From d7aa31858e1734861131d2e8d67f94c766f9b577 Mon Sep 17 00:00:00 2001
From: Jean Rouge
Date: Fri, 26 Apr 2019 13:52:19 -0700
Subject: [PATCH] Adding a new `WindowsSecurityOptions` struct
As outlined in the KEP at https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190418-windows-security-context.md and improvements on it at https://github.com/kubernetes/enhancements/pull/975
For now this struct is left empty, as discussed in the KEP (see above) and as previously discussed with Jordan Liggitt. It will allow adding GMSA and options as well as `RunAsUserName` options; both of which have already been pre-implemented respectively at https://github.com/kubernetes/kubernetes/pull/75459 and https://github.com/kubernetes/kubernetes/pull/73609; and both of which will need to be re-based to make use of the new struct.
Signed-off-by: Jean Rouge
---
 pkg/apis/core/types.go | 11 +++++++++++
 staging/src/k8s.io/api/core/v1/types.go | 11 +++++++++++
 2 files changed, 22 insertions(+)
diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go
index b2d84814f90..c6c0a281ddb 100644
--- a/pkg/apis/core/types.go
+++ b/pkg/apis/core/types.go
@@ -2733,6 +2733,9 @@ type PodSecurityContext struct {
 // takes precedence for that container.
 // +optional
 SELinuxOptions *SELinuxOptions
+ // Windows security options.
+ // +optional
+ WindowsOptions *WindowsSecurityContextOptions
 // The UID to run the entrypoint of the container process.
 // Defaults to user specified in image metadata if unspecified.
 // May also be set in SecurityContext. If set in both SecurityContext and
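Review bot: The new `WindowsOptions` comment in `PodSecurityContext` says only "Windows security options." and, unlike the `SELinuxOptions` and UID comments around it, does not state which value wins when the field is set on both the pod and a container. Since the struct is described as holding options and credentials, the precedence should be documented before any field lands, for example `// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.` The same gap is in the `SecurityContext` hunk of this file and in both field hunks of staging/src/k8s.io/api/core/v1/types.go, where the comment becomes published API documentation. It would also help to say how the field is treated for pods that do not run on Windows nodes; nothing visible in this patch validates that. The struct body continues outside the hunk.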
@@ -4677,6 +4680,9 @@ type SecurityContext struct {
 // PodSecurityContext, the value specified in SecurityContext takes precedence.
 // +optional
 SELinuxOptions *SELinuxOptions
+ // Windows security options.
+ // +optional
+ WindowsOptions *WindowsSecurityContextOptions
 // The UID to run the entrypoint of the container process.
 // Defaults to user specified in image metadata if unspecified.
 // May also be set in PodSecurityContext. If set in both SecurityContext and
@@ -4743,6 +4749,11 @@ type SELinuxOptions struct {
 Level string
 }
+// WindowsSecurityContextOptions contain Windows-specific options and credentials.
+type WindowsSecurityContextOptions struct {
+ // intentionally left empty for now
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // RangeAllocation is an opaque API object (not exposed to end users) that can be persisted to record
diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
index 02170e59937..634c96af139 100644
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
@@ -3000,6 +3000,9 @@ type PodSecurityContext struct {
 // takes precedence for that container.
 // +optional
 SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,1,opt,name=seLinuxOptions"`
+ // Windows security options.
+ // +optional
+ WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,8,opt,name=windowsOptions"`
 // The UID to run the entrypoint of the container process.
 // Defaults to user specified in image metadata if unspecified.
 // May also be set in SecurityContext. If set in both SecurityContext and
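Review bot: The doc comment on `WindowsSecurityContextOptions` (third hunk of pkg/apis/core/types.go) has a subject-verb mismatch and should read `// WindowsSecurityContextOptions contains Windows-specific options and credentials.` The placeholder `// intentionally left empty for now` would be more useful if it named the KEP cited in the commit message, so a reader of the type knows which fields are planned. As the comment already announces credentials, it is also worth noting on the type that validation is expected to arrive with the first field, because this patch adds none. The identical struct in staging/src/k8s.io/api/core/v1/types.go (last hunk) needs the same wording.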
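Review bot: The protobuf tag `8` given to `windowsOptions` in the v1 `PodSecurityContext` cannot be checked for uniqueness from this hunk, which shows only `seLinuxOptions` at tag 1; a reused tag would silently change how already-stored objects decode. The same holds for tag `10` in the v1 `SecurityContext` hunk that follows. The diffstat lists only the two types.go files, so the generated protobuf, deep-copy and conversion code appears not to be regenerated here; if that is deliberate, the description should say that a follow-up commit carries it. The struct body continues outside the hunk.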
@@ -5267,6 +5270,9 @@ type SecurityContext struct {
 // PodSecurityContext, the value specified in SecurityContext takes precedence.
 // +optional
 SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
+ // Windows security options.
+ // +optional
+ WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,10,opt,name=windowsOptions"`
 // The UID to run the entrypoint of the container process.
 // Defaults to user specified in image metadata if unspecified.
 // May also be set in PodSecurityContext. If set in both SecurityContext and
@@ -5337,6 +5343,11 @@ type SELinuxOptions struct {
 Level string `json:"level,omitempty" protobuf:"bytes,4,opt,name=level"`
 }
+// WindowsSecurityContextOptions contain Windows-specific options and credentials.
+type WindowsSecurityContextOptions struct {
+ // intentionally left empty for now
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // RangeAllocation is not a public type.