@@ -191,7 +191,7 @@ func createSupplementalGroupStrategy(opts *policy.SupplementalGroupsStrategyOpti
 }
 
 // createCapabilitiesStrategy creates a new capabilities strategy.
-func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []api.Capability) (capabilities.Strategy, error) {
+func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []corev1.Capability) (capabilities.Strategy, error) {
 	return capabilities.NewDefaultCapabilities(defaultAddCaps, requiredDropCaps, allowedCaps)
 }
 

pkg/security/podsecuritypolicy/group/BUILD

@@ -19,8 +19,8 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/group",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
 )
@@ -34,7 +34,7 @@ go_test(
     ],
     embed = [":go_default_library"],
     deps = [
-        "//pkg/apis/policy:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
 )

pkg/security/podsecuritypolicy/group/helpers.go

@@ -19,8 +19,8 @@ package group
 import (
 	"fmt"
 
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	"k8s.io/kubernetes/pkg/apis/policy"
 	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 )
 

pkg/security/podsecuritypolicy/group/mayrunas.go

@@ -19,9 +19,9 @@ package group
 import (
 	"fmt"
 
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 // mayRunAs implements the GroupStrategy interface.

pkg/security/podsecuritypolicy/group/mayrunas_test.go

@@ -21,8 +21,8 @@ import (
 	"strings"
 	"testing"
 
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 func TestMayRunAsOptions(t *testing.T) {

pkg/security/podsecuritypolicy/group/mustrunas.go

@@ -19,9 +19,9 @@ package group
 import (
 	"fmt"
 
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 // mustRunAs implements the GroupStrategy interface

pkg/security/podsecuritypolicy/group/mustrunas_test.go

@@ -20,8 +20,8 @@ import (
 	"strings"
 	"testing"
 
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 func TestMustRunAsOptions(t *testing.T) {

pkg/security/podsecuritypolicy/provider.go

@@ -20,10 +20,11 @@ import (
 	"fmt"
 	"strings"
 
+	corev1 "k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/features"
 	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 	"k8s.io/kubernetes/pkg/securitycontext"
@@ -174,9 +175,9 @@ func (s *simpleProvider) DefaultContainerSecurityContext(pod *api.Pod, container
 		sc.SetAllowPrivilegeEscalation(s.psp.Spec.DefaultAllowPrivilegeEscalation)
 	}
 
-	// if the PSP sets psp.AllowPrivilegeEscalation to false set that as the default
+	// if the PSP sets psp.AllowPrivilegeEscalation to false, set that as the default
-	if !s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation() == nil {
+	if !*s.psp.Spec.AllowPrivilegeEscalation && sc.AllowPrivilegeEscalation() == nil {
-		sc.SetAllowPrivilegeEscalation(&s.psp.Spec.AllowPrivilegeEscalation)
+		sc.SetAllowPrivilegeEscalation(s.psp.Spec.AllowPrivilegeEscalation)
 	}
 
 	pod.Annotations = annotations
@@ -313,14 +314,15 @@ func (s *simpleProvider) ValidateContainer(pod *api.Pod, container *api.Containe
 	procMount := sc.ProcMount()
 	allowedProcMounts := s.psp.Spec.AllowedProcMountTypes
 	if len(allowedProcMounts) == 0 {
-		allowedProcMounts = []api.ProcMountType{api.DefaultProcMount}
+		allowedProcMounts = []corev1.ProcMountType{corev1.DefaultProcMount}
 	}
 	foundProcMountType := false
 	for _, pm := range allowedProcMounts {
-		if pm == procMount {
+		if string(pm) == string(procMount) {
 			foundProcMountType = true
 		}
 	}
+
 	if !foundProcMountType {
 		allErrs = append(allErrs, field.Invalid(scPath.Child("procMount"), procMount, "ProcMountType is not allowed"))
 	}
@@ -339,14 +341,10 @@ func (s *simpleProvider) ValidateContainer(pod *api.Pod, container *api.Containe
 	}
 
 	allowEscalation := sc.AllowPrivilegeEscalation()
-	if !s.psp.Spec.AllowPrivilegeEscalation && allowEscalation == nil {
+	if !*s.psp.Spec.AllowPrivilegeEscalation && (allowEscalation == nil || *allowEscalation) {
 		allErrs = append(allErrs, field.Invalid(scPath.Child("allowPrivilegeEscalation"), allowEscalation, "Allowing privilege escalation for containers is not allowed"))
 	}
 
-	if !s.psp.Spec.AllowPrivilegeEscalation && allowEscalation != nil && *allowEscalation {
-		allErrs = append(allErrs, field.Invalid(scPath.Child("allowPrivilegeEscalation"), *allowEscalation, "Allowing privilege escalation for containers is not allowed"))
-	}
-
 	return allErrs
 }
 

pkg/security/podsecuritypolicy/provider_test.go

@@ -28,12 +28,12 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
-	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/security/apparmor"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
 	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
@@ -52,6 +52,7 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
 	}
 
 	// Create a PSP with strategies that will populate a blank psc
+	allowPrivilegeEscalation := true
 	createPSP := func() *policy.PodSecurityPolicy {
 		return &policy.PodSecurityPolicy{
 			ObjectMeta: metav1.ObjectMeta{
@@ -61,7 +62,7 @@ func TestDefaultPodSecurityContextNonmutating(t *testing.T) {
 				},
 			},
 			Spec: policy.PodSecurityPolicySpec{
-				AllowPrivilegeEscalation: true,
+				AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 				RunAsUser: policy.RunAsUserStrategyOptions{
 					Rule: policy.RunAsUserStrategyRunAsAny,
 				},
@@ -126,6 +127,7 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
 		}
 
 		// Create a PSP with strategies that will populate a blank security context
+		allowPrivilegeEscalation := true
 		createPSP := func() *policy.PodSecurityPolicy {
 			return &policy.PodSecurityPolicy{
 				ObjectMeta: metav1.ObjectMeta{
@@ -136,7 +138,7 @@ func TestDefaultContainerSecurityContextNonmutating(t *testing.T) {
 					},
 				},
 				Spec: policy.PodSecurityPolicySpec{
-					AllowPrivilegeEscalation: true,
+					AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 					RunAsUser: policy.RunAsUserStrategyOptions{
 						Rule: policy.RunAsUserStrategyRunAsAny,
 					},
@@ -231,7 +233,7 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 	failNilSELinuxPod := defaultPod()
 	failSELinuxPSP := defaultPSP()
 	failSELinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
-	failSELinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
+	failSELinuxPSP.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{
 		Level: "foo",
 	}
 
@@ -497,7 +499,7 @@ func TestValidateContainerFailures(t *testing.T) {
 	failSELinuxPSP := defaultPSP()
 	failSELinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{
 		Rule: policy.SELinuxStrategyMustRunAs,
-		SELinuxOptions: &api.SELinuxOptions{
+		SELinuxOptions: &v1.SELinuxOptions{
 			Level: "foo",
 		},
 	}
@@ -693,7 +695,7 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 	}
 	seLinuxPSP := defaultPSP()
 	seLinuxPSP.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
-	seLinuxPSP.Spec.SELinux.SELinuxOptions = &api.SELinuxOptions{
+	seLinuxPSP.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{
 		User:  "user",
 		Role:  "role",
 		Type:  "type",
@@ -934,7 +936,7 @@ func TestValidateContainerSuccess(t *testing.T) {
 	seLinuxPSP := defaultPSP()
 	seLinuxPSP.Spec.SELinux = policy.SELinuxStrategyOptions{
 		Rule: policy.SELinuxStrategyMustRunAs,
-		SELinuxOptions: &api.SELinuxOptions{
+		SELinuxOptions: &v1.SELinuxOptions{
 			Level: "foo",
 		},
 	}
@@ -959,7 +961,7 @@ func TestValidateContainerSuccess(t *testing.T) {
 	privPod.Spec.Containers[0].SecurityContext.Privileged = &priv
 
 	capsPSP := defaultPSP()
-	capsPSP.Spec.AllowedCapabilities = []api.Capability{"foo"}
+	capsPSP.Spec.AllowedCapabilities = []v1.Capability{"foo"}
 	capsPod := defaultPod()
 	capsPod.Spec.Containers[0].SecurityContext.Capabilities = &api.Capabilities{
 		Add: []api.Capability{"foo"},
@@ -967,7 +969,7 @@ func TestValidateContainerSuccess(t *testing.T) {
 
