Merge pull request #53911 from tallclair/psp-docs

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Clarify DefaultAddCapabilities behavior Clarify that capabilities listed in `DefaultAddCapabilities` in the `PodSecurityPolicySpec` need not be repeated in `AllowedCapabilities`. **Release note**: ```release-note NONE ``` Kubernetes-commit: 95038553d7c41ce11ee631e096b773c6756d59a2
sttts · Nov 28, 2017 · 1438cb3 · 1438cb3
2 parents e1e8775 + 6cbc4fa
commit 1438cb3
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 30 deletions.
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/extensions/v1beta1/generated.proto b/extensions/v1beta1/generated.proto
diff --git a/extensions/v1beta1/types.go b/extensions/v1beta1/types.go
@@ -882,8 +882,9 @@ type PodSecurityPolicySpec struct {
 	// +optional
 	Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"`
 	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
-	// unless the pod spec specifically drops the capability.  You may not list a capabiility in both
-	// DefaultAddCapabilities and RequiredDropCapabilities.
+	// unless the pod spec specifically drops the capability.  You may not list a capability in both
+	// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
+	// allowed, and need not be included in the AllowedCapabilities list.
 	// +optional
 	DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"`
 	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These

diff --git a/extensions/v1beta1/types_swagger_doc_generated.go b/extensions/v1beta1/types_swagger_doc_generated.go
@@ -449,7 +449,7 @@ func (PodSecurityPolicyList) SwaggerDoc() map[string]string {
 var map_PodSecurityPolicySpec = map[string]string{
 	"":                                "Pod Security Policy Spec defines the policy enforced.",
 	"privileged":                      "privileged determines if a pod can request to be run as privileged.",
-	"defaultAddCapabilities":          "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
+	"defaultAddCapabilities":          "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the AllowedCapabilities list.",
 	"requiredDropCapabilities":        "RequiredDropCapabilities are the capabilities that will be dropped from the container.  These are required to be dropped and cannot be added.",
 	"allowedCapabilities":             "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
 	"volumes":                         "volumes is a white list of allowed volume plugins.  Empty indicates that all plugins may be used.",