makes securityContext.Privileged configurable

knative · Dec 2, 2024 · 4809dca · 4809dca
1 parent 5717d19
commit 4809dca
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 2 deletions.
diff --git a/config/core/300-resources/configuration.yaml b/config/core/300-resources/configuration.yaml
@@ -124,6 +124,9 @@ spec:
                         automountServiceAccountToken:
                           description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
                           type: boolean
+                        Privileged:
+                          description: Indicates whether to run container in privileged mode.
+                          type: boolean
                         containerConcurrency:
                           description: |-
                             ContainerConcurrency specifies the maximum allowed in-flight (concurrent)

diff --git a/config/core/300-resources/revision.yaml b/config/core/300-resources/revision.yaml
@@ -101,6 +101,9 @@ spec:
                 automountServiceAccountToken:
                   description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
                   type: boolean
+                Privileged:
+                  description: Indicates whether to run container in privileged mode.
+                  type: boolean
                 containerConcurrency:
                   description: |-
                     ContainerConcurrency specifies the maximum allowed in-flight (concurrent)

diff --git a/config/core/300-resources/service.yaml b/config/core/300-resources/service.yaml
@@ -144,6 +144,9 @@ spec:
                         automountServiceAccountToken:
                           description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
                           type: boolean
+                        Privileged:
+                          description: Indicates whether to run container in privileged mode.
+                          type: boolean          
                         containerConcurrency:
                           description: |-
                             ContainerConcurrency specifies the maximum allowed in-flight (concurrent)

diff --git a/hack/schemapatch-config.yaml b/hack/schemapatch-config.yaml
@@ -58,6 +58,7 @@ k8s.io/api/core/v1.PodSpec:
     - ImagePullSecrets
     - EnableServiceLinks
     - AutomountServiceAccountToken
+    - Privileged
     # Properties behind feature flags
     - Affinity
     - DNSConfig

diff --git a/pkg/apis/serving/fieldmask.go b/pkg/apis/serving/fieldmask.go
@@ -710,10 +710,12 @@ func SecurityContextMask(ctx context.Context, in *corev1.SecurityContext) *corev
 	// SeccompProfile defaults to "unconstrained", but the safe values are
 	// "RuntimeDefault" or "Localhost" (with localhost path set)
 	out.SeccompProfile = in.SeccompProfile
-
+	// Allow setting Privileged to only false
+	if in.Privileged != nil && !*in.Privileged {
+		out.Privileged = in.Privileged
+	}
 	// Disallowed
 	// This list is unnecessary, but added here for clarity
-	out.Privileged = nil
 	out.SELinuxOptions = nil
 	out.ProcMount = nil