@@ -2816,6 +2816,174 @@ spec:
28162816 type: string
28172817 description: Annotations to be added for pods.
28182818 type: object
2819+ containerSecurityContext:
2820+ description: ContainerSecurityContext the container-level
2821+ security context used by the pod's primary container
2822+ properties:
2823+ allowPrivilegeEscalation:
2824+ description: |-
2825+ AllowPrivilegeEscalation controls whether a process can gain more
2826+ privileges than its parent process. This bool directly controls if
2827+ the no_new_privs flag will be set on the container process.
2828+ AllowPrivilegeEscalation is true always when the container is:
2829+ 1) run as Privileged
2830+ 2) has CAP_SYS_ADMIN
2831+ Note that this field cannot be set when spec.os.name is windows.
2832+ type: boolean
2833+ capabilities:
2834+ description: |-
2835+ The capabilities to add/drop when running containers.
2836+ Defaults to the default set of capabilities granted by the container runtime.
2837+ Note that this field cannot be set when spec.os.name is windows.
2838+ properties:
2839+ add:
2840+ description: Added capabilities
2841+ items:
2842+ description: Capability represent POSIX capabilities
2843+ type
2844+ type: string
2845+ type: array
2846+ drop:
2847+ description: Removed capabilities
2848+ items:
2849+ description: Capability represent POSIX capabilities
2850+ type
2851+ type: string
2852+ type: array
2853+ type: object
2854+ privileged:
2855+ description: |-
2856+ Run container in privileged mode.
2857+ Processes in privileged containers are essentially equivalent to root on the host.
2858+ Defaults to false.
2859+ Note that this field cannot be set when spec.os.name is windows.
2860+ type: boolean
2861+ procMount:
2862+ description: |-
2863+ procMount denotes the type of proc mount to use for the containers.
2864+ The default is DefaultProcMount which uses the container runtime defaults for
2865+ readonly paths and masked paths.
2866+ This requires the ProcMountType feature flag to be enabled.
2867+ Note that this field cannot be set when spec.os.name is windows.
2868+ type: string
2869+ readOnlyRootFilesystem:
2870+ description: |-
2871+ Whether this container has a read-only root filesystem.
2872+ Default is false.
2873+ Note that this field cannot be set when spec.os.name is windows.
2874+ type: boolean
2875+ runAsGroup:
2876+ description: |-
2877+ The GID to run the entrypoint of the container process.
2878+ Uses runtime default if unset.
2879+ May also be set in PodSecurityContext. If set in both SecurityContext and
2880+ PodSecurityContext, the value specified in SecurityContext takes precedence.
2881+ Note that this field cannot be set when spec.os.name is windows.
2882+ format: int64
2883+ type: integer
2884+ runAsNonRoot:
2885+ description: |-
2886+ Indicates that the container must run as a non-root user.
2887+ If true, the Kubelet will validate the image at runtime to ensure that it
2888+ does not run as UID 0 (root) and fail to start the container if it does.
2889+ If unset or false, no such validation will be performed.
2890+ May also be set in PodSecurityContext. If set in both SecurityContext and
2891+ PodSecurityContext, the value specified in SecurityContext takes precedence.
2892+ type: boolean
2893+ runAsUser:
2894+ description: |-
2895+ The UID to run the entrypoint of the container process.
2896+ Defaults to user specified in image metadata if unspecified.
2897+ May also be set in PodSecurityContext. If set in both SecurityContext and
2898+ PodSecurityContext, the value specified in SecurityContext takes precedence.
2899+ Note that this field cannot be set when spec.os.name is windows.
2900+ format: int64
2901+ type: integer
2902+ seLinuxOptions:
2903+ description: |-
2904+ The SELinux context to be applied to the container.
2905+ If unspecified, the container runtime will allocate a random SELinux context for each
2906+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
2907+ PodSecurityContext, the value specified in SecurityContext takes precedence.
2908+ Note that this field cannot be set when spec.os.name is windows.
2909+ properties:
2910+ level:
2911+ description: Level is SELinux level label that applies
2912+ to the container.
2913+ type: string
2914+ role:
2915+ description: Role is a SELinux role label that applies
2916+ to the container.
2917+ type: string
2918+ type:
2919+ description: Type is a SELinux type label that applies
2920+ to the container.
2921+ type: string
2922+ user:
2923+ description: User is a SELinux user label that applies
2924+ to the container.
2925+ type: string
2926+ type: object
2927+ seccompProfile:
2928+ description: |-
2929+ The seccomp options to use by this container. If seccomp options are
2930+ provided at both the pod & container level, the container options
2931+ override the pod options.
2932+ Note that this field cannot be set when spec.os.name is windows.
2933+ properties:
2934+ localhostProfile:
2935+ description: |-
2936+ localhostProfile indicates a profile defined in a file on the node should be used.
2937+ The profile must be preconfigured on the node to work.
2938+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
2939+ Must be set if type is "Localhost". Must NOT be set for any other type.
2940+ type: string
2941+ type:
2942+ description: |-
2943+ type indicates which kind of seccomp profile will be applied.
2944+ Valid options are:
2945+
2946+
2947+ Localhost - a profile defined in a file on the node should be used.
2948+ RuntimeDefault - the container runtime default profile should be used.
2949+ Unconfined - no profile should be applied.
2950+ type: string
2951+ required:
2952+ - type
2953+ type: object
2954+ windowsOptions:
2955+ description: |-
2956+ The Windows specific settings applied to all containers.
2957+ If unspecified, the options from the PodSecurityContext will be used.
2958+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
2959+ Note that this field cannot be set when spec.os.name is linux.
2960+ properties:
2961+ gmsaCredentialSpec:
2962+ description: |-
2963+ GMSACredentialSpec is where the GMSA admission webhook
2964+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
2965+ GMSA credential spec named by the GMSACredentialSpecName field.
2966+ type: string
2967+ gmsaCredentialSpecName:
2968+ description: GMSACredentialSpecName is the name of
2969+ the GMSA credential spec to use.
2970+ type: string
2971+ hostProcess:
2972+ description: |-
2973+ HostProcess determines if a container should be run as a 'Host Process' container.
2974+ All of a Pod's containers must have the same effective HostProcess value
2975+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
2976+ In addition, if HostProcess is true then HostNetwork must also be set to true.
2977+ type: boolean
2978+ runAsUserName:
2979+ description: |-
2980+ The UserName in Windows to run the entrypoint of the container process.
2981+ Defaults to the user specified in image metadata if unspecified.
2982+ May also be set in PodSecurityContext. If set in both SecurityContext and
2983+ PodSecurityContext, the value specified in SecurityContext takes precedence.
2984+ type: string
2985+ type: object
2986+ type: object
28192987 defaultInitContainerResources:
28202988 description: DefaultInitContainerResources are the resource
28212989 requirements for the default init container(s) created by