diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 30d3b8a35a6..9186cb93239 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -1278,6 +1278,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/security/v1.PodSecurityPolicySubjectReviewStatus": schema_openshift_api_security_v1_PodSecurityPolicySubjectReviewStatus(ref), "github.com/openshift/api/security/v1.RangeAllocation": schema_openshift_api_security_v1_RangeAllocation(ref), "github.com/openshift/api/security/v1.RangeAllocationList": schema_openshift_api_security_v1_RangeAllocationList(ref), + "github.com/openshift/api/security/v1.RunAsGroupIDRange": schema_openshift_api_security_v1_RunAsGroupIDRange(ref), + "github.com/openshift/api/security/v1.RunAsGroupStrategyOptions": schema_openshift_api_security_v1_RunAsGroupStrategyOptions(ref), "github.com/openshift/api/security/v1.RunAsUserStrategyOptions": schema_openshift_api_security_v1_RunAsUserStrategyOptions(ref), "github.com/openshift/api/security/v1.SELinuxContextStrategyOptions": schema_openshift_api_security_v1_SELinuxContextStrategyOptions(ref), "github.com/openshift/api/security/v1.SecurityContextConstraints": schema_openshift_api_security_v1_SecurityContextConstraints(ref), @@ -65128,6 +65130,97 @@ func schema_openshift_api_security_v1_RangeAllocationList(ref common.ReferenceCa } } +func schema_openshift_api_security_v1_RunAsGroupIDRange(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "min": { + SchemaProps: spec.SchemaProps{ + Description: "min is the start of the range, inclusive.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "max": { + SchemaProps: spec.SchemaProps{ + Description: "max is the end of the range, inclusive.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + }, + Required: []string{"min", "max"}, + }, + }, + } +} + +func schema_openshift_api_security_v1_RunAsGroupStrategyOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. Valid values are \"MustRunAs\", \"MustRunAsRange\", and \"RunAsAny\".", + Type: []string{"string"}, + Format: "", + }, + }, + "gid": { + SchemaProps: spec.SchemaProps{ + Description: "gid is the group id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated gids.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "gidRangeMin": { + SchemaProps: spec.SchemaProps{ + Description: "gidRangeMin defines the min value for a strategy that allocates by range.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "gidRangeMax": { + SchemaProps: spec.SchemaProps{ + Description: "gidRangeMax defines the max value for a strategy that allocates by range.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "ranges": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "ranges are the allowed ranges of gids. If you would like to force a single gid then supply a single range with the same start and end. When omitted, any gid is allowed (equivalent to RunAsAny strategy).", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/security/v1.RunAsGroupIDRange"), + }, + }, + }, + }, + }, + }, + Required: []string{"type"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/security/v1.RunAsGroupIDRange"}, + } +} + func schema_openshift_api_security_v1_RunAsUserStrategyOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -65429,6 +65522,13 @@ func schema_openshift_api_security_v1_SecurityContextConstraints(ref common.Refe Ref: ref("github.com/openshift/api/security/v1.FSGroupStrategyOptions"), }, }, + "runAsGroup": { + SchemaProps: spec.SchemaProps{ + Description: "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/security/v1.RunAsGroupStrategyOptions"), + }, + }, "readOnlyRootFilesystem": { SchemaProps: spec.SchemaProps{ Description: "readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.", @@ -65542,7 +65642,7 @@ func schema_openshift_api_security_v1_SecurityContextConstraints(ref common.Refe }, }, Dependencies: []string{ - "github.com/openshift/api/security/v1.AllowedFlexVolume", "github.com/openshift/api/security/v1.FSGroupStrategyOptions", "github.com/openshift/api/security/v1.RunAsUserStrategyOptions", "github.com/openshift/api/security/v1.SELinuxContextStrategyOptions", "github.com/openshift/api/security/v1.SupplementalGroupsStrategyOptions", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/security/v1.AllowedFlexVolume", "github.com/openshift/api/security/v1.FSGroupStrategyOptions", "github.com/openshift/api/security/v1.RunAsGroupStrategyOptions", "github.com/openshift/api/security/v1.RunAsUserStrategyOptions", "github.com/openshift/api/security/v1.SELinuxContextStrategyOptions", "github.com/openshift/api/security/v1.SupplementalGroupsStrategyOptions", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } diff --git a/openapi/openapi.json b/openapi/openapi.json index 5a493e31d73..3d21b8c73e8 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -38166,6 +38166,11 @@ "default": "" }, "x-kubernetes-list-type": "atomic" + }, + "runAsGroup": { + "description": "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.security.v1.RunAsGroupStrategyOptions" } } }, @@ -49833,6 +49838,63 @@ "description": "IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.", "type": "string", "format": "int-or-string" + }, + "com.github.openshift.api.security.v1.RunAsGroupIDRange": { + "description": "RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy.", + "type": "object", + "required": [ + "min", + "max" + ], + "properties": { + "max": { + "description": "max is the end of the range, inclusive.", + "type": "integer", + "format": "int64" + }, + "min": { + "description": "min is the start of the range, inclusive.", + "type": "integer", + "format": "int64" + } + } + }, + "com.github.openshift.api.security.v1.RunAsGroupStrategyOptions": { + "description": "RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.", + "type": "object", + "required": [ + "type" + ], + "properties": { + "gid": { + "description": "gid is the group id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated gids.", + "type": "integer", + "format": "int64" + }, + "gidRangeMax": { + "description": "gidRangeMax defines the max value for a strategy that allocates by range.", + "type": "integer", + "format": "int64" + }, + "gidRangeMin": { + "description": "gidRangeMin defines the min value for a strategy that allocates by range.", + "type": "integer", + "format": "int64" + }, + "ranges": { + "description": "ranges are the allowed ranges of gids. If you would like to force a single gid then supply a single range with the same start and end. When omitted, any gid is allowed (equivalent to RunAsAny strategy).", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.security.v1.RunAsGroupIDRange" + }, + "x-kubernetes-list-type": "atomic" + }, + "type": { + "description": "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. Valid values are \"MustRunAs\", \"MustRunAsRange\", and \"RunAsAny\".", + "type": "string" + } + } } } } diff --git a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml b/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml index dc14c04a53e..b17a51bf15f 100644 --- a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml +++ b/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml @@ -38,6 +38,10 @@ spec: jsonPath: .fsGroup.type name: FSGroup type: string + - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext + jsonPath: .runAsGroup.type + name: RunAsGroup + type: string - description: Strategy that will dictate what supplemental groups are used by the SecurityContext jsonPath: .supplementalGroups.type @@ -256,6 +260,63 @@ spec: nullable: true type: array x-kubernetes-list-type: atomic + runAsGroup: + description: |- + runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. + properties: + gid: + description: |- + gid is the group id that containers must run as. Required for the MustRunAs strategy if not using + namespace/service account allocated gids. + format: int64 + type: integer + gidRangeMax: + description: gidRangeMax defines the max value for a strategy that + allocates by range. + format: int64 + type: integer + gidRangeMin: + description: gidRangeMin defines the min value for a strategy that + allocates by range. + format: int64 + type: integer + ranges: + description: |- + ranges are the allowed ranges of gids. If you would like to force a single + gid then supply a single range with the same start and end. + When omitted, any gid is allowed (equivalent to RunAsAny strategy). + items: + description: RunAsGroupIDRange provides a min/max of an allowed + range of group IDs for RunAsGroup strategy. + properties: + max: + description: max is the end of the range, inclusive. + format: int64 + type: integer + min: + description: min is the start of the range, inclusive. + format: int64 + type: integer + required: + - max + - min + type: object + maxItems: 256 + type: array + x-kubernetes-list-type: atomic + type: + description: |- + type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". + enum: + - MustRunAs + - MustRunAsRange + - RunAsAny + type: string + required: + - type + type: object runAsUser: description: runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. diff --git a/security/v1/generated.pb.go b/security/v1/generated.pb.go index e28b5958412..0f69f6f5c2e 100644 --- a/security/v1/generated.pb.go +++ b/security/v1/generated.pb.go @@ -395,10 +395,66 @@ func (m *RangeAllocationList) XXX_DiscardUnknown() { var xxx_messageInfo_RangeAllocationList proto.InternalMessageInfo +func (m *RunAsGroupIDRange) Reset() { *m = RunAsGroupIDRange{} } +func (*RunAsGroupIDRange) ProtoMessage() {} +func (*RunAsGroupIDRange) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{13} +} +func (m *RunAsGroupIDRange) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RunAsGroupIDRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RunAsGroupIDRange) XXX_Merge(src proto.Message) { + xxx_messageInfo_RunAsGroupIDRange.Merge(m, src) +} +func (m *RunAsGroupIDRange) XXX_Size() int { + return m.Size() +} +func (m *RunAsGroupIDRange) XXX_DiscardUnknown() { + xxx_messageInfo_RunAsGroupIDRange.DiscardUnknown(m) +} + +var xxx_messageInfo_RunAsGroupIDRange proto.InternalMessageInfo + +func (m *RunAsGroupStrategyOptions) Reset() { *m = RunAsGroupStrategyOptions{} } +func (*RunAsGroupStrategyOptions) ProtoMessage() {} +func (*RunAsGroupStrategyOptions) Descriptor() ([]byte, []int) { + return fileDescriptor_af65d9655aa67551, []int{14} +} +func (m *RunAsGroupStrategyOptions) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RunAsGroupStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RunAsGroupStrategyOptions) XXX_Merge(src proto.Message) { + xxx_messageInfo_RunAsGroupStrategyOptions.Merge(m, src) +} +func (m *RunAsGroupStrategyOptions) XXX_Size() int { + return m.Size() +} +func (m *RunAsGroupStrategyOptions) XXX_DiscardUnknown() { + xxx_messageInfo_RunAsGroupStrategyOptions.DiscardUnknown(m) +} + +var xxx_messageInfo_RunAsGroupStrategyOptions proto.InternalMessageInfo + func (m *RunAsUserStrategyOptions) Reset() { *m = RunAsUserStrategyOptions{} } func (*RunAsUserStrategyOptions) ProtoMessage() {} func (*RunAsUserStrategyOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{13} + return fileDescriptor_af65d9655aa67551, []int{15} } func (m *RunAsUserStrategyOptions) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -426,7 +482,7 @@ var xxx_messageInfo_RunAsUserStrategyOptions proto.InternalMessageInfo func (m *SELinuxContextStrategyOptions) Reset() { *m = SELinuxContextStrategyOptions{} } func (*SELinuxContextStrategyOptions) ProtoMessage() {} func (*SELinuxContextStrategyOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{14} + return fileDescriptor_af65d9655aa67551, []int{16} } func (m *SELinuxContextStrategyOptions) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -454,7 +510,7 @@ var xxx_messageInfo_SELinuxContextStrategyOptions proto.InternalMessageInfo func (m *SecurityContextConstraints) Reset() { *m = SecurityContextConstraints{} } func (*SecurityContextConstraints) ProtoMessage() {} func (*SecurityContextConstraints) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{15} + return fileDescriptor_af65d9655aa67551, []int{17} } func (m *SecurityContextConstraints) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -482,7 +538,7 @@ var xxx_messageInfo_SecurityContextConstraints proto.InternalMessageInfo func (m *SecurityContextConstraintsList) Reset() { *m = SecurityContextConstraintsList{} } func (*SecurityContextConstraintsList) ProtoMessage() {} func (*SecurityContextConstraintsList) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{16} + return fileDescriptor_af65d9655aa67551, []int{18} } func (m *SecurityContextConstraintsList) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -512,7 +568,7 @@ func (m *ServiceAccountPodSecurityPolicyReviewStatus) Reset() { } func (*ServiceAccountPodSecurityPolicyReviewStatus) ProtoMessage() {} func (*ServiceAccountPodSecurityPolicyReviewStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{17} + return fileDescriptor_af65d9655aa67551, []int{19} } func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -540,7 +596,7 @@ var xxx_messageInfo_ServiceAccountPodSecurityPolicyReviewStatus proto.InternalMe func (m *SupplementalGroupsStrategyOptions) Reset() { *m = SupplementalGroupsStrategyOptions{} } func (*SupplementalGroupsStrategyOptions) ProtoMessage() {} func (*SupplementalGroupsStrategyOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_af65d9655aa67551, []int{18} + return fileDescriptor_af65d9655aa67551, []int{20} } func (m *SupplementalGroupsStrategyOptions) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -579,6 +635,8 @@ func init() { proto.RegisterType((*PodSecurityPolicySubjectReviewStatus)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySubjectReviewStatus") proto.RegisterType((*RangeAllocation)(nil), "github.com.openshift.api.security.v1.RangeAllocation") proto.RegisterType((*RangeAllocationList)(nil), "github.com.openshift.api.security.v1.RangeAllocationList") + proto.RegisterType((*RunAsGroupIDRange)(nil), "github.com.openshift.api.security.v1.RunAsGroupIDRange") + proto.RegisterType((*RunAsGroupStrategyOptions)(nil), "github.com.openshift.api.security.v1.RunAsGroupStrategyOptions") proto.RegisterType((*RunAsUserStrategyOptions)(nil), "github.com.openshift.api.security.v1.RunAsUserStrategyOptions") proto.RegisterType((*SELinuxContextStrategyOptions)(nil), "github.com.openshift.api.security.v1.SELinuxContextStrategyOptions") proto.RegisterType((*SecurityContextConstraints)(nil), "github.com.openshift.api.security.v1.SecurityContextConstraints") @@ -592,120 +650,127 @@ func init() { } var fileDescriptor_af65d9655aa67551 = []byte{ - // 1803 bytes of a gzipped FileDescriptorProto + // 1909 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x59, 0xcd, 0x6f, 0x1b, 0xc7, - 0x15, 0xd7, 0x8a, 0xfa, 0xe2, 0x48, 0x96, 0xe4, 0x91, 0x2c, 0x4f, 0xd4, 0x98, 0x54, 0xd7, 0x6e, - 0x60, 0xb4, 0xcd, 0x32, 0x36, 0xd2, 0xc6, 0x45, 0x1a, 0x23, 0x5c, 0x31, 0x72, 0x14, 0xc8, 0x31, - 0x33, 0x8c, 0x82, 0x22, 0x08, 0x8a, 0x8c, 0x96, 0x43, 0x7a, 0xac, 0xe5, 0xee, 0x76, 0x67, 0x56, - 0x16, 0xd1, 0x4b, 0x81, 0xfe, 0x03, 0x05, 0x7a, 0xef, 0xb9, 0xfd, 0x07, 0x7a, 0x29, 0xda, 0x5e, - 0x0d, 0xb4, 0x45, 0x73, 0x2a, 0x72, 0x22, 0x6a, 0x16, 0xbd, 0xf4, 0xda, 0x9b, 0x0f, 0x45, 0x31, - 0xc3, 0xe1, 0xc7, 0x2e, 0x77, 0xe9, 0x4d, 0x6a, 0x0b, 0xbd, 0x69, 0xdf, 0xc7, 0xef, 0xfd, 0xde, - 0xcc, 0xbc, 0x37, 0x6f, 0x28, 0xf0, 0x66, 0x9b, 0x89, 0x87, 0xd1, 0x89, 0xe5, 0xf8, 0x9d, 0x8a, - 0x1f, 0x50, 0x8f, 0x3f, 0x64, 0x2d, 0x51, 0x21, 0x01, 0xab, 0x70, 0xea, 0x44, 0x21, 0x13, 0xdd, - 0xca, 0xd9, 0xad, 0x4a, 0x9b, 0x7a, 0x34, 0x24, 0x82, 0x36, 0xad, 0x20, 0xf4, 0x85, 0x0f, 0x6f, - 0x8c, 0xbd, 0xac, 0x91, 0x97, 0x45, 0x02, 0x66, 0x0d, 0xbd, 0xac, 0xb3, 0x5b, 0xbb, 0xaf, 0x4f, - 0x60, 0xb7, 0xfd, 0xb6, 0x5f, 0x51, 0xce, 0x27, 0x51, 0x4b, 0x7d, 0xa9, 0x0f, 0xf5, 0xd7, 0x00, - 0x74, 0xd7, 0x3c, 0xbd, 0xc3, 0x2d, 0xe6, 0xab, 0xe0, 0x8e, 0x1f, 0xd2, 0x94, 0xc0, 0xbb, 0x6f, - 0x8e, 0x6d, 0x3a, 0xc4, 0x79, 0xc8, 0x3c, 0x1a, 0x76, 0x2b, 0xc1, 0x69, 0x5b, 0x0a, 0x78, 0xa5, - 0x43, 0x05, 0x49, 0xf3, 0xfa, 