api: Introduce os field to pod spec

This commit is contained in:
ravisantoshgudimetla 2021-08-31 15:07:51 -04:00
parent d6db275cd3
commit 3b936d310c
2 changed files with 137 additions and 0 deletions

View File

@ -2887,6 +2887,54 @@ type PodSpec struct {
// All topologySpreadConstraints are ANDed.
// +optional
TopologySpreadConstraints []TopologySpreadConstraint
// Specifies the OS of the containers in the pod.
// Some pod and container fields are restricted if this is set.
//
// If the OS field is set to linux, the following fields must be unset:
// - securityContext.windowsOptions
//
// If the OS field is set to windows, following fields must be unset:
// - spec.hostPID
// - spec.hostIPC
// - spec.securityContext.seLinuxOptions
// - spec.securityContext.seccompProfile
// - spec.securityContext.fsGroup
// - spec.securityContext.fsGroupChangePolicy
// - spec.securityContext.sysctls
// - spec.shareProcessNamespace
// - spec.securityContext.runAsUser
// - spec.securityContext.runAsGroup
// - spec.securityContext.supplementalGroups
// - spec.containers[*].securityContext.seLinuxOptions
// - spec.containers[*].securityContext.seccompProfile
// - spec.containers[*].securityContext.capabilities
// - spec.containers[*].securityContext.readOnlyRootFilesystem
// - spec.containers[*].securityContext.privileged
// - spec.containers[*].securityContext.allowPrivilegeEscalation
// - spec.containers[*].securityContext.procMount
// - spec.containers[*].securityContext.runAsUser
// - spec.containers[*].securityContext.runAsGroup
// +optional
// This is an alpha field and requires the IdentifyPodOS feature
OS *PodOS
}
// OSName is the set of OS'es that can be used in OS.
type OSName string
// These are valid values for OSName
const (
Linux OSName = "linux"
Windows OSName = "windows"
)
// PodOS defines the OS parameters of a pod.
type PodOS struct {
// Name is the name of the operating system. The currently supported values are linux and windows.
// Additional value may be defined in future and can be one of:
// https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
// Clients should expect to handle additional values and treat unrecognized values in this field as os: null
Name OSName
}
// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
@ -2932,11 +2980,13 @@ type PodSecurityContext struct {
HostNetwork bool
// Use the host's pid namespace.
// Optional: Default to false.
// Note that this field cannot be set when spec.os.name is windows.
// +k8s:conversion-gen=false
// +optional
HostPID bool
// Use the host's ipc namespace.
// Optional: Default to false.
// Note that this field cannot be set when spec.os.name is windows.
// +k8s:conversion-gen=false
// +optional
HostIPC bool
@ -2944,6 +2994,7 @@ type PodSecurityContext struct {
// When this is set containers will be able to view and signal processes from other containers
// in the same pod, and the first process in each container will not be assigned PID 1.
// HostPID and ShareProcessNamespace cannot both be set.
// Note that this field cannot be set when spec.os.name is windows.
// Optional: Default to false.
// +k8s:conversion-gen=false
// +optional
@ -2953,11 +3004,13 @@ type PodSecurityContext struct {
// container. May also be set in SecurityContext. If set in
// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
// takes precedence for that container.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SELinuxOptions *SELinuxOptions
// The Windows specific settings applied to all containers.
// If unspecified, the options within a container's SecurityContext will be used.
// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is linux.
// +optional
WindowsOptions *WindowsSecurityContextOptions
// The UID to run the entrypoint of the container process.
@ -2965,6 +3018,7 @@ type PodSecurityContext struct {
// May also be set in SecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
RunAsUser *int64
// The GID to run the entrypoint of the container process.
