From 246e16070e13ce332b1fd20ba4b90edc82e38ffd Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Fri, 13 Oct 2017 11:41:08 -0700
Subject: [PATCH 1/2] Clarify DefaultAddCapabilities behavior
Kubernetes-commit: 72196b9a33600ab78e2dbe01cf3fa5c88f6a17d2
---
 extensions/v1beta1/types.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/extensions/v1beta1/types.go b/extensions/v1beta1/types.go
index 6e666b205b..d4ca1832ca 100644
--- a/extensions/v1beta1/types.go
+++ b/extensions/v1beta1/types.go
@@ -882,8 +882,9 @@ type PodSecurityPolicySpec struct {
 // +optional
 Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"`
 // DefaultAddCapabilities is the default set of capabilities that will be added to the container
- // unless the pod spec specifically drops the capability. You may not list a capabiility in both
- // DefaultAddCapabilities and RequiredDropCapabilities.
+ // unless the pod spec specifically drops the capability. You may not list a capability in both
+ // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
+ // allowed, and need not be included in the AllowedCapabilities list.
 // +optional
 DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"`
 // RequiredDropCapabilities are the capabilities that will be dropped from the container. These
From 6cbc4fad61de9fd04306fc72b48ed8b890db2866 Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Fri, 13 Oct 2017 11:54:21 -0700
Subject: [PATCH 2/2] generated code
Kubernetes-commit: 0b4e8f9b3a1ecb80daa0d9a4f0b951f704e07f75
---
 extensions/v1beta1/generated.proto | 5 +++--
 extensions/v1beta1/types_swagger_doc_generated.go | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/extensions/v1beta1/generated.proto b/extensions/v1beta1/generated.proto
index c5414616ae..f6898bce64 100644
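Review bot: The sentence added to the DefaultAddCapabilities comment in types.go says defaulted capabilities are implicitly allowed, but the AllowedCapabilities description (as it appears in the generated swagger map in the second patch) still reads as if it were the complete list of capabilities a container may gain. Someone auditing a policy by reading AllowedCapabilities alone would undercount what the policy permits, so the reciprocal statement belongs on that field as well, for example `// Capabilities listed in DefaultAddCapabilities are also allowed and need not be repeated here.` The AllowedCapabilities field comment lies outside this hunk, and the struct body continues past the hunk's last line. If the intended rule is that the permitted set is the union of the two lists, stating that in those words would be clearer than "implicitly allowed".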
--- a/extensions/v1beta1/generated.proto +++ b/extensions/v1beta1/generated.proto @@ -772,8 +772,9 @@ message PodSecurityPolicySpec { optional bool privileged = 1; // DefaultAddCapabilities is the default set of capabilities that will be added to the container - // unless the pod spec specifically drops the capability. You may not list a capabiility in both - // DefaultAddCapabilities and RequiredDropCapabilities. + // unless the pod spec specifically drops the capability. You may not list a capability in both + // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly + // allowed, and need not be included in the AllowedCapabilities list. // +optional repeated string defaultAddCapabilities = 2; diff --git a/extensions/v1beta1/types_swagger_doc_generated.go b/extensions/v1beta1/types_swagger_doc_generated.go index 20f529d871..b98d117952 100644 --- a/extensions/v1beta1/types_swagger_doc_generated.go +++ b/extensions/v1beta1/types_swagger_doc_generated.go 
@@ -449,7 +449,7 @@ func (PodSecurityPolicyList) SwaggerDoc() map[string]string { var map_PodSecurityPolicySpec = map[string]string{ "": "Pod Security Policy Spec defines the policy enforced.", "privileged": "privileged determines if a pod can request to be run as privileged.", - "defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.", + "defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the AllowedCapabilities list.", "requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.", "allowedCapabilities": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.", "volumes": "volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.",