Commit 24271c4c authored by Josh Horwitz's avatar Josh Horwitz

staging client

parent 0fc75d5f
...@@ -884,6 +884,10 @@ type PodSecurityPolicySpec struct { ...@@ -884,6 +884,10 @@ type PodSecurityPolicySpec struct {
// will not be forced to. // will not be forced to.
// +optional // +optional
ReadOnlyRootFilesystem bool ReadOnlyRootFilesystem bool
// AllowedHostPaths is a white list of allowed host path prefixes. Empty indicates that all
// host paths may be used.
// +optional
AllowedHostPaths []string
} }
// HostPortRange defines a range of host ports that will be enabled by a policy // HostPortRange defines a range of host ports that will be enabled by a policy
......
...@@ -710,6 +710,11 @@ message PodSecurityPolicySpec { ...@@ -710,6 +710,11 @@ message PodSecurityPolicySpec {
// will not be forced to. // will not be forced to.
// +optional // +optional
optional bool readOnlyRootFilesystem = 14; optional bool readOnlyRootFilesystem = 14;
// AllowedHostPaths is a white list of allowed host path prefixes. Empty indicates that all
// host paths may be used.
// +optional
repeated string allowedHostPaths = 15;
} }
// ReplicaSet represents the configuration of a ReplicaSet. // ReplicaSet represents the configuration of a ReplicaSet.
......
...@@ -909,6 +909,10 @@ type PodSecurityPolicySpec struct { ...@@ -909,6 +909,10 @@ type PodSecurityPolicySpec struct {
// will not be forced to. // will not be forced to.
// +optional // +optional
ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"` ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
// AllowedHostPaths is a white list of allowed host path prefixes. Empty indicates that all
// host paths may be used.
// +optional
AllowedHostPaths []string `json:"allowedHostPaths,omitempty" protobuf:"bytes,15,opt,name=allowedHostPaths"`
} }
// FS Type gives strong typing to different file systems that are used by volumes. // FS Type gives strong typing to different file systems that are used by volumes.
......
...@@ -423,6 +423,7 @@ var map_PodSecurityPolicySpec = map[string]string{ ...@@ -423,6 +423,7 @@ var map_PodSecurityPolicySpec = map[string]string{
"supplementalGroups": "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.", "supplementalGroups": "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
"fsGroup": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.", "fsGroup": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.", "readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
"allowedHostPaths": "AllowedHostPaths is a white list of allowed host path prefixes. Empty indicates that all host paths may be used.",
} }
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string { func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {
......
...@@ -1215,6 +1215,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp ...@@ -1215,6 +1215,7 @@ func autoConvert_v1beta1_PodSecurityPolicySpec_To_extensions_PodSecurityPolicySp
return err return err
} }
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.AllowedHostPaths = *(*[]string)(unsafe.Pointer(&in.AllowedHostPaths))
return nil return nil
} }
...@@ -1256,6 +1257,7 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp ...@@ -1256,6 +1257,7 @@ func autoConvert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySp
return err return err
} }
out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
out.AllowedHostPaths = *(*[]string)(unsafe.Pointer(&in.AllowedHostPaths))
return nil return nil
} }
......
...@@ -826,6 +826,11 @@ func DeepCopy_v1beta1_PodSecurityPolicySpec(in interface{}, out interface{}, c * ...@@ -826,6 +826,11 @@ func DeepCopy_v1beta1_PodSecurityPolicySpec(in interface{}, out interface{}, c *
if err := DeepCopy_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, c); err != nil { if err := DeepCopy_v1beta1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, c); err != nil {
return err return err
} }
if in.AllowedHostPaths != nil {
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
*out = make([]string, len(*in))
copy(*out, *in)
}
return nil return nil
} }
} }
......
...@@ -818,6 +818,11 @@ func DeepCopy_extensions_PodSecurityPolicySpec(in interface{}, out interface{}, ...@@ -818,6 +818,11 @@ func DeepCopy_extensions_PodSecurityPolicySpec(in interface{}, out interface{},
if err := DeepCopy_extensions_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, c); err != nil { if err := DeepCopy_extensions_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, c); err != nil {
return err return err
} }
if in.AllowedHostPaths != nil {
in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
*out = make([]string, len(*in))
copy(*out, *in)
}
return nil return nil
} }
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment