github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve the description of PodSecurityContext.SupplementalGroups (including cri-api)

Browse Source 
so that it explicitly describe group information defined in the
container image will be kept. This also adds e2e test case of
SupplementalGroups with pre-defined groups in the container
image to make the behaivier clearer.
This commit is contained in:
Shingo Omura
2022-10-13 17:04:30 +09:00
parent c98aef484d
commit ac1d5fdf37
12 changed files with 72 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/apis/core/types.go
View File

@@ -3131,8 +3131,11 @@ type PodSecurityContext struct {
// +optional
RunAsNonRoot *bool
// A list of groups applied to the first process run in each container, in addition
// to the container's primary GID. If unspecified, no groups will be added to
// any container.
// to the container's primary GID, the fsGroup (if specified), and group memberships
// defined in the container image for the uid of the container process. If unspecified,
// no additional groups are added to any container. Note that group memberships
// defined in the container image for the uid of the container process are still effective,
// even if they are not included in this list.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SupplementalGroups []int64