github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #63717 from ingvagabund/promote-sysctl-annotations-to-fields

Browse Source 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Promote sysctl annotations to fields

#


**What this PR does / why we need it**:

Promoting experimental sysctl feature from annotations to API fields.

**Special notes for your reviewer**:

Following sysctl KEP: https://github.com/kubernetes/community/pull/2093

**Release note**:

```release-note
The Sysctls experimental feature has been promoted to beta (enabled by default via the `Sysctls` feature flag). PodSecurityPolicy and Pod objects now have fields for specifying and controlling sysctls. Alpha sysctl annotations will be ignored by 1.11+ kubelets. All alpha sysctl annotations in existing deployments must be converted to API fields to be effective.
```

**TODO**:

* [x] - Promote sysctl annotation in Pod spec
* [x] - Promote sysctl annotation in PodSecuritySpec spec
* [x] - Feature gate the sysctl
* [x] - Promote from alpha to beta
* [x] - docs PR - https://github.com/kubernetes/website/pull/8804
This commit is contained in:
Kubernetes Submit Queue 2018-06-06 00:47:36 -07:00 committed by GitHub
commit b6f75ac30e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
80 changed files with 2904 additions and 2120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
api/openapi-spec/swagger.json generated
View File

@ -79360,6 +79360,13 @@
"type": "integer",
"format": "int64"
}
},
"sysctls": {
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.",
"type": "array",
"items": {
"$ref": "#/definitions/io.k8s.api.core.v1.Sysctl"
}
}
}
},
@ -80881,6 +80888,23 @@
}
}
},
"io.k8s.api.core.v1.Sysctl": {
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"description": "Name of a property to set",
"type": "string"
},
"value": {
"description": "Value of a property to set",
"type": "string"
}
}
},
"io.k8s.api.core.v1.TCPSocketAction": {
"description": "TCPSocketAction describes an action based on opening a socket",
"required": [
@ -82345,6 +82369,13 @@
"$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath"
}
},
"allowedUnsafeSysctls": {
"description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"type": "array",
"items": {
"type": "string"
}
},
"defaultAddCapabilities": {
"description": "defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.",
"type": "array",
@ -82356,6 +82387,13 @@
"description": "defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.",
"type": "boolean"
},
"forbiddenSysctls": {
"description": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
"type": "array",
"items": {
"type": "string"
}
},
"fsGroup": {
"description": "fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"$ref": "#/definitions/io.k8s.api.extensions.v1beta1.FSGroupStrategyOptions"
@ -83233,6 +83271,13 @@
"$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedHostPath"
}
},
"allowedUnsafeSysctls": {
"description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"type": "array",
"items": {
"type": "string"
}
},
"defaultAddCapabilities": {
"description": "defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.",
"type": "array",
@ -83244,6 +83289,13 @@
"description": "defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.",
"type": "boolean"
},
"forbiddenSysctls": {
"description": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
"type": "array",
"items": {
"type": "string"
}
},
"fsGroup": {
"description": "fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"$ref": "#/definitions/io.k8s.api.policy.v1beta1.FSGroupStrategyOptions"

25
api/swagger-spec/apps_v1.json generated
View File

@ -8421,6 +8421,31 @@
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
},
"sysctls": {
"type": "array",
"items": {
"$ref": "v1.Sysctl"
},
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch."
}
}
},
"v1.Sysctl": {
"id": "v1.Sysctl",
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"type": "string",
"description": "Name of a property to set"
},
"value": {
"type": "string",
"description": "Value of a property to set"
}
}
},

25
api/swagger-spec/apps_v1beta1.json generated
View File

@ -6055,6 +6055,31 @@
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
},
"sysctls": {
"type": "array",
"items": {
"$ref": "v1.Sysctl"
},
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch."
}
}
},
"v1.Sysctl": {
"id": "v1.Sysctl",
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"type": "string",
"description": "Name of a property to set"
},
"value": {
"type": "string",
"description": "Value of a property to set"
}
}
},

25
api/swagger-spec/apps_v1beta2.json generated
View File

@ -8421,6 +8421,31 @@
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
},
"sysctls": {
"type": "array",
"items": {
"$ref": "v1.Sysctl"
},
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch."
}
}
},
"v1.Sysctl": {
"id": "v1.Sysctl",
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"type": "string",
"description": "Name of a property to set"
},
"value": {
"type": "string",
"description": "Value of a property to set"
}
}
},

25
api/swagger-spec/batch_v1.json generated
View File

@ -3395,6 +3395,31 @@
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
},
"sysctls": {
"type": "array",
"items": {
"$ref": "v1.Sysctl"
},
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch."
}
}
},
"v1.Sysctl": {
"id": "v1.Sysctl",
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"type": "string",
"description": "Name of a property to set"
},
"value": {
"type": "string",
"description": "Value of a property to set"
}
}
},

25
api/swagger-spec/batch_v1beta1.json generated
View File

@ -3450,6 +3450,31 @@
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
},
"sysctls": {
"type": "array",
"items": {
"$ref": "v1.Sysctl"
},
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch."
}
}
},
"v1.Sysctl": {
"id": "v1.Sysctl",
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"type": "string",
"description": "Name of a property to set"
},
"value": {
"type": "string",
"description": "Value of a property to set"
}
}
},

25
api/swagger-spec/batch_v2alpha1.json generated
View File

@ -3450,6 +3450,31 @@
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
},
"sysctls": {
"type": "array",
"items": {
"$ref": "v1.Sysctl"
},
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch."
}
}
},
"v1.Sysctl": {
"id": "v1.Sysctl",
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"type": "string",
"description": "Name of a property to set"
},
"value": {
"type": "string",
"description": "Value of a property to set"
}
}
},

39
api/swagger-spec/extensions_v1beta1.json generated
View File

@ -9063,6 +9063,31 @@
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
},
"sysctls": {
"type": "array",
"items": {
"$ref": "v1.Sysctl"
},
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch."
}
}
},
"v1.Sysctl": {
"id": "v1.Sysctl",
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"type": "string",
"description": "Name of a property to set"
},
"value": {
"type": "string",
"description": "Value of a property to set"
}
}
},
@ -10392,6 +10417,20 @@
"$ref": "v1beta1.AllowedFlexVolume"
},
"description": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field."
},
"allowedUnsafeSysctls": {
"type": "array",
"items": {
"type": "string"
},
"description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc."
},
"forbiddenSysctls": {
"type": "array",
"items": {
"type": "string"
},
"description": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."
}
}
},

14
api/swagger-spec/policy_v1beta1.json generated
View File

@ -2499,6 +2499,20 @@
"$ref": "v1beta1.AllowedFlexVolume"
},
"description": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field."
},
"allowedUnsafeSysctls": {
"type": "array",
"items": {
"type": "string"
},
"description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc."
},
"forbiddenSysctls": {
"type": "array",
"items": {
"type": "string"
},
"description": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."
}
}
},

25
api/swagger-spec/v1.json generated
View File

@ -21725,6 +21725,31 @@
"type": "integer",
"format": "int64",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
},
"sysctls": {
"type": "array",
"items": {
"$ref": "v1.Sysctl"
},
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch."
}
}
},
"v1.Sysctl": {
"id": "v1.Sysctl",
"description": "Sysctl defines a kernel parameter to be set",
"required": [
"name",
"value"
],
"properties": {
"name": {
"type": "string",
"description": "Name of a property to set"
},
"value": {
"type": "string",
"description": "Value of a property to set"
}
}
},

2
cmd/kubelet/app/options/options.go
View File

@ -387,7 +387,7 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
// EXPERIMENTAL FLAGS
fs.StringVar(&f.ExperimentalMounterPath, "experimental-mounter-path", f.ExperimentalMounterPath, "[Experimental] Path of mounter binary. Leave empty to use the default mount.")
fs.StringSliceVar(&f.AllowedUnsafeSysctls, "experimental-allowed-unsafe-sysctls", f.AllowedUnsafeSysctls, "Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in *). Use these at your own risk.")
fs.StringSliceVar(&f.AllowedUnsafeSysctls, "allowed-unsafe-sysctls", f.AllowedUnsafeSysctls, "Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in *). Use these at your own risk. Sysctls feature gate is enabled by default.")
fs.BoolVar(&f.ExperimentalKernelMemcgNotification, "experimental-kernel-memcg-notification", f.ExperimentalKernelMemcgNotification, "If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling.")
fs.StringVar(&f.RemoteRuntimeEndpoint, "container-runtime-endpoint", f.RemoteRuntimeEndpoint, "[Experimental] The endpoint of remote runtime service. Currently unix socket is supported on Linux, and tcp is supported on windows. Examples:'unix:///var/run/dockershim.sock', 'tcp://localhost:3735'")
fs.StringVar(&f.RemoteImageEndpoint, "image-service-endpoint", f.RemoteImageEndpoint, "[Experimental] The endpoint of remote image service. If not specified, it will be the same with container-runtime-endpoint by default. Currently unix socket is supported on Linux, and tcp is supported on windows. Examples:'unix:///var/run/dockershim.sock', 'tcp://localhost:3735'")

48
docs/api-reference/apps/v1/definitions.html generated
View File

@ -5788,6 +5788,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_sysctl">v1.Sysctl</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -7491,6 +7498,47 @@ The StatefulSet guarantees that a given network identity will always map to the
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_sysctl">v1.Sysctl</h3>
<div class="paragraph">
<p>Sysctl defines a kernel parameter to be set</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Value of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_deploymentspec">v1.DeploymentSpec</h3>

48
docs/api-reference/apps/v1beta1/definitions.html generated
View File

@ -5923,6 +5923,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_sysctl">v1.Sysctl</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -6949,6 +6956,47 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_sysctl">v1.Sysctl</h3>
<div class="paragraph">
<p>Sysctl defines a kernel parameter to be set</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Value of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_patch">v1.Patch</h3>

48
docs/api-reference/apps/v1beta2/definitions.html generated
View File

@ -6257,6 +6257,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_sysctl">v1.Sysctl</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -7482,6 +7489,47 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_sysctl">v1.Sysctl</h3>
<div class="paragraph">
<p>Sysctl defines a kernel parameter to be set</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Value of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_patch">v1.Patch</h3>

48
docs/api-reference/batch/v1/definitions.html generated
View File

@ -4728,6 +4728,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_sysctl">v1.Sysctl</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -5881,6 +5888,47 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_sysctl">v1.Sysctl</h3>
<div class="paragraph">
<p>Sysctl defines a kernel parameter to be set</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Value of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_patch">v1.Patch</h3>

144
docs/api-reference/batch/v1beta1/definitions.html generated
View File

@ -4097,6 +4097,54 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_poddnsconfig">v1.PodDNSConfig</h3>
<div class="paragraph">
<p>PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">nameservers</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">searches</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">options</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_poddnsconfigoption">v1.PodDNSConfigOption</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_status">v1.Status</h3>
@ -4180,54 +4228,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_poddnsconfig">v1.PodDNSConfig</h3>
<div class="paragraph">
<p>PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">nameservers</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">searches</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">options</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_poddnsconfigoption">v1.PodDNSConfigOption</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_nfsvolumesource">v1.NFSVolumeSource</h3>
@ -4879,6 +4879,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_sysctl">v1.Sysctl</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -5901,6 +5908,47 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_sysctl">v1.Sysctl</h3>
<div class="paragraph">
<p>Sysctl defines a kernel parameter to be set</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Value of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_patch">v1.Patch</h3>

144
docs/api-reference/batch/v2alpha1/definitions.html generated
View File

@ -3994,6 +3994,54 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_poddnsconfig">v1.PodDNSConfig</h3>
<div class="paragraph">
<p>PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">nameservers</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">searches</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">options</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_poddnsconfigoption">v1.PodDNSConfigOption</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_status">v1.Status</h3>
@ -4077,54 +4125,6 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_poddnsconfig">v1.PodDNSConfig</h3>
<div class="paragraph">
<p>PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">nameservers</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">searches</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">options</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_poddnsconfigoption">v1.PodDNSConfigOption</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_nfsvolumesource">v1.NFSVolumeSource</h3>
@ -4735,6 +4735,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_sysctl">v1.Sysctl</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -5784,6 +5791,47 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_sysctl">v1.Sysctl</h3>
<div class="paragraph">
<p>Sysctl defines a kernel parameter to be set</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Value of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_patch">v1.Patch</h3>

66
docs/api-reference/extensions/v1beta1/definitions.html generated
View File

@ -6649,6 +6649,13 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_sysctl">v1.Sysctl</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -7970,6 +7977,47 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_sysctl">v1.Sysctl</h3>
<div class="paragraph">
<p>Sysctl defines a kernel parameter to be set</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Value of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1beta1_networkpolicyport">v1beta1.NetworkPolicyPort</h3>
@ -8167,6 +8215,24 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_allowedflexvolume">v1beta1.AllowedFlexVolume</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowedUnsafeSysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "<strong>" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.<br>
<br>
Examples: e.g. "foo/</strong>" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">forbiddenSysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "<strong>" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.<br>
<br>
Examples: e.g. "foo/</strong>" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>

18
docs/api-reference/policy/v1beta1/definitions.html generated
View File

@ -1483,6 +1483,24 @@ Examples: <code>/foo</code> would allow <code>/foo</code>, <code>/foo/</code> an
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_allowedflexvolume">v1beta1.AllowedFlexVolume</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowedUnsafeSysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "<strong>" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.<br>
<br>
Examples: e.g. "foo/</strong>" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">forbiddenSysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "<strong>" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.<br>
<br>
Examples: e.g. "foo/</strong>" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>

124
docs/api-reference/v1/definitions.html generated
View File

@ -4358,6 +4358,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">sysctls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_sysctl">v1.Sysctl</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -5727,6 +5734,47 @@ Examples:<br>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_sysctl">v1.Sysctl</h3>
<div class="paragraph">
<p>Sysctl defines a kernel parameter to be set</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Value of a property to set</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_patch">v1.Patch</h3>
@ -10951,44 +10999,6 @@ More info: <a href="https://kubernetes.io/docs/concepts/workloads/pods/pod-lifec
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_watchevent">v1.WatchEvent</h3>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
<td class="tableblock halign-left valign-top"></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">object</p></td>
<td class="tableblock halign-left valign-top"></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_secret">v1.Secret</h3>
@ -11058,6 +11068,44 @@ More info: <a href="https://kubernetes.io/docs/concepts/workloads/pods/pod-lifec
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_watchevent">v1.WatchEvent</h3>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
<col style="width:20%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Description</th>
<th class="tableblock halign-left valign-top">Required</th>
<th class="tableblock halign-left valign-top">Schema</th>
<th class="tableblock halign-left valign-top">Default</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
<td class="tableblock halign-left valign-top"></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">object</p></td>
<td class="tableblock halign-left valign-top"></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_v1_labelselectorrequirement">v1.LabelSelectorRequirement</h3>

14
pkg/apis/core/annotation_key_constants.go
View File

@ -56,20 +56,6 @@ const (
// in the Annotations of a Node.
PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods"
// SysctlsPodAnnotationKey represents the key of sysctls which are set for the infrastructure
// container of a pod. The annotation value is a comma separated list of sysctl_name=value
// key-value pairs. Only a limited set of whitelisted and isolated sysctls is supported by
// the kubelet. Pods with other sysctls will fail to launch.
SysctlsPodAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
// UnsafeSysctlsPodAnnotationKey represents the key of sysctls which are set for the infrastructure
// container of a pod. The annotation value is a comma separated list of sysctl_name=value
// key-value pairs. Unsafe sysctls must be explicitly enabled for a kubelet. They are properly
// namespaced to a pod or a container, but their isolation is usually unclear or weak. Their use
// is at-your-own-risk. Pods that attempt to set an unsafe sysctl that is not enabled for a kubelet
// will fail to launch.
UnsafeSysctlsPodAnnotationKey string = "security.alpha.kubernetes.io/unsafe-sysctls"
// ObjectTTLAnnotations represents a suggestion for kubelet for how long it can cache
// an object (e.g. secret, config map) before fetching it again from apiserver.
// This annotation can be attached to node.

48
pkg/apis/core/helper/helpers.go
View File

@ -499,54 +499,6 @@ func GetTaintsFromNodeAnnotations(annotations map[string]string) ([]core.Taint,
return taints, nil
}
// SysctlsFromPodAnnotations parses the sysctl annotations into a slice of safe Sysctls
// and a slice of unsafe Sysctls. This is only a convenience wrapper around
// SysctlsFromPodAnnotation.
func SysctlsFromPodAnnotations(a map[string]string) ([]core.Sysctl, []core.Sysctl, error) {
safe, err := SysctlsFromPodAnnotation(a[core.SysctlsPodAnnotationKey])
if err != nil {
return nil, nil, err
}
unsafe, err := SysctlsFromPodAnnotation(a[core.UnsafeSysctlsPodAnnotationKey])
if err != nil {
return nil, nil, err
}
return safe, unsafe, nil
}
// SysctlsFromPodAnnotation parses an annotation value into a slice of Sysctls.
func SysctlsFromPodAnnotation(annotation string) ([]core.Sysctl, error) {
if len(annotation) == 0 {
return nil, nil
}
kvs := strings.Split(annotation, ",")
sysctls := make([]core.Sysctl, len(kvs))
for i, kv := range kvs {
cs := strings.Split(kv, "=")
if len(cs) != 2 || len(cs[0]) == 0 {
return nil, fmt.Errorf("sysctl %q not of the format sysctl_name=value", kv)
}
sysctls[i].Name = cs[0]
sysctls[i].Value = cs[1]
}
return sysctls, nil
}
// PodAnnotationsFromSysctls creates an annotation value for a slice of Sysctls.
func PodAnnotationsFromSysctls(sysctls []core.Sysctl) string {
if len(sysctls) == 0 {
return ""
}
kvs := make([]string, len(sysctls))
for i := range sysctls {
kvs[i] = fmt.Sprintf("%s=%s", sysctls[i].Name, sysctls[i].Value)
}
return strings.Join(kvs, ",")
}
// GetPersistentVolumeClass returns StorageClassName.
func GetPersistentVolumeClass(volume *core.PersistentVolume) string {
// Use beta annotation first

47
pkg/apis/core/helper/helpers_test.go
View File

@ -239,53 +239,6 @@ func TestNodeSelectorRequirementsAsSelector(t *testing.T) {
}
}
func TestSysctlsFromPodAnnotation(t *testing.T) {
type Test struct {
annotation string
expectValue []core.Sysctl
expectErr bool
}
for i, test := range []Test{
{
annotation: "",
expectValue: nil,
},
{
annotation: "foo.bar",
expectErr: true,
},
{
annotation: "=123",
expectErr: true,
},
{
annotation: "foo.bar=",
expectValue: []core.Sysctl{{Name: "foo.bar", Value: ""}},
},
{
annotation: "foo.bar=42",
expectValue: []core.Sysctl{{Name: "foo.bar", Value: "42"}},
},
{
annotation: "foo.bar=42,",
expectErr: true,
},
{
annotation: "foo.bar=42,abc.def=1",
expectValue: []core.Sysctl{{Name: "foo.bar", Value: "42"}, {Name: "abc.def", Value: "1"}},
},
} {
sysctls, err := SysctlsFromPodAnnotation(test.annotation)
if test.expectErr && err == nil {
t.Errorf("[%v]expected error but got none", i)
} else if !test.expectErr && err != nil {
t.Errorf("[%v]did not expect error but got: %v", i, err)
} else if !reflect.DeepEqual(sysctls, test.expectValue) {
t.Errorf("[%v]expect value %v but got %v", i, test.expectValue, sysctls)
}
}
}
func TestIsHugePageResourceName(t *testing.T) {
testCases := []struct {
name core.ResourceName

4
pkg/apis/core/types.go
View File

@ -2657,6 +2657,10 @@ type PodSecurityContext struct {
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// +optional
FSGroup *int64
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
// sysctls (by the container runtime) might fail to launch.
// +optional
Sysctls []Sysctl
}
// PodQOSClass defines the supported qos classes of Pods.

17
pkg/apis/core/v1/conversion.go
View File

@ -495,6 +495,14 @@ func Convert_core_PodSecurityContext_To_v1_PodSecurityContext(in *core.PodSecuri
out.RunAsGroup = in.RunAsGroup
out.RunAsNonRoot = in.RunAsNonRoot
out.FSGroup = in.FSGroup
if in.Sysctls != nil {
out.Sysctls = make([]v1.Sysctl, len(in.Sysctls))
for i, sysctl := range in.Sysctls {
if err := Convert_core_Sysctl_To_v1_Sysctl(&sysctl, &out.Sysctls[i], s); err != nil {
return err
}
}
}
return nil
}
@ -512,6 +520,15 @@ func Convert_v1_PodSecurityContext_To_core_PodSecurityContext(in *v1.PodSecurity
out.RunAsGroup = in.RunAsGroup
out.RunAsNonRoot = in.RunAsNonRoot
out.FSGroup = in.FSGroup
if in.Sysctls != nil {
out.Sysctls = make([]core.Sysctl, len(in.Sysctls))
for i, sysctl := range in.Sysctls {
if err := Convert_v1_Sysctl_To_core_Sysctl(&sysctl, &out.Sysctls[i], s); err != nil {
return err
}
}
}
return nil
}

48
pkg/apis/core/v1/helper/helpers.go
View File

@ -462,54 +462,6 @@ func GetAvoidPodsFromNodeAnnotations(annotations map[string]string) (v1.AvoidPod
return avoidPods, nil
}
// SysctlsFromPodAnnotations parses the sysctl annotations into a slice of safe Sysctls
// and a slice of unsafe Sysctls. This is only a convenience wrapper around
// SysctlsFromPodAnnotation.
func SysctlsFromPodAnnotations(a map[string]string) ([]v1.Sysctl, []v1.Sysctl, error) {
safe, err := SysctlsFromPodAnnotation(a[v1.SysctlsPodAnnotationKey])
if err != nil {
return nil, nil, err
}
unsafe, err := SysctlsFromPodAnnotation(a[v1.UnsafeSysctlsPodAnnotationKey])
if err != nil {
return nil, nil, err
}
return safe, unsafe, nil
}
// SysctlsFromPodAnnotation parses an annotation value into a slice of Sysctls.
func SysctlsFromPodAnnotation(annotation string) ([]v1.Sysctl, error) {
if len(annotation) == 0 {
return nil, nil
}
kvs := strings.Split(annotation, ",")
sysctls := make([]v1.Sysctl, len(kvs))
for i, kv := range kvs {
cs := strings.Split(kv, "=")
if len(cs) != 2 || len(cs[0]) == 0 {
return nil, fmt.Errorf("sysctl %q not of the format sysctl_name=value", kv)
}
sysctls[i].Name = cs[0]
sysctls[i].Value = cs[1]
}
return sysctls, nil
}
// PodAnnotationsFromSysctls creates an annotation value for a slice of Sysctls.
func PodAnnotationsFromSysctls(sysctls []v1.Sysctl) string {
if len(sysctls) == 0 {
return ""
}
kvs := make([]string, len(sysctls))
for i := range sysctls {
kvs[i] = fmt.Sprintf("%s=%s", sysctls[i].Name, sysctls[i].Value)
}
return strings.Join(kvs, ",")
}
// GetPersistentVolumeClass returns StorageClassName.
func GetPersistentVolumeClass(volume *v1.PersistentVolume) string {
// Use beta annotation first

47
pkg/apis/core/v1/helper/helpers_test.go
View File

@ -582,53 +582,6 @@ func TestGetAvoidPodsFromNode(t *testing.T) {
}
}
func TestSysctlsFromPodAnnotation(t *testing.T) {
type Test struct {
annotation string
expectValue []v1.Sysctl
expectErr bool
}
for i, test := range []Test{
{
annotation: "",
expectValue: nil,
},
{
annotation: "foo.bar",
expectErr: true,
},
{
annotation: "=123",
expectErr: true,
},
{
annotation: "foo.bar=",
expectValue: []v1.Sysctl{{Name: "foo.bar", Value: ""}},
},
{
annotation: "foo.bar=42",
expectValue: []v1.Sysctl{{Name: "foo.bar", Value: "42"}},
},
{
annotation: "foo.bar=42,",
expectErr: true,
},
{
annotation: "foo.bar=42,abc.def=1",
expectValue: []v1.Sysctl{{Name: "foo.bar", Value: "42"}, {Name: "abc.def", Value: "1"}},
},
} {
sysctls, err := SysctlsFromPodAnnotation(test.annotation)
if test.expectErr && err == nil {
t.Errorf("[%v]expected error but got none", i)
} else if !test.expectErr && err != nil {
t.Errorf("[%v]did not expect error but got: %v", i, err)
} else if !reflect.DeepEqual(sysctls, test.expectValue) {
t.Errorf("[%v]expect value %v but got %v", i, test.expectValue, sysctls)
}
}
}
func TestMatchNodeSelectorTerms(t *testing.T) {
type args struct {
nodeSelectorTerms []v1.NodeSelectorTerm

2
pkg/apis/core/v1/zz_generated.conversion.go generated
View File

@ -3782,6 +3782,7 @@ func autoConvert_v1_PodSecurityContext_To_core_PodSecurityContext(in *v1.PodSecu
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
out.Sysctls = *(*[]core.Sysctl)(unsafe.Pointer(&in.Sysctls))
return nil
}
@ -3796,6 +3797,7 @@ func autoConvert_core_PodSecurityContext_To_v1_PodSecurityContext(in *core.PodSe
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
out.Sysctls = *(*[]v1.Sysctl)(unsafe.Pointer(&in.Sysctls))
return nil
}

43
pkg/apis/core/validation/validation.go
View File

@ -129,23 +129,6 @@ func ValidatePodSpecificAnnotations(annotations map[string]string, spec *core.Po
allErrs = append(allErrs, ValidateSeccompPodAnnotations(annotations, fldPath)...)
allErrs = append(allErrs, ValidateAppArmorPodAnnotations(annotations, spec, fldPath)...)
sysctls, err := helper.SysctlsFromPodAnnotation(annotations[core.SysctlsPodAnnotationKey])
if err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Key(core.SysctlsPodAnnotationKey), annotations[core.SysctlsPodAnnotationKey], err.Error()))
} else {
allErrs = append(allErrs, validateSysctls(sysctls, fldPath.Key(core.SysctlsPodAnnotationKey))...)
}
unsafeSysctls, err := helper.SysctlsFromPodAnnotation(annotations[core.UnsafeSysctlsPodAnnotationKey])
if err != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Key(core.UnsafeSysctlsPodAnnotationKey), annotations[core.UnsafeSysctlsPodAnnotationKey], err.Error()))
} else {
allErrs = append(allErrs, validateSysctls(unsafeSysctls, fldPath.Key(core.UnsafeSysctlsPodAnnotationKey))...)
}
inBoth := sysctlIntersection(sysctls, unsafeSysctls)
if len(inBoth) > 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Key(core.UnsafeSysctlsPodAnnotationKey), strings.Join(inBoth, ", "), "can not be safe and unsafe"))
}
return allErrs
}
@ -3364,12 +3347,16 @@ func IsValidSysctlName(name string) bool {
func validateSysctls(sysctls []core.Sysctl, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
names := make(map[string]struct{})
for i, s := range sysctls {
if len(s.Name) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Index(i).Child("name"), ""))
} else if !IsValidSysctlName(s.Name) {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i).Child("name"), s.Name, fmt.Sprintf("must have at most %d characters and match regex %s", SysctlMaxLength, SysctlFmt)))
} else if _, ok := names[s.Name]; ok {
allErrs = append(allErrs, field.Duplicate(fldPath.Index(i).Child("name"), s.Name))
}
names[s.Name] = struct{}{}
}
return allErrs
}
@ -3408,6 +3395,14 @@ func ValidatePodSecurityContext(securityContext *core.PodSecurityContext, spec *
allErrs = append(allErrs, field.Invalid(fldPath.Child("shareProcessNamespace"), *securityContext.ShareProcessNamespace, "ShareProcessNamespace and HostPID cannot both be enabled"))
}
}
if len(securityContext.Sysctls) != 0 {
if utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
allErrs = append(allErrs, validateSysctls(securityContext.Sysctls, fldPath.Child("sysctls"))...)
} else {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("sysctls"), "Sysctls are disabled by Sysctls feature-gate"))
}
}
}
return allErrs
@ -5279,20 +5274,6 @@ func ValidateLoadBalancerStatus(status *core.LoadBalancerStatus, fldPath *field.
return allErrs
}
func sysctlIntersection(a []core.Sysctl, b []core.Sysctl) []string {
lookup := make(map[string]struct{}, len(a))
result := []string{}
for i := range a {
lookup[a[i].Name] = struct{}{}
}
for i := range b {
if _, found := lookup[b[i].Name]; found {
result = append(result, b[i].Name)
}
}
return result
}
// validateVolumeNodeAffinity tests that the PersistentVolume.NodeAffinity has valid data
// returns:
// - true if volumeNodeAffinity is set

93
pkg/apis/core/validation/validation_test.go
View File

@ -6778,12 +6778,28 @@ func TestValidatePod(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
core.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
},
Spec: core.PodSpec{
Containers: []core.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
RestartPolicy: core.RestartPolicyAlways,
DNSPolicy: core.DNSClusterFirst,
SecurityContext: &core.PodSecurityContext{
Sysctls: []core.Sysctl{
{
Name: "kernel.shmmni",
Value: "32768",
},
{
Name: "kernel.shmmax",
Value: "1000000000",
},
{
Name: "knet.ipv4.route.min_pmtu",
Value: "1000",
},
},
},
},
Spec: validPodSpec(nil),
},
{ // valid extended resources for init container
ObjectMeta: metav1.ObjectMeta{Name: "valid-extended", Namespace: "ns"},
@ -7464,59 +7480,6 @@ func TestValidatePod(t *testing.T) {
Spec: validPodSpec(nil),
},
},
"invalid sysctl annotation": {
expectedError: "metadata.annotations[security.alpha.kubernetes.io/sysctls]",
spec: core.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.SysctlsPodAnnotationKey: "foo:",
},
},
Spec: validPodSpec(nil),
},
},
"invalid comma-separated sysctl annotation": {
expectedError: "not of the format sysctl_name=value",
spec: core.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.SysctlsPodAnnotationKey: "kernel.msgmax,",
},
},
Spec: validPodSpec(nil),
},
},
"invalid unsafe sysctl annotation": {
expectedError: "metadata.annotations[security.alpha.kubernetes.io/sysctls]",
spec: core.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.SysctlsPodAnnotationKey: "foo:",
},
},
Spec: validPodSpec(nil),
},
},
"intersecting safe sysctls and unsafe sysctls annotations": {
expectedError: "can not be safe and unsafe",
spec: core.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.SysctlsPodAnnotationKey: "kernel.shmmax=10000000",
core.UnsafeSysctlsPodAnnotationKey: "kernel.shmmax=10000000",
},
},
Spec: validPodSpec(nil),
},
},
"invalid extended resource requirement: request must be == limit": {
expectedError: "must be equal to example.com/a",
spec: core.Pod{
@ -12805,6 +12768,11 @@ func TestValidateSysctls(t *testing.T) {
"_invalid",
}
duplicates := []string{
"kernel.shmmax",
"kernel.shmmax",
}
sysctls := make([]core.Sysctl, len(valid))
for i, sysctl := range valid {
sysctls[i].Name = sysctl
@ -12829,6 +12797,17 @@ func TestValidateSysctls(t *testing.T) {
t.Errorf("unexpected errors: expected=%q, got=%q", expected, got)
}
}
sysctls = make([]core.Sysctl, len(duplicates))
for i, sysctl := range duplicates {
sysctls[i].Name = sysctl
}
errs = validateSysctls(sysctls, field.NewPath("foo"))
if len(errs) != 1 {
t.Errorf("unexpected validation errors: %v", errs)
} else if errs[0].Type != field.ErrorTypeDuplicate {
t.Errorf("expected error type %v, got %v", field.ErrorTypeDuplicate, errs[0].Type)
}
}
func newNodeNameEndpoint(nodeName string) *core.Endpoints {