@ -2972,6 +3026,7 @@ type PodSecurityContext struct {
// May also be set in SecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
RunAsGroup *int64
// Indicates that the container must run as a non-root user.
@ -2986,6 +3041,7 @@ type PodSecurityContext struct {
// A list of groups applied to the first process run in each container, in addition
// to the container's primary GID. If unspecified, no groups will be added to
// any container.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SupplementalGroups []int64
// A special supplemental group that applies to all containers in a pod.
@ -2997,6 +3053,7 @@ type PodSecurityContext struct {
// 3. The permission bits are OR'd with rw-rw----
//
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
FSGroup *int64
// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
@ -3005,13 +3062,16 @@ type PodSecurityContext struct {
// It will have no effect on ephemeral volume types such as: secret, configmaps
// and emptydir.
// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
FSGroupChangePolicy *PodFSGroupChangePolicy
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
// sysctls (by the container runtime) might fail to launch.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
Sysctls []Sysctl
// The seccomp options to use by the containers in this pod.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SeccompProfile *SeccompProfile
}
@ -5288,34 +5348,40 @@ type ComponentStatusList struct {
type SecurityContext struct {
// The capabilities to add/drop when running containers.
// Defaults to the default set of capabilities granted by the container runtime.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
Capabilities *Capabilities
// Run container in privileged mode.
// Processes in privileged containers are essentially equivalent to root on the host.
// Defaults to false.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
Privileged *bool
// The SELinux context to be applied to the container.
// If unspecified, the container runtime will allocate a random SELinux context for each
// container. May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SELinuxOptions *SELinuxOptions
// The Windows specific settings applied to all containers.
// If unspecified, the options from the PodSecurityContext will be used.
// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is linux.
// +optional
WindowsOptions *WindowsSecurityContextOptions
// The UID to run the entrypoint of the container process.
// Defaults to user specified in image metadata if unspecified.
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
RunAsUser *int64
// The GID to run the entrypoint of the container process.
// Uses runtime default if unset.
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
RunAsGroup *int64
// Indicates that the container must run as a non-root user.
@ -5328,21 +5394,25 @@ type SecurityContext struct {
RunAsNonRoot *bool
// The read-only root filesystem allows you to restrict the locations that an application can write
// files to, ensuring the persistent data can only be written to mounts.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
ReadOnlyRootFilesystem *bool
// AllowPrivilegeEscalation controls whether a process can gain more
// privileges than its parent process. This bool directly controls if
// the no_new_privs flag will be set on the container process.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
AllowPrivilegeEscalation *bool
// ProcMount denotes the type of proc mount to use for the containers.
// The default is DefaultProcMount which uses the container runtime defaults for
// readonly paths and masked paths.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
ProcMount *ProcMountType
// The seccomp options to use by this container. If seccomp options are
// provided at both the pod & container level, the container options
// override the pod options.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SeccompProfile *SeccompProfile
}

View File

@ -3186,6 +3186,54 @@ type PodSpec struct {
// Default to false.
// +optional
SetHostnameAsFQDN *bool `json:"setHostnameAsFQDN,omitempty" protobuf:"varint,35,opt,name=setHostnameAsFQDN"`
// Specifies the OS of the containers in the pod.
// Some pod and container fields are restricted if this is set.
//
// If the OS field is set to linux, the following fields must be unset:
// -securityContext.windowsOptions
//
// If the OS field is set to windows, following fields must be unset:
// - spec.hostPID
// - spec.hostIPC
// - spec.securityContext.seLinuxOptions
// - spec.securityContext.seccompProfile
// - spec.securityContext.fsGroup
// - spec.securityContext.fsGroupChangePolicy
// - spec.securityContext.sysctls
// - spec.shareProcessNamespace
// - spec.securityContext.runAsUser
// - spec.securityContext.runAsGroup
// - spec.securityContext.supplementalGroups
// - spec.containers[*].securityContext.seLinuxOptions
// - spec.containers[*].securityContext.seccompProfile
// - spec.containers[*].securityContext.capabilities
// - spec.containers[*].securityContext.readOnlyRootFilesystem
// - spec.containers[*].securityContext.privileged
// - spec.containers[*].securityContext.allowPrivilegeEscalation
// - spec.containers[*].securityContext.procMount
// - spec.containers[*].securityContext.runAsUser
// - spec.containers[*].securityContext.runAsGroup
// +optional
// This is an alpha field and requires the IdentifyPodOS feature
OS *PodOS `json:"os,omitempty" protobuf:"bytes,36,opt,name=os"`
}
// OSName is the set of OS'es that can be used in OS.
type OSName string
// These are valid values for OSName
const (
Linux OSName = "linux"
Windows OSName = "windows"
)
// PodOS defines the OS parameters of a pod.
type PodOS struct {
// Name is the name of the operating system. The currently supported values are linux and windows.
// Additional value may be defined in future and can be one of:
// https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
// Clients should expect to handle additional values and treat unrecognized values in this field as os: null
Name OSName `json:"name" protobuf:"bytes,1,opt,name=name"`
}
type UnsatisfiableConstraintAction string
@ -3293,11 +3341,13 @@ type PodSecurityContext struct {
// container. May also be set in SecurityContext. If set in
// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
// takes precedence for that container.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,1,opt,name=seLinuxOptions"`
// The Windows specific settings applied to all containers.
// If unspecified, the options within a container's SecurityContext will be used.
// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is linux.
// +optional
WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,8,opt,name=windowsOptions"`
// The UID to run the entrypoint of the container process.
@ -3305,6 +3355,7 @@ type PodSecurityContext struct {
// May also be set in SecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
// The GID to run the entrypoint of the container process.
@ -3312,6 +3363,7 @@ type PodSecurityContext struct {
// May also be set in SecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence
// for that container.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,6,opt,name=runAsGroup"`
// Indicates that the container must run as a non-root user.
@ -3325,6 +3377,7 @@ type PodSecurityContext struct {
// A list of groups applied to the first process run in each container, in addition
// to the container's primary GID. If unspecified, no groups will be added to
// any container.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
// A special supplemental group that applies to all containers in a pod.
@ -3336,10 +3389,12 @@ type PodSecurityContext struct {
// 3. The permission bits are OR'd with rw-rw----
//
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
// sysctls (by the container runtime) might fail to launch.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
Sysctls []Sysctl `json:"sysctls,omitempty" protobuf:"bytes,7,rep,name=sysctls"`
// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
@ -3348,9 +3403,11 @@ type PodSecurityContext struct {
// It will have no effect on ephemeral volume types such as: secret, configmaps
// and emptydir.
// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
FSGroupChangePolicy *PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty" protobuf:"bytes,9,opt,name=fsGroupChangePolicy"`
// The seccomp options to use by the containers in this pod.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,10,opt,name=seccompProfile"`
}
@ -6141,34 +6198,40 @@ type DownwardAPIProjection struct {
type SecurityContext struct {
// The capabilities to add/drop when running containers.
// Defaults to the default set of capabilities granted by the container runtime.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
Capabilities *Capabilities `json:"capabilities,omitempty" protobuf:"bytes,1,opt,name=capabilities"`
// Run container in privileged mode.
// Processes in privileged containers are essentially equivalent to root on the host.
// Defaults to false.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
Privileged *bool `json:"privileged,omitempty" protobuf:"varint,2,opt,name=privileged"`
// The SELinux context to be applied to the container.
// If unspecified, the container runtime will allocate a random SELinux context for each
// container. May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
// The Windows specific settings applied to all containers.
// If unspecified, the options from the PodSecurityContext will be used.
// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is linux.
// +optional
WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,10,opt,name=windowsOptions"`
// The UID to run the entrypoint of the container process.
// Defaults to user specified in image metadata if unspecified.
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
// The GID to run the entrypoint of the container process.
// Uses runtime default if unset.
// May also be set in PodSecurityContext. If set in both SecurityContext and
// PodSecurityContext, the value specified in SecurityContext takes precedence.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,8,opt,name=runAsGroup"`
// Indicates that the container must run as a non-root user.
@ -6181,6 +6244,7 @@ type SecurityContext struct {
RunAsNonRoot *bool `json:"runAsNonRoot,omitempty" protobuf:"varint,5,opt,name=runAsNonRoot"`
// Whether this container has a read-only root filesystem.
// Default is false.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,6,opt,name=readOnlyRootFilesystem"`
// AllowPrivilegeEscalation controls whether a process can gain more
@ -6189,17 +6253,20 @@ type SecurityContext struct {
// AllowPrivilegeEscalation is true always when the container is:
// 1) run as Privileged
// 2) has CAP_SYS_ADMIN
// Note that this field cannot be set when spec.os.name is windows.
// +optional
AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
// procMount denotes the type of proc mount to use for the containers.
// The default is DefaultProcMount which uses the container runtime defaults for
// readonly paths and masked paths.
// This requires the ProcMountType feature flag to be enabled.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
ProcMount *ProcMountType `json:"procMount,omitempty" protobuf:"bytes,9,opt,name=procMount"`
// The seccomp options to use by this container. If seccomp options are
// provided at both the pod & container level, the container options
// override the pod options.
// Note that this field cannot be set when spec.os.name is windows.
// +optional
SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,11,opt,name=seccompProfile"`
}