From 794752bc25baa79496d1dd85a70ebc1a29a024e4 Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Fri, 31 May 2024 10:32:48 +0000 Subject: [PATCH] Adding new schemas --- master-local/_definitions.json | 51 +++++- master-local/all.json | 6 + master-local/containerstatus-v1.json | 4 + master-local/containerstatus.json | 4 + master-local/containeruser-v1.json | 11 ++ master-local/containeruser.json | 11 ++ master-local/linuxcontaineruser-v1.json | 42 +++++ master-local/linuxcontaineruser.json | 42 +++++ master-local/podsecuritycontext-v1.json | 9 +- master-local/podsecuritycontext.json | 9 +- master-local/podspec-v1.json | 2 +- master-local/podspec.json | 2 +- master-standalone-strict/_definitions.json | 53 +++++- master-standalone-strict/all.json | 6 + .../containerstatus-v1.json | 49 ++++++ master-standalone-strict/containerstatus.json | 49 ++++++ .../containeruser-v1.json | 47 ++++++ master-standalone-strict/containeruser.json | 47 ++++++ .../cronjob-batch-v1.json | 9 +- master-standalone-strict/cronjob.json | 9 +- .../cronjoblist-batch-v1.json | 9 +- master-standalone-strict/cronjoblist.json | 9 +- .../cronjobspec-batch-v1.json | 9 +- master-standalone-strict/cronjobspec.json | 9 +- .../daemonset-apps-v1.json | 9 +- master-standalone-strict/daemonset.json | 9 +- .../daemonsetlist-apps-v1.json | 9 +- master-standalone-strict/daemonsetlist.json | 9 +- .../daemonsetspec-apps-v1.json | 9 +- master-standalone-strict/daemonsetspec.json | 9 +- .../deployment-apps-v1.json | 9 +- master-standalone-strict/deployment.json | 9 +- .../deploymentlist-apps-v1.json | 9 +- master-standalone-strict/deploymentlist.json | 9 +- .../deploymentspec-apps-v1.json | 9 +- master-standalone-strict/deploymentspec.json | 9 +- master-standalone-strict/job-batch-v1.json | 9 +- master-standalone-strict/job.json | 9 +- .../joblist-batch-v1.json | 9 +- master-standalone-strict/joblist.json | 9 +- .../jobspec-batch-v1.json | 9 +- master-standalone-strict/jobspec.json | 9 +- .../jobtemplatespec-batch-v1.json | 9 +- master-standalone-strict/jobtemplatespec.json | 9 +- .../linuxcontaineruser-v1.json | 43 +++++ .../linuxcontaineruser.json | 43 +++++ master-standalone-strict/pod-v1.json | 156 +++++++++++++++++- master-standalone-strict/pod.json | 156 +++++++++++++++++- master-standalone-strict/podlist-v1.json | 156 +++++++++++++++++- master-standalone-strict/podlist.json | 156 +++++++++++++++++- .../podsecuritycontext-v1.json | 9 +- .../podsecuritycontext.json | 9 +- master-standalone-strict/podspec-v1.json | 9 +- master-standalone-strict/podspec.json | 9 +- master-standalone-strict/podstatus-v1.json | 147 +++++++++++++++++ master-standalone-strict/podstatus.json | 147 +++++++++++++++++ master-standalone-strict/podtemplate-v1.json | 9 +- master-standalone-strict/podtemplate.json | 9 +- .../podtemplatelist-v1.json | 9 +- master-standalone-strict/podtemplatelist.json | 9 +- .../podtemplatespec-v1.json | 9 +- master-standalone-strict/podtemplatespec.json | 9 +- .../replicaset-apps-v1.json | 9 +- master-standalone-strict/replicaset.json | 9 +- .../replicasetlist-apps-v1.json | 9 +- master-standalone-strict/replicasetlist.json | 9 +- .../replicasetspec-apps-v1.json | 9 +- master-standalone-strict/replicasetspec.json | 9 +- .../replicationcontroller-v1.json | 9 +- .../replicationcontroller.json | 9 +- .../replicationcontrollerlist-v1.json | 9 +- .../replicationcontrollerlist.json | 9 +- .../replicationcontrollerspec-v1.json | 9 +- .../replicationcontrollerspec.json | 9 +- .../statefulset-apps-v1.json | 9 +- master-standalone-strict/statefulset.json | 9 +- .../statefulsetlist-apps-v1.json | 9 +- master-standalone-strict/statefulsetlist.json | 9 +- .../statefulsetspec-apps-v1.json | 9 +- master-standalone-strict/statefulsetspec.json | 9 +- master-standalone/_definitions.json | 51 +++++- master-standalone/all.json | 6 + master-standalone/containerstatus-v1.json | 47 ++++++ master-standalone/containerstatus.json | 47 ++++++ master-standalone/containeruser-v1.json | 45 +++++ master-standalone/containeruser.json | 45 +++++ master-standalone/cronjob-batch-v1.json | 9 +- master-standalone/cronjob.json | 9 +- master-standalone/cronjoblist-batch-v1.json | 9 +- master-standalone/cronjoblist.json | 9 +- master-standalone/cronjobspec-batch-v1.json | 9 +- master-standalone/cronjobspec.json | 9 +- master-standalone/daemonset-apps-v1.json | 9 +- master-standalone/daemonset.json | 9 +- master-standalone/daemonsetlist-apps-v1.json | 9 +- master-standalone/daemonsetlist.json | 9 +- master-standalone/daemonsetspec-apps-v1.json | 9 +- master-standalone/daemonsetspec.json | 9 +- master-standalone/deployment-apps-v1.json | 9 +- master-standalone/deployment.json | 9 +- master-standalone/deploymentlist-apps-v1.json | 9 +- master-standalone/deploymentlist.json | 9 +- master-standalone/deploymentspec-apps-v1.json | 9 +- master-standalone/deploymentspec.json | 9 +- master-standalone/job-batch-v1.json | 9 +- master-standalone/job.json | 9 +- master-standalone/joblist-batch-v1.json | 9 +- master-standalone/joblist.json | 9 +- master-standalone/jobspec-batch-v1.json | 9 +- master-standalone/jobspec.json | 9 +- .../jobtemplatespec-batch-v1.json | 9 +- master-standalone/jobtemplatespec.json | 9 +- master-standalone/linuxcontaineruser-v1.json | 42 +++++ master-standalone/linuxcontaineruser.json | 42 +++++ master-standalone/pod-v1.json | 150 ++++++++++++++++- master-standalone/pod.json | 150 ++++++++++++++++- master-standalone/podlist-v1.json | 150 ++++++++++++++++- master-standalone/podlist.json | 150 ++++++++++++++++- master-standalone/podsecuritycontext-v1.json | 9 +- master-standalone/podsecuritycontext.json | 9 +- master-standalone/podspec-v1.json | 9 +- master-standalone/podspec.json | 9 +- master-standalone/podstatus-v1.json | 141 ++++++++++++++++ master-standalone/podstatus.json | 141 ++++++++++++++++ master-standalone/podtemplate-v1.json | 9 +- master-standalone/podtemplate.json | 9 +- master-standalone/podtemplatelist-v1.json | 9 +- master-standalone/podtemplatelist.json | 9 +- master-standalone/podtemplatespec-v1.json | 9 +- master-standalone/podtemplatespec.json | 9 +- master-standalone/replicaset-apps-v1.json | 9 +- master-standalone/replicaset.json | 9 +- master-standalone/replicasetlist-apps-v1.json | 9 +- master-standalone/replicasetlist.json | 9 +- master-standalone/replicasetspec-apps-v1.json | 9 +- master-standalone/replicasetspec.json | 9 +- .../replicationcontroller-v1.json | 9 +- master-standalone/replicationcontroller.json | 9 +- .../replicationcontrollerlist-v1.json | 9 +- .../replicationcontrollerlist.json | 9 +- .../replicationcontrollerspec-v1.json | 9 +- .../replicationcontrollerspec.json | 9 +- master-standalone/statefulset-apps-v1.json | 9 +- master-standalone/statefulset.json | 9 +- .../statefulsetlist-apps-v1.json | 9 +- master-standalone/statefulsetlist.json | 9 +- .../statefulsetspec-apps-v1.json | 9 +- master-standalone/statefulsetspec.json | 9 +- master/_definitions.json | 51 +++++- master/all.json | 6 + master/containerstatus-v1.json | 4 + master/containerstatus.json | 4 + master/containeruser-v1.json | 11 ++ master/containeruser.json | 11 ++ master/linuxcontaineruser-v1.json | 42 +++++ master/linuxcontaineruser.json | 42 +++++ master/podsecuritycontext-v1.json | 9 +- master/podsecuritycontext.json | 9 +- master/podspec-v1.json | 2 +- master/podspec.json | 2 +- 160 files changed, 3688 insertions(+), 132 deletions(-) create mode 100644 master-local/containeruser-v1.json create mode 100644 master-local/containeruser.json create mode 100644 master-local/linuxcontaineruser-v1.json create mode 100644 master-local/linuxcontaineruser.json create mode 100644 master-standalone-strict/containeruser-v1.json create mode 100644 master-standalone-strict/containeruser.json create mode 100644 master-standalone-strict/linuxcontaineruser-v1.json create mode 100644 master-standalone-strict/linuxcontaineruser.json create mode 100644 master-standalone/containeruser-v1.json create mode 100644 master-standalone/containeruser.json create mode 100644 master-standalone/linuxcontaineruser-v1.json create mode 100644 master-standalone/linuxcontaineruser.json create mode 100644 master/containeruser-v1.json create mode 100644 master/containeruser.json create mode 100644 master/linuxcontaineruser-v1.json create mode 100644 master/linuxcontaineruser.json diff --git a/master-local/_definitions.json b/master-local/_definitions.json index 0a1c717273..a99c388b13 100644 --- a/master-local/_definitions.json +++ b/master-local/_definitions.json @@ -6690,6 +6690,10 @@ "$ref": "#/definitions/io.k8s.api.core.v1.ContainerState", "description": "State holds details about the container's current condition." }, + "user": { + "$ref": "#/definitions/io.k8s.api.core.v1.ContainerUser", + "description": "User represents user identity information initially attached to the first process of the container" + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -6713,6 +6717,16 @@ ], "type": "object" }, + "io.k8s.api.core.v1.ContainerUser": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "$ref": "#/definitions/io.k8s.api.core.v1.LinuxContainerUser", + "description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so." + } + }, + "type": "object" + }, "io.k8s.api.core.v1.DaemonEndpoint": { "description": "DaemonEndpoint