Skip to content

Commit

Permalink
Add support for podSecurity (open-telemetry#469)
Browse files Browse the repository at this point in the history
  • Loading branch information
ekarlso authored and hero committed Dec 12, 2021
1 parent a6645b7 commit 1637b84
Show file tree
Hide file tree
Showing 11 changed files with 677 additions and 0 deletions.
2 changes: 2 additions & 0 deletions apis/v1alpha1/opentelemetrycollector_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,8 @@ type OpenTelemetryCollectorSpec struct {
// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
SecurityContext *v1.SecurityContext `json:"securityContext,omitempty"`

PodSecurityContext *v1.PodSecurityContext `json:"podSecurityContext,omitempty"`

// HostNetwork indicates if the pod should run in the host networking namespace.
// +optional
// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
Expand Down
5 changes: 5 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

157 changes: 157 additions & 0 deletions bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -231,6 +231,163 @@ spec:
description: PodAnnotations is the set of annotations that will be
attached to Collector and Target Allocator pods.
type: object
podSecurityContext:
description: PodSecurityContext holds pod-level security attributes
and common container settings. Some fields are also present in container.securityContext. Field
values of container.securityContext take precedence over field values
of PodSecurityContext.
properties:
fsGroup:
description: "A special supplemental group that applies to all
containers in a pod. Some volume types allow the Kubelet to
change the ownership of that volume to be owned by the pod:
\n 1. The owning GID will be the FSGroup 2. The setgid bit is
set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- \n If unset,
the Kubelet will not modify the ownership and permissions of
any volume."
format: int64
type: integer
fsGroupChangePolicy:
description: 'fsGroupChangePolicy defines behavior of changing
ownership and permission of the volume before being exposed
inside Pod. This field will only apply to volume types which
support fsGroup based ownership(and permissions). It will have
no effect on ephemeral volume types such as: secret, configmaps
and emptydir. Valid values are "OnRootMismatch" and "Always".
If not specified, "Always" is used.'
type: string
runAsGroup:
description: The GID to run the entrypoint of the container process.
Uses runtime default if unset. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as a non-root
user. If true, the Kubelet will validate the image at runtime
to ensure that it does not run as UID 0 (root) and fail to start
the container if it does. If unset or false, no such validation
will be performed. May also be set in SecurityContext. If set
in both SecurityContext and PodSecurityContext, the value specified
in SecurityContext takes precedence.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random
SELinux context for each container. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container.
properties:
level:
description: Level is SELinux level label that applies to
the container.
type: string
role:
description: Role is a SELinux role label that applies to
the container.
type: string
type:
description: Type is a SELinux type label that applies to
the container.
type: string
user:
description: User is a SELinux user label that applies to
the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by the containers in this
pod.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined
in a file on the node should be used. The profile must be
preconfigured on the node to work. Must be a descending
path, relative to the kubelet's configured seccomp profile
location. Must only be set if type is "Localhost".
type: string
type:
description: "type indicates which kind of seccomp profile
will be applied. Valid options are: \n Localhost - a profile
defined in a file on the node should be used. RuntimeDefault
- the container runtime default profile should be used.
Unconfined - no profile should be applied."
type: string
required:
- type
type: object
supplementalGroups:
description: A list of groups applied to the first process run
in each container, in addition to the container's primary GID. If
unspecified, no groups will be added to any container.
items:
format: int64
type: integer
type: array
sysctls:
description: Sysctls hold a list of namespaced sysctls used for
the pod. Pods with unsupported sysctls (by the container runtime)
might fail to launch.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
description: The Windows specific settings applied to all containers.
If unspecified, the options within a container's SecurityContext
will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.com/kubernetes-sigs/windows-gmsa)
inlines the contents of the GMSA credential spec named by
the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the GMSA
credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container. This field is alpha-level
and will only be honored by components that enable the WindowsHostProcessContainers
feature flag. Setting this field without the feature flag
will result in errors when validating the Pod. All of a
Pod's containers must have the same effective HostProcess
value (it is not allowed to have a mix of HostProcess containers
and non-HostProcess containers). In addition, if HostProcess
is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process. Defaults to the user specified
in image metadata if unspecified. May also be set in PodSecurityContext.
If set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
type: string
type: object
type: object
ports:
description: Ports allows a set of ports to be exposed by the underlying
v1.Service. By default, the operator will attempt to infer the required
Expand Down
Loading

0 comments on commit 1637b84

Please sign in to comment.