0x7e, 0x96, 0x57, 0x18, 0x79, 0x82, 0x75, 0x68, 0x85, 0x3b, 0x0f, - 0x69, 0x87, 0x24, 0xfd, 0xcc, 0xb7, 0xc1, 0xe5, 0xaa, 0xeb, 0xfa, 0x8f, 0x69, 0xf3, 0xc0, 0xa5, - 0xe7, 0x9f, 0xf8, 0x6e, 0xd4, 0xa1, 0xf0, 0x35, 0xb0, 0xd4, 0x0c, 0xd9, 0x19, 0x0d, 0x91, 0xb1, - 0x67, 0xdc, 0x2c, 0xda, 0xeb, 0x4f, 0x7a, 0xe5, 0xb9, 0x7e, 0xaf, 0xbc, 0x54, 0x53, 0x52, 0xac, - 0xb5, 0xe6, 0xaf, 0x0d, 0xb0, 0x73, 0xd0, 0xb8, 0x17, 0xfa, 0x51, 0xd0, 0x10, 0x12, 0xb5, 0xdd, - 0x7d, 0x10, 0x08, 0xe6, 0x7b, 0x1c, 0xbe, 0x05, 0x16, 0x44, 0x37, 0xa0, 0x1a, 0xe0, 0xba, 0x06, - 0x58, 0xf8, 0xb8, 0x1b, 0xd0, 0x67, 0xbd, 0xf2, 0x56, 0xc2, 0x4b, 0x8a, 0xb1, 0x72, 0x80, 0xc7, - 0x60, 0x29, 0x24, 0x5e, 0x9b, 0x72, 0x34, 0xbf, 0x57, 0xb8, 0xb9, 0x7a, 0xfb, 0x75, 0x2b, 0xcf, - 0x46, 0x58, 0x87, 0x35, 0x2c, 0xbd, 0xc6, 0x54, 0xd5, 0x27, 0xc7, 0x1a, 0xcc, 0xbc, 0x07, 0x96, - 0xb5, 0x09, 0xbc, 0x06, 0x0a, 0x1d, 0xe6, 0x29, 0x66, 0x05, 0x7b, 0x55, 0xdb, 0x17, 0xee, 0x33, - 0x0f, 0x4b, 0xb9, 0x52, 0x93, 0x73, 0x34, 0x9f, 0x50, 0x93, 0x73, 0x2c, 0xe5, 0xe6, 0x5f, 0xe6, - 0xc1, 0xd5, 0xba, 0xdf, 0x6c, 0xe8, 0xd8, 0x75, 0xdf, 0x65, 0x4e, 0x17, 0xd3, 0x33, 0x46, 0x1f, - 0xc3, 0xcf, 0xc1, 0x8a, 0xdc, 0x9f, 0x26, 0x11, 0x04, 0x15, 0xf6, 0x8c, 0x9b, 0xab, 0xb7, 0xdf, - 0xb0, 0x06, 0xfb, 0x62, 0x4d, 0xee, 0x8b, 0x15, 0x9c, 0xb6, 0xa5, 0x80, 0x5b, 0xd2, 0x5a, 0xb2, - 0x7f, 0x70, 0xf2, 0x88, 0x3a, 0xe2, 0x3e, 0x15, 0xc4, 0x86, 0x3a, 0x22, 0x18, 0xcb, 0xf0, 0x08, - 0x15, 0x3a, 0x60, 0x81, 0x07, 0xd4, 0x51, 0xe4, 0x57, 0x6f, 0x57, 0xf3, 0xad, 0x4d, 0x06, 0xdd, - 0x46, 0x40, 0x1d, 0x7b, 0x6d, 0xb8, 0x33, 0xf2, 0x0b, 0x2b, 0x70, 0x78, 0x0a, 0x96, 0xb8, 0x20, - 0x22, 0xe2, 0x6a, 0x11, 0x56, 0x6f, 0xef, 0xff, 0x6f, 0x61, 0x14, 0xd4, 0x78, 0x63, 0x06, 0xdf, - 0x58, 0x87, 0x30, 0x7f, 0x67, 0x80, 0x6f, 0xcc, 0x20, 0x08, 0x3f, 0x02, 0x2b, 0x82, 0x76, 0x02, - 0x97, 0x08, 0xaa, 0xb3, 0xbe, 0x3e, 0xb1, 0xa6, 0x96, 0xac, 0x22, 0x1d, 0xfc, 0x63, 0x6d, 0xa6, - 0xf2, 0xda, 0xd4, 0xe1, 0x56, 0x86, 0x52, 0x3c, 0x82, 0x81, 0x87, 0x60, 0x8b, 0xd3, 0xf0, 0x8c, - 0x39, 0xb4, 0xea, 0x38, 0x7e, 0xe4, 0x89, 0x0f, 0x49, 0x47, 0x9f, 0xb7, 0xa2, 0x7d, 0xb5, 0xdf, - 0x2b, 0x6f, 0x35, 0xa6, 0xd5, 0x38, 0xcd, 0xc7, 0xfc, 0x93, 0x01, 0xae, 0xcd, 0xcc, 0x1b, 0xfe, - 0xc6, 0x00, 0x3b, 0x64, 0x50, 0x61, 0x71, 0x54, 0x8e, 0x0c, 0x75, 0xc0, 0x3f, 0xca, 0xb7, 0xba, - 0x71, 0xe7, 0xd9, 0x6b, 0x5d, 0xd2, 0xc9, 0xef, 0x54, 0x53, 0x03, 0xe3, 0x0c, 0x42, 0xe6, 0xbf, - 0xe6, 0x81, 0x39, 0x85, 0xdc, 0xa0, 0x6e, 0xab, 0x11, 0xa9, 0xc3, 0x78, 0x61, 0xc7, 0xdc, 0x8b, - 0x1d, 0xf3, 0xa3, 0xaf, 0x79, 0xfe, 0xa6, 0x98, 0x67, 0x9e, 0xf8, 0x30, 0x71, 0xe2, 0x3f, 0xf8, - 0xba, 0x11, 0x63, 0xd1, 0x66, 0x1f, 0xfc, 0x9f, 0x82, 0xd7, 0xf2, 0x31, 0x7e, 0x09, 0x25, 0x60, - 0xf6, 0xe7, 0x41, 0x69, 0x36, 0xfb, 0x0b, 0xd8, 0xe5, 0x47, 0xb1, 0x5d, 0x7e, 0xff, 0x85, 0xac, - 0xf9, 0xff, 0xd3, 0x0e, 0xff, 0xde, 0x48, 0x2b, 0xa7, 0x0b, 0xd8, 0x5e, 0xb8, 0x07, 0x16, 0x22, - 0x4e, 0x43, 0x95, 0x6b, 0x71, 0xbc, 0x1e, 0xc7, 0x9c, 0x86, 0x58, 0x69, 0xa0, 0x09, 0x96, 0xda, - 0xf2, 0x06, 0xe6, 0xa8, 0xa0, 0xda, 0x1e, 0x90, 0xfc, 0xd5, 0x9d, 0xcc, 0xb1, 0xd6, 0x98, 0xff, - 0x36, 0xc0, 0x8d, 0x3c, 0x0b, 0x00, 0xeb, 0xa0, 0xa8, 0x3b, 0x8a, 0xdd, 0x9d, 0x95, 0xc2, 0x03, - 0xed, 0xda, 0xa2, 0x21, 0xf5, 0x1c, 0x6a, 0x5f, 0xea, 0xf7, 0xca, 0xc5, 0xea, 0xd0, 0x13, 0x8f, - 0x41, 0xe4, 0x04, 0x12, 0x52, 0xc2, 0x7d, 0x4f, 0xa7, 0x30, 0xbe, 0xd6, 0x95, 0x14, 0x6b, 0x6d, - 0x6c, 0xed, 0x0a, 0x2f, 0xa6, 0x34, 0x7e, 0x6b, 0x80, 0x0d, 0x35, 0x28, 0x48, 0x62, 0x0e, 0x91, - 0xe3, 0x4c, 0xac, 0x16, 0x8c, 0x97, 0x52, 0x0b, 0xd7, 0xc1, 0xa2, 0x9a, 0x54, 0x74, 0xbe, 0x97, - 0xb4, 0xf1, 0xa2, 0x62, 0x82, 0x07, 0x3a, 0xf8, 0x2a, 0x58, 0x18, 0x95, 0xe3, 0x9a, 0xbd, 0x22, - 0xb7, 0xb4, 0x46, 0x04, 0xc1, 0x4a, 0x6a, 0xfe, 0xd5, 0x00, 0x5b, 0x09, 0xe2, 0x47, 0x8c, 0x0b, - 0xf8, 0xd9, 0x14, 0x79, 0x2b, 0x1f, 0x79, 0xe9, 0xad, 0xa8, 0x8f, 0x96, 0x6b, 0x28, 0x99, 0x20, - 0xfe, 0x29, 0x58, 0x64, 0x82, 0x76, 0x86, 0xe3, 0xda, 0xf7, 0xf2, 0xd5, 0x55, 0x82, 0xe7, 0x38, - 0xdf, 0x43, 0x89, 0x85, 0x07, 0x90, 0xe6, 0xdf, 0x0c, 0x80, 0x70, 0xe4, 0x55, 0xb9, 0x3c, 0xb8, - 0xc9, 0x09, 0xf3, 0x07, 0xb1, 0x09, 0xf3, 0x5b, 0x89, 0x09, 0xf3, 0xca, 0x94, 0xdf, 0xc4, 0x8c, - 0xf9, 0x0a, 0x28, 0x44, 0xac, 0xa9, 0x47, 0xbc, 0x65, 0x39, 0xde, 0x1d, 0x1f, 0xd6, 0xb0, 0x94, - 0xc1, 0x5b, 0x60, 0x35, 0x62, 0x4d, 0x45, 0xef, 0x3e, 0xf3, 0xd4, 0x4a, 0x17, 0xec, 0x8d, 0x7e, - 0xaf, 0xbc, 0x7a, 0xac, 0xe7, 0x47, 0x39, 0x28, 0x4e, 0xda, 0xc4, 0x5c, 0xc8, 0x39, 0x5a, 0x48, - 0x71, 0x21, 0xe7, 0x78, 0xd2, 0xc6, 0xfc, 0xa3, 0x01, 0xae, 0x35, 0xde, 0x3b, 0x62, 0x5e, 0x74, - 0xbe, 0xef, 0x7b, 0x82, 0x9e, 0x8b, 0x64, 0x76, 0x77, 0x63, 0xd9, 0x7d, 0x3b, 0x91, 0xdd, 0x6e, - 0xba, 0xf3, 0x44, 0x8a, 0x3f, 0x06, 0xeb, 0x9c, 0x2a, 0x1b, 0x8d, 0xa8, 0xfb, 0x9e, 0x99, 0x56, - 0x1e, 0x1a, 0x4d, 0x5b, 0xda, 0xb0, 0xdf, 0x2b, 0xaf, 0xc7, 0x65, 0x38, 0x81, 0x66, 0xfe, 0xe7, - 0x32, 0xd8, 0x1d, 0x36, 0x06, 0xcd, 0x62, 0xdf, 0xf7, 0xb8, 0x08, 0x09, 0xf3, 0x04, 0xbf, 0x80, - 0x82, 0xb9, 0x09, 0x56, 0x82, 0x90, 0xf9, 0x32, 0xbe, 0x4a, 0x6d, 0xd1, 0x5e, 0x93, 0x27, 0xb4, - 0xae, 0x65, 0x78, 0xa4, 0x85, 0x9f, 0x01, 0xa4, 0x1a, 0x4b, 0x3d, 0x64, 0x67, 0xcc, 0xa5, 0x6d, - 0xda, 0x94, 0x84, 0x89, 0x24, 0xa0, 0xf6, 0x77, 0xc5, 0xde, 0xd3, 0x91, 0x50, 0x35, 0xc3, 0x0e, - 0x67, 0x22, 0x40, 0x0e, 0x76, 0x9a, 0xb4, 0x45, 0x22, 0x57, 0x54, 0x9b, 0xcd, 0x7d, 0x12, 0x90, - 0x13, 0xe6, 0x32, 0xc1, 0x28, 0x47, 0x0b, 0xaa, 0xb1, 0xbe, 0x2d, 0xe7, 0xb0, 0x5a, 0xaa, 0xc5, - 0xb3, 0x5e, 0xf9, 0xda, 0xf4, 0x83, 0xd0, 0x1a, 0x99, 0x74, 0x71, 0x06, 0x34, 0xec, 0x02, 0x14, - 0xd2, 0x9f, 0x44, 0x2c, 0xa4, 0xcd, 0x5a, 0xe8, 0x07, 0xb1, 0xb0, 0x8b, 0x2a, 0xec, 0x3b, 0x32, - 0x1d, 0x9c, 0x61, 0xf3, 0xfc, 0xc0, 0x99, 0xf0, 0xf0, 0x11, 0xd8, 0xd2, 0x6d, 0x3a, 0x16, 0x75, - 0x49, 0x45, 0xbd, 0x23, 0x87, 0xe7, 0xea, 0xb4, 0xfa, 0xf9, 0x01, 0xd3, 0x40, 0x47, 0x3b, 0xf7, - 0xbe, 0xcf, 0x45, 0x8d, 0x85, 0x83, 0xd7, 0x69, 0xdd, 0x8d, 0xda, 0xcc, 0x43, 0xcb, 0x29, 0x3b, - 0x97, 0x62, 0x87, 0x33, 0x11, 0x60, 0x05, 0x2c, 0x9f, 0xa9, 0x6f, 0x8e, 0x56, 0x14, 0xfb, 0x2b, - 0xfd, 0x5e, 0x79, 0x79, 0x60, 0x22, 0x19, 0x2f, 0x1d, 0x34, 0x54, 0x41, 0x0d, 0xad, 0xe0, 0xcf, - 0x0d, 0x00, 0x49, 0xf2, 0xb1, 0xcc, 0xd1, 0x15, 0xd5, 0xf8, 0xde, 0xca, 0xd7, 0xf8, 0xa6, 0x1e, - 0xdb, 0xf6, 0xae, 0x4e, 0x01, 0x4e, 0xa9, 0x38, 0x4e, 0x09, 0x07, 0x6b, 0x60, 0x73, 0x94, 0xd2, - 0x87, 0x54, 0x3c, 0xf6, 0xc3, 0x53, 0x54, 0x54, 0x8b, 0x81, 0x34, 0xd2, 0x66, 0x35, 0xa1, 0xc7, - 0x53, 0x1e, 0xf0, 0x2e, 0x58, 0x1f, 0xc9, 0xea, 0x7e, 0x28, 0x38, 0x02, 0x0a, 0x63, 0x47, 0x63, - 0xac, 0x57, 0x63, 0x5a, 0x9c, 0xb0, 0x86, 0x77, 0xc0, 0xda, 0x58, 0x72, 0x58, 0x43, 0xab, 0xca, - 0x7b, 0x5b, 0x7b, 0xaf, 0x55, 0x27, 0x74, 0x38, 0x66, 0x19, 0xf3, 0x3c, 0xac, 0xef, 0xa3, 0xb5, - 0x0c, 0xcf, 0xc3, 0xfa, 0x3e, 0x8e, 0x59, 0xc2, 0xcf, 0x01, 0x94, 0xb3, 0x8b, 0x7a, 0x79, 0x05, - 0xc4, 0xa1, 0x47, 0xf4, 0x8c, 0xba, 0x68, 0x57, 0x75, 0xc8, 0x37, 0x86, 0xab, 0x78, 0x3c, 0x65, - 0xf1, 0xac, 0x57, 0x86, 0x71, 0x89, 0xda, 0xd6, 0x14, 0x2c, 0xd8, 0x01, 0xe5, 0x61, 0xc5, 0xc5, - 0xea, 0xfd, 0x3d, 0xee, 0x10, 0x57, 0xdd, 0x54, 0x68, 0x47, 0xd1, 0xbd, 0xde, 0xef, 0x95, 0xcb, - 0xb5, 0xd9, 0xa6, 0xf8, 0x79, 0x58, 0xf0, 0x47, 0xc9, 0xce, 0x34, 0x11, 0xe7, 0xaa, 0x8a, 0xf3, - 0xea, 0x74, 0x57, 0x9a, 0x08, 0x90, 0xe9, 0x2d, 0x8f, 0xea, 0xb0, 0x63, 0xeb, 0xee, 0x8c, 0x2e, - 0x7d, 0x95, 0xb7, 0xfc, 0xcc, 0xcb, 0x69, 0x7c, 0x48, 0xe2, 0x66, 0x38, 0x11, 0x12, 0xfa, 0xa0, - 0x18, 0x0e, 0xaf, 0x61, 0xb4, 0xae, 0xe2, 0xdf, 0xcd, 0x39, 0x1f, 0x64, 0xdc, 0xfa, 0xf6, 0x65, - 0x1d, 0xba, 0x38, 0xb2, 0xc0, 0xe3, 0x18, 0xf0, 0x97, 0x06, 0x80, 0x3c, 0x0a, 0x02, 0x97, 0x76, - 0xa8, 0x27, 0x88, 0x3b, 0x18, 0x68, 0xd1, 0x86, 0x0a, 0x7d, 0x2f, 0x67, 0xea, 0x53, 0xfe, 0x49, - 0x0e, 0xa3, 0x8a, 0x9d, 0x36, 0xc5, 0x29, 0xe1, 0x61, 0x1b, 0x2c, 0xb7, 0xb8, 0xfa, 0x1b, 0x6d, - 0x2a, 0x26, 0x3f, 0xcc, 0xc7, 0x24, 0xfd, 0xa7, 0x35, 0x7b, 0x43, 0x87, 0x5f, 0xd6, 0x7a, 0x3c, - 0x44, 0x87, 0x9f, 0x80, 0x9d, 0x90, 0x92, 0xe6, 0x03, 0xcf, 0xed, 0x62, 0xdf, 0x17, 0x07, 0xcc, - 0xa5, 0xbc, 0xcb, 0x05, 0xed, 0xa0, 0xcb, 0xea, 0x34, 0x8d, 0x7e, 0x17, 0xc0, 0xa9, 0x56, 0x38, - 0xc3, 0x1b, 0x96, 0xc1, 0xa2, 0x2c, 0x16, 0x8e, 0xa0, 0xea, 0x93, 0x45, 0x39, 0xa8, 0xc9, 0xf5, - 0xe6, 0x78, 0x20, 0x9f, 0x78, 0x4d, 0x6c, 0x65, 0xbd, 0x26, 0xe0, 0x3b, 0x60, 0x83, 0x53, 0xc7, - 0xf1, 0x3b, 0x41, 0x3d, 0xf4, 0x5b, 0x12, 0x1c, 0x6d, 0x2b, 0xe3, 0xad, 0x7e, 0xaf, 0xbc, 0xd1, - 0x88, 0xab, 0x70, 0xd2, 0x16, 0x1e, 0x81, 0x6d, 0xdd, 0x0c, 0x8f, 0x3d, 0x4e, 0x5a, 0xb4, 0xd1, - 0xe5, 0x8e, 0x70, 0x39, 0x42, 0x0a, 0x03, 0xf5, 0x7b, 0xe5, 0xed, 0x6a, 0x8a, 0x1e, 0xa7, 0x7a, - 0xc1, 0x77, 0xc1, 0x66, 0xcb, 0x0f, 0x4f, 0x58, 0xb3, 0x49, 0xbd, 0x21, 0xd2, 0x2b, 0x0a, 0x69, - 0x5b, 0x36, 0xd0, 0x83, 0x84, 0x0e, 0x4f, 0x59, 0x9b, 0xff, 0x34, 0x40, 0x29, 0x7b, 0x00, 0xba, - 0x80, 0xc1, 0x9b, 0xc6, 0x07, 0xef, 0x77, 0xf3, 0xfe, 0x8c, 0x94, 0x45, 0x39, 0x63, 0x06, 0xff, - 0xd5, 0x3c, 0xf8, 0xce, 0x57, 0xf8, 0xed, 0x09, 0xfe, 0xd9, 0x00, 0x37, 0x82, 0x1c, 0x8f, 0x46, - 0xbd, 0x22, 0x2f, 0xf2, 0x1d, 0xfe, 0x5d, 0x9d, 0x40, 0xae, 0x47, 0x2b, 0xce, 0xc5, 0x52, 0xbe, - 0xa4, 0x3d, 0xd2, 0xa1, 0xc9, 0x97, 0xb4, 0xbc, 0x37, 0xb0, 0xd2, 0x98, 0x7f, 0x30, 0xc0, 0x37, - 0x9f, 0xdb, 0x33, 0xa0, 0x1d, 0x9b, 0xe7, 0xad, 0xc4, 0x3c, 0x5f, 0xca, 0x06, 0x78, 0xe9, 0x3f, - 0x8d, 0xdb, 0x1f, 0x3c, 0x79, 0x5a, 0x9a, 0xfb, 0xe2, 0x69, 0x69, 0xee, 0xcb, 0xa7, 0xa5, 0xb9, - 0x9f, 0xf5, 0x4b, 0xc6, 0x93, 0x7e, 0xc9, 0xf8, 0xa2, 0x5f, 0x32, 0xbe, 0xec, 0x97, 0x8c, 0xbf, - 0xf7, 0x4b, 0xc6, 0x2f, 0xfe, 0x51, 0x9a, 0xfb, 0xf4, 0x46, 0x9e, 0xff, 0xa2, 0xfc, 0x37, 0x00, - 0x00, 0xff, 0xff, 0xb7, 0xb2, 0xaf, 0x36, 0x6c, 0x19, 0x00, 0x00, + 0x15, 0xd7, 0x8a, 0xfa, 0xe2, 0x93, 0x2c, 0xc9, 0x23, 0x59, 0x5e, 0x29, 0x31, 0xa9, 0xae, 0x5d, + 0xc3, 0x68, 0x1b, 0x32, 0x36, 0xd2, 0xc6, 0x6d, 0x1a, 0x37, 0x5c, 0x31, 0x52, 0x14, 0xc8, 0x31, + 0x33, 0x8c, 0x82, 0x22, 0x08, 0xda, 0x8c, 0x96, 0x43, 0x7a, 0xad, 0xe5, 0xee, 0x76, 0x67, 0x56, + 0x16, 0xd1, 0x4b, 0x81, 0xfe, 0x03, 0x05, 0x7a, 0xef, 0xb9, 0xfd, 0x07, 0x0a, 0x14, 0x45, 0xdb, + 0xab, 0x81, 0xb6, 0x68, 0x4e, 0x45, 0x4e, 0x44, 0xcd, 0xa2, 0x97, 0x5e, 0x73, 0xf3, 0xa9, 0x98, + 0xe1, 0x90, 0xdc, 0x5d, 0xee, 0xca, 0x54, 0x6a, 0x0b, 0xb9, 0x71, 0xdf, 0xc7, 0xef, 0x7d, 0xcd, + 0xbc, 0x79, 0x33, 0x84, 0x37, 0x5a, 0x36, 0x7f, 0x18, 0x1e, 0x95, 0x2c, 0xaf, 0x5d, 0xf6, 0x7c, + 0xea, 0xb2, 0x87, 0x76, 0x93, 0x97, 0x89, 0x6f, 0x97, 0x19, 0xb5, 0xc2, 0xc0, 0xe6, 0x9d, 0xf2, + 0xc9, 0xed, 0x72, 0x8b, 0xba, 0x34, 0x20, 0x9c, 0x36, 0x4a, 0x7e, 0xe0, 0x71, 0x0f, 0xdd, 0x18, + 0x69, 0x95, 0x86, 0x5a, 0x25, 0xe2, 0xdb, 0xa5, 0x81, 0x56, 0xe9, 0xe4, 0xf6, 0xd6, 0x6b, 0x11, + 0xec, 0x96, 0xd7, 0xf2, 0xca, 0x52, 0xf9, 0x28, 0x6c, 0xca, 0x2f, 0xf9, 0x21, 0x7f, 0xf5, 0x41, + 0xb7, 0x8c, 0xe3, 0xbb, 0xac, 0x64, 0x7b, 0xd2, 0xb8, 0xe5, 0x05, 0x34, 0xc5, 0xf0, 0xd6, 0x1b, + 0x23, 0x99, 0x36, 0xb1, 0x1e, 0xda, 0x2e, 0x0d, 0x3a, 0x65, 0xff, 0xb8, 0x25, 0x08, 0xac, 0xdc, + 0xa6, 0x9c, 0xa4, 0x69, 0x7d, 0x2f, 0x4b, 0x2b, 0x08, 0x5d, 0x6e, 0xb7, 0x69, 0x99, 0x59, 0x0f, + 0x69, 0x9b, 0x24, 0xf5, 0x8c, 0xb7, 0xe0, 0x72, 0xc5, 0x71, 0xbc, 0xc7, 0xb4, 0xb1, 0xeb, 0xd0, + 0xd3, 0x8f, 0x3d, 0x27, 0x6c, 0x53, 0x74, 0x13, 0xe6, 0x1a, 0x81, 0x7d, 0x42, 0x03, 0x5d, 0xdb, + 0xd6, 0x6e, 0xe5, 0xcd, 0xe5, 0x27, 0xdd, 0xe2, 0x54, 0xaf, 0x5b, 0x9c, 0xab, 0x4a, 0x2a, 0x56, + 0x5c, 0xe3, 0xb7, 0x1a, 0x6c, 0xec, 0xd6, 0xf7, 0x02, 0x2f, 0xf4, 0xeb, 0x5c, 0xa0, 0xb6, 0x3a, + 0x0f, 0x7c, 0x6e, 0x7b, 0x2e, 0x43, 0x6f, 0xc2, 0x0c, 0xef, 0xf8, 0x54, 0x01, 0x5c, 0x57, 0x00, + 0x33, 0x1f, 0x75, 0x7c, 0xfa, 0xac, 0x5b, 0x5c, 0x4b, 0x68, 0x09, 0x32, 0x96, 0x0a, 0xe8, 0x10, + 0xe6, 0x02, 0xe2, 0xb6, 0x28, 0xd3, 0xa7, 0xb7, 0x73, 0xb7, 0x16, 0xef, 0xbc, 0x56, 0x9a, 0xa4, + 0x10, 0xa5, 0xfd, 0x2a, 0x16, 0x5a, 0x23, 0x57, 0xe5, 0x27, 0xc3, 0x0a, 0xcc, 0xd8, 0x83, 0x79, + 0x25, 0x82, 0xae, 0x41, 0xae, 0x6d, 0xbb, 0xd2, 0xb3, 0x9c, 0xb9, 0xa8, 0xe4, 0x73, 0xf7, 0x6d, + 0x17, 0x0b, 0xba, 0x64, 0x93, 0x53, 0x7d, 0x3a, 0xc1, 0x26, 0xa7, 0x58, 0xd0, 0x8d, 0xbf, 0x4f, + 0xc3, 0xd5, 0x9a, 0xd7, 0xa8, 0x2b, 0xdb, 0x35, 0xcf, 0xb1, 0xad, 0x0e, 0xa6, 0x27, 0x36, 0x7d, + 0x8c, 0x3e, 0x83, 0x05, 0x51, 0x9f, 0x06, 0xe1, 0x44, 0xcf, 0x6d, 0x6b, 0xb7, 0x16, 0xef, 0xbc, + 0x5e, 0xea, 0xd7, 0xa5, 0x14, 0xad, 0x4b, 0xc9, 0x3f, 0x6e, 0x09, 0x02, 0x2b, 0x09, 0x69, 0xe1, + 0xfd, 0x83, 0xa3, 0x47, 0xd4, 0xe2, 0xf7, 0x29, 0x27, 0x26, 0x52, 0x16, 0x61, 0x44, 0xc3, 0x43, + 0x54, 0x64, 0xc1, 0x0c, 0xf3, 0xa9, 0x25, 0x9d, 0x5f, 0xbc, 0x53, 0x99, 0x2c, 0x37, 0x19, 0xee, + 0xd6, 0x7d, 0x6a, 0x99, 0x4b, 0x83, 0xca, 0x88, 0x2f, 0x2c, 0xc1, 0xd1, 0x31, 0xcc, 0x31, 0x4e, + 0x78, 0xc8, 0x64, 0x12, 0x16, 0xef, 0xec, 0xfc, 0x7f, 0x66, 0x24, 0xd4, 0xa8, 0x30, 0xfd, 0x6f, + 0xac, 0x4c, 0x18, 0x7f, 0xd4, 0xe0, 0x95, 0x33, 0x1c, 0x44, 0x1f, 0xc2, 0x02, 0xa7, 0x6d, 0xdf, + 0x21, 0x9c, 0xaa, 0xa8, 0xaf, 0x47, 0x72, 0x5a, 0x12, 0xbb, 0x48, 0x19, 0xff, 0x48, 0x89, 0xc9, + 0xb8, 0x56, 0x95, 0xb9, 0x85, 0x01, 0x15, 0x0f, 0x61, 0xd0, 0x3e, 0xac, 0x31, 0x1a, 0x9c, 0xd8, + 0x16, 0xad, 0x58, 0x96, 0x17, 0xba, 0xfc, 0x03, 0xd2, 0x56, 0xeb, 0x2d, 0x6f, 0x5e, 0xed, 0x75, + 0x8b, 0x6b, 0xf5, 0x71, 0x36, 0x4e, 0xd3, 0x31, 0xfe, 0xaa, 0xc1, 0xb5, 0x33, 0xe3, 0x46, 0xbf, + 0xd3, 0x60, 0x83, 0xf4, 0x77, 0x58, 0x1c, 0x95, 0xe9, 0x9a, 0x5c, 0xe0, 0x1f, 0x4e, 0x96, 0xdd, + 0xb8, 0xf2, 0xd9, 0xb9, 0x2e, 0xa8, 0xe0, 0x37, 0x2a, 0xa9, 0x86, 0x71, 0x86, 0x43, 0xc6, 0x7f, + 0xa7, 0xc1, 0x18, 0x43, 0xae, 0x53, 0xa7, 0x59, 0x0f, 0xe5, 0x62, 0xbc, 0xb0, 0x65, 0xee, 0xc6, + 0x96, 0xf9, 0xc1, 0x57, 0x5c, 0x7f, 0x63, 0x9e, 0x67, 0xae, 0xf8, 0x20, 0xb1, 0xe2, 0xdf, 0xff, + 0xaa, 0x16, 0x63, 0xd6, 0xce, 0x5e, 0xf8, 0x3f, 0x87, 0x9b, 0x93, 0x79, 0xfc, 0x12, 0xb6, 0x80, + 0xd1, 0x9b, 0x86, 0xc2, 0xd9, 0xde, 0x5f, 0x40, 0x95, 0x1f, 0xc5, 0xaa, 0xfc, 0xde, 0x0b, 0xc9, + 0xf9, 0xd7, 0xa9, 0xc2, 0x7f, 0xd2, 0xd2, 0xb6, 0xd3, 0x05, 0x94, 0x17, 0x6d, 0xc3, 0x4c, 0xc8, + 0x68, 0x20, 0x63, 0xcd, 0x8f, 0xf2, 0x71, 0xc8, 0x68, 0x80, 0x25, 0x07, 0x19, 0x30, 0xd7, 0x12, + 0x27, 0x30, 0xd3, 0x73, 0xb2, 0xed, 0x81, 0xf0, 0x5f, 0x9e, 0xc9, 0x0c, 0x2b, 0x8e, 0xf1, 0xa5, + 0x06, 0x37, 0x26, 0x49, 0x00, 0xaa, 0x41, 0x5e, 0x75, 0x14, 0xb3, 0x73, 0x56, 0x08, 0x0f, 0x94, + 0x6a, 0x93, 0x06, 0xd4, 0xb5, 0xa8, 0x79, 0xa9, 0xd7, 0x2d, 0xe6, 0x2b, 0x03, 0x4d, 0x3c, 0x02, + 0x11, 0x13, 0x48, 0x40, 0x09, 0xf3, 0x5c, 0x15, 0xc2, 0xe8, 0x58, 0x97, 0x54, 0xac, 0xb8, 0xb1, + 0xdc, 0xe5, 0x5e, 0xcc, 0xd6, 0xf8, 0xbd, 0x06, 0x2b, 0x72, 0x50, 0x10, 0x8e, 0x59, 0x44, 0x8c, + 0x33, 0xb1, 0xbd, 0xa0, 0xbd, 0x94, 0xbd, 0x70, 0x1d, 0x66, 0xe5, 0xa4, 0xa2, 0xe2, 0xbd, 0xa4, + 0x84, 0x67, 0xa5, 0x27, 0xb8, 0xcf, 0x43, 0xaf, 0xc2, 0xcc, 0x70, 0x3b, 0x2e, 0x99, 0x0b, 0xa2, + 0xa4, 0x55, 0xc2, 0x09, 0x96, 0x54, 0xe3, 0x1f, 0x1a, 0xac, 0x25, 0x1c, 0x3f, 0xb0, 0x19, 0x47, + 0x9f, 0x8e, 0x39, 0x5f, 0x9a, 0xcc, 0x79, 0xa1, 0x2d, 0x5d, 0x1f, 0xa6, 0x6b, 0x40, 0x89, 0x38, + 0xfe, 0x09, 0xcc, 0xda, 0x9c, 0xb6, 0x07, 0xe3, 0xda, 0x77, 0x27, 0xdb, 0x57, 0x09, 0x3f, 0x47, + 0xf1, 0xee, 0x0b, 0x2c, 0xdc, 0x87, 0x34, 0xf6, 0xe1, 0x32, 0x0e, 0xdd, 0x0a, 0x93, 0xeb, 0x72, + 0x30, 0xbe, 0x6d, 0x46, 0xc7, 0xb7, 0xf9, 0xd8, 0xe8, 0xb6, 0x19, 0x1d, 0xdd, 0xe6, 0x63, 0x63, + 0xdb, 0x1f, 0xa6, 0x61, 0x73, 0x84, 0x95, 0x9c, 0x56, 0x7f, 0x10, 0x9b, 0x56, 0x6f, 0x26, 0xa6, + 0xd5, 0x8d, 0x71, 0xc5, 0xc8, 0xc0, 0xba, 0x09, 0xb9, 0x96, 0xdd, 0x88, 0x1a, 0xdd, 0xdb, 0xaf, + 0x62, 0x41, 0x43, 0xb7, 0x61, 0xb1, 0x65, 0x37, 0xa4, 0xdb, 0xf7, 0x6d, 0x57, 0x96, 0x2d, 0x67, + 0xae, 0xf4, 0xba, 0xc5, 0xc5, 0x3d, 0x15, 0x8d, 0x70, 0x3d, 0x2a, 0x13, 0x53, 0x21, 0xa7, 0xfa, + 0x4c, 0x8a, 0x0a, 0x39, 0xc5, 0x51, 0x19, 0xf4, 0xd3, 0xe1, 0xc4, 0x3c, 0x2b, 0x4b, 0xf0, 0xe6, + 0x84, 0x25, 0x48, 0x66, 0x36, 0x73, 0x76, 0xfe, 0xa7, 0x06, 0xba, 0x94, 0x16, 0xfd, 0x23, 0x99, + 0xba, 0xef, 0xc7, 0x52, 0xf7, 0xcd, 0x44, 0xea, 0xae, 0x8c, 0xe9, 0xc5, 0x33, 0x17, 0xc6, 0x33, + 0x77, 0x28, 0x32, 0x17, 0xf6, 0x33, 0x17, 0xa6, 0x67, 0xee, 0x30, 0x9a, 0xb9, 0x30, 0x9e, 0xb9, + 0x30, 0x3d, 0x73, 0x87, 0xd1, 0xcc, 0x45, 0x64, 0x8c, 0xbf, 0x68, 0x70, 0xad, 0xfe, 0xee, 0x81, + 0xed, 0x86, 0xa7, 0x3b, 0x9e, 0xcb, 0xe9, 0x29, 0x4f, 0x46, 0x77, 0x2f, 0x16, 0xdd, 0xb7, 0x12, + 0xd1, 0x6d, 0xa5, 0x2b, 0x47, 0x42, 0xfc, 0x09, 0x2c, 0x33, 0x2a, 0x65, 0x14, 0xa2, 0x3a, 0x7e, + 0x8c, 0xb4, 0x2e, 0xa5, 0xd0, 0x94, 0xa4, 0x89, 0x7a, 0xdd, 0xe2, 0x72, 0x9c, 0x86, 0x13, 0x68, + 0xc6, 0x97, 0x08, 0xb6, 0x06, 0xfd, 0x59, 0x79, 0xb1, 0xe3, 0xb9, 0x8c, 0x07, 0xc4, 0x76, 0x39, + 0xbb, 0x80, 0xbe, 0x75, 0x0b, 0x16, 0xfc, 0xc0, 0xf6, 0x84, 0x7d, 0x19, 0xda, 0xac, 0xb9, 0x24, + 0x1a, 0x45, 0x4d, 0xd1, 0xf0, 0x90, 0x8b, 0x3e, 0x05, 0x5d, 0xf6, 0xf7, 0x5a, 0x60, 0x9f, 0xd8, + 0x0e, 0x6d, 0xd1, 0x86, 0x70, 0x98, 0x08, 0x07, 0x64, 0x7d, 0x17, 0xcc, 0x6d, 0x65, 0x49, 0xaf, + 0x64, 0xc8, 0xe1, 0x4c, 0x04, 0xc4, 0x60, 0xa3, 0x41, 0x9b, 0x24, 0x74, 0x78, 0xa5, 0xd1, 0xd8, + 0x21, 0x3e, 0x39, 0xb2, 0x1d, 0x9b, 0xdb, 0x94, 0xe9, 0x33, 0xf2, 0x7c, 0x7b, 0x4b, 0x8c, 0xc3, + 0xd5, 0x54, 0x89, 0x67, 0xdd, 0xe2, 0xb5, 0xf1, 0x7b, 0x79, 0x69, 0x28, 0xd2, 0xc1, 0x19, 0xd0, + 0xa8, 0x03, 0x7a, 0x40, 0x7f, 0x16, 0xda, 0x01, 0x6d, 0x54, 0x03, 0xcf, 0x8f, 0x99, 0x9d, 0x95, + 0x66, 0xdf, 0x16, 0xe1, 0xe0, 0x0c, 0x99, 0xe7, 0x1b, 0xce, 0x84, 0x47, 0x8f, 0x60, 0x4d, 0x9d, + 0x96, 0x31, 0xab, 0x73, 0xd2, 0xea, 0x5d, 0x71, 0x87, 0xa9, 0x8c, 0xb3, 0x9f, 0x6f, 0x30, 0x0d, + 0x74, 0x58, 0xb9, 0xf7, 0x3c, 0xc6, 0xab, 0x76, 0xd0, 0x7f, 0x24, 0xa8, 0x39, 0x61, 0xcb, 0x76, + 0xf5, 0xf9, 0x94, 0xca, 0xa5, 0xc8, 0xe1, 0x4c, 0x04, 0x54, 0x86, 0xf9, 0x13, 0xf9, 0xcd, 0xf4, + 0x05, 0xe9, 0xfd, 0x95, 0x5e, 0xb7, 0x38, 0xdf, 0x17, 0x11, 0x1e, 0xcf, 0xed, 0xd6, 0xe5, 0x86, + 0x1a, 0x48, 0xa1, 0x5f, 0x6a, 0x80, 0x48, 0xf2, 0xcd, 0x82, 0xe9, 0x57, 0xce, 0xd3, 0xfc, 0xc6, + 0xde, 0x3c, 0xcc, 0x2d, 0x15, 0x02, 0x1a, 0x63, 0x31, 0x9c, 0x62, 0x0e, 0x55, 0x61, 0x75, 0x18, + 0xd2, 0x07, 0x94, 0x3f, 0xf6, 0x82, 0x63, 0x3d, 0x2f, 0x93, 0xa1, 0x2b, 0xa4, 0xd5, 0x4a, 0x82, + 0x8f, 0xc7, 0x34, 0xd0, 0x3d, 0x58, 0x1e, 0xd2, 0x6a, 0x5e, 0xc0, 0x99, 0x0e, 0x12, 0x63, 0x43, + 0x61, 0x2c, 0x57, 0x62, 0x5c, 0x9c, 0x90, 0x46, 0x77, 0x61, 0x69, 0x44, 0xd9, 0xaf, 0xea, 0x8b, + 0x52, 0x7b, 0x5d, 0x69, 0x2f, 0x55, 0x22, 0x3c, 0x1c, 0x93, 0x8c, 0x69, 0xee, 0xd7, 0x76, 0xf4, + 0xa5, 0x0c, 0xcd, 0xfd, 0xda, 0x0e, 0x8e, 0x49, 0xa2, 0xcf, 0x00, 0x89, 0x11, 0x52, 0x5e, 0x80, + 0x7d, 0x62, 0xd1, 0x03, 0x7a, 0x42, 0x1d, 0x7d, 0x4b, 0x76, 0xc8, 0xd7, 0x07, 0x59, 0x3c, 0x1c, + 0x93, 0x78, 0xd6, 0x2d, 0xa2, 0x38, 0x45, 0x96, 0x35, 0x05, 0x0b, 0xb5, 0xa1, 0x38, 0xd8, 0x71, + 0xb1, 0xfd, 0xfe, 0x2e, 0xb3, 0x88, 0x23, 0x07, 0x06, 0x7d, 0x43, 0xba, 0x7b, 0xbd, 0xd7, 0x2d, + 0x16, 0xab, 0x67, 0x8b, 0xe2, 0xe7, 0x61, 0xa1, 0x1f, 0x27, 0x3b, 0x53, 0xc4, 0xce, 0x55, 0x69, + 0xe7, 0xd5, 0xf1, 0xae, 0x14, 0x31, 0x90, 0xa9, 0x2d, 0x96, 0xea, 0xa0, 0x63, 0xab, 0xee, 0xac, + 0x5f, 0x3a, 0xcf, 0x93, 0xca, 0x99, 0x87, 0xd3, 0x68, 0x91, 0xc4, 0xc5, 0x70, 0xc2, 0x24, 0xf2, + 0x20, 0x1f, 0x0c, 0x8e, 0x61, 0x7d, 0x59, 0xda, 0xbf, 0x77, 0x8e, 0x19, 0x21, 0xe5, 0xd4, 0x37, + 0x2f, 0x2b, 0xd3, 0xf9, 0xa1, 0x04, 0x1e, 0xd9, 0x40, 0xbf, 0xd6, 0x00, 0xb1, 0xd0, 0xf7, 0x1d, + 0xda, 0xa6, 0x2e, 0x27, 0x4e, 0xff, 0x5e, 0xa1, 0xaf, 0x48, 0xd3, 0x7b, 0x13, 0x86, 0x3e, 0xa6, + 0x9f, 0xf4, 0x61, 0xb8, 0x63, 0xc7, 0x45, 0x71, 0x8a, 0x79, 0xd4, 0x82, 0xf9, 0x66, 0x7f, 0xe0, + 0xd1, 0x57, 0xa5, 0x27, 0x3f, 0x9c, 0xcc, 0x93, 0xf4, 0x17, 0x4e, 0x73, 0x45, 0x99, 0x9f, 0x57, + 0x7c, 0x3c, 0x40, 0x47, 0x0c, 0x20, 0x18, 0x0e, 0x57, 0xfa, 0x2b, 0xd2, 0xd6, 0x8f, 0xce, 0x3b, + 0x94, 0x25, 0xcd, 0x0d, 0x8f, 0xe1, 0x91, 0x08, 0x8e, 0x98, 0x41, 0x1f, 0xc3, 0x46, 0x40, 0x49, + 0xe3, 0x81, 0xeb, 0x74, 0xb0, 0xe7, 0xf1, 0x5d, 0xdb, 0xa1, 0xac, 0xc3, 0x38, 0x6d, 0xeb, 0x97, + 0xe5, 0x12, 0x1e, 0xbe, 0x09, 0xe1, 0x54, 0x29, 0x9c, 0xa1, 0x8d, 0x8a, 0x30, 0x2b, 0x76, 0x28, + 0xd3, 0x91, 0x6c, 0xce, 0x79, 0x31, 0xa4, 0x8b, 0x22, 0x33, 0xdc, 0xa7, 0x47, 0x6e, 0x92, 0x6b, + 0x59, 0x37, 0x49, 0xf4, 0x36, 0xac, 0x30, 0x6a, 0x59, 0x5e, 0xdb, 0xaf, 0x05, 0x5e, 0x53, 0x80, + 0xeb, 0xeb, 0x52, 0x78, 0xad, 0xd7, 0x2d, 0xae, 0xd4, 0xe3, 0x2c, 0x9c, 0x94, 0x45, 0x07, 0xb0, + 0xae, 0x3a, 0xf0, 0xa1, 0xcb, 0x48, 0x93, 0xd6, 0x3b, 0xcc, 0xe2, 0x0e, 0xd3, 0x75, 0x89, 0xa1, + 0xf7, 0xba, 0xc5, 0xf5, 0x4a, 0x0a, 0x1f, 0xa7, 0x6a, 0xa1, 0x77, 0x60, 0xb5, 0xe9, 0x05, 0x47, + 0x76, 0xa3, 0x41, 0xdd, 0x01, 0xd2, 0xa6, 0x44, 0x5a, 0x17, 0x5d, 0x7b, 0x37, 0xc1, 0xc3, 0x63, + 0xd2, 0xc6, 0x7f, 0x34, 0x28, 0x64, 0x4f, 0x5d, 0x17, 0x70, 0xe9, 0xa2, 0xf1, 0x4b, 0xd7, 0x3b, + 0x93, 0x3e, 0x21, 0x66, 0xb9, 0x9c, 0x71, 0xff, 0xfa, 0xcd, 0x34, 0x7c, 0xfb, 0x1c, 0xef, 0x8e, + 0xe8, 0x6f, 0x1a, 0xdc, 0xf0, 0x27, 0x78, 0x30, 0x50, 0x19, 0x79, 0x91, 0x6f, 0x30, 0xdf, 0x51, + 0x01, 0x4c, 0xf4, 0x60, 0x81, 0x27, 0xf2, 0x12, 0x6d, 0xc3, 0x8c, 0x4b, 0xda, 0x34, 0xf9, 0x8a, + 0x22, 0x0e, 0x2b, 0x2c, 0x39, 0xc6, 0x9f, 0x35, 0xf8, 0xc6, 0x73, 0x1b, 0x15, 0x32, 0x63, 0x97, + 0x88, 0x52, 0xe2, 0x12, 0x51, 0xc8, 0x06, 0x78, 0xe9, 0x7f, 0x8b, 0x98, 0xef, 0x3f, 0x79, 0x5a, + 0x98, 0xfa, 0xfc, 0x69, 0x61, 0xea, 0x8b, 0xa7, 0x85, 0xa9, 0x5f, 0xf4, 0x0a, 0xda, 0x93, 0x5e, + 0x41, 0xfb, 0xbc, 0x57, 0xd0, 0xbe, 0xe8, 0x15, 0xb4, 0x7f, 0xf5, 0x0a, 0xda, 0xaf, 0xfe, 0x5d, + 0x98, 0xfa, 0xe4, 0xc6, 0x24, 0xff, 0xa0, 0xfd, 0x2f, 0x00, 0x00, 0xff, 0xff, 0xd9, 0x2d, 0x41, + 0x78, 0x68, 0x1b, 0x00, 0x00, } func (m *AllowedFlexVolume) Marshal() (dAtA []byte, err error) { @@ -1267,6 +1332,96 @@ func (m *RangeAllocationList) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *RunAsGroupIDRange) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RunAsGroupIDRange) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RunAsGroupIDRange) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.Max != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.Max)) + i-- + dAtA[i] = 0x10 + } + if m.Min != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.Min)) + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + +func (m *RunAsGroupStrategyOptions) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RunAsGroupStrategyOptions) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RunAsGroupStrategyOptions) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Ranges) > 0 { + for iNdEx := len(m.Ranges) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.Ranges[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x2a + } + } + if m.GIDRangeMax != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.GIDRangeMax)) + i-- + dAtA[i] = 0x20 + } + if m.GIDRangeMin != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.GIDRangeMin)) + i-- + dAtA[i] = 0x18 + } + if m.GID != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.GID)) + i-- + dAtA[i] = 0x10 + } + i -= len(m.Type) + copy(dAtA[i:], m.Type) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + func (m *RunAsUserStrategyOptions) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -1370,6 +1525,18 @@ func (m *SecurityContextConstraints) MarshalToSizedBuffer(dAtA []byte) (int, err _ = i var l int _ = l + { + size, err := m.RunAsGroup.