Commit

feat: add basic support for PodSecurityContext
johnpoth authored and Adriano Machado committed Jun 3, 2022
1 parent 5ef7236 commit 477656a
Showing 8 changed files with 342 additions and 3 deletions.
137 changes: 137 additions & 0 deletions config/crd/bases/camel.apache.org_integrations.yaml
@@ -3958,6 +3958,143 @@ spec:
restartPolicy:
description: RestartPolicy
type: string
securityContext:
description: PodSecurityContext holds pod-level security attributes and
common container settings. Some fields are also present in
container.securityContext. Field values of container.securityContext
take precedence over field values of PodSecurityContext.
properties:
fsGroup:
description: |-
A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----

If unset, the Kubelet will not modify the ownership and permissions of any volume.
format: int64
type: integer
fsGroupChangePolicy:
description: 'fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified defaults to "Always".'
type: string
runAsGroup:
description: The GID to run the entrypoint of the
container process. Uses runtime default if unset.
May also be set in PodSecurityContext. If set
in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run
as a non-root user. If true, the Kubelet will
validate the image at runtime to ensure that it
does not run as UID 0 (root) and fail to start
the container if it does. If unset or false, no
such validation will be performed. May also be
set in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in
SecurityContext takes precedence.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the
container process. Defaults to user specified
in image metadata if unspecified. May also be
set in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in
SecurityContext takes precedence.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to
the container. If unspecified, the container runtime
will allocate a random SELinux context for each
container. May also be set in PodSecurityContext. If
set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
properties:
level:
description: Level is SELinux level label that
applies to the container.
type: string
role:
description: Role is a SELinux role label that
applies to the container.
type: string
type:
description: Type is a SELinux type label that
applies to the container.
type: string
user:
description: User is a SELinux user label that
applies to the container.
type: string
type: object
supplementalGroups:
description: A list of groups applied to the first process run
in each container, in addition to the container's primary GID.
If unspecified, no groups will be added to any container.
items:
format: int64
type: integer
type: array
sysctls:
description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
description: The Windows specific settings applied
to all containers. If unspecified, the options
from the PodSecurityContext will be used. If set
in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the
GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
inlines the contents of the GMSA credential
spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name
of the GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container
should be run as a 'Host Process' container.
This field is alpha-level and will only be
honored by components that enable the WindowsHostProcessContainers
feature flag. Setting this field without the
feature flag will result in errors when validating
the Pod. All of a Pod's containers must have
the same effective HostProcess value (it is
not allowed to have a mix of HostProcess containers
and non-HostProcess containers). In addition,
if HostProcess is true then HostNetwork must
also be set to true.
type: boolean
runAsUserName:
description: The UserName in Windows to run
the entrypoint of the container process. Defaults
to the user specified in image metadata if
unspecified. May also be set in PodSecurityContext.
If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes
precedence.
type: string
type: object
type: object
terminationGracePeriodSeconds:
description: TerminationGracePeriodSeconds
format: int64
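Review bot: the description on `securityContext` (or the trait docs this feeds) should state which of the properties in this block the operator actually propagates into the generated pod template, since the commit is titled "basic support" while the schema admits the full upstream PodSecurityContext field set from `fsGroup` through `windowsOptions`; a field the CRD accepts but the reconciler drops (for example `runAsNonRoot`) leaves users believing a control is in place that is not. The property list also has no `seccompProfile`, which upstream PodSecurityContext has carried since Kubernetes 1.19 and which the `restricted` Pod Security Standard requires; if the vendored k8s.io/api is too old to emit it, that limitation belongs in the docs. Finally, cross-field rules quoted in these descriptions, such as "if HostProcess is true then HostNetwork must also be set to true", are not enforced by this schema and will only be rejected by the API server when the generated pod is created, so the reconciler should surface that rejection in the Integration status rather than leave the workload silently unscheduled.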
105 changes: 104 additions & 1 deletion docs/modules/ROOT/attachments/schema/integration-schema.json
@@ -3392,6 +3392,109 @@
"description": "RestartPolicy describes how the container should be restarted. Only one of the following restart policies may be specified. If none of the following policies is specified, the default one is RestartPolicyAlways.",
"type": "string"
},
"securityContext": {
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
"properties": {
"fsGroup": {
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.",
"format": "int64",
"type": "integer"
},
"fsGroupChangePolicy": {
"description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified defaults to \"Always\".",
"type": "string"
},
"runAsGroup": {
"description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"format": "int64",
"type": "integer"
},
"runAsNonRoot": {
"description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"type": "boolean"
},
"runAsUser": {
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"format": "int64",
"type": "integer"
},
"seLinuxOptions": {
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"properties": {
"level": {
"description": "Level is SELinux level label that applies to the container.",
"type": "string"
},
"role": {
"description": "Role is a SELinux role label that applies to the container.",
"type": "string"
},
"type": {
"description": "Type is a SELinux type label that applies to the container.",
"type": "string"
},
"user": {
"description": "User is a SELinux user label that applies to the container.",
"type": "string"
}
},
"type": "object"
},
"supplementalGroups": {
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container.",
"items": {
"format": "int64",
"type": "integer"
},
"type": "array"
},
"sysctls": {
"description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.",
"items": {
"description": "Sysctl defines a kernel parameter to be set",
"properties": {
"name": {
"description": "Name of a property to set",
"type": "string"
},
"value": {
"description": "Value of a property to set",
"type": "string"
}
},
"required": [
"name",
"value"
],
"type": "object"
},
"type": "array"
},
"windowsOptions": {
"description": "The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"properties": {
"gmsaCredentialSpec": {
"description": "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.",
"type": "string"
},
"gmsaCredentialSpecName": {
"description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.",
"type": "string"
},
"hostProcess": {
"description": "HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.",
"type": "boolean"
},
"runAsUserName": {
"description": "The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"serviceAccount": {
"type": "string"
},
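Review bot: the `sysctls` property in this block lets an Integration author request kernel parameters for the pod, and its description only warns that unsupported sysctls "might fail to launch"; the schema docs should add that the kubelet permits only the small safe namespaced set by default and that anything else depends on the cluster's unsafe-sysctl allowlist, so users know such a request will normally be rejected rather than silently applied. Since this JSON attachment mirrors the CRD schema in config/crd/bases/camel.apache.org_integrations.yaml property for property, please confirm it is regenerated from the same source rather than hand-edited, otherwise the two will drift; note that neither copy lists `seccompProfile`.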
@@ -9269,4 +9372,4 @@
}
}
}
}
}
20 changes: 20 additions & 0 deletions e2e/common/traits/files/template-with-supplemental-groups.yaml
@@ -0,0 +1,20 @@
# ---------------------------------------------------------------------------
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ---------------------------------------------------------------------------

securityContext:
supplementalGroups:
- 666
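Review bot: this fixture only exercises `supplementalGroups` (GID 666), the least security-relevant of the fields the commit adds; a second e2e template that sets `runAsNonRoot: true` together with `runAsUser` and `runAsGroup` would prove that the values users need for the restricted Pod Security Standard actually reach the generated pod, and a case using a field the operator does not propagate would catch silent drops. Because `securityContext:` sits at the top level of this template, the accompanying test should assert on the pod-level `spec.securityContext` of the running pod, not only on what is stored in the Integration resource.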
0 comments on commit 477656a