 	// pod should be able to request caps that are in the required set even if not specified in the allowed set
 	requiredCapsPSP := defaultPSP()
-	requiredCapsPSP.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
+	requiredCapsPSP.Spec.DefaultAddCapabilities = []v1.Capability{"foo"}
 	requiredCapsPod := defaultPod()
 	requiredCapsPod.Spec.Containers[0].SecurityContext.Capabilities = &api.Capabilities{
 		Add: []api.Capability{"foo"},
@@ -1165,6 +1167,7 @@ func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) {
 }
 
 func defaultPSP() *policy.PodSecurityPolicy {
+	allowPrivilegeEscalation := true
 	return &policy.PodSecurityPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        "psp-sa",
@@ -1186,7 +1189,7 @@ func defaultPSP() *policy.PodSecurityPolicy {
 			SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
 				Rule: policy.SupplementalGroupsStrategyRunAsAny,
 			},
-			AllowPrivilegeEscalation: true,
+			AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 		},
 	}
 }
@@ -1342,7 +1345,7 @@ func TestAllowPrivilegeEscalation(t *testing.T) {
 			pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = test.podAPE
 
 			psp := defaultPSP()
-			psp.Spec.AllowPrivilegeEscalation = test.pspAPE
+			psp.Spec.AllowPrivilegeEscalation = &test.pspAPE
 			psp.Spec.DefaultAllowPrivilegeEscalation = test.pspDAPE
 
 			provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())

pkg/security/podsecuritypolicy/selinux/BUILD

@@ -17,8 +17,9 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/selinux",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//pkg/apis/core/v1:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
 )
@@ -32,7 +33,9 @@ go_test(
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//pkg/apis/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
     ],
 )
 

pkg/security/podsecuritypolicy/selinux/mustrunas.go

@@ -21,14 +21,15 @@ import (
 	"sort"
 	"strings"
 
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
+	"k8s.io/kubernetes/pkg/apis/core/v1"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 )
 
 type mustRunAs struct {
-	opts *policy.SELinuxStrategyOptions
+	opts *api.SELinuxOptions
 }
 
 var _ SELinuxStrategy = &mustRunAs{}
@@ -40,14 +41,19 @@ func NewMustRunAs(options *policy.SELinuxStrategyOptions) (SELinuxStrategy, erro
 	if options.SELinuxOptions == nil {
 		return nil, fmt.Errorf("MustRunAs requires SELinuxOptions")
 	}
+
+	internalSELinuxOptions := &api.SELinuxOptions{}
+	if err := v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(options.SELinuxOptions, internalSELinuxOptions, nil); err != nil {
+		return nil, err
+	}
 	return &mustRunAs{
-		opts: options,
+		opts: internalSELinuxOptions,
 	}, nil
 }
 
 // Generate creates the SELinuxOptions based on constraint rules.
 func (s *mustRunAs) Generate(_ *api.Pod, _ *api.Container) (*api.SELinuxOptions, error) {
-	return s.opts.SELinuxOptions, nil
+	return s.opts, nil
 }
 
