github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #77147 from wk8/wk8/win_sec_opts 

Adding a new `WindowsSecurityOptions` struct
k3s-v1.15.3
Kubernetes Prow Robot 2019-05-02 16:22:44 -07:00 committed by GitHub
parent 0b10d1b830 03907a3bf6
commit 1adaf2cd5b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 1429 additions and 1099 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
api/openapi-spec/swagger.json generated
View File

@ -9221,6 +9221,10 @@
"$ref": "#/definitions/io.k8s.api.core.v1.Sysctl"
},
"type": "array"
},
"windowsOptions": {
"$ref": "#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions",
"description": "Windows security options."
}
},
"type": "object"
@ -10456,6 +10460,10 @@
"seLinuxOptions": {
"$ref": "#/definitions/io.k8s.api.core.v1.SELinuxOptions",
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"windowsOptions": {
"$ref": "#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions",
"description": "Windows security options."
}
},
"type": "object"
@ -11208,6 +11216,10 @@
],
"type": "object"
},
"io.k8s.api.core.v1.WindowsSecurityContextOptions": {
"description": "WindowsSecurityContextOptions contain Windows-specific options and credentials.",
"type": "object"
},
"io.k8s.api.events.v1beta1.Event": {
"description": "Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system.",
"properties": {

11
pkg/apis/core/types.go
View File

@ -2730,6 +2730,9 @@ type PodSecurityContext struct {
// takes precedence for that container.
// +optional
SELinuxOptions *SELinuxOptions
// Windows security options.
// +optional
WindowsOptions *WindowsSecurityContextOptions
// The UID to run the entrypoint of the container process.
// Defaults to user specified in image metadata if unspecified.
// May also be set in SecurityContext. If set in both SecurityContext and
@ -4655,6 +4658,9 @@ type SecurityContext struct {
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// +optional
SELinuxOptions *SELinuxOptions
// Windows security options.
// +optional
WindowsOptions *WindowsSecurityContextOptions
// The UID to run the entrypoint of the container process.
// Defaults to user specified in image metadata if unspecified.
// May also be set in PodSecurityContext. If set in both SecurityContext and
@ -4721,6 +4727,11 @@ type SELinuxOptions struct {
Level string
}
// WindowsSecurityContextOptions contain Windows-specific options and credentials.
type WindowsSecurityContextOptions struct {
// intentionally left empty for now
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// RangeAllocation is an opaque API object (not exposed to end users) that can be persisted to record

