k3s/staging
Kubernetes Submit Queue 72c6251508 Merge pull request #47019 from jessfraz/allowPrivilegeEscalation
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

Add support for `no_new_privs` via AllowPrivilegeEscalation

**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes #38417

Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.

Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.

Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.

**Release note**:

```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than its parent process
```
2017-07-31 16:56:58 -07:00
src/k8s.io Merge pull request #47019 from jessfraz/allowPrivilegeEscalation 2017-07-31 16:56:58 -07:00
OWNERS Add OWNERS for staging and api 2017-04-19 15:58:09 -04:00
README.md update README.md 2017-07-21 13:35:23 -07:00
godeps-json-updater.go Clean up staging/godeps-json-updater.go 2017-04-06 09:32:57 +02:00
prime-apimachinery.sh Fixup go2idl references 2017-07-20 07:41:37 +02:00

README.md

This directory is the staging area for packages that have been split out into their own repositories. The content here will be periodically published to the respective top-level k8s.io repositories.

The code in the staging/ directory is authoritative, i.e. the only copy of the code. You can directly modify such code.

The vendor/k8s.io directory contains symlinks pointing to this staging area, so to use a package in the staging area, you can import it as k8s.io/<package-name>, as if the package were vendored. Packages will be vendored from k8s.io/<package-name> for real after the test matrix is converted to vendor k8s components.