 // Validate ensures that the specified values fall within the range of the strategy.
@@ -58,20 +64,20 @@ func (s *mustRunAs) Validate(fldPath *field.Path, _ *api.Pod, _ *api.Container,
 		allErrs = append(allErrs, field.Required(fldPath, ""))
 		return allErrs
 	}
-	if !equalLevels(s.opts.SELinuxOptions.Level, seLinux.Level) {
+	if !equalLevels(s.opts.Level, seLinux.Level) {
-		detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Level)
+		detail := fmt.Sprintf("must be %s", s.opts.Level)
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("level"), seLinux.Level, detail))
 	}
-	if seLinux.Role != s.opts.SELinuxOptions.Role {
+	if seLinux.Role != s.opts.Role {
-		detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Role)
+		detail := fmt.Sprintf("must be %s", s.opts.Role)
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("role"), seLinux.Role, detail))
 	}
-	if seLinux.Type != s.opts.SELinuxOptions.Type {
+	if seLinux.Type != s.opts.Type {
-		detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.Type)
+		detail := fmt.Sprintf("must be %s", s.opts.Type)
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("type"), seLinux.Type, detail))
 	}
-	if seLinux.User != s.opts.SELinuxOptions.User {
+	if seLinux.User != s.opts.User {
-		detail := fmt.Sprintf("must be %s", s.opts.SELinuxOptions.User)
+		detail := fmt.Sprintf("must be %s", s.opts.User)
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("user"), seLinux.User, detail))
 	}
 

pkg/security/podsecuritypolicy/selinux/mustrunas_test.go

@@ -17,8 +17,10 @@ limitations under the License.
 package selinux
 
 import (
+	corev1 "k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
+	"k8s.io/kubernetes/pkg/apis/core/v1"
 	"reflect"
 	"strings"
 	"testing"
@@ -38,7 +40,7 @@ func TestMustRunAsOptions(t *testing.T) {
 			pass: false,
 		},
 		"valid opts": {
-			opts: &policy.SELinuxStrategyOptions{SELinuxOptions: &api.SELinuxOptions{}},
+			opts: &policy.SELinuxStrategyOptions{SELinuxOptions: &corev1.SELinuxOptions{}},
 			pass: true,
 		},
 	}
@@ -55,7 +57,7 @@ func TestMustRunAsOptions(t *testing.T) {
 
 func TestMustRunAsGenerate(t *testing.T) {
 	opts := &policy.SELinuxStrategyOptions{
-		SELinuxOptions: &api.SELinuxOptions{
+		SELinuxOptions: &corev1.SELinuxOptions{
 			User:  "user",
 			Role:  "role",
 			Type:  "type",
@@ -70,14 +72,16 @@ func TestMustRunAsGenerate(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error generating selinux %v", err)
 	}
-	if !reflect.DeepEqual(generated, opts.SELinuxOptions) {
+	internalSELinuxOptions := &api.SELinuxOptions{}
+	v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(opts.SELinuxOptions, internalSELinuxOptions, nil)
+	if !reflect.DeepEqual(generated, internalSELinuxOptions) {
 		t.Errorf("generated selinux does not equal configured selinux")
 	}
 }
 
 func TestMustRunAsValidate(t *testing.T) {
-	newValidOpts := func() *api.SELinuxOptions {
+	newValidOpts := func() *corev1.SELinuxOptions {
-		return &api.SELinuxOptions{
+		return &corev1.SELinuxOptions{
 			User:  "user",
 			Role:  "role",
 			Level: "s0:c0,c6",
@@ -85,7 +89,7 @@ func TestMustRunAsValidate(t *testing.T) {
 		}
 	}
 
-	newValidOptsWithLevel := func(level string) *api.SELinuxOptions {
+	newValidOptsWithLevel := func(level string) *corev1.SELinuxOptions {
 		opts := newValidOpts()
 		opts.Level = level
 		return opts
@@ -103,8 +107,8 @@ func TestMustRunAsValidate(t *testing.T) {
 	validOpts := newValidOpts()
 
 	tests := map[string]struct {
-		podSeLinux  *api.SELinuxOptions
+		podSeLinux  *corev1.SELinuxOptions
-		pspSeLinux  *api.SELinuxOptions
+		pspSeLinux  *corev1.SELinuxOptions
 		expectedMsg string
 	}{
 		"invalid role": {
@@ -154,7 +158,9 @@ func TestMustRunAsValidate(t *testing.T) {
 			continue
 		}
 