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xda i -= len(m.UserNamespaceLevel) copy(dAtA[i:], m.UserNamespaceLevel) i = encodeVarintGenerated(dAtA, i, uint64(len(m.UserNamespaceLevel))) @@ -1961,6 +2128,47 @@ func (m *RangeAllocationList) Size() (n int) { return n } +func (m *RunAsGroupIDRange) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Min != nil { + n += 1 + sovGenerated(uint64(*m.Min)) + } + if m.Max != nil { + n += 1 + sovGenerated(uint64(*m.Max)) + } + return n +} + +func (m *RunAsGroupStrategyOptions) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Type) + n += 1 + l + sovGenerated(uint64(l)) + if m.GID != nil { + n += 1 + sovGenerated(uint64(*m.GID)) + } + if m.GIDRangeMin != nil { + n += 1 + sovGenerated(uint64(*m.GIDRangeMin)) + } + if m.GIDRangeMax != nil { + n += 1 + sovGenerated(uint64(*m.GIDRangeMax)) + } + if len(m.Ranges) > 0 { + for _, e := range m.Ranges { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + func (m *RunAsUserStrategyOptions) Size() (n int) { if m == nil { return 0 @@ -2090,6 +2298,8 @@ func (m *SecurityContextConstraints) Size() (n int) { } l = len(m.UserNamespaceLevel) n += 2 + l + sovGenerated(uint64(l)) + l = m.RunAsGroup.Size() + n += 2 + l + sovGenerated(uint64(l)) return n } @@ -2307,6 +2517,36 @@ func (this *RangeAllocationList) String() string { }, "") return s } +func (this *RunAsGroupIDRange) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&RunAsGroupIDRange{`, + `Min:` + valueToStringGenerated(this.Min) + `,`, + `Max:` + valueToStringGenerated(this.Max) + `,`, + `}`, + }, "") + return s +} +func (this *RunAsGroupStrategyOptions) String() string { + if this == nil { + return "nil" + } + repeatedStringForRanges := "[]RunAsGroupIDRange{" + for _, f := range this.Ranges { + repeatedStringForRanges += strings.Replace(strings.Replace(f.String(), "RunAsGroupIDRange", "RunAsGroupIDRange", 1), `&`, ``, 1) + "," + } + repeatedStringForRanges += "}" + s := strings.Join([]string{`&RunAsGroupStrategyOptions{`, + `Type:` + fmt.Sprintf("%v", this.Type) + `,`, + `GID:` + valueToStringGenerated(this.GID) + `,`, + `GIDRangeMin:` + valueToStringGenerated(this.GIDRangeMin) + `,`, + `GIDRangeMax:` + valueToStringGenerated(this.GIDRangeMax) + `,`, + `Ranges:` + repeatedStringForRanges + `,`, + `}`, + }, "") + return s +} func (this *RunAsUserStrategyOptions) String() string { if this == nil { return "nil" @@ -2367,6 +2607,7 @@ func (this *SecurityContextConstraints) String() string { `AllowedUnsafeSysctls:` + fmt.Sprintf("%v", this.AllowedUnsafeSysctls) + `,`, `ForbiddenSysctls:` + fmt.Sprintf("%v", this.ForbiddenSysctls) + `,`, `UserNamespaceLevel:` + fmt.Sprintf("%v", this.UserNamespaceLevel) + `,`, + `RunAsGroup:` + strings.Replace(strings.Replace(this.RunAsGroup.String(), "RunAsGroupStrategyOptions", "RunAsGroupStrategyOptions", 1), `&`, ``, 1) + `,`, `}`, }, "") return s @@ -4001,6 +4242,272 @@ func (m *RangeAllocationList) Unmarshal(dAtA []byte) error { } return nil } +func (m *RunAsGroupIDRange) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RunAsGroupIDRange: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RunAsGroupIDRange: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Min", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.Min = &v + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Max", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.Max = &v + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *RunAsGroupStrategyOptions) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RunAsGroupStrategyOptions: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RunAsGroupStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Type = RunAsGroupStrategyType(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field GID", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.GID = &v + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field GIDRangeMin", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.GIDRangeMin = &v + case 4: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field GIDRangeMax", wireType) + } + var v int64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.GIDRangeMax = &v + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Ranges", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Ranges = append(m.Ranges, RunAsGroupIDRange{}) + if err := m.Ranges[len(m.Ranges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *RunAsUserStrategyOptions) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 @@ -5011,6 +5518,39 @@ func (m *SecurityContextConstraints) Unmarshal(dAtA []byte) error { } m.UserNamespaceLevel = NamespaceLevelType(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 27: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RunAsGroup", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.RunAsGroup.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) diff --git a/security/v1/generated.proto b/security/v1/generated.proto index 933de5450e1..2aea9b68392 100644 --- a/security/v1/generated.proto +++ b/security/v1/generated.proto @@ -179,6 +179,47 @@ message RangeAllocationList { repeated RangeAllocation items = 2; } +// RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy. +message RunAsGroupIDRange { + // min is the start of the range, inclusive. + // +required + optional int64 min = 1; + + // max is the end of the range, inclusive. + // +required + optional int64 max = 2; +} + +// RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy. +message RunAsGroupStrategyOptions { + // type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + // Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". + // +required + // +kubebuilder:validation:Enum=MustRunAs;MustRunAsRange;RunAsAny + optional string type = 1; + + // gid is the group id that containers must run as. Required for the MustRunAs strategy if not using + // namespace/service account allocated gids. + // +optional + optional int64 gid = 2; + + // gidRangeMin defines the min value for a strategy that allocates by range. + // +optional + optional int64 gidRangeMin = 3; + + // gidRangeMax defines the max value for a strategy that allocates by range. + // +optional + optional int64 gidRangeMax = 4; + + // ranges are the allowed ranges of gids. If you would like to force a single + // gid then supply a single range with the same start and end. + // When omitted, any gid is allowed (equivalent to RunAsAny strategy). + // +optional + // +listType=atomic + // +kubebuilder:validation:MaxItems=256 + repeated RunAsGroupIDRange ranges = 5; +} + // RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. message RunAsUserStrategyOptions { // type is the strategy that will dictate what RunAsUser is used in the SecurityContext. @@ -221,6 +262,7 @@ message SELinuxContextStrategyOptions { // +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=.seLinuxContext.type,description="Strategy that will dictate what labels will be set in the SecurityContext" // +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=.runAsUser.type,description="Strategy that will dictate what RunAsUser is used in the SecurityContext" // +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=.fsGroup.type,description="Strategy that will dictate what fs group is used by the SecurityContext" +// +kubebuilder:printcolumn:name="RunAsGroup",type=string,JSONPath=.runAsGroup.type,description="Strategy that will dictate what RunAsGroup is used by the SecurityContext" // +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=.supplementalGroups.type,description="Strategy that will dictate what supplemental groups are used by the SecurityContext" // +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=.priority,description="Sort order of SCCs" // +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=.readOnlyRootFilesystem,description="Force containers to run with a read only root file system" @@ -337,6 +379,11 @@ message SecurityContextConstraints { // +nullable optional FSGroupStrategyOptions fsGroup = 16; + // runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + // When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. + // +optional + optional RunAsGroupStrategyOptions runAsGroup = 27; + // readOnlyRootFilesystem when set to true will force containers to run with a read only root file // system. If the container specifically requests to run with a non-read only root file system // the SCC should deny the pod. diff --git a/security/v1/types.go b/security/v1/types.go index fb491480d76..4e627d194c5 100644 --- a/security/v1/types.go +++ b/security/v1/types.go @@ -31,6 +31,7 @@ var AllowAllCapabilities corev1.Capability = "*" // +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=.seLinuxContext.type,description="Strategy that will dictate what labels will be set in the SecurityContext" // +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=.runAsUser.type,description="Strategy that will dictate what RunAsUser is used in the SecurityContext" // +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=.fsGroup.type,description="Strategy that will dictate what fs group is used by the SecurityContext" +// +kubebuilder:printcolumn:name="RunAsGroup",type=string,JSONPath=.runAsGroup.type,description="Strategy