github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix incorrect procMount defaulting

k3s-v1.14.4
Jordan Liggitt 2019-06-10 21:47:00 -04:00
parent 0020140bf3
commit 702f00c2af
17 changed files with 45 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
pkg/api/pod/util.go
View File

@ -406,12 +406,22 @@ func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {
defaultProcMount := api.DefaultProcMount defaultProcMount := api.DefaultProcMount
for i := range podSpec.Containers { for i := range podSpec.Containers {
if podSpec.Containers[i].SecurityContext != nil { if podSpec.Containers[i].SecurityContext != nil {
podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount if podSpec.Containers[i].SecurityContext.ProcMount != nil {
// The ProcMount field was improperly forced to non-nil in 1.12.
// If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.
// Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.
podSpec.Containers[i].SecurityContext.ProcMount = &defaultProcMount
}
} }
} }
for i := range podSpec.InitContainers { for i := range podSpec.InitContainers {
if podSpec.InitContainers[i].SecurityContext != nil { if podSpec.InitContainers[i].SecurityContext != nil {
podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount if podSpec.InitContainers[i].SecurityContext.ProcMount != nil {
// The ProcMount field was improperly forced to non-nil in 1.12.
// If the feature is disabled, and the existing object is not using any non-default values, and the ProcMount field is present in the incoming object, force to the default value.
// Note: we cannot force the field to nil when the feature is disabled because it causes a diff against previously persisted data.
podSpec.InitContainers[i].SecurityContext.ProcMount = &defaultProcMount
}
} }
} }
} }
@ -473,7 +483,7 @@ func runtimeClassInUse(podSpec *api.PodSpec) bool {
return false return false
} }
// procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set // procMountInUse returns true if the pod spec is non-nil and has a SecurityContext's ProcMount field set to a non-default value
func procMountInUse(podSpec *api.PodSpec) bool { func procMountInUse(podSpec *api.PodSpec) bool {
if podSpec == nil { if podSpec == nil {
return false return false

20
pkg/api/pod/util_test.go
View File

@ -616,7 +616,7 @@ func TestDropProcMount(t *testing.T) {
}, },
} }
} }
podWithoutProcMount := func() *api.Pod { podWithDefaultProcMount := func() *api.Pod {
return &api.Pod{ return &api.Pod{
Spec: api.PodSpec{ Spec: api.PodSpec{
RestartPolicy: api.RestartPolicyNever, RestartPolicy: api.RestartPolicyNever,
@ -625,6 +625,15 @@ func TestDropProcMount(t *testing.T) {
}, },
} }
} }
podWithoutProcMount := func() *api.Pod {
return &api.Pod{
Spec: api.PodSpec{
RestartPolicy: api.RestartPolicyNever,
Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
},
}
}
podInfo := []struct { podInfo := []struct {
description string description string
@ -636,6 +645,11 @@ func TestDropProcMount(t *testing.T) {
hasProcMount: true, hasProcMount: true,
pod: podWithProcMount, pod: podWithProcMount,
}, },
{
description: "has default ProcMount",
hasProcMount: false,
pod: podWithDefaultProcMount,
},
{ {
description: "does not have ProcMount", description: "does not have ProcMount",
hasProcMount: false, hasProcMount: false,
@ -683,8 +697,8 @@ func TestDropProcMount(t *testing.T) {
t.Errorf("new pod was not changed") t.Errorf("new pod was not changed")
} }
// new pod should not have ProcMount // new pod should not have ProcMount
if !reflect.DeepEqual(newPod, podWithoutProcMount()) { if procMountInUse(&newPod.Spec) {
t.Errorf("new pod had ProcMount: %v", diff.ObjectReflectDiff(newPod, podWithoutProcMount())) t.Errorf("new pod had ProcMount: %#v", &newPod.Spec)
} }
default: default:
// new pod should not need to be changed // new pod should not need to be changed

24
pkg/apis/apps/v1/zz_generated.defaults.go generated
View File

@ -136,9 +136,6 @@ func SetObjectDefaults_DaemonSet(in *v1.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -181,9 +178,6 @@ func SetObjectDefaults_DaemonSet(in *v1.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -289,9 +283,6 @@ func SetObjectDefaults_Deployment(in *v1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -334,9 +325,6 @@ func SetObjectDefaults_Deployment(in *v1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -442,9 +430,6 @@ func SetObjectDefaults_ReplicaSet(in *v1.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -487,9 +472,6 @@ func SetObjectDefaults_ReplicaSet(in *v1.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -595,9 +577,6 @@ func SetObjectDefaults_StatefulSet(in *v1.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -640,9 +619,6 @@ func SetObjectDefaults_StatefulSet(in *v1.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.VolumeClaimTemplates { for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i] a := &in.Spec.VolumeClaimTemplates[i]