contains information about a single Daemon endpoint.", "properties": { @@ -7998,6 +8012,35 @@ ], "type": "object" }, + "io.k8s.api.core.v1.LinuxContainerUser": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": "integer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object" + }, "io.k8s.api.core.v1.LoadBalancerIngress": { "description": "LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.", "properties": { @@ -9632,7 +9675,7 @@ "description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows." }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer" @@ -9640,6 +9683,10 @@ "type": "array", "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": "string" + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -9782,7 +9829,7 @@ }, "os": { "$ref": "#/definitions/io.k8s.api.core.v1.PodOS", - "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" + "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" }, "overhead": { "additionalProperties": { diff --git a/master-local/all.json b/master-local/all.json index e40386d82e..a9150cc693 100644 --- a/master-local/all.json +++ b/master-local/all.json @@ -660,6 +660,9 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerUser" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.DaemonEndpoint" }, @@ -789,6 +792,9 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LimitRangeSpec" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LinuxContainerUser" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LoadBalancerIngress" }, diff --git a/master-local/containerstatus-v1.json b/master-local/containerstatus-v1.json index a7e140a8f9..71e03ae54e 100644 --- a/master-local/containerstatus-v1.json +++ b/master-local/containerstatus-v1.json @@ -73,6 +73,10 @@ "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerState", "description": "State holds details about the container's current condition." }, + "user": { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerUser", + "description": "User represents user identity information initially attached to the first process of the container" + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-local/containerstatus.json b/master-local/containerstatus.json index a7e140a8f9..71e03ae54e 100644 --- a/master-local/containerstatus.json +++ b/master-local/containerstatus.json @@ -73,6 +73,10 @@ "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerState", "description": "State holds details about the container's current condition." }, + "user": { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerUser", + "description": "User represents user identity information initially attached to the first process of the container" + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-local/containeruser-v1.json b/master-local/containeruser-v1.json new file mode 100644 index 0000000000..871d1296f0 --- /dev/null +++ b/master-local/containeruser-v1.json @@ -0,0 +1,11 @@ +{ + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LinuxContainerUser", + "description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/containeruser.json b/master-local/containeruser.json new file mode 100644 index 0000000000..871d1296f0 --- /dev/null +++ b/master-local/containeruser.json @@ -0,0 +1,11 @@ +{ + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LinuxContainerUser", + "description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/linuxcontaineruser-v1.json b/master-local/linuxcontaineruser-v1.json new file mode 100644 index 0000000000..3f198ab63c --- /dev/null +++ b/master-local/linuxcontaineruser-v1.json @@ -0,0 +1,42 @@ +{ + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/linuxcontaineruser.json b/master-local/linuxcontaineruser.json new file mode 100644 index 0000000000..3f198ab63c --- /dev/null +++ b/master-local/linuxcontaineruser.json @@ -0,0 +1,42 @@ +{ + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/podsecuritycontext-v1.json b/master-local/podsecuritycontext-v1.json index 3f8a4cab7a..cd2f82e6d8 100644 --- a/master-local/podsecuritycontext-v1.json +++ b/master-local/podsecuritycontext-v1.json @@ -52,7 +52,7 @@ "description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows." }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -66,6 +66,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-local/podsecuritycontext.json b/master-local/podsecuritycontext.json index 3f8a4cab7a..cd2f82e6d8 100644 --- a/master-local/podsecuritycontext.json +++ b/master-local/podsecuritycontext.json @@ -52,7 +52,7 @@ "description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows." }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -66,6 +66,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-local/podspec-v1.json b/master-local/podspec-v1.json index 7a1eaf707c..d36c3ce5e1 100644 --- a/master-local/podspec-v1.json +++ b/master-local/podspec-v1.json @@ -176,7 +176,7 @@ }, "os": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PodOS", - "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" + "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" }, "overhead": { "additionalProperties": { diff --git a/master-local/podspec.json b/master-local/podspec.json index 7a1eaf707c..d36c3ce5e1 100644 --- a/master-local/podspec.json +++ b/master-local/podspec.json @@ -176,7 +176,7 @@ }, "os": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PodOS", - "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" + "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" }, "overhead": { "additionalProperties": { diff --git a/master-standalone-strict/_definitions.json b/master-standalone-strict/_definitions.json index 54e9fc9035..35da0fef66 100644 --- a/master-standalone-strict/_definitions.json +++ b/master-standalone-strict/_definitions.json @@ -6908,6 +6908,10 @@ "$ref": "#/definitions/io.k8s.api.core.v1.ContainerState", "description": "State holds details about the container's current condition." }, + "user": { + "$ref": "#/definitions/io.k8s.api.core.v1.ContainerUser", + "description": "User represents user identity information initially attached to the first process of the container" + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -6932,6 +6936,17 @@ "type": "object", "additionalProperties": false }, + "io.k8s.api.core.v1.ContainerUser": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "$ref": "#/definitions/io.k8s.api.core.v1.LinuxContainerUser", + "description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so." + } + }, + "type": "object", + "additionalProperties": false + }, "io.k8s.api.core.v1.DaemonEndpoint": { "description": "DaemonEndpoint contains information about a single Daemon endpoint.", "properties": { @@ -8260,6 +8275,36 @@ "type": "object", "additionalProperties": false }, + "io.k8s.api.core.v1.LinuxContainerUser": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": "integer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "additionalProperties": false + }, "io.k8s.api.core.v1.LoadBalancerIngress": { "description": "LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.", "properties": { @@ -9949,7 +9994,7 @@ "description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows." }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer" @@ -9957,6 +10002,10 @@ "type": "array", "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": "string" + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10100,7 +10149,7 @@ }, "os": { "$ref": "#/definitions/io.k8s.api.core.v1.PodOS", - "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" + "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" }, "overhead": { "additionalProperties": { diff --git a/master-standalone-strict/all.json b/master-standalone-strict/all.json index e40386d82e..a9150cc693 100644 --- a/master-standalone-strict/all.json +++ b/master-standalone-strict/all.json @@ -660,6 +660,9 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerUser" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.DaemonEndpoint" }, @@ -789,6 +792,9 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LimitRangeSpec" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LinuxContainerUser" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LoadBalancerIngress" }, diff --git a/master-standalone-strict/containerstatus-v1.json b/master-standalone-strict/containerstatus-v1.json index b7812430d1..56f79ac32c 100644 --- a/master-standalone-strict/containerstatus-v1.json +++ b/master-standalone-strict/containerstatus-v1.json @@ -388,6 +388,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone-strict/containerstatus.json b/master-standalone-strict/containerstatus.json index b7812430d1..56f79ac32c 100644 --- a/master-standalone-strict/containerstatus.json +++ b/master-standalone-strict/containerstatus.json @@ -388,6 +388,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone-strict/containeruser-v1.json b/master-standalone-strict/containeruser-v1.json new file mode 100644 index 0000000000..11eed4bb36 --- /dev/null +++ b/master-standalone-strict/containeruser-v1.json @@ -0,0 +1,47 @@ +{ + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/containeruser.json b/master-standalone-strict/containeruser.json new file mode 100644 index 0000000000..11eed4bb36 --- /dev/null +++ b/master-standalone-strict/containeruser.json @@ -0,0 +1,47 @@ +{ + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/cronjob-batch-v1.json b/master-standalone-strict/cronjob-batch-v1.json index 5636644783..b2bc51c44a 100644 --- a/master-standalone-strict/cronjob-batch-v1.json +++ b/master-standalone-strict/cronjob-batch-v1.json @@ -8506,7 +8506,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8520,6 +8520,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/cronjob.json b/master-standalone-strict/cronjob.json index 2cd595a31a..bf4ff21063 100644 --- a/master-standalone-strict/cronjob.json +++ b/master-standalone-strict/cronjob.json @@ -8503,7 +8503,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8517,6 +8517,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/cronjoblist-batch-v1.json b/master-standalone-strict/cronjoblist-batch-v1.json index 804136ccc5..1bcc3693df 100644 --- a/master-standalone-strict/cronjoblist-batch-v1.json +++ b/master-standalone-strict/cronjoblist-batch-v1.json @@ -8521,7 +8521,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8535,6 +8535,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/cronjoblist.json b/master-standalone-strict/cronjoblist.json index 3bbda42fce..15cc247eba 100644 --- a/master-standalone-strict/cronjoblist.json +++ b/master-standalone-strict/cronjoblist.json @@ -8515,7 +8515,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8529,6 +8529,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/cronjobspec-batch-v1.json b/master-standalone-strict/cronjobspec-batch-v1.json index 9d36ae9c5f..1b289d4085 100644 --- a/master-standalone-strict/cronjobspec-batch-v1.json +++ b/master-standalone-strict/cronjobspec-batch-v1.json @@ -8230,7 +8230,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8244,6 +8244,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/cronjobspec.json b/master-standalone-strict/cronjobspec.json index 9d36ae9c5f..1b289d4085 100644 --- a/master-standalone-strict/cronjobspec.json +++ b/master-standalone-strict/cronjobspec.json @@ -8230,7 +8230,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8244,6 +8244,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/daemonset-apps-v1.json b/master-standalone-strict/daemonset-apps-v1.json index 001345b34c..789e326d8b 100644 --- a/master-standalone-strict/daemonset-apps-v1.json +++ b/master-standalone-strict/daemonset-apps-v1.json @@ -8017,7 +8017,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8031,6 +8031,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/daemonset.json b/master-standalone-strict/daemonset.json index 8a4b453981..3924a27336 100644 --- a/master-standalone-strict/daemonset.json +++ b/master-standalone-strict/daemonset.json @@ -8014,7 +8014,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8028,6 +8028,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/daemonsetlist-apps-v1.json b/master-standalone-strict/daemonsetlist-apps-v1.json index 2c742817e3..28b556091a 100644 --- a/master-standalone-strict/daemonsetlist-apps-v1.json +++ b/master-standalone-strict/daemonsetlist-apps-v1.json @@ -8032,7 +8032,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8046,6 +8046,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/daemonsetlist.json b/master-standalone-strict/daemonsetlist.json index f10de4bc3a..fe4f8c0517 100644 --- a/master-standalone-strict/daemonsetlist.json +++ b/master-standalone-strict/daemonsetlist.json @@ -8026,7 +8026,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8040,6 +8040,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/daemonsetspec-apps-v1.json b/master-standalone-strict/daemonsetspec-apps-v1.json index 5a87364bb4..b8c4c1d5d0 100644 --- a/master-standalone-strict/daemonsetspec-apps-v1.json +++ b/master-standalone-strict/daemonsetspec-apps-v1.json @@ -7744,7 +7744,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7758,6 +7758,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/daemonsetspec.json b/master-standalone-strict/daemonsetspec.json index 5a87364bb4..b8c4c1d5d0 100644 --- a/master-standalone-strict/daemonsetspec.json +++ b/master-standalone-strict/daemonsetspec.json @@ -7744,7 +7744,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7758,6 +7758,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/deployment-apps-v1.json b/master-standalone-strict/deployment-apps-v1.json index ddffe8603e..5672b9ca62 100644 --- a/master-standalone-strict/deployment-apps-v1.json +++ b/master-standalone-strict/deployment-apps-v1.json @@ -8099,7 +8099,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8113,6 +8113,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/deployment.json b/master-standalone-strict/deployment.json index 73eaa8d8c0..000fc44728 100644 --- a/master-standalone-strict/deployment.json +++ b/master-standalone-strict/deployment.json @@ -8096,7 +8096,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8110,6 +8110,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/deploymentlist-apps-v1.json b/master-standalone-strict/deploymentlist-apps-v1.json index 414eab4b73..7c98f5d141 100644 --- a/master-standalone-strict/deploymentlist-apps-v1.json +++ b/master-standalone-strict/deploymentlist-apps-v1.json @@ -8114,7 +8114,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8128,6 +8128,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/deploymentlist.json b/master-standalone-strict/deploymentlist.json index fa5e9bc355..a9689faa9e 100644 --- a/master-standalone-strict/deploymentlist.json +++ b/master-standalone-strict/deploymentlist.json @@ -8108,7 +8108,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8122,6 +8122,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/deploymentspec-apps-v1.json b/master-standalone-strict/deploymentspec-apps-v1.json index baa39ceff3..9601ead733 100644 --- a/master-standalone-strict/deploymentspec-apps-v1.json +++ b/master-standalone-strict/deploymentspec-apps-v1.json @@ -7826,7 +7826,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7840,6 +7840,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/deploymentspec.json b/master-standalone-strict/deploymentspec.json index baa39ceff3..9601ead733 100644 --- a/master-standalone-strict/deploymentspec.json +++ b/master-standalone-strict/deploymentspec.json @@ -7826,7 +7826,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7840,6 +7840,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/job-batch-v1.json b/master-standalone-strict/job-batch-v1.json index 6da4889b1a..203c09a7e2 100644 --- a/master-standalone-strict/job-batch-v1.json +++ b/master-standalone-strict/job-batch-v1.json @@ -8232,7 +8232,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8246,6 +8246,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/job.json b/master-standalone-strict/job.json index b543aa1b37..1f0aaa8161 100644 --- a/master-standalone-strict/job.json +++ b/master-standalone-strict/job.json @@ -8229,7 +8229,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8243,6 +8243,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/joblist-batch-v1.json b/master-standalone-strict/joblist-batch-v1.json index 74d2f1333e..e1206b82cc 100644 --- a/master-standalone-strict/joblist-batch-v1.json +++ b/master-standalone-strict/joblist-batch-v1.json @@ -8247,7 +8247,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8261,6 +8261,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/joblist.json b/master-standalone-strict/joblist.json index bba233fe73..87b18b870e 100644 --- a/master-standalone-strict/joblist.json +++ b/master-standalone-strict/joblist.json @@ -8241,7 +8241,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8255,6 +8255,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/jobspec-batch-v1.json b/master-standalone-strict/jobspec-batch-v1.json index f113dd5a34..668f3fd794 100644 --- a/master-standalone-strict/jobspec-batch-v1.json +++ b/master-standalone-strict/jobspec-batch-v1.json @@ -7956,7 +7956,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7970,6 +7970,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/jobspec.json b/master-standalone-strict/jobspec.json index f113dd5a34..668f3fd794 100644 --- a/master-standalone-strict/jobspec.json +++ b/master-standalone-strict/jobspec.json @@ -7956,7 +7956,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7970,6 +7970,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/jobtemplatespec-batch-v1.json b/master-standalone-strict/jobtemplatespec-batch-v1.json index 713ea577b3..f01359e28f 100644 --- a/master-standalone-strict/jobtemplatespec-batch-v1.json +++ b/master-standalone-strict/jobtemplatespec-batch-v1.json @@ -8212,7 +8212,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8226,6 +8226,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/jobtemplatespec.json b/master-standalone-strict/jobtemplatespec.json index 713ea577b3..f01359e28f 100644 --- a/master-standalone-strict/jobtemplatespec.json +++ b/master-standalone-strict/jobtemplatespec.json @@ -8212,7 +8212,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8226,6 +8226,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/linuxcontaineruser-v1.json b/master-standalone-strict/linuxcontaineruser-v1.json new file mode 100644 index 0000000000..059c92f64a --- /dev/null +++ b/master-standalone-strict/linuxcontaineruser-v1.json @@ -0,0 +1,43 @@ +{ + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/linuxcontaineruser.json b/master-standalone-strict/linuxcontaineruser.json new file mode 100644 index 0000000000..059c92f64a --- /dev/null +++ b/master-standalone-strict/linuxcontaineruser.json @@ -0,0 +1,43 @@ +{ + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/pod-v1.json b/master-standalone-strict/pod-v1.json index acdc658018..9b7ddec419 100644 --- a/master-standalone-strict/pod-v1.json +++ b/master-standalone-strict/pod-v1.json @@ -7677,7 +7677,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7691,6 +7691,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10796,6 +10803,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11242,6 +11298,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11722,6 +11827,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone-strict/pod.json b/master-standalone-strict/pod.json index e49b5e1c6d..c2541b1403 100644 --- a/master-standalone-strict/pod.json +++ b/master-standalone-strict/pod.json @@ -7674,7 +7674,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7688,6 +7688,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10793,6 +10800,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11239,6 +11295,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11719,6 +11824,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone-strict/podlist-v1.json b/master-standalone-strict/podlist-v1.json index b2262f46d4..ebbd0dca33 100644 --- a/master-standalone-strict/podlist-v1.json +++ b/master-standalone-strict/podlist-v1.json @@ -7692,7 +7692,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7706,6 +7706,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10811,6 +10818,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11257,6 +11313,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11737,6 +11842,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone-strict/podlist.json b/master-standalone-strict/podlist.json index 6f332e7332..54ea744302 100644 --- a/master-standalone-strict/podlist.json +++ b/master-standalone-strict/podlist.json @@ -7686,7 +7686,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7700,6 +7700,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10805,6 +10812,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11251,6 +11307,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11731,6 +11836,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone-strict/podsecuritycontext-v1.json b/master-standalone-strict/podsecuritycontext-v1.json index 61519db3d0..c5e306f130 100644 --- a/master-standalone-strict/podsecuritycontext-v1.json +++ b/master-standalone-strict/podsecuritycontext-v1.json @@ -142,7 +142,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -156,6 +156,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podsecuritycontext.json b/master-standalone-strict/podsecuritycontext.json index 61519db3d0..c5e306f130 100644 --- a/master-standalone-strict/podsecuritycontext.json +++ b/master-standalone-strict/podsecuritycontext.json @@ -142,7 +142,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -156,6 +156,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podspec-v1.json b/master-standalone-strict/podspec-v1.json index 7424b06061..b42cc4eb6a 100644 --- a/master-standalone-strict/podspec-v1.json +++ b/master-standalone-strict/podspec-v1.json @@ -7404,7 +7404,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7418,6 +7418,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podspec.json b/master-standalone-strict/podspec.json index 7424b06061..b42cc4eb6a 100644 --- a/master-standalone-strict/podspec.json +++ b/master-standalone-strict/podspec.json @@ -7404,7 +7404,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7418,6 +7418,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podstatus-v1.json b/master-standalone-strict/podstatus-v1.json index 28b456f02b..1a3e62ee24 100644 --- a/master-standalone-strict/podstatus-v1.json +++ b/master-standalone-strict/podstatus-v1.json @@ -443,6 +443,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -889,6 +938,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -1369,6 +1467,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone-strict/podstatus.json b/master-standalone-strict/podstatus.json index 28b456f02b..1a3e62ee24 100644 --- a/master-standalone-strict/podstatus.json +++ b/master-standalone-strict/podstatus.json @@ -443,6 +443,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -889,6 +938,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -1369,6 +1467,55 @@ ], "additionalProperties": false }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone-strict/podtemplate-v1.json b/master-standalone-strict/podtemplate-v1.json index eb99b7f820..10f27dea40 100644 --- a/master-standalone-strict/podtemplate-v1.json +++ b/master-standalone-strict/podtemplate-v1.json @@ -7933,7 +7933,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7947,6 +7947,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podtemplate.json b/master-standalone-strict/podtemplate.json index 5f3a77f4db..a8ea667bf0 100644 --- a/master-standalone-strict/podtemplate.json +++ b/master-standalone-strict/podtemplate.json @@ -7930,7 +7930,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7944,6 +7944,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podtemplatelist-v1.json b/master-standalone-strict/podtemplatelist-v1.json index dede0c68a1..7afc850833 100644 --- a/master-standalone-strict/podtemplatelist-v1.json +++ b/master-standalone-strict/podtemplatelist-v1.json @@ -7948,7 +7948,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7962,6 +7962,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podtemplatelist.json b/master-standalone-strict/podtemplatelist.json index f81c3b6798..30d6bb8444 100644 --- a/master-standalone-strict/podtemplatelist.json +++ b/master-standalone-strict/podtemplatelist.json @@ -7942,7 +7942,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7956,6 +7956,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podtemplatespec-v1.json b/master-standalone-strict/podtemplatespec-v1.json index 74b1adec69..cfe10810b0 100644 --- a/master-standalone-strict/podtemplatespec-v1.json +++ b/master-standalone-strict/podtemplatespec-v1.json @@ -7657,7 +7657,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7671,6 +7671,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/podtemplatespec.json b/master-standalone-strict/podtemplatespec.json index 74b1adec69..cfe10810b0 100644 --- a/master-standalone-strict/podtemplatespec.json +++ b/master-standalone-strict/podtemplatespec.json @@ -7657,7 +7657,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7671,6 +7671,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicaset-apps-v1.json b/master-standalone-strict/replicaset-apps-v1.json index 9197a2e44a..7bdc398b01 100644 --- a/master-standalone-strict/replicaset-apps-v1.json +++ b/master-standalone-strict/replicaset-apps-v1.json @@ -8017,7 +8017,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8031,6 +8031,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicaset.json b/master-standalone-strict/replicaset.json index 8a882fa5a8..33d5b8be0a 100644 --- a/master-standalone-strict/replicaset.json +++ b/master-standalone-strict/replicaset.json @@ -8014,7 +8014,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8028,6 +8028,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicasetlist-apps-v1.json b/master-standalone-strict/replicasetlist-apps-v1.json index 4701a74089..462cfe5b95 100644 --- a/master-standalone-strict/replicasetlist-apps-v1.json +++ b/master-standalone-strict/replicasetlist-apps-v1.json @@ -8032,7 +8032,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8046,6 +8046,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicasetlist.json b/master-standalone-strict/replicasetlist.json index 3b91908d55..7528733f7a 100644 --- a/master-standalone-strict/replicasetlist.json +++ b/master-standalone-strict/replicasetlist.json @@ -8026,7 +8026,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8040,6 +8040,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicasetspec-apps-v1.json b/master-standalone-strict/replicasetspec-apps-v1.json index d1bbc0bf5b..62f002eae0 100644 --- a/master-standalone-strict/replicasetspec-apps-v1.json +++ b/master-standalone-strict/replicasetspec-apps-v1.json @@ -7744,7 +7744,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7758,6 +7758,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicasetspec.json b/master-standalone-strict/replicasetspec.json index d1bbc0bf5b..62f002eae0 100644 --- a/master-standalone-strict/replicasetspec.json +++ b/master-standalone-strict/replicasetspec.json @@ -7744,7 +7744,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7758,6 +7758,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicationcontroller-v1.json b/master-standalone-strict/replicationcontroller-v1.json index 42c916bc41..6ad7d23add 100644 --- a/master-standalone-strict/replicationcontroller-v1.json +++ b/master-standalone-strict/replicationcontroller-v1.json @@ -7966,7 +7966,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7980,6 +7980,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicationcontroller.json b/master-standalone-strict/replicationcontroller.json index 0dc1c81b53..1b577304a7 100644 --- a/master-standalone-strict/replicationcontroller.json +++ b/master-standalone-strict/replicationcontroller.json @@ -7963,7 +7963,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7977,6 +7977,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicationcontrollerlist-v1.json b/master-standalone-strict/replicationcontrollerlist-v1.json index 2e242abd2b..1736f4d0b5 100644 --- a/master-standalone-strict/replicationcontrollerlist-v1.json +++ b/master-standalone-strict/replicationcontrollerlist-v1.json @@ -7981,7 +7981,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7995,6 +7995,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicationcontrollerlist.json b/master-standalone-strict/replicationcontrollerlist.json index ff1de2c09b..9470606f78 100644 --- a/master-standalone-strict/replicationcontrollerlist.json +++ b/master-standalone-strict/replicationcontrollerlist.json @@ -7975,7 +7975,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7989,6 +7989,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicationcontrollerspec-v1.json b/master-standalone-strict/replicationcontrollerspec-v1.json index c0f0cf2bd9..88a6529d1a 100644 --- a/master-standalone-strict/replicationcontrollerspec-v1.json +++ b/master-standalone-strict/replicationcontrollerspec-v1.json @@ -7690,7 +7690,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7704,6 +7704,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/replicationcontrollerspec.json b/master-standalone-strict/replicationcontrollerspec.json index c0f0cf2bd9..88a6529d1a 100644 --- a/master-standalone-strict/replicationcontrollerspec.json +++ b/master-standalone-strict/replicationcontrollerspec.json @@ -7690,7 +7690,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7704,6 +7704,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/statefulset-apps-v1.json b/master-standalone-strict/statefulset-apps-v1.json index 6762e2dde1..8f448cd262 100644 --- a/master-standalone-strict/statefulset-apps-v1.json +++ b/master-standalone-strict/statefulset-apps-v1.json @@ -8078,7 +8078,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8092,6 +8092,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/statefulset.json b/master-standalone-strict/statefulset.json index a8c7509c31..b62e90bfcd 100644 --- a/master-standalone-strict/statefulset.json +++ b/master-standalone-strict/statefulset.json @@ -8075,7 +8075,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8089,6 +8089,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/statefulsetlist-apps-v1.json b/master-standalone-strict/statefulsetlist-apps-v1.json index 2b7bfb8f71..2db5128181 100644 --- a/master-standalone-strict/statefulsetlist-apps-v1.json +++ b/master-standalone-strict/statefulsetlist-apps-v1.json @@ -8093,7 +8093,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8107,6 +8107,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/statefulsetlist.json b/master-standalone-strict/statefulsetlist.json index ad16d94f3f..ae1b466a10 100644 --- a/master-standalone-strict/statefulsetlist.json +++ b/master-standalone-strict/statefulsetlist.json @@ -8087,7 +8087,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8101,6 +8101,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/statefulsetspec-apps-v1.json b/master-standalone-strict/statefulsetspec-apps-v1.json index c809e2a3c9..d1146da7fb 100644 --- a/master-standalone-strict/statefulsetspec-apps-v1.json +++ b/master-standalone-strict/statefulsetspec-apps-v1.json @@ -7808,7 +7808,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7822,6 +7822,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone-strict/statefulsetspec.json b/master-standalone-strict/statefulsetspec.json index df345c6c7f..139a220d71 100644 --- a/master-standalone-strict/statefulsetspec.json +++ b/master-standalone-strict/statefulsetspec.json @@ -7808,7 +7808,7 @@ "additionalProperties": false }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7822,6 +7822,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/_definitions.json b/master-standalone/_definitions.json index 0a1c717273..a99c388b13 100644 --- a/master-standalone/_definitions.json +++ b/master-standalone/_definitions.json @@ -6690,6 +6690,10 @@ "$ref": "#/definitions/io.k8s.api.core.v1.ContainerState", "description": "State holds details about the container's current condition." }, + "user": { + "$ref": "#/definitions/io.k8s.api.core.v1.ContainerUser", + "description": "User represents user identity information initially attached to the first process of the container" + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -6713,6 +6717,16 @@ ], "type": "object" }, + "io.k8s.api.core.v1.ContainerUser": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "$ref": "#/definitions/io.k8s.api.core.v1.LinuxContainerUser", + "description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so." + } + }, + "type": "object" + }, "io.k8s.api.core.v1.DaemonEndpoint": { "description": "DaemonEndpoint contains information about a single Daemon endpoint.", "properties": { @@ -7998,6 +8012,35 @@ ], "type": "object" }, + "io.k8s.api.core.v1.LinuxContainerUser": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": "integer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object" + }, "io.k8s.api.core.v1.LoadBalancerIngress": { "description": "LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.", "properties": { @@ -9632,7 +9675,7 @@ "description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows." }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer" @@ -9640,6 +9683,10 @@ "type": "array", "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": "string" + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -9782,7 +9829,7 @@ }, "os": { "$ref": "#/definitions/io.k8s.api.core.v1.PodOS", - "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" + "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" }, "overhead": { "additionalProperties": { diff --git a/master-standalone/all.json b/master-standalone/all.json index e40386d82e..a9150cc693 100644 --- a/master-standalone/all.json +++ b/master-standalone/all.json @@ -660,6 +660,9 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerUser" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.DaemonEndpoint" }, @@ -789,6 +792,9 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LimitRangeSpec" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LinuxContainerUser" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.LoadBalancerIngress" }, diff --git a/master-standalone/containerstatus-v1.json b/master-standalone/containerstatus-v1.json index 5763ea2c8f..7ea867372d 100644 --- a/master-standalone/containerstatus-v1.json +++ b/master-standalone/containerstatus-v1.json @@ -378,6 +378,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone/containerstatus.json b/master-standalone/containerstatus.json index 5763ea2c8f..7ea867372d 100644 --- a/master-standalone/containerstatus.json +++ b/master-standalone/containerstatus.json @@ -378,6 +378,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone/containeruser-v1.json b/master-standalone/containeruser-v1.json new file mode 100644 index 0000000000..5601de1705 --- /dev/null +++ b/master-standalone/containeruser-v1.json @@ -0,0 +1,45 @@ +{ + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/containeruser.json b/master-standalone/containeruser.json new file mode 100644 index 0000000000..5601de1705 --- /dev/null +++ b/master-standalone/containeruser.json @@ -0,0 +1,45 @@ +{ + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/cronjob-batch-v1.json b/master-standalone/cronjob-batch-v1.json index 733f69231b..7c4f827a7d 100644 --- a/master-standalone/cronjob-batch-v1.json +++ b/master-standalone/cronjob-batch-v1.json @@ -8284,7 +8284,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8298,6 +8298,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/cronjob.json b/master-standalone/cronjob.json index dc5d550ccb..5ef50e72e6 100644 --- a/master-standalone/cronjob.json +++ b/master-standalone/cronjob.json @@ -8281,7 +8281,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8295,6 +8295,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/cronjoblist-batch-v1.json b/master-standalone/cronjoblist-batch-v1.json index 61fe9c98d3..c2d6f24bfc 100644 --- a/master-standalone/cronjoblist-batch-v1.json +++ b/master-standalone/cronjoblist-batch-v1.json @@ -8299,7 +8299,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8313,6 +8313,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/cronjoblist.json b/master-standalone/cronjoblist.json index 4e75c78e2a..f2aa1754b2 100644 --- a/master-standalone/cronjoblist.json +++ b/master-standalone/cronjoblist.json @@ -8293,7 +8293,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8307,6 +8307,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/cronjobspec-batch-v1.json b/master-standalone/cronjobspec-batch-v1.json index ebe4924b82..797d3e1bb2 100644 --- a/master-standalone/cronjobspec-batch-v1.json +++ b/master-standalone/cronjobspec-batch-v1.json @@ -8011,7 +8011,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8025,6 +8025,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/cronjobspec.json b/master-standalone/cronjobspec.json index ebe4924b82..797d3e1bb2 100644 --- a/master-standalone/cronjobspec.json +++ b/master-standalone/cronjobspec.json @@ -8011,7 +8011,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8025,6 +8025,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/daemonset-apps-v1.json b/master-standalone/daemonset-apps-v1.json index cbcf5eb8f9..e6854c95e2 100644 --- a/master-standalone/daemonset-apps-v1.json +++ b/master-standalone/daemonset-apps-v1.json @@ -7804,7 +7804,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7818,6 +7818,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/daemonset.json b/master-standalone/daemonset.json index e5d37285eb..e27c230d0e 100644 --- a/master-standalone/daemonset.json +++ b/master-standalone/daemonset.json @@ -7801,7 +7801,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7815,6 +7815,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/daemonsetlist-apps-v1.json b/master-standalone/daemonsetlist-apps-v1.json index a09a89213c..94da5b32ec 100644 --- a/master-standalone/daemonsetlist-apps-v1.json +++ b/master-standalone/daemonsetlist-apps-v1.json @@ -7819,7 +7819,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7833,6 +7833,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/daemonsetlist.json b/master-standalone/daemonsetlist.json index c854204a81..2c1c12582b 100644 --- a/master-standalone/daemonsetlist.json +++ b/master-standalone/daemonsetlist.json @@ -7813,7 +7813,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7827,6 +7827,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/daemonsetspec-apps-v1.json b/master-standalone/daemonsetspec-apps-v1.json index 6913b40507..ce45c2d5f8 100644 --- a/master-standalone/daemonsetspec-apps-v1.json +++ b/master-standalone/daemonsetspec-apps-v1.json @@ -7534,7 +7534,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7548,6 +7548,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/daemonsetspec.json b/master-standalone/daemonsetspec.json index 6913b40507..ce45c2d5f8 100644 --- a/master-standalone/daemonsetspec.json +++ b/master-standalone/daemonsetspec.json @@ -7534,7 +7534,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7548,6 +7548,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/deployment-apps-v1.json b/master-standalone/deployment-apps-v1.json index b9bca85443..09189abf5c 100644 --- a/master-standalone/deployment-apps-v1.json +++ b/master-standalone/deployment-apps-v1.json @@ -7884,7 +7884,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7898,6 +7898,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/deployment.json b/master-standalone/deployment.json index e757cb00a9..187e53349b 100644 --- a/master-standalone/deployment.json +++ b/master-standalone/deployment.json @@ -7881,7 +7881,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7895,6 +7895,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/deploymentlist-apps-v1.json b/master-standalone/deploymentlist-apps-v1.json index 778af9a6f3..71d0955d76 100644 --- a/master-standalone/deploymentlist-apps-v1.json +++ b/master-standalone/deploymentlist-apps-v1.json @@ -7899,7 +7899,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7913,6 +7913,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/deploymentlist.json b/master-standalone/deploymentlist.json index 132f59bc83..1378bf8333 100644 --- a/master-standalone/deploymentlist.json +++ b/master-standalone/deploymentlist.json @@ -7893,7 +7893,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7907,6 +7907,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/deploymentspec-apps-v1.json b/master-standalone/deploymentspec-apps-v1.json index 21f2398f84..cf186db571 100644 --- a/master-standalone/deploymentspec-apps-v1.json +++ b/master-standalone/deploymentspec-apps-v1.json @@ -7614,7 +7614,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7628,6 +7628,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/deploymentspec.json b/master-standalone/deploymentspec.json index 21f2398f84..cf186db571 100644 --- a/master-standalone/deploymentspec.json +++ b/master-standalone/deploymentspec.json @@ -7614,7 +7614,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7628,6 +7628,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/job-batch-v1.json b/master-standalone/job-batch-v1.json index 5656df6c74..9d1c29040c 100644 --- a/master-standalone/job-batch-v1.json +++ b/master-standalone/job-batch-v1.json @@ -8013,7 +8013,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8027,6 +8027,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/job.json b/master-standalone/job.json index 0c0cda14d8..47ecebb49f 100644 --- a/master-standalone/job.json +++ b/master-standalone/job.json @@ -8010,7 +8010,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8024,6 +8024,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/joblist-batch-v1.json b/master-standalone/joblist-batch-v1.json index ef114a2452..221ac019cd 100644 --- a/master-standalone/joblist-batch-v1.json +++ b/master-standalone/joblist-batch-v1.json @@ -8028,7 +8028,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8042,6 +8042,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/joblist.json b/master-standalone/joblist.json index 12466bf089..3cfd8fc43d 100644 --- a/master-standalone/joblist.json +++ b/master-standalone/joblist.json @@ -8022,7 +8022,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8036,6 +8036,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/jobspec-batch-v1.json b/master-standalone/jobspec-batch-v1.json index ad322c2213..297607589b 100644 --- a/master-standalone/jobspec-batch-v1.json +++ b/master-standalone/jobspec-batch-v1.json @@ -7740,7 +7740,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7754,6 +7754,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/jobspec.json b/master-standalone/jobspec.json index ad322c2213..297607589b 100644 --- a/master-standalone/jobspec.json +++ b/master-standalone/jobspec.json @@ -7740,7 +7740,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7754,6 +7754,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/jobtemplatespec-batch-v1.json b/master-standalone/jobtemplatespec-batch-v1.json index d5dd2fde1c..f0d18ea4d7 100644 --- a/master-standalone/jobtemplatespec-batch-v1.json +++ b/master-standalone/jobtemplatespec-batch-v1.json @@ -7993,7 +7993,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8007,6 +8007,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/jobtemplatespec.json b/master-standalone/jobtemplatespec.json index d5dd2fde1c..f0d18ea4d7 100644 --- a/master-standalone/jobtemplatespec.json +++ b/master-standalone/jobtemplatespec.json @@ -7993,7 +7993,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -8007,6 +8007,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/linuxcontaineruser-v1.json b/master-standalone/linuxcontaineruser-v1.json new file mode 100644 index 0000000000..3f198ab63c --- /dev/null +++ b/master-standalone/linuxcontaineruser-v1.json @@ -0,0 +1,42 @@ +{ + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/linuxcontaineruser.json b/master-standalone/linuxcontaineruser.json new file mode 100644 index 0000000000..3f198ab63c --- /dev/null +++ b/master-standalone/linuxcontaineruser.json @@ -0,0 +1,42 @@ +{ + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/pod-v1.json b/master-standalone/pod-v1.json index 5b9b071480..6af794e873 100644 --- a/master-standalone/pod-v1.json +++ b/master-standalone/pod-v1.json @@ -7469,7 +7469,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7483,6 +7483,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10503,6 +10510,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -10937,6 +10991,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11404,6 +11505,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone/pod.json b/master-standalone/pod.json index 48778eedae..48b1f56c45 100644 --- a/master-standalone/pod.json +++ b/master-standalone/pod.json @@ -7466,7 +7466,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7480,6 +7480,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10500,6 +10507,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -10934,6 +10988,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11401,6 +11502,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone/podlist-v1.json b/master-standalone/podlist-v1.json index 0954115368..4626010db9 100644 --- a/master-standalone/podlist-v1.json +++ b/master-standalone/podlist-v1.json @@ -7484,7 +7484,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7498,6 +7498,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10518,6 +10525,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -10952,6 +11006,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11419,6 +11520,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone/podlist.json b/master-standalone/podlist.json index 400e8ec558..adc86b5d41 100644 --- a/master-standalone/podlist.json +++ b/master-standalone/podlist.json @@ -7478,7 +7478,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7492,6 +7492,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -10512,6 +10519,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -10946,6 +11000,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -11413,6 +11514,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone/podsecuritycontext-v1.json b/master-standalone/podsecuritycontext-v1.json index a55feac8ba..d9c6afc81d 100644 --- a/master-standalone/podsecuritycontext-v1.json +++ b/master-standalone/podsecuritycontext-v1.json @@ -139,7 +139,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -153,6 +153,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podsecuritycontext.json b/master-standalone/podsecuritycontext.json index a55feac8ba..d9c6afc81d 100644 --- a/master-standalone/podsecuritycontext.json +++ b/master-standalone/podsecuritycontext.json @@ -139,7 +139,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -153,6 +153,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podspec-v1.json b/master-standalone/podspec-v1.json index 957df3d917..0bdca6af3e 100644 --- a/master-standalone/podspec-v1.json +++ b/master-standalone/podspec-v1.json @@ -7199,7 +7199,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7213,6 +7213,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podspec.json b/master-standalone/podspec.json index 957df3d917..0bdca6af3e 100644 --- a/master-standalone/podspec.json +++ b/master-standalone/podspec.json @@ -7199,7 +7199,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7213,6 +7213,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podstatus-v1.json b/master-standalone/podstatus-v1.json index 24a0149054..a994438cd9 100644 --- a/master-standalone/podstatus-v1.json +++ b/master-standalone/podstatus-v1.json @@ -432,6 +432,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -866,6 +913,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -1333,6 +1427,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone/podstatus.json b/master-standalone/podstatus.json index 24a0149054..a994438cd9 100644 --- a/master-standalone/podstatus.json +++ b/master-standalone/podstatus.json @@ -432,6 +432,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -866,6 +913,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -1333,6 +1427,53 @@ "null" ] }, + "user": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master-standalone/podtemplate-v1.json b/master-standalone/podtemplate-v1.json index b4b313f74f..64995e0de5 100644 --- a/master-standalone/podtemplate-v1.json +++ b/master-standalone/podtemplate-v1.json @@ -7722,7 +7722,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7736,6 +7736,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podtemplate.json b/master-standalone/podtemplate.json index fba4ff1954..b131e5bcf7 100644 --- a/master-standalone/podtemplate.json +++ b/master-standalone/podtemplate.json @@ -7719,7 +7719,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7733,6 +7733,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podtemplatelist-v1.json b/master-standalone/podtemplatelist-v1.json index 093e2860bd..1cc7eeb2c5 100644 --- a/master-standalone/podtemplatelist-v1.json +++ b/master-standalone/podtemplatelist-v1.json @@ -7737,7 +7737,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7751,6 +7751,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podtemplatelist.json b/master-standalone/podtemplatelist.json index 09a66a2729..fa81c113c2 100644 --- a/master-standalone/podtemplatelist.json +++ b/master-standalone/podtemplatelist.json @@ -7731,7 +7731,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7745,6 +7745,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podtemplatespec-v1.json b/master-standalone/podtemplatespec-v1.json index 9169dc1ec5..3767ff2dc6 100644 --- a/master-standalone/podtemplatespec-v1.json +++ b/master-standalone/podtemplatespec-v1.json @@ -7449,7 +7449,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7463,6 +7463,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/podtemplatespec.json b/master-standalone/podtemplatespec.json index 9169dc1ec5..3767ff2dc6 100644 --- a/master-standalone/podtemplatespec.json +++ b/master-standalone/podtemplatespec.json @@ -7449,7 +7449,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7463,6 +7463,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicaset-apps-v1.json b/master-standalone/replicaset-apps-v1.json index 958f4b4144..f973aea2da 100644 --- a/master-standalone/replicaset-apps-v1.json +++ b/master-standalone/replicaset-apps-v1.json @@ -7804,7 +7804,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7818,6 +7818,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicaset.json b/master-standalone/replicaset.json index 6f0e5ffc11..26f066c9d2 100644 --- a/master-standalone/replicaset.json +++ b/master-standalone/replicaset.json @@ -7801,7 +7801,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7815,6 +7815,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicasetlist-apps-v1.json b/master-standalone/replicasetlist-apps-v1.json index 016c0d519c..9eaa4aaafb 100644 --- a/master-standalone/replicasetlist-apps-v1.json +++ b/master-standalone/replicasetlist-apps-v1.json @@ -7819,7 +7819,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7833,6 +7833,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicasetlist.json b/master-standalone/replicasetlist.json index 45e96d34eb..2ba69d3571 100644 --- a/master-standalone/replicasetlist.json +++ b/master-standalone/replicasetlist.json @@ -7813,7 +7813,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7827,6 +7827,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicasetspec-apps-v1.json b/master-standalone/replicasetspec-apps-v1.json index aa3d8b25e9..ab2414dd37 100644 --- a/master-standalone/replicasetspec-apps-v1.json +++ b/master-standalone/replicasetspec-apps-v1.json @@ -7534,7 +7534,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7548,6 +7548,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicasetspec.json b/master-standalone/replicasetspec.json index aa3d8b25e9..ab2414dd37 100644 --- a/master-standalone/replicasetspec.json +++ b/master-standalone/replicasetspec.json @@ -7534,7 +7534,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7548,6 +7548,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicationcontroller-v1.json b/master-standalone/replicationcontroller-v1.json index 62939f53fd..b86fa95d2a 100644 --- a/master-standalone/replicationcontroller-v1.json +++ b/master-standalone/replicationcontroller-v1.json @@ -7755,7 +7755,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7769,6 +7769,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicationcontroller.json b/master-standalone/replicationcontroller.json index a81bbaf334..c46705460f 100644 --- a/master-standalone/replicationcontroller.json +++ b/master-standalone/replicationcontroller.json @@ -7752,7 +7752,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7766,6 +7766,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicationcontrollerlist-v1.json b/master-standalone/replicationcontrollerlist-v1.json index 0581ca7ca1..0442ef1c04 100644 --- a/master-standalone/replicationcontrollerlist-v1.json +++ b/master-standalone/replicationcontrollerlist-v1.json @@ -7770,7 +7770,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7784,6 +7784,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicationcontrollerlist.json b/master-standalone/replicationcontrollerlist.json index d06492fbec..fb44b9016b 100644 --- a/master-standalone/replicationcontrollerlist.json +++ b/master-standalone/replicationcontrollerlist.json @@ -7764,7 +7764,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7778,6 +7778,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicationcontrollerspec-v1.json b/master-standalone/replicationcontrollerspec-v1.json index da758bd6e3..b677f2875a 100644 --- a/master-standalone/replicationcontrollerspec-v1.json +++ b/master-standalone/replicationcontrollerspec-v1.json @@ -7482,7 +7482,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7496,6 +7496,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/replicationcontrollerspec.json b/master-standalone/replicationcontrollerspec.json index da758bd6e3..b677f2875a 100644 --- a/master-standalone/replicationcontrollerspec.json +++ b/master-standalone/replicationcontrollerspec.json @@ -7482,7 +7482,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7496,6 +7496,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/statefulset-apps-v1.json b/master-standalone/statefulset-apps-v1.json index f61a302d54..1152e1a561 100644 --- a/master-standalone/statefulset-apps-v1.json +++ b/master-standalone/statefulset-apps-v1.json @@ -7863,7 +7863,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7877,6 +7877,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/statefulset.json b/master-standalone/statefulset.json index b5cf99d468..30e7748d6a 100644 --- a/master-standalone/statefulset.json +++ b/master-standalone/statefulset.json @@ -7860,7 +7860,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7874,6 +7874,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/statefulsetlist-apps-v1.json b/master-standalone/statefulsetlist-apps-v1.json index 92b644d856..fde7ce005c 100644 --- a/master-standalone/statefulsetlist-apps-v1.json +++ b/master-standalone/statefulsetlist-apps-v1.json @@ -7878,7 +7878,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7892,6 +7892,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/statefulsetlist.json b/master-standalone/statefulsetlist.json index 5da72337c7..3f0483016e 100644 --- a/master-standalone/statefulsetlist.json +++ b/master-standalone/statefulsetlist.json @@ -7872,7 +7872,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7886,6 +7886,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/statefulsetspec-apps-v1.json b/master-standalone/statefulsetspec-apps-v1.json index 556dc31156..6115df171a 100644 --- a/master-standalone/statefulsetspec-apps-v1.json +++ b/master-standalone/statefulsetspec-apps-v1.json @@ -7596,7 +7596,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7610,6 +7610,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master-standalone/statefulsetspec.json b/master-standalone/statefulsetspec.json index 2d78a4a1a4..067cc71699 100644 --- a/master-standalone/statefulsetspec.json +++ b/master-standalone/statefulsetspec.json @@ -7596,7 +7596,7 @@ ] }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -7610,6 +7610,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master/_definitions.json b/master/_definitions.json index 0a1c717273..a99c388b13 100644 --- a/master/_definitions.json +++ b/master/_definitions.json @@ -6690,6 +6690,10 @@ "$ref": "#/definitions/io.k8s.api.core.v1.ContainerState", "description": "State holds details about the container's current condition." }, + "user": { + "$ref": "#/definitions/io.k8s.api.core.v1.ContainerUser", + "description": "User represents user identity information initially attached to the first process of the container" + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { @@ -6713,6 +6717,16 @@ ], "type": "object" }, + "io.k8s.api.core.v1.ContainerUser": { + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "$ref": "#/definitions/io.k8s.api.core.v1.LinuxContainerUser", + "description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so." + } + }, + "type": "object" + }, "io.k8s.api.core.v1.DaemonEndpoint": { "description": "DaemonEndpoint contains information about a single Daemon endpoint.", "properties": { @@ -7998,6 +8012,35 @@ ], "type": "object" }, + "io.k8s.api.core.v1.LinuxContainerUser": { + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": "integer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object" + }, "io.k8s.api.core.v1.LoadBalancerIngress": { "description": "LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.", "properties": { @@ -9632,7 +9675,7 @@ "description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows." }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer" @@ -9640,6 +9683,10 @@ "type": "array", "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": "string" + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { @@ -9782,7 +9829,7 @@ }, "os": { "$ref": "#/definitions/io.k8s.api.core.v1.PodOS", - "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" + "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" }, "overhead": { "additionalProperties": { diff --git a/master/all.json b/master/all.json index cc5f1f1361..00bbe60bc3 100644 --- a/master/all.json +++ b/master/all.json @@ -660,6 +660,9 @@ { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerUser" + }, { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.DaemonEndpoint" }, @@ -789,6 +792,9 @@ { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.LimitRangeSpec" }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.LinuxContainerUser" + }, { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.LoadBalancerIngress" }, diff --git a/master/containerstatus-v1.json b/master/containerstatus-v1.json index e881abab6c..76ab6c78e7 100644 --- a/master/containerstatus-v1.json +++ b/master/containerstatus-v1.json @@ -73,6 +73,10 @@ "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerState", "description": "State holds details about the container's current condition." }, + "user": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerUser", + "description": "User represents user identity information initially attached to the first process of the container" + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master/containerstatus.json b/master/containerstatus.json index e881abab6c..76ab6c78e7 100644 --- a/master/containerstatus.json +++ b/master/containerstatus.json @@ -73,6 +73,10 @@ "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerState", "description": "State holds details about the container's current condition." }, + "user": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerUser", + "description": "User represents user identity information initially attached to the first process of the container" + }, "volumeMounts": { "description": "Status of volume mounts.", "items": { diff --git a/master/containeruser-v1.json b/master/containeruser-v1.json new file mode 100644 index 0000000000..586584c09d --- /dev/null +++ b/master/containeruser-v1.json @@ -0,0 +1,11 @@ +{ + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.LinuxContainerUser", + "description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/containeruser.json b/master/containeruser.json new file mode 100644 index 0000000000..586584c09d --- /dev/null +++ b/master/containeruser.json @@ -0,0 +1,11 @@ +{ + "description": "ContainerUser represents user identity information", + "properties": { + "linux": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.LinuxContainerUser", + "description": "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/linuxcontaineruser-v1.json b/master/linuxcontaineruser-v1.json new file mode 100644 index 0000000000..3f198ab63c --- /dev/null +++ b/master/linuxcontaineruser-v1.json @@ -0,0 +1,42 @@ +{ + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/linuxcontaineruser.json b/master/linuxcontaineruser.json new file mode 100644 index 0000000000..3f198ab63c --- /dev/null +++ b/master/linuxcontaineruser.json @@ -0,0 +1,42 @@ +{ + "description": "LinuxContainerUser represents user identity information in Linux containers", + "properties": { + "gid": { + "description": "GID is the primary gid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "supplementalGroups": { + "description": "SupplementalGroups are the supplemental groups initially attached to the first process in the container", + "items": { + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "uid": { + "description": "UID is the primary uid initially attached to the first process in the container", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "uid", + "gid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/podsecuritycontext-v1.json b/master/podsecuritycontext-v1.json index 0c9f745523..f80b38f8b4 100644 --- a/master/podsecuritycontext-v1.json +++ b/master/podsecuritycontext-v1.json @@ -52,7 +52,7 @@ "description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows." }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -66,6 +66,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master/podsecuritycontext.json b/master/podsecuritycontext.json index 0c9f745523..f80b38f8b4 100644 --- a/master/podsecuritycontext.json +++ b/master/podsecuritycontext.json @@ -52,7 +52,7 @@ "description": "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows." }, "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.", + "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": [ @@ -66,6 +66,13 @@ ], "x-kubernetes-list-type": "atomic" }, + "supplementalGroupsPolicy": { + "description": "Defines how supplemental groups of the first container processes are calculated. Valid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.", + "type": [ + "string", + "null" + ] + }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", "items": { diff --git a/master/podspec-v1.json b/master/podspec-v1.json index b16f19ded3..0a44b55f0a 100644 --- a/master/podspec-v1.json +++ b/master/podspec-v1.json @@ -176,7 +176,7 @@ }, "os": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PodOS", - "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" + "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" }, "overhead": { "additionalProperties": { diff --git a/master/podspec.json b/master/podspec.json index b16f19ded3..0a44b55f0a 100644 --- a/master/podspec.json +++ b/master/podspec.json @@ -176,7 +176,7 @@ }, "os": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PodOS", - "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" + "description": "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" }, "overhead": { "additionalProperties": {