Support finer grained security capabilities #283
Merged
Problem
We currently only have 2 levels of security: default and privileged. Since Kubernetes supports very fine-grained security features, we should support those individually.
Fixes #266
Approach
Replace privileged boolean on our Spec object with a securityContext field that can be passed directly through to Kubernetes.
NOTE: Since this is an admin-only field, there is no API validation or UI component to this PR.
How to Test
minikube start
docker run --name=etcd -p 4001:4001 -d ndslabs/etcd:2.2.5 /usr/local/bin/etcd \
    --bind-addr=0.0.0.0:4001 \
    --advertise-client-urls=http://127.0.0.1:4001
apiserver.json to point to minikube and etcd
./build.sh local && ./build/bin/apiserver-darwin-amd64
4, create a user, verify the email address, and approve the account
full.json spec to the catalog
fulltest spec
securityContext listed under your container (not the pod itself)
kubectl get pods -n <user> -o yaml
securityContext listed under your container (not the pod itself)
NOTE: On second thought, I should probably add a new set of Postman tests for the security
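Because the description states that the securityContext field is passed through with no API validation, an audit of catalog specs is a natural companion check. The following is an added example, not code from this PR or project: the `Spec` struct, its `key` field, and the `broadCaps` list are assumptions made for illustration, while the `securityContext` field names follow the Kubernetes container API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SecurityContext mirrors the JSON field names of a Kubernetes container
// securityContext; only the fields audited here are declared.
type SecurityContext struct {
	Privileged   bool `json:"privileged"`
	Capabilities struct {
		Add []string `json:"add"`
	} `json:"capabilities"`
}

// Spec is a hypothetical stand-in for the project's spec object.
type Spec struct {
	Key             string          `json:"key"`
	SecurityContext SecurityContext `json:"securityContext"`
}

// broadCaps (assumed list) names capabilities close to full privileged access.
var broadCaps = map[string]bool{"ALL": true, "SYS_ADMIN": true, "SYS_MODULE": true, "SYS_PTRACE": true}

// AuditSpec returns one finding per risky securityContext setting in a spec.
func AuditSpec(raw []byte) ([]string, error) {
	var s Spec
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err
	}
	var findings []string
	if s.SecurityContext.Privileged {
		findings = append(findings, s.Key+": privileged=true")
	}
	for _, c := range s.SecurityContext.Capabilities.Add {
		if broadCaps[strings.TrimPrefix(strings.ToUpper(c), "CAP_")] {
			findings = append(findings, s.Key+": capabilities.add="+c)
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample spec that uses fine-grained capabilities.
	fmt.Println(AuditSpec([]byte(`{"key":"fulltest","securityContext":{"capabilities":{"add":["NET_ADMIN","SYS_ADMIN"]}}}`)))
}
```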