sysctl value `net.ipv4.ping_group_range` can be used for allowing `ping`
command without `CAP_NET_RAW` capability.
e.g. `net.ipv4.ping_group_range="0 42"` to allow ping for users with
GID 0-GID 42.
This sysctl value was introduced in kernel 3.0 and has been namespaced
since its birth.
c319b4d76b (diff-5b536a7a92abed603bbb4caa61613270R57)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Adds "MayRunAs" value among other group strategies. This strategy
allows to define a certain range of GIDs for FSGroupStrategy and
SupplementalGroupStrategy in a PSP.
This new strategy works similarly to the "MustRunAs" one, except that
when no GID is specified in a pod/container security context then no
GID is generated for the respective containers.
Resolves#56173
Automatic merge from submit-queue (batch tested with PRs 65251, 67255, 67224, 67297, 68105). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.
Cleanup PodSecurityPolicy AllowPrivEsc tests
**What this PR does / why we need it**:
Old tests were confusing and missing a lot of combinations. The new test is a simple table-driven test with all valid combinations.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes ##67387
**Special notes for your reviewer**:
Alternative to https://github.com/kubernetes/kubernetes/pull/67388
**Release note**:
```release-note
NONE
```
We had IDRange in both types prior 9440a68744 commit that splitted it
into UserIDRange/GroupIDRange. Later, in c91a12d205 commit we had to
revert this changes because they broke backward compatibility but
UserIDRange/GroupIDRange struct left in the internal type.
This commit removes these leftovers and reduces the differences
between internal and external types.
In order to make it compilable I had to remove these files manually:
pkg/client/listers/extensions/internalversion/podsecuritypolicy.go
pkg/client/informers/informers_generated/internalversion/extensions/internalversion/podsecuritypolicy.go
pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion/podsecuritypolicy.go
pkg/client/clientset_generated/internalclientset/typed/extensions/internalversion/fake/fake_podsecuritypolicy.go
Automatic merge from submit-queue (batch tested with PRs 61644, 61624, 61743, 61019, 61287). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add a sceneo UT test to TestMustRunAsOptions
**What this PR does / why we need it**:
Add a sceneo UT test to TestMustRunAsOptions when the opts is nil
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
PSP: fix strategy name in the error messages
**What this PR does / why we need it**:
This PR corrects strategy names in the error messages.
