github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 06:54:01 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #53911 from tallclair/psp-docs

Browse Source 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Clarify DefaultAddCapabilities behavior

Clarify that capabilities listed in `DefaultAddCapabilities` in the `PodSecurityPolicySpec` need not be repeated in `AllowedCapabilities`.

**Release note**:

```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2017-11-12 12:17:54 -08:00 committed by GitHub
commit 95038553d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
api/openapi-spec/swagger.json generated
View File

@ -78042,7 +78042,7 @@
} }
}, },
"defaultAddCapabilities": { "defaultAddCapabilities": {
"description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.", "description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the AllowedCapabilities list.",
"type": "array", "type": "array",
"items": { "items": {
"type": "string" "type": "string"

2
api/swagger-spec/extensions_v1beta1.json generated
View File

@ -10169,7 +10169,7 @@
"items": { "items": {
"$ref": "v1.Capability" "$ref": "v1.Capability"
}, },
"description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities." "description": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the AllowedCapabilities list."
}, },
"requiredDropCapabilities": { "requiredDropCapabilities": {
"type": "array", "type": "array",

2
docs/api-reference/extensions/v1beta1/definitions.html generated
View File

@ -7718,7 +7718,7 @@ Both these may change in the future. Incoming requests are matched against the h
</tr> </tr>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">defaultAddCapabilities</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">defaultAddCapabilities</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the AllowedCapabilities list.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_capability">v1.Capability</a> array</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_capability">v1.Capability</a> array</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>

3
pkg/apis/extensions/types.go
View File

@ -804,7 +804,8 @@ type PodSecurityPolicySpec struct {
Privileged bool Privileged bool
// DefaultAddCapabilities is the default set of capabilities that will be added to the container // DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capability in both // unless the pod spec specifically drops the capability. You may not list a capability in both
// DefaultAddCapabilities and RequiredDropCapabilities. // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
// allowed, and need not be included in the AllowedCapabilities list.
// +optional // +optional
DefaultAddCapabilities []api.Capability DefaultAddCapabilities []api.Capability
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These // RequiredDropCapabilities are the capabilities that will be dropped from the container. These

5
staging/src/k8s.io/api/extensions/v1beta1/generated.proto
View File

@ -772,8 +772,9 @@ message PodSecurityPolicySpec {
optional bool privileged = 1; optional bool privileged = 1;
// DefaultAddCapabilities is the default set of capabilities that will be added to the container // DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capabiility in both // unless the pod spec specifically drops the capability. You may not list a capability in both
// DefaultAddCapabilities and RequiredDropCapabilities. // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
// allowed, and need not be included in the AllowedCapabilities list.
// +optional // +optional
repeated string defaultAddCapabilities = 2; repeated string defaultAddCapabilities = 2;

5
staging/src/k8s.io/api/extensions/v1beta1/types.go
View File

@ -882,8 +882,9 @@ type PodSecurityPolicySpec struct {
// +optional // +optional
Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"` Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"`
// DefaultAddCapabilities is the default set of capabilities that will be added to the container // DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capabiility in both // unless the pod spec specifically drops the capability. You may not list a capability in both
// DefaultAddCapabilities and RequiredDropCapabilities. // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
// allowed, and need not be included in the AllowedCapabilities list.
// +optional // +optional
DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"` DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"`
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These // RequiredDropCapabilities are the capabilities that will be dropped from the container. These

2
staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go generated
View File

@ -449,7 +449,7 @@ func (PodSecurityPolicyList) SwaggerDoc() map[string]string {
var map_PodSecurityPolicySpec = map[string]string{ var map_PodSecurityPolicySpec = map[string]string{
"": "Pod Security Policy Spec defines the policy enforced.", "": "Pod Security Policy Spec defines the policy enforced.",
"privileged": "privileged determines if a pod can request to be run as privileged.", "privileged": "privileged determines if a pod can request to be run as privileged.",
"defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.", "defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the AllowedCapabilities list.",
"requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.", "requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.",
"allowedCapabilities": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.", "allowedCapabilities": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
"volumes": "volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.", "volumes": "volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.",