32
pkg/apis/core/v1/zz_generated.conversion.go generated
View File

@ -2010,6 +2010,16 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1.WindowsSecurityContextOptions)(nil), (*core.WindowsSecurityContextOptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_WindowsSecurityContextOptions_To_core_WindowsSecurityContextOptions(a.(*v1.WindowsSecurityContextOptions), b.(*core.WindowsSecurityContextOptions), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*core.WindowsSecurityContextOptions)(nil), (*v1.WindowsSecurityContextOptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_core_WindowsSecurityContextOptions_To_v1_WindowsSecurityContextOptions(a.(*core.WindowsSecurityContextOptions), b.(*v1.WindowsSecurityContextOptions), scope)
}); err != nil {
return err
}
if err := s.AddConversionFunc((*apps.ReplicaSetSpec)(nil), (*v1.ReplicationControllerSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_apps_ReplicaSetSpec_To_v1_ReplicationControllerSpec(a.(*apps.ReplicaSetSpec), b.(*v1.ReplicationControllerSpec), scope)
}); err != nil {
@ -5481,6 +5491,7 @@ func Convert_core_PodReadinessGate_To_v1_PodReadinessGate(in *core.PodReadinessG
func autoConvert_v1_PodSecurityContext_To_core_PodSecurityContext(in *v1.PodSecurityContext, out *core.PodSecurityContext, s conversion.Scope) error {
out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.WindowsOptions = (*core.WindowsSecurityContextOptions)(unsafe.Pointer(in.WindowsOptions))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsGroup = (*int64)(unsafe.Pointer(in.RunAsGroup))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
@ -5501,6 +5512,7 @@ func autoConvert_core_PodSecurityContext_To_v1_PodSecurityContext(in *core.PodSe
// INFO: in.HostIPC opted out of conversion generation
// INFO: in.ShareProcessNamespace opted out of conversion generation
out.SELinuxOptions = (*v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.WindowsOptions = (*v1.WindowsSecurityContextOptions)(unsafe.Pointer(in.WindowsOptions))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsGroup = (*int64)(unsafe.Pointer(in.RunAsGroup))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
@ -6738,6 +6750,7 @@ func autoConvert_v1_SecurityContext_To_core_SecurityContext(in *v1.SecurityConte
out.Capabilities = (*core.Capabilities)(unsafe.Pointer(in.Capabilities))
out.Privileged = (*bool)(unsafe.Pointer(in.Privileged))
out.SELinuxOptions = (*core.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.WindowsOptions = (*core.WindowsSecurityContextOptions)(unsafe.Pointer(in.WindowsOptions))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsGroup = (*int64)(unsafe.Pointer(in.RunAsGroup))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
@ -6756,6 +6769,7 @@ func autoConvert_core_SecurityContext_To_v1_SecurityContext(in *core.SecurityCon
out.Capabilities = (*v1.Capabilities)(unsafe.Pointer(in.Capabilities))
out.Privileged = (*bool)(unsafe.Pointer(in.Privileged))
out.SELinuxOptions = (*v1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
out.WindowsOptions = (*v1.WindowsSecurityContextOptions)(unsafe.Pointer(in.WindowsOptions))
out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
out.RunAsGroup = (*int64)(unsafe.Pointer(in.RunAsGroup))
out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
@ -7581,3 +7595,21 @@ func autoConvert_core_WeightedPodAffinityTerm_To_v1_WeightedPodAffinityTerm(in *
func Convert_core_WeightedPodAffinityTerm_To_v1_WeightedPodAffinityTerm(in *core.WeightedPodAffinityTerm, out *v1.WeightedPodAffinityTerm, s conversion.Scope) error {
return autoConvert_core_WeightedPodAffinityTerm_To_v1_WeightedPodAffinityTerm(in, out, s)
}
func autoConvert_v1_WindowsSecurityContextOptions_To_core_WindowsSecurityContextOptions(in *v1.WindowsSecurityContextOptions, out *core.WindowsSecurityContextOptions, s conversion.Scope) error {
return nil
}
// Convert_v1_WindowsSecurityContextOptions_To_core_WindowsSecurityContextOptions is an autogenerated conversion function.
func Convert_v1_WindowsSecurityContextOptions_To_core_WindowsSecurityContextOptions(in *v1.WindowsSecurityContextOptions, out *core.WindowsSecurityContextOptions, s conversion.Scope) error {
return autoConvert_v1_WindowsSecurityContextOptions_To_core_WindowsSecurityContextOptions(in, out, s)
}
func autoConvert_core_WindowsSecurityContextOptions_To_v1_WindowsSecurityContextOptions(in *core.WindowsSecurityContextOptions, out *v1.WindowsSecurityContextOptions, s conversion.Scope) error {
return nil
}
// Convert_core_WindowsSecurityContextOptions_To_v1_WindowsSecurityContextOptions is an autogenerated conversion function.
func Convert_core_WindowsSecurityContextOptions_To_v1_WindowsSecurityContextOptions(in *core.WindowsSecurityContextOptions, out *v1.WindowsSecurityContextOptions, s conversion.Scope) error {
return autoConvert_core_WindowsSecurityContextOptions_To_v1_WindowsSecurityContextOptions(in, out, s)
}

26
pkg/apis/core/zz_generated.deepcopy.go generated
View File

@ -3456,6 +3456,11 @@ func (in *PodSecurityContext) DeepCopyInto(out *PodSecurityContext) {
*out = new(SELinuxOptions)
**out = **in
}
if in.WindowsOptions != nil {
in, out := &in.WindowsOptions, &out.WindowsOptions
*out = new(WindowsSecurityContextOptions)
**out = **in
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(int64)
@ -4633,6 +4638,11 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
*out = new(SELinuxOptions)
**out = **in
}
if in.WindowsOptions != nil {
in, out := &in.WindowsOptions, &out.WindowsOptions
*out = new(WindowsSecurityContextOptions)
**out = **in
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(int64)
@ -5456,3 +5466,19 @@ func (in *WeightedPodAffinityTerm) DeepCopy() *WeightedPodAffinityTerm {
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WindowsSecurityContextOptions) DeepCopyInto(out *WindowsSecurityContextOptions) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WindowsSecurityContextOptions.
func (in *WindowsSecurityContextOptions) DeepCopy() *WindowsSecurityContextOptions {
if in == nil {
return nil
}
out := new(WindowsSecurityContextOptions)
in.DeepCopyInto(out)
return out
}

