Merge pull request #7343 from pweil-/security-context-types

Security context - types, kubelet, admission

api/swagger-spec/v1beta1.json

@@ -7501,7 +7501,7 @@
     "properties": {
      "capabilities": {
       "$ref": "v1beta1.Capabilities",
-      "description": "capabilities for container; cannot be updated"
+      "description": "capabilities for container; cannot be updated; deprecated; See SecurityContext"
      },
      "command": {
       "type": "array",
@@ -7563,7 +7563,7 @@
      },
      "privileged": {
       "type": "boolean",
-      "description": "whether or not the container is granted privileged status; defaults to false; cannot be updated"
+      "description": "whether or not the container is granted privileged status; defaults to false; cannot be updated; deprecated; See SecurityContext"
      },
      "readinessProbe": {
       "$ref": "v1beta1.LivenessProbe",
@@ -7573,6 +7573,10 @@
       "$ref": "v1beta1.ResourceRequirements",
       "description": "Compute Resources required by this container; cannot be updated"
      },
+     "securityContext": {
+      "$ref": "v1beta1.SecurityContext",
+      "description": "security options the pod should run with"
+     },
      "terminationMessagePath": {
       "type": "string",
       "description": "path at which the file to which the container's termination message will be written is mounted into the container's filesystem; message written is intended to be brief final status, such as an assertion failure message; defaults to /dev/termination-log; cannot be updated"
@@ -7623,7 +7627,8 @@
       "description": "restart policy for all containers within the pod; one of RestartPolicyAlways, RestartPolicyOnFailure, RestartPolicyNever"
      },
      "terminationGracePeriodSeconds": {
-      "$ref": "int64",
+      "type": "integer",
+      "format": "int64",
       "description": "optional duration in seconds the pod needs to terminate gracefully; may be decreased in delete request; value must be non-negative integer; the value zero indicates delete immediately; if this value is not set, the default grace period will be used instead; the grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal; set this value longer than the expected cleanup time for your process"
      },
      "uuid": {
@@ -7700,7 +7705,8 @@
       "description": "an optional prefix to use to generate a unique name; has the same validation rules as name; optional, and is applied only name if is not specified"
      },
      "gracePeriodSeconds": {
-      "$ref": "int64",
+      "type": "integer",
+      "format": "int64",
       "description": "the duration in seconds to wait before deleting this object; defaults to a per object value if not specified; zero means delete immediately"
      },
      "id": {
@@ -9817,6 +9823,27 @@
     "id": "v1beta1.RestartPolicyOnFailure",
     "properties": {}
    },
+   "v1beta1.SELinuxOptions": {
+    "id": "v1beta1.SELinuxOptions",
+    "properties": {
+     "level": {
+      "type": "string",
+      "description": "the level label to apply to the container"
+     },
+     "role": {
+      "type": "string",
+      "description": "the role label to apply to the container"
+     },
+     "type": {
+      "type": "string",
+      "description": "the type label to apply to the container"
+     },
+     "user": {
+      "type": "string",
+      "description": "the user label to apply to the container"
+     }
+    }
+   },
    "v1beta1.Secret": {
     "id": "v1beta1.Secret",
     "properties": {
@@ -9945,6 +9972,28 @@
      }
     }
    },
+   "v1beta1.SecurityContext": {
+    "id": "v1beta1.SecurityContext",
+    "properties": {
+     "capabilities": {
+      "$ref": "v1beta1.Capabilities",
+      "description": "the linux capabilites that should be added or removed"
+     },
+     "privileged": {
+      "type": "boolean",
+      "description": "run the container in privileged mode"
+     },
+     "runAsUser": {
+      "type": "integer",
+      "format": "int64",
+      "description": "the user id that runs the first process in the container"
+     },
+     "seLinuxOptions": {
+      "$ref": "v1beta1.SELinuxOptions",
+      "description": "options that control the SELinux labels applied"
+     }
+    }
+   },
    "v1beta1.Service": {
     "id": "v1beta1.Service",
     "required": [

