ProcMount: update staging types

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
Jess Frazelle 2018-03-20 16:09:20 -04:00
parent 30dcca6233
commit a5234d8575
3 changed files with 27 additions and 0 deletions


@ -5198,8 +5198,27 @@ type SecurityContext struct {
// 2) has CAP_SYS_ADMIN
// +optional
AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
// ProcMount denotes the type of proc mount to use for the containers.
// The default is DefaultProcMount which uses the container runtime defaults for
// readonly paths and masked paths.
// +optional
ProcMount *ProcMountType `json:"procMount,omitEmpty" protobuf:"bytes,9,opt,name=procMount"`
}
type ProcMountType string
const (
// DefaultProcMount uses the container runtime defaults for readonly and masked
// paths for /proc. Most container runtimes mask certain paths in /proc to avoid
// accidental security exposure of special devices or information.
DefaultProcMount ProcMountType = "Default"
// UnmaskedProcMount bypasses the default masking behavior of the container
// runtime and ensures the newly created /proc the container stays in tact with
// no modifications.
UnmaskedProcMount ProcMountType = "Unmasked"
)
// SELinuxOptions are the labels to be applied to the container
type SELinuxOptions struct {
// User is a SELinux user label that applies to the container.
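Review bot: The JSON tag on the new ProcMount field, `json:"procMount,omitEmpty"`, spells the option with a capital E; encoding/json tag options are case-sensitive, so the option is silently ignored and a nil ProcMount is serialized as `"procMount": null` instead of being dropped, unlike the sibling `allowPrivilegeEscalation,omitempty` field directly above it. The fix is the tag alone: `json:"procMount,omitempty" protobuf:"bytes,9,opt,name=procMount"`. The UnmaskedProcMount comment also has the typo "in tact" (should be "intact") and says nothing about the consequence of choosing it; since this value turns off the runtime's /proc masking, I would add `// Unmasked weakens container isolation: the /proc paths the runtime would normally hide are exposed to the container, so it should only be permitted via a PodSecurityPolicy AllowedProcMountTypes entry.` The SecurityContext struct begins before this hunk.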


@ -965,6 +965,10 @@ type PodSecurityPolicySpec struct {
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
// AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
// Empty or nil indicates that only the DefaultProcMountType may be used.
// +optional
AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
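Review bot: The new field's comment refers to "the DefaultProcMountType", but the constant this commit introduces in core/v1 is `DefaultProcMount` (of type `ProcMountType`), so the line should read `// Empty or nil indicates that only the DefaultProcMount type may be used.` The protobuf tag on this slice uses `opt` while the sibling slice field ForbiddenSysctls on the preceding line uses `rep`; if this tag is hand-written rather than regenerated, it should be `protobuf:"bytes,21,rep,name=allowedProcMountTypes"` to match the other repeated fields. The fail-closed default (empty list permits only Default) is the right shape for a policy field, but nothing in this hunk enforces it — presumably the PSP validation or admission check lives elsewhere and should be confirmed to reject any pod whose procMount is not in this list. PodSecurityPolicySpec begins before this hunk.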


@ -221,6 +221,10 @@ type PodSecurityPolicySpec struct {
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
// AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
// Empty or nil indicates that only the DefaultProcMountType may be used.
// +optional
AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
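Review bot: The comment on AllowedProcMountTypes names a constant that does not exist: the core/v1 constant added by this commit is `DefaultProcMount`, not `DefaultProcMountType`, so the second comment line should be `// Empty or nil indicates that only the DefaultProcMount type may be used.` The protobuf tag marks the slice `opt` whereas ForbiddenSysctls, the repeated field immediately above, is tagged `rep`; unless go-to-protobuf is going to regenerate it, `protobuf:"bytes,21,rep,name=allowedProcMountTypes"` keeps the tags consistent. Because an empty list means only the masked default is allowed, this is fail-closed by construction, but the enforcement that compares a pod's procMount against this list is not in this commit and I would confirm it exists before the field is relied on. PodSecurityPolicySpec begins before this hunk.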