From 6947432fcaf605f132ff030c409d7f49273905f9 Mon Sep 17 00:00:00 2001
From: Nikita Vaniasin
Date: Thu, 23 Nov 2023 10:27:34 +0100
Subject: [PATCH 1/2] Add fields for ML Storage CRD - copy/move a few security-related constants into shared package
---
 docs/api/ArangoDeployment.V1.md | 182 +++++++++---------
 docs/api/ArangoMLStorage.V1Alpha1.md | 66 +++++++
 .../v1/server_group_security_context_spec.go | 13 +-
 ...server_group_security_context_spec_test.go | 13 +-
 .../server_group_security_context_spec.go | 13 +-
 ...server_group_security_context_spec_test.go | 13 +-
 pkg/apis/ml/v1alpha1/storage_s3_spec.go | 58 ++++++
 pkg/apis/ml/v1alpha1/storage_spec.go | 43 +++++
 pkg/apis/ml/v1alpha1/storage_spec_test.go | 47 +++++
 pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go | 29 ++-
 pkg/apis/shared/constants.go | 5 +
 pkg/crd/crds/ml-storage.schema.generated.yaml | 41 ++++
 12 files changed, 401 insertions(+), 122 deletions(-)
 create mode 100644 pkg/apis/ml/v1alpha1/storage_s3_spec.go
 create mode 100644 pkg/apis/ml/v1alpha1/storage_spec_test.go
diff --git a/docs/api/ArangoDeployment.V1.md b/docs/api/ArangoDeployment.V1.md
index d5bd79cc7..6339c8a65 100644
--- a/docs/api/ArangoDeployment.V1.md
+++ b/docs/api/ArangoDeployment.V1.md
@@ -603,7 +603,7 @@ SchedulerName define scheduler name used for group
 ### .spec.agents.securityContext.addCapabilities
-Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 AddCapabilities add new capabilities to containers
@@ -611,7 +611,7 @@ AddCapabilities add new capabilities to containers
 ### .spec.agents.securityContext.allowPrivilegeEscalation
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
 AllowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process.
@@ -619,7 +619,7 @@ AllowPrivilegeEscalation Controls whether a process can gain more privileges tha
 ### .spec.agents.securityContext.dropAllCapabilities
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L38)
 DropAllCapabilities specifies if capabilities should be dropped for this pod containers Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
@@ -628,7 +628,7 @@ Deprecated: This field is added for backward compatibility. Will be removed in 1
 ### .spec.agents.securityContext.fsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L66)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L61)
 FSGroup is a special supplemental group that applies to all containers in a pod.
@@ -636,7 +636,7 @@ FSGroup is a special supplemental group that applies to all containers in a pod.
 ### .spec.agents.securityContext.privileged
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 Privileged If true, runs container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host.
@@ -645,7 +645,7 @@ essentially equivalent to root on the host.
 ### .spec.agents.securityContext.readOnlyRootFilesystem
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L54)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-only.
@@ -653,7 +653,7 @@ ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-o
 ### .spec.agents.securityContext.runAsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L60)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L55)
 RunAsGroup is the GID to run the entrypoint of the container process.
@@ -661,7 +661,7 @@ RunAsGroup is the GID to run the entrypoint of the container process.
 ### .spec.agents.securityContext.runAsNonRoot
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L56)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
 RunAsNonRoot if true, indicates that the container must run as a non-root user.
@@ -669,7 +669,7 @@ RunAsNonRoot if true, indicates that the container must run as a non-root user.
 ### .spec.agents.securityContext.runAsUser
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L58)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 RunAsUser is the UID to run the entrypoint of the container process.
@@ -677,7 +677,7 @@ RunAsUser is the UID to run the entrypoint of the container process.
 ### .spec.agents.securityContext.seccompProfile
-Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82)
+Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77)
 SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
@@ -688,7 +688,7 @@ Links:
 ### .spec.agents.securityContext.seLinuxOptions
-Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L87)
+Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82)
 SELinuxOptions are the labels to be applied to the container
@@ -699,7 +699,7 @@ Links:
 ### .spec.agents.securityContext.supplementalGroups
-Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
+Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L59)
 SupplementalGroups is a list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process.
@@ -708,7 +708,7 @@ the fsGroup (if specified), and group memberships defined in the container image
 ### .spec.agents.securityContext.sysctls
-Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77)
+Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L72)
 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.
@@ -1651,7 +1651,7 @@ SchedulerName define scheduler name used for group
 ### .spec.coordinators.securityContext.addCapabilities
-Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 AddCapabilities add new capabilities to containers
@@ -1659,7 +1659,7 @@ AddCapabilities add new capabilities to containers
 ### .spec.coordinators.securityContext.allowPrivilegeEscalation
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
 AllowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process.
@@ -1667,7 +1667,7 @@ AllowPrivilegeEscalation Controls whether a process can gain more privileges tha
 ### .spec.coordinators.securityContext.dropAllCapabilities
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L38)
 DropAllCapabilities specifies if capabilities should be dropped for this pod containers Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
@@ -1676,7 +1676,7 @@ Deprecated: This field is added for backward compatibility. Will be removed in 1
 ### .spec.coordinators.securityContext.fsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L66)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L61)
 FSGroup is a special supplemental group that applies to all containers in a pod.
@@ -1684,7 +1684,7 @@ FSGroup is a special supplemental group that applies to all containers in a pod.
 ### .spec.coordinators.securityContext.privileged
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 Privileged If true, runs container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host.
@@ -1693,7 +1693,7 @@ essentially equivalent to root on the host.
 ### .spec.coordinators.securityContext.readOnlyRootFilesystem
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L54)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-only.
@@ -1701,7 +1701,7 @@ ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-o
 ### .spec.coordinators.securityContext.runAsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L60)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L55)
 RunAsGroup is the GID to run the entrypoint of the container process.
@@ -1709,7 +1709,7 @@ RunAsGroup is the GID to run the entrypoint of the container process.
 ### .spec.coordinators.securityContext.runAsNonRoot
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L56)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
 RunAsNonRoot if true, indicates that the container must run as a non-root user.
@@ -1717,7 +1717,7 @@ RunAsNonRoot if true, indicates that the container must run as a non-root user.
 ### .spec.coordinators.securityContext.runAsUser
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L58)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 RunAsUser is the UID to run the entrypoint of the container process.
@@ -1725,7 +1725,7 @@ RunAsUser is the UID to run the entrypoint of the container process.
 ### .spec.coordinators.securityContext.seccompProfile
-Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82)
+Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77)
 SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
@@ -1736,7 +1736,7 @@ Links:
 ### .spec.coordinators.securityContext.seLinuxOptions
-Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L87)
+Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82)
 SELinuxOptions are the labels to be applied to the container
@@ -1747,7 +1747,7 @@ Links:
 ### .spec.coordinators.securityContext.supplementalGroups
-Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
+Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L59)
 SupplementalGroups is a list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process.
@@ -1756,7 +1756,7 @@ the fsGroup (if specified), and group memberships defined in the container image
 ### .spec.coordinators.securityContext.sysctls
-Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77)
+Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L72)
 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.
@@ -2565,7 +2565,7 @@ SchedulerName define scheduler name used for group
 ### .spec.dbservers.securityContext.addCapabilities
-Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 AddCapabilities add new capabilities to containers
@@ -2573,7 +2573,7 @@ AddCapabilities add new capabilities to containers
 ### .spec.dbservers.securityContext.allowPrivilegeEscalation
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
 AllowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process.
@@ -2581,7 +2581,7 @@ AllowPrivilegeEscalation Controls whether a process can gain more privileges tha
 ### .spec.dbservers.securityContext.dropAllCapabilities
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L38)
 DropAllCapabilities specifies if capabilities should be dropped for this pod containers Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
@@ -2590,7 +2590,7 @@ Deprecated: This field is added for backward compatibility. Will be removed in 1
 ### .spec.dbservers.securityContext.fsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L66)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L61)
 FSGroup is a special supplemental group that applies to all containers in a pod.
@@ -2598,7 +2598,7 @@ FSGroup is a special supplemental group that applies to all containers in a pod.
 ### .spec.dbservers.securityContext.privileged
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 Privileged If true, runs container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host.
@@ -2607,7 +2607,7 @@ essentially equivalent to root on the host.
 ### .spec.dbservers.securityContext.readOnlyRootFilesystem
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L54)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-only.
@@ -2615,7 +2615,7 @@ ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-o
 ### .spec.dbservers.securityContext.runAsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L60)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L55)
 RunAsGroup is the GID to run the entrypoint of the container process.
@@ -2623,7 +2623,7 @@ RunAsGroup is the GID to run the entrypoint of the container process.
 ### .spec.dbservers.securityContext.runAsNonRoot
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L56)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
 RunAsNonRoot if true, indicates that the container must run as a non-root user.
@@ -2631,7 +2631,7 @@ RunAsNonRoot if true, indicates that the container must run as a non-root user.
 ### .spec.dbservers.securityContext.runAsUser
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L58)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 RunAsUser is the UID to run the entrypoint of the container process.
@@ -2639,7 +2639,7 @@ RunAsUser is the UID to run the entrypoint of the container process.
 ### .spec.dbservers.securityContext.seccompProfile
-Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82)
+Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77)
 SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
@@ -2650,7 +2650,7 @@ Links:
 ### .spec.dbservers.securityContext.seLinuxOptions
-Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L87)
+Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82)
 SELinuxOptions are the labels to be applied to the container
@@ -2661,7 +2661,7 @@ Links:
 ### .spec.dbservers.securityContext.supplementalGroups
-Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
+Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L59)
 SupplementalGroups is a list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process.
@@ -2670,7 +2670,7 @@ the fsGroup (if specified), and group memberships defined in the container image
 ### .spec.dbservers.securityContext.sysctls
-Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77)
+Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L72)
 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.
@@ -3049,7 +3049,7 @@ Links:
 ### .spec.id.securityContext.addCapabilities
-Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 AddCapabilities add new capabilities to containers
@@ -3057,7 +3057,7 @@ AddCapabilities add new capabilities to containers
 ### .spec.id.securityContext.allowPrivilegeEscalation
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
 AllowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process.
@@ -3065,7 +3065,7 @@ AllowPrivilegeEscalation Controls whether a process can gain more privileges tha
 ### .spec.id.securityContext.dropAllCapabilities
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L38)
 DropAllCapabilities specifies if capabilities should be dropped for this pod containers Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
@@ -3074,7 +3074,7 @@ Deprecated: This field is added for backward compatibility. Will be removed in 1
 ### .spec.id.securityContext.fsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L66)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L61)
 FSGroup is a special supplemental group that applies to all containers in a pod.
@@ -3082,7 +3082,7 @@ FSGroup is a special supplemental group that applies to all containers in a pod.
 ### .spec.id.securityContext.privileged
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 Privileged If true, runs container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host.
@@ -3091,7 +3091,7 @@ essentially equivalent to root on the host.
 ### .spec.id.securityContext.readOnlyRootFilesystem
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L54)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-only.
@@ -3099,7 +3099,7 @@ ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-o
 ### .spec.id.securityContext.runAsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L60)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L55)
 RunAsGroup is the GID to run the entrypoint of the container process.
@@ -3107,7 +3107,7 @@ RunAsGroup is the GID to run the entrypoint of the container process.
 ### .spec.id.securityContext.runAsNonRoot
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L56)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
 RunAsNonRoot if true, indicates that the container must run as a non-root user.
@@ -3115,7 +3115,7 @@ RunAsNonRoot if true, indicates that the container must run as a non-root user.
 ### .spec.id.securityContext.runAsUser
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L58)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 RunAsUser is the UID to run the entrypoint of the container process.
@@ -3123,7 +3123,7 @@ RunAsUser is the UID to run the entrypoint of the container process.
 ### .spec.id.securityContext.seccompProfile
-Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82)
+Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77)
 SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
@@ -3134,7 +3134,7 @@ Links:
 ### .spec.id.securityContext.seLinuxOptions
-Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L87)
+Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82)
 SELinuxOptions are the labels to be applied to the container
@@ -3145,7 +3145,7 @@ Links:
 ### .spec.id.securityContext.supplementalGroups
-Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
+Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L59)
 SupplementalGroups is a list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process.
@@ -3154,7 +3154,7 @@ the fsGroup (if specified), and group memberships defined in the container image
 ### .spec.id.securityContext.sysctls
-Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77)
+Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L72)
 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.
@@ -4083,7 +4083,7 @@ SchedulerName define scheduler name used for group
 ### .spec.single.securityContext.addCapabilities
-Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 AddCapabilities add new capabilities to containers
@@ -4091,7 +4091,7 @@ AddCapabilities add new capabilities to containers
 ### .spec.single.securityContext.allowPrivilegeEscalation
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
 AllowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process.
@@ -4099,7 +4099,7 @@ AllowPrivilegeEscalation Controls whether a process can gain more privileges tha
 ### .spec.single.securityContext.dropAllCapabilities
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L38)
 DropAllCapabilities specifies if capabilities should be dropped for this pod containers Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
@@ -4108,7 +4108,7 @@ Deprecated: This field is added for backward compatibility. Will be removed in 1
 ### .spec.single.securityContext.fsGroup
-Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L66)
+Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L61)
 FSGroup is a special supplemental group that applies to all containers in a pod.
@@ -4116,7 +4116,7 @@ FSGroup is a special supplemental group that applies to all containers in a pod.
 ### .spec.single.securityContext.privileged
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 Privileged If true, runs container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host.
@@ -4125,7 +4125,7 @@ essentially equivalent to root on the host.
 ### .spec.single.securityContext.readOnlyRootFilesystem
-Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L54)
+Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-only.
@@ -4133,7 +4133,7 @@ ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-o ### .spec.single.securityContext.runAsGroup -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L60) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L55) RunAsGroup is the GID to run the entrypoint of the container process. @@ -4141,7 +4141,7 @@ RunAsGroup is the GID to run the entrypoint of the container process. ### .spec.single.securityContext.runAsNonRoot -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L56) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) RunAsNonRoot if true, indicates that the container must run as a non-root user. @@ -4149,7 +4149,7 @@ RunAsNonRoot if true, indicates that the container must run as a non-root user. ### .spec.single.securityContext.runAsUser -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L58) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) RunAsUser is the UID to run the entrypoint of the container process. 
@@ -4157,7 +4157,7 @@ RunAsUser is the UID to run the entrypoint of the container process. ### .spec.single.securityContext.seccompProfile -Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82) +Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77) SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set. @@ -4168,7 +4168,7 @@ Links: ### .spec.single.securityContext.seLinuxOptions -Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L87) +Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82) SELinuxOptions are the labels to be applied to the container @@ -4179,7 +4179,7 @@ Links: ### .spec.single.securityContext.supplementalGroups -Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) +Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L59) SupplementalGroups is a list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. 
@@ -4188,7 +4188,7 @@ the fsGroup (if specified), and group memberships defined in the container image ### .spec.single.securityContext.sysctls -Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77) +Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L72) Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. @@ -5198,7 +5198,7 @@ SchedulerName define scheduler name used for group ### .spec.syncmasters.securityContext.addCapabilities -Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) AddCapabilities add new capabilities to containers @@ -5206,7 +5206,7 @@ AddCapabilities add new capabilities to containers ### .spec.syncmasters.securityContext.allowPrivilegeEscalation -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) AllowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process. 
@@ -5214,7 +5214,7 @@ AllowPrivilegeEscalation Controls whether a process can gain more privileges tha ### .spec.syncmasters.securityContext.dropAllCapabilities -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L38) DropAllCapabilities specifies if capabilities should be dropped for this pod containers Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. @@ -5223,7 +5223,7 @@ Deprecated: This field is added for backward compatibility. Will be removed in 1 ### .spec.syncmasters.securityContext.fsGroup -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L66) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L61) FSGroup is a special supplemental group that applies to all containers in a pod. @@ -5231,7 +5231,7 @@ FSGroup is a special supplemental group that applies to all containers in a pod. ### .spec.syncmasters.securityContext.privileged -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Privileged If true, runs container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. 
@@ -5240,7 +5240,7 @@ essentially equivalent to root on the host. ### .spec.syncmasters.securityContext.readOnlyRootFilesystem -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L54) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-only. @@ -5248,7 +5248,7 @@ ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-o ### .spec.syncmasters.securityContext.runAsGroup -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L60) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L55) RunAsGroup is the GID to run the entrypoint of the container process. @@ -5256,7 +5256,7 @@ RunAsGroup is the GID to run the entrypoint of the container process. ### .spec.syncmasters.securityContext.runAsNonRoot -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L56) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) RunAsNonRoot if true, indicates that the container must run as a non-root user. 
@@ -5264,7 +5264,7 @@ RunAsNonRoot if true, indicates that the container must run as a non-root user. ### .spec.syncmasters.securityContext.runAsUser -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L58) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) RunAsUser is the UID to run the entrypoint of the container process. @@ -5272,7 +5272,7 @@ RunAsUser is the UID to run the entrypoint of the container process. ### .spec.syncmasters.securityContext.seccompProfile -Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82) +Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77) SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set. @@ -5283,7 +5283,7 @@ Links: ### .spec.syncmasters.securityContext.seLinuxOptions -Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L87) +Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82) SELinuxOptions are the labels to be applied to the container 
@@ -5294,7 +5294,7 @@ Links: ### .spec.syncmasters.securityContext.supplementalGroups -Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) +Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L59) SupplementalGroups is a list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. @@ -5303,7 +5303,7 @@ the fsGroup (if specified), and group memberships defined in the container image ### .spec.syncmasters.securityContext.sysctls -Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77) +Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L72) Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. @@ -6104,7 +6104,7 @@ SchedulerName define scheduler name used for group ### .spec.syncworkers.securityContext.addCapabilities -Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Type: `[]core.Capability` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) AddCapabilities add new capabilities to containers 
@@ -6112,7 +6112,7 @@ AddCapabilities add new capabilities to containers ### .spec.syncworkers.securityContext.allowPrivilegeEscalation -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) AllowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process. @@ -6120,7 +6120,7 @@ AllowPrivilegeEscalation Controls whether a process can gain more privileges tha ### .spec.syncworkers.securityContext.dropAllCapabilities -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L38) DropAllCapabilities specifies if capabilities should be dropped for this pod containers Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. @@ -6129,7 +6129,7 @@ Deprecated: This field is added for backward compatibility. Will be removed in 1 ### .spec.syncworkers.securityContext.fsGroup -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L66) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L61) FSGroup is a special supplemental group that applies to all containers in a pod. 
@@ -6137,7 +6137,7 @@ FSGroup is a special supplemental group that applies to all containers in a pod. ### .spec.syncworkers.securityContext.privileged -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Privileged If true, runs container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. @@ -6146,7 +6146,7 @@ essentially equivalent to root on the host. ### .spec.syncworkers.securityContext.readOnlyRootFilesystem -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L54) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-only. @@ -6154,7 +6154,7 @@ ReadOnlyRootFilesystem if true, mounts the container's root filesystem as read-o ### .spec.syncworkers.securityContext.runAsGroup -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L60) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L55) RunAsGroup is the GID to run the entrypoint of the container process. 
@@ -6162,7 +6162,7 @@ RunAsGroup is the GID to run the entrypoint of the container process. ### .spec.syncworkers.securityContext.runAsNonRoot -Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L56) +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) RunAsNonRoot if true, indicates that the container must run as a non-root user. @@ -6170,7 +6170,7 @@ RunAsNonRoot if true, indicates that the container must run as a non-root user. ### .spec.syncworkers.securityContext.runAsUser -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L58) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) RunAsUser is the UID to run the entrypoint of the container process. @@ -6178,7 +6178,7 @@ RunAsUser is the UID to run the entrypoint of the container process. ### .spec.syncworkers.securityContext.seccompProfile -Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82) +Type: `core.SeccompProfile` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77) SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set. 
@@ -6189,7 +6189,7 @@ Links: ### .spec.syncworkers.securityContext.seLinuxOptions -Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L87) +Type: `core.SELinuxOptions` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L82) SELinuxOptions are the labels to be applied to the container @@ -6200,7 +6200,7 @@ Links: ### .spec.syncworkers.securityContext.supplementalGroups -Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) +Type: `array` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L59) SupplementalGroups is a list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. @@ -6209,7 +6209,7 @@ the fsGroup (if specified), and group memberships defined in the container image ### .spec.syncworkers.securityContext.sysctls -Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L77) +Type: `map[string]intstr.IntOrString` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/server_group_security_context_spec.go#L72) Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. diff --git a/docs/api/ArangoMLStorage.V1Alpha1.md b/docs/api/ArangoMLStorage.V1Alpha1.md index e125506da..680fc16a2 100644 --- a/docs/api/ArangoMLStorage.V1Alpha1.md +++ b/docs/api/ArangoMLStorage.V1Alpha1.md 
@@ -2,5 +2,71 @@ ## Spec +### .spec.listenPort + +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_spec.go#L32) + +ListenPort defines on which port the sidecar container will be listening for connections + +Default Value: `9201` + +*** + +### .spec.resources + +Type: `core.ResourceRequirements` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_spec.go#L37) + +Resources holds resource requests & limits for container running the S3 proxy + +Links: +* [Documentation of core.ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#resourcerequirements-v1-core) + +*** + +### .spec.s3.bucketName + +Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L39) + +BucketName specifies the name of the bucket +Required + +*** + +### .spec.s3.credentialsSecret + +Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L42) + +CredentialsSecretName specifies the name of the secret containing AccessKey and SecretKey for S3 API authorization +Required + +*** + +### .spec.s3.disableSSL + +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L33) + +DisableSSL if set to true, no certificate checks will be performed for Endpoint + +Default Value: `false` + +*** + +### .spec.s3.endpoint + +Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L30) + +Endpoint specifies the S3 API-compatible endpoint which implements storage +Required + +*** + +### .spec.s3.region + +Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/storage_s3_spec.go#L36) + +Region defines the availability zone name. 
If empty, defaults to 'us-east-1' + +Default Value: `""` + ## Status diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec.go b/pkg/apis/deployment/v1/server_group_security_context_spec.go index 27759a1d6..2be7858c6 100644 --- a/pkg/apis/deployment/v1/server_group_security_context_spec.go +++ b/pkg/apis/deployment/v1/server_group_security_context_spec.go @@ -26,15 +26,10 @@ import ( core "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/intstr" + "github.com/arangodb/kube-arangodb/pkg/apis/shared" "github.com/arangodb/kube-arangodb/pkg/util" ) -const ( - defaultRunAsUser = 1000 - defaultRunAsGroup = 2000 - defaultFSGroup = 3000 -) - // ServerGroupSpecSecurityContext contains specification for pod security context type ServerGroupSpecSecurityContext struct { // DropAllCapabilities specifies if capabilities should be dropped for this pod containers @@ -147,7 +142,7 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co } if psc.FSGroup == nil { - psc.FSGroup = util.NewType[int64](defaultFSGroup) + psc.FSGroup = util.NewType[int64](shared.DefaultFSGroup) } } @@ -186,10 +181,10 @@ func (s *ServerGroupSpecSecurityContext) NewSecurityContext(secured ...bool) *co if len(secured) > 0 && secured[0] { if r.RunAsUser == nil { - r.RunAsUser = util.NewType[int64](defaultRunAsUser) + r.RunAsUser = util.NewType[int64](shared.DefaultRunAsUser) } if r.RunAsGroup == nil { - r.RunAsGroup = util.NewType[int64](defaultRunAsGroup) + r.RunAsGroup = util.NewType[int64](shared.DefaultRunAsGroup) } if r.RunAsNonRoot == nil { r.RunAsNonRoot = util.NewType[bool](true) diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec_test.go b/pkg/apis/deployment/v1/server_group_security_context_spec_test.go index b7d7a5d3f..4501999e2 100644 --- a/pkg/apis/deployment/v1/server_group_security_context_spec_test.go +++ b/pkg/apis/deployment/v1/server_group_security_context_spec_test.go 
@@ -29,6 +29,7 @@ import ( core "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/intstr" + "github.com/arangodb/kube-arangodb/pkg/apis/shared" "github.com/arangodb/kube-arangodb/pkg/util" ) @@ -46,7 +47,7 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) { sc: nil, secured: true, want: &core.PodSecurityContext{ - FSGroup: util.NewType[int64](defaultFSGroup), + FSGroup: util.NewType[int64](shared.DefaultFSGroup), }, }, "user secured pod security takes precedence": { @@ -64,7 +65,7 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) { }, secured: true, want: &core.PodSecurityContext{ - FSGroup: util.NewType[int64](defaultFSGroup), + FSGroup: util.NewType[int64](shared.DefaultFSGroup), SupplementalGroups: []int64{1}, }, }, @@ -168,9 +169,9 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { Drop: []core.Capability{"ALL"}, }, ReadOnlyRootFilesystem: util.NewType(true), - RunAsGroup: util.NewType[int64](defaultRunAsGroup), + RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), RunAsNonRoot: util.NewType(true), - RunAsUser: util.NewType[int64](defaultRunAsUser), + RunAsUser: util.NewType[int64](shared.DefaultRunAsUser), }, }, "user unsecured context security": { @@ -195,7 +196,7 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { Drop: []core.Capability{"ALL"}, }, ReadOnlyRootFilesystem: util.NewType(true), - RunAsGroup: util.NewType[int64](defaultRunAsGroup), + RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), RunAsNonRoot: util.NewType(true), RunAsUser: util.NewType[int64](3001), }, @@ -219,7 +220,7 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { }, Privileged: util.NewType(false), ReadOnlyRootFilesystem: util.NewType(true), - RunAsGroup: util.NewType[int64](defaultRunAsGroup), + RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), RunAsNonRoot: util.NewType(false), RunAsUser: util.NewType[int64](3001), }, 
diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go index 89507b75d..0ec453c45 100644 --- a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go +++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go @@ -26,15 +26,10 @@ import ( core "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/intstr" + "github.com/arangodb/kube-arangodb/pkg/apis/shared" "github.com/arangodb/kube-arangodb/pkg/util" ) -const ( - defaultRunAsUser = 1000 - defaultRunAsGroup = 2000 - defaultFSGroup = 3000 -) - // ServerGroupSpecSecurityContext contains specification for pod security context type ServerGroupSpecSecurityContext struct { // DropAllCapabilities specifies if capabilities should be dropped for this pod containers @@ -147,7 +142,7 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co } if psc.FSGroup == nil { - psc.FSGroup = util.NewType[int64](defaultFSGroup) + psc.FSGroup = util.NewType[int64](shared.DefaultFSGroup) } } @@ -186,10 +181,10 @@ func (s *ServerGroupSpecSecurityContext) NewSecurityContext(secured ...bool) *co if len(secured) > 0 && secured[0] { if r.RunAsUser == nil { - r.RunAsUser = util.NewType[int64](defaultRunAsUser) + r.RunAsUser = util.NewType[int64](shared.DefaultRunAsUser) } if r.RunAsGroup == nil { - r.RunAsGroup = util.NewType[int64](defaultRunAsGroup) + r.RunAsGroup = util.NewType[int64](shared.DefaultRunAsGroup) } if r.RunAsNonRoot == nil { r.RunAsNonRoot = util.NewType[bool](true) diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go index bb23b599b..018569ba3 100644 --- a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go +++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go 
@@ -29,6 +29,7 @@ import ( core "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/intstr" + "github.com/arangodb/kube-arangodb/pkg/apis/shared" "github.com/arangodb/kube-arangodb/pkg/util" ) @@ -46,7 +47,7 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) { sc: nil, secured: true, want: &core.PodSecurityContext{ - FSGroup: util.NewType[int64](defaultFSGroup), + FSGroup: util.NewType[int64](shared.DefaultFSGroup), }, }, "user secured pod security takes precedence": { @@ -64,7 +65,7 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) { }, secured: true, want: &core.PodSecurityContext{ - FSGroup: util.NewType[int64](defaultFSGroup), + FSGroup: util.NewType[int64](shared.DefaultFSGroup), SupplementalGroups: []int64{1}, }, }, @@ -168,9 +169,9 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { Drop: []core.Capability{"ALL"}, }, ReadOnlyRootFilesystem: util.NewType(true), - RunAsGroup: util.NewType[int64](defaultRunAsGroup), + RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), RunAsNonRoot: util.NewType(true), - RunAsUser: util.NewType[int64](defaultRunAsUser), + RunAsUser: util.NewType[int64](shared.DefaultRunAsUser), }, }, "user unsecured context security": { @@ -195,7 +196,7 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { Drop: []core.Capability{"ALL"}, }, ReadOnlyRootFilesystem: util.NewType(true), - RunAsGroup: util.NewType[int64](defaultRunAsGroup), + RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), RunAsNonRoot: util.NewType(true), RunAsUser: util.NewType[int64](3001), }, @@ -219,7 +220,7 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { }, Privileged: util.NewType(false), ReadOnlyRootFilesystem: util.NewType(true), - RunAsGroup: util.NewType[int64](defaultRunAsGroup), + RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), RunAsNonRoot: util.NewType(false), RunAsUser: util.NewType[int64](3001), }, 
diff --git a/pkg/apis/ml/v1alpha1/storage_s3_spec.go b/pkg/apis/ml/v1alpha1/storage_s3_spec.go
new file mode 100644
index 000000000..33340f048
--- /dev/null
+++ b/pkg/apis/ml/v1alpha1/storage_s3_spec.go
@@ -0,0 +1,58 @@
+//
+// DISCLAIMER
+//
+// Copyright 2023 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1alpha1
+
+import (
+ "github.com/pkg/errors"
+)
+
+type ArangoMLStorageS3Spec struct {
+ // Endpoint specifies the S3 API-compatible endpoint which implements storage
+ // Required
+ Endpoint string `json:"endpoint"`
+ // DisableSSL if set to true, no certificate checks will be performed for Endpoint
+ // +doc/default: false
+ DisableSSL bool `json:"disableSSL,omitempty"`
+ // Region defines the availability zone name. If empty, defaults to 'us-east-1'
+ // +doc/default: ""
+ Region string `json:"region,omitempty"`
+ // BucketName specifies the name of the bucket
+ // Required
+ BucketName string `json:"bucketName"`
+ // CredentialsSecretName specifies the name of the secret containing AccessKey and SecretKey for S3 API authorization
+ // Required
+ CredentialsSecretName string `json:"credentialsSecret"`
+}
+
+func (s *ArangoMLStorageS3Spec) Validate() error {
+ if s.BucketName == "" {
+ return errors.New("S3 BucketName must be not empty")
+ }
+
+ if s.Endpoint == "" {
+ return errors.New("S3 Endpoint must be not empty")
+ }
+
+ if s.CredentialsSecretName == "" {
+ return errors.New("S3 CredentialsSecretName must be not empty")
+ }
+ return nil
+}
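Review bot: The `DisableSSL` comment in `ArangoMLStorageS3Spec` says certificate checks are skipped, while the field name says SSL is turned off altogether; these are different behaviours and the hunk does not show which one the consumer implements. In either reading the AccessKey/SecretKey referenced by `CredentialsSecretName` would be sent to `Endpoint` without a verified TLS peer, so the field doc should state that, for example `// DisableSSL if set to true, the connection to Endpoint is not authenticated by TLS and the S3 credentials may be exposed on the network`. `Validate()` also accepts any non-empty `Endpoint` string; parsing it with `url.Parse` and checking scheme and host would reject malformed values at validation time instead of at first use.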
diff --git a/pkg/apis/ml/v1alpha1/storage_spec.go b/pkg/apis/ml/v1alpha1/storage_spec.go index ba83b484b..3e250cd70 100644 --- a/pkg/apis/ml/v1alpha1/storage_spec.go +++ b/pkg/apis/ml/v1alpha1/storage_spec.go @@ -20,5 +20,48 @@ package v1alpha1 +import ( + "github.com/pkg/errors" + core "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + type ArangoMLStorageSpec struct { + // ListenPort defines on which port the sidecar container will be listening for connections + // +doc/default: 9201 + ListenPort *uint16 `json:"listenPort,omitempty"` + + // Resources holds resource requests & limits for container running the S3 proxy + // +doc/type: core.ResourceRequirements + // +doc/link: Documentation of core.ResourceRequirements|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#resourcerequirements-v1-core + Resources core.ResourceRequirements `json:"resources,omitempty"` + + S3 *ArangoMLStorageS3Spec `json:"s3,omitempty"` +} + +func (s *ArangoMLStorageSpec) Validate() error { + if s.S3 == nil { + return errors.New("Currently only s3 storage type is supported") + } + + return s.S3.Validate() +} + +// SetDefaults fills in missing defaults +func (s *ArangoMLStorageSpec) SetDefaults() { + if s == nil { + return + } + + resources := s.Resources + if len(resources.Requests) == 0 { + resources.Requests = make(core.ResourceList) + resources.Requests[core.ResourceCPU] = resource.MustParse("100m") + resources.Requests[core.ResourceMemory] = resource.MustParse("100m") + } + if len(resources.Limits) == 0 { + resources.Limits = make(core.ResourceList) + resources.Limits[core.ResourceCPU] = resource.MustParse("250m") + resources.Limits[core.ResourceMemory] = resource.MustParse("250m") + } } diff --git a/pkg/apis/ml/v1alpha1/storage_spec_test.go b/pkg/apis/ml/v1alpha1/storage_spec_test.go new file mode 100644 index 000000000..02e5d1f78 --- /dev/null +++ b/pkg/apis/ml/v1alpha1/storage_spec_test.go 
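Review bot: `SetDefaults` never changes the receiver: `resources := s.Resources` copies the struct, and when `Requests` or `Limits` is empty the new map is assigned to the copy, so `s.Resources` is left without requests and limits for the S3 proxy container. Taking the address instead, `resources := &s.Resources`, makes the defaults stick. The memory quantities also look wrong: for memory, `resource.MustParse("100m")` is a tenth of a byte, so `"100Mi"` and `"250Mi"` are presumably what was meant. The documented `ListenPort` default of 9201 is not set in this function either; if it is applied elsewhere, that is outside this hunk.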
@@ -0,0 +1,47 @@
+//
+// DISCLAIMER
+//
+// Copyright 2023 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1alpha1
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ core "k8s.io/api/core/v1"
+)
+
+func Test_ArangoMLStorageSpec(t *testing.T) {
+ s := ArangoMLStorageSpec{
+ ListenPort: nil,
+ Resources: core.ResourceRequirements{},
+ S3: nil,
+ }
+ s.SetDefaults()
+ require.Error(t, s.Validate())
+
+ s.S3 = &ArangoMLStorageS3Spec{
+ Endpoint: "some-endpoint",
+ DisableSSL: false,
+ Region: "",
+ BucketName: "test-bucket",
+ CredentialsSecretName: "some-secret",
+ }
+ require.NoError(t, s.Validate())
+}
diff --git a/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go
index 5e818c669..5a0aab8cd 100644
--- a/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go
@@ -321,7 +321,7 @@ func (in *ArangoMLStorage) DeepCopyInto(out *ArangoMLStorage) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) out.Status = in.Status return }
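Review bot: `Test_ArangoMLStorageSpec` in storage_spec_test.go calls `s.SetDefaults()` but asserts nothing about its effect, so an implementation that leaves `Resources` untouched still passes. Adding `require.NotEmpty(t, s.Resources.Requests)` and `require.NotEmpty(t, s.Resources.Limits)` after the call would pin the defaults. The negative path covers only `S3: nil`; cases with an empty `Endpoint`, `BucketName` or `CredentialsSecretName` would exercise each branch of the S3 `Validate()`.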
@@ -377,9 +377,36 @@ func (in *ArangoMLStorageList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ArangoMLStorageS3Spec) DeepCopyInto(out *ArangoMLStorageS3Spec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ArangoMLStorageS3Spec. +func (in *ArangoMLStorageS3Spec) DeepCopy() *ArangoMLStorageS3Spec { + if in == nil { + return nil + } + out := new(ArangoMLStorageS3Spec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ArangoMLStorageSpec) DeepCopyInto(out *ArangoMLStorageSpec) { *out = *in + if in.ListenPort != nil { + in, out := &in.ListenPort, &out.ListenPort + *out = new(uint16) + **out = **in + } + in.Resources.DeepCopyInto(&out.Resources) + if in.S3 != nil { + in, out := &in.S3, &out.S3 + *out = new(ArangoMLStorageS3Spec) + **out = **in + } return } diff --git a/pkg/apis/shared/constants.go b/pkg/apis/shared/constants.go index d7d1c3fdf..f0a63b412 100644 --- a/pkg/apis/shared/constants.go +++ b/pkg/apis/shared/constants.go @@ -65,6 +65,11 @@ const ( ExporterJWTVolumeMountDir = "/secrets/exporter/jwt" MasterJWTSecretVolumeMountDir = "/secrets/master/jwt" + // Security constants + DefaultRunAsUser = 1000 + DefaultRunAsGroup = 2000 + DefaultFSGroup = 3000 + ServerPortName = "server" ExporterPortName = "exporter" ) diff --git a/pkg/crd/crds/ml-storage.schema.generated.yaml b/pkg/crd/crds/ml-storage.schema.generated.yaml index c55dcae82..e18e9bbba 100644 --- a/pkg/crd/crds/ml-storage.schema.generated.yaml +++ b/pkg/crd/crds/ml-storage.schema.generated.yaml 
@@ -2,6 +2,47 @@ v1alpha1: openAPIV3Schema: properties: spec: + properties: + listenPort: + description: ListenPort defines on which port the sidecar container will be listening for connections + format: int32 + type: integer + resources: + description: Resources holds resource requests & limits for container running the S3 proxy + properties: + limits: + additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + s3: + properties: + bucketName: + description: |- + BucketName specifies the name of the bucket + Required + type: string + credentialsSecret: + description: |- + CredentialsSecretName specifies the name of the secret containing AccessKey and SecretKey for S3 API authorization + Required + type: string + disableSSL: + description: DisableSSL if set to true, no certificate checks will be performed for Endpoint + type: boolean + endpoint: + description: |- + Endpoint specifies the S3 API-compatible endpoint which implements storage + Required + type: string + region: + description: Region defines the availability zone name. If empty, defaults to 'us-east-1' + type: string + type: object type: object type: object x-kubernetes-preserve-unknown-fields: true From bd2f4eefb0dc742f2a62ed79c3bd463f2b477f2e Mon Sep 17 00:00:00 2001 From: Nikita Vaniasin Date: Thu, 23 Nov 2023 10:44:01 +0100 Subject: [PATCH 2/2] Fix license year --- pkg/apis/shared/constants.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/apis/shared/constants.go b/pkg/apis/shared/constants.go index f0a63b412..3edb99657 100644 --- a/pkg/apis/shared/constants.go +++ b/pkg/apis/shared/constants.go @@ -1,7 +1,7 @@ // // DISCLAIMER // -// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany +// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License.