make update

parent 40d238b9
...@@ -84180,6 +84180,10 @@ ...@@ -84180,6 +84180,10 @@
"description": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.", "description": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
"type": "boolean" "type": "boolean"
}, },
"procMount": {
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.",
"type": "string"
},
"readOnlyRootFilesystem": { "readOnlyRootFilesystem": {
"description": "Whether this container has a read-only root filesystem. Default is false.", "description": "Whether this container has a read-only root filesystem. Default is false.",
"type": "boolean" "type": "boolean"
...@@ -86042,6 +86046,13 @@ ...@@ -86042,6 +86046,13 @@
"$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath" "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath"
} }
}, },
"allowedProcMountTypes": {
"description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.",
"type": "array",
"items": {
"type": "string"
}
},
"allowedUnsafeSysctls": { "allowedUnsafeSysctls": {
"description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"type": "array", "type": "array",
...@@ -86943,6 +86954,13 @@ ...@@ -86943,6 +86954,13 @@
"$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedHostPath" "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedHostPath"
} }
}, },
"allowedProcMountTypes": {
"description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.",
"type": "array",
"items": {
"type": "string"
}
},
"allowedUnsafeSysctls": { "allowedUnsafeSysctls": {
"description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"type": "array", "type": "array",
...@@ -8381,6 +8381,9 @@ ...@@ -8381,6 +8381,9 @@
"v1.SecurityContext": { "v1.SecurityContext": {
"id": "v1.SecurityContext", "id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"required": [
"procMount"
],
"properties": { "properties": {
"capabilities": { "capabilities": {
"$ref": "v1.Capabilities", "$ref": "v1.Capabilities",
...@@ -8415,6 +8418,10 @@ ...@@ -8415,6 +8418,10 @@
"allowPrivilegeEscalation": { "allowPrivilegeEscalation": {
"type": "boolean", "type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN" "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
},
"procMount": {
"$ref": "v1.ProcMountType",
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -8464,6 +8471,10 @@ ...@@ -8464,6 +8471,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.PodSecurityContext": { "v1.PodSecurityContext": {
"id": "v1.PodSecurityContext", "id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
......
...@@ -5989,6 +5989,9 @@ ...@@ -5989,6 +5989,9 @@
"v1.SecurityContext": { "v1.SecurityContext": {
"id": "v1.SecurityContext", "id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"required": [
"procMount"
],
"properties": { "properties": {
"capabilities": { "capabilities": {
"$ref": "v1.Capabilities", "$ref": "v1.Capabilities",
...@@ -6023,6 +6026,10 @@ ...@@ -6023,6 +6026,10 @@
"allowPrivilegeEscalation": { "allowPrivilegeEscalation": {
"type": "boolean", "type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN" "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
},
"procMount": {
"$ref": "v1.ProcMountType",
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -6072,6 +6079,10 @@ ...@@ -6072,6 +6079,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.PodSecurityContext": { "v1.PodSecurityContext": {
"id": "v1.PodSecurityContext", "id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
......
...@@ -8381,6 +8381,9 @@ ...@@ -8381,6 +8381,9 @@
"v1.SecurityContext": { "v1.SecurityContext": {
"id": "v1.SecurityContext", "id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"required": [
"procMount"
],
"properties": { "properties": {
"capabilities": { "capabilities": {
"$ref": "v1.Capabilities", "$ref": "v1.Capabilities",
...@@ -8415,6 +8418,10 @@ ...@@ -8415,6 +8418,10 @@
"allowPrivilegeEscalation": { "allowPrivilegeEscalation": {
"type": "boolean", "type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN" "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
},
"procMount": {
"$ref": "v1.ProcMountType",
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -8464,6 +8471,10 @@ ...@@ -8464,6 +8471,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.PodSecurityContext": { "v1.PodSecurityContext": {
"id": "v1.PodSecurityContext", "id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
......
...@@ -3296,6 +3296,9 @@ ...@@ -3296,6 +3296,9 @@
"v1.SecurityContext": { "v1.SecurityContext": {
"id": "v1.SecurityContext", "id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"required": [
"procMount"
],
"properties": { "properties": {
"capabilities": { "capabilities": {
"$ref": "v1.Capabilities", "$ref": "v1.Capabilities",
...@@ -3330,6 +3333,10 @@ ...@@ -3330,6 +3333,10 @@
"allowPrivilegeEscalation": { "allowPrivilegeEscalation": {
"type": "boolean", "type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN" "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
},
"procMount": {
"$ref": "v1.ProcMountType",
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -3379,6 +3386,10 @@ ...@@ -3379,6 +3386,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.PodSecurityContext": { "v1.PodSecurityContext": {
"id": "v1.PodSecurityContext", "id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
......
