Use dedicated Unix User and Group ID types
Jamie Hannaford committed May 5, 2017
1 parent ee39d35 commit 9440a68
Showing 120 changed files with 4,507 additions and 4,022 deletions.
19 changes: 12 additions & 7 deletions api/swagger-spec/apps_v1beta1.json
Expand Up @@ -4057,8 +4057,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
Expand Down Expand Up @@ -4117,6 +4116,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
Expand All @@ -4126,8 +4129,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
Expand All @@ -4137,17 +4139,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",
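Review bot: The new `types.UnixUserID` definition in the second hunk carries only `"id"` and `"properties": {}`, so the spec no longer records that runAsUser is an integer with format int64 as the removed lines did, and a consumer that validates against or generates clients from this spec now sees an untyped object for a security-sensitive field. The same empty definition appears for `types.UnixGroupID` in this file and for both types in batch_v1.json, batch_v2alpha1.json, extensions_v1beta1.json and v1.json, which looks like generator output for a named scalar type (the html reference already renders types.UID the same way) rather than a hand edit; if so, the fix belongs with the Go type (give it an explicit OpenAPI definition so the generator emits `"type": "integer", "format": "int64"`) followed by regenerating these files, not an edit here. Note also that supplementalGroups previously had no format (the html reference rendered it as int32) while runAsUser and fsGroup were int64, so sharing one GID type removes that distinction; fine if intended, but worth a line in the commit message. Server-side decoding of the Go type presumably still enforces an integer, but that cannot be confirmed from these hunks.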
19 changes: 12 additions & 7 deletions api/swagger-spec/batch_v1.json
Expand Up @@ -2840,8 +2840,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
Expand Down Expand Up @@ -2900,6 +2899,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
Expand All @@ -2909,8 +2912,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
Expand All @@ -2920,17 +2922,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",
19 changes: 12 additions & 7 deletions api/swagger-spec/batch_v2alpha1.json
Expand Up @@ -3873,8 +3873,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
Expand Down Expand Up @@ -3933,6 +3932,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
Expand All @@ -3942,8 +3945,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
Expand All @@ -3953,17 +3955,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",
19 changes: 12 additions & 7 deletions api/swagger-spec/extensions_v1beta1.json
Expand Up @@ -8304,8 +8304,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
Expand Down Expand Up @@ -8364,6 +8363,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
Expand All @@ -8373,8 +8376,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
Expand All @@ -8384,17 +8386,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",
19 changes: 12 additions & 7 deletions api/swagger-spec/v1.json
Expand Up @@ -19891,8 +19891,7 @@
"description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
},
"runAsNonRoot": {
Expand Down Expand Up @@ -19951,6 +19950,10 @@
}
}
},
"types.UnixUserID": {
"id": "types.UnixUserID",
"properties": {}
},
"v1.PodSecurityContext": {
"id": "v1.PodSecurityContext",
"description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.",
Expand All @@ -19960,8 +19963,7 @@
"description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsUser": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixUserID",
"description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
},
"runAsNonRoot": {
Expand All @@ -19971,17 +19973,20 @@
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
"$ref": "types.UnixGroupID"
},
"description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container."
},
"fsGroup": {
"type": "integer",
"format": "int64",
"$ref": "types.UnixGroupID",
"description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
}
}
},
"types.UnixGroupID": {
"id": "types.UnixGroupID",
"properties": {}
},
"v1.Affinity": {
"id": "v1.Affinity",
"description": "Affinity is a group of affinity scheduling rules.",
26 changes: 17 additions & 9 deletions docs/api-reference/apps/v1beta1/definitions.html
Expand Up @@ -1755,6 +1755,10 @@ <h3 id="_v1beta1_deployment">v1beta1.Deployment</h3>
</tbody>
</table>

</div>
<div class="sect2">
<h3 id="_types_uid">types.UID</h3>

</div>
<div class="sect2">
<h3 id="_v1_azurefilevolumesource">v1.AzureFileVolumeSource</h3>
Expand Down Expand Up @@ -1803,10 +1807,6 @@ <h3 id="_v1_azurefilevolumesource">v1.AzureFileVolumeSource</h3>
</tbody>
</table>

</div>
<div class="sect2">
<h3 id="_types_uid">types.UID</h3>

</div>
<div class="sect2">
<h3 id="_v1_iscsivolumesource">v1.ISCSIVolumeSource</h3>
Expand Down Expand Up @@ -4218,6 +4218,10 @@ <h3 id="_v1_configmapprojection">v1.ConfigMapProjection</h3>
</tbody>
</table>

</div>
<div class="sect2">
<h3 id="_types_unixuserid">types.UnixUserID</h3>

</div>
<div class="sect2">
<h3 id="_v1_scaleiovolumesource">v1.ScaleIOVolumeSource</h3>
Expand Down Expand Up @@ -4590,6 +4594,10 @@ <h3 id="_v1beta1_deploymentlist">v1beta1.DeploymentList</h3>
</tbody>
</table>

</div>
<div class="sect2">
<h3 id="_types_unixgroupid">types.UnixGroupID</h3>

</div>
<div class="sect2">
<h3 id="_v1beta1_deploymentrollback">v1beta1.DeploymentRollback</h3>
Expand Down Expand Up @@ -5242,7 +5250,7 @@ <h3 id="_v1_podsecuritycontext">v1.PodSecurityContext</h3>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
Expand All @@ -5256,7 +5264,7 @@ <h3 id="_v1_podsecuritycontext">v1.PodSecurityContext</h3>
<td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID. If unspecified, no groups will be added to any container.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
Expand All @@ -5265,7 +5273,7 @@ <h3 id="_v1_podsecuritycontext">v1.PodSecurityContext</h3>
<br>
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
Expand Down Expand Up @@ -5639,7 +5647,7 @@ <h3 id="_v1_securitycontext">v1.SecurityContext</h3>
<td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
Expand Down Expand Up @@ -6339,7 +6347,7 @@ <h3 id="_any">any</h3>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-05-02 14:37:22 UTC
Last updated 2017-05-04 11:35:33 UTC
</div>
</div>
</body>