api/swagger-spec/v1beta2.json

@@ -7501,7 +7501,7 @@
     "properties": {
      "capabilities": {
       "$ref": "v1beta2.Capabilities",
-      "description": "capabilities for container; cannot be updated"
+      "description": "capabilities for container; cannot be updated; deprecated; See SecurityContext"
      },
      "command": {
       "type": "array",
@@ -7563,7 +7563,7 @@
      },
      "privileged": {
       "type": "boolean",
-      "description": "whether or not the container is granted privileged status; defaults to false; cannot be updated"
+      "description": "whether or not the container is granted privileged status; defaults to false; cannot be updated; deprecated; See SecurityContext"
      },
      "readinessProbe": {
       "$ref": "v1beta2.LivenessProbe",
@@ -7573,6 +7573,10 @@
       "$ref": "v1beta2.ResourceRequirements",
       "description": "Compute Resources required by this container; cannot be updated"
      },
+     "securityContext": {
+      "$ref": "v1beta2.SecurityContext",
+      "description": "security options the pod should run with"
+     },
      "terminationMessagePath": {
       "type": "string",
       "description": "path at which the file to which the container's termination message will be written is mounted into the container's filesystem; message written is intended to be brief final status, such as an assertion failure message; defaults to /dev/termination-log; cannot be updated"
@@ -7623,7 +7627,8 @@
       "description": "restart policy for all containers within the pod; one of RestartPolicyAlways, RestartPolicyOnFailure, RestartPolicyNever"
      },
      "terminationGracePeriodSeconds": {
-      "$ref": "int64",
+      "type": "integer",
+      "format": "int64",
       "description": "optional duration in seconds the pod needs to terminate gracefully; may be decreased in delete request; value must be non-negative integer; the value zero indicates delete immediately; if this value is not set, the default grace period will be used instead; the grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal; set this value longer than the expected cleanup time for your process"
      },
      "uuid": {
@@ -7700,7 +7705,8 @@
       "description": "an optional prefix to use to generate a unique name; has the same validation rules as name; optional, and is applied only name if is not specified"
      },
      "gracePeriodSeconds": {
-      "$ref": "int64",
+      "type": "integer",
+      "format": "int64",
       "description": "the duration in seconds to wait before deleting this object; defaults to a per object value if not specified; zero means delete immediately"
      },
      "id": {
@@ -9231,10 +9237,10 @@
    "v1beta2.PersistentVolumeSpec": {
     "id": "v1beta2.PersistentVolumeSpec",
     "required": [
-     "glusterfs",
      "persistentDisk",
      "awsElasticBlockStore",
-     "hostPath"
+     "hostPath",
+     "glusterfs"
     ],
     "properties": {
      "accessModes": {
@@ -9806,6 +9812,27 @@
     "id": "v1beta2.RestartPolicyOnFailure",
     "properties": {}
    },
+   "v1beta2.SELinuxOptions": {
+    "id": "v1beta2.SELinuxOptions",
+    "properties": {
+     "level": {
+      "type": "string",
+      "description": "the level label to apply to the container"
+     },
+     "role": {
+      "type": "string",
+      "description": "the role label to apply to the container"
+     },
+     "type": {
+      "type": "string",
+      "description": "the type label to apply to the container"
+     },
+     "user": {
+      "type": "string",
+      "description": "the user label to apply to the container"
+     }
+    }
+   },
    "v1beta2.Secret": {
     "id": "v1beta2.Secret",
     "properties": {
@@ -9934,6 +9961,28 @@
      }
     }
    },
+   "v1beta2.SecurityContext": {
+    "id": "v1beta2.SecurityContext",
+    "properties": {
+     "capabilities": {
+      "$ref": "v1beta2.Capabilities",
+      "description": "the linux capabilites that should be added or removed"
+     },
+     "privileged": {
+      "type": "boolean",
+      "description": "run the container in privileged mode"
+     },
+     "runAsUser": {
+      "type": "integer",
+      "format": "int64",
+      "description": "the user id that runs the first process in the container"
+     },
+     "seLinuxOptions": {
+      "$ref": "v1beta2.SELinuxOptions",
+      "description": "options that control the SELinux labels applied"
+     }
+    }
+   },
    "v1beta2.Service": {
     "id": "v1beta2.Service",
     "required": [