...@@ -3351,6 +3351,9 @@ ...@@ -3351,6 +3351,9 @@
"v1.SecurityContext": { "v1.SecurityContext": {
"id": "v1.SecurityContext", "id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"required": [
"procMount"
],
"properties": { "properties": {
"capabilities": { "capabilities": {
"$ref": "v1.Capabilities", "$ref": "v1.Capabilities",
...@@ -3385,6 +3388,10 @@ ...@@ -3385,6 +3388,10 @@
"allowPrivilegeEscalation": { "allowPrivilegeEscalation": {
"type": "boolean", "type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN" "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
},
"procMount": {
"$ref": "v1.ProcMountType",
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -3434,6 +3441,10 @@ ...@@ -3434,6 +3441,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.PodSecurityContext": { "v1.PodSecurityContext": {
"id": "v1.PodSecurityContext", "id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
......
...@@ -3351,6 +3351,9 @@ ...@@ -3351,6 +3351,9 @@
"v1.SecurityContext": { "v1.SecurityContext": {
"id": "v1.SecurityContext", "id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"required": [
"procMount"
],
"properties": { "properties": {
"capabilities": { "capabilities": {
"$ref": "v1.Capabilities", "$ref": "v1.Capabilities",
...@@ -3385,6 +3388,10 @@ ...@@ -3385,6 +3388,10 @@
"allowPrivilegeEscalation": { "allowPrivilegeEscalation": {
"type": "boolean", "type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN" "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
},
"procMount": {
"$ref": "v1.ProcMountType",
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -3434,6 +3441,10 @@ ...@@ -3434,6 +3441,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.PodSecurityContext": { "v1.PodSecurityContext": {
"id": "v1.PodSecurityContext", "id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
......
...@@ -9029,6 +9029,9 @@ ...@@ -9029,6 +9029,9 @@
"v1.SecurityContext": { "v1.SecurityContext": {
"id": "v1.SecurityContext", "id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"required": [
"procMount"
],
"properties": { "properties": {
"capabilities": { "capabilities": {
"$ref": "v1.Capabilities", "$ref": "v1.Capabilities",
...@@ -9063,6 +9066,10 @@ ...@@ -9063,6 +9066,10 @@
"allowPrivilegeEscalation": { "allowPrivilegeEscalation": {
"type": "boolean", "type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN" "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
},
"procMount": {
"$ref": "v1.ProcMountType",
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -9112,6 +9119,10 @@ ...@@ -9112,6 +9119,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.PodSecurityContext": { "v1.PodSecurityContext": {
"id": "v1.PodSecurityContext", "id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
...@@ -10520,6 +10531,13 @@ ...@@ -10520,6 +10531,13 @@
"type": "string" "type": "string"
}, },
"description": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc." "description": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."
},
"allowedProcMountTypes": {
"type": "array",
"items": {
"$ref": "v1.ProcMountType"
},
"description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
......
...@@ -2545,6 +2545,13 @@ ...@@ -2545,6 +2545,13 @@
"type": "string" "type": "string"
}, },
"description": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc." "description": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."
},
"allowedProcMountTypes": {
"type": "array",
"items": {
"$ref": "v1.ProcMountType"
},
"description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -2716,6 +2723,10 @@ ...@@ -2716,6 +2723,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.APIResourceList": { "v1.APIResourceList": {
"id": "v1.APIResourceList", "id": "v1.APIResourceList",
"description": "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.", "description": "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.",
......
...@@ -21845,6 +21845,9 @@ ...@@ -21845,6 +21845,9 @@
"v1.SecurityContext": { "v1.SecurityContext": {
"id": "v1.SecurityContext", "id": "v1.SecurityContext",
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
"required": [
"procMount"
],
"properties": { "properties": {
"capabilities": { "capabilities": {
"$ref": "v1.Capabilities", "$ref": "v1.Capabilities",
...@@ -21879,6 +21882,10 @@ ...@@ -21879,6 +21882,10 @@
"allowPrivilegeEscalation": { "allowPrivilegeEscalation": {
"type": "boolean", "type": "boolean",
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN" "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
},
"procMount": {
"$ref": "v1.ProcMountType",
"description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled."
} }
} }
}, },
...@@ -21928,6 +21935,10 @@ ...@@ -21928,6 +21935,10 @@
} }
} }
}, },
"v1.ProcMountType": {
"id": "v1.ProcMountType",
"properties": {}
},
"v1.PodSecurityContext": { "v1.PodSecurityContext": {
"id": "v1.PodSecurityContext", "id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
......