5
pkg/apis/core/zz_generated.deepcopy.go generated
View File

@ -3831,6 +3831,11 @@ func (in *PodSecurityContext) DeepCopyInto(out *PodSecurityContext) {
**out = **in
}
}
if in.Sysctls != nil {
in, out := &in.Sysctls, &out.Sysctls
*out = make([]Sysctl, len(*in))
copy(*out, *in)
}
return
}

4
pkg/apis/extensions/v1beta1/zz_generated.conversion.go generated
View File

@ -1123,6 +1123,8 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(i
}
out.AllowedHostPaths = *(*[]policy.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
return nil
}
@ -1160,6 +1162,8 @@ func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(i
}
out.AllowedHostPaths = *(*[]v1beta1.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
out.AllowedFlexVolumes = *(*[]v1beta1.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
return nil
}

8
pkg/apis/policy/BUILD
View File

@ -3,14 +3,12 @@ package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_library(
name = "go_default_library",
srcs = [
"doc.go",
"helpers.go",
"register.go",
"types.go",
"zz_generated.deepcopy.go",
@ -43,9 +41,3 @@ filegroup(
],
tags = ["automanaged"],
)
go_test(
name = "go_default_test",
srcs = ["helpers_test.go"],
embed = [":go_default_library"],
)

37
pkg/apis/policy/helpers.go
View File

@ -1,37 +0,0 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"strings"
)
// SysctlsFromPodSecurityPolicyAnnotation parses an annotation value of the key
// SysctlsSecurityPolicyAnnotationKey into a slice of sysctls. An empty slice
// is returned if annotation is the empty string.
func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error) {
if len(annotation) == 0 {
return []string{}, nil
}
return strings.Split(annotation, ","), nil
}
// PodAnnotationsFromSysctls creates an annotation value for a slice of Sysctls.
func PodAnnotationsFromSysctls(sysctls []string) string {
return strings.Join(sysctls, ",")
}

62
pkg/apis/policy/helpers_test.go
View File

@ -1,62 +0,0 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"reflect"
"testing"
)
func TestPodAnnotationsFromSysctls(t *testing.T) {
type Test struct {
sysctls []string
expectedValue string
}
for _, test := range []Test{
{sysctls: []string{"a.b"}, expectedValue: "a.b"},
{sysctls: []string{"a.b", "c.d"}, expectedValue: "a.b,c.d"},
{sysctls: []string{"a.b", "a.b"}, expectedValue: "a.b,a.b"},
{sysctls: []string{}, expectedValue: ""},
{sysctls: nil, expectedValue: ""},
} {
a := PodAnnotationsFromSysctls(test.sysctls)
if a != test.expectedValue {
t.Errorf("wrong value for %v: got=%q wanted=%q", test.sysctls, a, test.expectedValue)
}
}
}
func TestSysctlsFromPodSecurityPolicyAnnotation(t *testing.T) {
type Test struct {
expectedValue []string
annotation string
}
for _, test := range []Test{
{annotation: "a.b", expectedValue: []string{"a.b"}},
{annotation: "a.b,c.d", expectedValue: []string{"a.b", "c.d"}},
{annotation: "a.b,a.b", expectedValue: []string{"a.b", "a.b"}},
{annotation: "", expectedValue: []string{}},
} {
sysctls, err := SysctlsFromPodSecurityPolicyAnnotation(test.annotation)
if err != nil {
t.Errorf("error for %q: %v", test.annotation, err)
}
if !reflect.DeepEqual(sysctls, test.expectedValue) {
t.Errorf("wrong value for %q: got=%v wanted=%v", test.annotation, sysctls, test.expectedValue)
}
}
}

26
pkg/apis/policy/types.go
View File

@ -22,13 +22,6 @@ import (
api "k8s.io/kubernetes/pkg/apis/core"
)
const (
// SysctlsPodSecurityPolicyAnnotationKey represents the key of a whitelist of
// allowed safe and unsafe sysctls in a pod spec. It's a comma-separated list of plain sysctl
// names or sysctl patterns (which end in *). The string "*" matches all sysctls.
SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
)
// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
type PodDisruptionBudgetSpec struct {
// An eviction is allowed if at least "minAvailable" pods selected by
@ -215,6 +208,25 @@ type PodSecurityPolicySpec struct {
// is allowed in the "Volumes" field.
// +optional
AllowedFlexVolumes []AllowedFlexVolume
// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
AllowedUnsafeSysctls []string
// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
ForbiddenSysctls []string
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy

4
pkg/apis/policy/v1beta1/zz_generated.conversion.go generated
View File

@ -411,6 +411,8 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(i
}
out.AllowedHostPaths = *(*[]policy.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
return nil
}
@ -448,6 +450,8 @@ func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(i
}
out.AllowedHostPaths = *(*[]v1beta1.AllowedHostPath)(unsafe.Pointer(&in.AllowedHostPaths))
out.AllowedFlexVolumes = *(*[]v1beta1.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
return nil
}

2
pkg/apis/policy/validation/BUILD
View File

@ -15,12 +15,14 @@ go_library(
"//pkg/apis/core/validation:go_default_library",
"//pkg/apis/extensions/validation:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/features:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/util:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
],
)

76
pkg/apis/policy/validation/validation.go
View File

@ -30,9 +30,12 @@ import (
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
extensionsvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
utilfeature "k8s.io/apiserver/pkg/util/feature"
)
func ValidatePodDisruptionBudget(pdb *policy.PodDisruptionBudget) field.ErrorList {
@ -118,6 +121,9 @@ func ValidatePodSecurityPolicySpec(spec *policy.PodSecurityPolicySpec, fldPath *
allErrs = append(allErrs, validatePSPDefaultAllowPrivilegeEscalation(fldPath.Child("defaultAllowPrivilegeEscalation"), spec.DefaultAllowPrivilegeEscalation, spec.AllowPrivilegeEscalation)...)
allErrs = append(allErrs, validatePSPAllowedHostPaths(fldPath.Child("allowedHostPaths"), spec.AllowedHostPaths)...)
allErrs = append(allErrs, validatePSPAllowedFlexVolumes(fldPath.Child("allowedFlexVolumes"), spec.AllowedFlexVolumes)...)
allErrs = append(allErrs, validatePodSecurityPolicySysctls(fldPath.Child("allowedUnsafeSysctls"), spec.AllowedUnsafeSysctls)...)
allErrs = append(allErrs, validatePodSecurityPolicySysctls(fldPath.Child("forbiddenSysctls"), spec.ForbiddenSysctls)...)
allErrs = append(allErrs, validatePodSecurityPolicySysctlListsDoNotOverlap(fldPath.Child("allowedUnsafeSysctls"), fldPath.Child("forbiddenSysctls"), spec.AllowedUnsafeSysctls, spec.ForbiddenSysctls)...)
return allErrs
}
@ -138,15 +144,6 @@ func ValidatePodSecurityPolicySpecificAnnotations(annotations map[string]string,
}
}
sysctlAnnotation := annotations[policy.SysctlsPodSecurityPolicyAnnotationKey]
sysctlFldPath := fldPath.Key(policy.SysctlsPodSecurityPolicyAnnotationKey)
sysctls, err := policy.SysctlsFromPodSecurityPolicyAnnotation(sysctlAnnotation)
if err != nil {
allErrs = append(allErrs, field.Invalid(sysctlFldPath, sysctlAnnotation, err.Error()))
} else {
allErrs = append(allErrs, validatePodSecurityPolicySysctls(sysctlFldPath, sysctls)...)
}
if p := annotations[seccomp.DefaultProfileAnnotationKey]; p != "" {
allErrs = append(allErrs, apivalidation.ValidateSeccompProfile(p, fldPath.Key(seccomp.DefaultProfileAnnotationKey))...)
}
@ -307,11 +304,64 @@ func IsValidSysctlPattern(name string) bool {
return sysctlPatternRegexp.MatchString(name)
}
func validatePodSecurityPolicySysctlListsDoNotOverlap(allowedSysctlsFldPath, forbiddenSysctlsFldPath *field.Path, allowedUnsafeSysctls, forbiddenSysctls []string) field.ErrorList {
allErrs := field.ErrorList{}
for i, allowedSysctl := range allowedUnsafeSysctls {
isAllowedSysctlPattern := false
allowedSysctlPrefix := ""
if strings.HasSuffix(allowedSysctl, "*") {
isAllowedSysctlPattern = true
allowedSysctlPrefix = strings.TrimSuffix(allowedSysctl, "*")
}
for j, forbiddenSysctl := range forbiddenSysctls {
isForbiddenSysctlPattern := false
forbiddenSysctlPrefix := ""
if strings.HasSuffix(forbiddenSysctl, "*") {
isForbiddenSysctlPattern = true
forbiddenSysctlPrefix = strings.TrimSuffix(forbiddenSysctl, "*")
}
switch {
case isAllowedSysctlPattern && isForbiddenSysctlPattern:
if strings.HasPrefix(allowedSysctlPrefix, forbiddenSysctlPrefix) {
allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
} else if strings.HasPrefix(forbiddenSysctlPrefix, allowedSysctlPrefix) {
allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
}
case isAllowedSysctlPattern:
if strings.HasPrefix(forbiddenSysctl, allowedSysctlPrefix) {
allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
}
case isForbiddenSysctlPattern:
if strings.HasPrefix(allowedSysctl, forbiddenSysctlPrefix) {
allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
}
default:
if allowedSysctl == forbiddenSysctl {
allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
}
}
}
}
return allErrs
}
// validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
allErrs := field.ErrorList{}
if len(sysctls) == 0 {
return allErrs
}
if !utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
return append(allErrs, field.Forbidden(fldPath, "Sysctls are disabled by Sysctls feature-gate"))
}
coversAll := false
for i, s := range sysctls {
if !IsValidSysctlPattern(string(s)) {
if len(s) == 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("empty sysctl not allowed")))
} else if !IsValidSysctlPattern(string(s)) {
allErrs = append(
allErrs,
field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
@ -319,9 +369,15 @@ func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) fie
SysctlPatternFmt,
)),
)
} else if s[0] == '*' {
coversAll = true
}
}
if coversAll && len(sysctls) > 1 {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("items"), fmt.Sprintf("if '*' is present, must not specify other sysctls")))
}
return allErrs
}

48
pkg/apis/policy/validation/validation_test.go
View File

@ -323,8 +323,19 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + ",not-good",
}
invalidSysctlPattern := validPSP()
invalidSysctlPattern.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "a.*.b"
invalidAllowedUnsafeSysctlPattern := validPSP()
invalidAllowedUnsafeSysctlPattern.Spec.AllowedUnsafeSysctls = []string{"a.*.b"}
invalidForbiddenSysctlPattern := validPSP()
invalidForbiddenSysctlPattern.Spec.ForbiddenSysctls = []string{"a.*.b"}
invalidOverlappingSysctls := validPSP()
invalidOverlappingSysctls.Spec.ForbiddenSysctls = []string{"kernel.*", "net.ipv4.ip_local_port_range"}
invalidOverlappingSysctls.Spec.AllowedUnsafeSysctls = []string{"kernel.shmmax", "net.ipv4.ip_local_port_range"}
invalidDuplicatedSysctls := validPSP()
invalidDuplicatedSysctls.Spec.ForbiddenSysctls = []string{"net.ipv4.ip_local_port_range"}
invalidDuplicatedSysctls.Spec.AllowedUnsafeSysctls = []string{"net.ipv4.ip_local_port_range"}
invalidSeccompDefault := validPSP()
invalidSeccompDefault.Annotations = map[string]string{
@ -456,11 +467,26 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
errorType: field.ErrorTypeInvalid,
errorDetail: "invalid AppArmor profile name: \"not-good\"",
},
"invalid sysctl pattern": {
psp: invalidSysctlPattern,
"invalid allowed unsafe sysctl pattern": {
psp: invalidAllowedUnsafeSysctlPattern,
errorType: field.ErrorTypeInvalid,
errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
},
"invalid forbidden sysctl pattern": {
psp: invalidForbiddenSysctlPattern,
errorType: field.ErrorTypeInvalid,
errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
},
"invalid overlapping sysctl pattern": {
psp: invalidOverlappingSysctls,
errorType: field.ErrorTypeInvalid,
errorDetail: fmt.Sprintf("sysctl overlaps with %s", invalidOverlappingSysctls.Spec.ForbiddenSysctls[0]),
},
"invalid duplicated sysctls": {
psp: invalidDuplicatedSysctls,
errorType: field.ErrorTypeInvalid,
errorDetail: fmt.Sprintf("sysctl overlaps with %s", invalidDuplicatedSysctls.Spec.AllowedUnsafeSysctls[0]),
},
"invalid seccomp default profile": {
psp: invalidSeccompDefault,
errorType: field.ErrorTypeInvalid,
@ -561,8 +587,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo",
}
withSysctl := validPSP()
withSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "net.*"
withForbiddenSysctl := validPSP()
withForbiddenSysctl.Spec.ForbiddenSysctls = []string{"net.*"}
withAllowedUnsafeSysctl := validPSP()
withAllowedUnsafeSysctl.Spec.AllowedUnsafeSysctls = []string{"net.ipv4.tcp_max_syn_backlog"}
validSeccomp := validPSP()
validSeccomp.Annotations = map[string]string{
@ -607,8 +636,11 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
"valid AppArmor annotations": {
psp: validAppArmor,
},
"with network sysctls": {
psp: withSysctl,
"with network sysctls forbidden": {
psp: withForbiddenSysctl,
},
"with unsafe net.ipv4.tcp_max_syn_backlog sysctl allowed": {
psp: withAllowedUnsafeSysctl,
},
"valid seccomp annotations": {
psp: validSeccomp,

10
pkg/apis/policy/zz_generated.deepcopy.go generated
View File

@ -385,6 +385,16 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
*out = make([]AllowedFlexVolume, len(*in))
copy(*out, *in)
}
if in.AllowedUnsafeSysctls != nil {
in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.ForbiddenSysctls != nil {
in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}

7
pkg/features/kube_features.go
View File

@ -160,6 +160,12 @@ const (
// Enable pods to consume pre-allocated huge pages of varying page sizes
HugePages utilfeature.Feature = "HugePages"
// owner: @sjenning
// beta: v1.11
//
// Enable pods to set sysctls on a pod
Sysctls utilfeature.Feature = "Sysctls"
// owner @brendandburns
// alpha: v1.9
//
@ -352,6 +358,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
PersistentLocalVolumes: {Default: true, PreRelease: utilfeature.Beta},
LocalStorageCapacityIsolation: {Default: true, PreRelease: utilfeature.Beta},
HugePages: {Default: true, PreRelease: utilfeature.Beta},
Sysctls: {Default: true, PreRelease: utilfeature.Beta},
DebugContainers: {Default: false, PreRelease: utilfeature.Alpha},
PodShareProcessNamespace: {Default: false, PreRelease: utilfeature.Alpha},
PodPriority: {Default: true, PreRelease: utilfeature.Beta},

1
pkg/kubelet/BUILD
View File

@ -92,6 +92,7 @@ go_library(
"//pkg/scheduler/algorithm:go_default_library",
"//pkg/scheduler/algorithm/predicates:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/sysctl:go_default_library",
"//pkg/securitycontext:go_default_library",
"//pkg/util/dbus:go_default_library",
"//pkg/util/file:go_default_library",

35
pkg/kubelet/kubelet.go
View File

@ -100,6 +100,7 @@ import (
"k8s.io/kubernetes/pkg/kubelet/volumemanager"
"k8s.io/kubernetes/pkg/scheduler/algorithm/predicates"
"k8s.io/kubernetes/pkg/security/apparmor"
sysctlwhitelist "k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl"
utildbus "k8s.io/kubernetes/pkg/util/dbus"
kubeio "k8s.io/kubernetes/pkg/util/io"
utilipt "k8s.io/kubernetes/pkg/util/iptables"
@ -832,25 +833,23 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
klet.evictionManager = evictionManager
klet.admitHandlers.AddPodAdmitHandler(evictionAdmitHandler)
// add sysctl admission
runtimeSupport, err := sysctl.NewRuntimeAdmitHandler(klet.containerRuntime)
if err != nil {
return nil, err
if utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
// add sysctl admission
runtimeSupport, err := sysctl.NewRuntimeAdmitHandler(klet.containerRuntime)
if err != nil {
return nil, err
}
// Safe, whitelisted sysctls can always be used as unsafe sysctls in the spec.
// Hence, we concatenate those two lists.
safeAndUnsafeSysctls := append(sysctlwhitelist.SafeSysctlWhitelist(), allowedUnsafeSysctls...)
sysctlsWhitelist, err := sysctl.NewWhitelist(safeAndUnsafeSysctls)
if err != nil {
return nil, err
}
klet.admitHandlers.AddPodAdmitHandler(runtimeSupport)
klet.admitHandlers.AddPodAdmitHandler(sysctlsWhitelist)
}
safeWhitelist, err := sysctl.NewWhitelist(sysctl.SafeSysctlWhitelist(), v1.SysctlsPodAnnotationKey)
if err != nil {
return nil, err
}
// Safe, whitelisted sysctls can always be used as unsafe sysctls in the spec
// Hence, we concatenate those two lists.
safeAndUnsafeSysctls := append(sysctl.SafeSysctlWhitelist(), allowedUnsafeSysctls...)
unsafeWhitelist, err := sysctl.NewWhitelist(safeAndUnsafeSysctls, v1.UnsafeSysctlsPodAnnotationKey)
if err != nil {
return nil, err
}
klet.admitHandlers.AddPodAdmitHandler(runtimeSupport)
klet.admitHandlers.AddPodAdmitHandler(safeWhitelist)
klet.admitHandlers.AddPodAdmitHandler(unsafeWhitelist)
// enable active deadline handler
activeDeadlineHandler, err := newActiveDeadlineHandler(klet.statusManager, kubeDeps.Recorder, klet.clock)

1
pkg/kubelet/kuberuntime/BUILD
View File

@ -72,7 +72,6 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/kubelet/kuberuntime",
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/core/v1/helper:go_default_library",
"//pkg/credentialprovider:go_default_library",
"//pkg/credentialprovider/secrets:go_default_library",
"//pkg/features:go_default_library",

19
pkg/kubelet/kuberuntime/helpers.go
View File

@ -26,7 +26,6 @@ import (
"k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
utilfeature "k8s.io/apiserver/pkg/util/feature"
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
"k8s.io/kubernetes/pkg/features"
runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
@ -191,24 +190,6 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim
return &kubecontainer.RuntimeStatus{Conditions: conditions}
}
// getSysctlsFromAnnotations gets sysctls and unsafeSysctls from annotations.
func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string, error) {
apiSysctls, apiUnsafeSysctls, err := v1helper.SysctlsFromPodAnnotations(annotations)
if err != nil {
return nil, err
}
sysctls := make(map[string]string)
for _, c := range apiSysctls {
sysctls[c.Name] = c.Value
}
for _, c := range apiUnsafeSysctls {
sysctls[c.Name] = c.Value
}
return sysctls, nil
}
// getSeccompProfileFromAnnotations gets seccomp profile from annotations.
// It gets pod's profile if containerName is empty.
func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations map[string]string, containerName string) string {

40
pkg/kubelet/kuberuntime/helpers_test.go
View File

@ -56,46 +56,6 @@ func TestStableKey(t *testing.T) {
assert.NotEqual(t, oldKey, newKey)
}
// TestGetSystclsFromAnnotations tests the logic of getting sysctls from annotations.
func TestGetSystclsFromAnnotations(t *testing.T) {
tests := []struct {
annotations map[string]string
expectedSysctls map[string]string
}{{
annotations: map[string]string{
v1.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
v1.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
},
expectedSysctls: map[string]string{
"kernel.shmmni": "32768",
"kernel.shmmax": "1000000000",
"knet.ipv4.route.min_pmtu": "1000",
},
}, {
annotations: map[string]string{
v1.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
},
expectedSysctls: map[string]string{
"kernel.shmmni": "32768",
"kernel.shmmax": "1000000000",
},
}, {
annotations: map[string]string{
v1.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
},
expectedSysctls: map[string]string{
"knet.ipv4.route.min_pmtu": "1000",
},
}}
for i, test := range tests {
actualSysctls, err := getSysctlsFromAnnotations(test.annotations)
assert.NoError(t, err, "TestCase[%d]", i)
assert.Len(t, actualSysctls, len(test.expectedSysctls), "TestCase[%d]", i)
assert.Equal(t, test.expectedSysctls, actualSysctls, "TestCase[%d]", i)
}
}
func TestToKubeContainer(t *testing.T) {
c := &runtimeapi.Container{
Id: "test-id",

13
pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
View File

@ -25,6 +25,8 @@ import (
"github.com/golang/glog"
"k8s.io/api/core/v1"
kubetypes "k8s.io/apimachinery/pkg/types"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features"
runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/kubelet/types"
@ -134,10 +136,15 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
},
}
sysctls, err := getSysctlsFromAnnotations(pod.Annotations)
if err != nil {
return nil, fmt.Errorf("failed to get sysctls from annotations %v for pod %q: %v", pod.Annotations, format.Pod(pod), err)
sysctls := make(map[string]string)
if utilfeature.DefaultFeatureGate.Enabled(features.Sysctls) {
if pod.Spec.SecurityContext != nil {
for _, c := range pod.Spec.SecurityContext.Sysctls {
sysctls[c.Name] = c.Value
}
}
}
lc.Sysctls = sysctls
if pod.Spec.SecurityContext != nil {

3
pkg/kubelet/sysctl/BUILD
View File

@ -15,7 +15,6 @@ go_library(
],
importpath = "k8s.io/kubernetes/pkg/kubelet/sysctl",
deps = [
"//pkg/apis/core/v1/helper:go_default_library",
"//pkg/apis/core/validation:go_default_library",
"//pkg/apis/policy/validation:go_default_library",
"//pkg/kubelet/container:go_default_library",
@ -30,7 +29,7 @@ go_test(
"whitelist_test.go",
],
embed = [":go_default_library"],
deps = ["//vendor/k8s.io/api/core/v1:go_default_library"],
deps = ["//pkg/security/podsecuritypolicy/sysctl:go_default_library"],
)
filegroup(

15
pkg/kubelet/sysctl/runtime.go
View File

@ -19,7 +19,6 @@ package sysctl
import (
"fmt"
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
"k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
)
@ -83,17 +82,11 @@ func NewRuntimeAdmitHandler(runtime container.Runtime) (*runtimeAdmitHandler, er
// Admit checks whether the runtime supports sysctls.
func (w *runtimeAdmitHandler) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
sysctls, unsafeSysctls, err := v1helper.SysctlsFromPodAnnotations(attrs.Pod.Annotations)
if err != nil {
return lifecycle.PodAdmitResult{
Admit: false,
Reason: AnnotationInvalidReason,
Message: fmt.Sprintf("invalid sysctl annotation: %v", err),
}
}
if attrs.Pod.Spec.SecurityContext != nil {
if len(sysctls)+len(unsafeSysctls) > 0 {
return w.result
if len(attrs.Pod.Spec.SecurityContext.Sysctls) > 0 {
return w.result
}
}
return lifecycle.PodAdmitResult{

42
pkg/kubelet/sysctl/whitelist.go
View File

@ -20,7 +20,6 @@ import (
"fmt"
"strings"
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
"k8s.io/kubernetes/pkg/apis/core/validation"
policyvalidation "k8s.io/kubernetes/pkg/apis/policy/validation"
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
@ -31,36 +30,21 @@ const (
ForbiddenReason = "SysctlForbidden"
)
// SafeSysctlWhitelist returns the whitelist of safe sysctls and safe sysctl patterns (ending in *).
//
// A sysctl is called safe iff
// - it is namespaced in the container or the pod
// - it is isolated, i.e. has no influence on any other pod on the same node.
func SafeSysctlWhitelist() []string {
return []string{
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
}
}
// patternWhitelist takes a list of sysctls or sysctl patterns (ending in *) and
// checks validity via a sysctl and prefix map, rejecting those which are not known
// to be namespaced.
type patternWhitelist struct {
sysctls map[string]Namespace
prefixes map[string]Namespace
annotationKey string
sysctls map[string]Namespace
prefixes map[string]Namespace
}
var _ lifecycle.PodAdmitHandler = &patternWhitelist{}
// NewWhitelist creates a new Whitelist from a list of sysctls and sysctl pattern (ending in *).
func NewWhitelist(patterns []string, annotationKey string) (*patternWhitelist, error) {
func NewWhitelist(patterns []string) (*patternWhitelist, error) {
w := &patternWhitelist{
sysctls: map[string]Namespace{},
prefixes: map[string]Namespace{},
annotationKey: annotationKey,
sysctls: map[string]Namespace{},
prefixes: map[string]Namespace{},
}
for _, s := range patterns {
@ -121,32 +105,22 @@ func (w *patternWhitelist) validateSysctl(sysctl string, hostNet, hostIPC bool)
return fmt.Errorf("%q not whitelisted", sysctl)
}
// Admit checks that all sysctls given in annotations v1.SysctlsPodAnnotationKey and v1.UnsafeSysctlsPodAnnotationKey
// Admit checks that all sysctls given in pod's security context
// are valid according to the whitelist.
func (w *patternWhitelist) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
pod := attrs.Pod
a := pod.Annotations[w.annotationKey]
if a == "" {
if pod.Spec.SecurityContext == nil || len(pod.Spec.SecurityContext.Sysctls) == 0 {
return lifecycle.PodAdmitResult{
Admit: true,
}
}
sysctls, err := v1helper.SysctlsFromPodAnnotation(a)
if err != nil {
return lifecycle.PodAdmitResult{
Admit: false,
Reason: AnnotationInvalidReason,
Message: fmt.Sprintf("invalid %s annotation: %v", w.annotationKey, err),
}
}
var hostNet, hostIPC bool
if pod.Spec.SecurityContext != nil {
hostNet = pod.Spec.HostNetwork
hostIPC = pod.Spec.HostIPC
}
for _, s := range sysctls {
for _, s := range pod.Spec.SecurityContext.Sysctls {
if err := w.validateSysctl(s.Name, hostNet, hostIPC); err != nil {
return lifecycle.PodAdmitResult{
Admit: false,

6
pkg/kubelet/sysctl/whitelist_test.go
View File

@ -19,7 +19,7 @@ package sysctl
import (
"testing"
"k8s.io/api/core/v1"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl"
)
func TestNewWhitelist(t *testing.T) {
@ -35,7 +35,7 @@ func TestNewWhitelist(t *testing.T) {
{sysctls: []string{"net.*.foo"}, err: true},
{sysctls: []string{"foo"}, err: true},
} {
_, err := NewWhitelist(append(SafeSysctlWhitelist(), test.sysctls...), v1.SysctlsPodAnnotationKey)
_, err := NewWhitelist(append(sysctl.SafeSysctlWhitelist(), test.sysctls...))
if test.err && err == nil {
t.Errorf("expected an error creating a whitelist for %v", test.sysctls)
} else if !test.err && err != nil {
@ -65,7 +65,7 @@ func TestWhitelist(t *testing.T) {
{sysctl: "kernel.sem", hostIPC: true},
}
w, err := NewWhitelist(append(SafeSysctlWhitelist(), "kernel.msg*", "kernel.sem"), v1.SysctlsPodAnnotationKey)
w, err := NewWhitelist(append(sysctl.SafeSysctlWhitelist(), "kernel.msg*", "kernel.sem"))
if err != nil {
t.Fatalf("failed to create whitelist: %v", err)
}

16
pkg/security/podsecuritypolicy/factory.go
View File

@ -77,15 +77,7 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *policy.PodSecurityPolicy,
errs = append(errs, err)
}
var unsafeSysctls []string
if ann, found := psp.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey]; found {
var err error
unsafeSysctls, err = policy.SysctlsFromPodSecurityPolicyAnnotation(ann)
if err != nil {
errs = append(errs, err)
}
}
sysctlsStrat := createSysctlsStrategy(unsafeSysctls)
sysctlsStrat := createSysctlsStrategy(sysctl.SafeSysctlWhitelist(), psp.Spec.AllowedUnsafeSysctls, psp.Spec.ForbiddenSysctls)
if len(errs) > 0 {
return nil, errors.NewAggregate(errs)
@ -170,7 +162,7 @@ func createCapabilitiesStrategy(defaultAddCaps, requiredDropCaps, allowedCaps []
return capabilities.NewDefaultCapabilities(defaultAddCaps, requiredDropCaps, allowedCaps)
}
// createSysctlsStrategy creates a new unsafe sysctls strategy.
func createSysctlsStrategy(sysctlsPatterns []string) sysctl.SysctlsStrategy {
return sysctl.NewMustMatchPatterns(sysctlsPatterns)
// createSysctlsStrategy creates a new sysctls strategy.
func createSysctlsStrategy(safeWhitelist, allowedUnsafeSysctls, forbiddenSysctls []string) sysctl.SysctlsStrategy {
return sysctl.NewMustMatchPatterns(safeWhitelist, allowedUnsafeSysctls, forbiddenSysctls)
}

