zouy414
diff --git a/‎pkg/api/pod/util.go‎
Lines changed: 13 additions & 3 deletions b/‎pkg/api/pod/util.go‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎pkg/api/pod/util_test.go‎
Lines changed: 17 additions & 3 deletions b/‎pkg/api/pod/util_test.go‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎pkg/apis/apps/v1/zz_generated.defaults.go‎
Lines changed: 0 additions & 24 deletions b/‎pkg/apis/apps/v1/zz_generated.defaults.go‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎pkg/apis/apps/v1beta1/zz_generated.defaults.go‎
Lines changed: 0 additions & 12 deletions b/‎pkg/apis/apps/v1beta1/zz_generated.defaults.go‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎pkg/apis/apps/v1beta2/zz_generated.defaults.go‎
Lines changed: 0 additions & 24 deletions b/‎pkg/apis/apps/v1beta2/zz_generated.defaults.go‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎pkg/apis/batch/v1/zz_generated.defaults.go‎
Lines changed: 0 additions & 6 deletions b/‎pkg/apis/batch/v1/zz_generated.defaults.go‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎pkg/apis/batch/v1beta1/zz_generated.defaults.go‎
Lines changed: 0 additions & 12 deletions b/‎pkg/apis/batch/v1beta1/zz_generated.defaults.go‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎pkg/apis/batch/v2alpha1/zz_generated.defaults.go‎
Lines changed: 0 additions & 12 deletions b/‎pkg/apis/batch/v2alpha1/zz_generated.defaults.go‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎pkg/apis/core/fuzzer/fuzzer.go‎
Lines changed: 0 additions & 4 deletions b/‎pkg/apis/core/fuzzer/fuzzer.go‎
Lines changed: 0 additions & 4 deletions
@@ -447,12 +447,22 @@ func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {
 		defaultProcMount := api.DefaultProcMount
 		for i := range podSpec.Containers {
 			if podSpec.Containers[i].SecurityContext != nil {
-				podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount
+				if podSpec.Containers[i].SecurityContext.ProcMount != nil {
+					// The ProcMount field was improperly forced to non-nil in 1.12.
+					// If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.
+					// Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.
+					podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount
+				}
 			}
 		}
 		for i := range podSpec.InitContainers {
 			if podSpec.InitContainers[i].SecurityContext != nil {
-				podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount
+				if podSpec.InitContainers[i].SecurityContext.ProcMount != nil {
+					// The ProcMount field was improperly forced to non-nil in 1.12.
+					// If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.
+					// Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.
+					podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount
+				}
 			}
 		}
 	}
@@ -514,7 +524,7 @@ func runtimeClassInUse(podSpec *api.PodSpec) bool {
 	return false
 }
 
-// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set
+// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set to a non-default value
 func procMountInUse(podSpec *api.PodSpec) bool {
 	if podSpec == nil {
 		return false
 
@@ -616,7 +616,7 @@ func TestDropProcMount(t *testing.T) {
 			},
 		}
 	}
-	podWithoutProcMount := func() *api.Pod {
+	podWithDefaultProcMount := func() *api.Pod {
 		return &api.Pod{
 			Spec: api.PodSpec{
 				RestartPolicy:  api.RestartPolicyNever,
@@ -625,6 +625,15 @@ func TestDropProcMount(t *testing.T) {
 			},
 		}
 	}
+	podWithoutProcMount := func() *api.Pod {
+		return &api.Pod{
+			Spec: api.PodSpec{
+				RestartPolicy:  api.RestartPolicyNever,
+				Containers:     []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
+				InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
+			},
+		}
+	}
 
 	podInfo := []struct {
 		description  string
@@ -636,6 +645,11 @@ func TestDropProcMount(t *testing.T) {
 			hasProcMount: true,
 			pod:          podWithProcMount,
 		},
+		{
+			description:  "has default ProcMount",
+			hasProcMount: false,
+			pod:          podWithDefaultProcMount,
+		},
 		{
 			description:  "does not have ProcMount",
 			hasProcMount: false,
@@ -683,8 +697,8 @@ func TestDropProcMount(t *testing.T) {
 							t.Errorf("new pod was not changed")
 						}
 						// new pod should not have ProcMount
-						if !reflect.DeepEqual(newPod, podWithoutProcMount()) {
-							t.Errorf("new pod had ProcMount: %v", diff.ObjectReflectDiff(newPod, podWithoutProcMount()))
+						if procMountInUse(&newPod.Spec) {
+							t.Errorf("new pod had ProcMount: %#v", &newPod.Spec)
 						}
 					default:
 						// new pod should not need to be changed
 
@@ -354,10 +354,6 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 				c.Fuzz(&sc.Capabilities.Add)
 				c.Fuzz(&sc.Capabilities.Drop)
 			}
-			if sc.ProcMount == nil {
-				defProcMount := core.DefaultProcMount
-				sc.ProcMount = &defProcMount
-			}
 		},
 		func(s *core.Secret, c fuzz.Continue) {
 			c.FuzzNoCustom(s) // fuzz self without calling this function again
Original file line number	Diff line number	Diff line change
`@@ -447,12 +447,22 @@ func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {`
`447`	`447`	`defaultProcMount := api.DefaultProcMount`
`448`	`448`	`for i := range podSpec.Containers {`
`449`	`449`	`if podSpec.Containers[i].SecurityContext != nil {`
`450`		`- podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount`
	`450`	`+ if podSpec.Containers[i].SecurityContext.ProcMount != nil {`
	`451`	`+ // The ProcMount field was improperly forced to non-nil in 1.12.`
	`452`	`+ // If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.`
	`453`	`+ // Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.`
	`454`	`+ podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount`
	`455`	`+ }`
`451`	`456`	`}`
`452`	`457`	`}`
`453`	`458`	`for i := range podSpec.InitContainers {`
`454`	`459`	`if podSpec.InitContainers[i].SecurityContext != nil {`
`455`		`- podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount`
	`460`	`+ if podSpec.InitContainers[i].SecurityContext.ProcMount != nil {`
	`461`	`+ // The ProcMount field was improperly forced to non-nil in 1.12.`
	`462`	`+ // If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.`
	`463`	`+ // Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.`
	`464`	`+ podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount`
	`465`	`+ }`
`456`	`466`	`}`
`457`	`467`	`}`
`458`	`468`	`}`
`@@ -514,7 +524,7 @@ func runtimeClassInUse(podSpec *api.PodSpec) bool {`
`514`	`524`	`return false`
`515`	`525`	`}`
`516`	`526`
`517`		`-// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set`
	`527`	`+// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set to a non-default value`
`518`	`528`	`func procMountInUse(podSpec *api.PodSpec) bool {`
`519`	`529`	`if podSpec == nil {`
`520`	`530`	`return false`