...@@ -6747,6 +6747,13 @@ Examples:<br> ...@@ -6747,6 +6747,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -7943,10 +7950,6 @@ The StatefulSet guarantees that a given network identity will always map to the ...@@ -7943,10 +7950,6 @@ The StatefulSet guarantees that a given network identity will always map to the
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_azuredatadiskkind">v1.AzureDataDiskKind</h3>
</div>
<div class="sect2">
<h3 id="_v1_preferredschedulingterm">v1.PreferredSchedulingTerm</h3> <h3 id="_v1_preferredschedulingterm">v1.PreferredSchedulingTerm</h3>
<div class="paragraph"> <div class="paragraph">
<p>An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it&#8217;s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).</p> <p>An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it&#8217;s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).</p>
...@@ -7988,6 +7991,10 @@ The StatefulSet guarantees that a given network identity will always map to the ...@@ -7988,6 +7991,10 @@ The StatefulSet guarantees that a given network identity will always map to the
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_azuredatadiskkind">v1.AzureDataDiskKind</h3>
</div>
<div class="sect2">
<h3 id="_v1_configmapkeyselector">v1.ConfigMapKeySelector</h3> <h3 id="_v1_configmapkeyselector">v1.ConfigMapKeySelector</h3>
<div class="paragraph"> <div class="paragraph">
<p>Selects a key from a ConfigMap.</p> <p>Selects a key from a ConfigMap.</p>
...@@ -8040,6 +8047,10 @@ The StatefulSet guarantees that a given network identity will always map to the ...@@ -8040,6 +8047,10 @@ The StatefulSet guarantees that a given network identity will always map to the
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_any">any</h3> <h3 id="_any">any</h3>
<div class="paragraph"> <div class="paragraph">
<p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p> <p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p>
......
...@@ -6607,6 +6607,13 @@ Examples:<br> ...@@ -6607,6 +6607,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -7331,10 +7338,6 @@ Examples:<br> ...@@ -7331,10 +7338,6 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_azuredatadiskkind">v1.AzureDataDiskKind</h3>
</div>
<div class="sect2">
<h3 id="_v1_preferredschedulingterm">v1.PreferredSchedulingTerm</h3> <h3 id="_v1_preferredschedulingterm">v1.PreferredSchedulingTerm</h3>
<div class="paragraph"> <div class="paragraph">
<p>An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it&#8217;s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).</p> <p>An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it&#8217;s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).</p>
...@@ -7376,6 +7379,10 @@ Examples:<br> ...@@ -7376,6 +7379,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_azuredatadiskkind">v1.AzureDataDiskKind</h3>
</div>
<div class="sect2">
<h3 id="_v1_configmapkeyselector">v1.ConfigMapKeySelector</h3> <h3 id="_v1_configmapkeyselector">v1.ConfigMapKeySelector</h3>
<div class="paragraph"> <div class="paragraph">
<p>Selects a key from a ConfigMap.</p> <p>Selects a key from a ConfigMap.</p>
...@@ -7428,6 +7435,10 @@ Examples:<br> ...@@ -7428,6 +7435,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_any">any</h3> <h3 id="_any">any</h3>
<div class="paragraph"> <div class="paragraph">
<p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p> <p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p>
......
...@@ -6886,6 +6886,13 @@ Examples:<br> ...@@ -6886,6 +6886,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -7912,10 +7919,6 @@ Examples:<br> ...@@ -7912,10 +7919,6 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_azuredatadiskkind">v1.AzureDataDiskKind</h3>
</div>
<div class="sect2">
<h3 id="_v1_preferredschedulingterm">v1.PreferredSchedulingTerm</h3> <h3 id="_v1_preferredschedulingterm">v1.PreferredSchedulingTerm</h3>
<div class="paragraph"> <div class="paragraph">
<p>An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it&#8217;s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).</p> <p>An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it&#8217;s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).</p>
...@@ -7957,6 +7960,10 @@ Examples:<br> ...@@ -7957,6 +7960,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_azuredatadiskkind">v1.AzureDataDiskKind</h3>
</div>
<div class="sect2">
<h3 id="_v1_configmapkeyselector">v1.ConfigMapKeySelector</h3> <h3 id="_v1_configmapkeyselector">v1.ConfigMapKeySelector</h3>
<div class="paragraph"> <div class="paragraph">
<p>Selects a key from a ConfigMap.</p> <p>Selects a key from a ConfigMap.</p>
...@@ -8050,6 +8057,10 @@ Examples:<br> ...@@ -8050,6 +8057,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_any">any</h3> <h3 id="_any">any</h3>
<div class="paragraph"> <div class="paragraph">
<p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p> <p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p>
......