-		errs := mustRunAs.Validate(nil, nil, nil, tc.podSeLinux)
+		internalSELinuxOptions := api.SELinuxOptions{}
+		v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(tc.podSeLinux, &internalSELinuxOptions, nil)
+		errs := mustRunAs.Validate(nil, nil, nil, &internalSELinuxOptions)
 		//should've passed but didn't
 		if len(tc.expectedMsg) == 0 && len(errs) > 0 {
 			t.Errorf("%s expected no errors but received %v", name, errs)

pkg/security/podsecuritypolicy/selinux/runasany.go

@@ -17,9 +17,9 @@ limitations under the License.
 package selinux
 
 import (
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 // runAsAny implements the SELinuxStrategy interface.

pkg/security/podsecuritypolicy/selinux/runasany_test.go

@@ -17,8 +17,8 @@ limitations under the License.
 package selinux
 
 import (
-	api "k8s.io/kubernetes/pkg/apis/core"
+	corev1 "k8s.io/api/core/v1"
-	"k8s.io/kubernetes/pkg/apis/policy"
+	policy "k8s.io/api/policy/v1beta1"
 	"testing"
 )
 
@@ -49,7 +49,7 @@ func TestRunAsAnyGenerate(t *testing.T) {
 
 func TestRunAsAnyValidate(t *testing.T) {
 	s, err := NewRunAsAny(&policy.SELinuxStrategyOptions{
-		SELinuxOptions: &api.SELinuxOptions{
+		SELinuxOptions: &corev1.SELinuxOptions{
 			Level: "foo",
 		},
 	},

pkg/security/podsecuritypolicy/types.go

@@ -17,9 +17,9 @@ limitations under the License.
 package podsecuritypolicy
 
 import (
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/apparmor"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/capabilities"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/group"

pkg/security/podsecuritypolicy/user/BUILD

@@ -18,8 +18,8 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/user",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
 )
@@ -34,7 +34,8 @@ go_test(
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
     ],
 )
 

pkg/security/podsecuritypolicy/user/mustrunas.go

@@ -19,9 +19,9 @@ package user
 import (
 	"fmt"
 
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 )
 

pkg/security/podsecuritypolicy/user/mustrunas_test.go

@@ -17,8 +17,8 @@ limitations under the License.
 package user
 
 import (
+	policy "k8s.io/api/policy/v1beta1"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 	"strings"
 	"testing"
 )

pkg/security/podsecuritypolicy/user/nonroot.go

@@ -17,9 +17,9 @@ limitations under the License.
 package user
 
 import (
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 type nonRoot struct{}

pkg/security/podsecuritypolicy/user/nonroot_test.go

@@ -17,8 +17,8 @@ limitations under the License.
 package user
 
 import (
-	api "k8s.io/kubernetes/pkg/apis/core"
+	api "k8s.io/api/core/v1"
-	"k8s.io/kubernetes/pkg/apis/policy"
+	policy "k8s.io/api/policy/v1beta1"
 	"testing"
 )
 

pkg/security/podsecuritypolicy/user/runasany.go

@@ -17,9 +17,9 @@ limitations under the License.
 package user
 
 import (
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 // runAsAny implements the interface RunAsUserStrategy.

pkg/security/podsecuritypolicy/user/runasany_test.go

@@ -19,7 +19,7 @@ package user
 import (
 	"testing"
 
-	"k8s.io/kubernetes/pkg/apis/policy"
+	policy "k8s.io/api/policy/v1beta1"
 )
 
 func TestRunAsAnyOptions(t *testing.T) {

pkg/security/podsecuritypolicy/util/BUILD

@@ -15,7 +15,7 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util",
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
     ],
 )
@@ -26,7 +26,7 @@ go_test(
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
     ],
 )
 

pkg/security/podsecuritypolicy/util/util.go

@@ -20,9 +20,9 @@ import (
 	"fmt"
 	"strings"
 
