diff --git a/config/core/300-resources/configuration.yaml b/config/core/300-resources/configuration.yaml
index 2c43aaa5753f..65bf809eb612 100644
--- a/config/core/300-resources/configuration.yaml
+++ b/config/core/300-resources/configuration.yaml
@@ -734,6 +734,13 @@ spec:
 description: Capability represent POSIX capabilities type
 type: string
 x-kubernetes-list-type: atomic
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
 readOnlyRootFilesystem:
 description: |-
 Whether this container has a read-only root filesystem.
diff --git a/config/core/300-resources/revision.yaml b/config/core/300-resources/revision.yaml
index b4651d9bfe53..71bee879eb96 100644
--- a/config/core/300-resources/revision.yaml
+++ b/config/core/300-resources/revision.yaml
@@ -711,6 +711,13 @@ spec:
 description: Capability represent POSIX capabilities type
 type: string
 x-kubernetes-list-type: atomic
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
 readOnlyRootFilesystem:
 description: |-
 Whether this container has a read-only root filesystem.
diff --git a/config/core/300-resources/service.yaml b/config/core/300-resources/service.yaml
index bd322152cee9..69dbe087012d 100644
--- a/config/core/300-resources/service.yaml
+++ b/config/core/300-resources/service.yaml
@@ -754,6 +754,13 @@ spec:
 description: Capability represent POSIX capabilities type
 type: string
 x-kubernetes-list-type: atomic
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
 readOnlyRootFilesystem:
 description: |-
 Whether this container has a read-only root filesystem.
diff --git a/hack/schemapatch-config.yaml b/hack/schemapatch-config.yaml
index 7656efc9eb0b..abd6846a04e4 100644
--- a/hack/schemapatch-config.yaml
+++ b/hack/schemapatch-config.yaml
@@ -329,6 +329,7 @@ k8s.io/api/core/v1.SecurityContext:
 - RunAsNonRoot
 - RunAsUser
 - SeccompProfile
+ - Privileged
 k8s.io/api/core/v1.Capabilities:
 fieldMask:
 - Add
diff --git a/pkg/apis/serving/fieldmask.go b/pkg/apis/serving/fieldmask.go
index faff5dba9690..ab859740d913 100644
--- a/pkg/apis/serving/fieldmask.go
+++ b/pkg/apis/serving/fieldmask.go
@@ -710,10 +710,12 @@ func SecurityContextMask(ctx context.Context, in *corev1.SecurityContext) *corev
 // SeccompProfile defaults to "unconstrained", but the safe values are
 // "RuntimeDefault" or "Localhost" (with localhost path set)
 out.SeccompProfile = in.SeccompProfile
-
+ // Only allow setting Privileged to false
+ if in.Privileged != nil && !*in.Privileged {
+ out.Privileged = in.Privileged
+ }
 // Disallowed
 // This list is unnecessary, but added here for clarity
- out.Privileged = nil
 out.SELinuxOptions = nil
 out.ProcMount = nil
diff --git a/pkg/apis/serving/k8s_validation_test.go b/pkg/apis/serving/k8s_validation_test.go
index 892e381f8901..cc12b8457ab6 100644
--- a/pkg/apis/serving/k8s_validation_test.go
+++ b/pkg/apis/serving/k8s_validation_test.go
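Review bot: The `// Disallowed` / `This list is unnecessary, but added here for clarity` comment block right below the new `if` in the fieldmask.go hunk is now stale: Privileged is no longer cleared there, it is conditionally copied above it, so a reader scanning the disallowed list will not see that an explicit `false` is let through. I'd make the new comment carry the rule and its consequence, e.g. `// Privileged: only an explicit false is copied through; a true value is left nil on out so that validation reports it as a disallowed field (presumably the case just above the new one in k8s_validation_test.go)`, and reword the "unnecessary" sentence since the list is no longer the complete set of dropped fields. Leaving `out.Privileged` nil for a true value is only correct if `out` starts as a zero-valued SecurityContext rather than a copy of `in`; that setup is at the top of SecurityContextMask, outside this hunk, so worth a glance. The hunk's old/new line counts (10/12) are one more than the lines shown, which looks like a trailing blank context line lost in the paste rather than a problem with the change.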
@@ -2703,6 +2703,15 @@ func getCommonContainerValidationTestCases() []containerValidationTestCase {
 },
 },
 want: apis.ErrDisallowedFields("securityContext.privileged"),
+ }, {
+ name: "allowed setting security context field Privileged to false",
+ c: corev1.Container{
+ Image: "foo",
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.Bool(false),
+ },
+ },
+ want: nil,
 }, {
 name: "too large uid",
 c: corev1.Container{
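Review bot: The new case pins only that `Privileged: ptr.Bool(false)` passes validation; the mask behaviour it relies on — `false` preserved, `true` dropped by SecurityContextMask — is not asserted directly anywhere in this diff. If fieldmask_test.go does not already exercise SecurityContextMask for this field, I'd add a case there checking that the returned struct keeps `Privileged` pointing at false and leaves it nil for true, so a later edit to the `if` in fieldmask.go is caught without going through the webhook validation path. The preceding case's input is not visible here, so I am assuming it is the `true` counterpart; if it is not, a `ptr.Bool(true)` case expecting `apis.ErrDisallowedFields("securityContext.privileged")` belongs next to this one. getCommonContainerValidationTestCases starts and ends outside this hunk.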