109
pkg/security/podsecuritypolicy/provider_test.go
View File

@ -267,17 +267,34 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
},
}
failOtherSysctlsAllowedPSP := defaultPSP()
failOtherSysctlsAllowedPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "bar,abc"
failSysctlDisallowedPSP := defaultPSP()
failSysctlDisallowedPSP.Spec.ForbiddenSysctls = []string{"kernel.shm_rmid_forced"}
failNoSysctlAllowedPSP := defaultPSP()
failNoSysctlAllowedPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = ""
failNoSafeSysctlAllowedPSP := defaultPSP()
failNoSafeSysctlAllowedPSP.Spec.ForbiddenSysctls = []string{"*"}
failSafeSysctlFooPod := defaultPod()
failSafeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1"
failAllUnsafeSysctlsPSP := defaultPSP()
failAllUnsafeSysctlsPSP.Spec.AllowedUnsafeSysctls = []string{}
failUnsafeSysctlFooPod := defaultPod()
failUnsafeSysctlFooPod.Annotations[api.UnsafeSysctlsPodAnnotationKey] = "foo=1"
failSafeSysctlKernelPod := defaultPod()
failSafeSysctlKernelPod.Spec.SecurityContext = &api.PodSecurityContext{
Sysctls: []api.Sysctl{
{
Name: "kernel.shm_rmid_forced",
Value: "1",
},
},
}
failUnsafeSysctlPod := defaultPod()
failUnsafeSysctlPod.Spec.SecurityContext = &api.PodSecurityContext{
Sysctls: []api.Sysctl{
{
Name: "kernel.sem",
Value: "32000",
},
},
}
failSeccompProfilePod := defaultPod()
failSeccompProfilePod.Annotations = map[string]string{api.SeccompPodAnnotationKey: "foo"}
@ -359,25 +376,20 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
psp: failHostPathReadOnlyPSP,
expectedError: "must be read-only",
},
"failSafeSysctlFooPod with failNoSysctlAllowedSCC": {
pod: failSafeSysctlFooPod,
psp: failNoSysctlAllowedPSP,
expectedError: "sysctls are not allowed",
"failSafeSysctlKernelPod with failNoSafeSysctlAllowedPSP": {
pod: failSafeSysctlKernelPod,
psp: failNoSafeSysctlAllowedPSP,
expectedError: "sysctl \"kernel.shm_rmid_forced\" is not allowed",
},
"failUnsafeSysctlFooPod with failNoSysctlAllowedSCC": {
pod: failUnsafeSysctlFooPod,
psp: failNoSysctlAllowedPSP,
expectedError: "sysctls are not allowed",
"failSafeSysctlKernelPod with failSysctlDisallowedPSP": {
pod: failSafeSysctlKernelPod,
psp: failSysctlDisallowedPSP,
expectedError: "sysctl \"kernel.shm_rmid_forced\" is not allowed",
},
"failSafeSysctlFooPod with failOtherSysctlsAllowedSCC": {
pod: failSafeSysctlFooPod,
psp: failOtherSysctlsAllowedPSP,
expectedError: "sysctl \"foo\" is not allowed",
},
"failUnsafeSysctlFooPod with failOtherSysctlsAllowedSCC": {
pod: failUnsafeSysctlFooPod,
psp: failOtherSysctlsAllowedPSP,
expectedError: "sysctl \"foo\" is not allowed",
"failUnsafeSysctlPod with failAllUnsafeSysctlsPSP": {
pod: failUnsafeSysctlPod,
psp: failAllUnsafeSysctlsPSP,
expectedError: "unsafe sysctl \"kernel.sem\" is not allowed",
},
"failInvalidSeccomp": {
pod: failSeccompProfilePod,
@ -707,14 +719,29 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
{PathPrefix: "/foo"},
}
sysctlAllowFooPSP := defaultPSP()
sysctlAllowFooPSP.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "foo"
sysctlAllowAllPSP := defaultPSP()
sysctlAllowAllPSP.Spec.ForbiddenSysctls = []string{}
sysctlAllowAllPSP.Spec.AllowedUnsafeSysctls = []string{"*"}
safeSysctlFooPod := defaultPod()
safeSysctlFooPod.Annotations[api.SysctlsPodAnnotationKey] = "foo=1"
safeSysctlKernelPod := defaultPod()
safeSysctlKernelPod.Spec.SecurityContext = &api.PodSecurityContext{
Sysctls: []api.Sysctl{
{
Name: "kernel.shm_rmid_forced",
Value: "1",
},
},
}
unsafeSysctlFooPod := defaultPod()
unsafeSysctlFooPod.Annotations[api.UnsafeSysctlsPodAnnotationKey] = "foo=1"
unsafeSysctlKernelPod := defaultPod()
unsafeSysctlKernelPod.Spec.SecurityContext = &api.PodSecurityContext{
Sysctls: []api.Sysctl{
{
Name: "kernel.sem",
Value: "32000",
},
},
}
seccompPSP := defaultPSP()
seccompPSP.Annotations = map[string]string{
@ -766,21 +793,13 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
pod: seLinuxPod,
psp: seLinuxPSP,
},
"pass sysctl specific profile with safe sysctl": {
pod: safeSysctlFooPod,
psp: sysctlAllowFooPSP,
"pass sysctl specific profile with safe kernel sysctl": {
pod: safeSysctlKernelPod,
psp: sysctlAllowAllPSP,
},
"pass sysctl specific profile with unsafe sysctl": {
pod: unsafeSysctlFooPod,
psp: sysctlAllowFooPSP,
},
"pass empty profile with safe sysctl": {
pod: safeSysctlFooPod,
psp: defaultPSP(),
},
"pass empty profile with unsafe sysctl": {
pod: unsafeSysctlFooPod,
psp: defaultPSP(),
"pass sysctl specific profile with unsafe kernel sysctl": {
pod: unsafeSysctlKernelPod,
psp: sysctlAllowAllPSP,
},
"pass hostDir allowed directory validating PSP": {
pod: hostPathDirPod,

6
pkg/security/podsecuritypolicy/sysctl/BUILD
View File

@ -15,7 +15,6 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/core/helper:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
],
)
@ -24,10 +23,7 @@ go_test(
name = "go_default_test",
srcs = ["mustmatchpatterns_test.go"],
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/core/helper:go_default_library",
],
deps = ["//pkg/apis/core:go_default_library"],
)
filegroup(

113
pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns.go
View File

@ -22,12 +22,26 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/core/helper"
)
// SafeSysctlWhitelist returns the whitelist of safe sysctls and safe sysctl patterns (ending in *).
//
// A sysctl is called safe iff
// - it is namespaced in the container or the pod
// - it is isolated, i.e. has no influence on any other pod on the same node.
func SafeSysctlWhitelist() []string {
return []string{
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
}
}
// mustMatchPatterns implements the SysctlsStrategy interface
type mustMatchPatterns struct {
patterns []string
safeWhitelist []string
allowedUnsafeSysctls []string
forbiddenSysctls []string
}
var (
@ -38,56 +52,75 @@ var (
// NewMustMatchPatterns creates a new mustMatchPatterns strategy that will provide validation.
// Passing nil means the default pattern, passing an empty list means to disallow all sysctls.
func NewMustMatchPatterns(patterns []string) SysctlsStrategy {
if patterns == nil {
patterns = defaultSysctlsPatterns
}
func NewMustMatchPatterns(safeWhitelist, allowedUnsafeSysctls, forbiddenSysctls []string) SysctlsStrategy {
return &mustMatchPatterns{
patterns: patterns,
safeWhitelist: safeWhitelist,
allowedUnsafeSysctls: allowedUnsafeSysctls,
forbiddenSysctls: forbiddenSysctls,
}
}
func (s *mustMatchPatterns) isForbidden(sysctlName string) bool {
// Is the sysctl forbidden?
for _, s := range s.forbiddenSysctls {
if strings.HasSuffix(s, "*") {
prefix := strings.TrimSuffix(s, "*")
if strings.HasPrefix(sysctlName, prefix) {
return true
}
} else if sysctlName == s {
return true
}
}
return false
}
func (s *mustMatchPatterns) isSafe(sysctlName string) bool {
for _, ws := range s.safeWhitelist {
if sysctlName == ws {
return true
}
}
return false
}
func (s *mustMatchPatterns) isAllowedUnsafe(sysctlName string) bool {
for _, s := range s.allowedUnsafeSysctls {
if strings.HasSuffix(s, "*") {
prefix := strings.TrimSuffix(s, "*")
if strings.HasPrefix(sysctlName, prefix) {
return true
}
} else if sysctlName == s {
return true
}
}
return false
}
// Validate ensures that the specified values fall within the range of the strategy.
func (s *mustMatchPatterns) Validate(pod *api.Pod) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, s.validateAnnotation(pod, api.SysctlsPodAnnotationKey)...)
allErrs = append(allErrs, s.validateAnnotation(pod, api.UnsafeSysctlsPodAnnotationKey)...)
return allErrs
}
func (s *mustMatchPatterns) validateAnnotation(pod *api.Pod, key string) field.ErrorList {
allErrs := field.ErrorList{}
fieldPath := field.NewPath("pod", "metadata", "annotations").Key(key)
sysctls, err := helper.SysctlsFromPodAnnotation(pod.Annotations[key])
if err != nil {
allErrs = append(allErrs, field.Invalid(fieldPath, pod.Annotations[key], err.Error()))
var sysctls []api.Sysctl
if pod.Spec.SecurityContext != nil {
sysctls = pod.Spec.SecurityContext.Sysctls
}
if len(sysctls) > 0 {
if len(s.patterns) == 0 {
allErrs = append(allErrs, field.Invalid(fieldPath, pod.Annotations[key], "sysctls are not allowed"))
} else {
for i, sysctl := range sysctls {
allErrs = append(allErrs, s.ValidateSysctl(sysctl.Name, fieldPath.Index(i))...)
}
fieldPath := field.NewPath("pod", "spec", "securityContext").Child("sysctls")
for i, sysctl := range sysctls {
switch {
case s.isForbidden(sysctl.Name):
allErrs = append(allErrs, field.ErrorList{field.Forbidden(fieldPath.Index(i), fmt.Sprintf("sysctl %q is not allowed", sysctl.Name))}...)
case s.isSafe(sysctl.Name):
continue
case s.isAllowedUnsafe(sysctl.Name):
continue
default:
allErrs = append(allErrs, field.ErrorList{field.Forbidden(fieldPath.Index(i), fmt.Sprintf("unsafe sysctl %q is not allowed", sysctl.Name))}...)
}
}
return allErrs
}
func (s *mustMatchPatterns) ValidateSysctl(sysctlName string, fldPath *field.Path) field.ErrorList {
for _, s := range s.patterns {
if s[len(s)-1] == '*' {
prefix := s[:len(s)-1]
if strings.HasPrefix(sysctlName, string(prefix)) {
return nil
}
} else if sysctlName == s {
return nil
}
}
return field.ErrorList{field.Forbidden(fldPath, fmt.Sprintf("sysctl %q is not allowed", sysctlName))}
}

82
pkg/security/podsecuritypolicy/sysctl/mustmatchpatterns_test.go
View File

@ -17,48 +17,47 @@ limitations under the License.
package sysctl
import (
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/core/helper"
"testing"
api "k8s.io/kubernetes/pkg/apis/core"
)
func TestValidate(t *testing.T) {
tests := map[string]struct {
patterns []string
allowed []string
disallowed []string
whitelist []string
forbiddenSafe []string
allowedUnsafe []string
allowed []string
disallowed []string
}{
// no container requests
"nil": {
patterns: nil,
allowed: []string{"foo"},
"with allow all": {
whitelist: []string{"foo"},
allowed: []string{"foo"},
},
"empty": {
patterns: []string{},
disallowed: []string{"foo"},
whitelist: []string{"foo"},
forbiddenSafe: []string{"*"},
disallowed: []string{"foo"},
},
"without wildcard": {
patterns: []string{"a", "a.b"},
whitelist: []string{"a", "a.b"},
allowed: []string{"a", "a.b"},
disallowed: []string{"b"},
},
"with catch-all wildcard": {
patterns: []string{"*"},
allowed: []string{"a", "a.b"},
},
"with catch-all wildcard and non-wildcard": {
patterns: []string{"a.b.c", "*"},
allowed: []string{"a", "a.b", "a.b.c", "b"},
allowedUnsafe: []string{"a.b.c", "*"},
allowed: []string{"a", "a.b", "a.b.c", "b"},
},
"without catch-all wildcard": {
patterns: []string{"a.*", "b.*", "c.d.e", "d.e.f.*"},
allowed: []string{"a.b", "b.c", "c.d.e", "d.e.f.g.h"},
disallowed: []string{"a", "b", "c", "c.d", "d.e", "d.e.f"},
allowedUnsafe: []string{"a.*", "b.*", "c.d.e", "d.e.f.*"},
allowed: []string{"a.b", "b.c", "c.d.e", "d.e.f.g.h"},
disallowed: []string{"a", "b", "c", "c.d", "d.e", "d.e.f"},
},
}
for k, v := range tests {
strategy := NewMustMatchPatterns(v.patterns)
strategy := NewMustMatchPatterns(v.whitelist, v.allowedUnsafe, v.forbiddenSafe)
pod := &api.Pod{}
errs := strategy.Validate(pod)
@ -66,37 +65,40 @@ func TestValidate(t *testing.T) {
t.Errorf("%s: unexpected validaton errors for empty sysctls: %v", k, errs)
}
sysctls := []api.Sysctl{}
for _, s := range v.allowed {
sysctls = append(sysctls, api.Sysctl{
Name: s,
Value: "dummy",
})
}
testAllowed := func(key string, category string) {
pod.Annotations = map[string]string{
key: helper.PodAnnotationsFromSysctls(sysctls),
testAllowed := func() {
sysctls := []api.Sysctl{}
for _, s := range v.allowed {
sysctls = append(sysctls, api.Sysctl{
Name: s,
Value: "dummy",
})
}
pod.Spec.SecurityContext = &api.PodSecurityContext{
Sysctls: sysctls,
}
errs = strategy.Validate(pod)
if len(errs) != 0 {
t.Errorf("%s: unexpected validaton errors for %s sysctls: %v", k, category, errs)
t.Errorf("%s: unexpected validaton errors for sysctls: %v", k, errs)
}
}
testDisallowed := func(key string, category string) {
testDisallowed := func() {
for _, s := range v.disallowed {
pod.Annotations = map[string]string{
key: helper.PodAnnotationsFromSysctls([]api.Sysctl{{Name: s, Value: "dummy"}}),
pod.Spec.SecurityContext = &api.PodSecurityContext{
Sysctls: []api.Sysctl{
{
Name: s,
Value: "dummy",
},
},
}
errs = strategy.Validate(pod)
if len(errs) == 0 {
t.Errorf("%s: expected error for %s sysctl %q", k, category, s)
t.Errorf("%s: expected error for sysctl %q", k, s)
}
}
}
testAllowed(api.SysctlsPodAnnotationKey, "safe")
testAllowed(api.UnsafeSysctlsPodAnnotationKey, "unsafe")
testDisallowed(api.SysctlsPodAnnotationKey, "safe")
testDisallowed(api.UnsafeSysctlsPodAnnotationKey, "unsafe")
testAllowed()
testDisallowed()
}
}

1
plugin/pkg/admission/security/podsecuritypolicy/BUILD
View File

@ -39,7 +39,6 @@ go_test(
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/core:go_default_library",
"//pkg/apis/core/helper:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/controller:go_default_library",

160
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@ -35,7 +35,6 @@ import (
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/kubernetes/pkg/api/legacyscheme"
kapi "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/apis/policy"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
"k8s.io/kubernetes/pkg/controller"
@ -1608,37 +1607,40 @@ func TestAdmitSysctls(t *testing.T) {
}
return sysctls
}
pod.Annotations[kapi.SysctlsPodAnnotationKey] = helper.PodAnnotationsFromSysctls(dummySysctls(safeSysctls))
pod.Annotations[kapi.UnsafeSysctlsPodAnnotationKey] = helper.PodAnnotationsFromSysctls(dummySysctls(unsafeSysctls))
pod.Spec.SecurityContext = &kapi.PodSecurityContext{
Sysctls: dummySysctls(append(safeSysctls, unsafeSysctls...)),
}
return pod
}
noSysctls := restrictivePSP()
noSysctls.Name = "no sysctls"
safeSysctls := restrictivePSP()
safeSysctls.Name = "no sysctls"
emptySysctls := restrictivePSP()
emptySysctls.Name = "empty sysctls"
emptySysctls.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = ""
noSysctls := restrictivePSP()
noSysctls.Name = "empty sysctls"
noSysctls.Spec.ForbiddenSysctls = []string{"*"}
mixedSysctls := restrictivePSP()
mixedSysctls.Name = "wildcard sysctls"
mixedSysctls.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "a.*,b.*,c,d.e.f"
mixedSysctls.Spec.ForbiddenSysctls = []string{"net.*"}
mixedSysctls.Spec.AllowedUnsafeSysctls = []string{"a.*", "b.*"}
aSysctl := restrictivePSP()
aSysctl.Name = "a sysctl"
aSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "a"
aUnsafeSysctl := restrictivePSP()
aUnsafeSysctl.Name = "a sysctl"
aUnsafeSysctl.Spec.AllowedUnsafeSysctls = []string{"a"}
bSysctl := restrictivePSP()
bSysctl.Name = "b sysctl"
bSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "b"
bUnsafeSysctl := restrictivePSP()
bUnsafeSysctl.Name = "b sysctl"
bUnsafeSysctl.Spec.AllowedUnsafeSysctls = []string{"b"}
cSysctl := restrictivePSP()
cSysctl.Name = "c sysctl"
cSysctl.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "c"
cUnsafeSysctl := restrictivePSP()
cUnsafeSysctl.Name = "c sysctl"
cUnsafeSysctl.Spec.AllowedUnsafeSysctls = []string{"c"}
catchallSysctls := restrictivePSP()
catchallSysctls.Name = "catchall sysctl"
catchallSysctls.Annotations[policy.SysctlsPodSecurityPolicyAnnotationKey] = "*"
catchallSysctls.Spec.AllowedUnsafeSysctls = []string{"*"}
tests := map[string]struct {
pod *kapi.Pod
@ -1647,148 +1649,102 @@ func TestAdmitSysctls(t *testing.T) {
shouldPassValidate bool
expectedPSP string
}{
"pod without unsafe sysctls request allowed under noSysctls PSP": {
"pod without any sysctls request allowed under safeSysctls PSP": {
pod: goodPod(),
psps: []*policy.PodSecurityPolicy{safeSysctls},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: safeSysctls.Name,
},
"pod without any sysctls request allowed under noSysctls PSP": {
pod: goodPod(),
psps: []*policy.PodSecurityPolicy{noSysctls},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: noSysctls.Name,
},
"pod without any sysctls request allowed under emptySysctls PSP": {
pod: goodPod(),
psps: []*policy.PodSecurityPolicy{emptySysctls},
"pod with safe sysctls request allowed under safeSysctls PSP": {
pod: podWithSysctls([]string{"kernel.shm_rmid_forced", "net.ipv4.tcp_syncookies"}, []string{}),
psps: []*policy.PodSecurityPolicy{safeSysctls},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: emptySysctls.Name,
expectedPSP: safeSysctls.Name,
},
"pod with safe sysctls request allowed under noSysctls PSP": {
pod: podWithSysctls([]string{"a", "b"}, []string{}),
psps: []*policy.PodSecurityPolicy{noSysctls},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: noSysctls.Name,
},
"pod with unsafe sysctls request allowed under noSysctls PSP": {
"pod with unsafe sysctls request disallowed under noSysctls PSP": {
pod: podWithSysctls([]string{}, []string{"a", "b"}),
psps: []*policy.PodSecurityPolicy{noSysctls},
shouldPassAdmit: true,
shouldPassValidate: true,
shouldPassAdmit: false,
shouldPassValidate: false,
expectedPSP: noSysctls.Name,
},
"pod with safe sysctls request disallowed under emptySysctls PSP": {
pod: podWithSysctls([]string{"a", "b"}, []string{}),
psps: []*policy.PodSecurityPolicy{emptySysctls},
"pod with unsafe sysctls a, b request disallowed under aUnsafeSysctl SCC": {
pod: podWithSysctls([]string{}, []string{"a", "b"}),
psps: []*policy.PodSecurityPolicy{aUnsafeSysctl},
shouldPassAdmit: false,
shouldPassValidate: false,
},
"pod with unsafe sysctls a, b request disallowed under aSysctls SCC": {
pod: podWithSysctls([]string{}, []string{"a", "b"}),
psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: false,
shouldPassValidate: false,
},
"pod with unsafe sysctls b request disallowed under aSysctls SCC": {
"pod with unsafe sysctls b request disallowed under aUnsafeSysctl SCC": {
pod: podWithSysctls([]string{}, []string{"b"}),
psps: []*policy.PodSecurityPolicy{aSysctl},
psps: []*policy.PodSecurityPolicy{aUnsafeSysctl},
shouldPassAdmit: false,
shouldPassValidate: false,
},
"pod with unsafe sysctls a request allowed under aSysctls SCC": {
"pod with unsafe sysctls a request allowed under aUnsafeSysctl SCC": {
pod: podWithSysctls([]string{}, []string{"a"}),
psps: []*policy.PodSecurityPolicy{aSysctl},
psps: []*policy.PodSecurityPolicy{aUnsafeSysctl},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: aSysctl.Name,
expectedPSP: aUnsafeSysctl.Name,
},
"pod with safe sysctls a, b request disallowed under aSysctls SCC": {
pod: podWithSysctls([]string{"a", "b"}, []string{}),
psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: false,
shouldPassValidate: false,
},
"pod with safe sysctls b request disallowed under aSysctls SCC": {
pod: podWithSysctls([]string{"b"}, []string{}),
psps: []*policy.PodSecurityPolicy{aSysctl},
shouldPassAdmit: false,
shouldPassValidate: false,
},
"pod with safe sysctls a request allowed under aSysctls SCC": {
pod: podWithSysctls([]string{"a"}, []string{}),
psps: []*policy.PodSecurityPolicy{aSysctl},
"pod with safe net sysctl request allowed under aUnsafeSysctl SCC": {
pod: podWithSysctls([]string{"net.ipv4.ip_local_port_range"}, []string{}),
psps: []*policy.PodSecurityPolicy{aUnsafeSysctl},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: aSysctl.Name,
expectedPSP: aUnsafeSysctl.Name,
},
"pod with unsafe sysctls request disallowed under emptySysctls PSP": {
pod: podWithSysctls([]string{}, []string{"a", "b"}),
psps: []*policy.PodSecurityPolicy{emptySysctls},
"pod with safe sysctls request disallowed under noSysctls PSP": {
pod: podWithSysctls([]string{"net.ipv4.ip_local_port_range"}, []string{}),
psps: []*policy.PodSecurityPolicy{noSysctls},
shouldPassAdmit: false,
shouldPassValidate: false,
},
"pod with matching sysctls request allowed under mixedSysctls PSP": {
pod: podWithSysctls([]string{"a.b", "b.c"}, []string{"c", "d.e.f"}),
pod: podWithSysctls([]string{"kernel.shm_rmid_forced"}, []string{"a.b", "b.a"}),
psps: []*policy.PodSecurityPolicy{mixedSysctls},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: mixedSysctls.Name,
},
"pod with not-matching unsafe sysctls request disallowed under mixedSysctls PSP": {
pod: podWithSysctls([]string{"a.b", "b.c", "c", "d.e.f"}, []string{"e"}),
pod: podWithSysctls([]string{}, []string{"e"}),
psps: []*policy.PodSecurityPolicy{mixedSysctls},
shouldPassAdmit: false,
shouldPassValidate: false,
},
"pod with not-matching safe sysctls request disallowed under mixedSysctls PSP": {
pod: podWithSysctls([]string{"a.b", "b.c", "c", "d.e.f", "e"}, []string{}),
pod: podWithSysctls([]string{"net.ipv4.ip_local_port_range"}, []string{}),
psps: []*policy.PodSecurityPolicy{mixedSysctls},
shouldPassAdmit: false,
shouldPassValidate: false,
},
"pod with sysctls request allowed under catchallSysctls PSP": {
pod: podWithSysctls([]string{"e"}, []string{"f"}),
pod: podWithSysctls([]string{"net.ipv4.ip_local_port_range"}, []string{"f"}),
psps: []*policy.PodSecurityPolicy{catchallSysctls},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: catchallSysctls.Name,
},
"pod with sysctls request allowed under catchallSysctls PSP, not under mixedSysctls or emptySysctls PSP": {
pod: podWithSysctls([]string{"e"}, []string{"f"}),
psps: []*policy.PodSecurityPolicy{mixedSysctls, catchallSysctls, emptySysctls},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: catchallSysctls.Name,
},
"pod with safe c sysctl request allowed under cSysctl PSP, not under aSysctl or bSysctl PSP": {
pod: podWithSysctls([]string{}, []string{"c"}),
psps: []*policy.PodSecurityPolicy{aSysctl, bSysctl, cSysctl},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: cSysctl.Name,
},
"pod with unsafe c sysctl request allowed under cSysctl PSP, not under aSysctl or bSysctl PSP": {
pod: podWithSysctls([]string{"c"}, []string{}),
psps: []*policy.PodSecurityPolicy{aSysctl, bSysctl, cSysctl},
shouldPassAdmit: true,
shouldPassValidate: true,
expectedPSP: cSysctl.Name,
},
}
for k, v := range tests {
origSafeSysctls, origUnsafeSysctls, err := helper.SysctlsFromPodAnnotations(v.pod.Annotations)
if err != nil {
t.Fatalf("invalid sysctl annotation: %v", err)
}
origSysctl := v.pod.Spec.SecurityContext.Sysctls
testPSPAdmit(k, v.psps, v.pod, v.shouldPassAdmit, v.shouldPassValidate, v.expectedPSP, t)
if v.shouldPassAdmit {
safeSysctls, unsafeSysctls, _ := helper.SysctlsFromPodAnnotations(v.pod.Annotations)
if !reflect.DeepEqual(safeSysctls, origSafeSysctls) {
t.Errorf("%s: wrong safe sysctls: expected=%v, got=%v", k, origSafeSysctls, safeSysctls)
}
if !reflect.DeepEqual(unsafeSysctls, origUnsafeSysctls) {
t.Errorf("%s: wrong unsafe sysctls: expected=%v, got=%v", k, origSafeSysctls, safeSysctls)
if !reflect.DeepEqual(v.pod.Spec.SecurityContext.Sysctls, origSysctl) {
t.Errorf("%s: wrong sysctls: expected=%v, got=%v", k, origSysctl, v.pod.Spec.SecurityContext.Sysctls)
}
}
}

14
staging/src/k8s.io/api/core/v1/annotation_key_constants.go
View File

@ -56,20 +56,6 @@ const (
// in the Annotations of a Node.
PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods"
// SysctlsPodAnnotationKey represents the key of sysctls which are set for the infrastructure
// container of a pod. The annotation value is a comma separated list of sysctl_name=value
// key-value pairs. Only a limited set of whitelisted and isolated sysctls is supported by
// the kubelet. Pods with other sysctls will fail to launch.
SysctlsPodAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
// UnsafeSysctlsPodAnnotationKey represents the key of sysctls which are set for the infrastructure
// container of a pod. The annotation value is a comma separated list of sysctl_name=value
// key-value pairs. Unsafe sysctls must be explicitly enabled for a kubelet. They are properly
// namespaced to a pod or a container, but their isolation is usually unclear or weak. Their use
// is at-your-own-risk. Pods that attempt to set an unsafe sysctl that is not enabled for a kubelet
// will fail to launch.
UnsafeSysctlsPodAnnotationKey string = "security.alpha.kubernetes.io/unsafe-sysctls"
// ObjectTTLAnnotations represents a suggestion for kubelet for how long it can cache
// an object (e.g. secret, config map) before fetching it again from apiserver.
// This annotation can be attached to node.

1627
staging/src/k8s.io/api/core/v1/generated.pb.go generated
View File

File diff suppressed because it is too large Load Diff

5
staging/src/k8s.io/api/core/v1/generated.proto
View File

@ -2893,6 +2893,11 @@ message PodSecurityContext {
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// +optional
optional int64 fsGroup = 5;
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
// sysctls (by the container runtime) might fail to launch.
// +optional
repeated Sysctl sysctls = 7;
}
// Describes the class of pods that should avoid this node.

8
staging/src/k8s.io/api/core/v1/types.go
View File

@ -2919,6 +2919,10 @@ type PodSecurityContext struct {
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// +optional
FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
// sysctls (by the container runtime) might fail to launch.
// +optional
Sysctls []Sysctl `json:"sysctls,omitempty" protobuf:"bytes,7,rep,name=sysctls"`
}
// PodQOSClass defines the supported qos classes of Pods.
@ -5203,9 +5207,9 @@ const (
// Sysctl defines a kernel parameter to be set
type Sysctl struct {
// Name of a property to set
Name string `protobuf:"bytes,1,opt,name=name"`
Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
// Value of a property to set
Value string `protobuf:"bytes,2,opt,name=value"`
Value string `json:"value" protobuf:"bytes,2,opt,name=value"`
}
// NodeResources is an object for conveying resource information about a node.