+	policy "k8s.io/api/policy/v1beta1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 const (

pkg/security/podsecuritypolicy/util/util_test.go

@@ -20,8 +20,8 @@ import (
 	"reflect"
 	"testing"
 
+	policy "k8s.io/api/policy/v1beta1"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
 )
 
 // TestVolumeSourceFSTypeDrift ensures that for every known type of volume source (by the fields on

plugin/pkg/admission/security/podsecuritypolicy/BUILD

@@ -14,13 +14,11 @@ go_library(
         "//pkg/apis/core:go_default_library",
         "//pkg/apis/extensions:go_default_library",
         "//pkg/apis/policy:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
-        "//pkg/client/listers/policy/internalversion:go_default_library",
-        "//pkg/kubeapiserver/admission:go_default_library",
         "//pkg/registry/rbac:go_default_library",
         "//pkg/security/podsecuritypolicy:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
         "//pkg/serviceaccount:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
@@ -28,6 +26,8 @@ go_library(
         "//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//staging/src/k8s.io/client-go/informers:go_default_library",
+        "//staging/src/k8s.io/client-go/listers/policy/v1beta1:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",
     ],
 )
@@ -39,14 +39,14 @@ go_test(
     deps = [
         "//pkg/api/legacyscheme:go_default_library",
         "//pkg/apis/core:go_default_library",
-        "//pkg/apis/policy:go_default_library",
+        "//pkg/apis/core/v1:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
         "//pkg/controller:go_default_library",
         "//pkg/security/apparmor:go_default_library",
         "//pkg/security/podsecuritypolicy:go_default_library",
         "//pkg/security/podsecuritypolicy/seccomp:go_default_library",
         "//pkg/security/podsecuritypolicy/util:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
@@ -55,6 +55,7 @@ go_test(
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
+        "//staging/src/k8s.io/client-go/informers:go_default_library",
         "//vendor/github.com/stretchr/testify/assert:go_default_library",
         "//vendor/k8s.io/utils/pointer:go_default_library",
     ],

plugin/pkg/admission/security/podsecuritypolicy/admission.go

@@ -24,6 +24,7 @@ import (
 
 	"github.com/golang/glog"
 
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -31,12 +32,11 @@ import (
 	genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/client-go/informers"
+	policylisters "k8s.io/client-go/listers/policy/v1beta1"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/apis/policy"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
-	policylisters "k8s.io/kubernetes/pkg/client/listers/policy/internalversion"
-	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
 	psp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
 	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
@@ -83,7 +83,7 @@ func (plugin *PodSecurityPolicyPlugin) ValidateInitialization() error {
 var _ admission.MutationInterface = &PodSecurityPolicyPlugin{}
 var _ admission.ValidationInterface = &PodSecurityPolicyPlugin{}
 var _ genericadmissioninit.WantsAuthorizer = &PodSecurityPolicyPlugin{}
-var _ kubeapiserveradmission.WantsInternalKubeInformerFactory = &PodSecurityPolicyPlugin{}
+var _ genericadmissioninit.WantsExternalKubeInformerFactory = &PodSecurityPolicyPlugin{}
 var auditKeyPrefix = strings.ToLower(PluginName) + "." + policy.GroupName + ".k8s.io"
 
 // newPlugin creates a new PSP admission plugin.
@@ -95,8 +95,8 @@ func newPlugin(strategyFactory psp.StrategyFactory, failOnNoPolicies bool) *PodS
 	}
 }
 
-func (a *PodSecurityPolicyPlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) {
+func (a *PodSecurityPolicyPlugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
-	podSecurityPolicyInformer := f.Policy().InternalVersion().PodSecurityPolicies()
+	podSecurityPolicyInformer := f.Policy().V1beta1().PodSecurityPolicies()
 	a.lister = podSecurityPolicyInformer.Lister()
 	a.SetReadyFunc(podSecurityPolicyInformer.Informer().HasSynced)
 }
@@ -338,7 +338,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod) field.ErrorList
 }
 
