@@ -2384,6 +2384,168 @@ spec:
23842384 type : object
23852385 x-kubernetes-map-type : atomic
23862386 type : array
2387+ securityContext :
2388+ description : SecurityContext holds security configuration that will
2389+ be applied to a container. Some fields are present in both SecurityContext
2390+ and PodSecurityContext. When both are set, the values in SecurityContext
2391+ take precedence.
2392+ properties :
2393+ allowPrivilegeEscalation :
2394+ description : ' AllowPrivilegeEscalation controls whether a process
2395+ can gain more privileges than its parent process. This bool
2396+ directly controls if the no_new_privs flag will be set on the
2397+ container process. AllowPrivilegeEscalation is true always when
2398+ the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN
2399+ Note that this field cannot be set when spec.os.name is windows.'
2400+ type : boolean
2401+ capabilities :
2402+ description : The capabilities to add/drop when running containers.
2403+ Defaults to the default set of capabilities granted by the container
2404+ runtime. Note that this field cannot be set when spec.os.name
2405+ is windows.
2406+ properties :
2407+ add :
2408+ description : Added capabilities
2409+ items :
2410+ description : Capability represent POSIX capabilities type
2411+ type : string
2412+ type : array
2413+ drop :
2414+ description : Removed capabilities
2415+ items :
2416+ description : Capability represent POSIX capabilities type
2417+ type : string
2418+ type : array
2419+ type : object
2420+ privileged :
2421+ description : Run container in privileged mode. Processes in privileged
2422+ containers are essentially equivalent to root on the host. Defaults
2423+ to false. Note that this field cannot be set when spec.os.name
2424+ is windows.
2425+ type : boolean
2426+ procMount :
2427+ description : procMount denotes the type of proc mount to use for
2428+ the containers. The default is DefaultProcMount which uses the
2429+ container runtime defaults for readonly paths and masked paths.
2430+ This requires the ProcMountType feature flag to be enabled.
2431+ Note that this field cannot be set when spec.os.name is windows.
2432+ type : string
2433+ readOnlyRootFilesystem :
2434+ description : Whether this container has a read-only root filesystem.
2435+ Default is false. Note that this field cannot be set when spec.os.name
2436+ is windows.
2437+ type : boolean
2438+ runAsGroup :
2439+ description : The GID to run the entrypoint of the container process.
2440+ Uses runtime default if unset. May also be set in PodSecurityContext. If
2441+ set in both SecurityContext and PodSecurityContext, the value
2442+ specified in SecurityContext takes precedence. Note that this
2443+ field cannot be set when spec.os.name is windows.
2444+ format : int64
2445+ type : integer
2446+ runAsNonRoot :
2447+ description : Indicates that the container must run as a non-root
2448+ user. If true, the Kubelet will validate the image at runtime
2449+ to ensure that it does not run as UID 0 (root) and fail to start
2450+ the container if it does. If unset or false, no such validation
2451+ will be performed. May also be set in PodSecurityContext. If
2452+ set in both SecurityContext and PodSecurityContext, the value
2453+ specified in SecurityContext takes precedence.
2454+ type : boolean
2455+ runAsUser :
2456+ description : The UID to run the entrypoint of the container process.
2457+ Defaults to user specified in image metadata if unspecified.
2458+ May also be set in PodSecurityContext. If set in both SecurityContext
2459+ and PodSecurityContext, the value specified in SecurityContext
2460+ takes precedence. Note that this field cannot be set when spec.os.name
2461+ is windows.
2462+ format : int64
2463+ type : integer
2464+ seLinuxOptions :
2465+ description : The SELinux context to be applied to the container.
2466+ If unspecified, the container runtime will allocate a random
2467+ SELinux context for each container. May also be set in PodSecurityContext. If
2468+ set in both SecurityContext and PodSecurityContext, the value
2469+ specified in SecurityContext takes precedence. Note that this
2470+ field cannot be set when spec.os.name is windows.
2471+ properties :
2472+ level :
2473+ description : Level is SELinux level label that applies to
2474+ the container.
2475+ type : string
2476+ role :
2477+ description : Role is a SELinux role label that applies to
2478+ the container.
2479+ type : string
2480+ type :
2481+ description : Type is a SELinux type label that applies to
2482+ the container.
2483+ type : string
2484+ user :
2485+ description : User is a SELinux user label that applies to
2486+ the container.
2487+ type : string
2488+ type : object
2489+ seccompProfile :
2490+ description : The seccomp options to use by this container. If
2491+ seccomp options are provided at both the pod & container level,
2492+ the container options override the pod options. Note that this
2493+ field cannot be set when spec.os.name is windows.
2494+ properties :
2495+ localhostProfile :
2496+ description : localhostProfile indicates a profile defined
2497+ in a file on the node should be used. The profile must be
2498+ preconfigured on the node to work. Must be a descending
2499+ path, relative to the kubelet's configured seccomp profile
2500+ location. Must only be set if type is "Localhost".
2501+ type : string
2502+ type :
2503+ description : " type indicates which kind of seccomp profile
2504+ will be applied. Valid options are: \n Localhost - a profile
2505+ defined in a file on the node should be used. RuntimeDefault
2506+ - the container runtime default profile should be used.
2507+ Unconfined - no profile should be applied."
2508+ type : string
2509+ required :
2510+ - type
2511+ type : object
2512+ windowsOptions :
2513+ description : The Windows specific settings applied to all containers.
2514+ If unspecified, the options from the PodSecurityContext will
2515+ be used. If set in both SecurityContext and PodSecurityContext,
2516+ the value specified in SecurityContext takes precedence. Note
2517+ that this field cannot be set when spec.os.name is linux.
2518+ properties :
2519+ gmsaCredentialSpec :
2520+ description : GMSACredentialSpec is where the GMSA admission
2521+ webhook (https://github.com/kubernetes-sigs/windows-gmsa)
2522+ inlines the contents of the GMSA credential spec named by
2523+ the GMSACredentialSpecName field.
2524+ type : string
2525+ gmsaCredentialSpecName :
2526+ description : GMSACredentialSpecName is the name of the GMSA
2527+ credential spec to use.
2528+ type : string
2529+ hostProcess :
2530+ description : HostProcess determines if a container should
2531+ be run as a 'Host Process' container. This field is alpha-level
2532+ and will only be honored by components that enable the WindowsHostProcessContainers
2533+ feature flag. Setting this field without the feature flag
2534+ will result in errors when validating the Pod. All of a
2535+ Pod's containers must have the same effective HostProcess
2536+ value (it is not allowed to have a mix of HostProcess containers
2537+ and non-HostProcess containers). In addition, if HostProcess
2538+ is true then HostNetwork must also be set to true.
2539+ type : boolean
2540+ runAsUserName :
2541+ description : The UserName in Windows to run the entrypoint
2542+ of the container process. Defaults to the user specified
2543+ in image metadata if unspecified. May also be set in PodSecurityContext.
2544+ If set in both SecurityContext and PodSecurityContext, the
2545+ value specified in SecurityContext takes precedence.
2546+ type : string
2547+ type : object
2548+ type : object
23872549 serverlessResources :
23882550 description : (Optional) If specified, created database will be "serverless".
23892551 properties :
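Review bot: the new securityContext schema accepts several fields as unconstrained strings even though their descriptions enumerate the only valid values, so a bad value in the custom resource is admitted by the API server and only fails later when the generated Pod is created. seccompProfile.type lists exactly "Localhost", "RuntimeDefault" and "Unconfined" but is declared as a bare `type: string` with no `enum:`; procMount has the same shape; and the coupling "localhostProfile ... Must only be set if type is "Localhost"" is stated in prose only. Suggest adding `enum: [Localhost, RuntimeDefault, Unconfined]` under seccompProfile.type (and a validation for the localhostProfile/type dependency) so the misconfiguration is rejected at admission of the custom resource rather than at reconcile time. It would also help to document alongside this field that privileged, capabilities.add, procMount and windowsOptions.hostProcess are passed through to the workload unchanged and remain subject to the cluster's Pod Security Admission policy, since the upstream descriptions reference spec.os.name and feature gates that belong to the Pod, not to this custom resource.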