api/swagger-spec/v1beta3.json

@@ -8458,7 +8458,7 @@
      },
      "capabilities": {
       "$ref": "v1beta3.Capabilities",
-      "description": "capabilities for container; cannot be updated"
+      "description": "capabilities for container; cannot be updated; deprecated; See SecurityContext."
      },
      "command": {
       "type": "array",
@@ -8503,7 +8503,7 @@
      },
      "privileged": {
       "type": "boolean",
-      "description": "whether or not the container is granted privileged status; defaults to false; cannot be updated"
+      "description": "whether or not the container is granted privileged status; defaults to false; cannot be updated; deprecated;  See SecurityContext."
      },
      "readinessProbe": {
       "$ref": "v1beta3.Probe",
@@ -8513,6 +8513,10 @@
       "$ref": "v1beta3.ResourceRequirements",
       "description": "Compute Resources required by this container; cannot be updated"
      },
+     "securityContext": {
+      "$ref": "v1beta3.SecurityContext",
+      "description": "security options the pod should run with"
+     },
      "terminationMessagePath": {
       "type": "string",
       "description": "path at which the file to which the container's termination message will be written is mounted into the container's filesystem; message written is intended to be brief final status, such as an assertion failure message; defaults to /dev/termination-log; cannot be updated"
@@ -8689,7 +8693,8 @@
       "description": "version of the schema the object should have"
      },
      "gracePeriodSeconds": {
-      "$ref": "int64",
+      "type": "integer",
+      "format": "int64",
       "description": "the duration in seconds to wait before deleting this object; defaults to a per object value if not specified; zero means delete immediately"
      },
      "kind": {
@@ -9888,7 +9893,8 @@
       "description": "restart policy for all containers within the pod; one of RestartPolicyAlways, RestartPolicyOnFailure, RestartPolicyNever"
      },
      "terminationGracePeriodSeconds": {
-      "$ref": "int64",
+      "type": "integer",
+      "format": "int64",
       "description": "optional duration in seconds the pod needs to terminate gracefully; may be decreased in delete request; value must be non-negative integer; the value zero indicates delete immediately; if this value is not set, the default grace period will be used instead; the grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal; set this value longer than the expected cleanup time for your process"
      },
      "volumes": {
@@ -10200,6 +10206,27 @@
      }
     }
    },
+   "v1beta3.SELinuxOptions": {
+    "id": "v1beta3.SELinuxOptions",
+    "properties": {
+     "level": {
+      "type": "string",
+      "description": "the level label to apply to the container"
+     },
+     "role": {
+      "type": "string",
+      "description": "the role label to apply to the container"
+     },
+     "type": {
+      "type": "string",
+      "description": "the type label to apply to the container"
+     },
+     "user": {
+      "type": "string",
+      "description": "the user label to apply to the container"
+     }
+    }
+   },
    "v1beta3.Secret": {
     "id": "v1beta3.Secret",
     "properties": {
@@ -10264,6 +10291,28 @@
      }
     }
    },
+   "v1beta3.SecurityContext": {
+    "id": "v1beta3.SecurityContext",
+    "properties": {
+     "capabilities": {
+      "$ref": "v1beta3.Capabilities",
+      "description": "the linux capabilites that should be added or removed"
+     },
+     "privileged": {
+      "type": "boolean",
+      "description": "run the container in privileged mode"
+     },
+     "runAsUser": {
+      "type": "integer",
+      "format": "int64",
+      "description": "the user id that runs the first process in the container"
+     },
+     "seLinuxOptions": {
+      "$ref": "v1beta3.SELinuxOptions",
+      "description": "options that control the SELinux labels applied"
+     }
+    }
+   },
    "v1beta3.Service": {
     "id": "v1beta3.Service",
     "properties": {
@@ -10480,15 +10529,15 @@
     "id": "v1beta3.Volume",
     "required": [
      "name",
+     "gcePersistentDisk",
      "awsElasticBlockStore",
      "gitRepo",
-     "secret",
      "nfs",
-     "glusterfs",
+     "iscsi",
      "hostPath",
-     "emptyDir",
-     "gcePersistentDisk",
-     "iscsi"
+     "secret",
+     "glusterfs",
+     "emptyDir"
     ],
     "properties": {
      "awsElasticBlockStore": {

cluster/aws/config-default.sh

@@ -72,4 +72,4 @@ DNS_DOMAIN="kubernetes.local"
 DNS_REPLICAS=1
 
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ResourceQuota

cluster/azure/config-default.sh

@@ -49,4 +49,4 @@ ELASTICSEARCH_LOGGING_REPLICAS=1
 ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-true}"
 
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ResourceQuota

cluster/gce/config-default.sh

@@ -111,4 +111,4 @@ DNS_DOMAIN="kubernetes.local"
 DNS_REPLICAS=1
 
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ResourceQuota,

cluster/gce/config-test.sh

@@ -70,4 +70,4 @@ DNS_SERVER_IP="10.0.0.10"
 DNS_DOMAIN="kubernetes.local"
 DNS_REPLICAS=1
 
-ADMISSION_CONTROL=NamespaceAutoProvision,LimitRanger,ResourceQuota
+ADMISSION_CONTROL=NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ResourceQuota

cluster/vagrant/config-default.sh

@@ -50,7 +50,7 @@ MASTER_USER=vagrant
 MASTER_PASSWD=vagrant
 
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ResourceQuota
 
 # Optional: Install node monitoring.
 ENABLE_NODE_MONITORING=true

cmd/kube-apiserver/app/plugins.go

@@ -36,4 +36,5 @@ import (
 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/namespace/exists"
 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/namespace/lifecycle"
 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/resourcequota"
+	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
 )

hack/local-up-cluster.sh

@@ -116,7 +116,7 @@ echo "Starting etcd"
 kube::etcd::start
 
 # Admission Controllers to invoke prior to persisting objects in cluster
-ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,ResourceQuota
+ADMISSION_CONTROL=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ResourceQuota
 
 APISERVER_LOG=/tmp/kube-apiserver.log
 sudo -E "${GO_OUT}/kube-apiserver" \