...@@ -5146,12 +5146,9 @@ Examples:<br> ...@@ -5146,12 +5146,9 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_secretprojection">v1.SecretProjection</h3> <h3 id="_v1_poddnsconfigoption">v1.PodDNSConfigOption</h3>
<div class="paragraph">
<p>Adapts a secret into a projected volume.</p>
</div>
<div class="paragraph"> <div class="paragraph">
<p>The contents of the target Secret&#8217;s Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.</p> <p>PodDNSConfigOption defines DNS resolver options of a pod.</p>
</div> </div>
<table class="tableblock frame-all grid-all" style="width:100%; "> <table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup> <colgroup>
...@@ -5173,33 +5170,29 @@ Examples:<br> ...@@ -5173,33 +5170,29 @@ Examples:<br>
<tbody> <tbody>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of the referent. More info: <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names">https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names</a></p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">Required.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">items</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the <em>..</em> path or start with <em>..</em>.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_keytopath">v1.KeyToPath</a> array</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">optional</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Specify whether the Secret or its key must be defined</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_poddnsconfigoption">v1.PodDNSConfigOption</h3> <h3 id="_v1_secretprojection">v1.SecretProjection</h3>
<div class="paragraph"> <div class="paragraph">
<p>PodDNSConfigOption defines DNS resolver options of a pod.</p> <p>Adapts a secret into a projected volume.</p>
</div>
<div class="paragraph">
<p>The contents of the target Secret&#8217;s Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.</p>
</div> </div>
<table class="tableblock frame-all grid-all" style="width:100%; "> <table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup> <colgroup>
...@@ -5221,18 +5214,25 @@ Examples:<br> ...@@ -5221,18 +5214,25 @@ Examples:<br>
<tbody> <tbody>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Required.</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">Name of the referent. More info: <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names">https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">items</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"><p class="tableblock">If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the <em>..</em> path or start with <em>..</em>.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_keytopath">v1.KeyToPath</a> array</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">optional</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Specify whether the Secret or its key must be defined</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -5371,6 +5371,13 @@ Examples:<br> ...@@ -5371,6 +5371,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -6195,6 +6202,10 @@ Examples:<br> ...@@ -6195,6 +6202,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_any">any</h3> <h3 id="_any">any</h3>
<div class="paragraph"> <div class="paragraph">
<p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p> <p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p>
......
...@@ -5508,6 +5508,13 @@ Examples:<br> ...@@ -5508,6 +5508,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -6291,6 +6298,10 @@ Examples:<br> ...@@ -6291,6 +6298,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_any">any</h3> <h3 id="_any">any</h3>
<div class="paragraph"> <div class="paragraph">
<p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p> <p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p>
......
...@@ -5309,6 +5309,13 @@ Examples:<br> ...@@ -5309,6 +5309,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -6291,6 +6298,10 @@ Examples:<br> ...@@ -6291,6 +6298,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_any">any</h3> <h3 id="_any">any</h3>
<div class="paragraph"> <div class="paragraph">
<p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p> <p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p>
......
...@@ -7245,12 +7245,9 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po ...@@ -7245,12 +7245,9 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_secretprojection">v1.SecretProjection</h3> <h3 id="_v1_poddnsconfigoption">v1.PodDNSConfigOption</h3>
<div class="paragraph">
<p>Adapts a secret into a projected volume.</p>
</div>
<div class="paragraph"> <div class="paragraph">
<p>The contents of the target Secret&#8217;s Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.</p> <p>PodDNSConfigOption defines DNS resolver options of a pod.</p>
</div> </div>
<table class="tableblock frame-all grid-all" style="width:100%; "> <table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup> <colgroup>
...@@ -7272,33 +7269,29 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po ...@@ -7272,33 +7269,29 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po
<tbody> <tbody>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Name of the referent. More info: <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names">https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names</a></p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">Required.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">items</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the <em>..</em> path or start with <em>..</em>.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_keytopath">v1.KeyToPath</a> array</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">optional</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Specify whether the Secret or its key must be defined</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_poddnsconfigoption">v1.PodDNSConfigOption</h3> <h3 id="_v1_secretprojection">v1.SecretProjection</h3>
<div class="paragraph"> <div class="paragraph">
<p>PodDNSConfigOption defines DNS resolver options of a pod.</p> <p>Adapts a secret into a projected volume.</p>
</div>
<div class="paragraph">
<p>The contents of the target Secret&#8217;s Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.</p>
</div> </div>
<table class="tableblock frame-all grid-all" style="width:100%; "> <table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup> <colgroup>
...@@ -7320,18 +7313,25 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po ...@@ -7320,18 +7313,25 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po
<tbody> <tbody>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Required.</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">Name of the referent. More info: <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names">https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">value</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">items</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"><p class="tableblock">If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the <em>..</em> path or start with <em>..</em>.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_keytopath">v1.KeyToPath</a> array</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">optional</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Specify whether the Secret or its key must be defined</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -7532,6 +7532,13 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po ...@@ -7532,6 +7532,13 @@ If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Po
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -8247,6 +8254,13 @@ Examples: e.g. "foo/</strong>" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" f ...@@ -8247,6 +8254,13 @@ Examples: e.g. "foo/</strong>" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" f
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowedProcMountTypes</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -8775,6 +8789,10 @@ Examples: e.g. "foo/</strong>" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" f ...@@ -8775,6 +8789,10 @@ Examples: e.g. "foo/</strong>" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" f
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_any">any</h3> <h3 id="_any">any</h3>
<div class="paragraph"> <div class="paragraph">
<p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p> <p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p>
......
...@@ -1508,6 +1508,13 @@ Examples: e.g. "foo/</strong>" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" f ...@@ -1508,6 +1508,13 @@ Examples: e.g. "foo/</strong>" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" f
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowedProcMountTypes</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -2237,6 +2244,10 @@ Examples:<br> ...@@ -2237,6 +2244,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_any">any</h3> <h3 id="_any">any</h3>
<div class="paragraph"> <div class="paragraph">
<p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p> <p>Represents an untyped JSON map - see the description of the field for more info about the structure of this object.</p>
......
...@@ -5080,6 +5080,13 @@ Examples:<br> ...@@ -5080,6 +5080,13 @@ Examples:<br>
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
</tr> </tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_procmounttype">v1.ProcMountType</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -6386,6 +6393,10 @@ Examples:<br> ...@@ -6386,6 +6393,10 @@ Examples:<br>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1_procmounttype">v1.ProcMountType</h3>
</div>
<div class="sect2">
<h3 id="_v1_apiresourcelist">v1.APIResourceList</h3> <h3 id="_v1_apiresourcelist">v1.APIResourceList</h3>
<div class="paragraph"> <div class="paragraph">
<p>APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.</p> <p>APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.</p>
......
...@@ -17,6 +17,7 @@ filegroup( ...@@ -17,6 +17,7 @@ filegroup(
"//pkg/api/persistentvolume:all-srcs", "//pkg/api/persistentvolume:all-srcs",
"//pkg/api/persistentvolumeclaim:all-srcs", "//pkg/api/persistentvolumeclaim:all-srcs",
"//pkg/api/pod:all-srcs", "//pkg/api/pod:all-srcs",
"//pkg/api/podsecuritypolicy:all-srcs",
"//pkg/api/ref:all-srcs", "//pkg/api/ref:all-srcs",
"//pkg/api/resource:all-srcs", "//pkg/api/resource:all-srcs",
"//pkg/api/service:all-srcs", "//pkg/api/service:all-srcs",
......
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_library(
name = "go_default_library",
srcs = ["util.go"],
importpath = "k8s.io/kubernetes/pkg/api/podsecuritypolicy",
deps = [
"//pkg/apis/policy:go_default_library",
"//pkg/features:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)
go_test(
name = "go_default_test",
srcs = ["util_test.go"],
embed = [":go_default_library"],
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library",
"//pkg/features:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
],
)
...@@ -263,9 +263,6 @@ func SetObjectDefaults_Pod(in *v1.Pod) { ...@@ -263,9 +263,6 @@ func SetObjectDefaults_Pod(in *v1.Pod) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Containers { for i := range in.Spec.Containers {
a := &in.Spec.Containers[i] a := &in.Spec.Containers[i]
...@@ -308,9 +305,6 @@ func SetObjectDefaults_Pod(in *v1.Pod) { ...@@ -308,9 +305,6 @@ func SetObjectDefaults_Pod(in *v1.Pod) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
...@@ -415,9 +409,6 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) { ...@@ -415,9 +409,6 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Template.Spec.Containers { for i := range in.Template.Spec.Containers {
a := &in.Template.Spec.Containers[i] a := &in.Template.Spec.Containers[i]
...@@ -460,9 +451,6 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) { ...@@ -460,9 +451,6 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
...@@ -569,9 +557,6 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) { ...@@ -569,9 +557,6 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
...@@ -614,9 +599,6 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) { ...@@ -614,9 +599,6 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
} }
......