 // createProvidersFromPolicies creates providers from the constraints supplied.
-func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*policy.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
+func (c *PodSecurityPolicyPlugin) createProvidersFromPolicies(psps []*policyv1beta1.PodSecurityPolicy, namespace string) ([]psp.Provider, []error) {
 	var (
 		// collected providers
 		providers []psp.Provider

plugin/pkg/admission/security/podsecuritypolicy/admission_test.go

@@ -25,6 +25,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
@@ -33,10 +34,10 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
+	"k8s.io/client-go/informers"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	kapi "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/apis/policy"
+	k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/security/apparmor"
 	kpsp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
@@ -50,11 +51,11 @@ const defaultContainerName = "test-c"
 // NewTestAdmission provides an admission plugin with test implementations of internal structs.
 func NewTestAdmission(psps []*policy.PodSecurityPolicy, authz authorizer.Authorizer) *PodSecurityPolicyPlugin {
 	informerFactory := informers.NewSharedInformerFactory(nil, controller.NoResyncPeriodFunc())
-	store := informerFactory.Policy().InternalVersion().PodSecurityPolicies().Informer().GetStore()
+	store := informerFactory.Policy().V1beta1().PodSecurityPolicies().Informer().GetStore()
 	for _, psp := range psps {
 		store.Add(psp)
 	}
-	lister := informerFactory.Policy().InternalVersion().PodSecurityPolicies().Lister()
+	lister := informerFactory.Policy().V1beta1().PodSecurityPolicies().Lister()
 	if authz == nil {
 		authz = &TestAuthorizer{}
 	}
@@ -502,19 +503,19 @@ func TestAdmitCaps(t *testing.T) {
 
 	allowsFooInAllowed := restrictivePSP()
 	allowsFooInAllowed.Name = "allowCapInAllowed"
-	allowsFooInAllowed.Spec.AllowedCapabilities = []kapi.Capability{"foo"}
+	allowsFooInAllowed.Spec.AllowedCapabilities = []v1.Capability{"foo"}
 
 	allowsFooInRequired := restrictivePSP()
 	allowsFooInRequired.Name = "allowCapInRequired"
-	allowsFooInRequired.Spec.DefaultAddCapabilities = []kapi.Capability{"foo"}
+	allowsFooInRequired.Spec.DefaultAddCapabilities = []v1.Capability{"foo"}
 
 	requiresFooToBeDropped := restrictivePSP()
 	requiresFooToBeDropped.Name = "requireDrop"
-	requiresFooToBeDropped.Spec.RequiredDropCapabilities = []kapi.Capability{"foo"}
+	requiresFooToBeDropped.Spec.RequiredDropCapabilities = []v1.Capability{"foo"}
 
 	allowAllInAllowed := restrictivePSP()
 	allowAllInAllowed.Name = "allowAllCapsInAllowed"
-	allowAllInAllowed.Spec.AllowedCapabilities = []kapi.Capability{policy.AllowAllCapabilities}
+	allowAllInAllowed.Spec.AllowedCapabilities = []v1.Capability{policy.AllowAllCapabilities}
 
 	tc := map[string]struct {
 		pod                  *kapi.Pod
@@ -959,12 +960,18 @@ func TestAdmitSELinux(t *testing.T) {
 	mustRunAs := permissivePSP()
 	mustRunAs.Name = "mustRunAs"
 	mustRunAs.Spec.SELinux.Rule = policy.SELinuxStrategyMustRunAs
-	mustRunAs.Spec.SELinux.SELinuxOptions = &kapi.SELinuxOptions{}
+	mustRunAs.Spec.SELinux.SELinuxOptions = &v1.SELinuxOptions{}
 	mustRunAs.Spec.SELinux.SELinuxOptions.Level = "level"
 	mustRunAs.Spec.SELinux.SELinuxOptions.Role = "role"
 	mustRunAs.Spec.SELinux.SELinuxOptions.Type = "type"
 	mustRunAs.Spec.SELinux.SELinuxOptions.User = "user"
 
