diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index e23b93ad9bd..28ed3fac64e 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -12371,7 +12371,7 @@ "type": "boolean" }, "allowedCSIDrivers": { - "description": "AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", + "description": "AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedCSIDriver" }, 
@@ -12385,28 +12385,28 @@ "type": "array" }, "allowedFlexVolumes": { - "description": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", + "description": "allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedFlexVolume" }, "type": "array" }, "allowedHostPaths": { - "description": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", + "description": "allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedHostPath" }, "type": "array" }, "allowedProcMountTypes": { - "description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", + "description": "AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", "items": { "type": "string" }, "type": "array" }, "allowedUnsafeSysctls": { - "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. 
\"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "items": { "type": "string" }, @@ -12489,7 +12489,7 @@ "description": "supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext." }, "volumes": { - "description": "volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", + "description": "volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", "items": { "type": "string" }, @@ -12548,7 +12548,7 @@ "description": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.", "properties": { "allowedRuntimeClassNames": { - "description": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", + "description": "allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", "items": { "type": "string" }, diff --git a/pkg/apis/policy/types.go b/pkg/apis/policy/types.go index b3b64b0efac..50805b80802 100644 --- a/pkg/apis/policy/types.go 
+++ b/pkg/apis/policy/types.go
@@ -157,7 +157,7 @@ type PodSecurityPolicySpec struct {
 // To allow all capabilities you may use '*'.
 // +optional
 AllowedCapabilities []api.Capability
- // Volumes is a white list of allowed volume plugins. Empty indicates that
+ // Volumes is an allowlist of volume plugins. Empty indicates that
 // no volumes may be used. To allow all volumes you may use '*'.
 // +optional
 Volumes []FSType
@@ -200,15 +200,15 @@ type PodSecurityPolicySpec struct {
 // privilege escalation. If unspecified, defaults to true.
 // +optional
 AllowPrivilegeEscalation bool
- // AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
+ // AllowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.
 // +optional
 AllowedHostPaths []AllowedHostPath
- // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
+ // AllowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all
 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
 // is allowed in the "Volumes" field.
 // +optional
 AllowedFlexVolumes []AllowedFlexVolume
- // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
+ // AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
 // An empty value indicates that any CSI driver can be used for inline ephemeral volumes.
 // This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.
 // +optional
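Review bot: In the `@@ -200,15` hunk the word "allowlist" now labels three fields whose empty value is fail-open: AllowedHostPaths, AllowedFlexVolumes and AllowedCSIDrivers all admit everything when empty, whereas Volumes in the first hunk admits nothing when empty. A reader who assumes the usual deny-by-default meaning of an allowlist can skim past the second sentence, so I would make the difference explicit, for example `// Note: unlike Volumes, an empty list places no restriction on host paths.` on AllowedHostPaths and the equivalent line on the other two fields. The same comments recur in staging/src/k8s.io/api/extensions/v1beta1/types.go and staging/src/k8s.io/api/policy/v1beta1/types.go. PodSecurityPolicySpec begins and ends outside the hunk.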
@@ -216,7 +216,7 @@ type PodSecurityPolicySpec struct {
 // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
 // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ // Kubelet has to allowlist all unsafe sysctls explicitly to avoid rejection.
 //
 // Examples:
 // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
@@ -232,7 +232,7 @@ type PodSecurityPolicySpec struct {
 // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
 // +optional
 ForbiddenSysctls []string
- // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
+ // AllowedProcMountTypes is an allowlist of ProcMountTypes.
 // Empty or nil indicates that only the DefaultProcMountType may be used.
 // +optional
 AllowedProcMountTypes []api.ProcMountType
@@ -449,7 +449,7 @@ const (
 // RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses
 // for a pod.
 type RuntimeClassStrategyOptions struct {
- // allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod.
+ // allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod.
 // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
 // list. An empty list requires the RuntimeClassName field to be unset.
 AllowedRuntimeClassNames []string
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/generated.proto b/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
index e2d78e37f34..a81cce680cc 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
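Review bot: The rewritten sysctl line in the `@@ -216,7` hunk drops the word "allowed" in addition to replacing "whitelist", so it now reads as if the kubelet must permit every unsafe sysctl rather than only the ones this policy allows. The copy of the same comment in staging/src/k8s.io/api/policy/v1beta1/types.go keeps "all allowed unsafe sysctls", so the API versions now disagree; staging/src/k8s.io/api/extensions/v1beta1/types.go carries the shortened form as well. I would restore the original scope: `// Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.` The struct body continues outside the hunk.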
@@ -848,7 +848,7 @@ message PodSecurityPolicySpec { // +optional repeated string allowedCapabilities = 4; - // volumes is a white list of allowed volume plugins. Empty indicates that + // volumes is an allowlist of volume plugins. Empty indicates that // no volumes may be used. To allow all volumes you may use '*'. // +optional repeated string volumes = 5; @@ -905,18 +905,18 @@ message PodSecurityPolicySpec { // +optional optional bool allowPrivilegeEscalation = 16; - // allowedHostPaths is a white list of allowed host paths. Empty indicates + // allowedHostPaths is an allowlist of host paths. Empty indicates // that all host paths may be used. // +optional repeated AllowedHostPath allowedHostPaths = 17; - // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all + // allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes // is allowed in the "volumes" field. // +optional repeated AllowedFlexVolume allowedFlexVolumes = 18; - // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. + // AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. // An empty value indicates that any CSI driver can be used for inline ephemeral volumes. // +optional repeated AllowedCSIDriver allowedCSIDrivers = 23; 
@@ -924,7 +924,7 @@ message PodSecurityPolicySpec { // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. - // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. + // Kubelet has to allowlist all unsafe sysctls explicitly to avoid rejection. // // Examples: // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. @@ -942,7 +942,7 @@ message PodSecurityPolicySpec { // +optional repeated string forbiddenSysctls = 20; - // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. + // AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. // Empty or nil indicates that only the DefaultProcMountType may be used. // This requires the ProcMountType feature flag to be enabled. // +optional @@ -1154,7 +1154,7 @@ message RunAsUserStrategyOptions { // RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses // for a pod. message RuntimeClassStrategyOptions { - // allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. + // allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the // list. An empty list requires the RuntimeClassName field to be unset. repeated string allowedRuntimeClassNames = 1; diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.go b/staging/src/k8s.io/api/extensions/v1beta1/types.go index 9255822e720..03529ad73e6 100644 --- a/staging/src/k8s.io/api/extensions/v1beta1/types.go +++ b/staging/src/k8s.io/api/extensions/v1beta1/types.go 
@@ -985,7 +985,7 @@ type PodSecurityPolicySpec struct {
 // You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
 // +optional
 AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"`
- // volumes is a white list of allowed volume plugins. Empty indicates that
+ // volumes is an allowlist of volume plugins. Empty indicates that
 // no volumes may be used. To allow all volumes you may use '*'.
 // +optional
 Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"`
@@ -1029,23 +1029,23 @@ type PodSecurityPolicySpec struct {
 // privilege escalation. If unspecified, defaults to true.
 // +optional
 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
- // allowedHostPaths is a white list of allowed host paths. Empty indicates
+ // allowedHostPaths is an allowlist of host paths. Empty indicates
 // that all host paths may be used.
 // +optional
 AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
- // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
+ // allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all
 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
 // is allowed in the "volumes" field.
 // +optional
 AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
- // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
+ // AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
 // An empty value indicates that any CSI driver can be used for inline ephemeral volumes.
 // +optional
 AllowedCSIDrivers []AllowedCSIDriver `json:"allowedCSIDrivers,omitempty" protobuf:"bytes,23,rep,name=allowedCSIDrivers"`
 // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
 // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ // Kubelet has to allowlist all unsafe sysctls explicitly to avoid rejection.
 //
 // Examples:
 // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
@@ -1061,7 +1061,7 @@ type PodSecurityPolicySpec struct {
 // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
 // +optional
 ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
- // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
+ // AllowedProcMountTypes is an allowlist of allowed ProcMountTypes.
 // Empty or nil indicates that only the DefaultProcMountType may be used.
 // This requires the ProcMountType feature flag to be enabled.
 // +optional
@@ -1289,7 +1289,7 @@ const (
 // RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses
 // for a pod.
 type RuntimeClassStrategyOptions struct {
- // allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod.
+ // allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod.
 // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
 // list. An empty list requires the RuntimeClassName field to be unset.
 AllowedRuntimeClassNames []string `json:"allowedRuntimeClassNames" protobuf:"bytes,1,rep,name=allowedRuntimeClassNames"`
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
index c190d96a924..0ef3c00593e 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
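Review bot: The new comment in the `@@ -1061,7` hunk reads "an allowlist of allowed ProcMountTypes", keeping the redundant "allowed" that every other renamed comment in this commit drops; pkg/apis/policy/types.go already says "an allowlist of ProcMountTypes". I would use `// AllowedProcMountTypes is an allowlist of ProcMountTypes.` here and in the matching hunk of staging/src/k8s.io/api/policy/v1beta1/types.go. The generated .proto and swagger doc files repeat the phrase and would presumably need regenerating afterwards. The struct body continues outside the hunk.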
@@ -458,7 +458,7 @@ var map_PodSecurityPolicySpec = map[string]string{ "defaultAddCapabilities": "defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.", "requiredDropCapabilities": "requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.", "allowedCapabilities": "allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.", - "volumes": "volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", + "volumes": "volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", "hostNetwork": "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.", "hostPorts": "hostPorts determines which host port ranges are allowed to be exposed.", "hostPID": "hostPID determines if the policy allows the use of HostPID in the pod spec.", 
@@ -471,12 +471,12 @@ var map_PodSecurityPolicySpec = map[string]string{ "readOnlyRootFilesystem": "readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.", "defaultAllowPrivilegeEscalation": "defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.", "allowPrivilegeEscalation": "allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.", - "allowedHostPaths": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", - "allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", - "allowedCSIDrivers": "AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes.", - "allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "allowedHostPaths": "allowedHostPaths is an allowlist of host paths. 
Empty indicates that all host paths may be used.", + "allowedFlexVolumes": "allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", + "allowedCSIDrivers": "AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes.", + "allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.", - "allowedProcMountTypes": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", + "allowedProcMountTypes": "AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", "runtimeClass": "runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. 
If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled.", } @@ -594,7 +594,7 @@ func (RunAsUserStrategyOptions) SwaggerDoc() map[string]string { var map_RuntimeClassStrategyOptions = map[string]string{ "": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.", - "allowedRuntimeClassNames": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", + "allowedRuntimeClassNames": "allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", "defaultRuntimeClassName": "defaultRuntimeClassName is the default RuntimeClassName to set on the pod. The default MUST be allowed by the allowedRuntimeClassNames list. A value of nil does not mutate the Pod.", } diff --git a/staging/src/k8s.io/api/policy/v1beta1/generated.proto b/staging/src/k8s.io/api/policy/v1beta1/generated.proto index d044837403b..56ba159c373 100644 --- a/staging/src/k8s.io/api/policy/v1beta1/generated.proto +++ b/staging/src/k8s.io/api/policy/v1beta1/generated.proto @@ -230,7 +230,7 @@ message PodSecurityPolicySpec { // +optional repeated string allowedCapabilities = 4; - // volumes is a white list of allowed volume plugins. Empty indicates that + // volumes is an allowlist of volume plugins. Empty indicates that // no volumes may be used. To allow all volumes you may use '*'. // +optional repeated string volumes = 5; 
@@ -287,18 +287,18 @@ message PodSecurityPolicySpec { // +optional optional bool allowPrivilegeEscalation = 16; - // allowedHostPaths is a white list of allowed host paths. Empty indicates + // allowedHostPaths is an allowlist of host paths. Empty indicates // that all host paths may be used. // +optional repeated AllowedHostPath allowedHostPaths = 17; - // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all + // allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes // is allowed in the "volumes" field. // +optional repeated AllowedFlexVolume allowedFlexVolumes = 18; - // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. + // AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. // An empty value indicates that any CSI driver can be used for inline ephemeral volumes. // This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate. // +optional @@ -307,7 +307,7 @@ message PodSecurityPolicySpec { // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. - // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. + // Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection. // // Examples: // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. 
@@ -325,7 +325,7 @@ message PodSecurityPolicySpec { // +optional repeated string forbiddenSysctls = 20; - // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. + // AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. // Empty or nil indicates that only the DefaultProcMountType may be used. // This requires the ProcMountType feature flag to be enabled. // +optional @@ -363,7 +363,7 @@ message RunAsUserStrategyOptions { // RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses // for a pod. message RuntimeClassStrategyOptions { - // allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. + // allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the // list. An empty list requires the RuntimeClassName field to be unset. repeated string allowedRuntimeClassNames = 1; diff --git a/staging/src/k8s.io/api/policy/v1beta1/types.go b/staging/src/k8s.io/api/policy/v1beta1/types.go index 127da02a6b7..f4a95f45719 100644 --- a/staging/src/k8s.io/api/policy/v1beta1/types.go +++ b/staging/src/k8s.io/api/policy/v1beta1/types.go @@ -171,7 +171,7 @@ type PodSecurityPolicySpec struct { // You must not list a capability in both allowedCapabilities and requiredDropCapabilities. // +optional AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"` - // volumes is a white list of allowed volume plugins. Empty indicates that + // volumes is an allowlist of volume plugins. Empty indicates that // no volumes may be used. To allow all volumes you may use '*'. // +optional Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"` 
@@ -215,16 +215,16 @@ type PodSecurityPolicySpec struct {
 // privilege escalation. If unspecified, defaults to true.
 // +optional
 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
- // allowedHostPaths is a white list of allowed host paths. Empty indicates
+ // allowedHostPaths is an allowlist of host paths. Empty indicates
 // that all host paths may be used.
 // +optional
 AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
- // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
+ // allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all
 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
 // is allowed in the "volumes" field.
 // +optional
 AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
- // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
+ // AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
 // An empty value indicates that any CSI driver can be used for inline ephemeral volumes.
 // This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.
 // +optional
@@ -232,7 +232,7 @@ type PodSecurityPolicySpec struct {
 // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
 // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ // Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
 //
 // Examples:
 // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
@@ -248,7 +248,7 @@ type PodSecurityPolicySpec struct {
 // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
 // +optional
 ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
- // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
+ // AllowedProcMountTypes is an allowlist of allowed ProcMountTypes.
 // Empty or nil indicates that only the DefaultProcMountType may be used.
 // This requires the ProcMountType feature flag to be enabled.
 // +optional
@@ -466,7 +466,7 @@ const (
 // RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses
 // for a pod.
 type RuntimeClassStrategyOptions struct {
- // allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod.
+ // allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod.
 // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
 // list. An empty list requires the RuntimeClassName field to be unset.
 AllowedRuntimeClassNames []string `json:"allowedRuntimeClassNames" protobuf:"bytes,1,rep,name=allowedRuntimeClassNames"`
diff --git a/staging/src/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go
index 70f667c6727..7d64598900f 100644
--- a/staging/src/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go @@ -164,7 +164,7 @@ var map_PodSecurityPolicySpec = map[string]string{ "defaultAddCapabilities": "defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.", "requiredDropCapabilities": "requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.", "allowedCapabilities": "allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.", - "volumes": "volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", + "volumes": "volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", "hostNetwork": "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.", "hostPorts": "hostPorts determines which host port ranges are allowed to be exposed.", "hostPID": "hostPID determines if the policy allows the use of HostPID in the pod spec.", 
@@ -177,12 +177,12 @@ var map_PodSecurityPolicySpec = map[string]string{ "readOnlyRootFilesystem": "readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.", "defaultAllowPrivilegeEscalation": "defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.", "allowPrivilegeEscalation": "allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.", - "allowedHostPaths": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", - "allowedFlexVolumes": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", - "allowedCSIDrivers": "AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", - "allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. 
\"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "allowedHostPaths": "allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.", + "allowedFlexVolumes": "allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", + "allowedCSIDrivers": "AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", + "allowedUnsafeSysctls": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "forbiddenSysctls": "forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.", - "allowedProcMountTypes": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", + "allowedProcMountTypes": "AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. 
Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", "runtimeClass": "runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled.", } @@ -212,7 +212,7 @@ func (RunAsUserStrategyOptions) SwaggerDoc() map[string]string { var map_RuntimeClassStrategyOptions = map[string]string{ "": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.", - "allowedRuntimeClassNames": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", + "allowedRuntimeClassNames": "allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", "defaultRuntimeClassName": "defaultRuntimeClassName is the default RuntimeClassName to set on the pod. The default MUST be allowed by the allowedRuntimeClassNames list. A value of nil does not mutate the Pod.", } diff --git a/staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json b/staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json index 96b4b766b26..04c82a5403a 100644 --- a/staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json +++ b/staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json 
@@ -13123,7 +13123,7 @@ "type": "boolean" }, "allowedCSIDrivers": { - "description": "AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", + "description": "AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", "items": { "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedCSIDriver" }, 
@@ -13137,28 +13137,28 @@ "type": "array" }, "allowedFlexVolumes": { - "description": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", + "description": "allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", "items": { "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedFlexVolume" }, "type": "array" }, "allowedHostPaths": { - "description": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", + "description": "allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.", "items": { "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath" }, "type": "array" }, "allowedProcMountTypes": { - "description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", + "description": "AllowedProcMountTypes is an allowlist of ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", "items": { "type": "string" }, "type": "array" }, "allowedUnsafeSysctls": { - "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. 
\"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "items": { "type": "string" }, @@ -13241,7 +13241,7 @@ "description": "supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext." }, "volumes": { - "description": "volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", + "description": "volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", "items": { "type": "string" }, @@ -13500,7 +13500,7 @@ "description": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.", "properties": { "allowedRuntimeClassNames": { - "description": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", + "description": "allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", "items": { "type": "string" }, 
@@ -14498,7 +14498,7 @@ "type": "boolean" }, "allowedCSIDrivers": { - "description": "AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", + "description": "AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedCSIDriver" }, 
@@ -14512,28 +14512,28 @@ "type": "array" }, "allowedFlexVolumes": { - "description": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", + "description": "allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedFlexVolume" }, "type": "array" }, "allowedHostPaths": { - "description": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", + "description": "allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedHostPath" }, "type": "array" }, "allowedProcMountTypes": { - "description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", + "description": "AllowedProcMountTypes is an allowlist of ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", "items": { "type": "string" }, "type": "array" }, "allowedUnsafeSysctls": { - "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. 
\"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "items": { "type": "string" }, @@ -14616,7 +14616,7 @@ "description": "supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext." }, "volumes": { - "description": "volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", + "description": "volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", "items": { "type": "string" }, @@ -14675,7 +14675,7 @@ "description": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.", "properties": { "allowedRuntimeClassNames": { - "description": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", + "description": "allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", "items": { "type": "string" }, diff --git a/staging/src/k8s.io/kubectl/testdata/openapi/swagger.json b/staging/src/k8s.io/kubectl/testdata/openapi/swagger.json index 96b4b766b26..a8e2cf8f75a 100644 
--- a/staging/src/k8s.io/kubectl/testdata/openapi/swagger.json +++ b/staging/src/k8s.io/kubectl/testdata/openapi/swagger.json @@ -13123,7 +13123,7 @@ "type": "boolean" }, "allowedCSIDrivers": { - "description": "AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", + "description": "AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", "items": { "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedCSIDriver" }, 
@@ -13137,28 +13137,28 @@ "type": "array" }, "allowedFlexVolumes": { - "description": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", + "description": "allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", "items": { "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedFlexVolume" }, "type": "array" }, "allowedHostPaths": { - "description": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", + "description": "allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.", "items": { "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.AllowedHostPath" }, "type": "array" }, "allowedProcMountTypes": { - "description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", + "description": "AllowedProcMountTypes is an allowlist of ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", "items": { "type": "string" }, "type": "array" }, "allowedUnsafeSysctls": { - "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. 
\"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "items": { "type": "string" }, @@ -13241,7 +13241,7 @@ "description": "supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext." }, "volumes": { - "description": "volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", + "description": "volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", "items": { "type": "string" }, @@ -13500,7 +13500,7 @@ "description": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.", "properties": { "allowedRuntimeClassNames": { - "description": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", + "description": "allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", "items": { "type": "string" }, 
@@ -14498,7 +14498,7 @@ "type": "boolean" }, "allowedCSIDrivers": { - "description": "AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", + "description": "AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedCSIDriver" }, 
@@ -14512,28 +14512,28 @@ "type": "array" }, "allowedFlexVolumes": { - "description": "allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", + "description": "allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"volumes\" field.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedFlexVolume" }, "type": "array" }, "allowedHostPaths": { - "description": "allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.", + "description": "allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.", "items": { "$ref": "#/definitions/io.k8s.api.policy.v1beta1.AllowedHostPath" }, "type": "array" }, "allowedProcMountTypes": { - "description": "AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", + "description": "AllowedProcMountTypes is an allowlist of ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.", "items": { "type": "string" }, "type": "array" }, "allowedUnsafeSysctls": { - "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. 
\"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "description": "allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", "items": { "type": "string" }, @@ -14616,7 +14616,7 @@ "description": "supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext." }, "volumes": { - "description": "volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", + "description": "volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.", "items": { "type": "string" }, @@ -14675,7 +14675,7 @@ "description": "RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.", "properties": { "allowedRuntimeClassNames": { - "description": "allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", + "description": "allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of \"*\" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.", "items": { "type": "string" },