12
pkg/apis/apps/v1beta1/zz_generated.defaults.go generated
View File

@ -132,9 +132,6 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -177,9 +174,6 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -285,9 +279,6 @@ func SetObjectDefaults_StatefulSet(in *v1beta1.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -330,9 +321,6 @@ func SetObjectDefaults_StatefulSet(in *v1beta1.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.VolumeClaimTemplates { for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i] a := &in.Spec.VolumeClaimTemplates[i]

24
pkg/apis/apps/v1beta2/zz_generated.defaults.go generated
View File

@ -136,9 +136,6 @@ func SetObjectDefaults_DaemonSet(in *v1beta2.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -181,9 +178,6 @@ func SetObjectDefaults_DaemonSet(in *v1beta2.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -289,9 +283,6 @@ func SetObjectDefaults_Deployment(in *v1beta2.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -334,9 +325,6 @@ func SetObjectDefaults_Deployment(in *v1beta2.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -442,9 +430,6 @@ func SetObjectDefaults_ReplicaSet(in *v1beta2.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -487,9 +472,6 @@ func SetObjectDefaults_ReplicaSet(in *v1beta2.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -595,9 +577,6 @@ func SetObjectDefaults_StatefulSet(in *v1beta2.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -640,9 +619,6 @@ func SetObjectDefaults_StatefulSet(in *v1beta2.StatefulSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.VolumeClaimTemplates { for i := range in.Spec.VolumeClaimTemplates {
a := &in.Spec.VolumeClaimTemplates[i] a := &in.Spec.VolumeClaimTemplates[i]

6
pkg/apis/batch/v1/zz_generated.defaults.go generated
View File

@ -130,9 +130,6 @@ func SetObjectDefaults_Job(in *v1.Job) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -175,9 +172,6 @@ func SetObjectDefaults_Job(in *v1.Job) {
} }
} }
} }
if a.SecurityContext != nil {
corev1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }

12
pkg/apis/batch/v1beta1/zz_generated.defaults.go generated
View File

@ -131,9 +131,6 @@ func SetObjectDefaults_CronJob(in *v1beta1.CronJob) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers { for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers {
a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i] a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i]
@ -176,9 +173,6 @@ func SetObjectDefaults_CronJob(in *v1beta1.CronJob) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -283,9 +277,6 @@ func SetObjectDefaults_JobTemplate(in *v1beta1.JobTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Template.Spec.Template.Spec.Containers { for i := range in.Template.Spec.Template.Spec.Containers {
a := &in.Template.Spec.Template.Spec.Containers[i] a := &in.Template.Spec.Template.Spec.Containers[i]
@ -328,8 +319,5 @@ func SetObjectDefaults_JobTemplate(in *v1beta1.JobTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }

12
pkg/apis/batch/v2alpha1/zz_generated.defaults.go generated
View File

@ -131,9 +131,6 @@ func SetObjectDefaults_CronJob(in *v2alpha1.CronJob) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers { for i := range in.Spec.JobTemplate.Spec.Template.Spec.Containers {
a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i] a := &in.Spec.JobTemplate.Spec.Template.Spec.Containers[i]
@ -176,9 +173,6 @@ func SetObjectDefaults_CronJob(in *v2alpha1.CronJob) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -283,9 +277,6 @@ func SetObjectDefaults_JobTemplate(in *v2alpha1.JobTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Template.Spec.Template.Spec.Containers { for i := range in.Template.Spec.Template.Spec.Containers {
a := &in.Template.Spec.Template.Spec.Containers[i] a := &in.Template.Spec.Template.Spec.Containers[i]
@ -328,8 +319,5 @@ func SetObjectDefaults_JobTemplate(in *v2alpha1.JobTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }

4
pkg/apis/core/fuzzer/fuzzer.go
View File

@ -354,10 +354,6 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
c.Fuzz(&sc.Capabilities.Add) c.Fuzz(&sc.Capabilities.Add)
c.Fuzz(&sc.Capabilities.Drop) c.Fuzz(&sc.Capabilities.Drop)
} }
if sc.ProcMount == nil {
defProcMount := core.DefaultProcMount
sc.ProcMount = &defProcMount
}
}, },
func(s *core.Secret, c fuzz.Continue) { func(s *core.Secret, c fuzz.Continue) {
c.FuzzNoCustom(s) // fuzz self without calling this function again c.FuzzNoCustom(s) // fuzz self without calling this function again

7
pkg/apis/core/v1/defaults.go
View File

@ -421,10 +421,3 @@ func SetDefaults_HostPathVolumeSource(obj *v1.HostPathVolumeSource) {
obj.Type = &typeVol obj.Type = &typeVol
} }
} }
func SetDefaults_SecurityContext(obj *v1.SecurityContext) {
if obj.ProcMount == nil {
defProcMount := v1.DefaultProcMount
obj.ProcMount = &defProcMount
}
}

