Inline some SecurityContext fields into PodSecurityContext
@@ -789,7 +789,8 @@ type Container struct {
|
||||
TerminationMessagePath string `json:"terminationMessagePath,omitempty"`
|
||||
// Required: Policy for pulling images for this container
|
||||
ImagePullPolicy PullPolicy `json:"imagePullPolicy"`
|
||||
// Optional: SecurityContext defines the security options the pod should be run with
|
||||
// Optional: SecurityContext defines the security options the container should be run with.
|
||||
// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
|
||||
SecurityContext *SecurityContext `json:"securityContext,omitempty"`
|
||||
|
||||
// Variables for interactive containers, these have very specialized use-cases (e.g. debugging)
|
||||
@@ -987,7 +988,8 @@ type PodSpec struct {
|
||||
// the scheduler simply schedules this pod onto that node, assuming that it fits resource
|
||||
// requirements.
|
||||
NodeName string `json:"nodeName,omitempty"`
|
||||
// SecurityContext holds pod-level security attributes and common container settings
|
||||
// SecurityContext holds pod-level security attributes and common container settings.
|
||||
// Optional: Defaults to empty. See type description for default values of each field.
|
||||
SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
|
||||
// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
|
||||
// If specified, these secrets will be passed to individual puller implementations for them to use. For example,
|
||||
@@ -996,12 +998,13 @@ type PodSpec struct {
|
||||
}
|
||||
|
||||
// PodSecurityContext holds pod-level security attributes and common container settings.
|
||||
// Some fields are also present in SecurityContext. Field values of SecurityContext take
|
||||
// precedence over field values of PodSecurityContext.
|
||||
type PodSecurityContext struct {
|
||||
// Use the host's network namespace. If this option is set, the ports that will be
|
||||
// used must be specified.
|
||||
// Optional: Default to false
|
||||
HostNetwork bool `json:"hostNetwork,omitempty"`
|
||||
|
||||
// Use the host's pid namespace.
|
||||
// Optional: Default to false.
|
||||
HostPID bool `json:"hostPID,omitempty"`
|
||||
@@ -1014,6 +1017,25 @@ type PodSecurityContext struct {
|
||||
// as. This will be applied to all containers in the pod in
|
||||
// addition to the primary group of the container.
|
||||
SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
|
||||
// The SELinux context to be applied to all containers.
|
||||
// If unspecified, the container runtime will allocate a random SELinux context for each
|
||||
// container. May also be set in SecurityContext. If set in
|
||||
// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
|
||||
// takes precedence for that container.
|
||||
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty"`
|
||||
// The UID to run the entrypoint of the container process.
|
||||
// Defaults to user specified in image metadata if unspecified.
|
||||
// May also be set in SecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty"`
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
|
||||
// If unset or false, no such validation will be performed.
|
||||
// May also be set in SecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
|
||||
}
|
||||
|
||||
// PodStatus represents information about the status of a pod. Status may trail the actual
|
||||
@@ -2037,41 +2059,44 @@ type ComponentStatusList struct {
|
||||
Items []ComponentStatus `json:"items"`
|
||||
}
|
||||
|
||||
// SecurityContext holds security configuration that will be applied to a container. SecurityContext
|
||||
// contains duplication of some existing fields from the Container resource. These duplicate fields
|
||||
// will be populated based on the Container configuration if they are not set. Defining them on
|
||||
// both the Container AND the SecurityContext will result in an error.
|
||||
// SecurityContext holds security configuration that will be applied to a container.
|
||||
// Some fields are present in both SecurityContext and PodSecurityContext. When both
|
||||
// are set, the values in SecurityContext take precedence.
|
||||
type SecurityContext struct {
|
||||
// Capabilities are the capabilities to add/drop when running the container
|
||||
// The capabilities to add/drop when running containers.
|
||||
// Defaults to the default set of capabilities granted by the container runtime.
|
||||
Capabilities *Capabilities `json:"capabilities,omitempty"`
|
||||
|
||||
// Run the container in privileged mode
|
||||
// Run container in privileged mode.
|
||||
// Processes in privileged containers are essentially equivalent to root on the host.
|
||||
// Defaults to false.
|
||||
Privileged *bool `json:"privileged,omitempty"`
|
||||
|
||||
// SELinuxOptions are the labels to be applied to the container
|
||||
// and volumes
|
||||
// The SELinux context to be applied to the container.
|
||||
// If unspecified, the container runtime will allocate a random SELinux context for each
|
||||
// container. May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty"`
|
||||
|
||||
// RunAsUser is the UID to run the entrypoint of the container process.
|
||||
// The UID to run the entrypoint of the container process.
|
||||
// Defaults to user specified in image metadata if unspecified.
|
||||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty"`
|
||||
|
||||
// RunAsNonRoot indicates that the container should be run as a non-root user. If the RunAsUser
|
||||
// field is not explicitly set then the kubelet may check the image for a specified user or
|
||||
// perform defaulting to specify a user.
|
||||
RunAsNonRoot bool
|
||||
// Indicates that the container must run as a non-root user.
|
||||
// If true, the Kubelet will validate the image at runtime to ensure that it
|
||||
// does not run as UID 0 (root) and fail to start the container if it does.
|
||||
// If unset or false, no such validation will be performed.
|
||||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
|
||||
}
|
||||
|
||||
// SELinuxOptions are the labels to be applied to the container.
|
||||
type SELinuxOptions struct {
|
||||
// SELinux user label
|
||||
User string `json:"user,omitempty"`
|
||||
|
||||
// SELinux role label
|
||||
Role string `json:"role,omitempty"`
|
||||
|
||||
// SELinux type label
|
||||
Type string `json:"type,omitempty"`
|
||||
|
||||
// SELinux level label.
|
||||
Level string `json:"level,omitempty"`
|
||||
}
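Review bot: In the SecurityContext hunk, RunAsNonRoot changes from an untagged `bool` (which encoding/json serializes under the key `RunAsNonRoot`) to `*bool` tagged `json:"runAsNonRoot,omitempty"`, so an object serialized under the old key would decode to nil with the new tag and silently lose its non-root requirement; if this type is persisted or exchanged on the wire rather than purely internal, the conversion or defaulting code (not visible in this diff) should handle the old form, and a round-trip test would pin that. The precedence rule now documented on both types also means a container can set `runAsNonRoot: false` to opt out of a pod-level `true`, so the pod-level field is not a guarantee by itself; that is worth saying explicitly on PodSecurityContext.RunAsNonRoot, e.g. `// Note: an explicit false in a container's SecurityContext overrides a pod-level true.` Since Privileged and Capabilities have no pod-level counterpart, any validation that enforces a non-root or non-privileged policy has to compute the effective per-container value rather than inspect the pod field alone.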
|
||||
|
||||