...@@ -4589,6 +4589,11 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) { ...@@ -4589,6 +4589,11 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
*out = new(bool) *out = new(bool)
**out = **in **out = **in
} }
if in.ProcMount != nil {
in, out := &in.ProcMount, &out.ProcMount
*out = new(ProcMountType)
**out = **in
}
return return
} }
......
...@@ -1665,6 +1665,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(i ...@@ -1665,6 +1665,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(i
out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes)) out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls)) out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
out.AllowedProcMountTypes = *(*[]core.ProcMountType)(unsafe.Pointer(&in.AllowedProcMountTypes))
return nil return nil
} }
...@@ -1704,6 +1705,7 @@ func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(i ...@@ -1704,6 +1705,7 @@ func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(i
out.AllowedFlexVolumes = *(*[]v1beta1.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes)) out.AllowedFlexVolumes = *(*[]v1beta1.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls)) out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
out.AllowedProcMountTypes = *(*[]v1.ProcMountType)(unsafe.Pointer(&in.AllowedProcMountTypes))
return nil return nil
} }
......
...@@ -540,6 +540,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(i ...@@ -540,6 +540,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_policy_PodSecurityPolicySpec(i
out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes)) out.AllowedFlexVolumes = *(*[]policy.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls)) out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
out.AllowedProcMountTypes = *(*[]core.ProcMountType)(unsafe.Pointer(&in.AllowedProcMountTypes))
return nil return nil
} }
...@@ -579,6 +580,7 @@ func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(i ...@@ -579,6 +580,7 @@ func autoConvert_policy_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec(i
out.AllowedFlexVolumes = *(*[]v1beta1.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes)) out.AllowedFlexVolumes = *(*[]v1beta1.AllowedFlexVolume)(unsafe.Pointer(&in.AllowedFlexVolumes))
out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls)) out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
out.AllowedProcMountTypes = *(*[]corev1.ProcMountType)(unsafe.Pointer(&in.AllowedProcMountTypes))
return nil return nil
} }
......
...@@ -375,6 +375,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) { ...@@ -375,6 +375,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.AllowedProcMountTypes != nil {
in, out := &in.AllowedProcMountTypes, &out.AllowedProcMountTypes
*out = make([]core.ProcMountType, len(*in))
copy(*out, *in)
}
return return
} }
......
...@@ -14,6 +14,7 @@ go_library( ...@@ -14,6 +14,7 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/registry/policy/podsecuritypolicy", importpath = "k8s.io/kubernetes/pkg/registry/policy/podsecuritypolicy",
deps = [ deps = [
"//pkg/api/legacyscheme:go_default_library", "//pkg/api/legacyscheme:go_default_library",
"//pkg/api/podsecuritypolicy:go_default_library",
"//pkg/apis/policy:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/apis/policy/validation:go_default_library", "//pkg/apis/policy/validation:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
......
This source diff could not be displayed because it is too large. You can view the blob instead.
...@@ -4040,6 +4040,13 @@ message SecurityContext { ...@@ -4040,6 +4040,13 @@ message SecurityContext {
// 2) has CAP_SYS_ADMIN // 2) has CAP_SYS_ADMIN
// +optional // +optional
optional bool allowPrivilegeEscalation = 7; optional bool allowPrivilegeEscalation = 7;
// procMount denotes the type of proc mount to use for the containers.
// The default is DefaultProcMount which uses the container runtime defaults for
// readonly paths and masked paths.
// This requires the ProcMountType feature flag to be enabled.
// +optional
optional string procMount = 9;
} }
// SerializedReference is a reference to serialized object. // SerializedReference is a reference to serialized object.
......
...@@ -1987,6 +1987,7 @@ var map_SecurityContext = map[string]string{ ...@@ -1987,6 +1987,7 @@ var map_SecurityContext = map[string]string{
"runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", "runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"readOnlyRootFilesystem": "Whether this container has a read-only root filesystem. Default is false.", "readOnlyRootFilesystem": "Whether this container has a read-only root filesystem. Default is false.",
"allowPrivilegeEscalation": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN", "allowPrivilegeEscalation": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
"procMount": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.",
} }
func (SecurityContext) SwaggerDoc() map[string]string { func (SecurityContext) SwaggerDoc() map[string]string {
......
...@@ -4599,6 +4599,11 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) { ...@@ -4599,6 +4599,11 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
*out = new(bool) *out = new(bool)
**out = **in **out = **in
} }
if in.ProcMount != nil {
in, out := &in.ProcMount, &out.ProcMount
*out = new(ProcMountType)
**out = **in
}
return return
} }
......