5
staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go generated
View File

@ -1479,6 +1479,7 @@ var map_PodSecurityContext = map[string]string{
"runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"supplementalGroups": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container.",
"fsGroup": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw ",
"sysctls": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.",
}
func (PodSecurityContext) SwaggerDoc() map[string]string {
@ -2142,8 +2143,8 @@ func (StorageOSVolumeSource) SwaggerDoc() map[string]string {
var map_Sysctl = map[string]string{
"": "Sysctl defines a kernel parameter to be set",
"Name": "Name of a property to set",
"Value": "Value of a property to set",
"name": "Name of a property to set",
"value": "Value of a property to set",
}
func (Sysctl) SwaggerDoc() map[string]string {

5
staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go generated
View File

@ -3818,6 +3818,11 @@ func (in *PodSecurityContext) DeepCopyInto(out *PodSecurityContext) {
**out = **in
}
}
if in.Sysctls != nil {
in, out := &in.Sysctls, &out.Sysctls
*out = make([]Sysctl, len(*in))
copy(*out, *in)
}
return
}

561
staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go generated
View File

@ -2257,6 +2257,40 @@ func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) {
i += n
}
}
if len(m.AllowedUnsafeSysctls) > 0 {
for _, s := range m.AllowedUnsafeSysctls {
dAtA[i] = 0x9a
i++
dAtA[i] = 0x1
i++
l = len(s)
for l >= 1<<7 {
dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
l >>= 7
i++
}
dAtA[i] = uint8(l)
i++
i += copy(dAtA[i:], s)
}
}
if len(m.ForbiddenSysctls) > 0 {
for _, s := range m.ForbiddenSysctls {
dAtA[i] = 0xa2
i++
dAtA[i] = 0x1
i++
l = len(s)
for l >= 1<<7 {
dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
l >>= 7
i++
}
dAtA[i] = uint8(l)
i++
i += copy(dAtA[i:], s)
}
}
return i, nil
}
@ -3466,6 +3500,18 @@ func (m *PodSecurityPolicySpec) Size() (n int) {
n += 2 + l + sovGenerated(uint64(l))
}
}
if len(m.AllowedUnsafeSysctls) > 0 {
for _, s := range m.AllowedUnsafeSysctls {
l = len(s)
n += 2 + l + sovGenerated(uint64(l))
}
}
if len(m.ForbiddenSysctls) > 0 {
for _, s := range m.ForbiddenSysctls {
l = len(s)
n += 2 + l + sovGenerated(uint64(l))
}
}
return n
}
@ -4199,6 +4245,8 @@ func (this *PodSecurityPolicySpec) String() string {
`AllowPrivilegeEscalation:` + valueToStringGenerated(this.AllowPrivilegeEscalation) + `,`,
`AllowedHostPaths:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedHostPaths), "AllowedHostPath", "AllowedHostPath", 1), `&`, ``, 1) + `,`,
`AllowedFlexVolumes:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedFlexVolumes), "AllowedFlexVolume", "AllowedFlexVolume", 1), `&`, ``, 1) + `,`,
`AllowedUnsafeSysctls:` + fmt.Sprintf("%v", this.AllowedUnsafeSysctls) + `,`,
`ForbiddenSysctls:` + fmt.Sprintf("%v", this.ForbiddenSysctls) + `,`,
`}`,
}, "")
return s
@ -10336,6 +10384,64 @@ func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error {
return err
}
iNdEx = postIndex
case 19:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field AllowedUnsafeSysctls", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.AllowedUnsafeSysctls = append(m.AllowedUnsafeSysctls, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
case 20:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field ForbiddenSysctls", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.ForbiddenSysctls = append(m.ForbiddenSysctls, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -12315,230 +12421,233 @@ func init() {
}
var fileDescriptorGenerated = []byte{
// 3588 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5b, 0xcd, 0x6f, 0x1c, 0x47,
0x76, 0x57, 0xcf, 0x0c, 0x39, 0xc3, 0x47, 0xf1, 0xab, 0x28, 0x93, 0x63, 0xca, 0xe2, 0xc8, 0x6d,
0x40, 0x91, 0x1c, 0x69, 0xc6, 0x92, 0x2d, 0x59, 0xb1, 0x10, 0x3b, 0x1c, 0x52, 0x1f, 0x74, 0xf8,
0xa5, 0x1a, 0x52, 0x71, 0x8c, 0xc8, 0x71, 0x73, 0xa6, 0x38, 0x6c, 0xb1, 0xa7, 0xbb, 0xdd, 0x5d,
0x4d, 0x73, 0x80, 0x20, 0xc8, 0x21, 0x08, 0x10, 0x20, 0x41, 0x92, 0x83, 0xf3, 0x71, 0x8b, 0x2f,
0x39, 0x25, 0x48, 0x6e, 0xc9, 0xc1, 0x30, 0x10, 0xc0, 0x0b, 0x08, 0x0b, 0x2f, 0xe0, 0xdb, 0xfa,
0x44, 0xac, 0xe9, 0xd3, 0x62, 0xff, 0x81, 0x85, 0x0e, 0x8b, 0x45, 0x55, 0x57, 0x7f, 0x77, 0x73,
0x66, 0x68, 0x89, 0x58, 0x2c, 0xf6, 0xc6, 0xa9, 0xf7, 0xde, 0xef, 0xbd, 0x7a, 0xf5, 0xea, 0xbd,
0xd7, 0x55, 0x45, 0xb8, 0xb7, 0x77, 0xdb, 0xae, 0xaa, 0x46, 0x6d, 0xcf, 0xd9, 0x26, 0x96, 0x4e,
0x28, 0xb1, 0x6b, 0xfb, 0x44, 0x6f, 0x19, 0x56, 0x4d, 0x10, 0x14, 0x53, 0xad, 0x91, 0x03, 0x4a,
0x74, 0x5b, 0x35, 0x74, 0xbb, 0xb6, 0x7f, 0x7d, 0x9b, 0x50, 0xe5, 0x7a, 0xad, 0x4d, 0x74, 0x62,
0x29, 0x94, 0xb4, 0xaa, 0xa6, 0x65, 0x50, 0x03, 0x5d, 0x70, 0xd9, 0xab, 0x8a, 0xa9, 0x56, 0x03,
0xf6, 0xaa, 0x60, 0x9f, 0xbb, 0xd6, 0x56, 0xe9, 0xae, 0xb3, 0x5d, 0x6d, 0x1a, 0x9d, 0x5a, 0xdb,
0x68, 0x1b, 0x35, 0x2e, 0xb5, 0xed, 0xec, 0xf0, 0x5f, 0xfc, 0x07, 0xff, 0xcb, 0x45, 0x9b, 0x93,
0x43, 0xca, 0x9b, 0x86, 0x45, 0x6a, 0xfb, 0x09, 0x8d, 0x73, 0x57, 0x42, 0x3c, 0xa6, 0xa1, 0xa9,
0xcd, 0x6e, 0x96, 0x71, 0x73, 0x6f, 0x05, 0xac, 0x1d, 0xa5, 0xb9, 0xab, 0xea, 0xc4, 0xea, 0xd6,
0xcc, 0xbd, 0x36, 0x97, 0xb5, 0x88, 0x6d, 0x38, 0x56, 0x93, 0x0c, 0x24, 0x65, 0xd7, 0x3a, 0x84,
0x2a, 0x69, 0x66, 0xd5, 0xb2, 0xa4, 0x2c, 0x47, 0xa7, 0x6a, 0x27, 0xa9, 0xe6, 0x56, 0x2f, 0x01,
0xbb, 0xb9, 0x4b, 0x3a, 0x4a, 0x42, 0xee, 0xcd, 0x2c, 0x39, 0x87, 0xaa, 0x5a, 0x4d, 0xd5, 0xa9,
0x4d, 0xad, 0xb8, 0x90, 0x7c, 0x07, 0xa6, 0x16, 0x34, 0xcd, 0xf8, 0x94, 0xb4, 0xee, 0x69, 0xe4,
0xe0, 0x91, 0xa1, 0x39, 0x1d, 0x82, 0x2e, 0xc1, 0x70, 0xcb, 0x52, 0xf7, 0x89, 0x55, 0x96, 0x2e,
0x4a, 0x97, 0x47, 0xea, 0xe3, 0x4f, 0x0f, 0x2b, 0x67, 0x8e, 0x0e, 0x2b, 0xc3, 0x4b, 0x7c, 0x14,
0x0b, 0xaa, 0x6c, 0xc3, 0x84, 0x10, 0x7e, 0x60, 0xd8, 0x74, 0x43, 0xa1, 0xbb, 0xe8, 0x06, 0x80,
0xa9, 0xd0, 0xdd, 0x0d, 0x8b, 0xec, 0xa8, 0x07, 0x42, 0x1c, 0x09, 0x71, 0xd8, 0xf0, 0x29, 0x38,
0xc4, 0x85, 0xae, 0x42, 0xc9, 0x22, 0x4a, 0x6b, 0x5d, 0xd7, 0xba, 0xe5, 0xdc, 0x45, 0xe9, 0x72,
0xa9, 0x3e, 0x29, 0x24, 0x4a, 0x58, 0x8c, 0x63, 0x9f, 0x43, 0xfe, 0x37, 0x09, 0x5e, 0x5e, 0x74,
0x6c, 0x6a, 0x74, 0x56, 0x09, 0xb5, 0xd4, 0xe6, 0xa2, 0x63, 0x59, 0x44, 0xa7, 0x0d, 0xaa, 0x50,
0xc7, 0x46, 0x17, 0xa1, 0xa0, 0x2b, 0x1d, 0x22, 0x34, 0x9f, 0x15, 0x38, 0x85, 0x35, 0xa5, 0x43,
0x30, 0xa7, 0xa0, 0x0f, 0x61, 0x68, 0x5f, 0xd1, 0x1c, 0xc2, 0x55, 0x8d, 0xde, 0xa8, 0x56, 0x83,
0x40, 0xf5, 0xdd, 0x56, 0x35, 0xf7, 0xda, 0x3c, 0x72, 0xbd, 0x58, 0xa8, 0x3e, 0x74, 0x14, 0x9d,
0xaa, 0xb4, 0x5b, 0x3f, 0x27, 0x20, 0xcf, 0x0a, 0xbd, 0x8f, 0x18, 0x16, 0x76, 0x21, 0xe5, 0xbf,
0x84, 0x0b, 0x99, 0xa6, 0xad, 0xa8, 0x36, 0x45, 0x8f, 0x61, 0x48, 0xa5, 0xa4, 0x63, 0x97, 0xa5,
0x8b, 0xf9, 0xcb, 0xa3, 0x37, 0x6e, 0x57, 0x8f, 0xdd, 0x25, 0xd5, 0x4c, 0xb0, 0xfa, 0x98, 0x30,
0x63, 0x68, 0x99, 0xc1, 0x61, 0x17, 0x55, 0xfe, 0x27, 0x09, 0x50, 0x58, 0x66, 0x53, 0xb1, 0xda,
0x84, 0xf6, 0xe1, 0x94, 0x3f, 0xfd, 0x61, 0x4e, 0x99, 0x16, 0x90, 0xa3, 0xae, 0xc2, 0x88, 0x4f,
0x4c, 0x98, 0x49, 0x9a, 0xc4, 0x9d, 0xf1, 0x28, 0xea, 0x8c, 0xeb, 0x03, 0x38, 0xc3, 0x45, 0xc9,
0xf0, 0xc2, 0x67, 0x39, 0x18, 0x59, 0x52, 0x48, 0xc7, 0xd0, 0x1b, 0x84, 0xa2, 0x8f, 0xa1, 0xc4,
0xb6, 0x66, 0x4b, 0xa1, 0x0a, 0x77, 0xc0, 0xe8, 0x8d, 0x37, 0x8e, 0x9b, 0x9d, 0x5d, 0x65, 0xdc,
0xd5, 0xfd, 0xeb, 0xd5, 0xf5, 0xed, 0x27, 0xa4, 0x49, 0x57, 0x09, 0x55, 0x82, 0x08, 0x0e, 0xc6,
0xb0, 0x8f, 0x8a, 0xd6, 0xa0, 0x60, 0x9b, 0xa4, 0x29, 0x7c, 0x77, 0xb5, 0xc7, 0x34, 0x7c, 0xcb,
0x1a, 0x26, 0x69, 0x06, 0x8b, 0xc1, 0x7e, 0x61, 0x8e, 0x83, 0x1e, 0xc1, 0xb0, 0xcd, 0x57, 0xb9,
0x9c, 0x4f, 0xac, 0xc6, 0xf1, 0x88, 0x6e, 0x6c, 0xf8, 0xdb, 0xd5, 0xfd, 0x8d, 0x05, 0x9a, 0xfc,
0xf3, 0x1c, 0x20, 0x9f, 0x77, 0xd1, 0xd0, 0x5b, 0x2a, 0x55, 0x0d, 0x1d, 0xbd, 0x03, 0x05, 0xda,
0x35, 0xbd, 0xe8, 0xb8, 0xe4, 0x19, 0xb4, 0xd9, 0x35, 0xc9, 0xb3, 0xc3, 0xca, 0x4c, 0x52, 0x82,
0x51, 0x30, 0x97, 0x41, 0x2b, 0xbe, 0xa9, 0x39, 0x2e, 0xfd, 0x56, 0x54, 0xf5, 0xb3, 0xc3, 0x4a,
0x4a, 0xe6, 0xae, 0xfa, 0x48, 0x51, 0x03, 0xd1, 0x3e, 0x20, 0x4d, 0xb1, 0xe9, 0xa6, 0xa5, 0xe8,
0xb6, 0xab, 0x49, 0xed, 0x10, 0xe1, 0x84, 0xd7, 0xfb, 0x5b, 0x34, 0x26, 0x51, 0x9f, 0x13, 0x56,
0xa0, 0x95, 0x04, 0x1a, 0x4e, 0xd1, 0xc0, 0xf2, 0x9d, 0x45, 0x14, 0xdb, 0xd0, 0xcb, 0x85, 0x68,
0xbe, 0xc3, 0x7c, 0x14, 0x0b, 0x2a, 0xba, 0x02, 0xc5, 0x0e, 0xb1, 0x6d, 0xa5, 0x4d, 0xca, 0x43,
0x9c, 0x71, 0x42, 0x30, 0x16, 0x57, 0xdd, 0x61, 0xec, 0xd1, 0xe5, 0x2f, 0x24, 0x18, 0xf3, 0x3d,
0xc7, 0xa3, 0xfd, 0xcf, 0x12, 0x71, 0x58, 0xed, 0x6f, 0x4a, 0x4c, 0x9a, 0x47, 0xa1, 0x9f, 0x15,
0xbd, 0x91, 0x50, 0x0c, 0xae, 0x7a, 0x7b, 0x29, 0xc7, 0xf7, 0xd2, 0xe5, 0x7e, 0x43, 0x26, 0x63,
0x0b, 0xfd, 0x73, 0x21, 0x64, 0x3e, 0x0b, 0x4d, 0xf4, 0x18, 0x4a, 0x36, 0xd1, 0x48, 0x93, 0x1a,
0x96, 0x30, 0xff, 0xcd, 0x3e, 0xcd, 0x57, 0xb6, 0x89, 0xd6, 0x10, 0xa2, 0xf5, 0xb3, 0xcc, 0x7e,
0xef, 0x17, 0xf6, 0x21, 0xd1, 0x43, 0x28, 0x51, 0xd2, 0x31, 0x35, 0x85, 0x7a, 0x39, 0xe8, 0xb5,
0xf0, 0x14, 0x58, 0xe4, 0x30, 0xb0, 0x0d, 0xa3, 0xb5, 0x29, 0xd8, 0xf8, 0xf6, 0xf1, 0x5d, 0xe2,
0x8d, 0x62, 0x1f, 0x06, 0xed, 0xc3, 0xb8, 0x63, 0xb6, 0x18, 0x27, 0x65, 0x15, 0xaf, 0xdd, 0x15,
0x91, 0x74, 0xab, 0x5f, 0xdf, 0x6c, 0x45, 0xa4, 0xeb, 0x33, 0x42, 0xd7, 0x78, 0x74, 0x1c, 0xc7,
0xb4, 0xa0, 0x05, 0x98, 0xe8, 0xa8, 0x3a, 0xab, 0x5c, 0xdd, 0x06, 0x69, 0x1a, 0x7a, 0xcb, 0xe6,
0x61, 0x35, 0x54, 0x9f, 0x15, 0x00, 0x13, 0xab, 0x51, 0x32, 0x8e, 0xf3, 0xa3, 0xf7, 0x01, 0x79,
0xd3, 0xb8, 0xef, 0x16, 0x6c, 0xd5, 0xd0, 0x79, 0xcc, 0xe5, 0x83, 0xe0, 0xde, 0x4c, 0x70, 0xe0,
0x14, 0x29, 0xb4, 0x02, 0xe7, 0x2c, 0xb2, 0xaf, 0xb2, 0x39, 0x3e, 0x50, 0x6d, 0x6a, 0x58, 0xdd,
0x15, 0xb5, 0xa3, 0xd2, 0xf2, 0x30, 0xb7, 0xa9, 0x7c, 0x74, 0x58, 0x39, 0x87, 0x53, 0xe8, 0x38,
0x55, 0x4a, 0xfe, 0x97, 0x61, 0x98, 0x88, 0xe5, 0x1b, 0xf4, 0x08, 0x66, 0x9a, 0x6e, 0x71, 0x5a,
0x73, 0x3a, 0xdb, 0xc4, 0x6a, 0x34, 0x77, 0x49, 0xcb, 0xd1, 0x48, 0x8b, 0x07, 0xca, 0x50, 0x7d,
0x5e, 0x58, 0x3c, 0xb3, 0x98, 0xca, 0x85, 0x33, 0xa4, 0x99, 0x17, 0x74, 0x3e, 0xb4, 0xaa, 0xda,
0xb6, 0x8f, 0x99, 0xe3, 0x98, 0xbe, 0x17, 0xd6, 0x12, 0x1c, 0x38, 0x45, 0x8a, 0xd9, 0xd8, 0x22,
0xb6, 0x6a, 0x91, 0x56, 0xdc, 0xc6, 0x7c, 0xd4, 0xc6, 0xa5, 0x54, 0x2e, 0x9c, 0x21, 0x8d, 0x6e,
0xc2, 0xa8, 0xab, 0x8d, 0xaf, 0x9f, 0x58, 0x68, 0xbf, 0x1c, 0xae, 0x05, 0x24, 0x1c, 0xe6, 0x63,
0x53, 0x33, 0xb6, 0x6d, 0x62, 0xed, 0x93, 0x56, 0xf6, 0x02, 0xaf, 0x27, 0x38, 0x70, 0x8a, 0x14,
0x9b, 0x9a, 0x1b, 0x81, 0x89, 0xa9, 0x0d, 0x47, 0xa7, 0xb6, 0x95, 0xca, 0x85, 0x33, 0xa4, 0x59,
0x1c, 0xbb, 0x26, 0x2f, 0xec, 0x2b, 0xaa, 0xa6, 0x6c, 0x6b, 0xa4, 0x5c, 0x8c, 0xc6, 0xf1, 0x5a,
0x94, 0x8c, 0xe3, 0xfc, 0xe8, 0x3e, 0x4c, 0xb9, 0x43, 0x5b, 0xba, 0xe2, 0x83, 0x94, 0x38, 0xc8,
0xcb, 0x02, 0x64, 0x6a, 0x2d, 0xce, 0x80, 0x93, 0x32, 0xe8, 0x1d, 0x18, 0x6f, 0x1a, 0x9a, 0xc6,
0xe3, 0x71, 0xd1, 0x70, 0x74, 0x5a, 0x1e, 0xe1, 0x28, 0x88, 0xed, 0xc7, 0xc5, 0x08, 0x05, 0xc7,
0x38, 0x11, 0x01, 0x68, 0x7a, 0x05, 0xc7, 0x2e, 0x43, 0x5f, 0xbd, 0x46, 0xb2, 0xe8, 0x05, 0x3d,
0x80, 0x3f, 0x64, 0xe3, 0x10, 0xb0, 0xfc, 0x63, 0x09, 0x66, 0x33, 0x52, 0x07, 0x7a, 0x2f, 0x52,
0x62, 0x7f, 0x3f, 0x56, 0x62, 0xcf, 0x67, 0x88, 0x85, 0xea, 0xac, 0x0e, 0x63, 0x16, 0x9b, 0x95,
0xde, 0x76, 0x59, 0x44, 0x8e, 0xbc, 0xd9, 0x63, 0x1a, 0x38, 0x2c, 0x13, 0xe4, 0xfc, 0xa9, 0xa3,
0xc3, 0xca, 0x58, 0x84, 0x86, 0xa3, 0xf0, 0xf2, 0xbf, 0xe6, 0x00, 0x96, 0x88, 0xa9, 0x19, 0xdd,
0x0e, 0xd1, 0x4f, 0xa3, 0x87, 0x5a, 0x8f, 0xf4, 0x50, 0xd7, 0x7a, 0x2d, 0x8f, 0x6f, 0x5a, 0x66,
0x13, 0xf5, 0x27, 0xb1, 0x26, 0xaa, 0xd6, 0x3f, 0xe4, 0xf1, 0x5d, 0xd4, 0x4f, 0xf3, 0x30, 0x1d,
0x30, 0x07, 0x6d, 0xd4, 0x9d, 0xc8, 0x1a, 0xff, 0x5e, 0x6c, 0x8d, 0x67, 0x53, 0x44, 0x5e, 0x58,
0x1f, 0xf5, 0xfc, 0xfb, 0x19, 0xf4, 0x04, 0xc6, 0x59, 0xe3, 0xe4, 0x86, 0x07, 0x6f, 0xcb, 0x86,
0x07, 0x6e, 0xcb, 0xfc, 0x02, 0xba, 0x12, 0x41, 0xc2, 0x31, 0xe4, 0x8c, 0x36, 0xb0, 0xf8, 0xa2,
0xdb, 0x40, 0xf9, 0x4b, 0x09, 0xc6, 0x83, 0x65, 0x3a, 0x85, 0xa6, 0x6d, 0x2d, 0xda, 0xb4, 0x5d,
0xe9, 0x3b, 0x44, 0x33, 0xba, 0xb6, 0x5f, 0xb2, 0x06, 0xdf, 0x67, 0x62, 0x1b, 0x7c, 0x5b, 0x69,
0xee, 0xf5, 0xf1, 0xf9, 0xf7, 0x99, 0x04, 0x48, 0x54, 0x81, 0x05, 0x5d, 0x37, 0xa8, 0xe2, 0xe6,
0x4a, 0xd7, 0xac, 0xe5, 0xbe, 0xcd, 0xf2, 0x34, 0x56, 0xb7, 0x12, 0x58, 0x77, 0x75, 0x6a, 0x75,
0x83, 0x15, 0x49, 0x32, 0xe0, 0x14, 0x03, 0x90, 0x02, 0x60, 0x09, 0xcc, 0x4d, 0x43, 0x6c, 0xe4,
0x6b, 0x7d, 0xe4, 0x3c, 0x26, 0xb0, 0x68, 0xe8, 0x3b, 0x6a, 0x3b, 0x48, 0x3b, 0xd8, 0x07, 0xc2,
0x21, 0xd0, 0xb9, 0xbb, 0x30, 0x9b, 0x61, 0x2d, 0x9a, 0x84, 0xfc, 0x1e, 0xe9, 0xba, 0x6e, 0xc3,
0xec, 0x4f, 0x74, 0x2e, 0xfc, 0x99, 0x3c, 0x22, 0xbe, 0x70, 0xdf, 0xc9, 0xdd, 0x96, 0xe4, 0x2f,
0x86, 0xc2, 0xb1, 0xc3, 0x3b, 0xe6, 0xcb, 0x50, 0xb2, 0x88, 0xa9, 0xa9, 0x4d, 0xc5, 0x16, 0x8d,
0xd0, 0x59, 0xf7, 0x48, 0xc3, 0x1d, 0xc3, 0x3e, 0x35, 0xd2, 0x5b, 0xe7, 0x5e, 0x6c, 0x6f, 0x9d,
0x7f, 0x3e, 0xbd, 0xf5, 0x9f, 0x43, 0xc9, 0xf6, 0xba, 0xea, 0x02, 0x87, 0xbc, 0x3e, 0x40, 0x7e,
0x15, 0x0d, 0xb5, 0xaf, 0xc0, 0x6f, 0xa5, 0x7d, 0xd0, 0xb4, 0x26, 0x7a, 0x68, 0xc0, 0x26, 0xfa,
0xb9, 0x36, 0xbe, 0x2c, 0xa7, 0x9a, 0x8a, 0x63, 0x93, 0x16, 0x4f, 0x44, 0xa5, 0x20, 0xa7, 0x6e,
0xf0, 0x51, 0x2c, 0xa8, 0xe8, 0x71, 0x24, 0x64, 0x4b, 0x27, 0x09, 0xd9, 0xf1, 0xec, 0x70, 0x45,
0x5b, 0x30, 0x6b, 0x5a, 0x46, 0xdb, 0x22, 0xb6, 0xbd, 0x44, 0x94, 0x96, 0xa6, 0xea, 0xc4, 0xf3,
0x8f, 0xdb, 0x11, 0x9d, 0x3f, 0x3a, 0xac, 0xcc, 0x6e, 0xa4, 0xb3, 0xe0, 0x2c, 0x59, 0xf9, 0x69,
0x01, 0x26, 0xe3, 0x15, 0x30, 0xa3, 0x49, 0x95, 0x4e, 0xd4, 0xa4, 0x5e, 0x0d, 0x6d, 0x06, 0xb7,
0x83, 0x0f, 0x9d, 0xf1, 0x25, 0x36, 0xc4, 0x02, 0x4c, 0x88, 0x6c, 0xe0, 0x11, 0x45, 0x9b, 0xee,
0xaf, 0xfe, 0x56, 0x94, 0x8c, 0xe3, 0xfc, 0xac, 0xf5, 0x0c, 0x3a, 0x4a, 0x0f, 0xa4, 0x10, 0x6d,
0x3d, 0x17, 0xe2, 0x0c, 0x38, 0x29, 0x83, 0x56, 0x61, 0xda, 0xd1, 0x93, 0x50, 0x6e, 0x34, 0x9e,
0x17, 0x50, 0xd3, 0x5b, 0x49, 0x16, 0x9c, 0x26, 0x87, 0x76, 0x22, 0xdd, 0xe8, 0x30, 0xcf, 0xb0,
0x37, 0xfa, 0xde, 0x3b, 0x7d, 0xb7, 0xa3, 0xe8, 0x0e, 0x8c, 0x59, 0xfc, 0xbb, 0xc3, 0x33, 0xd8,
0xed, 0xdd, 0x5f, 0x12, 0x62, 0x63, 0x38, 0x4c, 0xc4, 0x51, 0xde, 0x94, 0x76, 0xbb, 0xd4, 0x6f,
0xbb, 0x2d, 0xff, 0xbf, 0x14, 0x2e, 0x42, 0x7e, 0x0b, 0xdc, 0xeb, 0x94, 0x29, 0x21, 0x11, 0xea,
0x8e, 0x8c, 0xf4, 0xee, 0xf7, 0xd6, 0x40, 0xdd, 0x6f, 0x50, 0x3c, 0x7b, 0xb7, 0xbf, 0x9f, 0x4b,
0x30, 0x73, 0xaf, 0x71, 0xdf, 0x32, 0x1c, 0xd3, 0x33, 0x67, 0xdd, 0x74, 0xfd, 0xfa, 0x36, 0x14,
0x2c, 0x47, 0xf3, 0xe6, 0xf1, 0x9a, 0x37, 0x0f, 0xec, 0x68, 0x6c, 0x1e, 0xd3, 0x31, 0x29, 0x77,
0x12, 0x4c, 0x00, 0xad, 0xc1, 0xb0, 0xa5, 0xe8, 0x6d, 0xe2, 0x95, 0xd5, 0x4b, 0x3d, 0xac, 0x5f,
0x5e, 0xc2, 0x8c, 0x3d, 0xd4, 0xbc, 0x71, 0x69, 0x2c, 0x50, 0xe4, 0xbf, 0x97, 0x60, 0xe2, 0xc1,
0xe6, 0xe6, 0xc6, 0xb2, 0xce, 0x77, 0x34, 0x3f, 0x7d, 0xbf, 0x08, 0x05, 0x53, 0xa1, 0xbb, 0xf1,
0x4a, 0xcf, 0x68, 0x98, 0x53, 0xd0, 0x07, 0x50, 0x64, 0x99, 0x84, 0xe8, 0xad, 0x3e, 0x5b, 0x6d,
0x01, 0x5f, 0x77, 0x85, 0x82, 0x0e, 0x51, 0x0c, 0x60, 0x0f, 0x4e, 0xde, 0x83, 0x73, 0x21, 0x73,
0x98, 0x3f, 0xf8, 0x31, 0x30, 0x6a, 0xc0, 0x10, 0xd3, 0xec, 0x9d, 0xf2, 0xf6, 0x3a, 0xcc, 0x8c,
0x4d, 0x29, 0xe8, 0x74, 0xd8, 0x2f, 0x1b, 0xbb, 0x58, 0xf2, 0x2a, 0x8c, 0xf1, 0x2b, 0x07, 0xc3,
0xa2, 0xdc, 0x2d, 0xe8, 0x02, 0xe4, 0x3b, 0xaa, 0x2e, 0xea, 0xec, 0xa8, 0x90, 0xc9, 0xb3, 0x1a,
0xc1, 0xc6, 0x39, 0x59, 0x39, 0x10, 0x99, 0x27, 0x20, 0x2b, 0x07, 0x98, 0x8d, 0xcb, 0xf7, 0xa1,
0x28, 0xdc, 0x1d, 0x06, 0xca, 0x1f, 0x0f, 0x94, 0x4f, 0x01, 0x5a, 0x87, 0xe2, 0xf2, 0x46, 0x5d,
0x33, 0xdc, 0xae, 0xab, 0xa9, 0xb6, 0xac, 0xf8, 0x5a, 0x2c, 0x2e, 0x2f, 0x61, 0xcc, 0x29, 0x48,
0x86, 0x61, 0x72, 0xd0, 0x24, 0x26, 0xe5, 0x11, 0x31, 0x52, 0x07, 0xb6, 0xca, 0x77, 0xf9, 0x08,
0x16, 0x14, 0xf9, 0x1f, 0x72, 0x50, 0x14, 0xee, 0x38, 0x85, 0xaf, 0xb0, 0x95, 0xc8, 0x57, 0xd8,
0xeb, 0xfd, 0x85, 0x46, 0xe6, 0x27, 0xd8, 0x66, 0xec, 0x13, 0xec, 0x6a, 0x9f, 0x78, 0xc7, 0x7f,
0x7f, 0xfd, 0x8f, 0x04, 0xe3, 0xd1, 0xa0, 0x44, 0x37, 0x61, 0x94, 0x15, 0x1c, 0xb5, 0x49, 0xd6,
0x82, 0x3e, 0xd7, 0x3f, 0x84, 0x69, 0x04, 0x24, 0x1c, 0xe6, 0x43, 0x6d, 0x5f, 0x8c, 0xc5, 0x91,
0x98, 0x74, 0xb6, 0x4b, 0x1d, 0xaa, 0x6a, 0x55, 0xf7, 0x1a, 0xad, 0xba, 0xac, 0xd3, 0x75, 0xab,
0x41, 0x2d, 0x55, 0x6f, 0x27, 0x14, 0xf1, 0xa0, 0x0c, 0x23, 0xcb, 0xff, 0x27, 0xc1, 0xa8, 0x30,
0xf9, 0x14, 0xbe, 0x2a, 0xfe, 0x38, 0xfa, 0x55, 0x71, 0xa9, 0xcf, 0x0d, 0x9e, 0xfe, 0x49, 0xf1,
0x1f, 0x81, 0xe9, 0x6c, 0x4b, 0xb3, 0xa8, 0xde, 0x35, 0x6c, 0x1a, 0x8f, 0x6a, 0xb6, 0x19, 0x31,
0xa7, 0x20, 0x07, 0x26, 0xd5, 0x58, 0x0e, 0x10, 0xae, 0xad, 0xf5, 0x67, 0x89, 0x2f, 0x56, 0x2f,
0x0b, 0xf8, 0xc9, 0x38, 0x05, 0x27, 0x54, 0xc8, 0x04, 0x12, 0x5c, 0xe8, 0x21, 0x14, 0x76, 0x29,
0x35, 0x53, 0xce, 0xab, 0x7b, 0x64, 0x9e, 0xc0, 0x84, 0x12, 0x9f, 0xdd, 0xe6, 0xe6, 0x06, 0xe6,
0x50, 0xf2, 0xaf, 0x02, 0x7f, 0x34, 0xdc, 0x18, 0xf7, 0xf3, 0xa9, 0x74, 0x92, 0x7c, 0x3a, 0x9a,
0x96, 0x4b, 0xd1, 0x03, 0xc8, 0x53, 0xad, 0xdf, 0xcf, 0x42, 0x81, 0xb8, 0xb9, 0xd2, 0x08, 0x12,
0xd2, 0xe6, 0x4a, 0x03, 0x33, 0x08, 0xb4, 0x0e, 0x43, 0xac, 0xfa, 0xb0, 0x2d, 0x98, 0xef, 0x7f,
0x4b, 0xb3, 0xf9, 0x07, 0x01, 0xc1, 0x7e, 0xd9, 0xd8, 0xc5, 0x91, 0x3f, 0x81, 0xb1, 0xc8, 0x3e,
0x45, 0x1f, 0xc3, 0x59, 0xcd, 0x50, 0x5a, 0x75, 0x45, 0x53, 0xf4, 0x26, 0xf1, 0x2e, 0x07, 0x2e,
0xa5, 0x7d, 0x61, 0xac, 0x84, 0xf8, 0xc4, 0x2e, 0xf7, 0xaf, 0x53, 0xc3, 0x34, 0x1c, 0x41, 0x94,
0x15, 0x80, 0x60, 0x8e, 0xa8, 0x02, 0x43, 0x2c, 0xce, 0xdc, 0x7a, 0x32, 0x52, 0x1f, 0x61, 0x16,
0xb2, 0xf0, 0xb3, 0xb1, 0x3b, 0x8e, 0x6e, 0x00, 0xd8, 0xa4, 0x69, 0x11, 0xca, 0x93, 0x41, 0x2e,
0x7a, 0x05, 0xdd, 0xf0, 0x29, 0x38, 0xc4, 0x25, 0xff, 0x48, 0x82, 0xb1, 0x35, 0x42, 0x3f, 0x35,
0xac, 0xbd, 0x0d, 0xfe, 0x74, 0xe0, 0x14, 0x92, 0x2d, 0x8e, 0x24, 0xdb, 0x37, 0x7a, 0xac, 0x4c,
0xc4, 0xba, 0xac, 0x94, 0x2b, 0x7f, 0x29, 0xc1, 0x6c, 0x84, 0xf3, 0x6e, 0xb0, 0x75, 0xb7, 0x60,
0xc8, 0x34, 0x2c, 0xea, 0x15, 0xe2, 0x81, 0x14, 0xb2, 0x34, 0x16, 0x2a, 0xc5, 0x0c, 0x06, 0xbb,
0x68, 0x68, 0x05, 0x72, 0xd4, 0x10, 0xa1, 0x3a, 0x18, 0x26, 0x21, 0x56, 0x1d, 0x04, 0x66, 0x6e,
0xd3, 0xc0, 0x39, 0x6a, 0xb0, 0x85, 0x28, 0x47, 0xb8, 0xc2, 0xc9, 0xe7, 0x05, 0xcd, 0x00, 0x43,
0x61, 0xc7, 0x32, 0x3a, 0x27, 0x9e, 0x83, 0xbf, 0x10, 0xf7, 0x2c, 0xa3, 0x83, 0x39, 0x96, 0xfc,
0x95, 0x04, 0x53, 0x11, 0xce, 0x53, 0x48, 0xfc, 0x0f, 0xa3, 0x89, 0xff, 0xea, 0x20, 0x13, 0xc9,
0x48, 0xff, 0x5f, 0xe5, 0x62, 0xd3, 0x60, 0x13, 0x46, 0x3b, 0x30, 0x6a, 0x1a, 0xad, 0xc6, 0x73,
0xb8, 0x0e, 0x9c, 0x60, 0x75, 0x73, 0x23, 0xc0, 0xc2, 0x61, 0x60, 0x74, 0x00, 0x53, 0xba, 0xd2,
0x21, 0xb6, 0xa9, 0x34, 0x49, 0xe3, 0x39, 0x1c, 0x90, 0xbc, 0xc4, 0xef, 0x1b, 0xe2, 0x88, 0x38,
0xa9, 0x04, 0xad, 0x42, 0x51, 0x35, 0x79, 0x1f, 0x27, 0x7a, 0x97, 0x9e, 0x55, 0xd4, 0xed, 0xfa,
0xdc, 0x7c, 0x2e, 0x7e, 0x60, 0x0f, 0x43, 0xfe, 0xcf, 0x78, 0x34, 0xb0, 0xf8, 0x43, 0xf7, 0xa1,
0xc4, 0x1f, 0xe1, 0x34, 0x0d, 0xcd, 0xbb, 0x19, 0x60, 0x2b, 0xbb, 0x21, 0xc6, 0x9e, 0x1d, 0x56,
0xce, 0xa7, 0x1c, 0xfa, 0x7a, 0x64, 0xec, 0x0b, 0xa3, 0x35, 0x28, 0x98, 0x3f, 0xa4, 0x83, 0xe1,
0x45, 0x8e, 0xb7, 0x2d, 0x1c, 0x47, 0xfe, 0xeb, 0x7c, 0xcc, 0x5c, 0x5e, 0xea, 0x9e, 0x3c, 0xb7,
0x55, 0xf7, 0x3b, 0xa6, 0xcc, 0x95, 0xdf, 0x86, 0xa2, 0xa8, 0xf0, 0x22, 0x98, 0xdf, 0x1e, 0x24,
0x98, 0xc3, 0x55, 0xcc, 0xff, 0x60, 0xf1, 0x06, 0x3d, 0x60, 0xf4, 0x11, 0x0c, 0x13, 0x57, 0x85,
0x5b, 0x1b, 0x6f, 0x0d, 0xa2, 0x22, 0xc8, 0xab, 0x41, 0xa3, 0x2a, 0xc6, 0x04, 0x2a, 0x7a, 0x8f,
0xf9, 0x8b, 0xf1, 0xb2, 0x8f, 0x40, 0xbb, 0x5c, 0xe0, 0xe5, 0xea, 0x82, 0x3b, 0x6d, 0x7f, 0xf8,
0xd9, 0x61, 0x05, 0x82, 0x9f, 0x38, 0x2c, 0x21, 0xff, 0x44, 0x82, 0x29, 0xee, 0xa1, 0xa6, 0x63,
0xa9, 0xb4, 0x7b, 0x6a, 0x85, 0xe9, 0x51, 0xa4, 0x30, 0xbd, 0xd5, 0xc3, 0x2d, 0x09, 0x0b, 0x33,
0x8b, 0xd3, 0xd7, 0x12, 0xbc, 0x94, 0xe0, 0x3e, 0x85, 0xbc, 0xb8, 0x15, 0xcd, 0x8b, 0x6f, 0x0c,
0x3a, 0xa1, 0xac, 0x37, 0x12, 0x63, 0x29, 0xd3, 0xe1, 0x3b, 0xe5, 0x06, 0x80, 0x69, 0xa9, 0xfb,
0xaa, 0x46, 0xda, 0xe2, 0x12, 0xbc, 0x14, 0x7a, 0x04, 0xe7, 0x53, 0x70, 0x88, 0x0b, 0xd9, 0x30,
0xd3, 0x22, 0x3b, 0x8a, 0xa3, 0xd1, 0x85, 0x56, 0x6b, 0x51, 0x31, 0x95, 0x6d, 0x55, 0x53, 0xa9,
0x2a, 0x8e, 0x0b, 0x46, 0xea, 0x77, 0xdc, 0xcb, 0xe9, 0x34, 0x8e, 0x67, 0x87, 0x95, 0x0b, 0x69,
0xb7, 0x43, 0x1e, 0x4b, 0x17, 0x67, 0x40, 0xa3, 0x2e, 0x94, 0x2d, 0xf2, 0x89, 0xa3, 0x5a, 0xa4,
0xb5, 0x64, 0x19, 0x66, 0x44, 0x6d, 0x9e, 0xab, 0xfd, 0xc3, 0xa3, 0xc3, 0x4a, 0x19, 0x67, 0xf0,
0xf4, 0x56, 0x9c, 0x09, 0x8f, 0x9e, 0xc0, 0xb4, 0xe2, 0xbe, 0x1d, 0x8c, 0x68, 0x75, 0x77, 0xc9,
0xed, 0xa3, 0xc3, 0xca, 0xf4, 0x42, 0x92, 0xdc, 0x5b, 0x61, 0x1a, 0x28, 0xaa, 0x41, 0x71, 0x9f,
0xbf, 0x6c, 0xb4, 0xcb, 0x43, 0x1c, 0x9f, 0x15, 0x82, 0xa2, 0xfb, 0xd8, 0x91, 0x61, 0x0e, 0xdf,
0x6b, 0xf0, 0xdd, 0xe7, 0x71, 0xb1, 0x0f, 0x4a, 0xd6, 0x4b, 0x8a, 0x1d, 0xcf, 0x4f, 0x8c, 0x4b,
0x41, 0xd6, 0x7a, 0x10, 0x90, 0x70, 0x98, 0x0f, 0x3d, 0x86, 0x91, 0x5d, 0x71, 0x2a, 0x61, 0x97,
0x8b, 0x7d, 0x15, 0xe1, 0xc8, 0x29, 0x46, 0x7d, 0x4a, 0xa8, 0x18, 0xf1, 0x86, 0x6d, 0x1c, 0x20,
0xa2, 0x2b, 0x50, 0xe4, 0x3f, 0x96, 0x97, 0xf8, 0x71, 0x5c, 0x29, 0xc8, 0x6d, 0x0f, 0xdc, 0x61,
0xec, 0xd1, 0x3d, 0xd6, 0xe5, 0x8d, 0x45, 0x7e, 0x2c, 0x1c, 0x63, 0x5d, 0xde, 0x58, 0xc4, 0x1e,
0x1d, 0x7d, 0x0c, 0x45, 0x9b, 0xac, 0xa8, 0xba, 0x73, 0x50, 0x86, 0xbe, 0x2e, 0x95, 0x1b, 0x77,
0x39, 0x77, 0xec, 0x60, 0x2c, 0xd0, 0x20, 0xe8, 0xd8, 0x83, 0x45, 0xbb, 0x30, 0x62, 0x39, 0xfa,
0x82, 0xbd, 0x65, 0x13, 0xab, 0x3c, 0xca, 0x75, 0xf4, 0x4a, 0xe7, 0xd8, 0xe3, 0x8f, 0x6b, 0xf1,
0x3d, 0xe4, 0x73, 0xe0, 0x00, 0x1c, 0xfd, 0x9d, 0x04, 0xc8, 0x76, 0x4c, 0x53, 0x23, 0x1d, 0xa2,
0x53, 0x45, 0xe3, 0x67, 0x71, 0x76, 0xf9, 0x2c, 0xd7, 0xf9, 0x47, 0xbd, 0xe6, 0x95, 0x10, 0x8c,
0x2b, 0xf7, 0x0f, 0xbd, 0x93, 0xac, 0x38, 0x45, 0x2f, 0x73, 0xed, 0x8e, 0xcd, 0xff, 0x2e, 0x8f,
0xf5, 0xe5, 0xda, 0xf4, 0x33, 0xc7, 0xc0, 0xb5, 0x82, 0x8e, 0x3d, 0x58, 0xf4, 0x08, 0x66, 0xbc,
0x87, 0xb1, 0xd8, 0x30, 0xe8, 0x3d, 0x55, 0x23, 0x76, 0xd7, 0xa6, 0xa4, 0x53, 0x1e, 0xe7, 0xcb,
0xee, 0xbf, 0xfd, 0xc0, 0xa9, 0x5c, 0x38, 0x43, 0x1a, 0x75, 0xa0, 0xe2, 0xa5, 0x0c, 0xb6, 0x9f,
0xfc, 0x9c, 0x75, 0xd7, 0x6e, 0x2a, 0x9a, 0x7b, 0x0f, 0x30, 0xc1, 0x15, 0xbc, 0x76, 0x74, 0x58,
0xa9, 0x2c, 0x1d, 0xcf, 0x8a, 0x7b, 0x61, 0xa1, 0x0f, 0xa0, 0xac, 0x64, 0xe9, 0x99, 0xe4, 0x7a,
0x5e, 0x61, 0x79, 0x28, 0x53, 0x41, 0xa6, 0x34, 0xa2, 0x30, 0xa9, 0x44, 0x9f, 0x28, 0xdb, 0xe5,
0xa9, 0xbe, 0x0e, 0x22, 0x63, 0x2f, 0x9b, 0x83, 0xc3, 0x88, 0x18, 0xc1, 0xc6, 0x09, 0x0d, 0xe8,
0x2f, 0x00, 0x29, 0xf1, 0x57, 0xd5, 0x76, 0x19, 0xf5, 0x55, 0x7e, 0x12, 0xcf, 0xb1, 0x83, 0xb0,
0x4b, 0x90, 0x6c, 0x9c, 0xa2, 0x87, 0x3f, 0xde, 0x10, 0x47, 0xf9, 0xa7, 0xf3, 0x00, 0x76, 0xb0,
0xc7, 0x1b, 0x81, 0x69, 0xcf, 0xed, 0xf1, 0x46, 0x08, 0xf2, 0xf8, 0xc3, 0xc3, 0x5f, 0xe4, 0x60,
0x3a, 0x60, 0xee, 0xfb, 0xf1, 0x46, 0x8a, 0xc8, 0xef, 0x1e, 0xc1, 0xf6, 0x7e, 0x04, 0xfb, 0xa5,
0x04, 0xe3, 0x81, 0xeb, 0x7e, 0xf3, 0x1e, 0x54, 0x04, 0xb6, 0x65, 0xb4, 0x78, 0xff, 0x9d, 0x0b,
0x4f, 0xe0, 0xb7, 0xfe, 0x56, 0xff, 0x87, 0xbf, 0x5c, 0x95, 0xbf, 0xce, 0xc3, 0x64, 0x7c, 0x37,
0x46, 0x2e, 0x7f, 0xa5, 0x9e, 0x97, 0xbf, 0x1b, 0x70, 0x6e, 0xc7, 0xd1, 0xb4, 0x2e, 0x77, 0x43,
0xe8, 0x06, 0xd8, 0xbd, 0xbc, 0x79, 0x45, 0x48, 0x9e, 0xbb, 0x97, 0xc2, 0x83, 0x53, 0x25, 0x33,
0x2e, 0xb2, 0xf3, 0x27, 0xba, 0xc8, 0x4e, 0xdc, 0xab, 0x16, 0x06, 0xb8, 0x57, 0x4d, 0xbd, 0x94,
0x1e, 0x3a, 0xc1, 0xa5, 0xf4, 0x49, 0x6e, 0x91, 0x53, 0x92, 0x58, 0xcf, 0x47, 0x8d, 0xaf, 0xc0,
0x9c, 0x10, 0xa3, 0xfc, 0x82, 0x57, 0xa7, 0x96, 0xa1, 0x69, 0xc4, 0x5a, 0x72, 0x3a, 0x9d, 0xae,
0xfc, 0x2e, 0x8c, 0x47, 0x9f, 0x2e, 0xb8, 0x2b, 0xed, 0xbe, 0x9e, 0x10, 0x57, 0x68, 0xa1, 0x95,
0x76, 0xc7, 0xb1, 0xcf, 0x21, 0xff, 0x8d, 0x04, 0x33, 0xe9, 0x4f, 0x14, 0x91, 0x06, 0xe3, 0x1d,
0xe5, 0x20, 0xfc, 0x6c, 0x54, 0x3a, 0xe1, 0xe1, 0x06, 0xbf, 0xb3, 0x5e, 0x8d, 0x60, 0xe1, 0x18,
0xb6, 0xfc, 0xbd, 0x04, 0xb3, 0x19, 0xb7, 0xc5, 0xa7, 0x6b, 0x09, 0xfa, 0x10, 0x4a, 0x1d, 0xe5,
0xa0, 0xe1, 0x58, 0x6d, 0x72, 0xe2, 0xe3, 0x1c, 0x9e, 0x31, 0x56, 0x05, 0x0a, 0xf6, 0xf1, 0xe4,
0xcf, 0x25, 0x28, 0x67, 0x35, 0xd6, 0xe8, 0x66, 0xe4, 0x5e, 0xfb, 0xd5, 0xd8, 0xbd, 0xf6, 0x54,
0x42, 0xee, 0x05, 0xdd, 0x6a, 0xff, 0x97, 0x04, 0x33, 0xe9, 0x1f, 0x18, 0xe8, 0xcd, 0x88, 0x85,
0x95, 0x98, 0x85, 0x13, 0x31, 0x29, 0x61, 0xdf, 0x47, 0x30, 0x2e, 0x3e, 0x43, 0x04, 0x8c, 0xf0,
0xaa, 0x9c, 0x96, 0x2b, 0x05, 0x84, 0xd7, 0x76, 0xf3, 0xf5, 0x8a, 0x8e, 0xe1, 0x18, 0x9a, 0xfc,
0xb7, 0x39, 0x18, 0x6a, 0x34, 0x15, 0x8d, 0x9c, 0x42, 0x9b, 0xf5, 0x7e, 0xa4, 0xcd, 0xea, 0xf5,
0x2f, 0x1e, 0xdc, 0xaa, 0xcc, 0x0e, 0x0b, 0xc7, 0x3a, 0xac, 0xd7, 0xfb, 0x42, 0x3b, 0xbe, 0xb9,
0xfa, 0x03, 0x18, 0xf1, 0x95, 0x0e, 0x96, 0xf3, 0xe5, 0x7f, 0xcf, 0xc1, 0x68, 0x48, 0xc5, 0x80,
0x15, 0x63, 0x27, 0x52, 0x69, 0xfb, 0xf9, 0xc7, 0xba, 0x90, 0xae, 0xaa, 0x57, 0x5b, 0xdd, 0x27,
0x8a, 0xc1, 0xa3, 0xb4, 0x64, 0xc9, 0x7d, 0x17, 0xc6, 0x29, 0xff, 0xc7, 0x33, 0xff, 0x10, 0x34,
0xcf, 0x63, 0xd1, 0x7f, 0xd8, 0xba, 0x19, 0xa1, 0xe2, 0x18, 0xf7, 0xdc, 0x1d, 0x18, 0x8b, 0x28,
0x1b, 0xe8, 0x85, 0xe1, 0xff, 0x4a, 0xf0, 0x6a, 0xcf, 0x4f, 0x54, 0x54, 0x8f, 0x6c, 0x92, 0x6a,
0x6c, 0x93, 0xcc, 0x67, 0x03, 0xbc, 0xb8, 0x97, 0x2a, 0xf5, 0x6b, 0x4f, 0xbf, 0x9b, 0x3f, 0xf3,
0xcd, 0x77, 0xf3, 0x67, 0xbe, 0xfd, 0x6e, 0xfe, 0xcc, 0x5f, 0x1d, 0xcd, 0x4b, 0x4f, 0x8f, 0xe6,
0xa5, 0x6f, 0x8e, 0xe6, 0xa5, 0x6f, 0x8f, 0xe6, 0xa5, 0x9f, 0x1d, 0xcd, 0x4b, 0xff, 0xf8, 0xfd,
0xfc, 0x99, 0x0f, 0x8b, 0x02, 0xee, 0xd7, 0x01, 0x00, 0x00, 0xff, 0xff, 0x26, 0xa2, 0x5e, 0xbc,
0x82, 0x3c, 0x00, 0x00,
// 3637 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5b, 0xcb, 0x6f, 0x1c, 0x47,
0x73, 0xd7, 0xec, 0x2e, 0xb9, 0xcb, 0xa2, 0xf8, 0x6a, 0xd2, 0xe4, 0x7e, 0x94, 0xc5, 0xd5, 0x37,
0x06, 0x14, 0xc9, 0x91, 0x76, 0x2d, 0xd9, 0xd2, 0xa7, 0x58, 0x88, 0x6d, 0x2e, 0x29, 0x4a, 0x74,
0xf8, 0x52, 0x2f, 0xa9, 0x38, 0x46, 0xe4, 0x78, 0xb8, 0xdb, 0x5c, 0x8e, 0x38, 0x3b, 0x33, 0x9e,
0xe9, 0xa1, 0xb9, 0x40, 0x10, 0xe4, 0x10, 0x04, 0x08, 0x90, 0x20, 0xc9, 0xc1, 0x79, 0xdc, 0xe2,
0x4b, 0x4e, 0x09, 0x92, 0x5b, 0x72, 0x30, 0x0c, 0x04, 0x70, 0x00, 0x21, 0x70, 0x00, 0xdf, 0xe2,
0x13, 0x11, 0xd3, 0xa7, 0x20, 0xff, 0x40, 0xa0, 0x43, 0x10, 0x74, 0x4f, 0xcf, 0x7b, 0x86, 0xbb,
0x4b, 0x4b, 0x44, 0x10, 0xe4, 0xc6, 0xed, 0xaa, 0xfa, 0x55, 0x75, 0x75, 0x75, 0x55, 0x4d, 0x77,
0x13, 0x56, 0x0e, 0xee, 0xd9, 0x55, 0xd5, 0xa8, 0x1d, 0x38, 0xbb, 0xc4, 0xd2, 0x09, 0x25, 0x76,
0xed, 0x90, 0xe8, 0x2d, 0xc3, 0xaa, 0x09, 0x82, 0x62, 0xaa, 0x35, 0x72, 0x44, 0x89, 0x6e, 0xab,
0x86, 0x6e, 0xd7, 0x0e, 0x6f, 0xed, 0x12, 0xaa, 0xdc, 0xaa, 0xb5, 0x89, 0x4e, 0x2c, 0x85, 0x92,
0x56, 0xd5, 0xb4, 0x0c, 0x6a, 0xa0, 0xcb, 0x2e, 0x7b, 0x55, 0x31, 0xd5, 0x6a, 0xc0, 0x5e, 0x15,
0xec, 0xf3, 0x37, 0xdb, 0x2a, 0xdd, 0x77, 0x76, 0xab, 0x4d, 0xa3, 0x53, 0x6b, 0x1b, 0x6d, 0xa3,
0xc6, 0xa5, 0x76, 0x9d, 0x3d, 0xfe, 0x8b, 0xff, 0xe0, 0x7f, 0xb9, 0x68, 0xf3, 0x72, 0x48, 0x79,
0xd3, 0xb0, 0x48, 0xed, 0x30, 0xa1, 0x71, 0xfe, 0x7a, 0x88, 0xc7, 0x34, 0x34, 0xb5, 0xd9, 0xcd,
0x32, 0x6e, 0xfe, 0x9d, 0x80, 0xb5, 0xa3, 0x34, 0xf7, 0x55, 0x9d, 0x58, 0xdd, 0x9a, 0x79, 0xd0,
0xe6, 0xb2, 0x16, 0xb1, 0x0d, 0xc7, 0x6a, 0x92, 0x81, 0xa4, 0xec, 0x5a, 0x87, 0x50, 0x25, 0xcd,
0xac, 0x5a, 0x96, 0x94, 0xe5, 0xe8, 0x54, 0xed, 0x24, 0xd5, 0xdc, 0xed, 0x25, 0x60, 0x37, 0xf7,
0x49, 0x47, 0x49, 0xc8, 0xbd, 0x9d, 0x25, 0xe7, 0x50, 0x55, 0xab, 0xa9, 0x3a, 0xb5, 0xa9, 0x15,
0x17, 0x92, 0xef, 0xc3, 0xd4, 0xa2, 0xa6, 0x19, 0x9f, 0x93, 0xd6, 0x8a, 0x46, 0x8e, 0x9e, 0x18,
0x9a, 0xd3, 0x21, 0xe8, 0x2a, 0x0c, 0xb7, 0x2c, 0xf5, 0x90, 0x58, 0x65, 0xe9, 0x8a, 0x74, 0x6d,
0xa4, 0x3e, 0xfe, 0xfc, 0xb8, 0x72, 0xe1, 0xe4, 0xb8, 0x32, 0xbc, 0xcc, 0x47, 0xb1, 0xa0, 0xca,
0x36, 0x4c, 0x08, 0xe1, 0x47, 0x86, 0x4d, 0xb7, 0x14, 0xba, 0x8f, 0x6e, 0x03, 0x98, 0x0a, 0xdd,
0xdf, 0xb2, 0xc8, 0x9e, 0x7a, 0x24, 0xc4, 0x91, 0x10, 0x87, 0x2d, 0x9f, 0x82, 0x43, 0x5c, 0xe8,
0x06, 0x94, 0x2c, 0xa2, 0xb4, 0x36, 0x75, 0xad, 0x5b, 0xce, 0x5d, 0x91, 0xae, 0x95, 0xea, 0x93,
0x42, 0xa2, 0x84, 0xc5, 0x38, 0xf6, 0x39, 0xe4, 0xbf, 0x94, 0xe0, 0x67, 0x4b, 0x8e, 0x4d, 0x8d,
0xce, 0x3a, 0xa1, 0x96, 0xda, 0x5c, 0x72, 0x2c, 0x8b, 0xe8, 0xb4, 0x41, 0x15, 0xea, 0xd8, 0xe8,
0x0a, 0x14, 0x74, 0xa5, 0x43, 0x84, 0xe6, 0x8b, 0x02, 0xa7, 0xb0, 0xa1, 0x74, 0x08, 0xe6, 0x14,
0xf4, 0x31, 0x0c, 0x1d, 0x2a, 0x9a, 0x43, 0xb8, 0xaa, 0xd1, 0xdb, 0xd5, 0x6a, 0x10, 0xa8, 0xbe,
0xdb, 0xaa, 0xe6, 0x41, 0x9b, 0x47, 0xae, 0x17, 0x0b, 0xd5, 0xc7, 0x8e, 0xa2, 0x53, 0x95, 0x76,
0xeb, 0x33, 0x02, 0xf2, 0xa2, 0xd0, 0xfb, 0x84, 0x61, 0x61, 0x17, 0x52, 0xfe, 0x1d, 0xb8, 0x9c,
0x69, 0xda, 0x9a, 0x6a, 0x53, 0xf4, 0x14, 0x86, 0x54, 0x4a, 0x3a, 0x76, 0x59, 0xba, 0x92, 0xbf,
0x36, 0x7a, 0xfb, 0x5e, 0xf5, 0xd4, 0x5d, 0x52, 0xcd, 0x04, 0xab, 0x8f, 0x09, 0x33, 0x86, 0x56,
0x19, 0x1c, 0x76, 0x51, 0xe5, 0x3f, 0x95, 0x00, 0x85, 0x65, 0xb6, 0x15, 0xab, 0x4d, 0x68, 0x1f,
0x4e, 0xf9, 0x8d, 0x9f, 0xe6, 0x94, 0x69, 0x01, 0x39, 0xea, 0x2a, 0x8c, 0xf8, 0xc4, 0x84, 0xd9,
0xa4, 0x49, 0xdc, 0x19, 0x4f, 0xa2, 0xce, 0xb8, 0x35, 0x80, 0x33, 0x5c, 0x94, 0x0c, 0x2f, 0x7c,
0x91, 0x83, 0x91, 0x65, 0x85, 0x74, 0x0c, 0xbd, 0x41, 0x28, 0xfa, 0x14, 0x4a, 0x6c, 0x6b, 0xb6,
0x14, 0xaa, 0x70, 0x07, 0x8c, 0xde, 0x7e, 0xeb, 0xb4, 0xd9, 0xd9, 0x55, 0xc6, 0x5d, 0x3d, 0xbc,
0x55, 0xdd, 0xdc, 0x7d, 0x46, 0x9a, 0x74, 0x9d, 0x50, 0x25, 0x88, 0xe0, 0x60, 0x0c, 0xfb, 0xa8,
0x68, 0x03, 0x0a, 0xb6, 0x49, 0x9a, 0xc2, 0x77, 0x37, 0x7a, 0x4c, 0xc3, 0xb7, 0xac, 0x61, 0x92,
0x66, 0xb0, 0x18, 0xec, 0x17, 0xe6, 0x38, 0xe8, 0x09, 0x0c, 0xdb, 0x7c, 0x95, 0xcb, 0xf9, 0xc4,
0x6a, 0x9c, 0x8e, 0xe8, 0xc6, 0x86, 0xbf, 0x5d, 0xdd, 0xdf, 0x58, 0xa0, 0xc9, 0xff, 0x91, 0x03,
0xe4, 0xf3, 0x2e, 0x19, 0x7a, 0x4b, 0xa5, 0xaa, 0xa1, 0xa3, 0x77, 0xa1, 0x40, 0xbb, 0xa6, 0x17,
0x1d, 0x57, 0x3d, 0x83, 0xb6, 0xbb, 0x26, 0x79, 0x71, 0x5c, 0x99, 0x4d, 0x4a, 0x30, 0x0a, 0xe6,
0x32, 0x68, 0xcd, 0x37, 0x35, 0xc7, 0xa5, 0xdf, 0x89, 0xaa, 0x7e, 0x71, 0x5c, 0x49, 0xc9, 0xdc,
0x55, 0x1f, 0x29, 0x6a, 0x20, 0x3a, 0x04, 0xa4, 0x29, 0x36, 0xdd, 0xb6, 0x14, 0xdd, 0x76, 0x35,
0xa9, 0x1d, 0x22, 0x9c, 0xf0, 0x66, 0x7f, 0x8b, 0xc6, 0x24, 0xea, 0xf3, 0xc2, 0x0a, 0xb4, 0x96,
0x40, 0xc3, 0x29, 0x1a, 0x58, 0xbe, 0xb3, 0x88, 0x62, 0x1b, 0x7a, 0xb9, 0x10, 0xcd, 0x77, 0x98,
0x8f, 0x62, 0x41, 0x45, 0xd7, 0xa1, 0xd8, 0x21, 0xb6, 0xad, 0xb4, 0x49, 0x79, 0x88, 0x33, 0x4e,
0x08, 0xc6, 0xe2, 0xba, 0x3b, 0x8c, 0x3d, 0xba, 0xfc, 0x95, 0x04, 0x63, 0xbe, 0xe7, 0x78, 0xb4,
0xff, 0x66, 0x22, 0x0e, 0xab, 0xfd, 0x4d, 0x89, 0x49, 0xf3, 0x28, 0xf4, 0xb3, 0xa2, 0x37, 0x12,
0x8a, 0xc1, 0x75, 0x6f, 0x2f, 0xe5, 0xf8, 0x5e, 0xba, 0xd6, 0x6f, 0xc8, 0x64, 0x6c, 0xa1, 0x3f,
0x2b, 0x84, 0xcc, 0x67, 0xa1, 0x89, 0x9e, 0x42, 0xc9, 0x26, 0x1a, 0x69, 0x52, 0xc3, 0x12, 0xe6,
0xbf, 0xdd, 0xa7, 0xf9, 0xca, 0x2e, 0xd1, 0x1a, 0x42, 0xb4, 0x7e, 0x91, 0xd9, 0xef, 0xfd, 0xc2,
0x3e, 0x24, 0x7a, 0x0c, 0x25, 0x4a, 0x3a, 0xa6, 0xa6, 0x50, 0x2f, 0x07, 0xbd, 0x11, 0x9e, 0x02,
0x8b, 0x1c, 0x06, 0xb6, 0x65, 0xb4, 0xb6, 0x05, 0x1b, 0xdf, 0x3e, 0xbe, 0x4b, 0xbc, 0x51, 0xec,
0xc3, 0xa0, 0x43, 0x18, 0x77, 0xcc, 0x16, 0xe3, 0xa4, 0xac, 0xe2, 0xb5, 0xbb, 0x22, 0x92, 0xee,
0xf6, 0xeb, 0x9b, 0x9d, 0x88, 0x74, 0x7d, 0x56, 0xe8, 0x1a, 0x8f, 0x8e, 0xe3, 0x98, 0x16, 0xb4,
0x08, 0x13, 0x1d, 0x55, 0x67, 0x95, 0xab, 0xdb, 0x20, 0x4d, 0x43, 0x6f, 0xd9, 0x3c, 0xac, 0x86,
0xea, 0x73, 0x02, 0x60, 0x62, 0x3d, 0x4a, 0xc6, 0x71, 0x7e, 0xf4, 0x21, 0x20, 0x6f, 0x1a, 0x0f,
0xdd, 0x82, 0xad, 0x1a, 0x3a, 0x8f, 0xb9, 0x7c, 0x10, 0xdc, 0xdb, 0x09, 0x0e, 0x9c, 0x22, 0x85,
0xd6, 0x60, 0xc6, 0x22, 0x87, 0x2a, 0x9b, 0xe3, 0x23, 0xd5, 0xa6, 0x86, 0xd5, 0x5d, 0x53, 0x3b,
0x2a, 0x2d, 0x0f, 0x73, 0x9b, 0xca, 0x27, 0xc7, 0x95, 0x19, 0x9c, 0x42, 0xc7, 0xa9, 0x52, 0xf2,
0x9f, 0x0f, 0xc3, 0x44, 0x2c, 0xdf, 0xa0, 0x27, 0x30, 0xdb, 0x74, 0x8b, 0xd3, 0x86, 0xd3, 0xd9,
0x25, 0x56, 0xa3, 0xb9, 0x4f, 0x5a, 0x8e, 0x46, 0x5a, 0x3c, 0x50, 0x86, 0xea, 0x0b, 0xc2, 0xe2,