18
pkg/apis/core/v1/zz_generated.defaults.go generated
View File

@ -263,9 +263,6 @@ func SetObjectDefaults_Pod(in *v1.Pod) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Containers { for i := range in.Spec.Containers {
a := &in.Spec.Containers[i] a := &in.Spec.Containers[i]
@ -308,9 +305,6 @@ func SetObjectDefaults_Pod(in *v1.Pod) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -415,9 +409,6 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Template.Spec.Containers { for i := range in.Template.Spec.Containers {
a := &in.Template.Spec.Containers[i] a := &in.Template.Spec.Containers[i]
@ -460,9 +451,6 @@ func SetObjectDefaults_PodTemplate(in *v1.PodTemplate) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -569,9 +557,6 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -614,9 +599,6 @@ func SetObjectDefaults_ReplicationController(in *v1.ReplicationController) {
} }
} }
} }
if a.SecurityContext != nil {
SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
} }

18
pkg/apis/extensions/v1beta1/zz_generated.defaults.go generated
View File

@ -138,9 +138,6 @@ func SetObjectDefaults_DaemonSet(in *v1beta1.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -183,9 +180,6 @@ func SetObjectDefaults_DaemonSet(in *v1beta1.DaemonSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -291,9 +285,6 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -336,9 +327,6 @@ func SetObjectDefaults_Deployment(in *v1beta1.Deployment) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }
@ -466,9 +454,6 @@ func SetObjectDefaults_ReplicaSet(in *v1beta1.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
for i := range in.Spec.Template.Spec.Containers { for i := range in.Spec.Template.Spec.Containers {
a := &in.Spec.Template.Spec.Containers[i] a := &in.Spec.Template.Spec.Containers[i]
@ -511,9 +496,6 @@ func SetObjectDefaults_ReplicaSet(in *v1beta1.ReplicaSet) {
} }
} }
} }
if a.SecurityContext != nil {
v1.SetDefaults_SecurityContext(a.SecurityContext)
}
} }
} }

5
test/e2e/framework/deployment_util.go
View File

@ -107,8 +107,9 @@ func NewDeployment(deploymentName string, replicas int32, podLabels map[string]s
TerminationGracePeriodSeconds: &zero, TerminationGracePeriodSeconds: &zero,
Containers: []v1.Container{ Containers: []v1.Container{
{ {
Name: imageName, Name: imageName,
Image: image, Image: image,
SecurityContext: &v1.SecurityContext{},
}, },
}, },
}, },

1
test/e2e/framework/jobs_util.go
View File

@ -83,6 +83,7 @@ func NewTestJob(behavior, name string, rPol v1.RestartPolicy, parallelism, compl
Name: "data", Name: "data",
}, },
}, },
SecurityContext: &v1.SecurityContext{},
}, },
}, },
}, },

5
test/e2e/framework/rs_util.go
View File

@ -148,8 +148,9 @@ func NewReplicaSet(name, namespace string, replicas int32, podLabels map[string]
Spec: v1.PodSpec{ Spec: v1.PodSpec{
Containers: []v1.Container{ Containers: []v1.Container{
{ {
Name: imageName, Name: imageName,
Image: image, Image: image,
SecurityContext: &v1.SecurityContext{},
}, },
}, },
}, },

7
test/e2e/framework/statefulset_utils.go
View File

@ -807,9 +807,10 @@ func NewStatefulSet(name, ns, governingSvcName string, replicas int32, statefulP
Spec: v1.PodSpec{ Spec: v1.PodSpec{
Containers: []v1.Container{ Containers: []v1.Container{
{ {
Name: "nginx", Name: "nginx",
Image: imageutils.GetE2EImage(imageutils.Nginx), Image: imageutils.GetE2EImage(imageutils.Nginx),
VolumeMounts: mounts, VolumeMounts: mounts,
SecurityContext: &v1.SecurityContext{},
}, },
}, },
Volumes: vols, Volumes: vols,

7
test/e2e/upgrades/apps/daemonsets.go
View File

@ -65,9 +65,10 @@ func (t *DaemonSetUpgradeTest) Setup(f *framework.Framework) {
}, },
Containers: []v1.Container{ Containers: []v1.Container{
{ {
Name: daemonSetName, Name: daemonSetName,
Image: image, Image: image,
Ports: []v1.ContainerPort{{ContainerPort: 9376}}, Ports: []v1.ContainerPort{{ContainerPort: 9376}},
SecurityContext: &v1.SecurityContext{},
}, },
}, },
}, },