From 3b936d310c1372f7ed09acee5d0e24b007d9c84a Mon Sep 17 00:00:00 2001 From: ravisantoshgudimetla Date: Tue, 31 Aug 2021 15:07:51 -0400 Subject: [PATCH] api: Introduce os field to pod spec --- pkg/apis/core/types.go | 70 +++++++++++++++++++++++++ staging/src/k8s.io/api/core/v1/types.go | 67 +++++++++++++++++++++++ 2 files changed, 137 insertions(+) diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go index 7a690f64b19..d290b27ee15 100644 --- a/pkg/apis/core/types.go +++ b/pkg/apis/core/types.go @@ -2887,6 +2887,54 @@ type PodSpec struct { // All topologySpreadConstraints are ANDed. // +optional TopologySpreadConstraints []TopologySpreadConstraint + // Specifies the OS of the containers in the pod. + // Some pod and container fields are restricted if this is set. + // + // If the OS field is set to linux, the following fields must be unset: + // - securityContext.windowsOptions + // + // If the OS field is set to windows, following fields must be unset: + // - spec.hostPID + // - spec.hostIPC + // - spec.securityContext.seLinuxOptions + // - spec.securityContext.seccompProfile + // - spec.securityContext.fsGroup + // - spec.securityContext.fsGroupChangePolicy + // - spec.securityContext.sysctls + // - spec.shareProcessNamespace + // - spec.securityContext.runAsUser + // - spec.securityContext.runAsGroup + // - spec.securityContext.supplementalGroups + // - spec.containers[*].securityContext.seLinuxOptions + // - spec.containers[*].securityContext.seccompProfile + // - spec.containers[*].securityContext.capabilities + // - spec.containers[*].securityContext.readOnlyRootFilesystem + // - spec.containers[*].securityContext.privileged + // - spec.containers[*].securityContext.allowPrivilegeEscalation + // - spec.containers[*].securityContext.procMount + // - spec.containers[*].securityContext.runAsUser + // - spec.containers[*].securityContext.runAsGroup + // +optional + // This is an alpha field and requires the IdentifyPodOS feature + OS *PodOS +} + +// OSName is the set of OS'es that can be used in OS. +type OSName string + +// These are valid values for OSName +const ( + Linux OSName = "linux" + Windows OSName = "windows" +) + +// PodOS defines the OS parameters of a pod. +type PodOS struct { + // Name is the name of the operating system. The currently supported values are linux and windows. + // Additional value may be defined in future and can be one of: + // https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + // Clients should expect to handle additional values and treat unrecognized values in this field as os: null + Name OSName } // HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the @@ -2932,11 +2980,13 @@ type PodSecurityContext struct { HostNetwork bool // Use the host's pid namespace. // Optional: Default to false. + // Note that this field cannot be set when spec.os.name is windows. // +k8s:conversion-gen=false // +optional HostPID bool // Use the host's ipc namespace. // Optional: Default to false. + // Note that this field cannot be set when spec.os.name is windows. // +k8s:conversion-gen=false // +optional HostIPC bool @@ -2944,6 +2994,7 @@ type PodSecurityContext struct { // When this is set containers will be able to view and signal processes from other containers // in the same pod, and the first process in each container will not be assigned PID 1. // HostPID and ShareProcessNamespace cannot both be set. + // Note that this field cannot be set when spec.os.name is windows. // Optional: Default to false. // +k8s:conversion-gen=false // +optional @@ -2953,11 +3004,13 @@ type PodSecurityContext struct { // container. May also be set in SecurityContext. If set in // both SecurityContext and PodSecurityContext, the value specified in SecurityContext // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is windows. // +optional SELinuxOptions *SELinuxOptions // The Windows specific settings applied to all containers. // If unspecified, the options within a container's SecurityContext will be used. // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. // +optional WindowsOptions *WindowsSecurityContextOptions // The UID to run the entrypoint of the container process. @@ -2965,6 +3018,7 @@ type PodSecurityContext struct { // May also be set in SecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence // for that container. + // Note that this field cannot be set when spec.os.name is windows. // +optional RunAsUser *int64 // The GID to run the entrypoint of the container process. @@ -2972,6 +3026,7 @@ type PodSecurityContext struct { // May also be set in SecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence // for that container. + // Note that this field cannot be set when spec.os.name is windows. // +optional RunAsGroup *int64 // Indicates that the container must run as a non-root user. @@ -2986,6 +3041,7 @@ type PodSecurityContext struct { // A list of groups applied to the first process run in each container, in addition // to the container's primary GID. If unspecified, no groups will be added to // any container. + // Note that this field cannot be set when spec.os.name is windows. // +optional SupplementalGroups []int64 // A special supplemental group that applies to all containers in a pod. @@ -2997,6 +3053,7 @@ type PodSecurityContext struct { // 3. The permission bits are OR'd with rw-rw---- // // If unset, the Kubelet will not modify the ownership and permissions of any volume. + // Note that this field cannot be set when spec.os.name is windows. // +optional FSGroup *int64 // fsGroupChangePolicy defines behavior of changing ownership and permission of the volume @@ -3005,13 +3062,16 @@ type PodSecurityContext struct { // It will have no effect on ephemeral volume types such as: secret, configmaps // and emptydir. // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is windows. // +optional FSGroupChangePolicy *PodFSGroupChangePolicy // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is windows. // +optional Sysctls []Sysctl // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is windows. // +optional SeccompProfile *SeccompProfile } @@ -5288,34 +5348,40 @@ type ComponentStatusList struct { type SecurityContext struct { // The capabilities to add/drop when running containers. // Defaults to the default set of capabilities granted by the container runtime. + // Note that this field cannot be set when spec.os.name is windows. // +optional Capabilities *Capabilities // Run container in privileged mode. // Processes in privileged containers are essentially equivalent to root on the host. // Defaults to false. + // Note that this field cannot be set when spec.os.name is windows. // +optional Privileged *bool // The SELinux context to be applied to the container. // If unspecified, the container runtime will allocate a random SELinux context for each // container. May also be set in PodSecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. // +optional SELinuxOptions *SELinuxOptions // The Windows specific settings applied to all containers. // If unspecified, the options from the PodSecurityContext will be used. // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. // +optional WindowsOptions *WindowsSecurityContextOptions // The UID to run the entrypoint of the container process. // Defaults to user specified in image metadata if unspecified. // May also be set in PodSecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. // +optional RunAsUser *int64 // The GID to run the entrypoint of the container process. // Uses runtime default if unset. // May also be set in PodSecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. // +optional RunAsGroup *int64 // Indicates that the container must run as a non-root user. @@ -5328,21 +5394,25 @@ type SecurityContext struct { RunAsNonRoot *bool // The read-only root filesystem allows you to restrict the locations that an application can write // files to, ensuring the persistent data can only be written to mounts. + // Note that this field cannot be set when spec.os.name is windows. // +optional ReadOnlyRootFilesystem *bool // AllowPrivilegeEscalation controls whether a process can gain more // privileges than its parent process. This bool directly controls if // the no_new_privs flag will be set on the container process. + // Note that this field cannot be set when spec.os.name is windows. // +optional AllowPrivilegeEscalation *bool // ProcMount denotes the type of proc mount to use for the containers. // The default is DefaultProcMount which uses the container runtime defaults for // readonly paths and masked paths. + // Note that this field cannot be set when spec.os.name is windows. // +optional ProcMount *ProcMountType // The seccomp options to use by this container. If seccomp options are // provided at both the pod & container level, the container options // override the pod options. + // Note that this field cannot be set when spec.os.name is windows. // +optional SeccompProfile *SeccompProfile } diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go index caf13f69a5b..38bffeeea28 100644 --- a/staging/src/k8s.io/api/core/v1/types.go +++ b/staging/src/k8s.io/api/core/v1/types.go @@ -3186,6 +3186,54 @@ type PodSpec struct { // Default to false. // +optional SetHostnameAsFQDN *bool `json:"setHostnameAsFQDN,omitempty" protobuf:"varint,35,opt,name=setHostnameAsFQDN"` + // Specifies the OS of the containers in the pod. + // Some pod and container fields are restricted if this is set. + // + // If the OS field is set to linux, the following fields must be unset: + // -securityContext.windowsOptions + // + // If the OS field is set to windows, following fields must be unset: + // - spec.hostPID + // - spec.hostIPC + // - spec.securityContext.seLinuxOptions + // - spec.securityContext.seccompProfile + // - spec.securityContext.fsGroup + // - spec.securityContext.fsGroupChangePolicy + // - spec.securityContext.sysctls + // - spec.shareProcessNamespace + // - spec.securityContext.runAsUser + // - spec.securityContext.runAsGroup + // - spec.securityContext.supplementalGroups + // - spec.containers[*].securityContext.seLinuxOptions + // - spec.containers[*].securityContext.seccompProfile + // - spec.containers[*].securityContext.capabilities + // - spec.containers[*].securityContext.readOnlyRootFilesystem + // - spec.containers[*].securityContext.privileged + // - spec.containers[*].securityContext.allowPrivilegeEscalation + // - spec.containers[*].securityContext.procMount + // - spec.containers[*].securityContext.runAsUser + // - spec.containers[*].securityContext.runAsGroup + // +optional + // This is an alpha field and requires the IdentifyPodOS feature + OS *PodOS `json:"os,omitempty" protobuf:"bytes,36,opt,name=os"` +} + +// OSName is the set of OS'es that can be used in OS. +type OSName string + +// These are valid values for OSName +const ( + Linux OSName = "linux" + Windows OSName = "windows" +) + +// PodOS defines the OS parameters of a pod. +type PodOS struct { + // Name is the name of the operating system. The currently supported values are linux and windows. + // Additional value may be defined in future and can be one of: + // https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + // Clients should expect to handle additional values and treat unrecognized values in this field as os: null + Name OSName `json:"name" protobuf:"bytes,1,opt,name=name"` } type UnsatisfiableConstraintAction string @@ -3293,11 +3341,13 @@ type PodSecurityContext struct { // container. May also be set in SecurityContext. If set in // both SecurityContext and PodSecurityContext, the value specified in SecurityContext // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is windows. // +optional SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,1,opt,name=seLinuxOptions"` // The Windows specific settings applied to all containers. // If unspecified, the options within a container's SecurityContext will be used. // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. // +optional WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,8,opt,name=windowsOptions"` // The UID to run the entrypoint of the container process. @@ -3305,6 +3355,7 @@ type PodSecurityContext struct { // May also be set in SecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence // for that container. + // Note that this field cannot be set when spec.os.name is windows. // +optional RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"` // The GID to run the entrypoint of the container process. @@ -3312,6 +3363,7 @@ type PodSecurityContext struct { // May also be set in SecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence // for that container. + // Note that this field cannot be set when spec.os.name is windows. // +optional RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,6,opt,name=runAsGroup"` // Indicates that the container must run as a non-root user. @@ -3325,6 +3377,7 @@ type PodSecurityContext struct { // A list of groups applied to the first process run in each container, in addition // to the container's primary GID. If unspecified, no groups will be added to // any container. + // Note that this field cannot be set when spec.os.name is windows. // +optional SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"` // A special supplemental group that applies to all containers in a pod. @@ -3336,10 +3389,12 @@ type PodSecurityContext struct { // 3. The permission bits are OR'd with rw-rw---- // // If unset, the Kubelet will not modify the ownership and permissions of any volume. + // Note that this field cannot be set when spec.os.name is windows. // +optional FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"` // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is windows. // +optional Sysctls []Sysctl `json:"sysctls,omitempty" protobuf:"bytes,7,rep,name=sysctls"` // fsGroupChangePolicy defines behavior of changing ownership and permission of the volume @@ -3348,9 +3403,11 @@ type PodSecurityContext struct { // It will have no effect on ephemeral volume types such as: secret, configmaps // and emptydir. // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is windows. // +optional FSGroupChangePolicy *PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty" protobuf:"bytes,9,opt,name=fsGroupChangePolicy"` // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is windows. // +optional SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,10,opt,name=seccompProfile"` } @@ -6141,34 +6198,40 @@ type DownwardAPIProjection struct { type SecurityContext struct { // The capabilities to add/drop when running containers. // Defaults to the default set of capabilities granted by the container runtime. + // Note that this field cannot be set when spec.os.name is windows. // +optional Capabilities *Capabilities `json:"capabilities,omitempty" protobuf:"bytes,1,opt,name=capabilities"` // Run container in privileged mode. // Processes in privileged containers are essentially equivalent to root on the host. // Defaults to false. + // Note that this field cannot be set when spec.os.name is windows. // +optional Privileged *bool `json:"privileged,omitempty" protobuf:"varint,2,opt,name=privileged"` // The SELinux context to be applied to the container. // If unspecified, the container runtime will allocate a random SELinux context for each // container. May also be set in PodSecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. // +optional SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"` // The Windows specific settings applied to all containers. // If unspecified, the options from the PodSecurityContext will be used. // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. // +optional WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,10,opt,name=windowsOptions"` // The UID to run the entrypoint of the container process. // Defaults to user specified in image metadata if unspecified. // May also be set in PodSecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. // +optional RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"` // The GID to run the entrypoint of the container process. // Uses runtime default if unset. // May also be set in PodSecurityContext. If set in both SecurityContext and // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. // +optional RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,8,opt,name=runAsGroup"` // Indicates that the container must run as a non-root user. @@ -6181,6 +6244,7 @@ type SecurityContext struct { RunAsNonRoot *bool `json:"runAsNonRoot,omitempty" protobuf:"varint,5,opt,name=runAsNonRoot"` // Whether this container has a read-only root filesystem. // Default is false. + // Note that this field cannot be set when spec.os.name is windows. // +optional ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,6,opt,name=readOnlyRootFilesystem"` // AllowPrivilegeEscalation controls whether a process can gain more @@ -6189,17 +6253,20 @@ type SecurityContext struct { // AllowPrivilegeEscalation is true always when the container is: // 1) run as Privileged // 2) has CAP_SYS_ADMIN + // Note that this field cannot be set when spec.os.name is windows. // +optional AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"` // procMount denotes the type of proc mount to use for the containers. // The default is DefaultProcMount which uses the container runtime defaults for // readonly paths and masked paths. // This requires the ProcMountType feature flag to be enabled. + // Note that this field cannot be set when spec.os.name is windows. // +optional ProcMount *ProcMountType `json:"procMount,omitempty" protobuf:"bytes,9,opt,name=procMount"` // The seccomp options to use by this container. If seccomp options are // provided at both the pod & container level, the container options // override the pod options. + // Note that this field cannot be set when spec.os.name is windows. // +optional SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,11,opt,name=seccompProfile"` }