0xd9, 0xa5, 0x54, 0x2e, 0x9c, 0x21, 0xcd, 0xbc, 0xa0, 0xf3, 0xa1, 0x75, 0xd5, 0xb6, 0x7d, 0xcc,
0x1c, 0xc7, 0xf4, 0xbd, 0xb0, 0x91, 0xe0, 0xc0, 0x29, 0x52, 0xcc, 0xc6, 0x16, 0xb1, 0x55, 0x8b,
0xb4, 0xe2, 0x36, 0xe6, 0xa3, 0x36, 0x2e, 0xa7, 0x72, 0xe1, 0x0c, 0x69, 0x74, 0x07, 0x46, 0x5d,
0x6d, 0x7c, 0xfd, 0xc4, 0x42, 0xfb, 0xe5, 0x70, 0x23, 0x20, 0xe1, 0x30, 0x1f, 0x9b, 0x9a, 0xb1,
0x6b, 0x13, 0xeb, 0x90, 0xb4, 0xb2, 0x17, 0x78, 0x33, 0xc1, 0x81, 0x53, 0xa4, 0xd8, 0xd4, 0xdc,
0x08, 0x4c, 0x4c, 0x6d, 0x38, 0x3a, 0xb5, 0x9d, 0x54, 0x2e, 0x9c, 0x21, 0xcd, 0xe2, 0xd8, 0x35,
0x79, 0xf1, 0x50, 0x51, 0x35, 0x65, 0x57, 0x23, 0xe5, 0x62, 0x34, 0x8e, 0x37, 0xa2, 0x64, 0x1c,
0xe7, 0x47, 0x0f, 0x61, 0xca, 0x1d, 0xda, 0xd1, 0x15, 0x1f, 0xa4, 0xc4, 0x41, 0x7e, 0x26, 0x40,
0xa6, 0x36, 0xe2, 0x0c, 0x38, 0x29, 0x83, 0xde, 0x85, 0xf1, 0xa6, 0xa1, 0x69, 0x3c, 0x1e, 0x97,
0x0c, 0x47, 0xa7, 0xe5, 0x11, 0x8e, 0x82, 0xd8, 0x7e, 0x5c, 0x8a, 0x50, 0x70, 0x8c, 0x13, 0x11,
0x80, 0xa6, 0x57, 0x70, 0xec, 0x32, 0xf4, 0xd5, 0x6b, 0x24, 0x8b, 0x5e, 0xd0, 0x03, 0xf8, 0x43,
0x36, 0x0e, 0x01, 0xcb, 0xff, 0x22, 0xc1, 0x5c, 0x46, 0xea, 0x40, 0xef, 0x47, 0x4a, 0xec, 0x2f,
0xc7, 0x4a, 0xec, 0xa5, 0x0c, 0xb1, 0x50, 0x9d, 0xd5, 0x61, 0xcc, 0x62, 0xb3, 0xd2, 0xdb, 0x2e,
0x8b, 0xc8, 0x91, 0x77, 0x7a, 0x4c, 0x03, 0x87, 0x65, 0x82, 0x9c, 0x3f, 0x75, 0x72, 0x5c, 0x19,
0x8b, 0xd0, 0x70, 0x14, 0x5e, 0xfe, 0x8b, 0x1c, 0xc0, 0x32, 0x31, 0x35, 0xa3, 0xdb, 0x21, 0xfa,
0x79, 0xf4, 0x50, 0x9b, 0x91, 0x1e, 0xea, 0x66, 0xaf, 0xe5, 0xf1, 0x4d, 0xcb, 0x6c, 0xa2, 0x7e,
0x3d, 0xd6, 0x44, 0xd5, 0xfa, 0x87, 0x3c, 0xbd, 0x8b, 0xfa, 0xb7, 0x3c, 0x4c, 0x07, 0xcc, 0x41,
0x1b, 0x75, 0x3f, 0xb2, 0xc6, 0xbf, 0x14, 0x5b, 0xe3, 0xb9, 0x14, 0x91, 0x57, 0xd6, 0x47, 0xbd,
0xfc, 0x7e, 0x06, 0x3d, 0x83, 0x71, 0xd6, 0x38, 0xb9, 0xe1, 0xc1, 0xdb, 0xb2, 0xe1, 0x81, 0xdb,
0x32, 0xbf, 0x80, 0xae, 0x45, 0x90, 0x70, 0x0c, 0x39, 0xa3, 0x0d, 0x2c, 0xbe, 0xea, 0x36, 0x50,
0xfe, 0x5a, 0x82, 0xf1, 0x60, 0x99, 0xce, 0xa1, 0x69, 0xdb, 0x88, 0x36, 0x6d, 0xd7, 0xfb, 0x0e,
0xd1, 0x8c, 0xae, 0xed, 0xbf, 0x58, 0x83, 0xef, 0x33, 0xb1, 0x0d, 0xbe, 0xab, 0x34, 0x0f, 0xfa,
0xf8, 0xfc, 0xfb, 0x42, 0x02, 0x24, 0xaa, 0xc0, 0xa2, 0xae, 0x1b, 0x54, 0x71, 0x73, 0xa5, 0x6b,
0xd6, 0x6a, 0xdf, 0x66, 0x79, 0x1a, 0xab, 0x3b, 0x09, 0xac, 0x07, 0x3a, 0xb5, 0xba, 0xc1, 0x8a,
0x24, 0x19, 0x70, 0x8a, 0x01, 0x48, 0x01, 0xb0, 0x04, 0xe6, 0xb6, 0x21, 0x36, 0xf2, 0xcd, 0x3e,
0x72, 0x1e, 0x13, 0x58, 0x32, 0xf4, 0x3d, 0xb5, 0x1d, 0xa4, 0x1d, 0xec, 0x03, 0xe1, 0x10, 0xe8,
0xfc, 0x03, 0x98, 0xcb, 0xb0, 0x16, 0x4d, 0x42, 0xfe, 0x80, 0x74, 0x5d, 0xb7, 0x61, 0xf6, 0x27,
0x9a, 0x09, 0x7f, 0x26, 0x8f, 0x88, 0x2f, 0xdc, 0x77, 0x73, 0xf7, 0x24, 0xf9, 0xab, 0xa1, 0x70,
0xec, 0xf0, 0x8e, 0xf9, 0x1a, 0x94, 0x2c, 0x62, 0x6a, 0x6a, 0x53, 0xb1, 0x45, 0x23, 0x74, 0xd1,
0x3d, 0xd2, 0x70, 0xc7, 0xb0, 0x4f, 0x8d, 0xf4, 0xd6, 0xb9, 0x57, 0xdb, 0x5b, 0xe7, 0x5f, 0x4e,
0x6f, 0xfd, 0x5b, 0x50, 0xb2, 0xbd, 0xae, 0xba, 0xc0, 0x21, 0x6f, 0x0d, 0x90, 0x5f, 0x45, 0x43,
0xed, 0x2b, 0xf0, 0x5b, 0x69, 0x1f, 0x34, 0xad, 0x89, 0x1e, 0x1a, 0xb0, 0x89, 0x7e, 0xa9, 0x8d,
0x2f, 0xcb, 0xa9, 0xa6, 0xe2, 0xd8, 0xa4, 0xc5, 0x13, 0x51, 0x29, 0xc8, 0xa9, 0x5b, 0x7c, 0x14,
0x0b, 0x2a, 0x7a, 0x1a, 0x09, 0xd9, 0xd2, 0x59, 0x42, 0x76, 0x3c, 0x3b, 0x5c, 0xd1, 0x0e, 0xcc,
0x99, 0x96, 0xd1, 0xb6, 0x88, 0x6d, 0x2f, 0x13, 0xa5, 0xa5, 0xa9, 0x3a, 0xf1, 0xfc, 0xe3, 0x76,
0x44, 0x97, 0x4e, 0x8e, 0x2b, 0x73, 0x5b, 0xe9, 0x2c, 0x38, 0x4b, 0x56, 0x7e, 0x5e, 0x80, 0xc9,
0x78, 0x05, 0xcc, 0x68, 0x52, 0xa5, 0x33, 0x35, 0xa9, 0x37, 0x42, 0x9b, 0xc1, 0xed, 0xe0, 0x43,
0x67, 0x7c, 0x89, 0x0d, 0xb1, 0x08, 0x13, 0x22, 0x1b, 0x78, 0x44, 0xd1, 0xa6, 0xfb, 0xab, 0xbf,
0x13, 0x25, 0xe3, 0x38, 0x3f, 0x6b, 0x3d, 0x83, 0x8e, 0xd2, 0x03, 0x29, 0x44, 0x5b, 0xcf, 0xc5,
0x38, 0x03, 0x4e, 0xca, 0xa0, 0x75, 0x98, 0x76, 0xf4, 0x24, 0x94, 0x1b, 0x8d, 0x97, 0x04, 0xd4,
0xf4, 0x4e, 0x92, 0x05, 0xa7, 0xc9, 0xa1, 0xbd, 0x48, 0x37, 0x3a, 0xcc, 0x33, 0xec, 0xed, 0xbe,
0xf7, 0x4e, 0xdf, 0xed, 0x28, 0xba, 0x0f, 0x63, 0x16, 0xff, 0xee, 0xf0, 0x0c, 0x76, 0x7b, 0xf7,
0xd7, 0x84, 0xd8, 0x18, 0x0e, 0x13, 0x71, 0x94, 0x37, 0xa5, 0xdd, 0x2e, 0xf5, 0xdb, 0x6e, 0xcb,
0xff, 0x24, 0x85, 0x8b, 0x90, 0xdf, 0x02, 0xf7, 0x3a, 0x65, 0x4a, 0x48, 0x84, 0xba, 0x23, 0x23,
0xbd, 0xfb, 0xbd, 0x3b, 0x50, 0xf7, 0x1b, 0x14, 0xcf, 0xde, 0xed, 0xef, 0x97, 0x12, 0xcc, 0xae,
0x34, 0x1e, 0x5a, 0x86, 0x63, 0x7a, 0xe6, 0x6c, 0x9a, 0xae, 0x5f, 0x7f, 0x01, 0x05, 0xcb, 0xd1,
0xbc, 0x79, 0xbc, 0xe1, 0xcd, 0x03, 0x3b, 0x1a, 0x9b, 0xc7, 0x74, 0x4c, 0xca, 0x9d, 0x04, 0x13,
0x40, 0x1b, 0x30, 0x6c, 0x29, 0x7a, 0x9b, 0x78, 0x65, 0xf5, 0x6a, 0x0f, 0xeb, 0x57, 0x97, 0x31,
0x63, 0x0f, 0x35, 0x6f, 0x5c, 0x1a, 0x0b, 0x14, 0xf9, 0x8f, 0x24, 0x98, 0x78, 0xb4, 0xbd, 0xbd,
0xb5, 0xaa, 0xf3, 0x1d, 0xcd, 0x4f, 0xdf, 0xaf, 0x40, 0xc1, 0x54, 0xe8, 0x7e, 0xbc, 0xd2, 0x33,
0x1a, 0xe6, 0x14, 0xf4, 0x11, 0x14, 0x59, 0x26, 0x21, 0x7a, 0xab, 0xcf, 0x56, 0x5b, 0xc0, 0xd7,
0x5d, 0xa1, 0xa0, 0x43, 0x14, 0x03, 0xd8, 0x83, 0x93, 0x0f, 0x60, 0x26, 0x64, 0x0e, 0xf3, 0x07,
0x3f, 0x06, 0x46, 0x0d, 0x18, 0x62, 0x9a, 0xbd, 0x53, 0xde, 0x5e, 0x87, 0x99, 0xb1, 0x29, 0x05,
0x9d, 0x0e, 0xfb, 0x65, 0x63, 0x17, 0x4b, 0x5e, 0x87, 0x31, 0x7e, 0xe5, 0x60, 0x58, 0x94, 0xbb,
0x05, 0x5d, 0x86, 0x7c, 0x47, 0xd5, 0x45, 0x9d, 0x1d, 0x15, 0x32, 0x79, 0x56, 0x23, 0xd8, 0x38,
0x27, 0x2b, 0x47, 0x22, 0xf3, 0x04, 0x64, 0xe5, 0x08, 0xb3, 0x71, 0xf9, 0x21, 0x14, 0x85, 0xbb,
0xc3, 0x40, 0xf9, 0xd3, 0x81, 0xf2, 0x29, 0x40, 0x9b, 0x50, 0x5c, 0xdd, 0xaa, 0x6b, 0x86, 0xdb,
0x75, 0x35, 0xd5, 0x96, 0x15, 0x5f, 0x8b, 0xa5, 0xd5, 0x65, 0x8c, 0x39, 0x05, 0xc9, 0x30, 0x4c,
0x8e, 0x9a, 0xc4, 0xa4, 0x3c, 0x22, 0x46, 0xea, 0xc0, 0x56, 0xf9, 0x01, 0x1f, 0xc1, 0x82, 0x22,
0xff, 0x71, 0x0e, 0x8a, 0xc2, 0x1d, 0xe7, 0xf0, 0x15, 0xb6, 0x16, 0xf9, 0x0a, 0x7b, 0xb3, 0xbf,
0xd0, 0xc8, 0xfc, 0x04, 0xdb, 0x8e, 0x7d, 0x82, 0xdd, 0xe8, 0x13, 0xef, 0xf4, 0xef, 0xaf, 0xbf,
0x97, 0x60, 0x3c, 0x1a, 0x94, 0xe8, 0x0e, 0x8c, 0xb2, 0x82, 0xa3, 0x36, 0xc9, 0x46, 0xd0, 0xe7,
0xfa, 0x87, 0x30, 0x8d, 0x80, 0x84, 0xc3, 0x7c, 0xa8, 0xed, 0x8b, 0xb1, 0x38, 0x12, 0x93, 0xce,
0x76, 0xa9, 0x43, 0x55, 0xad, 0xea, 0x5e, 0xa3, 0x55, 0x57, 0x75, 0xba, 0x69, 0x35, 0xa8, 0xa5,
0xea, 0xed, 0x84, 0x22, 0x1e, 0x94, 0x61, 0x64, 0xf9, 0x1f, 0x25, 0x18, 0x15, 0x26, 0x9f, 0xc3,
0x57, 0xc5, 0xaf, 0x45, 0xbf, 0x2a, 0xae, 0xf6, 0xb9, 0xc1, 0xd3, 0x3f, 0x29, 0xfe, 0x3a, 0x30,
0x9d, 0x6d, 0x69, 0x16, 0xd5, 0xfb, 0x86, 0x4d, 0xe3, 0x51, 0xcd, 0x36, 0x23, 0xe6, 0x14, 0xe4,
0xc0, 0xa4, 0x1a, 0xcb, 0x01, 0xc2, 0xb5, 0xb5, 0xfe, 0x2c, 0xf1, 0xc5, 0xea, 0x65, 0x01, 0x3f,
0x19, 0xa7, 0xe0, 0x84, 0x0a, 0x99, 0x40, 0x82, 0x0b, 0x3d, 0x86, 0xc2, 0x3e, 0xa5, 0x66, 0xca,
0x79, 0x75, 0x8f, 0xcc, 0x13, 0x98, 0x50, 0xe2, 0xb3, 0xdb, 0xde, 0xde, 0xc2, 0x1c, 0x4a, 0xfe,
0xef, 0xc0, 0x1f, 0x0d, 0x37, 0xc6, 0xfd, 0x7c, 0x2a, 0x9d, 0x25, 0x9f, 0x8e, 0xa6, 0xe5, 0x52,
0xf4, 0x08, 0xf2, 0x54, 0xeb, 0xf7, 0xb3, 0x50, 0x20, 0x6e, 0xaf, 0x35, 0x82, 0x84, 0xb4, 0xbd,
0xd6, 0xc0, 0x0c, 0x02, 0x6d, 0xc2, 0x10, 0xab, 0x3e, 0x6c, 0x0b, 0xe6, 0xfb, 0xdf, 0xd2, 0x6c,
0xfe, 0x41, 0x40, 0xb0, 0x5f, 0x36, 0x76, 0x71, 0xe4, 0xcf, 0x60, 0x2c, 0xb2, 0x4f, 0xd1, 0xa7,
0x70, 0x51, 0x33, 0x94, 0x56, 0x5d, 0xd1, 0x14, 0xbd, 0x49, 0xbc, 0xcb, 0x81, 0xab, 0x69, 0x5f,
0x18, 0x6b, 0x21, 0x3e, 0xb1, 0xcb, 0xfd, 0xeb, 0xd4, 0x30, 0x0d, 0x47, 0x10, 0x65, 0x05, 0x20,
0x98, 0x23, 0xaa, 0xc0, 0x10, 0x8b, 0x33, 0xb7, 0x9e, 0x8c, 0xd4, 0x47, 0x98, 0x85, 0x2c, 0xfc,
0x6c, 0xec, 0x8e, 0xa3, 0xdb, 0x00, 0x36, 0x69, 0x5a, 0x84, 0xf2, 0x64, 0x90, 0x8b, 0x5e, 0x41,
0x37, 0x7c, 0x0a, 0x0e, 0x71, 0xc9, 0xff, 0x2c, 0xc1, 0xd8, 0x06, 0xa1, 0x9f, 0x1b, 0xd6, 0xc1,
0x16, 0x7f, 0x3a, 0x70, 0x0e, 0xc9, 0x16, 0x47, 0x92, 0xed, 0x5b, 0x3d, 0x56, 0x26, 0x62, 0x5d,
0x56, 0xca, 0x95, 0xbf, 0x96, 0x60, 0x2e, 0xc2, 0xf9, 0x20, 0xd8, 0xba, 0x3b, 0x30, 0x64, 0x1a,
0x16, 0xf5, 0x0a, 0xf1, 0x40, 0x0a, 0x59, 0x1a, 0x0b, 0x95, 0x62, 0x06, 0x83, 0x5d, 0x34, 0xb4,
0x06, 0x39, 0x6a, 0x88, 0x50, 0x1d, 0x0c, 0x93, 0x10, 0xab, 0x0e, 0x02, 0x33, 0xb7, 0x6d, 0xe0,
0x1c, 0x35, 0xd8, 0x42, 0x94, 0x23, 0x5c, 0xe1, 0xe4, 0xf3, 0x8a, 0x66, 0x80, 0xa1, 0xb0, 0x67,
0x19, 0x9d, 0x33, 0xcf, 0xc1, 0x5f, 0x88, 0x15, 0xcb, 0xe8, 0x60, 0x8e, 0x25, 0x7f, 0x23, 0xc1,
0x54, 0x84, 0xf3, 0x1c, 0x12, 0xff, 0xe3, 0x68, 0xe2, 0xbf, 0x31, 0xc8, 0x44, 0x32, 0xd2, 0xff,
0x37, 0xb9, 0xd8, 0x34, 0xd8, 0x84, 0xd1, 0x1e, 0x8c, 0x9a, 0x46, 0xab, 0xf1, 0x12, 0xae, 0x03,
0x27, 0x58, 0xdd, 0xdc, 0x0a, 0xb0, 0x70, 0x18, 0x18, 0x1d, 0xc1, 0x94, 0xae, 0x74, 0x88, 0x6d,
0x2a, 0x4d, 0xd2, 0x78, 0x09, 0x07, 0x24, 0xaf, 0xf1, 0xfb, 0x86, 0x38, 0x22, 0x4e, 0x2a, 0x41,
0xeb, 0x50, 0x54, 0x4d, 0xde, 0xc7, 0x89, 0xde, 0xa5, 0x67, 0x15, 0x75, 0xbb, 0x3e, 0x37, 0x9f,
0x8b, 0x1f, 0xd8, 0xc3, 0x90, 0xff, 0x26, 0x1e, 0x0d, 0x2c, 0xfe, 0xd0, 0x43, 0x28, 0xf1, 0x47,
0x38, 0x4d, 0x43, 0xf3, 0x6e, 0x06, 0xd8, 0xca, 0x6e, 0x89, 0xb1, 0x17, 0xc7, 0x95, 0x4b, 0x29,
0x87, 0xbe, 0x1e, 0x19, 0xfb, 0xc2, 0x68, 0x03, 0x0a, 0xe6, 0x4f, 0xe9, 0x60, 0x78, 0x91, 0xe3,
0x6d, 0x0b, 0xc7, 0x91, 0x7f, 0x2f, 0x1f, 0x33, 0x97, 0x97, 0xba, 0x67, 0x2f, 0x6d, 0xd5, 0xfd,
0x8e, 0x29, 0x73, 0xe5, 0x77, 0xa1, 0x28, 0x2a, 0xbc, 0x08, 0xe6, 0x5f, 0x0c, 0x12, 0xcc, 0xe1,
0x2a, 0xe6, 0x7f, 0xb0, 0x78, 0x83, 0x1e, 0x30, 0xfa, 0x04, 0x86, 0x89, 0xab, 0xc2, 0xad, 0x8d,
0x77, 0x07, 0x51, 0x11, 0xe4, 0xd5, 0xa0, 0x51, 0x15, 0x63, 0x02, 0x15, 0xbd, 0xcf, 0xfc, 0xc5,
0x78, 0xd9, 0x47, 0xa0, 0x5d, 0x2e, 0xf0, 0x72, 0x75, 0xd9, 0x9d, 0xb6, 0x3f, 0xfc, 0xe2, 0xb8,
0x02, 0xc1, 0x4f, 0x1c, 0x96, 0x90, 0xff, 0x55, 0x82, 0x29, 0xee, 0xa1, 0xa6, 0x63, 0xa9, 0xb4,
0x7b, 0x6e, 0x85, 0xe9, 0x49, 0xa4, 0x30, 0xbd, 0xd3, 0xc3, 0x2d, 0x09, 0x0b, 0x33, 0x8b, 0xd3,
0xb7, 0x12, 0xbc, 0x96, 0xe0, 0x3e, 0x87, 0xbc, 0xb8, 0x13, 0xcd, 0x8b, 0x6f, 0x0d, 0x3a, 0xa1,
0xac, 0xd6, 0x78, 0x3c, 0x65, 0x3a, 0x7c, 0xa7, 0xdc, 0x06, 0x30, 0x2d, 0xf5, 0x50, 0xd5, 0x48,
0x5b, 0x5c, 0x82, 0x97, 0x42, 0x8f, 0xe0, 0x7c, 0x0a, 0x0e, 0x71, 0x21, 0x1b, 0x66, 0x5b, 0x64,
0x4f, 0x71, 0x34, 0xba, 0xd8, 0x6a, 0x2d, 0x29, 0xa6, 0xb2, 0xab, 0x6a, 0x2a, 0x55, 0xc5, 0x71,
0xc1, 0x48, 0xfd, 0xbe, 0x7b, 0x39, 0x9d, 0xc6, 0xf1, 0xe2, 0xb8, 0x72, 0x39, 0xed, 0x76, 0xc8,
0x63, 0xe9, 0xe2, 0x0c, 0x68, 0xd4, 0x85, 0xb2, 0x45, 0x3e, 0x73, 0x54, 0x8b, 0xb4, 0x96, 0x2d,
0xc3, 0x8c, 0xa8, 0xcd, 0x73, 0xb5, 0xbf, 0x7a, 0x72, 0x5c, 0x29, 0xe3, 0x0c, 0x9e, 0xde, 0x8a,
0x33, 0xe1, 0xd1, 0x33, 0x98, 0x56, 0xdc, 0xb7, 0x83, 0x11, 0xad, 0xee, 0x2e, 0xb9, 0x77, 0x72,
0x5c, 0x99, 0x5e, 0x4c, 0x92, 0x7b, 0x2b, 0x4c, 0x03, 0x45, 0x35, 0x28, 0x1e, 0xf2, 0x97, 0x8d,
0x76, 0x79, 0x88, 0xe3, 0xb3, 0x42, 0x50, 0x74, 0x1f, 0x3b, 0x32, 0xcc, 0xe1, 0x95, 0x06, 0xdf,
0x7d, 0x1e, 0x17, 0xfb, 0xa0, 0x64, 0xbd, 0xa4, 0xd8, 0xf1, 0xfc, 0xc4, 0xb8, 0x14, 0x64, 0xad,
0x47, 0x01, 0x09, 0x87, 0xf9, 0xd0, 0x53, 0x18, 0xd9, 0x17, 0xa7, 0x12, 0x76, 0xb9, 0xd8, 0x57,
0x11, 0x8e, 0x9c, 0x62, 0xd4, 0xa7, 0x84, 0x8a, 0x11, 0x6f, 0xd8, 0xc6, 0x01, 0x22, 0xba, 0x0e,
0x45, 0xfe, 0x63, 0x75, 0x99, 0x1f, 0xc7, 0x95, 0x82, 0xdc, 0xf6, 0xc8, 0x1d, 0xc6, 0x1e, 0xdd,
0x63, 0x5d, 0xdd, 0x5a, 0xe2, 0xc7, 0xc2, 0x31, 0xd6, 0xd5, 0xad, 0x25, 0xec, 0xd1, 0xd1, 0xa7,
0x50, 0xb4, 0xc9, 0x9a, 0xaa, 0x3b, 0x47, 0x65, 0xe8, 0xeb, 0x52, 0xb9, 0xf1, 0x80, 0x73, 0xc7,
0x0e, 0xc6, 0x02, 0x0d, 0x82, 0x8e, 0x3d, 0x58, 0xb4, 0x0f, 0x23, 0x96, 0xa3, 0x2f, 0xda, 0x3b,
0x36, 0xb1, 0xca, 0xa3, 0x5c, 0x47, 0xaf, 0x74, 0x8e, 0x3d, 0xfe, 0xb8, 0x16, 0xdf, 0x43, 0x3e,
0x07, 0x0e, 0xc0, 0xd1, 0x1f, 0x4a, 0x80, 0x6c, 0xc7, 0x34, 0x35, 0xd2, 0x21, 0x3a, 0x55, 0x34,
0x7e, 0x16, 0x67, 0x97, 0x2f, 0x72, 0x9d, 0x1f, 0xf4, 0x9a, 0x57, 0x42, 0x30, 0xae, 0xdc, 0x3f,
0xf4, 0x4e, 0xb2, 0xe2, 0x14, 0xbd, 0xcc, 0xb5, 0x7b, 0x36, 0xff, 0xbb, 0x3c, 0xd6, 0x97, 0x6b,
0xd3, 0xcf, 0x1c, 0x03, 0xd7, 0x0a, 0x3a, 0xf6, 0x60, 0xd1, 0x13, 0x98, 0xf5, 0x1e, 0xc6, 0x62,
0xc3, 0xa0, 0x2b, 0xaa, 0x46, 0xec, 0xae, 0x4d, 0x49, 0xa7, 0x3c, 0xce, 0x97, 0xdd, 0x7f, 0xfb,
0x81, 0x53, 0xb9, 0x70, 0x86, 0x34, 0xea, 0x40, 0xc5, 0x4b, 0x19, 0x6c, 0x3f, 0xf9, 0x39, 0xeb,
0x81, 0xdd, 0x54, 0x34, 0xf7, 0x1e, 0x60, 0x82, 0x2b, 0x78, 0xe3, 0xe4, 0xb8, 0x52, 0x59, 0x3e,
0x9d, 0x15, 0xf7, 0xc2, 0x42, 0x1f, 0x41, 0x59, 0xc9, 0xd2, 0x33, 0xc9, 0xf5, 0xbc, 0xce, 0xf2,
0x50, 0xa6, 0x82, 0x4c, 0x69, 0x44, 0x61, 0x52, 0x89, 0x3e, 0x51, 0xb6, 0xcb, 0x53, 0x7d, 0x1d,
0x44, 0xc6, 0x5e, 0x36, 0x07, 0x87, 0x11, 0x31, 0x82, 0x8d, 0x13, 0x1a, 0xd0, 0x6f, 0x03, 0x52,
0xe2, 0xaf, 0xaa, 0xed, 0x32, 0xea, 0xab, 0xfc, 0x24, 0x9e, 0x63, 0x07, 0x61, 0x97, 0x20, 0xd9,
0x38, 0x45, 0x0f, 0x5a, 0x83, 0x19, 0x31, 0xba, 0xa3, 0xdb, 0xca, 0x1e, 0x69, 0x74, 0xed, 0x26,
0xd5, 0xec, 0xf2, 0x34, 0xcf, 0x7d, 0xfc, 0xe2, 0x6b, 0x31, 0x85, 0x8e, 0x53, 0xa5, 0xd0, 0x07,
0x30, 0xb9, 0x67, 0x58, 0xbb, 0x6a, 0xab, 0x45, 0x74, 0x0f, 0x69, 0x86, 0x23, 0xcd, 0x30, 0x6f,
0xac, 0xc4, 0x68, 0x38, 0xc1, 0xcd, 0x1f, 0x93, 0x88, 0xab, 0x85, 0xf3, 0x79, 0x90, 0x3b, 0xd8,
0x63, 0x92, 0xc0, 0xb4, 0x97, 0xf6, 0x98, 0x24, 0x04, 0x79, 0xfa, 0x61, 0xe6, 0x7f, 0xe6, 0x60,
0x3a, 0x60, 0xee, 0xfb, 0x31, 0x49, 0x8a, 0xc8, 0xff, 0x3f, 0xca, 0xed, 0xfd, 0x28, 0xf7, 0x6b,
0x09, 0xc6, 0x03, 0xd7, 0xfd, 0xef, 0x7b, 0xe0, 0x11, 0xd8, 0x96, 0xd1, 0x72, 0xfe, 0x5d, 0x2e,
0x3c, 0x81, 0xff, 0xf3, 0xaf, 0x0c, 0x7e, 0xfa, 0x4b, 0x5a, 0xf9, 0xdb, 0x3c, 0x4c, 0xc6, 0x77,
0x63, 0xe4, 0x32, 0x5a, 0xea, 0x79, 0x19, 0xbd, 0x05, 0x33, 0x7b, 0x8e, 0xa6, 0x75, 0xb9, 0x1b,
0x42, 0x37, 0xd2, 0xee, 0x65, 0xd2, 0xeb, 0x42, 0x72, 0x66, 0x25, 0x85, 0x07, 0xa7, 0x4a, 0x66,
0x5c, 0xac, 0xe7, 0xcf, 0x74, 0xb1, 0x9e, 0xb8, 0xe7, 0x2d, 0x0c, 0x70, 0xcf, 0x9b, 0x7a, 0x49,
0x3e, 0x74, 0x86, 0x4b, 0xf2, 0xb3, 0xdc, 0x6a, 0xa7, 0x24, 0xb1, 0x9e, 0x8f, 0x2c, 0x5f, 0x87,
0x79, 0x21, 0x46, 0xf9, 0x85, 0xb3, 0x4e, 0x2d, 0x43, 0xd3, 0x88, 0xb5, 0xec, 0x74, 0x3a, 0x5d,
0xf9, 0x3d, 0x18, 0x8f, 0x3e, 0xa5, 0x70, 0x57, 0xda, 0x7d, 0xcd, 0x21, 0xae, 0xf4, 0x42, 0x2b,
0xed, 0x8e, 0x63, 0x9f, 0x43, 0xfe, 0x7d, 0x09, 0x66, 0xd3, 0x9f, 0x4c, 0x22, 0x0d, 0xc6, 0x3b,
0xca, 0x51, 0xf8, 0x19, 0xab, 0x74, 0xc6, 0xc3, 0x16, 0x7e, 0x87, 0xbe, 0x1e, 0xc1, 0xc2, 0x31,
0x6c, 0xf9, 0x47, 0x09, 0xe6, 0x32, 0x6e, 0xaf, 0xcf, 0xd7, 0x12, 0xf4, 0x31, 0x94, 0x3a, 0xca,
0x51, 0xc3, 0xb1, 0xda, 0xe4, 0xcc, 0xc7, 0x4b, 0x3c, 0x63, 0xac, 0x0b, 0x14, 0xec, 0xe3, 0xc9,
0x5f, 0x4a, 0x50, 0xce, 0x6a, 0xf4, 0xd1, 0x9d, 0xc8, 0x3d, 0xfb, 0xcf, 0x63, 0xf7, 0xec, 0x53,
0x09, 0xb9, 0x57, 0x74, 0xcb, 0xfe, 0xb7, 0x12, 0xcc, 0xa6, 0x7f, 0xf0, 0xa0, 0xb7, 0x23, 0x16,
0x56, 0x62, 0x16, 0x4e, 0xc4, 0xa4, 0x84, 0x7d, 0x9f, 0xc0, 0xb8, 0xf8, 0x2c, 0x12, 0x30, 0xc2,
0xab, 0x72, 0x5a, 0xae, 0x14, 0x10, 0xde, 0x67, 0x00, 0x5f, 0xaf, 0xe8, 0x18, 0x8e, 0xa1, 0xc9,
0x7f, 0x90, 0x83, 0xa1, 0x46, 0x53, 0xd1, 0xc8, 0x39, 0xb4, 0x59, 0x1f, 0x46, 0xda, 0xac, 0x5e,
0xff, 0x72, 0xc2, 0xad, 0xca, 0xec, 0xb0, 0x70, 0xac, 0xc3, 0x7a, 0xb3, 0x2f, 0xb4, 0xd3, 0x9b,
0xab, 0x5f, 0x81, 0x11, 0x5f, 0xe9, 0x60, 0x39, 0x5f, 0xfe, 0xab, 0x1c, 0x8c, 0x86, 0x54, 0x0c,
0x58, 0x31, 0xf6, 0x22, 0x95, 0xb6, 0x9f, 0x7f, 0xf4, 0x0b, 0xe9, 0xaa, 0x7a, 0xb5, 0xd5, 0x7d,
0x32, 0x19, 0x3c, 0x92, 0x4b, 0x96, 0xdc, 0xf7, 0x60, 0x9c, 0xf2, 0x7f, 0x84, 0xf3, 0x0f, 0x65,
0xf3, 0x3c, 0x16, 0xfd, 0x87, 0xb6, 0xdb, 0x11, 0x2a, 0x8e, 0x71, 0xcf, 0xdf, 0x87, 0xb1, 0x88,
0xb2, 0x81, 0x5e, 0x3c, 0xfe, 0x83, 0x04, 0x3f, 0xef, 0xf9, 0xc9, 0x8c, 0xea, 0x91, 0x4d, 0x52,
0x8d, 0x6d, 0x92, 0x85, 0x6c, 0x80, 0x57, 0xf7, 0x72, 0xa6, 0x7e, 0xf3, 0xf9, 0x0f, 0x0b, 0x17,
0xbe, 0xfb, 0x61, 0xe1, 0xc2, 0xf7, 0x3f, 0x2c, 0x5c, 0xf8, 0xdd, 0x93, 0x05, 0xe9, 0xf9, 0xc9,
0x82, 0xf4, 0xdd, 0xc9, 0x82, 0xf4, 0xfd, 0xc9, 0x82, 0xf4, 0xef, 0x27, 0x0b, 0xd2, 0x9f, 0xfc,
0xb8, 0x70, 0xe1, 0xe3, 0xa2, 0x80, 0xfb, 0x9f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x7b, 0xc2, 0x4a,
0x40, 0x12, 0x3d, 0x00, 0x00,
}

21
staging/src/k8s.io/api/extensions/v1beta1/generated.proto
View File

@ -882,6 +882,27 @@ message PodSecurityPolicySpec {
// is allowed in the "volumes" field.
// +optional
repeated AllowedFlexVolume allowedFlexVolumes = 18;
// allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
repeated string allowedUnsafeSysctls = 19;
// forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
repeated string forbiddenSysctls = 20;
}
// DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1beta2/ReplicaSet. See the release notes for

19
staging/src/k8s.io/api/extensions/v1beta1/types.go
View File

@ -946,6 +946,25 @@ type PodSecurityPolicySpec struct {
// is allowed in the "volumes" field.
// +optional
AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
// allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,19,rep,name=allowedUnsafeSysctls"`
// forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy

2
staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go generated
View File

@ -479,6 +479,8 @@ var map_PodSecurityPolicySpec = map[string]string{
"allowPrivilegeEscalation": "allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.",
"allowedHostPaths": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.",
"allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.",
"allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
}
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {

10
staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go generated
View File

@ -1204,6 +1204,16 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
*out = make([]AllowedFlexVolume, len(*in))
copy(*out, *in)
}
if in.AllowedUnsafeSysctls != nil {
in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.ForbiddenSysctls != nil {
in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}

315
staging/src/k8s.io/api/policy/v1beta1/generated.pb.go generated
View File

@ -802,6 +802,40 @@ func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) {
i += n
}
}
if len(m.AllowedUnsafeSysctls) > 0 {
for _, s := range m.AllowedUnsafeSysctls {
dAtA[i] = 0x9a
i++
dAtA[i] = 0x1
i++
l = len(s)
for l >= 1<<7 {
dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
l >>= 7
i++
}
dAtA[i] = uint8(l)
i++
i += copy(dAtA[i:], s)
}
}
if len(m.ForbiddenSysctls) > 0 {
for _, s := range m.ForbiddenSysctls {
dAtA[i] = 0xa2
i++
dAtA[i] = 0x1
i++
l = len(s)
for l >= 1<<7 {
dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
l >>= 7
i++
}
dAtA[i] = uint8(l)
i++
i += copy(dAtA[i:], s)
}
}
return i, nil
}
@ -1143,6 +1177,18 @@ func (m *PodSecurityPolicySpec) Size() (n int) {
n += 2 + l + sovGenerated(uint64(l))
}
}
if len(m.AllowedUnsafeSysctls) > 0 {
for _, s := range m.AllowedUnsafeSysctls {
l = len(s)
n += 2 + l + sovGenerated(uint64(l))
}
}
if len(m.ForbiddenSysctls) > 0 {
for _, s := range m.ForbiddenSysctls {
l = len(s)
n += 2 + l + sovGenerated(uint64(l))
}
}
return n
}
@ -1369,6 +1415,8 @@ func (this *PodSecurityPolicySpec) String() string {
`AllowPrivilegeEscalation:` + valueToStringGenerated(this.AllowPrivilegeEscalation) + `,`,
`AllowedHostPaths:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedHostPaths), "AllowedHostPath", "AllowedHostPath", 1), `&`, ``, 1) + `,`,
`AllowedFlexVolumes:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedFlexVolumes), "AllowedFlexVolume", "AllowedFlexVolume", 1), `&`, ``, 1) + `,`,
`AllowedUnsafeSysctls:` + fmt.Sprintf("%v", this.AllowedUnsafeSysctls) + `,`,
`ForbiddenSysctls:` + fmt.Sprintf("%v", this.ForbiddenSysctls) + `,`,
`}`,
}, "")
return s
@ -3378,6 +3426,64 @@ func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error {
return err
}
iNdEx = postIndex
case 19:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field AllowedUnsafeSysctls", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.AllowedUnsafeSysctls = append(m.AllowedUnsafeSysctls, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
case 20:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field ForbiddenSysctls", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.ForbiddenSysctls = append(m.ForbiddenSysctls, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@ -3841,107 +3947,110 @@ func init() {
}
var fileDescriptorGenerated = []byte{
// 1624 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x58, 0x5f, 0x6f, 0x1b, 0x4b,
0x15, 0xcf, 0xc6, 0x49, 0xec, 0x4c, 0x9c, 0x7f, 0x13, 0x12, 0xf6, 0x46, 0xd4, 0xbe, 0xd7, 0x57,
0x42, 0xe1, 0xaa, 0x5d, 0x37, 0x69, 0x0b, 0x11, 0x05, 0x44, 0x36, 0xce, 0xbf, 0xaa, 0x21, 0x66,
0xdc, 0x56, 0x80, 0x0a, 0x62, 0xec, 0x9d, 0xd8, 0xd3, 0xac, 0x77, 0x97, 0x99, 0x59, 0xd7, 0x7e,
0xe3, 0x81, 0x07, 0x1e, 0xf9, 0x02, 0x7c, 0x02, 0xc4, 0x13, 0x5f, 0x22, 0x48, 0x08, 0xf5, 0xb1,
0xe2, 0xc1, 0xa2, 0x46, 0x7c, 0x89, 0x3e, 0x5d, 0xed, 0x78, 0xd6, 0xf6, 0xee, 0xda, 0x4e, 0x53,
0xa9, 0x7d, 0xf3, 0xce, 0xf9, 0xfd, 0x7e, 0xe7, 0xcc, 0x99, 0x99, 0x33, 0x67, 0x0c, 0xcc, 0xab,
0x7d, 0x6e, 0x50, 0xb7, 0x78, 0xe5, 0x57, 0x09, 0x73, 0x88, 0x20, 0xbc, 0xd8, 0x22, 0x8e, 0xe5,
0xb2, 0xa2, 0x32, 0x60, 0x8f, 0x16, 0x3d, 0xd7, 0xa6, 0xb5, 0x4e, 0xb1, 0xb5, 0x5b, 0x25, 0x02,
0xef, 0x16, 0xeb, 0xc4, 0x21, 0x0c, 0x0b, 0x62, 0x19, 0x1e, 0x73, 0x85, 0x0b, 0xbf, 0xe8, 0x43,
0x0d, 0xec, 0x51, 0xa3, 0x0f, 0x35, 0x14, 0x74, 0xfb, 0x5e, 0x9d, 0x8a, 0x86, 0x5f, 0x35, 0x6a,
0x6e, 0xb3, 0x58, 0x77, 0xeb, 0x6e, 0x51, 0x32, 0xaa, 0xfe, 0xa5, 0xfc, 0x92, 0x1f, 0xf2, 0x57,
0x5f, 0x69, 0xbb, 0x30, 0xe2, 0xb4, 0xe6, 0x32, 0x52, 0x6c, 0x25, 0xbc, 0x6d, 0x3f, 0x1c, 0x62,
0x9a, 0xb8, 0xd6, 0xa0, 0x0e, 0x61, 0x9d, 0xa2, 0x77, 0x55, 0x0f, 0x06, 0x78, 0xb1, 0x49, 0x04,
0x1e, 0xc7, 0x2a, 0x4e, 0x62, 0x31, 0xdf, 0x11, 0xb4, 0x49, 0x12, 0x84, 0x1f, 0xde, 0x44, 0xe0,
0xb5, 0x06, 0x69, 0xe2, 0x04, 0xef, 0xc1, 0x24, 0x9e, 0x2f, 0xa8, 0x5d, 0xa4, 0x8e, 0xe0, 0x82,
0xc5, 0x49, 0x85, 0xc7, 0x60, 0xfd, 0xc0, 0xb6, 0xdd, 0xd7, 0xc4, 0x3a, 0xb6, 0x49, 0xfb, 0x85,
0x6b, 0xfb, 0x4d, 0x02, 0xbf, 0x0f, 0x16, 0x2c, 0x46, 0x5b, 0x84, 0xe9, 0xda, 0x97, 0xda, 0xce,
0xa2, 0xb9, 0x72, 0xdd, 0xcd, 0xcf, 0xf4, 0xba, 0xf9, 0x85, 0x92, 0x1c, 0x45, 0xca, 0x5a, 0xe0,
0x60, 0x55, 0x91, 0x4f, 0x5d, 0x2e, 0xca, 0x58, 0x34, 0xe0, 0x1e, 0x00, 0x1e, 0x16, 0x8d, 0x32,
0x23, 0x97, 0xb4, 0xad, 0xe8, 0x50, 0xd1, 0x41, 0x79, 0x60, 0x41, 0x23, 0x28, 0x78, 0x17, 0x64,
0x18, 0xc1, 0xd6, 0x85, 0x63, 0x77, 0xf4, 0xd9, 0x2f, 0xb5, 0x9d, 0x8c, 0xb9, 0xa6, 0x18, 0x19,
0xa4, 0xc6, 0xd1, 0x00, 0x51, 0xf8, 0x8f, 0x06, 0x32, 0x47, 0x2d, 0x5a, 0x13, 0xd4, 0x75, 0xe0,
0xef, 0x41, 0x26, 0xc8, 0xbb, 0x85, 0x05, 0x96, 0xce, 0x96, 0xf6, 0xee, 0x1b, 0xc3, 0x3d, 0x31,
0x48, 0x83, 0xe1, 0x5d, 0xd5, 0x83, 0x01, 0x6e, 0x04, 0x68, 0xa3, 0xb5, 0x6b, 0x5c, 0x54, 0x5f,
0x91, 0x9a, 0x38, 0x27, 0x02, 0x0f, 0xc3, 0x1b, 0x8e, 0xa1, 0x81, 0x2a, 0xb4, 0xc1, 0xb2, 0x45,
0x6c, 0x22, 0xc8, 0x85, 0x17, 0x78, 0xe4, 0x32, 0xc2, 0xa5, 0xbd, 0x07, 0x1f, 0xe6, 0xa6, 0x34,
0x4a, 0x35, 0xd7, 0x7b, 0xdd, 0xfc, 0x72, 0x64, 0x08, 0x45, 0xc5, 0x0b, 0x7f, 0xd5, 0xc0, 0xd6,
0x71, 0xe5, 0x84, 0xb9, 0xbe, 0x57, 0x11, 0xc1, 0x3a, 0xd5, 0x3b, 0xca, 0x04, 0x7f, 0x04, 0xe6,
0x98, 0x6f, 0x13, 0x95, 0xd3, 0xaf, 0x55, 0xd0, 0x73, 0xc8, 0xb7, 0xc9, 0xfb, 0x6e, 0x7e, 0x23,
0xc6, 0x7a, 0xd6, 0xf1, 0x08, 0x92, 0x04, 0xf8, 0x04, 0x2c, 0x30, 0xec, 0xd4, 0x49, 0x10, 0x7a,
0x6a, 0x67, 0x69, 0xaf, 0x60, 0x4c, 0x3c, 0x35, 0xc6, 0x59, 0x09, 0x05, 0xd0, 0xe1, 0x8a, 0xcb,
0x4f, 0x8e, 0x94, 0x42, 0xe1, 0x1c, 0x2c, 0xcb, 0xa5, 0x76, 0x99, 0x90, 0x16, 0x78, 0x07, 0xa4,
0x9a, 0xd4, 0x91, 0x41, 0xcd, 0x9b, 0x4b, 0x8a, 0x95, 0x3a, 0xa7, 0x0e, 0x0a, 0xc6, 0xa5, 0x19,
0xb7, 0x65, 0xce, 0x46, 0xcd, 0xb8, 0x8d, 0x82, 0xf1, 0xc2, 0x09, 0x48, 0x2b, 0x8f, 0xa3, 0x42,
0xa9, 0xe9, 0x42, 0xa9, 0x31, 0x42, 0x7f, 0x9b, 0x05, 0x1b, 0x65, 0xd7, 0x2a, 0x51, 0xce, 0x7c,
0x99, 0x2f, 0xd3, 0xb7, 0xea, 0x44, 0x7c, 0x86, 0xfd, 0xf1, 0x0c, 0xcc, 0x71, 0x8f, 0xd4, 0xd4,
0xb6, 0xd8, 0x9b, 0x92, 0xdb, 0x31, 0xf1, 0x55, 0x3c, 0x52, 0x33, 0xb3, 0xe1, 0x52, 0x06, 0x5f,
0x48, 0xaa, 0xc1, 0x97, 0x60, 0x81, 0x0b, 0x2c, 0x7c, 0xae, 0xa7, 0xa4, 0xee, 0xc3, 0x5b, 0xea,
0x4a, 0xee, 0x70, 0x15, 0xfb, 0xdf, 0x48, 0x69, 0x16, 0xfe, 0xa5, 0x81, 0xef, 0x8e, 0x61, 0x3d,
0xa5, 0x5c, 0xc0, 0x97, 0x89, 0x8c, 0x19, 0x1f, 0x96, 0xb1, 0x80, 0x2d, 0xf3, 0x35, 0x38, 0xbc,
0xe1, 0xc8, 0x48, 0xb6, 0x2a, 0x60, 0x9e, 0x0a, 0xd2, 0x0c, 0xb7, 0xa2, 0x71, 0xbb, 0x69, 0x99,
0xcb, 0x4a, 0x7a, 0xfe, 0x2c, 0x10, 0x41, 0x7d, 0xad, 0xc2, 0xbf, 0x67, 0xc7, 0x4e, 0x27, 0x48,
0x27, 0xbc, 0x04, 0xd9, 0x26, 0x75, 0x0e, 0x5a, 0x98, 0xda, 0xb8, 0xaa, 0x4e, 0xcf, 0xb4, 0x4d,
0x10, 0xd4, 0x4a, 0xa3, 0x5f, 0x2b, 0x8d, 0x33, 0x47, 0x5c, 0xb0, 0x8a, 0x60, 0xd4, 0xa9, 0x9b,
0x6b, 0xbd, 0x6e, 0x3e, 0x7b, 0x3e, 0xa2, 0x84, 0x22, 0xba, 0xf0, 0xb7, 0x20, 0xc3, 0x89, 0x4d,
0x6a, 0xc2, 0x65, 0xb7, 0xab, 0x10, 0x4f, 0x71, 0x95, 0xd8, 0x15, 0x45, 0x35, 0xb3, 0x41, 0xde,
0xc2, 0x2f, 0x34, 0x90, 0x84, 0x36, 0x58, 0x69, 0xe2, 0xf6, 0x73, 0x07, 0x0f, 0x26, 0x92, 0xfa,
0xc8, 0x89, 0xc0, 0x5e, 0x37, 0xbf, 0x72, 0x1e, 0xd1, 0x42, 0x31, 0xed, 0xc2, 0xff, 0xe7, 0xc0,
0x17, 0x13, 0x77, 0x15, 0x7c, 0x02, 0xa0, 0x5b, 0xe5, 0x84, 0xb5, 0x88, 0x75, 0xd2, 0xbf, 0x4d,
0xa8, 0x1b, 0x1e, 0xdc, 0x6d, 0xb5, 0x40, 0xf0, 0x22, 0x81, 0x40, 0x63, 0x58, 0xf0, 0x4f, 0x1a,
0x58, 0xb6, 0xfa, 0x6e, 0x88, 0x55, 0x76, 0xad, 0x70, 0x63, 0x9c, 0x7c, 0xcc, 0x7e, 0x37, 0x4a,
0xa3, 0x4a, 0x47, 0x8e, 0x60, 0x1d, 0x73, 0x53, 0x05, 0xb4, 0x1c, 0xb1, 0xa1, 0xa8, 0x53, 0x78,
0x0e, 0xa0, 0x35, 0x90, 0xe4, 0xea, 0x4e, 0x93, 0x29, 0x9e, 0x37, 0xef, 0x28, 0x85, 0xcd, 0x88,
0xdf, 0x10, 0x84, 0xc6, 0x10, 0xe1, 0xcf, 0xc0, 0x4a, 0xcd, 0x67, 0x8c, 0x38, 0xe2, 0x94, 0x60,
0x5b, 0x34, 0x3a, 0xfa, 0x9c, 0x94, 0xda, 0x52, 0x52, 0x2b, 0x87, 0x11, 0x2b, 0x8a, 0xa1, 0x03,
0xbe, 0x45, 0x38, 0x65, 0xc4, 0x0a, 0xf9, 0xf3, 0x51, 0x7e, 0x29, 0x62, 0x45, 0x31, 0x34, 0xdc,
0x07, 0x59, 0xd2, 0xf6, 0x48, 0x2d, 0xcc, 0xe9, 0x82, 0x64, 0x7f, 0x47, 0xb1, 0xb3, 0x47, 0x23,
0x36, 0x14, 0x41, 0x6e, 0xdb, 0x00, 0x26, 0x93, 0x08, 0xd7, 0x40, 0xea, 0x8a, 0x74, 0xfa, 0x37,
0x0f, 0x0a, 0x7e, 0xc2, 0x9f, 0x83, 0xf9, 0x16, 0xb6, 0x7d, 0xa2, 0xf6, 0xfa, 0x37, 0x1f, 0xb6,
0xd7, 0x9f, 0xd1, 0x26, 0x41, 0x7d, 0xe2, 0x8f, 0x67, 0xf7, 0xb5, 0xc2, 0x3f, 0x35, 0xb0, 0x5e,
0x76, 0xad, 0x0a, 0xa9, 0xf9, 0x8c, 0x8a, 0x4e, 0x59, 0xae, 0xf3, 0x67, 0xa8, 0xd9, 0x28, 0x52,
0xb3, 0xef, 0x4f, 0xdf, 0x6b, 0xd1, 0xe8, 0x26, 0x55, 0xec, 0xc2, 0xb5, 0x06, 0x36, 0x13, 0xe8,
0xcf, 0x50, 0x51, 0x7f, 0x19, 0xad, 0xa8, 0x77, 0x6f, 0x33, 0x99, 0x09, 0xf5, 0xf4, 0x7d, 0x76,
0xcc, 0x54, 0x64, 0x35, 0x0d, 0xba, 0x3b, 0x46, 0x5b, 0xd4, 0x26, 0x75, 0x62, 0xc9, 0xc9, 0x64,
0x46, 0xba, 0xbb, 0x81, 0x05, 0x8d, 0xa0, 0x20, 0x07, 0x5b, 0x16, 0xb9, 0xc4, 0xbe, 0x2d, 0x0e,
0x2c, 0xeb, 0x10, 0x7b, 0xb8, 0x4a, 0x6d, 0x2a, 0xa8, 0x6a, 0x47, 0x16, 0xcd, 0xc7, 0xbd, 0x6e,
0x7e, 0xab, 0x34, 0x16, 0xf1, 0xbe, 0x9b, 0xbf, 0x93, 0xec, 0xcb, 0x8d, 0x01, 0xa4, 0x83, 0x26,
0x48, 0xc3, 0x0e, 0xd0, 0x19, 0xf9, 0x83, 0x1f, 0x1c, 0x8a, 0x12, 0x73, 0xbd, 0x88, 0xdb, 0x94,
0x74, 0xfb, 0xd3, 0x5e, 0x37, 0xaf, 0xa3, 0x09, 0x98, 0x9b, 0x1d, 0x4f, 0x94, 0x87, 0xaf, 0xc0,
0x06, 0xee, 0xd7, 0x81, 0x88, 0xd7, 0x39, 0xe9, 0x75, 0xbf, 0xd7, 0xcd, 0x6f, 0x1c, 0x24, 0xcd,
0x37, 0x3b, 0x1c, 0x27, 0x0a, 0x8b, 0x20, 0xdd, 0x92, 0x2d, 0x3b, 0xd7, 0xe7, 0xa5, 0xfe, 0x66,
0xaf, 0x9b, 0x4f, 0xf7, 0xbb, 0xf8, 0x40, 0x73, 0xe1, 0xb8, 0x22, 0x1b, 0xc1, 0x10, 0x05, 0x1f,
0x81, 0xa5, 0x86, 0xcb, 0xc5, 0x2f, 0x88, 0x78, 0xed, 0xb2, 0x2b, 0x59, 0x18, 0x32, 0xe6, 0x86,
0x5a, 0xc1, 0xa5, 0xd3, 0xa1, 0x09, 0x8d, 0xe2, 0xe0, 0xaf, 0xc1, 0x62, 0x43, 0xb5, 0x7d, 0x5c,
0x4f, 0xcb, 0x8d, 0xb6, 0x33, 0x65, 0xa3, 0x45, 0x5a, 0x44, 0x73, 0x5d, 0xc9, 0x2f, 0x86, 0xc3,
0x1c, 0x0d, 0xd5, 0xe0, 0x0f, 0x40, 0x5a, 0x7e, 0x9c, 0x95, 0xf4, 0x8c, 0x8c, 0x66, 0x55, 0xc1,
0xd3, 0xa7, 0xfd, 0x61, 0x14, 0xda, 0x43, 0xe8, 0x59, 0xf9, 0x50, 0x5f, 0x4c, 0x42, 0xcf, 0xca,
0x87, 0x28, 0xb4, 0xc3, 0x97, 0x20, 0xcd, 0xc9, 0x53, 0xea, 0xf8, 0x6d, 0x1d, 0xc8, 0x23, 0xb7,
0x3b, 0x25, 0xdc, 0xca, 0x91, 0x44, 0xc6, 0x1a, 0xee, 0xa1, 0xba, 0xb2, 0xa3, 0x50, 0x12, 0x5a,
0x60, 0x91, 0xf9, 0xce, 0x01, 0x7f, 0xce, 0x09, 0xd3, 0x97, 0x12, 0xb7, 0x7d, 0x5c, 0x1f, 0x85,
0xd8, 0xb8, 0x87, 0x41, 0x66, 0x06, 0x08, 0x34, 0x14, 0x86, 0x7f, 0xd6, 0x00, 0xe4, 0xbe, 0xe7,
0xd9, 0xa4, 0x49, 0x1c, 0x81, 0x6d, 0xd9, 0xdf, 0x73, 0x3d, 0x2b, 0xfd, 0xfd, 0x64, 0xda, 0x7c,
0x12, 0xa4, 0xb8, 0xe3, 0xc1, 0x35, 0x9d, 0x84, 0xa2, 0x31, 0x3e, 0x83, 0x74, 0x5e, 0x72, 0xf9,
0x5b, 0x5f, 0xbe, 0x31, 0x9d, 0xe3, 0xdf, 0x2f, 0xc3, 0x74, 0x2a, 0x3b, 0x0a, 0x25, 0xe1, 0x0b,
0xb0, 0x15, 0xbe, 0xee, 0x90, 0xeb, 0x8a, 0x63, 0x6a, 0x13, 0xde, 0xe1, 0x82, 0x34, 0xf5, 0x15,
0xb9, 0xcc, 0x39, 0xc5, 0xdc, 0x42, 0x63, 0x51, 0x68, 0x02, 0x1b, 0x36, 0x41, 0x3e, 0x2c, 0x0f,
0xc1, 0xd9, 0x19, 0xd4, 0xa7, 0x23, 0x5e, 0xc3, 0x76, 0xbf, 0x6b, 0x59, 0x95, 0x0e, 0xbe, 0xee,
0x75, 0xf3, 0xf9, 0xd2, 0x74, 0x28, 0xba, 0x49, 0x0b, 0xfe, 0x0a, 0xe8, 0x78, 0x92, 0x9f, 0x35,
0xe9, 0xe7, 0x7b, 0x41, 0xcd, 0x99, 0xe8, 0x60, 0x22, 0x1b, 0x7a, 0x60, 0x0d, 0x47, 0xdf, 0xd9,
0x5c, 0x5f, 0x97, 0xa7, 0xf0, 0x9b, 0x29, 0xeb, 0x10, 0x7b, 0x9a, 0x9b, 0xba, 0x4a, 0xe3, 0x5a,
0xcc, 0xc0, 0x51, 0x42, 0x1d, 0xb6, 0x01, 0xc4, 0xf1, 0xbf, 0x05, 0xb8, 0x0e, 0x6f, 0xbc, 0x62,
0x12, 0xff, 0x25, 0x0c, 0xb7, 0x5a, 0xc2, 0xc4, 0xd1, 0x18, 0x1f, 0xc1, 0x0b, 0x58, 0x9f, 0x74,
0x60, 0xe0, 0xa3, 0xc8, 0x1b, 0xf8, 0xab, 0xd8, 0x1b, 0x78, 0x3d, 0xc1, 0xfb, 0x04, 0x2f, 0xe0,
0xbf, 0x6b, 0x60, 0x6b, 0x7c, 0xc1, 0x80, 0x0f, 0x22, 0xd1, 0xe5, 0x63, 0xd1, 0xad, 0xc6, 0x58,
0x2a, 0xb6, 0xdf, 0x81, 0x15, 0x55, 0x56, 0xa2, 0x7f, 0x30, 0x44, 0x62, 0x0c, 0xee, 0x83, 0xa0,
0x23, 0x50, 0x12, 0xe1, 0x91, 0x92, 0xbd, 0x7c, 0x74, 0x0c, 0xc5, 0xd4, 0x0a, 0xff, 0xd0, 0xc0,
0x57, 0x37, 0x16, 0x04, 0x68, 0x46, 0x42, 0x37, 0x62, 0xa1, 0xe7, 0x26, 0x0b, 0x7c, 0x9a, 0xff,
0x19, 0xcc, 0x7b, 0xd7, 0xef, 0x72, 0x33, 0x6f, 0xde, 0xe5, 0x66, 0xde, 0xbe, 0xcb, 0xcd, 0xfc,
0xb1, 0x97, 0xd3, 0xae, 0x7b, 0x39, 0xed, 0x4d, 0x2f, 0xa7, 0xbd, 0xed, 0xe5, 0xb4, 0xff, 0xf6,
0x72, 0xda, 0x5f, 0xfe, 0x97, 0x9b, 0xf9, 0x4d, 0x5a, 0xc9, 0x7d, 0x1b, 0x00, 0x00, 0xff, 0xff,
0x0a, 0x51, 0x58, 0x42, 0x4c, 0x14, 0x00, 0x00,
// 1679 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x58, 0x4f, 0x6f, 0x23, 0xb7,
0x15, 0xf7, 0xac, 0x6c, 0x4b, 0xa6, 0x6d, 0xad, 0x4d, 0x7b, 0xdd, 0x89, 0xd1, 0xd5, 0x24, 0x0a,
0x50, 0x6c, 0x83, 0x64, 0x14, 0x7b, 0x93, 0xd6, 0x68, 0xda, 0x22, 0x1e, 0xcb, 0xff, 0x02, 0xbb,
0x56, 0xa9, 0xdd, 0xa0, 0x2d, 0xb6, 0x45, 0x29, 0x0d, 0x2d, 0x31, 0x1e, 0xcd, 0x4c, 0x49, 0x8e,
0x22, 0xdd, 0x7a, 0xe8, 0xa1, 0xe8, 0xa9, 0x5f, 0xa0, 0x9f, 0xa0, 0xe8, 0xa9, 0x5f, 0xc2, 0x05,
0x8a, 0x22, 0xc7, 0xa0, 0x07, 0xa1, 0xab, 0xa2, 0x5f, 0x22, 0xa7, 0x62, 0x28, 0x8e, 0xa4, 0xf9,
0x23, 0x79, 0x1d, 0x60, 0xf7, 0xa6, 0xe1, 0xfb, 0xfd, 0x7e, 0xef, 0xf1, 0xf1, 0xf1, 0x91, 0x14,
0xb0, 0x6e, 0x0e, 0xb8, 0x49, 0xbd, 0xca, 0x4d, 0xd0, 0x20, 0xcc, 0x25, 0x82, 0xf0, 0x4a, 0x97,
0xb8, 0xb6, 0xc7, 0x2a, 0xca, 0x80, 0x7d, 0x5a, 0xf1, 0x3d, 0x87, 0x36, 0xfb, 0x95, 0xee, 0x5e,
0x83, 0x08, 0xbc, 0x57, 0x69, 0x11, 0x97, 0x30, 0x2c, 0x88, 0x6d, 0xfa, 0xcc, 0x13, 0x1e, 0x7c,
0x6b, 0x04, 0x35, 0xb1, 0x4f, 0xcd, 0x11, 0xd4, 0x54, 0xd0, 0xdd, 0x0f, 0x5a, 0x54, 0xb4, 0x83,
0x86, 0xd9, 0xf4, 0x3a, 0x95, 0x96, 0xd7, 0xf2, 0x2a, 0x92, 0xd1, 0x08, 0xae, 0xe5, 0x97, 0xfc,
0x90, 0xbf, 0x46, 0x4a, 0xbb, 0xe5, 0x29, 0xa7, 0x4d, 0x8f, 0x91, 0x4a, 0x37, 0xe5, 0x6d, 0xf7,
0xa3, 0x09, 0xa6, 0x83, 0x9b, 0x6d, 0xea, 0x12, 0xd6, 0xaf, 0xf8, 0x37, 0xad, 0x70, 0x80, 0x57,
0x3a, 0x44, 0xe0, 0x2c, 0x56, 0x65, 0x16, 0x8b, 0x05, 0xae, 0xa0, 0x1d, 0x92, 0x22, 0xfc, 0xe0,
0x2e, 0x02, 0x6f, 0xb6, 0x49, 0x07, 0xa7, 0x78, 0x4f, 0x67, 0xf1, 0x02, 0x41, 0x9d, 0x0a, 0x75,
0x05, 0x17, 0x2c, 0x49, 0x2a, 0x7f, 0x02, 0x36, 0x0f, 0x1d, 0xc7, 0xfb, 0x92, 0xd8, 0x27, 0x0e,
0xe9, 0x7d, 0xee, 0x39, 0x41, 0x87, 0xc0, 0xef, 0x81, 0x65, 0x9b, 0xd1, 0x2e, 0x61, 0xba, 0xf6,
0xb6, 0xf6, 0x64, 0xc5, 0x2a, 0xde, 0x0e, 0x8c, 0x85, 0xe1, 0xc0, 0x58, 0xae, 0xca, 0x51, 0xa4,
0xac, 0x65, 0x0e, 0x1e, 0x2a, 0xf2, 0x99, 0xc7, 0x45, 0x0d, 0x8b, 0x36, 0xdc, 0x07, 0xc0, 0xc7,
0xa2, 0x5d, 0x63, 0xe4, 0x9a, 0xf6, 0x14, 0x1d, 0x2a, 0x3a, 0xa8, 0x8d, 0x2d, 0x68, 0x0a, 0x05,
0xdf, 0x07, 0x05, 0x46, 0xb0, 0x7d, 0xe5, 0x3a, 0x7d, 0xfd, 0xc1, 0xdb, 0xda, 0x93, 0x82, 0xb5,
0xa1, 0x18, 0x05, 0xa4, 0xc6, 0xd1, 0x18, 0x51, 0xfe, 0xb7, 0x06, 0x0a, 0xc7, 0x5d, 0xda, 0x14,
0xd4, 0x73, 0xe1, 0x6f, 0x41, 0x21, 0xcc, 0xbb, 0x8d, 0x05, 0x96, 0xce, 0x56, 0xf7, 0x3f, 0x34,
0x27, 0x35, 0x31, 0x4e, 0x83, 0xe9, 0xdf, 0xb4, 0xc2, 0x01, 0x6e, 0x86, 0x68, 0xb3, 0xbb, 0x67,
0x5e, 0x35, 0xbe, 0x20, 0x4d, 0x71, 0x49, 0x04, 0x9e, 0x84, 0x37, 0x19, 0x43, 0x63, 0x55, 0xe8,
0x80, 0x75, 0x9b, 0x38, 0x44, 0x90, 0x2b, 0x3f, 0xf4, 0xc8, 0x65, 0x84, 0xab, 0xfb, 0x4f, 0x5f,
0xcd, 0x4d, 0x75, 0x9a, 0x6a, 0x6d, 0x0e, 0x07, 0xc6, 0x7a, 0x6c, 0x08, 0xc5, 0xc5, 0xcb, 0x7f,
0xd1, 0xc0, 0xce, 0x49, 0xfd, 0x94, 0x79, 0x81, 0x5f, 0x17, 0xe1, 0x3a, 0xb5, 0xfa, 0xca, 0x04,
0x7f, 0x08, 0x16, 0x59, 0xe0, 0x10, 0x95, 0xd3, 0x77, 0x55, 0xd0, 0x8b, 0x28, 0x70, 0xc8, 0x37,
0x03, 0x63, 0x2b, 0xc1, 0x7a, 0xd6, 0xf7, 0x09, 0x92, 0x04, 0xf8, 0x19, 0x58, 0x66, 0xd8, 0x6d,
0x91, 0x30, 0xf4, 0xdc, 0x93, 0xd5, 0xfd, 0xb2, 0x39, 0x73, 0xd7, 0x98, 0xe7, 0x55, 0x14, 0x42,
0x27, 0x2b, 0x2e, 0x3f, 0x39, 0x52, 0x0a, 0xe5, 0x4b, 0xb0, 0x2e, 0x97, 0xda, 0x63, 0x42, 0x5a,
0xe0, 0x63, 0x90, 0xeb, 0x50, 0x57, 0x06, 0xb5, 0x64, 0xad, 0x2a, 0x56, 0xee, 0x92, 0xba, 0x28,
0x1c, 0x97, 0x66, 0xdc, 0x93, 0x39, 0x9b, 0x36, 0xe3, 0x1e, 0x0a, 0xc7, 0xcb, 0xa7, 0x20, 0xaf,
0x3c, 0x4e, 0x0b, 0xe5, 0xe6, 0x0b, 0xe5, 0x32, 0x84, 0xfe, 0xfa, 0x00, 0x6c, 0xd5, 0x3c, 0xbb,
0x4a, 0x39, 0x0b, 0x64, 0xbe, 0xac, 0xc0, 0x6e, 0x11, 0xf1, 0x06, 0xea, 0xe3, 0x19, 0x58, 0xe4,
0x3e, 0x69, 0xaa, 0xb2, 0xd8, 0x9f, 0x93, 0xdb, 0x8c, 0xf8, 0xea, 0x3e, 0x69, 0x5a, 0x6b, 0xd1,
0x52, 0x86, 0x5f, 0x48, 0xaa, 0xc1, 0x17, 0x60, 0x99, 0x0b, 0x2c, 0x02, 0xae, 0xe7, 0xa4, 0xee,
0x47, 0xf7, 0xd4, 0x95, 0xdc, 0xc9, 0x2a, 0x8e, 0xbe, 0x91, 0xd2, 0x2c, 0xff, 0x53, 0x03, 0xdf,
0xc9, 0x60, 0x5d, 0x50, 0x2e, 0xe0, 0x8b, 0x54, 0xc6, 0xcc, 0x57, 0xcb, 0x58, 0xc8, 0x96, 0xf9,
0x1a, 0x6f, 0xde, 0x68, 0x64, 0x2a, 0x5b, 0x75, 0xb0, 0x44, 0x05, 0xe9, 0x44, 0xa5, 0x68, 0xde,
0x6f, 0x5a, 0xd6, 0xba, 0x92, 0x5e, 0x3a, 0x0f, 0x45, 0xd0, 0x48, 0xab, 0xfc, 0xaf, 0x07, 0x99,
0xd3, 0x09, 0xd3, 0x09, 0xaf, 0xc1, 0x5a, 0x87, 0xba, 0x87, 0x5d, 0x4c, 0x1d, 0xdc, 0x50, 0xbb,
0x67, 0x5e, 0x11, 0x84, 0xbd, 0xd2, 0x1c, 0xf5, 0x4a, 0xf3, 0xdc, 0x15, 0x57, 0xac, 0x2e, 0x18,
0x75, 0x5b, 0xd6, 0xc6, 0x70, 0x60, 0xac, 0x5d, 0x4e, 0x29, 0xa1, 0x98, 0x2e, 0xfc, 0x35, 0x28,
0x70, 0xe2, 0x90, 0xa6, 0xf0, 0xd8, 0xfd, 0x3a, 0xc4, 0x05, 0x6e, 0x10, 0xa7, 0xae, 0xa8, 0xd6,
0x5a, 0x98, 0xb7, 0xe8, 0x0b, 0x8d, 0x25, 0xa1, 0x03, 0x8a, 0x1d, 0xdc, 0x7b, 0xee, 0xe2, 0xf1,
0x44, 0x72, 0xdf, 0x72, 0x22, 0x70, 0x38, 0x30, 0x8a, 0x97, 0x31, 0x2d, 0x94, 0xd0, 0x2e, 0xff,
0x6f, 0x11, 0xbc, 0x35, 0xb3, 0xaa, 0xe0, 0x67, 0x00, 0x7a, 0x0d, 0x4e, 0x58, 0x97, 0xd8, 0xa7,
0xa3, 0xd3, 0x84, 0x7a, 0xd1, 0xc6, 0xdd, 0x55, 0x0b, 0x04, 0xaf, 0x52, 0x08, 0x94, 0xc1, 0x82,
0x7f, 0xd0, 0xc0, 0xba, 0x3d, 0x72, 0x43, 0xec, 0x9a, 0x67, 0x47, 0x85, 0x71, 0xfa, 0x6d, 0xea,
0xdd, 0xac, 0x4e, 0x2b, 0x1d, 0xbb, 0x82, 0xf5, 0xad, 0x47, 0x2a, 0xa0, 0xf5, 0x98, 0x0d, 0xc5,
0x9d, 0xc2, 0x4b, 0x00, 0xed, 0xb1, 0x24, 0x57, 0x67, 0x9a, 0x4c, 0xf1, 0x92, 0xf5, 0x58, 0x29,
0x3c, 0x8a, 0xf9, 0x8d, 0x40, 0x28, 0x83, 0x08, 0x7f, 0x0a, 0x8a, 0xcd, 0x80, 0x31, 0xe2, 0x8a,
0x33, 0x82, 0x1d, 0xd1, 0xee, 0xeb, 0x8b, 0x52, 0x6a, 0x47, 0x49, 0x15, 0x8f, 0x62, 0x56, 0x94,
0x40, 0x87, 0x7c, 0x9b, 0x70, 0xca, 0x88, 0x1d, 0xf1, 0x97, 0xe2, 0xfc, 0x6a, 0xcc, 0x8a, 0x12,
0x68, 0x78, 0x00, 0xd6, 0x48, 0xcf, 0x27, 0xcd, 0x28, 0xa7, 0xcb, 0x92, 0xbd, 0xad, 0xd8, 0x6b,
0xc7, 0x53, 0x36, 0x14, 0x43, 0xee, 0x3a, 0x00, 0xa6, 0x93, 0x08, 0x37, 0x40, 0xee, 0x86, 0xf4,
0x47, 0x27, 0x0f, 0x0a, 0x7f, 0xc2, 0x4f, 0xc1, 0x52, 0x17, 0x3b, 0x01, 0x51, 0xb5, 0xfe, 0xde,
0xab, 0xd5, 0xfa, 0x33, 0xda, 0x21, 0x68, 0x44, 0xfc, 0xd1, 0x83, 0x03, 0xad, 0xfc, 0x0f, 0x0d,
0x6c, 0xd6, 0x3c, 0xbb, 0x4e, 0x9a, 0x01, 0xa3, 0xa2, 0x5f, 0x93, 0xeb, 0xfc, 0x06, 0x7a, 0x36,
0x8a, 0xf5, 0xec, 0x0f, 0xe7, 0xd7, 0x5a, 0x3c, 0xba, 0x59, 0x1d, 0xbb, 0x7c, 0xab, 0x81, 0x47,
0x29, 0xf4, 0x1b, 0xe8, 0xa8, 0x3f, 0x8f, 0x77, 0xd4, 0xf7, 0xef, 0x33, 0x99, 0x19, 0xfd, 0xf4,
0x4f, 0xc5, 0x8c, 0xa9, 0xc8, 0x6e, 0x1a, 0xde, 0xee, 0x18, 0xed, 0x52, 0x87, 0xb4, 0x88, 0x2d,
0x27, 0x53, 0x98, 0xba, 0xdd, 0x8d, 0x2d, 0x68, 0x0a, 0x05, 0x39, 0xd8, 0xb1, 0xc9, 0x35, 0x0e,
0x1c, 0x71, 0x68, 0xdb, 0x47, 0xd8, 0xc7, 0x0d, 0xea, 0x50, 0x41, 0xd5, 0x75, 0x64, 0xc5, 0xfa,
0x64, 0x38, 0x30, 0x76, 0xaa, 0x99, 0x88, 0x6f, 0x06, 0xc6, 0xe3, 0xf4, 0xbd, 0xdc, 0x1c, 0x43,
0xfa, 0x68, 0x86, 0x34, 0xec, 0x03, 0x9d, 0x91, 0xdf, 0x05, 0xe1, 0xa6, 0xa8, 0x32, 0xcf, 0x8f,
0xb9, 0xcd, 0x49, 0xb7, 0x3f, 0x19, 0x0e, 0x0c, 0x1d, 0xcd, 0xc0, 0xdc, 0xed, 0x78, 0xa6, 0x3c,
0xfc, 0x02, 0x6c, 0xe1, 0x51, 0x1f, 0x88, 0x79, 0x5d, 0x94, 0x5e, 0x0f, 0x86, 0x03, 0x63, 0xeb,
0x30, 0x6d, 0xbe, 0xdb, 0x61, 0x96, 0x28, 0xac, 0x80, 0x7c, 0x57, 0x5e, 0xd9, 0xb9, 0xbe, 0x24,
0xf5, 0x1f, 0x0d, 0x07, 0x46, 0x7e, 0x74, 0x8b, 0x0f, 0x35, 0x97, 0x4f, 0xea, 0xf2, 0x22, 0x18,
0xa1, 0xe0, 0xc7, 0x60, 0xb5, 0xed, 0x71, 0xf1, 0x33, 0x22, 0xbe, 0xf4, 0xd8, 0x8d, 0x6c, 0x0c,
0x05, 0x6b, 0x4b, 0xad, 0xe0, 0xea, 0xd9, 0xc4, 0x84, 0xa6, 0x71, 0xf0, 0x97, 0x60, 0xa5, 0xad,
0xae, 0x7d, 0x5c, 0xcf, 0xcb, 0x42, 0x7b, 0x32, 0xa7, 0xd0, 0x62, 0x57, 0x44, 0x6b, 0x53, 0xc9,
0xaf, 0x44, 0xc3, 0x1c, 0x4d, 0xd4, 0xe0, 0xf7, 0x41, 0x5e, 0x7e, 0x9c, 0x57, 0xf5, 0x82, 0x8c,
0xe6, 0xa1, 0x82, 0xe7, 0xcf, 0x46, 0xc3, 0x28, 0xb2, 0x47, 0xd0, 0xf3, 0xda, 0x91, 0xbe, 0x92,
0x86, 0x9e, 0xd7, 0x8e, 0x50, 0x64, 0x87, 0x2f, 0x40, 0x9e, 0x93, 0x0b, 0xea, 0x06, 0x3d, 0x1d,
0xc8, 0x2d, 0xb7, 0x37, 0x27, 0xdc, 0xfa, 0xb1, 0x44, 0x26, 0x2e, 0xdc, 0x13, 0x75, 0x65, 0x47,
0x91, 0x24, 0xb4, 0xc1, 0x0a, 0x0b, 0xdc, 0x43, 0xfe, 0x9c, 0x13, 0xa6, 0xaf, 0xa6, 0x4e, 0xfb,
0xa4, 0x3e, 0x8a, 0xb0, 0x49, 0x0f, 0xe3, 0xcc, 0x8c, 0x11, 0x68, 0x22, 0x0c, 0xff, 0xa8, 0x01,
0xc8, 0x03, 0xdf, 0x77, 0x48, 0x87, 0xb8, 0x02, 0x3b, 0xf2, 0x7e, 0xcf, 0xf5, 0x35, 0xe9, 0xef,
0xc7, 0xf3, 0xe6, 0x93, 0x22, 0x25, 0x1d, 0x8f, 0x8f, 0xe9, 0x34, 0x14, 0x65, 0xf8, 0x0c, 0xd3,
0x79, 0xcd, 0xe5, 0x6f, 0x7d, 0xfd, 0xce, 0x74, 0x66, 0xbf, 0x5f, 0x26, 0xe9, 0x54, 0x76, 0x14,
0x49, 0xc2, 0xcf, 0xc1, 0x4e, 0xf4, 0xba, 0x43, 0x9e, 0x27, 0x4e, 0xa8, 0x43, 0x78, 0x9f, 0x0b,
0xd2, 0xd1, 0x8b, 0x72, 0x99, 0x4b, 0x8a, 0xb9, 0x83, 0x32, 0x51, 0x68, 0x06, 0x1b, 0x76, 0x80,
0x11, 0xb5, 0x87, 0x70, 0xef, 0x8c, 0xfb, 0xd3, 0x31, 0x6f, 0x62, 0x67, 0x74, 0x6b, 0x79, 0x28,
0x1d, 0xbc, 0x3b, 0x1c, 0x18, 0x46, 0x75, 0x3e, 0x14, 0xdd, 0xa5, 0x05, 0x7f, 0x01, 0x74, 0x3c,
0xcb, 0xcf, 0x86, 0xf4, 0xf3, 0xdd, 0xb0, 0xe7, 0xcc, 0x74, 0x30, 0x93, 0x0d, 0x7d, 0xb0, 0x81,
0xe3, 0xef, 0x6c, 0xae, 0x6f, 0xca, 0x5d, 0xf8, 0xde, 0x9c, 0x75, 0x48, 0x3c, 0xcd, 0x2d, 0x5d,
0xa5, 0x71, 0x23, 0x61, 0xe0, 0x28, 0xa5, 0x0e, 0x7b, 0x00, 0xe2, 0xe4, 0xdf, 0x02, 0x5c, 0x87,
0x77, 0x1e, 0x31, 0xa9, 0xff, 0x12, 0x26, 0xa5, 0x96, 0x32, 0x71, 0x94, 0xe1, 0x03, 0x5e, 0x80,
0x6d, 0x35, 0xfa, 0xdc, 0xe5, 0xf8, 0x9a, 0xd4, 0xfb, 0xbc, 0x29, 0x1c, 0xae, 0x6f, 0xc9, 0xfe,
0xa6, 0x0f, 0x07, 0xc6, 0xf6, 0x61, 0x86, 0x1d, 0x65, 0xb2, 0xe0, 0xa7, 0x60, 0xe3, 0xda, 0x63,
0x0d, 0x6a, 0xdb, 0xc4, 0x8d, 0x94, 0xb6, 0xa5, 0xd2, 0x76, 0x98, 0x89, 0x93, 0x84, 0x0d, 0xa5,
0xd0, 0xe1, 0x8b, 0x5c, 0x9f, 0xb5, 0x81, 0xe1, 0xc7, 0xb1, 0x37, 0xf9, 0x3b, 0x89, 0x37, 0xf9,
0x66, 0x8a, 0xf7, 0x1a, 0x5e, 0xe4, 0x7f, 0xd3, 0xc0, 0x4e, 0x76, 0x03, 0x83, 0x4f, 0x63, 0xd1,
0x19, 0x89, 0xe8, 0x1e, 0x26, 0x58, 0x2a, 0xb6, 0xdf, 0x80, 0xa2, 0x6a, 0x73, 0xf1, 0x3f, 0x3c,
0x62, 0x31, 0x86, 0xe7, 0x53, 0x78, 0x43, 0x51, 0x12, 0xd1, 0x16, 0x97, 0x6f, 0x8b, 0xf8, 0x18,
0x4a, 0xa8, 0x95, 0xff, 0xae, 0x81, 0x77, 0xee, 0x6c, 0x50, 0xd0, 0x8a, 0x85, 0x6e, 0x26, 0x42,
0x2f, 0xcd, 0x16, 0x78, 0x3d, 0xff, 0x7b, 0x58, 0x1f, 0xdc, 0xbe, 0x2c, 0x2d, 0x7c, 0xf5, 0xb2,
0xb4, 0xf0, 0xf5, 0xcb, 0xd2, 0xc2, 0xef, 0x87, 0x25, 0xed, 0x76, 0x58, 0xd2, 0xbe, 0x1a, 0x96,
0xb4, 0xaf, 0x87, 0x25, 0xed, 0x3f, 0xc3, 0x92, 0xf6, 0xe7, 0xff, 0x96, 0x16, 0x7e, 0x95, 0x57,
0x72, 0xff, 0x0f, 0x00, 0x00, 0xff, 0xff, 0xfc, 0x91, 0xe5, 0x7f, 0xdc, 0x14, 0x00, 0x00,
}

