mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-10-24 09:05:45 +00:00
Automatic merge from submit-queue (batch tested with PRs 51337, 47080, 52646, 52635, 52666). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.. PodSecurityPolicy.allowedCapabilities: add support for * to allow to request any capabilities **What this PR does / why we need it**: Prior this change there was no way to allow to pods to request any capabilities. Cluster admin had always specify a full list of capabilities explicitly. Because there are many of them, it gets tedious. This PR makes possible to use `*` to allow all possible capabilities. Non-paranoid (and lazy) cluster admins can use it. Those who are super strict and paranoid of course won't use it because `*` allows capabilities that don't exist today but may be introduced in the future. "privileged" PSP in examples was modified to allow privileged users to use this feature. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #50055 **Special notes for your reviewer**: This functional is already present in OpenShift: https://github.com/openshift/origin/pull/12875 and https://github.com/openshift/origin/pull/15135 **Release note**: ```release-note PSP: add support for using `*` as a value in `allowedCapabilities` to allow to request any capabilities ``` CC @simo5 @pweil- @gyliu513 @liqlin2015