...@@ -902,6 +902,12 @@ message PodSecurityPolicySpec { ...@@ -902,6 +902,12 @@ message PodSecurityPolicySpec {
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional // +optional
repeated string forbiddenSysctls = 20; repeated string forbiddenSysctls = 20;
// AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
// Empty or nil indicates that only the DefaultProcMountType may be used.
// This requires the ProcMountType feature flag to be enabled.
// +optional
repeated string allowedProcMountTypes = 21;
} }
// DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1beta2/ReplicaSet. See the release notes for // DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1beta2/ReplicaSet. See the release notes for
......
...@@ -481,6 +481,7 @@ var map_PodSecurityPolicySpec = map[string]string{ ...@@ -481,6 +481,7 @@ var map_PodSecurityPolicySpec = map[string]string{
"allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", "allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.",
"allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.", "forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
"allowedProcMountTypes": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.",
} }
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string { func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {
......
...@@ -1134,6 +1134,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) { ...@@ -1134,6 +1134,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.AllowedProcMountTypes != nil {
in, out := &in.AllowedProcMountTypes, &out.AllowedProcMountTypes
*out = make([]corev1.ProcMountType, len(*in))
copy(*out, *in)
}
return return
} }
......
...@@ -297,6 +297,12 @@ message PodSecurityPolicySpec { ...@@ -297,6 +297,12 @@ message PodSecurityPolicySpec {
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional // +optional
repeated string forbiddenSysctls = 20; repeated string forbiddenSysctls = 20;
// AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
// Empty or nil indicates that only the DefaultProcMountType may be used.
// This requires the ProcMountType feature flag to be enabled.
// +optional
repeated string allowedProcMountTypes = 21;
} }
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. // RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
......
...@@ -171,6 +171,7 @@ var map_PodSecurityPolicySpec = map[string]string{ ...@@ -171,6 +171,7 @@ var map_PodSecurityPolicySpec = map[string]string{
"allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", "allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.",
"allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.", "forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
"allowedProcMountTypes": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.",
} }
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string { func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {
......
...@@ -380,6 +380,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) { ...@@ -380,6 +380,11 @@ func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.AllowedProcMountTypes != nil {
in, out := &in.AllowedProcMountTypes, &out.AllowedProcMountTypes
*out = make([]corev1.ProcMountType, len(*in))
copy(*out, *in)
}
return return
} }
......
...@@ -12,11 +12,11 @@ ...@@ -12,11 +12,11 @@
}, },
{ {
"ImportPath": "github.com/Azure/go-ansiterm", "ImportPath": "github.com/Azure/go-ansiterm",
"Rev": "19f72df4d05d31cbe1c56bfc8045c96babff6c7e" "Rev": "d6e3b3328b783f23731bc4d058875b0371ff8109"
}, },
{ {
"ImportPath": "github.com/Azure/go-ansiterm/winterm", "ImportPath": "github.com/Azure/go-ansiterm/winterm",
"Rev": "19f72df4d05d31cbe1c56bfc8045c96babff6c7e" "Rev": "d6e3b3328b783f23731bc4d058875b0371ff8109"
}, },
{ {
"ImportPath": "github.com/NYTimes/gziphandler", "ImportPath": "github.com/NYTimes/gziphandler",
...@@ -364,11 +364,11 @@ ...@@ -364,11 +364,11 @@
}, },
{ {
"ImportPath": "github.com/docker/docker/pkg/term", "ImportPath": "github.com/docker/docker/pkg/term",
"Rev": "4f3616fb1c112e206b88cb7a9922bf49067a7756" "Rev": "a9fbbdc8dd8794b20af358382ab780559bca589d"
}, },
{ {
"ImportPath": "github.com/docker/docker/pkg/term/windows", "ImportPath": "github.com/docker/docker/pkg/term/windows",
"Rev": "4f3616fb1c112e206b88cb7a9922bf49067a7756" "Rev": "a9fbbdc8dd8794b20af358382ab780559bca589d"
}, },
{ {
"ImportPath": "github.com/elazarl/go-bindata-assetfs", "ImportPath": "github.com/elazarl/go-bindata-assetfs",
......
