Merge pull request #73795 from tallclair/runtimeclass-psp

PodSecurityPolicy RuntimeClass support
2025-09-14 13:45:06 +00:00 · 2019-05-02 00:46:17 -07:00
parent 6d691c9985 c666bd0012
commit 6a48257627
24 changed files with 1552 additions and 395 deletions
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -12467,6 +12467,10 @@
          "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.RunAsUserStrategyOptions",
          "description": "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set."
        },
+        "runtimeClass": {
+          "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.RuntimeClassStrategyOptions",
+          "description": "runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled."
+        },
        "seLinux": {
          "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.SELinuxStrategyOptions",
          "description": "seLinux is the strategy that will dictate the allowable labels that may be set."
@@ -12731,6 +12735,26 @@
      ],
      "type": "object"
    },
+    "io.k8s.api.extensions.v1beta1.RuntimeClassStrategyOptions": {
+      "description": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.",
+      "properties": {
+        "allowedRuntimeClassNames": {
+          "description": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.",
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "defaultRuntimeClassName": {
+          "description": "defaultRuntimeClassName is the default RuntimeClassName to set on the pod. The default MUST be allowed by the allowedRuntimeClassNames list. A value of nil does not mutate the Pod.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "allowedRuntimeClassNames"
+      ],
+      "type": "object"
+    },
    "io.k8s.api.extensions.v1beta1.SELinuxStrategyOptions": {
      "description": "SELinuxStrategyOptions defines the strategy type and any options used to create the strategy. Deprecated: use SELinuxStrategyOptions from policy API Group instead.",
      "properties": {
@@ -13784,6 +13808,10 @@
          "$ref": "#/definitions/io.k8s.api.policy.v1beta1.RunAsUserStrategyOptions",
          "description": "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set."
        },
+        "runtimeClass": {
+          "$ref": "#/definitions/io.k8s.api.policy.v1beta1.RuntimeClassStrategyOptions",
+          "description": "runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled."
+        },
        "seLinux": {
          "$ref": "#/definitions/io.k8s.api.policy.v1beta1.SELinuxStrategyOptions",
          "description": "seLinux is the strategy that will dictate the allowable labels that may be set."
@@ -13848,6 +13876,26 @@
      ],
      "type": "object"
    },
+    "io.k8s.api.policy.v1beta1.RuntimeClassStrategyOptions": {
+      "description": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.",
+      "properties": {
+        "allowedRuntimeClassNames": {
+          "description": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.",
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "defaultRuntimeClassName": {
+          "description": "defaultRuntimeClassName is the default RuntimeClassName to set on the pod. The default MUST be allowed by the allowedRuntimeClassNames list. A value of nil does not mutate the Pod.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "allowedRuntimeClassNames"
+      ],
+      "type": "object"
+    },
    "io.k8s.api.policy.v1beta1.SELinuxStrategyOptions": {
      "description": "SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.",
      "properties": {