github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-03 18:27:49 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #58647 from oracle/for/upstream/master/hostpath-psp-readonly

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 64344, 64709, 64717, 63631, 58647). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add support for enforcing read only host paths in PSPs. 

**What this PR does / why we need it**:

This PR adds support for the PSP to enforce that host paths are readonly. 

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #57371
xref https://github.com/kubernetes/features/issues/5

**Special notes for your reviewer**:

**Release note**:

```release-note
PodSecurityPolicy now supports restricting hostPath volume mounts to be readOnly and under specific path prefixes
```

/cc @ericchiang @liggitt
This commit is contained in:
Kubernetes Submit Queue
2018-06-05 02:16:21 -07:00
committed by GitHub
parent 0bd77a2884 c7fbcf35da
commit f73101066a
20 changed files with 593 additions and 342 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
api/openapi-spec/swagger.json generated
View File

@@ -81376,6 +81376,10 @@
"pathPrefix": {
"description": "pathPrefix is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
"type": "string"
},
"readOnly": {
"description": "when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.",
"type": "boolean"
}
}
},
@@ -82920,6 +82924,10 @@
"pathPrefix": {
"description": "pathPrefix is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
"type": "string"
},
"readOnly": {
"description": "when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.",
"type": "boolean"
}
}
},