...@@ -12,11 +12,11 @@ ...@@ -12,11 +12,11 @@
}, },
{ {
"ImportPath": "github.com/Azure/go-ansiterm", "ImportPath": "github.com/Azure/go-ansiterm",
"Rev": "19f72df4d05d31cbe1c56bfc8045c96babff6c7e" "Rev": "d6e3b3328b783f23731bc4d058875b0371ff8109"
}, },
{ {
"ImportPath": "github.com/Azure/go-ansiterm/winterm", "ImportPath": "github.com/Azure/go-ansiterm/winterm",
"Rev": "19f72df4d05d31cbe1c56bfc8045c96babff6c7e" "Rev": "d6e3b3328b783f23731bc4d058875b0371ff8109"
}, },
{ {
"ImportPath": "github.com/NYTimes/gziphandler", "ImportPath": "github.com/NYTimes/gziphandler",
...@@ -364,11 +364,11 @@ ...@@ -364,11 +364,11 @@
}, },
{ {
"ImportPath": "github.com/docker/docker/pkg/term", "ImportPath": "github.com/docker/docker/pkg/term",
"Rev": "4f3616fb1c112e206b88cb7a9922bf49067a7756" "Rev": "a9fbbdc8dd8794b20af358382ab780559bca589d"
}, },
{ {
"ImportPath": "github.com/docker/docker/pkg/term/windows", "ImportPath": "github.com/docker/docker/pkg/term/windows",
"Rev": "4f3616fb1c112e206b88cb7a9922bf49067a7756" "Rev": "a9fbbdc8dd8794b20af358382ab780559bca589d"
}, },
{ {
"ImportPath": "github.com/elazarl/go-bindata-assetfs", "ImportPath": "github.com/elazarl/go-bindata-assetfs",
......
...@@ -12,11 +12,11 @@ ...@@ -12,11 +12,11 @@
}, },
{ {
"ImportPath": "github.com/Azure/go-ansiterm", "ImportPath": "github.com/Azure/go-ansiterm",
"Rev": "19f72df4d05d31cbe1c56bfc8045c96babff6c7e" "Rev": "d6e3b3328b783f23731bc4d058875b0371ff8109"
}, },
{ {
"ImportPath": "github.com/Azure/go-ansiterm/winterm", "ImportPath": "github.com/Azure/go-ansiterm/winterm",
"Rev": "19f72df4d05d31cbe1c56bfc8045c96babff6c7e" "Rev": "d6e3b3328b783f23731bc4d058875b0371ff8109"
}, },
{ {
"ImportPath": "github.com/NYTimes/gziphandler", "ImportPath": "github.com/NYTimes/gziphandler",
...@@ -96,11 +96,11 @@ ...@@ -96,11 +96,11 @@
}, },
{ {
"ImportPath": "github.com/docker/docker/pkg/term", "ImportPath": "github.com/docker/docker/pkg/term",
"Rev": "4f3616fb1c112e206b88cb7a9922bf49067a7756" "Rev": "a9fbbdc8dd8794b20af358382ab780559bca589d"
}, },
{ {
"ImportPath": "github.com/docker/docker/pkg/term/windows", "ImportPath": "github.com/docker/docker/pkg/term/windows",
"Rev": "4f3616fb1c112e206b88cb7a9922bf49067a7756" "Rev": "a9fbbdc8dd8794b20af358382ab780559bca589d"
}, },
{ {
"ImportPath": "github.com/docker/spdystream", "ImportPath": "github.com/docker/spdystream",
......
...@@ -12,11 +12,11 @@ ...@@ -12,11 +12,11 @@
}, },
{ {
"ImportPath": "github.com/Azure/go-ansiterm", "ImportPath": "github.com/Azure/go-ansiterm",
"Rev": "19f72df4d05d31cbe1c56bfc8045c96babff6c7e" "Rev": "d6e3b3328b783f23731bc4d058875b0371ff8109"
}, },
{ {
"ImportPath": "github.com/Azure/go-ansiterm/winterm", "ImportPath": "github.com/Azure/go-ansiterm/winterm",
"Rev": "19f72df4d05d31cbe1c56bfc8045c96babff6c7e" "Rev": "d6e3b3328b783f23731bc4d058875b0371ff8109"
}, },
{ {
"ImportPath": "github.com/NYTimes/gziphandler", "ImportPath": "github.com/NYTimes/gziphandler",
...@@ -96,11 +96,11 @@ ...@@ -96,11 +96,11 @@
}, },
{ {
"ImportPath": "github.com/docker/docker/pkg/term", "ImportPath": "github.com/docker/docker/pkg/term",
"Rev": "4f3616fb1c112e206b88cb7a9922bf49067a7756" "Rev": "a9fbbdc8dd8794b20af358382ab780559bca589d"
}, },
{ {
"ImportPath": "github.com/docker/docker/pkg/term/windows", "ImportPath": "github.com/docker/docker/pkg/term/windows",
"Rev": "4f3616fb1c112e206b88cb7a9922bf49067a7756" "Rev": "a9fbbdc8dd8794b20af358382ab780559bca589d"
}, },
{ {
"ImportPath": "github.com/elazarl/go-bindata-assetfs", "ImportPath": "github.com/elazarl/go-bindata-assetfs",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment