diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
index 98873605e7f..61805b66b09 100644
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -8679,7 +8679,7 @@ "type": "integer" }, "fsGroupChangePolicy": { - "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified defaults to \"Always\".", + "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.", "type": "string" }, "runAsGroup": {
diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go
index afa9b06a7e4..21aaef0a097 100644
--- a/pkg/apis/core/types.go
+++ b/pkg/apis/core/types.go
@@ -2964,7 +2964,7 @@ type PodSecurityContext struct {
 // volume types which support fsGroup based ownership(and permissions).
 // It will have no effect on ephemeral volume types such as: secret, configmaps
 // and emptydir.
- // Valid values are "OnRootMismatch" and "Always". If not specified defaults to "Always".
+ // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
 // +optional
 FSGroupChangePolicy *PodFSGroupChangePolicy
 // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 7bb13a309e0..4dc3f09ee73 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -436,6 +436,7 @@ const (
 // owner: @gnufied
 // alpha: v1.18
+ // beta: v1.20
 // Allows user to configure volume permission change policy for fsGroups when mounting
 // a volume in a Pod.
 ConfigurableFSGroupPolicy featuregate.Feature = "ConfigurableFSGroupPolicy"
diff --git a/staging/src/k8s.io/api/core/v1/generated.proto b/staging/src/k8s.io/api/core/v1/generated.proto
index c5794cc8ef7..f4b2d425644 100644
--- a/staging/src/k8s.io/api/core/v1/generated.proto
+++ b/staging/src/k8s.io/api/core/v1/generated.proto
@@ -3353,7 +3353,7 @@ message PodSecurityContext { // volume types which support fsGroup based ownership(and permissions). // It will have no effect on ephemeral volume types such as: secret, configmaps // and emptydir. - // Valid values are "OnRootMismatch" and "Always". If not specified defaults to "Always". + // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. // +optional optional string fsGroupChangePolicy = 9;
diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
index 4ee36bb1893..e3cda46c2df 100644
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
@@ -3298,7 +3298,7 @@ type PodSecurityContext struct {
 // volume types which support fsGroup based ownership(and permissions).
 // It will have no effect on ephemeral volume types such as: secret, configmaps
 // and emptydir.
- // Valid values are "OnRootMismatch" and "Always". If not specified defaults to "Always".
+ // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
 // +optional
 FSGroupChangePolicy *PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty" protobuf:"bytes,9,opt,name=fsGroupChangePolicy"`
 // The seccomp options to use by the containers in this pod.
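Review bot: In pkg/features/kube_features.go the gate is now annotated `// beta: v1.20`, but no hunk visible here touches the gate's entry in the defaults table, so the annotation and the registered stage may disagree. If that entry is not updated elsewhere in the commit, it should move in the same change, for example `ConfigurableFSGroupPolicy: {Default: true, PreRelease: featuregate.Beta},` assuming the usual beta default. The const block starts and ends outside the hunk.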
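Review bot: The reworded sentence in staging/src/k8s.io/api/core/v1/types.go (and the same line in pkg/apis/core/types.go) names the two values without saying what "OnRootMismatch" skips, which is what an operator needs to know before relying on a volume's contents having the expected group ownership. As the policy is described upstream, the recursive change is skipped when the volume root already matches, so files below the root keep whatever owner and mode they had; this is worth confirming against the kubelet code. I would add a line such as `// "OnRootMismatch" skips the recursive change when the volume root already has the expected owner and permissions.` The field comment begins above the hunk and the struct continues past it.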
diff --git a/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go
index de36d8f22ed..fe6d6adb378 100644
--- a/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go
@@ -1603,7 +1603,7 @@ var map_PodSecurityContext = map[string]string{ "supplementalGroups": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container.", "fsGroup": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw ", "sysctls": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.", - "fsGroupChangePolicy": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified defaults to \"Always\".", + "fsGroupChangePolicy": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.", "seccompProfile": "The seccomp options to use by the containers in this pod.", }