2388
staging/src/k8s.io/api/core/v1/generated.pb.go generated
View File

File diff suppressed because it is too large Load Diff

12
staging/src/k8s.io/api/core/v1/generated.proto
View File

@ -2927,6 +2927,10 @@ message PodSecurityContext {
// +optional
optional SELinuxOptions seLinuxOptions = 1;
// Windows security options.
// +optional
optional WindowsSecurityContextOptions windowsOptions = 8;
// The UID to run the entrypoint of the container process.
// Defaults to user specified in image metadata if unspecified.
// May also be set in SecurityContext. If set in both SecurityContext and
@ -4081,6 +4085,10 @@ message SecurityContext {
// +optional
optional SELinuxOptions seLinuxOptions = 3;
// Windows security options.
// +optional
optional WindowsSecurityContextOptions windowsOptions = 10;
// The UID to run the entrypoint of the container process.
// Defaults to user specified in image metadata if unspecified.
// May also be set in PodSecurityContext. If set in both SecurityContext and
@ -4843,3 +4851,7 @@ message WeightedPodAffinityTerm {
optional PodAffinityTerm podAffinityTerm = 2;
}
// WindowsSecurityContextOptions contain Windows-specific options and credentials.
message WindowsSecurityContextOptions {
}

11
staging/src/k8s.io/api/core/v1/types.go
View File

@ -3000,6 +3000,9 @@ type PodSecurityContext struct {
// takes precedence for that container.
// +optional
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,1,opt,name=seLinuxOptions"`
// Windows security options.
// +optional
WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,8,opt,name=windowsOptions"`
// The UID to run the entrypoint of the container process.
// Defaults to user specified in image metadata if unspecified.
// May also be set in SecurityContext. If set in both SecurityContext and
@ -5267,6 +5270,9 @@ type SecurityContext struct {
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// +optional
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
// Windows security options.
// +optional
WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,10,opt,name=windowsOptions"`
// The UID to run the entrypoint of the container process.
// Defaults to user specified in image metadata if unspecified.
// May also be set in PodSecurityContext. If set in both SecurityContext and
@ -5337,6 +5343,11 @@ type SELinuxOptions struct {
Level string `json:"level,omitempty" protobuf:"bytes,4,opt,name=level"`
}
// WindowsSecurityContextOptions contain Windows-specific options and credentials.
type WindowsSecurityContextOptions struct {
// intentionally left empty for now
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// RangeAllocation is not a public type.

10
staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go generated
View File

@ -1501,6 +1501,7 @@ func (PodReadinessGate) SwaggerDoc() map[string]string {
var map_PodSecurityContext = map[string]string{
"": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
"seLinuxOptions": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.",
"windowsOptions": "Windows security options.",
"runAsUser": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.",
"runAsGroup": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.",
"runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
@ -2010,6 +2011,7 @@ var map_SecurityContext = map[string]string{
"capabilities": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
"privileged": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
"seLinuxOptions": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"windowsOptions": "Windows security options.",
"runAsUser": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"runAsGroup": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
@ -2359,4 +2361,12 @@ func (WeightedPodAffinityTerm) SwaggerDoc() map[string]string {
return map_WeightedPodAffinityTerm
}
var map_WindowsSecurityContextOptions = map[string]string{
"": "WindowsSecurityContextOptions contain Windows-specific options and credentials.",
}
func (WindowsSecurityContextOptions) SwaggerDoc() map[string]string {
return map_WindowsSecurityContextOptions
}
// AUTO-GENERATED FUNCTIONS END HERE

26
staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go generated
View File

@ -3449,6 +3449,11 @@ func (in *PodSecurityContext) DeepCopyInto(out *PodSecurityContext) {
*out = new(SELinuxOptions)
**out = **in
}
if in.WindowsOptions != nil {
in, out := &in.WindowsOptions, &out.WindowsOptions
*out = new(WindowsSecurityContextOptions)
**out = **in
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(int64)
@ -4643,6 +4648,11 @@ func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
*out = new(SELinuxOptions)
**out = **in
}
if in.WindowsOptions != nil {
in, out := &in.WindowsOptions, &out.WindowsOptions
*out = new(WindowsSecurityContextOptions)
**out = **in
}
if in.RunAsUser != nil {
in, out := &in.RunAsUser, &out.RunAsUser
*out = new(int64)
@ -5471,3 +5481,19 @@ func (in *WeightedPodAffinityTerm) DeepCopy() *WeightedPodAffinityTerm {
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WindowsSecurityContextOptions) DeepCopyInto(out *WindowsSecurityContextOptions) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WindowsSecurityContextOptions.
func (in *WindowsSecurityContextOptions) DeepCopy() *WindowsSecurityContextOptions {
if in == nil {
return nil
}
out := new(WindowsSecurityContextOptions)
in.DeepCopyInto(out)
return out
}