Allow securityContext in EphemeralContainers

2025-07-30 06:54:01 +00:00 · 2021-02-12 10:44:54 +01:00 · 2021-02-12 10:44:54 +01:00 · 70765fa24d
commit 70765fa24d
parent 07358f1663
5 changed files with 21 additions and 13 deletions
--- a/pkg/api/pod/util_test.go
+++ b/pkg/api/pod/util_test.go
@ -1359,12 +1359,12 @@ func TestDropEphemeralContainers(t *testing.T) {
 		pod                    func() *api.Pod
 	}{
 		{
-			description:            "has subpaths",
+			description:            "has ephemeral containers",
 			hasEphemeralContainers: true,
 			pod:                    podWithEphemeralContainers,
 		},
 		{
-			description:            "does not have subpaths",
+			description:            "does not have ephemeral containers",
 			hasEphemeralContainers: false,
 			pod:                    podWithoutEphemeralContainers,
 		},
--- a/pkg/apis/core/types.go
+++ b/pkg/apis/core/types.go
@ -3140,7 +3140,8 @@ type EphemeralContainerCommon struct {
 	TerminationMessagePolicy TerminationMessagePolicy
 	// Required: Policy for pulling images for this container
 	ImagePullPolicy PullPolicy
-	// SecurityContext is not allowed for ephemeral containers.
+	// Optional: SecurityContext defines the security options the ephemeral container should be run with.
+	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 	// +optional
 	SecurityContext *SecurityContext

--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@ -85,6 +85,7 @@ var allowedEphemeralContainerFields = map[string]bool{
 	"TerminationMessagePath":   true,
 	"TerminationMessagePolicy": true,
 	"ImagePullPolicy":          true,
+	"SecurityContext":          true,
 	"Stdin":                    true,
 	"StdinOnce":                true,
 	"TTY":                      true,
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@ -5822,7 +5822,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 				TargetContainerName:      "ctr",
 			},
 		},
-		"All Whitelisted Fields": {
+		"All allowed Fields": {
 			{
 				EphemeralContainerCommon: core.EphemeralContainerCommon{

@ -5848,9 +5848,14 @@ func TestValidateEphemeralContainers(t *testing.T) {
 					TerminationMessagePath:   "/dev/termination-log",
 					TerminationMessagePolicy: "File",
 					ImagePullPolicy:          "IfNotPresent",
-					Stdin:                    true,
-					StdinOnce:                true,
-					TTY:                      true,
+					SecurityContext: &core.SecurityContext{
+						Capabilities: &core.Capabilities{
+							Add: []core.Capability{"SYS_ADMIN"},
+						},
+					},
+					Stdin:     true,
+					StdinOnce: true,
+					TTY:       true,
 				},
 			},
 		},
@ -5923,7 +5928,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 			field.Error{Type: field.ErrorTypeNotFound, Field: "ephemeralContainers[0].targetContainerName"},
 		},
 		{
-			"Container uses non-whitelisted field: Lifecycle",
+			"Container uses disallowed field: Lifecycle",
 			[]core.EphemeralContainer{
 				{
 					EphemeralContainerCommon: core.EphemeralContainerCommon{
@ -5942,7 +5947,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 			field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].lifecycle"},
 		},
 		{
-			"Container uses non-whitelisted field: LivenessProbe",
+			"Container uses disallowed field: LivenessProbe",
 			[]core.EphemeralContainer{
 				{
 					EphemeralContainerCommon: core.EphemeralContainerCommon{
@ -5962,7 +5967,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 			field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].livenessProbe"},
 		},
 		{
-			"Container uses non-whitelisted field: Ports",
+			"Container uses disallowed field: Ports",
 			[]core.EphemeralContainer{
 				{
 					EphemeralContainerCommon: core.EphemeralContainerCommon{
@ -5979,7 +5984,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 			field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].ports"},
 		},
 		{
-			"Container uses non-whitelisted field: ReadinessProbe",
+			"Container uses disallowed field: ReadinessProbe",
 			[]core.EphemeralContainer{
 				{
 					EphemeralContainerCommon: core.EphemeralContainerCommon{
@ -5998,7 +6003,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 			field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].readinessProbe"},
 		},
 		{
-			"Container uses non-whitelisted field: Resources",
+			"Container uses disallowed field: Resources",
 			[]core.EphemeralContainer{
 				{
 					EphemeralContainerCommon: core.EphemeralContainerCommon{
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
@ -3525,7 +3525,8 @@ type EphemeralContainerCommon struct {
 	// More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
 	// +optional
 	ImagePullPolicy PullPolicy `json:"imagePullPolicy,omitempty" protobuf:"bytes,14,opt,name=imagePullPolicy,casttype=PullPolicy"`
-	// SecurityContext is not allowed for ephemeral containers.
+	// Optional: SecurityContext defines the security options the ephemeral container should be run with.
+	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 	// +optional
 	SecurityContext *SecurityContext `json:"securityContext,omitempty" protobuf:"bytes,15,opt,name=securityContext"`