api: Introduce os field to pod spec
This commit is contained in:
parent
d6db275cd3
commit
3b936d310c
@ -2887,6 +2887,54 @@ type PodSpec struct {
|
||||
// All topologySpreadConstraints are ANDed.
|
||||
// +optional
|
||||
TopologySpreadConstraints []TopologySpreadConstraint
|
||||
// Specifies the OS of the containers in the pod.
|
||||
// Some pod and container fields are restricted if this is set.
|
||||
//
|
||||
// If the OS field is set to linux, the following fields must be unset:
|
||||
// - securityContext.windowsOptions
|
||||
//
|
||||
// If the OS field is set to windows, following fields must be unset:
|
||||
// - spec.hostPID
|
||||
// - spec.hostIPC
|
||||
// - spec.securityContext.seLinuxOptions
|
||||
// - spec.securityContext.seccompProfile
|
||||
// - spec.securityContext.fsGroup
|
||||
// - spec.securityContext.fsGroupChangePolicy
|
||||
// - spec.securityContext.sysctls
|
||||
// - spec.shareProcessNamespace
|
||||
// - spec.securityContext.runAsUser
|
||||
// - spec.securityContext.runAsGroup
|
||||
// - spec.securityContext.supplementalGroups
|
||||
// - spec.containers[*].securityContext.seLinuxOptions
|
||||
// - spec.containers[*].securityContext.seccompProfile
|
||||
// - spec.containers[*].securityContext.capabilities
|
||||
// - spec.containers[*].securityContext.readOnlyRootFilesystem
|
||||
// - spec.containers[*].securityContext.privileged
|
||||
// - spec.containers[*].securityContext.allowPrivilegeEscalation
|
||||
// - spec.containers[*].securityContext.procMount
|
||||
// - spec.containers[*].securityContext.runAsUser
|
||||
// - spec.containers[*].securityContext.runAsGroup
|
||||
// +optional
|
||||
// This is an alpha field and requires the IdentifyPodOS feature
|
||||
OS *PodOS
|
||||
}
|
||||
|
||||
// OSName is the set of OS'es that can be used in OS.
|
||||
type OSName string
|
||||
|
||||
// These are valid values for OSName
|
||||
const (
|
||||
Linux OSName = "linux"
|
||||
Windows OSName = "windows"
|
||||
)
|
||||
|
||||
// PodOS defines the OS parameters of a pod.
|
||||
type PodOS struct {
|
||||
// Name is the name of the operating system. The currently supported values are linux and windows.
|
||||
// Additional value may be defined in future and can be one of:
|
||||
// https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
|
||||
// Clients should expect to handle additional values and treat unrecognized values in this field as os: null
|
||||
Name OSName
|
||||
}
|
||||
|
||||
// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
|
||||
@ -2932,11 +2980,13 @@ type PodSecurityContext struct {
|
||||
HostNetwork bool
|
||||
// Use the host's pid namespace.
|
||||
// Optional: Default to false.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +k8s:conversion-gen=false
|
||||
// +optional
|
||||
HostPID bool
|
||||
// Use the host's ipc namespace.
|
||||
// Optional: Default to false.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +k8s:conversion-gen=false
|
||||
// +optional
|
||||
HostIPC bool
|
||||
@ -2944,6 +2994,7 @@ type PodSecurityContext struct {
|
||||
// When this is set containers will be able to view and signal processes from other containers
|
||||
// in the same pod, and the first process in each container will not be assigned PID 1.
|
||||
// HostPID and ShareProcessNamespace cannot both be set.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// Optional: Default to false.
|
||||
// +k8s:conversion-gen=false
|
||||
// +optional
|
||||
@ -2953,11 +3004,13 @@ type PodSecurityContext struct {
|
||||
// container. May also be set in SecurityContext. If set in
|
||||
// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
|
||||
// takes precedence for that container.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SELinuxOptions *SELinuxOptions
|
||||
// The Windows specific settings applied to all containers.
|
||||
// If unspecified, the options within a container's SecurityContext will be used.
|
||||
// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is linux.
|
||||
// +optional
|
||||
WindowsOptions *WindowsSecurityContextOptions
|
||||
// The UID to run the entrypoint of the container process.
|
||||
@ -2965,6 +3018,7 @@ type PodSecurityContext struct {
|
||||
// May also be set in SecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
RunAsUser *int64
|
||||
// The GID to run the entrypoint of the container process.
|
||||
@ -2972,6 +3026,7 @@ type PodSecurityContext struct {
|
||||
// May also be set in SecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
RunAsGroup *int64
|
||||
// Indicates that the container must run as a non-root user.
|
||||
@ -2986,6 +3041,7 @@ type PodSecurityContext struct {
|
||||
// A list of groups applied to the first process run in each container, in addition
|
||||
// to the container's primary GID. If unspecified, no groups will be added to
|
||||
// any container.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SupplementalGroups []int64
|
||||
// A special supplemental group that applies to all containers in a pod.
|
||||
@ -2997,6 +3053,7 @@ type PodSecurityContext struct {
|
||||
// 3. The permission bits are OR'd with rw-rw----
|
||||
//
|
||||
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
FSGroup *int64
|
||||
// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
|
||||
@ -3005,13 +3062,16 @@ type PodSecurityContext struct {
|
||||
// It will have no effect on ephemeral volume types such as: secret, configmaps
|
||||
// and emptydir.
|
||||
// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
FSGroupChangePolicy *PodFSGroupChangePolicy
|
||||
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
|
||||
// sysctls (by the container runtime) might fail to launch.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
Sysctls []Sysctl
|
||||
// The seccomp options to use by the containers in this pod.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SeccompProfile *SeccompProfile
|
||||
}
|
||||
@ -5288,34 +5348,40 @@ type ComponentStatusList struct {
|
||||
type SecurityContext struct {
|
||||
// The capabilities to add/drop when running containers.
|
||||
// Defaults to the default set of capabilities granted by the container runtime.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
Capabilities *Capabilities
|
||||
// Run container in privileged mode.
|
||||
// Processes in privileged containers are essentially equivalent to root on the host.
|
||||
// Defaults to false.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
Privileged *bool
|
||||
// The SELinux context to be applied to the container.
|
||||
// If unspecified, the container runtime will allocate a random SELinux context for each
|
||||
// container. May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SELinuxOptions *SELinuxOptions
|
||||
// The Windows specific settings applied to all containers.
|
||||
// If unspecified, the options from the PodSecurityContext will be used.
|
||||
// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is linux.
|
||||
// +optional
|
||||
WindowsOptions *WindowsSecurityContextOptions
|
||||
// The UID to run the entrypoint of the container process.
|
||||
// Defaults to user specified in image metadata if unspecified.
|
||||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
RunAsUser *int64
|
||||
// The GID to run the entrypoint of the container process.
|
||||
// Uses runtime default if unset.
|
||||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
RunAsGroup *int64
|
||||
// Indicates that the container must run as a non-root user.
|
||||
@ -5328,21 +5394,25 @@ type SecurityContext struct {
|
||||
RunAsNonRoot *bool
|
||||
// The read-only root filesystem allows you to restrict the locations that an application can write
|
||||
// files to, ensuring the persistent data can only be written to mounts.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
ReadOnlyRootFilesystem *bool
|
||||
// AllowPrivilegeEscalation controls whether a process can gain more
|
||||
// privileges than its parent process. This bool directly controls if
|
||||
// the no_new_privs flag will be set on the container process.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
AllowPrivilegeEscalation *bool
|
||||
// ProcMount denotes the type of proc mount to use for the containers.
|
||||
// The default is DefaultProcMount which uses the container runtime defaults for
|
||||
// readonly paths and masked paths.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
ProcMount *ProcMountType
|
||||
// The seccomp options to use by this container. If seccomp options are
|
||||
// provided at both the pod & container level, the container options
|
||||
// override the pod options.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SeccompProfile *SeccompProfile
|
||||
}
|
||||
|
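Review bot: The list under "If the OS field is set to linux" at the top of the PodSpec hunk names only `securityContext.windowsOptions`, yet the container-level `WindowsOptions *WindowsSecurityContextOptions` in the SecurityContext hunk carries the same "cannot be set when spec.os.name is linux" note, so the spec-level summary under-reports the restriction and also drops the `spec.` prefix that the windows list uses. I would change it to `// - spec.securityContext.windowsOptions` and `// - spec.containers[*].securityContext.windowsOptions`. Relatedly, the windows list is phrased as `spec.containers[*]...` while the per-field notes sit on SecurityContext itself; if that type is shared by init and ephemeral containers (not visible in this hunk), the summary should say so, because a policy or admission author working from this list would otherwise check only `containers`. Whether anything enforces "must be unset" is not visible here; the comment reads as a validation contract, so it is worth confirming that validation rejects rather than silently drops the conflicting fields, since a dropped field would change the pod's effective privilege.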
@ -3186,6 +3186,54 @@ type PodSpec struct {
|
||||
// Default to false.
|
||||
// +optional
|
||||
SetHostnameAsFQDN *bool `json:"setHostnameAsFQDN,omitempty" protobuf:"varint,35,opt,name=setHostnameAsFQDN"`
|
||||
// Specifies the OS of the containers in the pod.
|
||||
// Some pod and container fields are restricted if this is set.
|
||||
//
|
||||
// If the OS field is set to linux, the following fields must be unset:
|
||||
// -securityContext.windowsOptions
|
||||
//
|
||||
// If the OS field is set to windows, following fields must be unset:
|
||||
// - spec.hostPID
|
||||
// - spec.hostIPC
|
||||
// - spec.securityContext.seLinuxOptions
|
||||
// - spec.securityContext.seccompProfile
|
||||
// - spec.securityContext.fsGroup
|
||||
// - spec.securityContext.fsGroupChangePolicy
|
||||
// - spec.securityContext.sysctls
|
||||
// - spec.shareProcessNamespace
|
||||
// - spec.securityContext.runAsUser
|
||||
// - spec.securityContext.runAsGroup
|
||||
// - spec.securityContext.supplementalGroups
|
||||
// - spec.containers[*].securityContext.seLinuxOptions
|
||||
// - spec.containers[*].securityContext.seccompProfile
|
||||
// - spec.containers[*].securityContext.capabilities
|
||||
// - spec.containers[*].securityContext.readOnlyRootFilesystem
|
||||
// - spec.containers[*].securityContext.privileged
|
||||
// - spec.containers[*].securityContext.allowPrivilegeEscalation
|
||||
// - spec.containers[*].securityContext.procMount
|
||||
// - spec.containers[*].securityContext.runAsUser
|
||||
// - spec.containers[*].securityContext.runAsGroup
|
||||
// +optional
|
||||
// This is an alpha field and requires the IdentifyPodOS feature
|
||||
OS *PodOS `json:"os,omitempty" protobuf:"bytes,36,opt,name=os"`
|
||||
}
|
||||
|
||||
// OSName is the set of OS'es that can be used in OS.
|
||||
type OSName string
|
||||
|
||||
// These are valid values for OSName
|
||||
const (
|
||||
Linux OSName = "linux"
|
||||
Windows OSName = "windows"
|
||||
)
|
||||
|
||||
// PodOS defines the OS parameters of a pod.
|
||||
type PodOS struct {
|
||||
// Name is the name of the operating system. The currently supported values are linux and windows.
|
||||
// Additional value may be defined in future and can be one of:
|
||||
// https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
|
||||
// Clients should expect to handle additional values and treat unrecognized values in this field as os: null
|
||||
Name OSName `json:"name" protobuf:"bytes,1,opt,name=name"`
|
||||
}
|
||||
|
||||
type UnsatisfiableConstraintAction string
|
||||
@ -3293,11 +3341,13 @@ type PodSecurityContext struct {
|
||||
// container. May also be set in SecurityContext. If set in
|
||||
// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
|
||||
// takes precedence for that container.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,1,opt,name=seLinuxOptions"`
|
||||
// The Windows specific settings applied to all containers.
|
||||
// If unspecified, the options within a container's SecurityContext will be used.
|
||||
// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is linux.
|
||||
// +optional
|
||||
WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,8,opt,name=windowsOptions"`
|
||||
// The UID to run the entrypoint of the container process.
|
||||
@ -3305,6 +3355,7 @@ type PodSecurityContext struct {
|
||||
// May also be set in SecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
|
||||
// The GID to run the entrypoint of the container process.
|
||||
@ -3312,6 +3363,7 @@ type PodSecurityContext struct {
|
||||
// May also be set in SecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence
|
||||
// for that container.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,6,opt,name=runAsGroup"`
|
||||
// Indicates that the container must run as a non-root user.
|
||||
@ -3325,6 +3377,7 @@ type PodSecurityContext struct {
|
||||
// A list of groups applied to the first process run in each container, in addition
|
||||
// to the container's primary GID. If unspecified, no groups will be added to
|
||||
// any container.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
|
||||
// A special supplemental group that applies to all containers in a pod.
|
||||
@ -3336,10 +3389,12 @@ type PodSecurityContext struct {
|
||||
// 3. The permission bits are OR'd with rw-rw----
|
||||
//
|
||||
// If unset, the Kubelet will not modify the ownership and permissions of any volume.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
|
||||
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
|
||||
// sysctls (by the container runtime) might fail to launch.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
Sysctls []Sysctl `json:"sysctls,omitempty" protobuf:"bytes,7,rep,name=sysctls"`
|
||||
// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
|
||||
@ -3348,9 +3403,11 @@ type PodSecurityContext struct {
|
||||
// It will have no effect on ephemeral volume types such as: secret, configmaps
|
||||
// and emptydir.
|
||||
// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
FSGroupChangePolicy *PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty" protobuf:"bytes,9,opt,name=fsGroupChangePolicy"`
|
||||
// The seccomp options to use by the containers in this pod.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,10,opt,name=seccompProfile"`
|
||||
}
|
||||
@ -6141,34 +6198,40 @@ type DownwardAPIProjection struct {
|
||||
type SecurityContext struct {
|
||||
// The capabilities to add/drop when running containers.
|
||||
// Defaults to the default set of capabilities granted by the container runtime.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
Capabilities *Capabilities `json:"capabilities,omitempty" protobuf:"bytes,1,opt,name=capabilities"`
|
||||
// Run container in privileged mode.
|
||||
// Processes in privileged containers are essentially equivalent to root on the host.
|
||||
// Defaults to false.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
Privileged *bool `json:"privileged,omitempty" protobuf:"varint,2,opt,name=privileged"`
|
||||
// The SELinux context to be applied to the container.
|
||||
// If unspecified, the container runtime will allocate a random SELinux context for each
|
||||
// container. May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
|
||||
// The Windows specific settings applied to all containers.
|
||||
// If unspecified, the options from the PodSecurityContext will be used.
|
||||
// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is linux.
|
||||
// +optional
|
||||
WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,10,opt,name=windowsOptions"`
|
||||
// The UID to run the entrypoint of the container process.
|
||||
// Defaults to user specified in image metadata if unspecified.
|
||||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
|
||||
// The GID to run the entrypoint of the container process.
|
||||
// Uses runtime default if unset.
|
||||
// May also be set in PodSecurityContext. If set in both SecurityContext and
|
||||
// PodSecurityContext, the value specified in SecurityContext takes precedence.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,8,opt,name=runAsGroup"`
|
||||
// Indicates that the container must run as a non-root user.
|
||||
@ -6181,6 +6244,7 @@ type SecurityContext struct {
|
||||
RunAsNonRoot *bool `json:"runAsNonRoot,omitempty" protobuf:"varint,5,opt,name=runAsNonRoot"`
|
||||
// Whether this container has a read-only root filesystem.
|
||||
// Default is false.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,6,opt,name=readOnlyRootFilesystem"`
|
||||
// AllowPrivilegeEscalation controls whether a process can gain more
|
||||
@ -6189,17 +6253,20 @@ type SecurityContext struct {
|
||||
// AllowPrivilegeEscalation is true always when the container is:
|
||||
// 1) run as Privileged
|
||||
// 2) has CAP_SYS_ADMIN
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
|
||||
// procMount denotes the type of proc mount to use for the containers.
|
||||
// The default is DefaultProcMount which uses the container runtime defaults for
|
||||
// readonly paths and masked paths.
|
||||
// This requires the ProcMountType feature flag to be enabled.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
ProcMount *ProcMountType `json:"procMount,omitempty" protobuf:"bytes,9,opt,name=procMount"`
|
||||
// The seccomp options to use by this container. If seccomp options are
|
||||
// provided at both the pod & container level, the container options
|
||||
// override the pod options.
|
||||
// Note that this field cannot be set when spec.os.name is windows.
|
||||
// +optional
|
||||
SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,11,opt,name=seccompProfile"`
|
||||
}
|
||||
|
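Review bot: `// -securityContext.windowsOptions` in the PodSpec hunk is missing the space after the dash that every other list entry has and the `spec.` prefix the windows list uses; because this comment is the source for the generated OpenAPI field description, the inconsistency surfaces in user-facing docs. I would write `// - spec.securityContext.windowsOptions` and add `// - spec.containers[*].securityContext.windowsOptions`, since the container-level `WindowsOptions` field in the SecurityContext hunk below is itself annotated "cannot be set when spec.os.name is linux". The trailing `// This is an alpha field and requires the IdentifyPodOS feature` would also be clearer as `// This is an alpha field and requires the IdentifyPodOS feature gate to be enabled.`; what happens to a value submitted while the gate is off (dropped vs. rejected) is not visible here and is worth stating, since clients that choose which securityContext fields to set based on `os` need to know whether the server will keep it.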