Skip to content

Commit

Permalink
resolves review
Browse files Browse the repository at this point in the history
  • Loading branch information
@KapilSareen
KapilSareen committed Dec 5, 2024
1 parent 4809dca commit 55e26ad
Show file tree
Hide file tree
Showing 6 changed files with 32 additions and 11 deletions.
10 changes: 7 additions & 3 deletions config/core/300-resources/configuration.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -124,9 +124,6 @@ spec:
automountServiceAccountToken:
description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
type: boolean
Privileged:
description: Indicates whether to run container in privileged mode.
type: boolean
containerConcurrency:
description: |-
ContainerConcurrency specifies the maximum allowed in-flight (concurrent)
Expand Down Expand Up @@ -737,6 +734,13 @@ spec:
description: Capability represent POSIX capabilities type
type: string
x-kubernetes-list-type: atomic
privileged:
description: |-
Run container in privileged mode.
Processes in privileged containers are essentially equivalent to root on the host.
Defaults to false.
Note that this field cannot be set when spec.os.name is windows.
type: boolean
readOnlyRootFilesystem:
description: |-
Whether this container has a read-only root filesystem.
Expand Down
10 changes: 7 additions & 3 deletions config/core/300-resources/revision.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,9 +101,6 @@ spec:
automountServiceAccountToken:
description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
type: boolean
Privileged:
description: Indicates whether to run container in privileged mode.
type: boolean
containerConcurrency:
description: |-
ContainerConcurrency specifies the maximum allowed in-flight (concurrent)
Expand Down Expand Up @@ -714,6 +711,13 @@ spec:
description: Capability represent POSIX capabilities type
type: string
x-kubernetes-list-type: atomic
privileged:
description: |-
Run container in privileged mode.
Processes in privileged containers are essentially equivalent to root on the host.
Defaults to false.
Note that this field cannot be set when spec.os.name is windows.
type: boolean
readOnlyRootFilesystem:
description: |-
Whether this container has a read-only root filesystem.
Expand Down
10 changes: 7 additions & 3 deletions config/core/300-resources/service.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -144,9 +144,6 @@ spec:
automountServiceAccountToken:
description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
type: boolean
Privileged:
description: Indicates whether to run container in privileged mode.
type: boolean
containerConcurrency:
description: |-
ContainerConcurrency specifies the maximum allowed in-flight (concurrent)
Expand Down Expand Up @@ -757,6 +754,13 @@ spec:
description: Capability represent POSIX capabilities type
type: string
x-kubernetes-list-type: atomic
privileged:
description: |-
Run container in privileged mode.
Processes in privileged containers are essentially equivalent to root on the host.
Defaults to false.
Note that this field cannot be set when spec.os.name is windows.
type: boolean
readOnlyRootFilesystem:
description: |-
Whether this container has a read-only root filesystem.
Expand Down
2 changes: 1 addition & 1 deletion hack/schemapatch-config.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,6 @@ k8s.io/api/core/v1.PodSpec:
- ImagePullSecrets
- EnableServiceLinks
- AutomountServiceAccountToken
- Privileged
# Properties behind feature flags
- Affinity
- DNSConfig
Expand Down Expand Up @@ -330,6 +329,7 @@ k8s.io/api/core/v1.SecurityContext:
- RunAsNonRoot
- RunAsUser
- SeccompProfile
- Privileged
k8s.io/api/core/v1.Capabilities:
fieldMask:
- Add
Expand Down
2 changes: 1 addition & 1 deletion pkg/apis/serving/fieldmask.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -710,7 +710,7 @@ func SecurityContextMask(ctx context.Context, in *corev1.SecurityContext) *corev
// SeccompProfile defaults to "unconstrained", but the safe values are
// "RuntimeDefault" or "Localhost" (with localhost path set)
out.SeccompProfile = in.SeccompProfile
// Allow setting Privileged to only false
// Only allow setting Privileged to false
if in.Privileged != nil && !*in.Privileged {
out.Privileged = in.Privileged
}
Expand Down
9 changes: 9 additions & 0 deletions pkg/apis/serving/k8s_validation_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2703,6 +2703,15 @@ func getCommonContainerValidationTestCases() []containerValidationTestCase {
},
},
want: apis.ErrDisallowedFields("securityContext.privileged"),
}, {
name: "allowed setting security context field Privileged to false",
c: corev1.Container{
Image: "foo",
SecurityContext: &corev1.SecurityContext{
Privileged: ptr.Bool(false),
},
},
want: nil,
}, {
name: "too large uid",
c: corev1.Container{
Expand Down

0 comments on commit 55e26ad

Please sign in to comment.