vendor: update buildkit to v0.19.0-rc1

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This commit is contained in:
Tonis Tiigi
2025-01-14 14:20:26 -08:00
parent 630066bfc5
commit 44fa243d58
1910 changed files with 95196 additions and 50438 deletions


@ -37,6 +37,60 @@ message ExtraValue {
repeated string items = 1;
}
// FieldSelectorAttributes indicates a field limited access.
// Webhook authors are encouraged to
// * ensure rawSelector and requirements are not both set
// * consider the requirements field if set
// * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details.
// For the *SubjectAccessReview endpoints of the kube-apiserver:
// * If rawSelector is empty and requirements are empty, the request is not limited.
// * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds.
// * If rawSelector is empty and requirements are present, the requirements should be honored
// * If rawSelector is present and requirements are present, the request is invalid.
message FieldSelectorAttributes {
// rawSelector is the serialization of a field selector that would be included in a query parameter.
// Webhook implementations are encouraged to ignore rawSelector.
// The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
// +optional
optional string rawSelector = 1;
// requirements is the parsed interpretation of a field selector.
// All requirements must be met for a resource instance to match the selector.
// Webhook implementations should handle requirements, but how to handle them is up to the webhook.
// Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements
// are not understood.
// +optional
// +listType=atomic
repeated .k8s.io.apimachinery.pkg.apis.meta.v1.FieldSelectorRequirement requirements = 2;
}
// LabelSelectorAttributes indicates a label limited access.
// Webhook authors are encouraged to
// * ensure rawSelector and requirements are not both set
// * consider the requirements field if set
// * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details.
// For the *SubjectAccessReview endpoints of the kube-apiserver:
// * If rawSelector is empty and requirements are empty, the request is not limited.
// * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds.
// * If rawSelector is empty and requirements are present, the requirements should be honored
// * If rawSelector is present and requirements are present, the request is invalid.
message LabelSelectorAttributes {
// rawSelector is the serialization of a field selector that would be included in a query parameter.
// Webhook implementations are encouraged to ignore rawSelector.
// The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
// +optional
optional string rawSelector = 1;
// requirements is the parsed interpretation of a label selector.
// All requirements must be met for a resource instance to match the selector.
// Webhook implementations should handle requirements, but how to handle them is up to the webhook.
// Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements
// are not understood.
// +optional
// +listType=atomic
repeated .k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement requirements = 2;
}
// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
// checking.
@ -44,7 +98,7 @@ message LocalSubjectAccessReview {
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace
// you made the request against. If empty, it is defaulted.
@ -69,11 +123,13 @@ message NonResourceAttributes {
// NonResourceRule holds information that describes a rule for the non-resource
message NonResourceRule {
// Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
// +listType=atomic
repeated string verbs = 1;
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
// final step in the path. "*" means all.
// +optional
// +listType=atomic
repeated string nonResourceURLs = 2;
}
@ -109,26 +165,44 @@ message ResourceAttributes {
// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
// +optional
optional string name = 7;
// fieldSelector describes the limitation on access based on field. It can only limit access, not broaden it.
//
// This field is alpha-level. To use this field, you must enable the
// `AuthorizeWithSelectors` feature gate (disabled by default).
// +optional
optional FieldSelectorAttributes fieldSelector = 8;
// labelSelector describes the limitation on access based on labels. It can only limit access, not broaden it.
//
// This field is alpha-level. To use this field, you must enable the
// `AuthorizeWithSelectors` feature gate (disabled by default).
// +optional
optional LabelSelectorAttributes labelSelector = 9;
}
// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
// may contain duplicates, and possibly be incomplete.
message ResourceRule {
// Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
// +listType=atomic
repeated string verbs = 1;
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
// the enumerated resources in any API group will be allowed. "*" means all.
// +optional
// +listType=atomic
repeated string apiGroups = 2;
// Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
// "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
// +optional
// +listType=atomic
repeated string resources = 3;
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
// +optional
// +listType=atomic
repeated string resourceNames = 4;
}
@ -139,7 +213,7 @@ message SelfSubjectAccessReview {
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Spec holds information about the request being evaluated. user and groups must be empty
optional SelfSubjectAccessReviewSpec spec = 2;
@ -171,7 +245,7 @@ message SelfSubjectRulesReview {
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Spec holds information about the request being evaluated.
optional SelfSubjectRulesReviewSpec spec = 2;
@ -192,7 +266,7 @@ message SubjectAccessReview {
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Spec holds information about the request being evaluated
optional SubjectAccessReviewSpec spec = 2;
@ -220,6 +294,7 @@ message SubjectAccessReviewSpec {
// Groups is the groups you're testing for.
// +optional
// +listType=atomic
repeated string groups = 4;
// Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
@ -262,10 +337,12 @@ message SubjectAccessReviewStatus {
message SubjectRulesReviewStatus {
// ResourceRules is the list of actions the subject is allowed to perform on resources.
// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
// +listType=atomic
repeated ResourceRule resourceRules = 1;
// NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
// +listType=atomic
repeated NonResourceRule nonResourceRules = 2;
// Incomplete is true when the rules returned by this call are incomplete. This is most commonly