that will dictate what RunAsGroup is used by the SecurityContext" // +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=.supplementalGroups.type,description="Strategy that will dictate what supplemental groups are used by the SecurityContext" // +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=.priority,description="Sort order of SCCs" // +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=.readOnlyRootFilesystem,description="Force containers to run with a read only root file system" @@ -131,6 +132,10 @@ type SecurityContextConstraints struct { // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. // +nullable FSGroup FSGroupStrategyOptions `json:"fsGroup,omitempty" protobuf:"bytes,16,opt,name=fsGroup"` + // runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + // When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. + // +optional + RunAsGroup RunAsGroupStrategyOptions `json:"runAsGroup,omitzero" protobuf:"bytes,27,opt,name=runAsGroup"` // readOnlyRootFilesystem when set to true will force containers to run with a read only root file // system. If the container specifically requests to run with a non-read only root file system // the SCC should deny the pod. @@ -268,6 +273,42 @@ type SupplementalGroupsStrategyOptions struct { Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` } +// RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy. +type RunAsGroupStrategyOptions struct { + // type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + // Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". + // +required + // +kubebuilder:validation:Enum=MustRunAs;MustRunAsRange;RunAsAny + Type RunAsGroupStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=RunAsGroupStrategyType"` + // gid is the group id that containers must run as. Required for the MustRunAs strategy if not using + // namespace/service account allocated gids. + // +optional + GID *int64 `json:"gid,omitempty" protobuf:"varint,2,opt,name=gid"` + // gidRangeMin defines the min value for a strategy that allocates by range. + // +optional + GIDRangeMin *int64 `json:"gidRangeMin,omitempty" protobuf:"varint,3,opt,name=gidRangeMin"` + // gidRangeMax defines the max value for a strategy that allocates by range. + // +optional + GIDRangeMax *int64 `json:"gidRangeMax,omitempty" protobuf:"varint,4,opt,name=gidRangeMax"` + // ranges are the allowed ranges of gids. If you would like to force a single + // gid then supply a single range with the same start and end. + // When omitted, any gid is allowed (equivalent to RunAsAny strategy). + // +optional + // +listType=atomic + // +kubebuilder:validation:MaxItems=256 + Ranges []RunAsGroupIDRange `json:"ranges,omitempty" protobuf:"bytes,5,rep,name=ranges"` +} + +// RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy. +type RunAsGroupIDRange struct { + // min is the start of the range, inclusive. + // +required + Min *int64 `json:"min,omitempty" protobuf:"varint,1,opt,name=min"` + // max is the end of the range, inclusive. + // +required + Max *int64 `json:"max,omitempty" protobuf:"varint,2,opt,name=max"` +} + // IDRange provides a min/max of an allowed range of IDs. // TODO: this could be reused for UIDs. type IDRange struct { @@ -296,6 +337,10 @@ type SupplementalGroupsStrategyType string // SecurityContext type FSGroupStrategyType string +// RunAsGroupStrategyType denotes strategy types for generating RunAsGroup values for a +// SecurityContext +type RunAsGroupStrategyType string + const ( // NamespaceLevelAllowHost allows a pod to set `hostUsers` field to either `true` or `false` NamespaceLevelAllowHost NamespaceLevelType = "AllowHostLevel" @@ -321,6 +366,13 @@ const ( // container may make requests for any FSGroup labels. FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" + // container must have RunAsGroup of X applied. + RunAsGroupStrategyMustRunAs RunAsGroupStrategyType = "MustRunAs" + // container must run with a gid in a range. + RunAsGroupStrategyMustRunAsRange RunAsGroupStrategyType = "MustRunAsRange" + // container may make requests for any RunAsGroup. + RunAsGroupStrategyRunAsAny RunAsGroupStrategyType = "RunAsAny" + // container must run as a particular gid. SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" // container may make requests for any gid. diff --git a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml b/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml index dc14c04a53e..b17a51bf15f 100644 --- a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml +++ b/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml @@ -38,6 +38,10 @@ spec: jsonPath: .fsGroup.type name: FSGroup type: string + - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext + jsonPath: .runAsGroup.type + name: RunAsGroup + type: string - description: Strategy that will dictate what supplemental groups are used by the SecurityContext jsonPath: .supplementalGroups.type @@ -256,6 +260,63 @@ spec: nullable: true type: array x-kubernetes-list-type: atomic + runAsGroup: + description: |- + runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. + properties: + gid: + description: |- + gid is the group id that containers must run as. Required for the MustRunAs strategy if not using + namespace/service account allocated gids. + format: int64 + type: integer + gidRangeMax: + description: gidRangeMax defines the max value for a strategy that + allocates by range. + format: int64 + type: integer + gidRangeMin: + description: gidRangeMin defines the min value for a strategy that + allocates by range. + format: int64 + type: integer + ranges: + description: |- + ranges are the allowed ranges of gids. If you would like to force a single + gid then supply a single range with the same start and end. + When omitted, any gid is allowed (equivalent to RunAsAny strategy). + items: + description: RunAsGroupIDRange provides a min/max of an allowed + range of group IDs for RunAsGroup strategy. + properties: + max: + description: max is the end of the range, inclusive. + format: int64 + type: integer + min: + description: min is the start of the range, inclusive. + format: int64 + type: integer + required: + - max + - min + type: object + maxItems: 256 + type: array + x-kubernetes-list-type: atomic + type: + description: |- + type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". + enum: + - MustRunAs + - MustRunAsRange + - RunAsAny + type: string + required: + - type + type: object runAsUser: description: runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. diff --git a/security/v1/zz_generated.deepcopy.go b/security/v1/zz_generated.deepcopy.go index d6263fc025d..a44dae314a8 100644 --- a/security/v1/zz_generated.deepcopy.go +++ b/security/v1/zz_generated.deepcopy.go @@ -317,6 +317,70 @@ func (in *RangeAllocationList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RunAsGroupIDRange) DeepCopyInto(out *RunAsGroupIDRange) { + *out = *in + if in.Min != nil { + in, out := &in.Min, &out.Min + *out = new(int64) + **out = **in + } + if in.Max != nil { + in, out := &in.Max, &out.Max + *out = new(int64) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupIDRange. +func (in *RunAsGroupIDRange) DeepCopy() *RunAsGroupIDRange { + if in == nil { + return nil + } + out := new(RunAsGroupIDRange) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RunAsGroupStrategyOptions) DeepCopyInto(out *RunAsGroupStrategyOptions) { + *out = *in + if in.GID != nil { + in, out := &in.GID, &out.GID + *out = new(int64) + **out = **in + } + if in.GIDRangeMin != nil { + in, out := &in.GIDRangeMin, &out.GIDRangeMin + *out = new(int64) + **out = **in + } + if in.GIDRangeMax != nil { + in, out := &in.GIDRangeMax, &out.GIDRangeMax + *out = new(int64) + **out = **in + } + if in.Ranges != nil { + in, out := &in.Ranges, &out.Ranges + *out = make([]RunAsGroupIDRange, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupStrategyOptions. +func (in *RunAsGroupStrategyOptions) DeepCopy() *RunAsGroupStrategyOptions { + if in == nil { + return nil + } + out := new(RunAsGroupStrategyOptions) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) { *out = *in @@ -418,6 +482,7 @@ func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstrain in.RunAsUser.DeepCopyInto(&out.RunAsUser) in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups) in.FSGroup.DeepCopyInto(&out.FSGroup) + in.RunAsGroup.DeepCopyInto(&out.RunAsGroup) if in.Users != nil { in, out := &in.Users, &out.Users *out = make([]string, len(*in)) diff --git a/security/v1/zz_generated.featuregated-crd-manifests.yaml b/security/v1/zz_generated.featuregated-crd-manifests.yaml index 178c9707801..1dd39b7e19c 100644 --- a/security/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/security/v1/zz_generated.featuregated-crd-manifests.yaml @@ -36,6 +36,10 @@ securitycontextconstraints.security.openshift.io: jsonPath: .fsGroup.type name: FSGroup type: string + - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext + jsonPath: .runAsGroup.type + name: RunAsGroup + type: string - description: Strategy that will dictate what supplemental groups are used by the SecurityContext jsonPath: .supplementalGroups.type diff --git a/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml b/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml index 7316263d596..d41be5610ac 100644 --- a/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml +++ b/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml @@ -39,6 +39,10 @@ spec: jsonPath: .fsGroup.type name: FSGroup type: string + - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext + jsonPath: .runAsGroup.type + name: RunAsGroup + type: string - description: Strategy that will dictate what supplemental groups are used by the SecurityContext jsonPath: .supplementalGroups.type @@ -257,6 +261,63 @@ spec: nullable: true type: array x-kubernetes-list-type: atomic + runAsGroup: + description: |- + runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. + properties: + gid: + description: |- + gid is the group id that containers must run as. Required for the MustRunAs strategy if not using + namespace/service account allocated gids. + format: int64 + type: integer + gidRangeMax: + description: gidRangeMax defines the max value for a strategy that + allocates by range. + format: int64 + type: integer + gidRangeMin: + description: gidRangeMin defines the min value for a strategy that + allocates by range. + format: int64 + type: integer + ranges: + description: |- + ranges are the allowed ranges of gids. If you would like to force a single + gid then supply a single range with the same start and end. + When omitted, any gid is allowed (equivalent to RunAsAny strategy). + items: + description: RunAsGroupIDRange provides a min/max of an allowed + range of group IDs for RunAsGroup strategy. + properties: + max: + description: max is the end of the range, inclusive. + format: int64 + type: integer + min: + description: min is the start of the range, inclusive. + format: int64 + type: integer + required: + - max + - min + type: object + maxItems: 256 + type: array + x-kubernetes-list-type: atomic + type: + description: |- + type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". + enum: + - MustRunAs + - MustRunAsRange + - RunAsAny + type: string + required: + - type + type: object runAsUser: description: runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. diff --git a/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml b/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml index dea8d21b21e..7146d1ad7d2 100644 --- a/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml +++ b/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml @@ -39,6 +39,10 @@ spec: jsonPath: .fsGroup.type name: FSGroup type: string + - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext + jsonPath: .runAsGroup.type + name: RunAsGroup + type: string - description: Strategy that will dictate what supplemental groups are used by the SecurityContext jsonPath: .supplementalGroups.type @@ -257,6 +261,63 @@ spec: nullable: true type: array x-kubernetes-list-type: atomic + runAsGroup: + description: |- + runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID. + properties: + gid: + description: |- + gid is the group id that containers must run as. Required for the MustRunAs strategy if not using + namespace/service account allocated gids. + format: int64 + type: integer + gidRangeMax: + description: gidRangeMax defines the max value for a strategy that + allocates by range. + format: int64 + type: integer + gidRangeMin: + description: gidRangeMin defines the min value for a strategy that + allocates by range. + format: int64 + type: integer + ranges: + description: |- + ranges are the allowed ranges of gids. If you would like to force a single + gid then supply a single range with the same start and end. + When omitted, any gid is allowed (equivalent to RunAsAny strategy). + items: + description: RunAsGroupIDRange provides a min/max of an allowed + range of group IDs for RunAsGroup strategy. + properties: + max: + description: max is the end of the range, inclusive. + format: int64 + type: integer + min: + description: min is the start of the range, inclusive. + format: int64 + type: integer + required: + - max + - min + type: object + maxItems: 256 + type: array + x-kubernetes-list-type: atomic + type: + description: |- + type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. + Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny". + enum: + - MustRunAs + - MustRunAsRange + - RunAsAny + type: string + required: + - type + type: object runAsUser: description: runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. diff --git a/security/v1/zz_generated.swagger_doc_generated.go b/security/v1/zz_generated.swagger_doc_generated.go index 29cddf7e647..80c40239e04 100644 --- a/security/v1/zz_generated.swagger_doc_generated.go +++ b/security/v1/zz_generated.swagger_doc_generated.go @@ -144,6 +144,29 @@ func (RangeAllocationList) SwaggerDoc() map[string]string { return map_RangeAllocationList } +var map_RunAsGroupIDRange = map[string]string{ + "": "RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy.", + "min": "min is the start of the range, inclusive.", + "max": "max is the end of the range, inclusive.", +} + +func (RunAsGroupIDRange) SwaggerDoc() map[string]string { + return map_RunAsGroupIDRange +} + +var map_RunAsGroupStrategyOptions = map[string]string{ + "": "RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.", + "type": "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. Valid values are \"MustRunAs\", \"MustRunAsRange\", and \"RunAsAny\".", + "gid": "gid is the group id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated gids.", + "gidRangeMin": "gidRangeMin defines the min value for a strategy that allocates by range.", + "gidRangeMax": "gidRangeMax defines the max value for a strategy that allocates by range.", + "ranges": "ranges are the allowed ranges of gids. If you would like to force a single gid then supply a single range with the same start and end. When omitted, any gid is allowed (equivalent to RunAsAny strategy).", +} + +func (RunAsGroupStrategyOptions) SwaggerDoc() map[string]string { + return map_RunAsGroupStrategyOptions +} + var map_RunAsUserStrategyOptions = map[string]string{ "": "RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.", "type": "type is the strategy that will dictate what RunAsUser is used in the SecurityContext.", @@ -188,6 +211,7 @@ var map_SecurityContextConstraints = map[string]string{ "runAsUser": "runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.", "supplementalGroups": "supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.", "fsGroup": "fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.", + "runAsGroup": "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.", "readOnlyRootFilesystem": "readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.", "users": "The users who have permissions to use this security context constraints", "groups": "The groups that have permission to use this security context constraints",