@@ -1214,6 +1214,178 @@ spec:
12141214 More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
12151215type : object
12161216 type : object
1217+ securityContext :
1218+ description : |-
1219+ In deployment, daemonset, or statefulset mode, this controls
1220+ the security context settings for the primary application
1221+ container.
1222+
1223+
1224+ In sidecar mode, this controls the security context for the
1225+ injected sidecar container.
1226+ properties :
1227+ allowPrivilegeEscalation :
1228+ description : |-
1229+ AllowPrivilegeEscalation controls whether a process can gain more
1230+ privileges than its parent process. This bool directly controls if
1231+ the no_new_privs flag will be set on the container process.
1232+ AllowPrivilegeEscalation is true always when the container is:
1233+ 1) run as Privileged
1234+ 2) has CAP_SYS_ADMIN
1235+ Note that this field cannot be set when spec.os.name is windows.
1236+ type : boolean
1237+ capabilities :
1238+ description : |-
1239+ The capabilities to add/drop when running containers.
1240+ Defaults to the default set of capabilities granted by the container runtime.
1241+ Note that this field cannot be set when spec.os.name is windows.
1242+ properties :
1243+ add :
1244+ description : Added capabilities
1245+ items :
1246+ description : Capability represent POSIX capabilities type
1247+ type : string
1248+ type : array
1249+ drop :
1250+ description : Removed capabilities
1251+ items :
1252+ description : Capability represent POSIX capabilities type
1253+ type : string
1254+ type : array
1255+ type : object
1256+ privileged :
1257+ description : |-
1258+ Run container in privileged mode.
1259+ Processes in privileged containers are essentially equivalent to root on the host.
1260+ Defaults to false.
1261+ Note that this field cannot be set when spec.os.name is windows.
1262+ type : boolean
1263+ procMount :
1264+ description : |-
1265+ procMount denotes the type of proc mount to use for the containers.
1266+ The default is DefaultProcMount which uses the container runtime defaults for
1267+ readonly paths and masked paths.
1268+ This requires the ProcMountType feature flag to be enabled.
1269+ Note that this field cannot be set when spec.os.name is windows.
1270+ type : string
1271+ readOnlyRootFilesystem :
1272+ description : |-
1273+ Whether this container has a read-only root filesystem.
1274+ Default is false.
1275+ Note that this field cannot be set when spec.os.name is windows.
1276+ type : boolean
1277+ runAsGroup :
1278+ description : |-
1279+ The GID to run the entrypoint of the container process.
1280+ Uses runtime default if unset.
1281+ May also be set in PodSecurityContext. If set in both SecurityContext and
1282+ PodSecurityContext, the value specified in SecurityContext takes precedence.
1283+ Note that this field cannot be set when spec.os.name is windows.
1284+ format : int64
1285+ type : integer
1286+ runAsNonRoot :
1287+ description : |-
1288+ Indicates that the container must run as a non-root user.
1289+ If true, the Kubelet will validate the image at runtime to ensure that it
1290+ does not run as UID 0 (root) and fail to start the container if it does.
1291+ If unset or false, no such validation will be performed.
1292+ May also be set in PodSecurityContext. If set in both SecurityContext and
1293+ PodSecurityContext, the value specified in SecurityContext takes precedence.
1294+ type : boolean
1295+ runAsUser :
1296+ description : |-
1297+ The UID to run the entrypoint of the container process.
1298+ Defaults to user specified in image metadata if unspecified.
1299+ May also be set in PodSecurityContext. If set in both SecurityContext and
1300+ PodSecurityContext, the value specified in SecurityContext takes precedence.
1301+ Note that this field cannot be set when spec.os.name is windows.
1302+ format : int64
1303+ type : integer
1304+ seLinuxOptions :
1305+ description : |-
1306+ The SELinux context to be applied to the container.
1307+ If unspecified, the container runtime will allocate a random SELinux context for each
1308+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
1309+ PodSecurityContext, the value specified in SecurityContext takes precedence.
1310+ Note that this field cannot be set when spec.os.name is windows.
1311+ properties :
1312+ level :
1313+ description : Level is SELinux level label that applies to
1314+ the container.
1315+ type : string
1316+ role :
1317+ description : Role is a SELinux role label that applies to
1318+ the container.
1319+ type : string
1320+ type :
1321+ description : Type is a SELinux type label that applies to
1322+ the container.
1323+ type : string
1324+ user :
1325+ description : User is a SELinux user label that applies to
1326+ the container.
1327+ type : string
1328+ type : object
1329+ seccompProfile :
1330+ description : |-
1331+ The seccomp options to use by this container. If seccomp options are
1332+ provided at both the pod & container level, the container options
1333+ override the pod options.
1334+ Note that this field cannot be set when spec.os.name is windows.
1335+ properties :
1336+ localhostProfile :
1337+ description : |-
1338+ localhostProfile indicates a profile defined in a file on the node should be used.
1339+ The profile must be preconfigured on the node to work.
1340+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
1341+ Must be set if type is "Localhost". Must NOT be set for any other type.
1342+ type : string
1343+ type :
1344+ description : |-
1345+ type indicates which kind of seccomp profile will be applied.
1346+ Valid options are:
1347+
1348+
1349+ Localhost - a profile defined in a file on the node should be used.
1350+ RuntimeDefault - the container runtime default profile should be used.
1351+ Unconfined - no profile should be applied.
1352+ type : string
1353+ required :
1354+ - type
1355+ type : object
1356+ windowsOptions :
1357+ description : |-
1358+ The Windows specific settings applied to all containers.
1359+ If unspecified, the options from the PodSecurityContext will be used.
1360+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
1361+ Note that this field cannot be set when spec.os.name is linux.
1362+ properties :
1363+ gmsaCredentialSpec :
1364+ description : |-
1365+ GMSACredentialSpec is where the GMSA admission webhook
1366+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
1367+ GMSA credential spec named by the GMSACredentialSpecName field.
1368+ type : string
1369+ gmsaCredentialSpecName :
1370+ description : GMSACredentialSpecName is the name of the GMSA
1371+ credential spec to use.
1372+ type : string
1373+ hostProcess :
1374+ description : |-
1375+ HostProcess determines if a container should be run as a 'Host Process' container.
1376+ All of a Pod's containers must have the same effective HostProcess value
1377+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
1378+ In addition, if HostProcess is true then HostNetwork must also be set to true.
1379+ type : boolean
1380+ runAsUserName :
1381+ description : |-
1382+ The UserName in Windows to run the entrypoint of the container process.
1383+ Defaults to the user specified in image metadata if unspecified.
1384+ May also be set in PodSecurityContext. If set in both SecurityContext and
1385+ PodSecurityContext, the value specified in SecurityContext takes precedence.
1386+ type : string
1387+ type : object
1388+ type : object
12171389 serviceAccount :
12181390 description : |-
12191391 ServiceAccount indicates the name of an existing service account to use with this instance. When set,
0 commit comments