+	getInternalSEOptions := func(policy *policy.PodSecurityPolicy) *kapi.SELinuxOptions {
+		opt := kapi.SELinuxOptions{}
+		k8s_api_v1.Convert_v1_SELinuxOptions_To_core_SELinuxOptions(policy.Spec.SELinux.SELinuxOptions, &opt, nil)
+		return &opt
+	}
+
 	tests := map[string]struct {
 		pod                 *kapi.Pod
 		psps                []*policy.PodSecurityPolicy
@@ -1047,7 +1054,7 @@ func TestAdmitSELinux(t *testing.T) {
 			psps:                []*policy.PodSecurityPolicy{mustRunAs},
 			shouldPassAdmit:     true,
 			shouldPassValidate:  true,
-			expectedPodSC:       &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
+			expectedPodSC:       &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
 			expectedContainerSC: nil,
 			expectedPSP:         mustRunAs.Name,
 		},
@@ -1059,7 +1066,7 @@ func TestAdmitSELinux(t *testing.T) {
 			psps:                []*policy.PodSecurityPolicy{mustRunAs},
 			shouldPassAdmit:     true,
 			shouldPassValidate:  true,
-			expectedPodSC:       &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
+			expectedPodSC:       &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
 			expectedContainerSC: nil,
 			expectedPSP:         mustRunAs.Name,
 		},
@@ -1071,7 +1078,7 @@ func TestAdmitSELinux(t *testing.T) {
 			psps:                []*policy.PodSecurityPolicy{mustRunAs},
 			shouldPassAdmit:     true,
 			shouldPassValidate:  true,
-			expectedPodSC:       &kapi.PodSecurityContext{SELinuxOptions: mustRunAs.Spec.SELinux.SELinuxOptions},
+			expectedPodSC:       &kapi.PodSecurityContext{SELinuxOptions: getInternalSEOptions(mustRunAs)},
 			expectedContainerSC: nil,
 			expectedPSP:         mustRunAs.Name,
 		},
@@ -2337,12 +2344,14 @@ func TestPreferValidatedPSP(t *testing.T) {
 }
 
 func restrictivePSP() *policy.PodSecurityPolicy {
+	allowPrivilegeEscalation := false
 	return &policy.PodSecurityPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        "restrictive",
 			Annotations: map[string]string{},
 		},
 		Spec: policy.PodSecurityPolicySpec{
+			AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 			RunAsUser: policy.RunAsUserStrategyOptions{
 				Rule: policy.RunAsUserStrategyMustRunAs,
 				Ranges: []policy.IDRange{
@@ -2357,7 +2366,7 @@ func restrictivePSP() *policy.PodSecurityPolicy {
 			},
 			SELinux: policy.SELinuxStrategyOptions{
 				Rule: policy.SELinuxStrategyMustRunAs,
-				SELinuxOptions: &kapi.SELinuxOptions{
+				SELinuxOptions: &v1.SELinuxOptions{
 					Level: "s9:z0,z1",
 				},
 			},
@@ -2378,19 +2387,20 @@ func restrictivePSP() *policy.PodSecurityPolicy {
 }
 
 func permissivePSP() *policy.PodSecurityPolicy {
+	allowPrivilegeEscalation := true
 	return &policy.PodSecurityPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        "privileged",
 			Annotations: map[string]string{},
 		},
 		Spec: policy.PodSecurityPolicySpec{
-			AllowPrivilegeEscalation: true,
+			AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 			HostIPC:                  true,
 			HostNetwork:              true,
 			HostPID:                  true,
 			HostPorts:                []policy.HostPortRange{{Min: 0, Max: 65536}},
 			Volumes:                  []policy.FSType{policy.All},
-			AllowedCapabilities:      []kapi.Capability{policy.AllowAllCapabilities},
+			AllowedCapabilities:      []v1.Capability{policy.AllowAllCapabilities},
 			RunAsUser: policy.RunAsUserStrategyOptions{
 				Rule: policy.RunAsUserStrategyRunAsAny,
 			},