Actually use securityContext attribute as PodSecurityContext (#150)
vboulineau committed Sep 16, 2020
1 parent 20bdcff commit 6ff73b1
Showing 9 changed files with 219 additions and 184 deletions.
123 changes: 64 additions & 59 deletions deploy/crds/datadoghq.com_datadogagents_crd.yaml
Expand Up @@ -440,59 +440,35 @@ spec:
type: object
type: object
securityContext:
description: You can modify the security context used to run
the containers by modifying the label type
description: Pod-level SecurityContext
properties:
allowPrivilegeEscalation:
description: 'AllowPrivilegeEscalation controls whether
a process can gain more privileges than its parent process.
This bool directly controls if the no_new_privs flag will
be set on the container process. AllowPrivilegeEscalation
is true always when the container is: 1) run as Privileged
2) has CAP_SYS_ADMIN'
type: boolean
capabilities:
description: The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by
the container runtime.
properties:
add:
description: Added capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
type: object
privileged:
description: Run container in privileged mode. Processes
in privileged containers are essentially equivalent to
root on the host. Defaults to false.
type: boolean
procMount:
description: procMount denotes the type of proc mount to
use for the containers. The default is DefaultProcMount
which uses the container runtime defaults for readonly
paths and masked paths. This requires the ProcMountType
feature flag to be enabled.
fsGroup:
description: "A special supplemental group that applies
to all containers in a pod. Some volume types allow the
Kubelet to change the ownership of that volume to be owned
by the pod: \n 1. The owning GID will be the FSGroup 2.
The setgid bit is set (new files created in the volume
will be owned by FSGroup) 3. The permission bits are OR'd
with rw-rw---- \n If unset, the Kubelet will not modify
the ownership and permissions of any volume."
format: int64
type: integer
fsGroupChangePolicy:
description: 'fsGroupChangePolicy defines behavior of changing
ownership and permission of the volume before being exposed
inside Pod. This field will only apply to volume types
which support fsGroup based ownership(and permissions).
It will have no effect on ephemeral volume types such
as: secret, configmaps and emptydir. Valid values are
"OnRootMismatch" and "Always". If not specified defaults
to "Always".'
type: string
readOnlyRootFilesystem:
description: Whether this container has a read-only root
filesystem. Default is false.
type: boolean
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set
in PodSecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext
takes precedence.
in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
format: int64
type: integer
runAsNonRoot:
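Review bot: changing this `securityContext` schema from container-level to pod-level (description now "Pod-level SecurityContext") removes `allowPrivilegeEscalation`, `capabilities`, `privileged`, `procMount` and `readOnlyRootFilesystem`, which are exactly the container-only hardening settings. Any existing DatadogAgent manifest that set, for example, `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem: true` under this key will now have those fields pruned or rejected by the schema instead of applied, so this is a breaking change for hardened deployments and deserves a changelog entry plus a pointer to where container-level hardening is expected to be configured from now on.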
Expand All @@ -501,25 +477,26 @@ spec:
image at runtime to ensure that it does not run as UID
0 (root) and fail to start the container if it does. If
unset or false, no such validation will be performed.
May also be set in PodSecurityContext. If set in both
SecurityContext and PodSecurityContext, the value specified
in SecurityContext takes precedence.
May also be set in SecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext
takes precedence.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process. Defaults to user specified in image metadata
if unspecified. May also be set in PodSecurityContext. If
if unspecified. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
value specified in SecurityContext takes precedence for
that container.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to the container.
description: The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a
random SELinux context for each container. May also be
set in PodSecurityContext. If set in both SecurityContext
set in SecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext
takes precedence.
takes precedence for that container.
properties:
level:
description: Level is SELinux level label that applies
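Review bot: every regenerated description in this hunk (`runAsNonRoot`, `runAsUser`, `seLinuxOptions`) states that a value in a container's SecurityContext takes precedence over the pod-level value set here, so a user who sets `runAsNonRoot: true` at this level gets no guarantee if the operator itself populates `runAsUser` or `runAsNonRoot` on the agent containers. Suggest the CRD or user documentation state which container-level fields the operator sets on its own, so the effective precedence is clear to whoever relies on these pod-level values as a baseline.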
Expand All @@ -538,11 +515,39 @@ spec:
to the container.
type: string
type: object
supplementalGroups:
description: A list of groups applied to the first process
run in each container, in addition to the container's
primary GID. If unspecified, no groups will be added
to any container.
items:
format: int64
type: integer
type: array
sysctls:
description: Sysctls hold a list of namespaced sysctls used
for the pod. Pods with unsupported sysctls (by the container
runtime) might fail to launch.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
description: The Windows specific settings applied to all
containers. If unspecified, the options from the PodSecurityContext
will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
containers. If unspecified, the options within a container's
SecurityContext will be used. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext
takes precedence.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
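Review bot: the new `sysctls` entry accepts any `name`/`value` pair with no further constraint, and its description only warns that unsupported sysctls may fail to launch; it would help to document that kernel parameters Kubernetes classifies as unsafe are refused unless the kubelet has been configured to allow them, and that `supplementalGroups` and `fsGroup` change which host groups the agent's processes and mounted volumes run under, so these are pod-level settings a cluster admin will want to review. The reworded `windowsOptions` description ("applied to all containers", with the container's SecurityContext taking precedence) matches the upstream PodSecurityContext wording and is fine as is.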