21
staging/src/k8s.io/api/policy/v1beta1/generated.proto
View File

@ -275,6 +275,27 @@ message PodSecurityPolicySpec {
// is allowed in the "volumes" field.
// +optional
repeated AllowedFlexVolume allowedFlexVolumes = 18;
// allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
repeated string allowedUnsafeSysctls = 19;
// forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
repeated string forbiddenSysctls = 20;
}
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.

19
staging/src/k8s.io/api/policy/v1beta1/types.go
View File

@ -201,6 +201,25 @@ type PodSecurityPolicySpec struct {
// is allowed in the "volumes" field.
// +optional
AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
// allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,19,rep,name=allowedUnsafeSysctls"`
// forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy

2
staging/src/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go generated
View File

@ -169,6 +169,8 @@ var map_PodSecurityPolicySpec = map[string]string{
"allowPrivilegeEscalation": "allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.",
"allowedHostPaths": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.",
"allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.",
"allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
}
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {

10
staging/src/k8s.io/api/policy/v1beta1/zz_generated.deepcopy.go generated
View File

@ -394,6 +394,16 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
*out = make([]AllowedFlexVolume, len(*in))
copy(*out, *in)
}
if in.AllowedUnsafeSysctls != nil {
in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.ForbiddenSysctls != nil {
in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}

1
test/e2e/common/BUILD
View File

@ -36,7 +36,6 @@ go_library(
deps = [
"//pkg/api/v1/pod:go_default_library",
"//pkg/apis/core:go_default_library",
"//pkg/apis/core/v1/helper:go_default_library",
"//pkg/client/clientset_generated/internalclientset:go_default_library",
"//pkg/client/conditions:go_default_library",
"//pkg/kubelet:go_default_library",

86
test/e2e/common/sysctl.go
View File

@ -20,7 +20,6 @@ import (
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/uuid"
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
"k8s.io/kubernetes/pkg/kubelet/sysctl"
"k8s.io/kubernetes/test/e2e/framework"
@ -59,12 +58,14 @@ var _ = framework.KubeDescribe("Sysctls [NodeFeature:Sysctls]", func() {
It("should support sysctls", func() {
pod := testPod()
pod.Annotations[v1.SysctlsPodAnnotationKey] = v1helper.PodAnnotationsFromSysctls([]v1.Sysctl{
{
Name: "kernel.shm_rmid_forced",
Value: "1",
pod.Spec.SecurityContext = &v1.PodSecurityContext{
Sysctls: []v1.Sysctl{
{
Name: "kernel.shm_rmid_forced",
Value: "1",
},
},
})
}
pod.Spec.Containers[0].Command = []string{"/bin/sysctl", "kernel.shm_rmid_forced"}
By("Creating a pod with the kernel.shm_rmid_forced sysctl")
@ -100,12 +101,14 @@ var _ = framework.KubeDescribe("Sysctls [NodeFeature:Sysctls]", func() {
It("should support unsafe sysctls which are actually whitelisted", func() {
pod := testPod()
pod.Annotations[v1.UnsafeSysctlsPodAnnotationKey] = v1helper.PodAnnotationsFromSysctls([]v1.Sysctl{
{
Name: "kernel.shm_rmid_forced",
Value: "1",
pod.Spec.SecurityContext = &v1.PodSecurityContext{
Sysctls: []v1.Sysctl{
{
Name: "kernel.shm_rmid_forced",
Value: "1",
},
},
})
}
pod.Spec.Containers[0].Command = []string{"/bin/sysctl", "kernel.shm_rmid_forced"}
By("Creating a pod with the kernel.shm_rmid_forced sysctl")
@ -141,34 +144,27 @@ var _ = framework.KubeDescribe("Sysctls [NodeFeature:Sysctls]", func() {
It("should reject invalid sysctls", func() {
pod := testPod()
pod.Annotations[v1.SysctlsPodAnnotationKey] = v1helper.PodAnnotationsFromSysctls([]v1.Sysctl{
{
Name: "foo-",
Value: "bar",
pod.Spec.SecurityContext = &v1.PodSecurityContext{
Sysctls: []v1.Sysctl{
// Safe parameters
{
Name: "foo-",
Value: "bar",
},
{
Name: "kernel.shmmax",
Value: "100000000",
},
{
Name: "safe-and-unsafe",
Value: "100000000",
},
{
Name: "bar..",
Value: "42",
},
},
{
Name: "kernel.shmmax",
Value: "100000000",
},
{
Name: "safe-and-unsafe",
Value: "100000000",
},
})
pod.Annotations[v1.UnsafeSysctlsPodAnnotationKey] = v1helper.PodAnnotationsFromSysctls([]v1.Sysctl{
{
Name: "kernel.shmall",
Value: "100000000",
},
{
Name: "bar..",
Value: "42",
},
{
Name: "safe-and-unsafe",
Value: "100000000",
},
})
}
By("Creating a pod with one valid and two invalid sysctls")
client := f.ClientSet.CoreV1().Pods(f.Namespace.Name)
@ -177,18 +173,20 @@ var _ = framework.KubeDescribe("Sysctls [NodeFeature:Sysctls]", func() {
Expect(err).NotTo(BeNil())
Expect(err.Error()).To(ContainSubstring(`Invalid value: "foo-"`))
Expect(err.Error()).To(ContainSubstring(`Invalid value: "bar.."`))
Expect(err.Error()).To(ContainSubstring(`safe-and-unsafe`))
Expect(err.Error()).NotTo(ContainSubstring(`safe-and-unsafe`))
Expect(err.Error()).NotTo(ContainSubstring("kernel.shmmax"))
})
It("should not launch unsafe, but not explicitly enabled sysctls on the node", func() {
pod := testPod()
pod.Annotations[v1.SysctlsPodAnnotationKey] = v1helper.PodAnnotationsFromSysctls([]v1.Sysctl{
{
Name: "kernel.msgmax",
Value: "10000000000",
pod.Spec.SecurityContext = &v1.PodSecurityContext{
Sysctls: []v1.Sysctl{
{
Name: "kernel.msgmax",
Value: "10000000000",
},
},
})
}
By("Creating a pod with a greylisted, but not whitelisted sysctl on the node")
pod = podClient.Create(pod)

1
test/e2e/framework/psp_util.go
View File

@ -71,6 +71,7 @@ func PrivilegedPSP(name string) *extensionsv1beta1.PodSecurityPolicy {
Rule: extensionsv1beta1.FSGroupStrategyRunAsAny,
},
ReadOnlyRootFilesystem: false,
AllowedUnsafeSysctls: []string{"*"},
},
}
}

1
test/e2e/upgrades/BUILD
View File

@ -24,7 +24,6 @@ go_library(
],
importpath = "k8s.io/kubernetes/test/e2e/upgrades",
deps = [
"//pkg/apis/core/v1/helper:go_default_library",
"//pkg/kubelet/sysctl:go_default_library",
"//pkg/util/version:go_default_library",
"//test/e2e/common:go_default_library",

7
test/e2e/upgrades/sysctl.go
View File

@ -26,7 +26,6 @@ import (
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/uuid"
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
"k8s.io/kubernetes/pkg/kubelet/sysctl"
"k8s.io/kubernetes/test/e2e/framework"
@ -123,9 +122,6 @@ func sysctlTestPod(name string, sysctls map[string]string) *v1.Pod {
return &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Annotations: map[string]string{
v1.SysctlsPodAnnotationKey: v1helper.PodAnnotationsFromSysctls(sysctlList),
},
},
Spec: v1.PodSpec{
Containers: []v1.Container{
@ -136,6 +132,9 @@ func sysctlTestPod(name string, sysctls map[string]string) *v1.Pod {
},
},
RestartPolicy: v1.RestartPolicyNever,
SecurityContext: &v1.PodSecurityContext{
Sysctls: sysctlList,
},
},
}
}